Demystifying Docker: Understanding Images, Containers, and Core Commands

This article provides a comprehensive, step‑by‑step explanation of Docker’s architecture—including the differences between images, containers, and running containers—while detailing the underlying union file system and illustrating each Docker command with clear examples and diagrams.

MaGe Linux Operations

This article aims to help readers deeply understand Docker commands, the difference between containers and images, and the distinction between containers and running containers.

When I first encountered Docker, the commands seemed opaque; after weeks of studying Docker’s union file system, the commands became logical and simple.

Side note: Mastering a technology requires understanding its underlying principles rather than relying on hype or marketing terminology.

Image Definition

An image is a unified view of a stack of read‑only layers. The diagram below illustrates this concept.

These read‑only layers overlap, each pointing to the next layer except the bottom one. Docker’s union file system merges them into a single view, hiding the multiple layers from the user.

The layers are stored on the host file system (e.g., under /var/lib/docker/aufs), but they are invisible inside a running container.

/var/lib/docker/
├── aufs
├── containers
├── graph
├── init
├── linkgraph.db
├── repositories-aufs
├── tmp
├── trust
├── volumes

Container Definition

A container is essentially an image plus a top writable layer.

Key point: Container = Image + writable layer. The definition deliberately does not mention whether the container is running.

Next, we discuss running containers.

Running Container Definition

A running container adds a writable union file system, an isolated process space, and the processes themselves. The diagram below shows a running container.

File‑system isolation lets Docker modify files in the writable layer without affecting other layers.

Example command to verify this behavior:

docker run ubuntu touch happiness.txt

Even after the container stops, the file remains on the host:

find / -name happiness.txt
/var/lib/docker/aufs/diff/860a7b...889/happiness.txt

Image Layer Definition

We introduce the concept of an image layer, which includes not only file‑system changes but also metadata.

Metadata stores information needed for building and running images, and each layer points to its parent layer.

Layers without a parent pointer are the bottom layers.

Metadata Location

On my host, image‑layer metadata is stored in a JSON file:

/var/lib/docker/graph/e809f156dc985.../json
e809f156dc985... is the layer ID.

Container metadata is spread across files under /var/lib/docker/containers/<id>, containing runtime data such as network settings and logs.
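The parent-pointer chain described above can be walked directly from the per-layer JSON files, which is also what a recursive layer listing such as docker history amounts to. The sketch below is an added example, not Docker's own code; it assumes the legacy graph layout shown above (one directory per layer holding a file named json) and that each record carries "id" and "parent" keys. The layer IDs are constructed.

```python
import json
import os
import tempfile


def layer_chain(graph_dir, layer_id):
    """Follow parent pointers from layer_id down to the bottom layer."""
    chain, seen = [], set()
    while layer_id:
        if layer_id in seen:  # corrupted or tampered metadata: a loop
            raise ValueError(f"parent cycle at {layer_id}")
        seen.add(layer_id)
        with open(os.path.join(graph_dir, layer_id, "json")) as fh:
            meta = json.load(fh)
        chain.append(meta["id"])
        layer_id = meta.get("parent")  # no parent pointer => bottom layer
    return chain


def write_layer(graph_dir, record):
    """Store one layer record as <graph_dir>/<id>/json."""
    os.makedirs(os.path.join(graph_dir, record["id"]), exist_ok=True)
    with open(os.path.join(graph_dir, record["id"], "json"), "w") as fh:
        json.dump(record, fh)


def demo():
    # Constructed sample: top -> mid -> base, written to a temp directory
    # so nothing under /var/lib/docker is touched.
    with tempfile.TemporaryDirectory() as root:
        write_layer(root, {"id": "top000", "parent": "mid000"})
        write_layer(root, {"id": "mid000", "parent": "base00"})
        write_layer(root, {"id": "base00"})
        return layer_chain(root, "top000")


if __name__ == "__main__":
    print(" -> ".join(demo()))
```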

Global Understanding (Tying It All Together)

Now we connect the implementation details to Docker commands.

docker create <image-id>

docker create adds a writable layer to the specified image, creating a new container that is not running.

docker start <container-id>

docker start creates an isolated process space for the container; each container can have only one such space.

docker run <image-id>

docker run combines docker create and docker start, which can be confusing for newcomers.

Analogy: docker run is like git pull (a combination of git fetch and git merge).

docker ps

docker ps lists only running containers. To see all containers, use:

docker ps -a

docker images

docker images shows top‑level images (those used to create containers or pulled directly). Each top‑level image hides multiple underlying layers.

docker images -a

docker images -a lists all images, i.e., all read‑only layers; use docker history to view a specific image’s layers.

docker stop

docker stop <container-id>

Sends a SIGTERM to the container’s processes, stopping them gracefully.

docker kill

docker kill <container-id>

Sends a SIGKILL, forcibly terminating all processes inside the container.

docker pause

docker pause <container-id>

Uses cgroups to pause the container’s processes (SIGTSTP), which is less intuitive than other signals.

docker rm

docker rm <container-id>

Removes the writable layer of a non‑running container.

docker rmi

docker rmi <image-id>

Removes a read‑only layer; only top‑level images can be removed directly, unless forced with -f.

docker commit

docker commit <container-id>

Converts a container’s writable layer into a read‑only layer, turning the container into an immutable image.
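To make the layer mechanics concrete, here is an in-memory model of an image as a stack of read-only layers, a container as that stack plus one writable layer, and commit as freezing the writable layer. It is an added example, not Docker code or code from the original article. The class names, file paths and the whiteout marker (the way union file systems such as AUFS record a deletion, a detail beyond what the article covers) are assumptions of this sketch.

```python
# Added illustration: a toy, in-memory model of layers (not Docker code).
WHITEOUT = object()  # marks "path deleted in this layer" (AUFS-style whiteout)


class Image:
    """A stack of read-only layers, ordered bottom -> top."""

    def __init__(self, layers):
        self.layers = tuple(dict(layer) for layer in layers)  # frozen copies

    def view(self):
        """Merge the stack into the single file-system view a user sees."""
        merged = {}
        for layer in self.layers:  # upper layers shadow lower ones
            for path, content in layer.items():
                if content is WHITEOUT:
                    merged.pop(path, None)
                else:
                    merged[path] = content
        return merged


class Container:
    """Container = image + one writable layer on top."""

    def __init__(self, image):
        self.image = image
        self.writable = {}  # the only layer that ever changes

    def write(self, path, content):
        self.writable[path] = content

    def delete(self, path):
        self.writable[path] = WHITEOUT  # hides the path; lower copy remains

    def view(self):
        return Image(self.image.layers + (self.writable,)).view()

    def commit(self):
        """Freeze the writable layer into a new read-only top layer."""
        return Image(self.image.layers + (self.writable,))


def demo():
    # Constructed sample layers; paths and contents are made up.
    base = Image([{"/etc/os-release": "ubuntu"}, {"/app/secret.key": "k3y"}])
    box = Container(base)
    box.write("/happiness.txt", "")
    box.delete("/app/secret.key")
    return base, box, box.commit()
```

In the committed image the merged view no longer shows /app/secret.key, yet the lower read-only layer still holds it, so deleting a sensitive file in a later layer does not remove it from the image.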

docker build

docker build repeatedly executes commands from a Dockerfile: it runs, modifies, and commits, creating a new layer at each step.

docker exec <running-container-id>

docker exec runs a new process inside a running container.

docker inspect <container-id> or <image-id>

docker inspect extracts the top‑level metadata of a container or image.

docker save <image-id>

docker save creates a compressed archive of an image, preserving metadata for each layer.

docker export <container-id>

docker export creates a tarball of a container’s filesystem without metadata, merging layers into a single layer.

docker history <image-id>

docker history recursively lists an image’s layer history.

Source: http://dockone.io/article/783