Demystifying Docker: How Images, Containers, and Commands Really Work

Preface

This article aims to help readers deeply understand Docker commands, as well as the differences between containers and images, and between containers and running containers.

Side note: Mastering a technology is best achieved by understanding the underlying principles, rather than relying on marketing hype or new terminology.

Image Definition

An image is a unified view of a stack of read‑only layers. The diagram below illustrates this definition.

Multiple read‑only layers overlap, each pointing to the next layer except the bottom one. These layers are Docker's internal implementation and are accessible on the host file system.

The union file system merges these layers into a single view, hiding the multiple layers from the user.

You can find these layers on the host under /var/lib/docker/aufs.

/var/lib/docker/<br/>├── aufs<br/>├── containers<br/>├── graph<br/>├── init<br/>├── linkgraph.db<br/>├── repositories-aufs<br/>├── tmp<br/>├── trust<br/>└── volumes<br/>7 directories, 2 files

Container Definition

A container is almost identical to an image: a stack of layers with a unified view, but the top layer is read‑write.

Note that the definition does not mention whether the container is running; this distinction clarifies many confusions.

Key point: Container = Image + read‑write layer. The definition does not specify if the container is running.

Next, we discuss running containers.

Running Container Definition

A running container consists of a read‑write unified file system, an isolated process space, and the processes inside that space.

File‑system isolation makes Docker powerful. Processes inside a container modify the read‑write layer.

You can verify this with the following command: docker run ubuntu touch happiness.txt Even after the container stops, the file remains on the host:

find / -name happiness.txt<br/>/var/lib/docker/aufs/diff/860a7b...889/happiness.txt

Image Layer Definition

To consolidate scattered data, we introduce the concept of an image layer. Each layer contains not only file‑system changes but also additional metadata.

Every layer also stores a pointer to its parent layer; the bottom layer has no parent.

Metadata Location

On my host, image‑layer metadata is stored in a file named json: /var/lib/docker/graph/e809f156dc985.../json e809f156dc985... is the layer ID.

A container’s metadata is split across many files, typically found under /var/lib/docker/containers/ , containing runtime data such as network settings and logs.

Tying It All Together

Now we can understand Docker commands in terms of the underlying layers.

docker create <image-id>

docker create adds a read‑write layer to the specified image, creating a new container that is not running.

docker start <container-id>

docker start creates an isolated process space for the container.

docker run <image-id>

Docker run combines create and start into a single step.

docker ps

docker ps lists only running containers; use docker ps -a to see all containers.

docker ps -a

docker ps -a lists both running and stopped containers.

docker images

docker images shows top‑level images; each top‑level image hides multiple read‑only layers.

docker images -a

docker images -a lists all images (all read‑only layers). Use docker history to view an image’s layer history.

docker stop <container-id>

docker stop sends a SIGTERM to the container’s processes.

docker kill <container-id>

docker kill sends a SIGKILL to all processes in the container.

docker pause <container-id>

docker pause uses cgroups to suspend the container’s processes.

docker rm <container-id>

docker rm removes the container’s read‑write layer (only for stopped containers).

docker rmi <image-id>

docker rmi removes a top‑level image layer; use -f to force removal of intermediate layers.

docker commit <container-id>

docker commit converts a container’s read‑write layer into a read‑only image.

docker build

docker build repeatedly executes a series of commands (run, modify, commit) for each instruction in a Dockerfile, creating new layers each time.

docker exec <running-container-id>

docker exec runs a new process inside a running container.

docker inspect <container-id> or <image-id>

docker inspect extracts top‑level metadata of a container or image.

docker save <image-id>

docker save creates a compressed archive of an image, preserving metadata for each layer.

docker export <container-id>

docker export creates a tar of the container’s current view, discarding metadata and flattening layers.

docker history <image-id>

docker history recursively lists an image’s layer history.