Understanding Docker Images, Containers, and Commands: A Deep Dive
This article provides a comprehensive explanation of Docker’s architecture, detailing the differences between images and containers, the role of the union file system, and how various Docker commands such as create, start, run, ps, and build operate on these layers.
This article aims to help readers deeply understand Docker commands, the distinction between containers and images, and the differences between a container and a running container.
When I first encountered Docker, its commands seemed confusing. After weeks of studying Docker’s inner workings—especially the union file system—the commands became clear and simple.
Understanding any technology requires grasping its underlying principles. Media hype often obscures the core concepts, and new terminology can add a layer of abstraction that hinders true mastery.
Just as with Git, learning Docker’s internals leads to confident usage.
Image Definition
An image is a unified view of a stack of read‑only layers. The diagram below illustrates this concept.
Multiple read‑only layers overlap; each layer (except the bottom one) points to the next. Docker’s union file system merges these layers into a single file system view, hiding the multiple layers from the user.
On the host, these layers reside under /var/lib/docker/aufs, but they are invisible inside a running container.
Container Definition
A container is almost identical to an image, consisting of the same stack of layers, with the only difference being that the topmost layer is read‑write.
Key point: a container = image + a writable layer, and the definition does not specify whether the container is running.
Running Container Definition
A running container combines a writable union file system with an isolated process space containing the container’s processes.
File‑system isolation allows processes inside the container to modify, delete, or create files, which affect only the writable layer.
We can verify this with the following command: docker run ubuntu touch happiness.txt Even after the container stops, the file remains on the host:
/var/lib/docker/aufs/diff/860a7b.../happiness.txtImage Layer Definition
To aggregate scattered data we define an image layer. Each layer contains not only file‑system changes but also metadata such as parent‑layer information.
Metadata is stored in JSON files under paths like /var/lib/docker/graph/<em>layer-id</em>/json. Container metadata is spread across files in /var/lib/docker/containers/.
Global Understanding (Tying It All Together)
Now we connect the implementation details to Docker commands.
docker create
The docker create command adds a writable layer to a specified image, forming a new container that does not run.
docker start
docker startcreates an isolated process space for the container; each container can have only one such space.
docker run
docker runfirst creates a container from an image and then starts it, effectively combining docker create and docker start.
docker ps
docker pslists only running containers.
docker ps –a
docker ps –alists all containers, both running and stopped.
docker images
docker imagesshows top‑level images (those used to create containers or directly pulled). Each top‑level image hides multiple read‑only layers.
docker images –a
docker images –alists all images, effectively all read‑only layers. Use docker history to view layers of a specific image ID.
docker stop
docker stopsends a SIGTERM to the container’s processes, terminating them gracefully.
docker kill
docker killsends a SIGKILL to all processes inside the container.
docker pause
docker pauseuses cgroups to suspend the container’s process space, unlike docker stop or docker kill which send UNIX signals.
docker rm
docker rmremoves the writable layer of a non‑running container.
docker rmi
docker rmiremoves a read‑only layer (an image). Only top‑level layers can be removed directly; the -f flag forces removal of intermediate layers.
docker commit
docker commitconverts a container’s writable layer into a read‑only image layer.
docker build
docker buildrepeatedly executes a series of steps: 1) run (which is create + start), 2) modify the filesystem, 3) commit. Each step creates a new layer, resulting in many layers.
docker exec
docker execruns a new process inside a running container.
docker inspect
docker inspectextracts the top‑level metadata of a container or image.
docker save
docker savecreates a compressed archive of an image, preserving metadata for each layer. It works only on images.
docker export
docker exportcreates a tarball of a container’s filesystem, discarding metadata and merging all layers into a single layer.
docker history
docker historyrecursively lists the history of an image’s layers.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Architect's Tech Stack
Java backend, microservices, distributed systems, containerized programming, and more.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.