I know that container images are build up from a series of layer, and each layer represents an instruction in the image’s Dockerfile.

But what happens behind the scenes when you run docker run IMAGE CMD or docker run --entrypoint=CMD IMAGE. Is the last layer of the image overridden or Docker adds a new, separate writable layer on top of the image (i.e. The container’s writable layer doesn’t persist after the container is deleted) ?

Hello

Docker run command will create a container so the image (and layers) are untouched. Everything will happens in RAM (for instance when you run apt-get install from inside the container).

Hope this will help.

To extend on @cavo789’s response:

It depends on the storage driver whether a copy-on-write layer is added as top layer on top of the merged image layers for the container filesystem (this is how overlay2 works), or whether each image layer is extracted, and copied over to the next layer folder, so the new layer details can be extracted into it, until you reach the final image layer, which is copied into the final container filesystem (this is how vfs works → waste of storage space, and slow when pulling images and creating containers).

Regardless which storage driver is used: the container filesystem is bundled with the lifecycle of a container. The deletion of a container, deletes the container filesystem as well.