Chapter Two

Images

An image is the read-only artifact a container runs from — and underneath the friendly tag it is a stack of content-addressed layers named by a SHA-256 digest. This chapter reads images the way you'd read a dependency's source: their layers, their manifests, the difference between a movable tag and an immutable digest, how pulling fills the local store, and how the base you build on sets size and security surface for the life of the image.

6 topics

Chapter 1 drew the line between an image and a container. This chapter takes the image apart. An image is an ordered stack of read-only layers, each a set of filesystem changes, merged into one root filesystem by a union mount — and identified not by its tag but by the SHA-256 digest of its manifest. Once you can read that structure, an image stops being a black box and becomes a dependency you can audit before you trust it.

You will inspect the two images Driftwood depends on — the official postgres:16 and nginx:1.27-alpine — before building anything of your own: their layers, their digests, their sizes, and what their history hides. Along the way the pieces that matter for reproducibility fall into place: why a deleted file doesn't shrink an image, why a tag can change under you while a digest cannot, why the second pull is instant, and why the base image you pick is the most consequential single line in a Dockerfile.

Topics in This Chapter

Topic 07
Image Layers and the Union Filesystem
An image is an ordered stack of read-only layers merged by overlay2 into one filesystem view. Copy-on-write, content-addressed layer sharing, and why deleting a file in a later layer never shrinks the image.
Tags: Layers, Filesystem
Topic 08
Manifests, Digests, and the Registry View
Underneath the tag, an image is identified by content. The manifest JSON, content-addressed layers, the image digest that pins exact bytes, and the multi-arch manifest list that serves the right image per platform.
Tags: Manifest, Registry
Topic 09
Tags vs Digests
A tag is a movable human label; a digest is an immutable content id. What :latest really is, why re-pushing a version tag breaks consumers, and pinning by digest as the unit of a reproducible deploy.
Tags: Pinning, Immutability
Topic 10
Pulling Images and the Local Store
How docker pull fetches an image layer by layer, why the second pull is instant, when docker run does network work, how unqualified names resolve, and why the local store fills the disk quietly.
Tags: Pull, Local store
Topic 11
Inspecting an Image
Reading an image before you run it. docker image inspect for the config, docker history for how it was built and what secrets it hides, per-layer sizes to find the bloat, and provenance labels.
Tags: Inspect, Supply chain
Topic 12
Base Images
The FROM line sets your size, attack surface, and debugging story. The spectrum from full distro through slim, alpine, and distroless to scratch — and the musl caveat that makes alpine not a free win.
Tags: Base image, Size