A Docker image is a file, composed of multiple layers, used to execute code in a Docker container. An image is essentially built from the instructions for a complete and executable version of an application, which relies on the host OS kernel. When a Docker user runs an image, it becomes one or more instances of a container.
Docker is an open source OS-level virtualization software platform primarily designed for Linux and Windows. Docker uses resource isolation features of the OS kernel, such as cgroups in Linux, to run multiple independent containers on the same OS. A container that moves from one Docker environment to another with the same OS will work without changes, because the image includes all of the dependencies needed to execute the code.
Docker images and layers
A Docker image is made up of multiple layers. A user composes each Docker image to include system libraries, tools, and other files and dependencies for the executable code. Image developers can reuse static image layers for different projects. Reuse saves time, because a user does not have to create everything in an image.
Most Docker images start with a base image, although a user can build one entirely from scratch, if desired. Each image has one readable/writable top layer over static layers. Layers are added to the base image to tailor the code to run in a container. Each layer of a Docker image is viewable under /var/lib/docker/aufs/diff, or via the docker history command in the command line interface (CLI). By default, Docker shows all top-level images, along with their repository, tags and file sizes. Intermediate layers are cached, which makes top layers easier to view. Docker uses storage drivers to manage the contents of image layers.
When a new container is created from an image, a writable layer is also created. This layer is called the container layer, and it hosts all changes made to the running container. This layer can store newly written files, modifications to existing files and newly deleted files. The writable layer allows customization of the container. Changes made to the writable layer are saved on that layer. Multiple containers can share the same underlying base image and have their own data state thanks to the writable layer.
The Docker CLI enables a user to initiate certain commands that customize Docker images. Examples of Docker commands for images follow:
- history: docker history shows the history of an image, including changes made to it and its layers.
- update: docker update allows a user to update the configuration of containers.
- tag: docker tag creates a tag, such as target_image, which enables users to group and organize container images.
- search: docker search looks in Docker Hub, an image repository, for whatever the user needs.
- save: docker save allows a user to save images to an archive.
- rmi: docker rmi removes one or multiple images.
Docker image repositories
Docker users store images in private or public repositories, and from there can deploy containers, test images and share them. Docker offers Docker Hub, which is a cloud-based registry service that includes private and public image repositories. It also has Docker Trusted Registry, which adds image management and access control features.
Official images have been produced by Docker, while community images are images created by Docker users. CoScale agent is an example of an official Docker image, which provides monitoring of Dockerized applications. An example of a community Docker image is datadog/docker-dd-agent, which is a Docker container for agents in the log management program Datadog.
A user can upload their own custom image to the Docker Hub by using the docker push command. To ensure the quality of community images, Docker reviews the image and provides feedback for the image author before publishing. Once it is published, the author of the image is responsible for updates. Use prudent caution when sourcing an image from another party, as attackers can gain access to a system through copycat images designed to trick a user into thinking they are from a trusted source.
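One way to act on that caution before pulling, as an added example that is not part of the original article: normalize each image reference and flag repository names that sit within a small edit distance of a trusted one. The allowlist, the distance threshold and the sample misspellings are constructed assumptions; only datadog/docker-dd-agent comes from the text above.

```python
# Added example: flag image references that imitate a trusted repository name.
# TRUSTED is a constructed allowlist; derive a real one from your registry policy.
TRUSTED = {"library/nginx", "library/ubuntu", "datadog/docker-dd-agent"}


def normalize(ref):
    """Strip tag and digest and return the repository part of an image reference."""
    repo = ref.split("@", 1)[0]                # drop an @sha256:... digest
    head, _, tail = repo.rpartition("/")
    tail = tail.split(":", 1)[0]               # drop :tag (a registry port sits before the last "/")
    repo = f"{head}/{tail}" if head else tail
    if repo.startswith("docker.io/"):
        repo = repo[len("docker.io/"):]
    if "/" not in repo:
        repo = "library/" + repo               # Docker Hub official images live under library/
    return repo


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(ref, max_distance=2):
    """Return (verdict, repository): trusted, lookalike of a trusted name, or unknown."""
    repo = normalize(ref)
    if repo in TRUSTED:
        return ("trusted", repo)
    for good in sorted(TRUSTED):
        if edit_distance(repo, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", repo)


if __name__ == "__main__":
    # Constructed sample references; "ngnix" and "datadoq" are made-up misspellings.
    for ref in ["nginx:1.25", "ngnix:latest", "datadoq/docker-dd-agent", "redis:7"]:
        print(ref, "->", classify(ref))
```

An "unknown" verdict only means the repository is outside the allowlist; a "lookalike" verdict is the case that warrants a manual check of the publisher before the image is pulled.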