What is a Docker image?
A Docker image is a file used to execute code in a Docker container. Docker images act as a set of instructions to build a Docker container, like a template. Docker images also act as the starting point when using Docker. An image is comparable to a snapshot in virtual machine (VM) environments.
Docker is used to create, run and deploy applications in containers. A Docker image contains application code, libraries, tools, dependencies and other files needed to make an application run. When a user runs an image, it can become one or many instances of a container.
Docker images have multiple layers, each one originates from the previous layer but is different from it. The layers speed up Docker builds while increasing reusability and decreasing disk use. Image layers are also read-only files. Once a container is created, a writable layer is added on top of the unchangeable images, allowing a user to make changes.
References to disk space in Docker images and containers can be confusing. It's important to distinguish between size and virtual size. Size refers to the disk space that the writable layer of a container uses, while virtual size is the disk space used for the container and the writeable layer. The read-only layers of an image can be shared between any container started from the same image.
Docker image use cases
A Docker image has everything needed to run a containerized application, including code, config files, environment variables, libraries and runtimes. When the image is deployed to a Docker environment, it can be executed as a Docker container. The docker run command creates a container from a specific image.
Docker images are a reusable asset -- deployable on any host. Developers can take the static image layers from one project and use them in another. This saves the user time, because they do not have to recreate an image from scratch.
Docker container vs. Docker image
A Docker container is a virtualized runtime environment used in application development. It is used to create, run and deploy applications that are isolated from the underlying hardware. A Docker container can use one machine, share its kernel and virtualize the OS to run more isolated processes. As a result, Docker containers are lightweight.
A Docker image is like a snapshot in other types of VM environments. It is a record of a Docker container at a specific point in time. Docker images are also immutable. While they can't be changed, they can be duplicated, shared or deleted. The feature is useful for testing new software or configurations because whatever happens, the image remains unchanged.
Containers need a runnable image to exist. Containers are dependent on images, because they are used to construct runtime environments and are needed to run an application.
Anatomy of a Docker image
A Docker image has many layers, and each image includes everything needed to configure a container environment -- system libraries, tools, dependencies and other files. Some of the parts of an image include:
- Base image. The user can build this first layer entirely from scratch with the build command.
- Parent image. As an alternative to a base image, a parent image can be the first layer in a Docker image. It is a reused image that serves as a foundation for all other layers.
- Layers. Layers are added to the base image, using code that will enable it to run in a container. Each layer of a Docker image is viewable under /var/lib/docker/aufs/diff, or via the Docker history command in the command-line interface (CLI). Docker's default status is to show all top-layer images, including repository, tags and file sizes. Intermediate layers are cached, making top layers easier to view. Docker has storage drives that handle the management of image layer contents.
- Container layer. A Docker image not only creates a new container, but also a writable or container layer. This layer hosts changes made to the running container and stores newly written and deleted files, as well as changes to existing files. This layer is also used to customize containers.
- Docker manifest. This part of the Docker image is an additional file. It uses JSON format to describe the image, using information such as image tags and digital signature.
Docker image repositories
Docker images get stored in private or public repositories, such as those in the Docker Hub cloud registry service, from which users can deploy containers and test and share images. Docker Hub's Docker Trusted Registry also provides image management and access control capabilities.
Official images are ones Docker produces, while community images are images Docker users create. CoScale agent is an official Docker image that monitors Docker applications. Datadog/docker-dd-agent, a Docker container for agents in the Datadog log management program, is an example of a community Docker image.
Users can also create new images from existing ones and use the docker push command to upload custom images to the Docker Hub. To ensure the quality of community images, Docker provides feedback to authors prior to publishing. Once the image is published, the author is responsible for updates. Authors must be cautious when sourcing an image from another party because attackers can gain access to a system through copycat images designed to trick a user into thinking they are from a trusted source.
The concept of a latest image may also cause confusion. Docker images tagged with ":latest" are not necessarily the latest in an ordinary sense. The latest tag does not refer to the most recently pushed version of an image; it is simply a default tag.
How to create a Docker image
Docker images can be created through either an interactive or Dockerfile method.
With this method, users run a container from an existing Docker image and manually make any needed changes to the environment before saving the image. The interactive method is the easiest way to create docker images. The first step is to launch Docker and open a terminal session. Then use the Docker run command image_name:tag_name. This starts a shell session with the container that was launched from the image. If the tag name is omitted, Docker uses the most recent version of the image. After this, the image should appear listed in results.
This approach requires making a plain text Dockerfile. The Dockerfile makes the specifications for creating an image. This process is more difficult and time-consuming, but it does well in continuous delivery environments. The method includes creating the Dockerfile and adding the commands needed for the image. Once the Dockerfile is started, the user sets up a .dockerignore file to exclude any files not needed for the final build. The .dockerignore file is in the root directory. Next, the Docker build command is used to create a Docker image and an image name and tag are set. Lastly, the Docker images command is used to see the created image.
Docker image commands
According to Docker, there are sets of primary Docker image commands, categorized as child commands; some include the following:
- docker image build. Builds an image from a Dockerfile.
- docker image inspect. Displays information on one or more images.
- docker image load. Loads an image from a tar archive or streams for receiving or reading input (STDIN).
- docker image prune. Removes unused images.
- docker image pull. Pulls an image or a repository from a registry.
- docker image push. Pushes an image or a repository to a registry.
- docker image rm. Removes one or more images.
- docker image save. Saves one or more images to a tar archive (streamed to STDOUT by default).
- docker image tag. Creates a tag TARGET_IMAGE that refers to SOURCE_IMAGE.
The Docker CLI provides commands that are used to customize Docker images. Examples of Docker image commands include the following:
- docker image history. Shows the history of an image, including changes made to it and its layers.
- docker update. Enables a user to update the configuration of containers.
- docker tag. Creates a tag, such as TARGET_IMAGE, which enables users to group and organize container images.
- docker search. Looks in Docker Hub for whatever the user needs.
- docker save. Enables a user to save images to an archive.
- docker compose. Used to handle an environment variable.
Docker images are an important concept and tool to know when working within Docker to create applications in containerized environments. Learn more about managing containers and securing Docker images.