Chapter 03: Docker Images
Docker images are the building blocks of containers. They are read-only templates used to create containers.
What is a Docker Image?
A Docker image is a read-only template that contains:
- A base operating system
- Application code
- Runtime libraries
- Dependencies
- Configuration files
```
┌──────────────────────────────────────────┐
│          Docker Image Structure          │
├──────────────────────────────────────────┤
│  Application Layer                       │
│  (Your App Code)                         │
├──────────────────────────────────────────┤
│  Runtime Layer                           │
│  (Node.js, Python, Java, Go, etc.)       │
├──────────────────────────────────────────┤
│  OS Libraries Layer                      │
│  (glibc, openssl, libcrypto)             │
├──────────────────────────────────────────┤
│  Base OS Layer                           │
│  (Ubuntu, Alpine, Debian)                │
└──────────────────────────────────────────┘
```

Image Layers
Docker images are composed of multiple layers. Each instruction in a Dockerfile creates a new layer.
Layer Concept

```
Image Layer Architecture

Dockerfile:
  FROM ubuntu:20.04
  RUN apt-get update && apt-get install -y nginx
  COPY index.html /var/www/html/
  CMD ["nginx", "-g", "daemon off;"]

Resulting Layers:
  ┌─────────────┐
  │   Layer 4   │  CMD  - Container configuration
  ├─────────────┤
  │   Layer 3   │  COPY - Application files
  ├─────────────┤
  │   Layer 2   │  RUN  - Installed packages
  ├─────────────┤
  │   Layer 1   │  FROM - Base OS image
  └─────────────┘

Benefits:
  - Layers are cached and reused
  - Smaller storage footprint
  - Faster builds (only rebuild changed layers)
```

Docker Registries
A Docker registry stores Docker images. The most common registries:
1. Docker Hub
- Public registry maintained by Docker
- Default registry for Docker
- URL: https://hub.docker.com
2. Amazon ECR (Elastic Container Registry)
- AWS-managed private registry
- Integrated with AWS IAM for authentication
3. Google Container Registry (GCR)
- Google Cloud’s container registry
- Now replaced by Artifact Registry
4. GitHub Container Registry (GHCR)
- Container registry integrated with GitHub
5. Private Registries
- Harbor (open-source)
- GitLab Container Registry
- Nexus Repository
Pulling Images
Basic Pull Command

```bash
# Pull latest version
docker pull nginx

# Pull specific tag
docker pull nginx:1.25

# Pull specific architecture
docker pull --platform linux/arm64 nginx

# docker pull takes one --platform per invocation; repeat the pull for each platform you need
docker pull --platform linux/amd64 nginx
```

Understanding Image Tags
```
Image Tagging Format

Format: registry/namespace/repository:tag

Examples:

nginx:latest                                        → nginx from Docker Hub (latest tag)
nginx:1.25                                          → nginx version 1.25
nginx:alpine                                        → nginx using Alpine base
redis:7.0-alpine                                    → Redis 7.0 on Alpine Linux
myregistry.com:5000/myapp:v1                        → Private registry image
123456789.dkr.ecr.us-east-1.amazonaws.com/myapp:v1  → AWS ECR
```

Pulling Process

```bash
# docker pull has no verbose flag; per-layer progress is printed by default
docker pull nginx

# Pull and see progress as plain lines (output is not a TTY)
docker pull nginx 2>&1 | cat
```

Listing Images
```bash
# List all images
docker images

# List images with full length IDs
docker images --no-trunc

# List images in specific format
docker images --format "table {{.Repository}}\t{{.Tag}}\t{{.Size}}"

# Filter images
docker images --filter "before=nginx:1.25"
docker images --filter "dangling=true"
```

Tagging Images
Tagging assigns a name and version to an image:

```bash
# Tag image for Docker Hub
docker tag myapp:latest myusername/myapp:latest

# Tag for local registry
docker tag myapp:latest localhost:5000/myapp:v1

# Tag for AWS ECR
docker tag myapp:latest 123456789.dkr.ecr.us-east-1.amazonaws.com/myapp:v1
```

Pushing Images
Push to Docker Hub

```bash
# Login to Docker Hub
docker login

# Push image
docker push myusername/myapp:latest
```

Push to Private Registry

```bash
# Tag for private registry
docker tag myapp:latest myregistry.com:5000/myapp:v1

# Push to private registry
docker push myregistry.com:5000/myapp:v1
```

Removing Images
```bash
# Remove specific image
docker rmi nginx:1.25

# Remove dangling images (untagged and not used by any container)
docker image prune

# Remove all unused images, not just dangling ones
docker image prune -a

# Remove dangling images without the confirmation prompt
docker image prune -f
```

Inspecting Images

```bash
# View image details
docker image inspect nginx:latest

# View image history (layers)
docker history nginx:latest

# View image layers in detail
docker history --no-trunc nginx:latest
```

Image Management Workflow
```
Image Management Workflow

1. PULL     Registry (nginx, redis, myapp) ──pull──▶ local image
2. RUN      local image ──run──▶ container
3. MODIFY   container (change) ──commit──▶ new image myapp:v2
4. PUSH     new image myapp:v2 ──tag and push──▶ Registry (myapp)
```

Multi-Architecture Images
Docker supports multi-architecture images. When you pull an image, Docker automatically pulls the correct variant for your architecture.

```bash
# Check supported platforms
docker manifest inspect nginx

# Example output shows multiple architectures:
# {
#   "manifests": [
#     {
#       "platform": {
#         "architecture": "amd64",
#         "os": "linux"
#       }
#     },
#     {
#       "platform": {
#         "architecture": "arm64",
#         "os": "linux"
#       }
#     }
#   ]
# }
```
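To confirm which platforms an image really publishes instead of relying on automatic selection, the following added example (not part of the original chapter) parses a manifest list shaped like `docker manifest inspect` output and returns the digest for one platform. The JSON is a constructed sample with placeholder digests, and `platform_name`, `runnable_platforms` and `digest_for` are hypothetical helper names.

```python
import json

# Constructed sample shaped like `docker manifest inspect` output.
# Digests are placeholders, not real image digests.
SAMPLE = json.dumps({
    "schemaVersion": 2,
    "manifests": [
        {"digest": "sha256:" + "a" * 64,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"digest": "sha256:" + "b" * 64,
         "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
        # Build attestations are listed with an "unknown" platform.
        {"digest": "sha256:" + "c" * 64,
         "platform": {"architecture": "unknown", "os": "unknown"}},
    ],
})


def platform_name(platform):
    """Render a platform object as os/architecture[/variant]."""
    parts = [platform.get("os", ""), platform.get("architecture", "")]
    if platform.get("variant"):
        parts.append(platform["variant"])
    return "/".join(parts)


def runnable_platforms(manifest_json):
    """Map platform name -> digest, skipping entries that cannot be run."""
    doc = json.loads(manifest_json)
    result = {}
    for entry in doc.get("manifests", []):
        platform = entry.get("platform", {})
        if "unknown" in (platform.get("os"), platform.get("architecture")):
            continue
        result[platform_name(platform)] = entry["digest"]
    return result


def digest_for(manifest_json, wanted):
    """Return the digest for `wanted` (e.g. linux/arm64); raise if absent."""
    for name, digest in runnable_platforms(manifest_json).items():
        # linux/arm64 matches linux/arm64/v8 as well as an exact name
        if name == wanted or name.startswith(wanted + "/"):
            return digest
    raise LookupError(f"image does not publish {wanted}")


if __name__ == "__main__":
    print(digest_for(SAMPLE, "linux/arm64"))
```

A deployment check can call `digest_for` for every architecture in the fleet and fail early when one is missing.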
Best Practices for Images
1. Use Specific Tags

```bash
# Bad
docker pull nginx

# Good
docker pull nginx:1.25.3
```

2. Use Minimal Base Images

```dockerfile
# Bad - Large base image
FROM ubuntu:20.04

# Good - Minimal image
FROM alpine:3.18

# Best - Minimal with package manager
FROM node:18-alpine
```

3. Use .dockerignore

```
node_modules
npm-debug.log
.git
.gitignore
README.md
.env
*.md
```

4. Order Layers for Caching

```dockerfile
# Bad - Frequently changing first
FROM node:18
COPY . .
RUN npm install

# Good - Static dependencies first
FROM node:18
COPY package*.json ./
RUN npm install
COPY . .
```

5. Use Multi-stage Builds

```dockerfile
# Build stage
FROM node:18 AS builder
WORKDIR /app
# Install dependencies first so the build step can resolve them
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build

# Production stage
FROM node:18-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
CMD ["node", "dist/index.js"]
```
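The tag format from "Understanding Image Tags" and the "Use Specific Tags" rule can be checked mechanically. The following added example (not part of the original chapter) parses the `FROM` lines of a Dockerfile, including multi-stage builds, and reports base images that carry no tag or the `latest` tag; the sample Dockerfile is constructed and `split_ref` and `audit_dockerfile` are hypothetical helper names.

```python
def split_ref(ref):
    """Split an image reference into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    tag = None
    # A colon before the last slash is a registry port, not a tag separator.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    return name, tag, digest or None


def audit_dockerfile(text):
    """Return (line_no, image, problem) for weakly pinned base images."""
    findings, stages = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if not words or words[0].upper() != "FROM":
            continue
        # Drop flags such as --platform=linux/amd64
        args = [w for w in words[1:] if not w.startswith("--")]
        if not args:
            continue
        image = args[0]
        # FROM <earlier stage> and FROM scratch pull nothing from a registry
        local = image in stages or image == "scratch"
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])
        if local:
            continue
        _, tag, digest = split_ref(image)
        if digest:
            continue  # digest references are immutable
        if tag is None:
            findings.append((no, image, "no tag (defaults to latest)"))
        elif tag == "latest":
            findings.append((no, image, "mutable latest tag"))
    return findings


# Constructed sample Dockerfile, not taken from a real project.
SAMPLE = """\
FROM node AS builder
FROM --platform=linux/amd64 myregistry.com:5000/base:latest AS base
FROM myregistry.com:5000/myapp
FROM node:18-alpine
FROM builder
"""

if __name__ == "__main__":
    print(audit_dockerfile(SAMPLE))
```

The third sample line is the case a naive split on `:` gets wrong: `5000` is the registry port, so the image has no tag at all.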
Saving and Loading Images
Save Image to Tar

```bash
# Save image to tar file
docker save -o myapp.tar myapp:latest

# Save with compression
docker save myapp:latest | gzip > myapp.tar.gz
```

Load Image from Tar

```bash
# Load image from tar
docker load -i myapp.tar

# Load with compression
docker load < myapp.tar.gz
```

Docker Content Trust
Enable content trust for secure image pulls:

```bash
# Enable Docker Content Trust
export DOCKER_CONTENT_TRUST=1

# Now pulls will only work with signed images
docker pull nginx
```

Summary
In this chapter, you learned:
- Docker images are read-only templates
- Images are composed of multiple layers
- Registries store and distribute images
- How to pull, tag, push, and manage images
- Best practices for creating efficient images