Spread the love


What is Docker?

Docker is a lightweight containerization technology that has gained widespread popularity in recent years.

What does Docker uses?

It uses a host of the Linux kernel’s features such as namespaces, cgroups, AppArmor profiles, and so on, to sandbox processes into configurable virtual environments.

What does Docker container look like?

A Docker container can be correlated to an instance of a VM. It runs sandboxed processes that share the same kernel as the host. The term container comes from the concept of shipping containers. The idea is that you can ship containers from your development environment to the deployment environment and the applications running in the containers will behave the same way no matter where you run them. The following image shows the layers of AUFS.


How does a Docker Image look like?

A Docker image is made up of filesystems layered over each other.


At the base is a boot filesystem, bootfs, which resembles the typical Linux/Unix boot filesystem. A Docker user will probably never interact with the boot filesystem. Indeed, when a container has booted, it is moved into memory, and the boot filesystem is unmounted to free up the RAM used by the initrd disk image. So far this looks pretty much like a typical Linux virtualization stack.

Indeed, Docker next layers a root filesystem, rootfs, on top of the boot filesystem. This rootfs can be one or more operating systems (e.g., a Debian or Ubuntu filesystem).

In a more traditional Linux boot, the root filesystem is mounted read-only and then switched to read-write after boot and an integrity check is conducted. In the Docker world, however, the root filesystem stays in read-only mode, and Docker takes advantage of a union mount to add more read-only filesystems onto the root filesystem.

A union mount is a mount that allows several filesystems to be mounted at one time but appear to be one filesystem. The union mount overlays the filesystems on top of one another so that the resulting filesystem may contain files and subdirectories from any or all of the underlying filesystems. Docker calls each of these filesystems images.

Images can be layered on top of one another. The image below is called the parent image and you can traverse each layer until you reach the bottom of the image stack where the final image is called the base image.

Finally, when a container is launched from an image, Docker mounts a read-write filesystem on top of any layers below. This is where whatever processes we want our Docker container to run will execute. This sounds confusing, so perhaps it is best represented by a diagram.

When Docker first starts a container, the initial read-write layer is empty. As changes occur, they are applied to this layer; for example, if you want to change a file, then that file will be copied from the read-only layer below into the readwrite layer. The read-only version of the file will still exist but is now hidden underneath the copy.

This pattern is traditionally called “copy on write” and is one of the features that makes Docker so powerful. Each read-only image layer is read-only; this image never changes. When a container is created, Docker builds from the stack of images and then adds the read-write layer on top.

That layer, combined with the knowledge of the image layers below it and some configuration data, form the container. Containers can be changed, they have state, and they can be started and stopped. This, and the image-layering framework, allows us to quickly build images and run containers with our applications and services


Spread the love
Categories: Docker

Ajeet Raina

My name is Ajeet Singh Raina and I am an author of this blogging site. I am a Docker Captain, ARM Innovator & Docker Bangalore Community Leader. I bagged 2 special awards last year(2019): Firstly, “The Tip of Captain’s Hat Award” at Dockercon 2019, San Francisco, and secondly, “2019 Docker Community Award“. I run Collabnix Community Slack with over 5300+ audience . I have built popular GITHUB repositories like DockerLabs, KubeLabs, Kubetools, RedisPlanet Terraform etc. with the support of Collabnix Community. Currently working as Developer Relations Manager at Redis Labs where I help customers and community members adopt Redis. With over 12,000+ followers over LinkedIn & close to 5100+ twitter followers, I like sharing Docker and Kubernetes related content . You can follow me on Twitter(@ajeetsraina) & GitHub(@ajeetraina)


Spartherm · 12th October 2016 at 3:53 am

you are in point of fact a excellent webmaster. The web site loading speed is incredible. It kind of feels that you’re doing any distinctive trick. Furthermore, The contents are masterwork. you’ve done a excellent activity on this topic!

    ajeetraina · 12th October 2016 at 3:22 pm

    Thanks for your kind words. Thank You.

Arun Tripathy · 10th July 2021 at 12:56 am

Hi Ajeet Raina,

Thanks for this Article.

I have two questions:
1. WORKDIR command in dockerfile creates folders in image and containers too
2. Is docker build the code inside the image after resolving the dependecies


DevOps: A Survival Guide for Infrastructure Teams - WWT · 8th March 2017 at 10:14 pm

[…] A deep dive explanation of Docker layers can be found here and a user view can be found […]

Docker仍然有bootfs吗? – 玩编程 · 18th January 2020 at 12:17 am

[…] Docker是否使用某种bootf仍然是真的吗?例如,这些文章使我感到困惑:https://collabnix.com/understanding-docker-container-image/。它具有包含内核和cgroup的bootfs。但据我所知,内核位于Docker外部,它是主机系统的一部分。 […]

Leave a Reply

Your email address will not be published. Required fields are marked *

Join Collabnix SlackIt's 100% FREE!

Get chance to chat with 5500+ DevOps Engineers !