The second image contains all the layers from the first image, plus new layers created by the COPY and RUN instructions, and a read-write container layer. Docker already has all the layers from the first image, so it does not need to pull them again. The two images share any layers they have in common.
Docker stores all caches in /var/lib/docker/<driver> , where <driver> is the storage driver overlay2 again. Just as with layer directories, the directory name corresponds to the cache ID. The directory contains six layers in total as there is exactly one cache for each layer.
Use the docker history commandAnd use docker history to show the layers.
Layers are stacked on top of each other to form a base for a container's root filesystem. The Docker storage driver is responsible for stacking these layers and providing a single unified view.
I might be late, but here's my 10 cents (complementing ashishjain's answer):
Basically, a layer, or image layer is a change on an image, or an intermediate image. Every command you specify (FROM
, RUN
, COPY
, etc.) in your Dockerfile causes the previous image to change, thus creating a new layer. You can think of it as staging changes when you're using git: You add a file's change, then another one, then another one...
Consider the following Dockerfile:
FROM rails:onbuild
ENV RAILS_ENV production
ENTRYPOINT ["bundle", "exec", "puma"]
First, we choose a starting image: rails:onbuild
, which in turn has many layers.
We add another layer on top of our starting image, setting the environment variable RAILS_ENV
with the ENV
command. Then, we tell docker to run bundle exec puma
(which boots up the rails server). That's another layer.
The concept of layers comes in handy at the time of building images. Because layers are intermediate images, if you make a change to your Dockerfile, docker will build only the layer that was changed and the ones after that. This is called layer caching.
You can read more about it here.
A docker container image is created using a dockerfile. Every line in a dockerfile will create a layer. Consider the following dummy example:
FROM ubuntu #This has its own number of layers say "X"
MAINTAINER FOO #This is one layer
RUN mkdir /tmp/foo #This is one layer
RUN apt-get install vim #This is one layer
This will create a final image where the total number of layers will be X+3
They make the most sense to me with an example...
Lets take a contrived example Dockerfile:
FROM busybox
RUN mkdir /data
# imagine this is downloading source code
RUN dd if=/dev/zero bs=1024 count=1024 of=/data/one
RUN chmod -R 0777 /data
# imagine this is compiling the app
RUN dd if=/dev/zero bs=1024 count=1024 of=/data/two
RUN chmod -R 0777 /data
# and now this cleans up that downloaded source code
RUN rm /data/one
CMD ls -alh /data
Each of those dd
commands outputs a 1M file to the disk. Lets build the image with an extra flag to save the temporary containers:
docker image build --rm=false .
In the output, you'll see each of the running commands happen in a temporary container that we now keep instead of automatically deleting:
...
Step 2/7 : RUN mkdir /data
---> Running in 04c5fa1360b0
---> 9b4368667b8c
Step 3/7 : RUN dd if=/dev/zero bs=1024 count=1024 of=/data/one
---> Running in f1b72db3bfaa
1024+0 records in
1024+0 records out
1048576 bytes (1.0MB) copied, 0.006002 seconds, 166.6MB/s
---> ea2506fc6e11
If you run a docker diff
on each of those container id's, you'll see what files were created in those containers:
$ docker diff 04c5fa1360b0 # mkdir /data
A /data
$ docker diff f1b72db3bfaa # dd if=/dev/zero bs=1024 count=1024 of=/data/one
C /data
A /data/one
$ docker diff 81c607555a7d # chmod -R 0777 /data
C /data
C /data/one
$ docker diff 1bd249e1a47b # dd if=/dev/zero bs=1024 count=1024 of=/data/two
C /data
A /data/two
$ docker diff 038bd2bc5aea # chmod -R 0777 /data
C /data/one
C /data/two
$ docker diff 504c6e9b6637 # rm /data/one
C /data
D /data/one
Each line prefixed with an A
is adding the file, the C
indicates a change to an existing file, and the D
indicates a delete.
Each of these container filesystem diffs above goes into one "layer" that gets assembled when you run the image as a container. The entire file is in each layer when there's an add or change, so each of those chmod
commands, despite just changing a permission bit, results in the entire file being copied into the next layer. The deleted /data/one file is still in the previous layers, 3 times in fact, and will be copied over the network and stored on disk when you pull the image.
You can see the commands that goes into creating the layers of an existing image with the docker history
command. You can also run a docker image inspect
on an image and see the list of layers under the RootFS section.
Here's the history for the above image:
IMAGE CREATED CREATED BY SIZE COMMENT
a81cfb93008c 4 seconds ago /bin/sh -c #(nop) CMD ["/bin/sh" "-c" "ls -… 0B
f36265598aef 5 seconds ago /bin/sh -c rm /data/one 0B
c79aff033b1c 7 seconds ago /bin/sh -c chmod -R 0777 /data 2.1MB
b821dfe9ea38 10 seconds ago /bin/sh -c dd if=/dev/zero bs=1024 count=102… 1.05MB
a5602b8e8c69 13 seconds ago /bin/sh -c chmod -R 0777 /data 1.05MB
08ec3c707b11 15 seconds ago /bin/sh -c dd if=/dev/zero bs=1024 count=102… 1.05MB
ed27832cb6c7 18 seconds ago /bin/sh -c mkdir /data 0B
22c2dd5ee85d 2 weeks ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 2 weeks ago /bin/sh -c #(nop) ADD file:2a4c44bdcb743a52f… 1.16MB
The newest layers are listed on top. Of note, there are two layers at the bottom that are fairly old. They come from the busybox image itself. When you build one image, you inherit all the layers of the image you specify in the FROM
line. There are also layers being added for changes to the image meta-data, like the CMD
line. They barely take up any space and are more for record keeping of what settings apply to the image you are running.
The layers have a couple advantages. First, they are immutable. Once created, that layer identified by a sha256 hash will never change. That immutability allows images to safely build and fork off of each other. If two dockerfiles have the same initial set of lines, and are built on the same server, they will share the same set of initial layers, saving disk space. That also means if you rebuild an image, with just the last few lines of the Dockerfile experiencing changes, only those layers need to be rebuilt and the rest can be reused from the layer cache. This can make a rebuild of docker images very fast.
Inside a container, you see the image filesystem, but that filesystem is not copied. On top of those image layers, the container mounts it's own read-write filesystem layer. Every read of a file goes down through the layers until it hits a layer that has marked the file for deletion, has a copy of the file in that layer, or the read runs out of layers to search through. Every write makes a modification in the container specific read-write layer.
One downside of the layers is building images that duplicate files or ship files that are deleted in a later layer. The solution is often to merge multiple commands into a single RUN
command. Particularly when you are modifying existing files or deleting files, you want those steps to run in the same command where they were first created. A rewrite of the above Dockerfile would look like:
FROM busybox
RUN mkdir /data \
&& dd if=/dev/zero bs=1024 count=1024 of=/data/one \
&& chmod -R 0777 /data \
&& dd if=/dev/zero bs=1024 count=1024 of=/data/two \
&& chmod -R 0777 /data \
&& rm /data/one
CMD ls -alh /data
And if you compare the resulting images:
Just by merging together some lines in the contrived example, we got the same resulting content in our image, and shrunk our image from 5MB to just the 1MB file that you see in the final image.
Since Docker v1.10, with introduction of the content addressable storage, the notion of 'layer' became quite different. Layers have no notion of an image or belonging to an image, they become merely collections of files and directories that can be shared across images. Layers and images became separated.
For example, on a locally built image from a base image, let's say, ubuntu:14.04
, the docker history
command yields the image chain, but some of the image IDs will be shown as 'missing' because the build history is no longer loaded. And the layers that compose these images can be found via
docker inspect <image_id> | jq -r '.[].RootFS'
The layer content is stored at /var/lib/docker/aufs/diff
if the storage driver selection is aufs
. But the layers are named with a randomly generated cache ID, it seems the link between a layer and its cache ID is only known to Docker Engine for security reasons. I am still looking for a way to find out
This blog provided much insight.
Per Docker's image spec via The Moby Project:
Images are composed of layers. Each layer is a set of filesystem changes. Layers do not have configuration metadata such as environment variables or default arguments - these are properties of the image as a whole rather than any particular layer.
So, essentially, a layer is just a set of changes made to the filesystem.
I think the official document gives a pretty detailed explanation: https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/.
(source: docker.com)
An image consists of many layers which usually are generated from Dockerfile, each line in Dockerfile will create a new layer, and the result is an image, which is denoted by the form repo:tag
, like ubuntu:15.04
.
For more information, please consider reading the official docs above.
I used to think they are like diffs on previous layers. After reading some of the answers here I was not so sure; they are described as sets of changes to the filesystem. I've written some Dockerfiles to show they are more like diffs, ie, they really depend on previous layers.
Given these two Dockerfiles
FROM bash
RUN mkdir /data
RUN dd if=/dev/zero bs=1024 count=1024 of=/data/one
RUN dd if=/dev/zero bs=1024 count=1024 of=/data/two
RUN dd if=/dev/zero bs=1024 count=1024 of=/data/three
and
FROM bash
RUN mkdir /data
RUN dd if=/dev/zero bs=1024 count=1024 of=/data/three
RUN dd if=/dev/zero bs=1024 count=1024 of=/data/two
RUN dd if=/dev/zero bs=1024 count=1024 of=/data/one
one would expect the same set of layers if they just were about changes to the filesystem, but this is not the case:
$ docker history img_1
IMAGE CREATED CREATED BY SIZE
30daa166a9c5 6 minutes ago /bin/sh -c dd if=/dev/zero bs=1024 count=102… 1.05MB
4467d16e79f5 6 minutes ago /bin/sh -c dd if=/dev/zero bs=1024 count=102… 1.05MB
c299561fd031 6 minutes ago /bin/sh -c dd if=/dev/zero bs=1024 count=102… 1.05MB
646feb178431 6 minutes ago /bin/sh -c mkdir /data 0B
78664daf24f4 2 weeks ago /bin/sh -c #(nop) CMD ["bash"] 0B
<missing> 2 weeks ago /bin/sh -c #(nop) ENTRYPOINT ["docker-entry… 0B
<more missing...>
and
$ docker history img_2
IMAGE CREATED CREATED BY SIZE
f55c91305f8c 6 minutes ago /bin/sh -c dd if=/dev/zero bs=1024 count=102… 1.05MB
29b3b627c76f 6 minutes ago /bin/sh -c dd if=/dev/zero bs=1024 count=102… 1.05MB
18360be603aa 6 minutes ago /bin/sh -c dd if=/dev/zero bs=1024 count=102… 1.05MB
646feb178431 6 minutes ago /bin/sh -c mkdir /data 0B
78664daf24f4 2 weeks ago /bin/sh -c #(nop) CMD ["bash"] 0B
<missing> 2 weeks ago /bin/sh -c #(nop) ENTRYPOINT ["docker-entry… 0B
<more missing...>
You can see how, even if the changes to the filesystem are the same in both cases, the order matters.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With