Master Docker Image Layers: From Base to Scratch and Copy‑On‑Write

Knowledge Point 1: Image Layering

Image: A software unit composed of multiple layers. Layers: Stacked filesystem layers; the lowest is the base image. Base image: Provides the operating system; containers share the host kernel.

# vim Dockerfile
FROM python:2.7-slim
WORKDIR /app
ADD . /app
RUN pip install --trusted-host pypi.python.org -r requirements.txt
EXPOSE 80
ENV NAME World
ENV AUTHOR cali
CMD ["python","app.py"]

Each RUN command adds a new layer, increasing image size; the image runs as a single process consuming CPU and memory.

Example: Jenkins Dockerfile on Docker Hub

FROM openjdk:8-jdk – specifies the base image because Jenkins requires a Java runtime.

Knowledge Point 2: Base Image

1. Does not depend on other images; built from scratch . 2. Serves as a foundation for other images.

Typical base images include Ubuntu, Debian, CentOS, etc.

Knowledge Point 3: Scratch Image

What is a scratch image?

scratch is an empty image used to build ultra‑small images like busybox, essentially starting from zero.

Example: busybox Dockerfile on Docker Hub

busybox uses scratch as its base, providing only a minimal shell.

Knowledge Point 4: bootfs and rootfs

bootfs – filesystem needed during container start, provided by the host kernel, and removed after boot. rootfs – the container's own operating system filesystem (e.g., /dev, /proc, /bin, /etc, /usr, /tmp).

Different Linux distributions mainly differ in their rootfs.

Knowledge Point 5: Why Docker Uses Layered Structure

The main benefit is resource sharing: multiple images built from the same base share a single copy of that base on disk and in memory, reducing storage and RAM usage.

Writable Layer Concept

When a container starts, a writable layer (container layer) is added on top of the read‑only image layers. All changes (add, modify, delete) affect only this writable layer, leaving the underlying image unchanged.

Copy‑On‑Write (CoW)

Modifying a file copies it from the lower read‑only layer to the writable layer before the change; deletions are recorded in the writable layer.

Knowledge Point 6: Building a busybox Image

1. Write Dockerfile

# cat Dockerfile
FROM busybox
COPY . /
RUN cat /hello.txt
ENTRYPOINT ["/bin/sh","/while.sh"]

ENTRYPOINT defines the command executed when the container starts.

2. Write while.sh

#! /bin/bash
i=1
while :
do
  echo "hello world,sanchuang $i"
  let i++
  sleep 1
done

3. Build the image

# docker build -t scbusybox:1.0 .
Sending build context to Docker daemon  4.096kB
Step 1/4 : FROM busybox
... (output omitted for brevity) ...
Successfully built 7fb76760295e
Successfully tagged scbusybox:1.0

4. Run the container

Initial run fails because while.sh lacks execute permission.

# docker run -d --name scbusybox-1 scbusybox:1.0
... permission denied ...

Grant execute permission and rebuild:

# chmod +x while.sh
# docker build -t scbusybox:1.1 .
... (build output) ...
Successfully built 4883eded6503

Run the updated image successfully:

# docker run -itd --name scbusybox-6 scbusybox:1.1
2e55c7079934   scbusybox:1.1   "/bin/sh /while.sh"   Up 1 second   scbusybox-6