When a Dockerfile instruction like `RUN` or `COPY` is executed, a new read-only filesystem is added on top of the previous one. What are these individual filesystems called?
These individual read-only filesystems are called layers, or more precisely, image layers. Docker constructs images using a Union File System, which allows multiple distinct filesystems to be stacked together, presenting them as a single, coherent filesystem. Each instruction in a Dockerfile that modifies the filesystem, such as `RUN`, `COPY`, or `ADD`, creates a new, independent read-only layer. For instance, a `RUN` instruction executes a command and commits the resulting filesystem changes as a new layer, while a `COPY` instruction adds files from the build context directly into a new layer.

Once a layer is created, it becomes immutable, meaning its contents cannot be altered. This immutability is fundamental for Docker's efficiency, enabling layers to be effectively cached and shared across multiple images, which significantly saves disk space and accelerates image builds.

When a Docker container is launched from an image, a new, thin, writable layer is added on top of all the image's read-only layers. All modifications made by the running container, such as creating new files, deleting existing ones, or changing file contents, occur exclusively within this top writable layer. This mechanism, known as copy-on-write, ensures that the underlying read-only image layers remain untouched; if a container modifies a file present in a lower read-only layer, that file is first copied to the writable layer, and then the changes are applied to the copy.
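The following is an added toy model of the mechanism described in the answer, not Docker's own code: a stack of immutable image layers merged into one view, plus a writable container layer with copy-on-write. Deletions are modelled as whiteout markers named `.wh.<file>`, borrowing the OverlayFS/AUFS naming convention, although the real storage drivers implement whiteouts differently (character devices, xattrs). The `Layer`, `Container`, `build_image` and `files_in_any_layer` names, and the Dockerfile-like step labels, are invented for the illustration. Besides the read path and copy-on-write, it shows the consequence of immutability that a security reviewer cares about: a file copied in by one instruction and `rm`'d by a later one disappears from the merged view but is still physically present in the earlier layer, and therefore in the distributed image.

```python
"""Toy union filesystem: immutable image layers + writable container layer.

Added illustration only, not Docker's implementation. Whiteout markers use the
OverlayFS/AUFS-style ".wh.<name>" naming; real drivers differ in mechanism.
"""
from __future__ import annotations
from dataclasses import dataclass
from types import MappingProxyType
from typing import Mapping, Optional

WHITEOUT_PREFIX = ".wh."


@dataclass(frozen=True)
class Layer:
    """One read-only image layer: absolute path -> file contents."""
    name: str                   # label, e.g. the instruction that produced it
    files: Mapping[str, bytes]

    @staticmethod
    def from_dict(name: str, files: dict[str, bytes]) -> "Layer":
        # MappingProxyType gives a read-only view: the layer cannot be altered.
        return Layer(name, MappingProxyType(dict(files)))


def whiteout(path: str) -> str:
    """Marker path that hides `path` in all layers below the one holding it."""
    head, _, tail = path.rpartition("/")
    return f"{head}/{WHITEOUT_PREFIX}{tail}" if head else f"{WHITEOUT_PREFIX}{tail}"


def resolve(layers: list[Layer], path: str) -> Optional[bytes]:
    """Merged view: search from the top layer down; a whiteout stops the search."""
    wh = whiteout(path)
    for layer in reversed(layers):
        if wh in layer.files:
            return None
        if path in layer.files:
            return layer.files[path]
    return None


def build_image(steps: list[tuple[str, dict[str, bytes]]]) -> list[Layer]:
    """Each filesystem-changing instruction commits exactly one new layer."""
    return [Layer.from_dict(name, files) for name, files in steps]


def files_in_any_layer(image: list[Layer], path: str) -> list[str]:
    """Layers that physically carry `path`, regardless of the merged view."""
    return [layer.name for layer in image if path in layer.files]


class Container:
    """Shared read-only image layers plus this container's private writable layer."""

    def __init__(self, image: list[Layer]):
        self.image = list(image)        # same Layer objects as every other container
        self.rw: dict[str, bytes] = {}  # thin writable layer, unique to this container

    def _stack(self) -> list[Layer]:
        return self.image + [Layer("container-rw", self.rw)]

    def read(self, path: str) -> Optional[bytes]:
        return resolve(self._stack(), path)

    def write(self, path: str, data: bytes) -> None:
        # Copy-on-write: the lower copy is never modified, only shadowed.
        self.rw[path] = data
        self.rw.pop(whiteout(path), None)

    def append(self, path: str, data: bytes) -> None:
        current = self.read(path) or b""  # copy the lower file up ...
        self.write(path, current + data)  # ... and change the copy

    def delete(self, path: str) -> None:
        self.rw.pop(path, None)
        self.rw[whiteout(path)] = b""     # deletion is recorded, not performed below


def demo() -> dict:
    # Constructed example image: a base file, a key copied in, then "removed".
    image = build_image([
        ("FROM base",                {"/etc/os-release": b"ID=toy\n"}),
        ("COPY id_rsa /root/.ssh/",  {"/root/.ssh/id_rsa": b"-----BEGIN KEY-----FAKE\n"}),
        ("RUN rm /root/.ssh/id_rsa", {whiteout("/root/.ssh/id_rsa"): b""}),
    ])
    c1, c2 = Container(image), Container(image)
    c1.append("/etc/os-release", b"NAME=patched\n")   # copy-on-write in c1 only
    c2.delete("/etc/os-release")                       # whiteout in c2 only
    return {
        "secret_visible": c1.read("/root/.ssh/id_rsa"),
        "secret_in_layers": files_in_any_layer(image, "/root/.ssh/id_rsa"),
        "c1_os_release": c1.read("/etc/os-release"),
        "c2_os_release": c2.read("/etc/os-release"),
        "base_os_release": image[0].files["/etc/os-release"],
        "c1_rw_paths": sorted(c1.rw),
        "c2_rw_paths": sorted(c2.rw),
    }
```

Running `demo()` shows the merged view hiding `/root/.ssh/id_rsa` while `files_in_any_layer` still reports it in the `COPY` layer; both containers see their own changes to `/etc/os-release`, and the base layer's copy is unchanged. The practical check in real Docker is the same idea: inspect each layer of `docker save` output or `docker history` rather than trusting what a running container shows.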