Understanding Docker Images, Containers, and Commands: A Deep Dive

This article aims to help readers deeply understand Docker commands, the distinction between containers and images, and the differences between a container and a running container.

When I first encountered Docker, its commands seemed confusing. After weeks of studying Docker’s inner workings—especially the union file system—the commands became clear and simple.

Understanding any technology requires grasping its underlying principles. Media hype often obscures the core concepts, and new terminology can add a layer of abstraction that hinders true mastery.

Just as with Git, learning Docker’s internals leads to confident usage.

Image Definition

An image is a unified view of a stack of read‑only layers. The diagram below illustrates this concept.

Multiple read‑only layers overlap; each layer (except the bottom one) points to the next. Docker’s union file system merges these layers into a single file system view, hiding the multiple layers from the user.

On the host, these layers reside under /var/lib/docker/aufs , but they are invisible inside a running container.

Container Definition

A container is almost identical to an image, consisting of the same stack of layers, with the only difference being that the topmost layer is read‑write.

Key point: a container = image + a writable layer, and the definition does not specify whether the container is running.

Running Container Definition

A running container combines a writable union file system with an isolated process space containing the container’s processes.

File‑system isolation allows processes inside the container to modify, delete, or create files, which affect only the writable layer.

We can verify this with the following command:

docker run ubuntu touch happiness.txt

Even after the container stops, the file remains on the host:

/var/lib/docker/aufs/diff/860a7b.../happiness.txt

Image Layer Definition

To aggregate scattered data we define an image layer. Each layer contains not only file‑system changes but also metadata such as parent‑layer information.

Metadata is stored in JSON files under paths like /var/lib/docker/graph/ layer-id /json . Container metadata is spread across files in /var/lib/docker/containers/ .

Global Understanding (Tying It All Together)

Now we connect the implementation details to Docker commands.

docker create

The docker create command adds a writable layer to a specified image, forming a new container that does not run.

docker start

docker start creates an isolated process space for the container; each container can have only one such space.

docker run

docker run first creates a container from an image and then starts it, effectively combining docker create and docker start .

docker ps

docker ps lists only running containers.

docker ps –a

docker ps –a lists all containers, both running and stopped.

docker images

docker images shows top‑level images (those used to create containers or directly pulled). Each top‑level image hides multiple read‑only layers.

docker images –a

docker images –a lists all images, effectively all read‑only layers. Use docker history to view layers of a specific image ID.

docker stop

docker stop sends a SIGTERM to the container’s processes, terminating them gracefully.

docker kill

docker kill sends a SIGKILL to all processes inside the container.

docker pause

docker pause uses cgroups to suspend the container’s process space, unlike docker stop or docker kill which send UNIX signals.

docker rm

docker rm removes the writable layer of a non‑running container.

docker rmi

docker rmi removes a read‑only layer (an image). Only top‑level layers can be removed directly; the -f flag forces removal of intermediate layers.

docker commit

docker commit converts a container’s writable layer into a read‑only image layer.

docker build

docker build repeatedly executes a series of steps: 1) run (which is create + start ), 2) modify the filesystem, 3) commit . Each step creates a new layer, resulting in many layers.

docker exec

docker exec runs a new process inside a running container.

docker inspect

docker inspect extracts the top‑level metadata of a container or image.

docker save

docker save creates a compressed archive of an image, preserving metadata for each layer. It works only on images.

docker export

docker export creates a tarball of a container’s filesystem, discarding metadata and merging all layers into a single layer.

docker history

docker history recursively lists the history of an image’s layers.