AFAIK, image layers can only be added at build time. But OverlayFS supports mounting on top of an already-running mount. Therefore it should be possible for Docker to add the capability to inject a new layer into a running container.
Here’s an example of where this might be useful. Say you want to debug a deployed container. You probably want a tool like gdb inside the container to attach to the main process. But you want to keep your containers thin, and gdb adds something like 100 MB of heft to the image. So you’re stuck with either heavy containers or no debug capabilities if/when you need them.
Runtime layer injection would be a great solution to this problem. The user could define a “post-deploy overlay” in the Dockerfile (POST is a hypothetical instruction that does not exist in Docker today):
[Normal Dockerfile]
POST debug-layer
RUN apt-get update && apt-get install -y gdb
COPY .gdbinit /root/.gdbinit
The overlay image wouldn’t be sent to a running container unless and until the user called it on that specific container. That keeps normal running containers thin. But if/when the user needed the overlay, they could call something like
$ docker inject [my-broken-container] debug-layer
Then the Docker daemon would handle the heavy lifting of pulling the image from the registry and union-mounting it into the container.
As far as I can tell, there aren’t any apparent downsides to this approach, and it would seem to add a lot of useful functionality. It seems pretty technically feasible to add these capabilities without significant modifications to existing source. Interested to hear any opinions or feedback.
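Added example, not part of the original post and not Docker's own code: a sketch of the overlayfs plumbing that the proposed "docker inject" would need, done by hand with plain mount(8). The container's existing merged rootfs (itself an overlay mount) is used as the lowerdir of a second overlay, with the debug layer stacked above it and a fresh upperdir/workdir pair so that anything written while debugging never lands in the container's original upper layer. All paths are hypothetical, and the demo directories are constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the original post or from Docker). Stacks a "debug layer"
# on top of an already-mounted overlay rootfs using a second overlayfs mount.
# The demo at the bottom needs root and a Linux kernel with overlayfs.
set -eu

# Compose the lowerdir= option. Overlayfs lists lower layers top-most first, so the
# debug layer must precede the running rootfs; a ':' inside a path is escaped as '\:'.
overlay_lowerdir() {
    # $1 = the container's current merged rootfs, $2 = the debug layer directory
    debug=$(printf '%s' "$2" | sed 's/:/\\:/g')
    base=$(printf '%s' "$1" | sed 's/:/\\:/g')
    printf '%s:%s' "$debug" "$base"
}

# Full option string. $3 is a scratch directory that will hold upper/ and work/;
# using a new upperdir keeps debug-time writes out of the container's own layer.
overlay_opts() {
    printf 'lowerdir=%s,upperdir=%s/upper,workdir=%s/work' \
        "$(overlay_lowerdir "$1" "$2")" "$3" "$3"
}

# Mount the stacked view at $4 (root only). Overlayfs allows one overlay to be the
# lowerdir of another, which is exactly the stacking the original post relies on.
inject_layer() {
    rootfs=$1 layer=$2 scratch=$3 target=$4
    mkdir -p "$scratch/upper" "$scratch/work" "$target"
    mount -t overlay overlay -o "$(overlay_opts "$rootfs" "$layer" "$scratch")" "$target"
}

# Demo with constructed directories: sh this-script.sh demo   (as root)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    # A thin "image" layer mounted the way a container runtime would mount it.
    mkdir -p "$tmp/image" "$tmp/cupper" "$tmp/cwork" "$tmp/rootfs"
    echo 'thin app' > "$tmp/image/app"
    mount -t overlay overlay \
        -o "lowerdir=$tmp/image,upperdir=$tmp/cupper,workdir=$tmp/cwork" "$tmp/rootfs"
    # A fake debug layer standing in for the gdb package.
    mkdir -p "$tmp/debug/usr/bin"
    printf '#!/bin/sh\necho fake gdb\n' > "$tmp/debug/usr/bin/gdb"
    chmod +x "$tmp/debug/usr/bin/gdb"
    inject_layer "$tmp/rootfs" "$tmp/debug" "$tmp/scratch" "$tmp/merged"
    ls "$tmp/merged" "$tmp/merged/usr/bin"     # shows app alongside usr/bin/gdb
    umount "$tmp/merged"
    umount "$tmp/rootfs"
fi
```

Two caveats a practitioner would want. First, the stacked view is a new mount at a new path: a process that is already running with its root on the original overlay keeps seeing that root, so making the debug tools appear inside the live container's filesystem (rather than beside it) is the daemon-side work the post is asking Docker to do. Second, the kernel limits how deep overlay-on-overlay nesting can go, so this works for one injected stack but not for arbitrarily many layered on top of each other.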