About
This page is about the container image in Docker.
OCI is the standardized container format used by Docker
Identification / Full Qualified Name
name
# or a tagged name
name[:tag]
# or a digest name
name[@sha:]
# or a namespace scoped tagged name
[namespace/]name[:tag]
# or a namespace scoped digest name
[namespace/]name[@sha:]
# or a Full Qualified Name by tag with the registry
[registryHost/]namespace/name[:tag]
# a Full Qualified Name by digest with the registry
[registryHost/]namespace/name[@sha256:]
where:
- sha256:e90fc3a is the digest, the machine readable version of the image (unique) (default to latest)
- tag is the human readable version of the image (default to latest)
- namespace is a namespace that identifies generally a user or organization.
- For example the image training/sinatra has been created by the user training.
- An empty namespace corresponds to the official images of the registry host (docker generally)
- name is the image name
- registryHost/namespace/name identifies the repository (ie where images with the same name but different version/tag can be stored)
- registryHost is the registry host
- default to the dockerhub: docker.io
- for github: ghcr.io
- for a custom local. Example: myregistry.local:5000
Tag
See Docker - Tag (Tag, push, and pull your image)
A repository potentially holds multiple variants of an image
In the case of the ubuntu image, there is multiple variants covering Ubuntu 10.04, 12.04, 12.10, 13.04, 13.10 and 14.04. Each variant is identified by a tag and you can refer to a tagged image like so:
ubuntu:14.04
Digest
In the registry, all images are content addressable, referenced by a digest (currently sha256)
Example of image referencing with digest
# the format
registry/user/image-name@sha256:digest
# an example
docker.io/user/image-name@sha256:e90fc3a3b363b6d74b2f07392e5cd02f0c782bcd0c3ca84078f5c7722346ec88
A digest is also known as an immutable tags.
It is strongly recommended to use immutable tags in a production environment to ensures the deployment does not change automatically if the same tag is updated with a different image.
To see the digest for images:
docker images --digests
To pull with a digest
docker pull NAME@sha256:xxx
Management
Location
Docker stores downloaded images on the Docker host at the Docker Root Dir location
sudo ls /var/lib/docker/image/aufs
distribution imagedb layerdb repositories.json
List
- One
docker images --filter reference=image-name
- All
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker-whale latest 1351cae1fdfb About a minute ago 275.1 MB
ubuntu latest f753707788c5 7 weeks ago 127.2 MB
hello-world latest c54a2cc56cbb 5 months ago 1.848 kB
docker/whalesay latest 6b362a9f73eb 18 months ago 247 MB
training/webapp latest 6fae60ef3446 19 months ago 348.8 MB
where
- repository is what repository they came from, for example ubuntu.
- tag are the tags for each image, for example 14.04.
- Image id: The image ID of each image.
Id
name[:tag]
where:
Name
[user/]name
Build Version
Next to the tag, image may have more labels to set more defiinition on the build.
Example: with inspect and the label build_version
docker inspect -f '{{ index .Config.Labels "build_version" }}' <image_name>
Base
A base image is a minimal linux image where you start to build more complicated image. See Docker - dockerfile
Example:
Remove
docker rmi -f (name or id)
where:
- name: name of the image
- id: id of the image
Visualization
Visualization of the image and their different layer:
(Pre) load
Docker will automatically download any image you use that isn’t already present on the Docker host when you try to run it. If you want to pre-load an image you can download it using the docker pull
Layer
When doing a pull, you can see that each layer of the image has been pulled down
docker pull centos
Using default tag: latest
latest: Pulling from library/centos
f1b10cd84249: Pull complete
c852f6d61e65: Pull complete
7322fbe74aa5: Pull complete
Digest: sha256:90305c9112250c7e3746425477f1c4ef112b03b4abe78c612e092037bfecc3b7
Status: Downloaded newer image for centos:latest
Create
To create an image, you can
- use a Dockerfile to specify instructions to (create|build) an image.
- create a commit from an existing container
docker commit containerName imageName
Update
You can update a container created from an image and commit the results to an image.
You can commit the changes made to an image
docker commit -m "Added json gem" -a "Kate Smith" 0b2616b0e5a8 ouruser/sinatra:v2
where:
- -m: commit message
- -a: commit author
- 0b2616b0e5a8: the container ID
- ouruser/sinatra:v2: the target image
Searching
# docker search searchTerm
docker search oracle
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
wnameless/oracle-xe-11g Oracle Express 11g R2 on Ubuntu 16.04 LTS 352 [OK]
oraclelinux Oracle Linux is an open-source operating s... 260 [OK]
alexeiled/docker-oracle-xe-11g This is a working (hopefully) Oracle XE 11... 185 [OK]
sath89/oracle-12c Oracle Standard Edition 12c Release 1 with... 78 [OK]
sath89/oracle-xe-11g Oracle xe 11g with database files mount su... 76 [OK]
where:
- OFFICIAL means that it comes from an official repository
- AUTOMATED means that the build is automated.
Run
A container is a running instance of an image that you create with a run command.
Save / Export
docker save [OPTIONS] IMAGE [IMAGE...]
Inspect
To see the property of the image such as the entrypoint, you can use the inspect command
How to see the files (mount)
Docker image are just a file store that you can run.
Example with mkfs where they are transformed as a the ext3 file system format 1)
#!/usr/bin/env bash
set -euo pipefail
IMG="$1"
DOCKER_IMAGE_SIZE_IN_MB="$2"
# We have to pick a fixed size in advance for the .img file we create, so base it on the size
# of the original Docker image to avoid either wasting space or having the later tar extraction
# step fail with out of disk space errors. The image will be mounted read-only at runtime, so
# does not need free space for app files (separate mounts are used for those). The multiplier
# here is to account for the 5-6% loss of usable space due to ext3 filesystem overhead, as well
# as to ensure a few MB additional free space headroom.
IMG_SIZE_IN_MB=$((DOCKER_IMAGE_SIZE_IN_MB * 107 / 100))
echo "Using file size of ${IMG_SIZE_IN_MB} MB based on Docker image size of ${DOCKER_IMAGE_SIZE_IN_MB} MB"
mkdir -p "$(dirname "$IMG")"
# Create an empty file of the specified size.
# Using `fallocate` instead of `dd` since it's faster, simpler for this use-case, and doesn't
# suffer from `dd`'s non-determinism when attempting to copy an exact number of bytes:
# https://unix.stackexchange.com/a/121888
fallocate --length "${IMG_SIZE_IN_MB}MiB" "${IMG}"
# Format that file as an ext3 filesystem.
# The `-T` argument forces the 'default' config profile to be used, since otherwise if the filesystem size
# is less than 512 MB (as is the case for Heroku-24's run image) the 'small' profile would be used instead.
# The `-m` argument reduces reserved-blocks-percentage from its default of 5% to 1%.
# TODO: Switch to calling `mkfs.ext3` or `mke2fs -t ext3` since the `mkfs` alias is deprecated:
# https://manpages.ubuntu.com/manpages/jammy/en/man8/mkfs.8.html
mkfs -t ext3 -T default -m 1 -v "$IMG"
# Adjust the filesystem parameters for improved performance on runtime instances.
# The `-c` and `-i` arguments disable automatic filesystem checks, which are otherwise run based
# on number of times the image is mounted, or how much time has passed since the last check.
tune2fs -c 0 -i 0 "$IMG"
It is then just a file store format that you can mount 2)
#!/usr/bin/env bash
set -euo pipefail
IMG="$1"
IMG_MNT="$2"
mkdir -p "$IMG_MNT"
mount -o loop,noatime,nodiratime "$IMG" "$IMG_MNT"