Unlock Docker Image Secrets: From Basics to Advanced Optimization

Hello, I’m Joker, a frontline operations practitioner.

Basic Concepts of Docker Images

Docker images are essentially a

rootfs

that provides the filesystem needed for a container, containing programs, libraries, resources, configurations, and runtime parameters. For example, the

ubuntu:21.10

image includes a minimal Ubuntu root filesystem without a kernel.

Image Storage Mechanism

Docker utilizes UnionFS, specifically OverlayFS, to implement layered storage. OverlayFS consists of a lower and an upper layer, where the upper layer has higher priority. When mounting, files in the upper layer hide those in the lower layer, and modifications are written to the upper layer, preserving the lower layer as read‑only.

<code># mkdir lower upper work merge</code>

lower directory stores lower‑layer files

upper directory stores upper‑layer files

work directory stores temporary files

merge directory is the mount point

Files with the same name in both layers result in the upper version being visible. Modifications to files from the lower layer are copied to the upper layer (copy‑on‑write), leaving the lower layer unchanged.

Dockerfile and Image Relationship

A Dockerfile is the recipe for building an image. For example:

<code>FROM ubuntu:latest
ADD run.sh / 
VOLUME /data 
CMD ["./run.sh"]</code>

Running

docker build

processes the Dockerfile instructions to create a new image layered on top of the base image.

Image and Container Relationship

An image is a static file; a container is a running process created from that image. Without an image, a Docker container cannot exist.

Image Optimization Techniques

Optimizing Image Size

Choose a minimal base image (e.g., Alpine) when possible.

Reduce the number of layers by combining commands.

Delete unnecessary packages and temporary files within the same layer.

Use multi‑stage builds to discard build‑time dependencies.

Example of combining commands:

<code>FROM ubuntu:latest
RUN apt update && \
    apt install -y git curl && \
    rm -rf /var/lib/apt/lists/*
ADD run.sh /
CMD ["./run.sh"]</code>

Optimizing Build Speed

Use a local registry or caching proxy to speed up base‑image pulls.

Minimize build context with a

.dockerignore

file or a clean build directory.

Leverage Docker’s layer cache by keeping the base image and unchanged commands stable.

Image Security Management

Keep images minimal to reduce attack surface.

Run containers as non‑root users.

Scan images for vulnerabilities using built‑in Docker scanning or tools like Harbor.

Regularly review security scan results.

Conclusion

Docker images are built from layered filesystems, and understanding their storage, optimization, and security aspects is essential for creating efficient, reliable containers.

References

http://blog.daocloud.io/principle-of-docker-image/

https://www.cnblogs.com/arnoldlu/p/13055501.html

https://yeasy.gitbook.io/docker_practice/basic_concept/image