Storage Drivers

QScanner saves the image and creates a .tar output. This operation can be time-consuming if the image size is large. If you have a 'docker' or 'containerd' runtime installed and the image is pulled locally, you can avoid image saving by making use of the runtime's underlying 'overlay2'  or 'containerd-overlay' file system respectively.

For this, you can use --storage-driver <storage-driver-option> flag.

The following storage driver options are supported:

  • none:
    Doesn't use any storage driver.
    Option: --storage-driver none
    Performs actual image save for scanning. This is the 'default' storage driver option. To be used when the container runtime uses a storage driver that is not supported by QScanner. Refer to 'Supported Container Runtimes' topic.
  • containerd-overlayfs:
    Uses overlay file system for containerd environment.
    For example,
    $ export CONTAINERD_ROOT_DIR=$CUSTOM_DOCKER_ROOT_DIR
    $ ./qscanner image --storage-driver containerd-overlay centos:latest     

  • crio-overlay:
    Uses overlay file system for Cri_o environment.
    Option: --storage-driver crio-overlay  
    In the case of `crio-overlay`, you can override the default installation config using /etc/crio/crio.conf.
    By default, the Cri-O socket location is `/var/run/crio/crio.sock`.
    To use a non-default CRI-O socket - '/my/custom/runtime/dir/crio/crio.sock', run the following command.
    $ export XDG_RUNTIME_DIR=/my/custom/runtime/dir
    QScanner refers to the above default Cri-O socket path for creating a client. You can override this default path by using `XDG_RUNTIME_DIR` environment variable.
    For the custom root directory, set `CRIO_ROOT_DIR` in the environment variable.
    For example,
    $ export CRIO_ROOT_DIR=$CUSTOM_DOCKER_ROOT_DIR
    $ ./qscanner --pod US2 --access-token $QUALYS_ACCESS_TOKEN --storage-driver crio-overlay image centos:latest
    In absence of custom root directory, QScanner refers to the default path `/var/lib/containers/storage`.

  • docker-overlay2:
    Uses overlay2 file system for Docker environment.
    Option: --storage-driver docker-overlay2
    Set the docker root path as shown below if the docker root directory path is not set to default ("/var/lib/docker)
    $ export DOCKER_ROOT_DIR=$CUSTOM_DOCKER_ROOT_DIR
    $ ./qscanner --pod <Qualys POD> --access-token <QUALYS_ACCESS_TOKEN> --storage-driver docker-overlay2 image centos:latest

  • podman-overlay:
    Uses overlay file system for podman environment.
    Option: --storage-driver podman-overlay
    If podman is not installed at the default location, you need to set the podman socket path using, PODMAN_SOCKET_PATH=<podman-path> in the env. Otherwise, QScanner will refer to default /run/podman/podman.sock location. For custom Root Directory you need to set PODMAN_ROOT_DIR in env, otherwise QScanner will refer to default path /var/lib/containers/storage.
    For example,
    $ export PODMAN_ROOT_DIR=$CUSTOM_PODMAN_ROOT_DIR

    To use non-default podman socket:
    /my/custom/runtime/dir/podman/podman.sock

    $ export PODMAN_SOCKET_PATH=/my/custom/runtime/dir/podman/podman.sock
    $ ./qscanner --pod US2 --client-id $QUALYS_CLIENT_ID --client-secret
    $QUALYS_CLIENT_SECRET --storage-driver podman-overlay image centos:latest

Currently, the --storage-driver flag works only with 'docker' and 'containerd' runtimes.

 

© 2026 Qualys, Inc. All rights reserved. Privacy Policy. Last updated: March, 2026