Docker Image

  • A Docker image is a read-only, layered filesystem snapshot containing everything needed to run an application: code, runtime, libraries, environment variables, and configuration.
  • Images are immutable - you never modify a running image. Updates mean building a new image.
  • Built from a Dockerfile using docker build. Hosted on a registry and pulled to any machine with a Docker runtime.

![Docker image layers](/images/virtualization/Untitled 18 4.png)

  • Every instruction in a Dockerfile that modifies the filesystem creates a new layer.

  • Layers are stacked using a Union Filesystem (overlayfs on modern Linux). Each layer contains only the delta from the previous.

  • Layers are cached and reused - if a layer hasn’t changed, Docker skips rebuilding it and reuses the cached version. This makes rebuilds fast.

    FROM ubuntu:22.04 → Layer 1: Base OS filesystem
    RUN apt-get install nginx → Layer 2: nginx binaries added
    COPY ./site /var/www/html → Layer 3: your site content added
  • Shared layers: Multiple images that share a base layer (e.g., all your apps based on node:20-alpine) only store that base layer once on disk. No duplication.

![Layered build process](/images/virtualization/Pasted image 20240806192051.png)

| | Docker Image | Docker Container |
|---|---|---|
| What it is | Blueprint (read-only layers) | Running instance of an image |
| State | Static, immutable | Has a writable layer on top |
| Lifecycle | Built once, used many times | Created from an image, stopped, removed |
| Storage | Passive - no CPU/RAM required | Active - consumes RAM while running |
| Data | Baked in at build time | Runtime writes go to container layer (ephemeral) |
| Sharing | Pushed/pulled via registry | Not shareable - run a new container instead |

  • When a container starts, Docker adds a thin read-write layer on top of the image’s read-only layers.
  • Any data written to this layer is lost when the container is removed unless mounted to a volume.

    # Build an image from a Dockerfile in the current directory
    docker build -t my-app:1.0 .

    # List images on the local machine
    docker images

    # Pull an image from a registry
    docker pull nginx:alpine

    # Inspect image layers and metadata
    docker inspect nginx:alpine
    docker history nginx:alpine # Show all layers

    # Tag an existing image for a different registry
    docker tag my-app:1.0 myregistry.io/team/my-app:1.0

    # Push to a registry (must be logged in)
    docker push myregistry.io/team/my-app:1.0

    # Remove an image
    docker rmi my-app:1.0

    # Remove dangling (untagged) images only — images used by stopped containers are kept
    docker image prune

    # Remove ALL unused images (not referenced by any container, running or stopped)
    docker image prune -a

Images are identified as: [registry/][namespace/]name[:tag]

| Example | Meaning |
|---|---|
| nginx | docker.io/library/nginx:latest (implicit) |
| nginx:alpine | Official nginx, alpine variant |
| myregistry.io/myteam/app:v2.1 | Private registry, specific version |
| myapp@sha256:abc123... | Pinned to exact digest - most reproducible |

  • Always pin versions in production - nginx:1.25.3 not nginx:latest. Tags are mutable; latest can change without warning.
  • Use digest pinning for critical dependencies - digest (sha256:...) is immutable and guarantees the exact image.
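
The naming format and pinning advice above, as an added example that is not part of the original page: a Python parser that expands a reference to its implicit registry, namespace and tag, then reports how strongly it is pinned. The function names, the `localhost:5000/app` sample and the all-zero digest are constructed for illustration.

```python
from typing import NamedTuple, Optional

class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

def parse_image_ref(ref: str) -> ImageRef:
    """Split [registry/][namespace/]name[:tag][@digest], applying Docker's defaults."""
    name, _, digest = ref.partition("@")
    # ':' is a tag separator only after the last '/'; before it, a registry port.
    head, slash, last = name.rpartition("/")
    last, _, tag = last.partition(":")
    name = head + slash + last
    first, slash, rest = name.partition("/")
    # The first component names a registry only if it looks like a host.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name
    if registry == "docker.io" and "/" not in repository:
        repository = "library/" + repository  # official images namespace
    if not tag and not digest:
        tag = "latest"  # implicit default tag
    return ImageRef(registry, repository, tag or None, digest or None)

def pin_level(ref: str) -> str:
    """Classify a reference: 'digest', 'tag' (mutable) or 'floating' (latest)."""
    r = parse_image_ref(ref)
    if r.digest:
        return "digest"
    return "floating" if r.tag == "latest" else "tag"

def audit(refs):
    """Map every reference that is not digest-pinned to its pin level."""
    return {ref: lvl for ref in refs if (lvl := pin_level(ref)) != "digest"}

# Constructed samples; the all-zero digest is a placeholder, not a real image.
SAMPLES = ["nginx", "nginx:alpine", "myregistry.io/myteam/app:v2.1",
           "localhost:5000/app", "myapp@sha256:" + "0" * 64]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{pin_level(ref):8}  {ref}  ->  {parse_image_ref(ref)}")
```

Running `audit()` over the image references collected from Dockerfiles or deployment manifests gives a quick list of everything that can still change underneath a deployment.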