Storage Drivers

QScanner saves the image and creates a .tar output. This operation can be time-consuming if the image size is large. If you have a 'docker', 'containerd', or 'podman' runtime installed and the image is pulled locally, you can avoid image saving by making use of the runtime's underlying 'overlay2', 'overlay', or 'overlayfs' file system respectively.

For this, use the --storage-driver <storage-driver-option> flag.

The following storage driver options are supported:

  • none:
    Doesn't use any storage driver.
    Usage: --storage-driver none
    Performs actual image save for scanning. This is the 'default' storage driver option. Use it when the container runtime uses a storage driver that is not supported by QScanner. Refer to the 'Supported Container Runtimes' topic.
  • containerd-overlayfs:
    Uses overlay file system for the containerd environment.
    Usage: --storage-driver containerd-overlayfs
    For example,
    $ export CONTAINERD_ROOT_DIR=$CUSTOM_DOCKER_ROOT_DIR
    $ ./qscanner image --storage-driver containerd-overlayfs centos:latest
     
  • crio-overlay:
    Uses overlay file system for the CRI-O environment.
    Usage: --storage-driver crio-overlay
    In the case of `crio-overlay`, you can override the default installation config using /etc/crio/crio.conf.
    By default, the CRI-O socket location is `/var/run/crio/crio.sock`. QScanner uses this default socket path to create a client. You can override it by using the `XDG_RUNTIME_DIR` environment variable.
    To use a non-default CRI-O socket, for example '/my/custom/runtime/dir/crio/crio.sock', run the following command.
    $ export XDG_RUNTIME_DIR=/my/custom/runtime/dir
    For a custom root directory, set the `CRIO_ROOT_DIR` environment variable.
    For example,
    $ export CRIO_ROOT_DIR=$CUSTOM_DOCKER_ROOT_DIR
    $ ./qscanner --pod US2 --access-token $QUALYS_ACCESS_TOKEN --storage-driver crio-overlay image centos:latest
    In the absence of a custom root directory, QScanner refers to the default path `/var/lib/containers/storage`.

  • docker-overlay2:
    Uses overlay2 file system for Docker environment.
    Usage: --storage-driver docker-overlay2
    Set the Docker root path as shown below if the Docker root directory is not at the default path ("/var/lib/docker"):
    $ export DOCKER_ROOT_DIR=$CUSTOM_DOCKER_ROOT_DIR
    $ ./qscanner --pod <Qualys POD> --access-token <QUALYS_ACCESS_TOKEN> --storage-driver docker-overlay2 image centos:latest

  • docker-overlayfs:
    Uses overlayfs (containerd snapshotter) file system for Docker environment.
    Usage: --storage-driver docker-overlayfs
    Note: The 'overlayfs' storage driver is supported in all QScanner modes.

  • podman-overlay:
    Uses overlay file system for podman environment.
    Usage: --storage-driver podman-overlay
    If podman is not installed at the default location, set the podman socket path with PODMAN_SOCKET_PATH=<podman-path> in the environment. Otherwise, QScanner refers to the default location /run/podman/podman.sock. For a custom root directory, set PODMAN_ROOT_DIR in the environment. Otherwise, QScanner refers to the default path /var/lib/containers/storage.
    For example,
    $ export PODMAN_ROOT_DIR=$CUSTOM_PODMAN_ROOT_DIR

    To use a non-default podman socket, for example /my/custom/runtime/dir/podman/podman.sock:
    $ export PODMAN_SOCKET_PATH=/my/custom/runtime/dir/podman/podman.sock
    $ ./qscanner --pod US2 --client-id $QUALYS_CLIENT_ID --client-secret $QUALYS_CLIENT_SECRET --storage-driver podman-overlay image centos:latest
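
A preflight wrapper for the options listed above, as an added example that is not part of the QScanner documentation or code: it maps a runtime and the storage driver that runtime reports to a --storage-driver value, and falls back to none when the driver is unsupported or the root directory is missing. The function names are hypothetical, and the mapping assumes the runtime reports its driver as overlay2, overlayfs, or overlay.

```shell
#!/bin/sh
# Added example, not QScanner code. Function names are hypothetical; the
# environment variables and default paths are the ones documented on this page.

# Print the root directory for a --storage-driver option: the documented
# environment variable if set, otherwise the documented default.
qs_root_dir() {
    case "$1" in
        docker-overlay2) echo "${DOCKER_ROOT_DIR:-/var/lib/docker}" ;;
        crio-overlay)    echo "${CRIO_ROOT_DIR:-/var/lib/containers/storage}" ;;
        podman-overlay)  echo "${PODMAN_ROOT_DIR:-/var/lib/containers/storage}" ;;
        # The page gives no default for containerd, so only an explicit value is checked.
        containerd-overlayfs) echo "${CONTAINERD_ROOT_DIR:-}" ;;
        *) echo "" ;;
    esac
}

# $1 = runtime (docker|containerd|crio|podman)
# $2 = storage driver name reported by that runtime (supplied by the caller)
# Prints the --storage-driver value to pass to qscanner.
qs_pick_driver() {
    case "$1:$2" in
        docker:overlay2)      opt=docker-overlay2 ;;
        docker:overlayfs)     opt=docker-overlayfs ;;
        containerd:overlayfs) opt=containerd-overlayfs ;;
        crio:overlay)         opt=crio-overlay ;;
        podman:overlay)       opt=podman-overlay ;;
        *)                    opt=none ;;   # unsupported driver: actual image save
    esac
    root=$(qs_root_dir "$opt")
    # A known root directory that is missing or unreadable cannot be used,
    # so fall back to 'none' instead of pointing the scan at a bad path.
    if [ -n "$root" ] && { [ ! -d "$root" ] || [ ! -r "$root" ]; }; then
        echo "warning: $root is not a readable directory; using --storage-driver none" >&2
        opt=none
    fi
    echo "$opt"
}

# Usage with Docker (docker info --format '{{.Driver}}' prints the storage driver):
#   drv=$(qs_pick_driver docker "$(docker info --format '{{.Driver}}')")
#   ./qscanner image --storage-driver "$drv" centos:latest
```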