Master Docker Base Images: Layers, Building, Tagging, and Distribution Explained

1. Base Images

In Docker, a base image has two meanings: (1) an image built directly from scratch without depending on any other image, and (2) an image that serves as the foundation for other images. Typical base images are official Linux distribution images such as Ubuntu, Debian, or CentOS. docker pull ubuntu Linux consists of kernel space and user space. Containers share the host kernel; they only need to provide a rootfs (user‑space filesystem) that contains essential directories like /dev, /proc, and /bin. A minimal rootfs can be very small (e.g., Alpine < 10 MB), while full‑featured distributions like CentOS are larger because they include many extra packages.

Example of a CentOS base image Dockerfile:

FROM scratch
ADD centos-7-docker.tar.xz /
CMD ["/bin/bash"]

The ADD instruction adds the tarball containing the CentOS 7 rootfs to the image, which is unpacked into / to create the standard Linux directories.

2. Image Layer Structure

Docker builds a new image by stacking read‑only layers on top of a base image. Each instruction in a Dockerfile creates a new layer. When a container runs, a writable layer (the container layer) is placed on top of the stacked read‑only image layers.

All changes (add, modify, delete) happen in the writable container layer; lower image layers remain immutable.

When a file exists in multiple layers, the version from the highest layer masks the lower ones.

Docker uses a copy‑on‑write mechanism: a file is copied to the writable layer only when it is modified.

Because image layers are read‑only, the same image can be shared by many containers simultaneously.

3. Building Images

3.1 docker commit

The docker commit command creates a new image from a running container. Typical steps:

Run a container (e.g., docker run -it ubuntu).

Make changes inside the container (install packages, edit files, etc.).

Commit the container to a new image (e.g., docker commit <em>container_id</em> ubuntu-with-vi).

After committing, the new image appears larger because the added software occupies space in a new layer.

3.2 Dockerfile

A Dockerfile is a plain‑text script that records every step needed to build an image. Typical workflow:

Create a Dockerfile and write commands such as FROM, RUN, ADD, COPY, and CMD.

Run docker build -t <em>image_name</em> . where the trailing dot denotes the build context (the directory whose contents are sent to the Docker daemon).

Example Dockerfile that adds vim to an Ubuntu base:

FROM ubuntu
RUN apt-get update && apt-get install -y vim

The --no-cache flag disables layer caching when you want a fresh build.

3.3 Viewing Image History

Use docker history <em>image_name</em> to see each layer created by the Dockerfile, its size, and the command that generated it. Missing IDs often appear for layers already present in Docker Hub.

3.4 Image Caching

Docker caches each layer after it is built. If a layer already exists, Docker reuses it, speeding up subsequent builds. Changing any instruction invalidates the cache for that layer and all layers that follow; you can force a clean build with --no-cache.

4. Distributing Images

4.1 Naming Images

An image name follows the [repository]:[tag] pattern. If no tag is supplied, Docker uses latest by default.

docker build -t ubuntu-with-vi
# equivalent to docker build -t ubuntu-with-vi:latest

4.2 Tag Best Practices

Adopt semantic versioning for tags. An image can have multiple tags (e.g., 1.9.1, 1.9, 1, latest) that point to the same image ID. When a new patch version is released, add a new tag and move the older tags to the new version.

4.3 Using Public Registries

Docker Hub is the default public registry. To push an image:

docker login -u <em>username</em>
docker tag ubuntu <em>username</em>/ubuntu:v1
docker push <em>username</em>/ubuntu:v1

Only layers that are not already present on the registry are uploaded, which reduces data transfer.

4.4 Running a Private Registry

You can run your own registry container:

docker run -d -p 5000:5000 -v /root/registry:/var/lib/registry registry:2

Push and pull using the host and port:

docker push registry.example.net:5000/username/ubuntu:v1
docker pull registry.example.net:5000/username/ubuntu:v1

Image names for private registries include the host and optional port, e.g., registry.example.net:5000/username/ubuntu:v1. Public registries like Docker Hub omit the host portion.