基于Mert Mertce的回答，我编写了以下脚本，包括旋转器和进度条。

然而，自从写了脚本之后，我注意到我们构建服务器上的额外目录是暂时的——也就是说，Docker似乎正在清理，尽管速度很慢。我不知道如果存在删除目录的竞争，Docker是否会感到不安。我们目前的解决方案是使用documentum，但是有很多额外的开销(150+GB)。

#!/bin/bash
[[ $(id -u) -eq 0 ]] || exec sudo /bin/bash -c "$(printf '%q ' "$BASH_SOURCE" "$@")"
progname=$(basename $0)
quiet=false
no_dry_run=false
while getopts ":qn" opt
do
    case "$opt" in
      q)
          quiet=true
          ;;
      n)
          no_dry_run=true
          ;;
      ?)
          echo "unexpected option ${opt}"
          echo "usage: ${progname} [-q|--quiet]"
          echo "    -q: no output"
          echo "    -n: no dry run (will remove unused directories)"
          exit 1
          ;;
    esac
done
shift "$(($OPTIND -1))"

[[ ${quiet} = false ]] || exec /bin/bash -c "$(printf '%q ' "$BASH_SOURCE" "$@")" > /dev/null

echo "Running as: $(id -un)"

progress_bar() {
    local w=80 p=$1;  shift
    # create a string of spaces, then change them to dots
    printf -v dots "%*s" "$(( $p*$w/100 ))" ""; dots=${dots// /.};
    # print those dots on a fixed-width space plus the percentage etc.
    printf "\r\e[K|%-*s| %3d %% %s" "$w" "$dots" "$p" "$*";
}

cd /var/lib/docker/overlay2
echo cleaning in ${PWD}
i=1
spi=1
sp="/-\|"
directories=( $(find . -mindepth 1 -maxdepth 1 -type d | cut -d/ -f2) )
images=( $(docker image ls --all --format "{{.ID}}") )
total=$((${#directories[@]} * ${#images[@]}))
used=()
for d in "${directories[@]}"
do
    for id in ${images[@]}
    do
        ((++i))
        progress_bar "$(( ${i} * 100 / ${total}))" "scanning for used directories ${sp:spi++%${#sp}:1} "
        docker inspect $id | grep -q $d
        if [ $? ]
        then
            used+=("$d")
            i=$(( $i + $(( ${#images[@]} - $(( $i % ${#images[@]} )) )) ))
            break
        fi
    done
done
echo -e "\b\b " # get rid of spinner
i=1
used=($(printf '%s\n' "${used[@]}" | sort -u))
unused=( $(find . -mindepth 1 -maxdepth 1 -type d | cut -d/ -f2) )
for d in "${used[@]}"
do
    ((++i))
    progress_bar "$(( ${i} * 100 / ${#used[@]}))" "scanning for unused directories ${sp:spi++%${#sp}:1} "
    for uni in "${!unused[@]}"
    do
        if [[ ${unused[uni]} = $d ]]
        then
            unset 'unused[uni]'
            break;
        fi
    done
done
echo -e "\b\b " # get rid of spinner
if [ ${#unused[@]} -gt 0 ]
then
    [[ ${no_dry_run} = true ]] || echo "Could remove:  (to automatically remove, use the -n, "'"'"no-dry-run"'"'" flag)"
    for d in "${unused[@]}"
    do
        if [[ ${no_dry_run} = true ]]
        then
            echo "Removing $(realpath ${d})"
            rm -rf ${d}
        else
            echo " $(realpath ${d})"
        fi
    done
    echo Done
else
    echo "All directories are used, nothing to clean up."
fi

docker system prune -af && docker image prune -af

“官方”回答，用“修剪”命令清理，实际上不清理overlay2文件夹中的垃圾。

所以，要回答最初的问题，我们可以做的是:

免责声明:应用此功能时请小心。这可能会导致Docker对象中断!

List folder names (hashes) in overlay2 Inspect your Docker objects (images, containers, ...) that you need (A stopped container or an image currently not inside any container do not mean that you do not need them). When you inspect, you will see that it gives you the hashes that are related with your object, including overlay2's folders. Do grep against overlay2's folders Note all folders that are found with grep Now you can delete folders of overlay2 that are not referred by any Docker object that you need.

例子:

假设在overlay2目录中有这些文件夹，

a1b28095041cc0a5ded909a20fed6dbfbcc08e1968fa265bc6f3abcc835378b5
021500fad32558a613122070616963c6644c6a57b2e1ed61cb6c32787a86f048

您只有一个ID为c777cf06a6e3的图像。

然后，这样做:

docker inspect c777cf06a6e3 | grep a1b2809
docker inspect c777cf06a6e3 | grep 021500

想象一下，第一个命令找到了一些东西，而第二个命令什么也没有。

然后，您可以删除0215…overlay2文件夹:

rm -r 021500fad32558a613122070616963c6644c6a57b2e1ed61cb6c32787a86f048

回答问题的题目:

是的，如果你发现它没有被使用，直接删除overlay2文件夹是安全的。 不，如果你发现它正在被使用或者你不确定，直接删除它是不安全的。

背景

The blame for the issue can be split between our misconfiguration of container volumes, and a problem with docker leaking (failing to release) temporary data written to these volumes. We should be mapping (either to host folders or other persistent storage claims) all of out container's temporary / logs / scratch folders where our apps write frequently and/or heavily. Docker does not take responsibility for the cleanup of all automatically created so-called EmptyDirs located by default in /var/lib/docker/overlay2/*/diff/*. Contents of these "non-persistent" folders should be purged automatically by docker after container is stopped, but apparently are not (they may be even impossible to purge from the host side if the container is still running - and it can be running for months at a time).

解决方案

解决方案需要仔细的手动清理，虽然已经在其他地方描述过，但您仍然可以从我的案例研究中找到一些提示，我试图使其尽可能具有启发性和普遍性。

所以发生的事情是罪魁祸首应用程序(在我的案例中是claire -scanner)设法在几个月内向docker的overlay2的/diff/tmp子文件夹写入了数百gb的数据

du -sch /var/lib/docker/overlay2/<long random folder name seen as bloated in df -haT>/diff/tmp

271G total

因此，由于/diff/tmp中的所有子文件夹都是相当自解释的(都是克莱尔-scanner-*的形式，并且有过时的创建日期)，我停止了相关的容器(docker stop clair)，并小心地从diff/tmp中删除了这些过时的子文件夹，谨慎地从一个(最古老的)单一文件夹开始，并测试了对docker引擎的影响(这需要重新启动[systemctl restart docker]来回收磁盘空间):

rm -rf $(ls -at /var/lib/docker/overlay2/<long random folder name seen as bloated in df -haT>/diff/tmp | grep clair-scanner | tail -1)

我回收了数百gb的磁盘空间，而不需要重新安装docker或清除它的整个文件夹。所有正在运行的容器都必须在某一时刻停止，因为需要重新启动docker守护进程来回收磁盘空间，因此首先要确保您的故障转移容器在某个/其他节点上正确运行。我希望docker的prune命令也能覆盖过时的/diff/tmp(甚至/diff/*)数据(通过另一个开关)。

这是一个有3年历史的问题，你可以在Docker论坛上阅读它丰富多彩的历史，其中针对上述解决方案的应用程序日志的变体在2019年被提出，并且似乎在几个设置中起了作用:https://forums.docker.com/t/some-way-to-clean-up-identify-contents-of-var-lib-docker-overlay/30604

Docker使用/var/lib/docker来存储映像、容器和本地命名卷。删除它可能导致数据丢失，并可能停止引擎运行。overlay2子目录专门包含图像和容器的各种文件系统层。

要清除未使用的容器和映像，请参阅docker系统修剪。还有一些选项可以删除卷，甚至是带标签的图像，但默认情况下由于数据丢失的可能性而不启用:

$ docker system prune --help

Usage:  docker system prune [OPTIONS]

Remove unused data

Options:
  -a, --all             Remove all unused images not just dangling ones
      --filter filter   Provide filter values (e.g. 'label=<key>=<value>')
  -f, --force           Do not prompt for confirmation
      --volumes         Prune volumes

剪枝永远不会删除的内容包括:

正在运行的容器(使用docker ps列出它们) 这些容器上的日志(有关限制日志大小的详细信息，请参阅这篇文章) 由这些容器所做的文件系统更改(通过docker diff可见)

此外，在这个垃圾收集过程中，docker可能不会看到在普通docker文件夹之外创建的任何内容。这可能是其他应用写到这个目录，或者docker引擎之前的配置(例如，从AUFS切换到overlay2，或者可能在启用用户名称空间之后)。

What would happen if this advice is ignored and you deleted a single folder like overlay2 out from this filesystem? The container filesystems are assembled from a collection of filesystem layers, and the overlay2 folder is where docker is performing some of these mounts (you'll see them in the output of mount when a container is running). Deleting some of these when they are in use would delete chunks of the filesystem out from a running container, and likely break the ability to start a new container from an impacted image. See this question for one of many possible results.

为了完全刷新docker到一个干净的状态，你可以删除整个目录，而不仅仅是像overlay2这样的子目录:

# danger, read the entire text around this code before running
# you will lose data
sudo -s
systemctl stop docker
rm -rf /var/lib/docker
systemctl start docker
exit

引擎将在完全空的状态下重新启动，这意味着你将失去所有:

图片 容器 名叫卷 用户创建的网络 群状态

如果你的系统也用于构建映像，你可以看看如何清理由构建器创建的垃圾，使用:

docker buildx prune --all

and

docker builder prune --all