The-Ramadhan

Image

#docker#container#image

Image is a read-only template that contains everything needed to run an application. Images are build-time constructs.

Many container can be created from a single image. An image and the containers that run from it are bound. This means that the image cannot be deleted until all the containers running from it are deleted.

On Linux, image sizes usually are very small.

The image that ships without shells and package managers is called slim images.

The image also contains only enough OS-kernel-related components (usually file-system objects).

Repository

The repository is where the docker image is stored.

Local Repository is where images stored in our local machine. In Linux, it’s usually on /var/lib/docker/<storage-driver>.

To list image, use docker image ls command.

To pull an image from a remote repository, use docker pull <image_name>.

Docker will assume (unless otherwise specified) that the image is pulled from the Docker Hub and that the default image tag is latest.

Docker pulls images layer by layer. Shared layers are cached. So, no two identical layers are stored together in a repository.

Registry

Image Registry refers to a centralized place to store docker images, either public or private. Most registries implement OCI distribution-spec.

An image registry contains one or more repositories. A repository contains one or more images.

Example of image registry:

  • Docker Hub (hub.docker.com)
  • Github Container Registry (ghcr.io)
  • Red Hat Quay
  • LinuxServer.io Container Registry
  • harbor (goharbor.io)
  • Cloud-Specific
    • AWS ECR
    • Azure ACR
    • Google GCR

Name & Tag

The image name is called the tag. The same image could have a different tag.

The fully qualified image name is as follows:

<registry>/<username/orgname>/<repository>/<image/tag>

Example:

docker.io/langchain/langchain:latest

Registry default to docker hub. Tag default to latest.

Layer

Images are built from stacked read-only layers that docker presents as a single unified file system. This layer contains one or more files. The layers are stacked in the order they were built.

A layer is stored independently in the storage. Images are just metadata that point to layers that are used to build it.

There are a few ways to inspect layer:

  • Using docker pull command
    • When pulling an image, we can see the image is downloaded per layer and extracted sequentially from the bottom layer to the top.
    • this command shows the short id of the image
  • Using docker image inspect command
    • this command shows detailed information about an image, including layers
    • layers shown their sha256 hash.
  • Using docker image history command
    • this command shows build history of the image
    • all Dockerfile instruction is shown here, not only the instruction that adds layer (RUN, COPY, ADD)

Image can share layers in a local repository or registry to save space.

Every layer is immutable and has its own content hash.

Digest

Image digest are hash of the image manifest file Layer digest are hash of the layer content.

Image that stored in registries are compressed. Image compressed before pushed to registries. The compressed version of image also has its own hash called distribution hash. To see distribution hash use docker manifest inspect command.

Image that stored in local repository is not compressed. Image is extracted after downloaded from the registries. The hash of uncompressed image is called content hash. To see content hash use docker image inspect command.

Manifest

A docker tag may support multiple architectures. Docker uses image manifest and manifest list.

An Image manifest contains supported architecture info and its content digest. Every architecture has its own content digest.

A manifest list contains a list of the manifest from all architecture supported by the image.

When pulling an image, the client gets a big fat manifest containing all the manifest from all architecture. Then, our client checks for match architecture. Then, it parses the manifest to get a list of layers and downloads it (if not yet cached).

To see the image manifest and all supported architecture, use below command:

docker manifest inspect <repo_name>

Deleting Image

Image can be deleted using docker image rm or docker rmi command.