This is the sixth day of my participation in the November Gwen Challenge. See details: The Last Gwen Challenge 2021.

Because containers are created from images, it is important to understand how images are structured and how they work internally.

Base images

A base image is the foundational image, usually a minimal Linux image such as Ubuntu, on which we install the software and applications we need. Strictly speaking, a base image is one built from nothing (scratch, for example, is an empty image containing nothing but metadata). From the earlier content we already know that the Docker ubuntu image is only a little over 70 MB, while a full Ubuntu installation is generally more than 2 GB. How does Docker make the Ubuntu container image so small? The answer lies in the structure of the Docker image.

The layered structure of images

A typical Linux system needs two filesystems to start: bootfs and rootfs, which belong to kernel space and user space respectively. When Linux boots, bootfs is loaded and then unmounted once startup is complete, while rootfs remains present and contains the directories the system needs to run, such as /dev, /proc and /bin. A base image uses the host's kernel directly and only needs to provide its own rootfs, which can be trimmed down as needed; this is what makes Docker images lightweight. Containers can only use the host kernel and cannot modify it, so if your application runs only on a specific kernel version, containers are not recommended.

Figure: image layered structure diagram

As shown in the figure above, a new image installs software on top of the base image, and each installation step adds a layer to the image. Why this design? Because it lets resources be shared: different containers created from the same image share its image layers. What distinguishes one container from another is its own container layer, which records that container's changes relative to the image. This mechanism is called copy-on-write: a file is copied into the container layer only when the container changes it.

To summarize: the container layer records the changes made on top of the image. All image layers are read-only and cannot be modified by the container, so one image can be shared by many containers.
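The sharing and copy-on-write behaviour described above, as an added toy model in Python (not code from the original post, and not Docker's real overlay2 driver): image layers are read-only mappings shared by reference, each container gets its own writable layer, lookups search top-down, and a deletion is recorded as a whiteout marker rather than touching the image. All paths and contents are constructed sample data.

```python
"""Toy model of Docker image layers plus a copy-on-write container layer (added
example). Lookup imitates a union filesystem: upper layer wins, whiteout hides."""
from types import MappingProxyType

WHITEOUT = object()  # marker recorded when an upper layer deletes a lower file

def image_layer(files):
    """Image layers are read-only once built: wrap them so writes raise."""
    return MappingProxyType(dict(files))

def image_layer_is_read_only(layer):
    """Return True if writing into the layer is rejected (as for a built image)."""
    try:
        layer["/bin/sh"] = "tampered"
    except TypeError:
        return True
    return False

class Container:
    """A container = shared read-only image layers + one private writable layer."""

    def __init__(self, image_layers):
        self.image_layers = image_layers   # shared by reference, never copied
        self.container_layer = {}          # records only this container's changes

    def read(self, path):
        # Search top-down: container layer first, then image layers newest-first.
        for layer in (self.container_layer, *reversed(self.image_layers)):
            if path in layer:
                return None if layer[path] is WHITEOUT else layer[path]
        return None

    def write(self, path, content):
        self.container_layer[path] = content   # copy-on-write: image untouched

    def delete(self, path):
        self.container_layer[path] = WHITEOUT  # whiteout; image file still exists

def demo():
    """Two containers from one image: each sees only its own changes."""
    base = image_layer({"/bin/sh": "shell", "/etc/os-release": "ubuntu"})
    app = image_layer({"/app/run.py": "v1"})
    image = (base, app)                    # bottom -> top, like Dockerfile steps
    c1, c2 = Container(image), Container(image)
    c1.write("/app/run.py", "v2")          # lands in c1's container layer only
    c2.delete("/etc/os-release")           # whiteout in c2's container layer only
    return {"c1_run": c1.read("/app/run.py"), "c2_run": c2.read("/app/run.py"),
            "c1_rel": c1.read("/etc/os-release"), "c2_rel": c2.read("/etc/os-release"),
            "image_run": app["/app/run.py"], "base_ro": image_layer_is_read_only(base)}
```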