A container image is a binary file that follows a specific standard. The emerging standard for this format is OCI, governed by the Open Container Initiative as part of the Linux Foundation. When a container runtime engine unpacks the files from the image and starts them on the operating system, the result is a running container instance. In the end, containers are just normal processes that run on the operating system (commonly Linux).
How containers are built and how container runtime engines interpret these images is interesting and often important to understand. The best place to begin is the container image payload itself.
You will learn:
- The directory and file ingredients of container image binaries.
- How to create a runnable container without writing a Dockerfile.
- How to install and use the Dive tool to inspect container images.
There are other container formats, but the industry is moving toward the standard and governed OCI format. After completing this scenario, you understand that a container image is a collection of TAR files, where each TAR is a layer. With this knowledge, it's now easy to inspect the contents of a container image for discovery and debugging purposes. Because the OCI format is an open standard, you can see why there is a growing variety of tools that can build, run, and inspect OCI container images.
With these steps you have learned:
- ✔ The directory and file ingredients of container image binaries.
- ✔ How to create a runnable container without writing a Dockerfile.
- ✔ How to install and use the Dive tool to inspect container images.
Hopefully, you also understand how Kubernetes is a new type of data center operating system that can run your applications—across multiple nodes on your local laptop, a rack of servers, or any cloud target.
Kubernetes Containers: Decomposing Images
Container Image Dissection
A container image is a TAR file containing other TAR files. Internally, each TAR file is a layer. Once all TAR files have been extracted to a local filesystem, you can explore the details of the layers.
Using the docker tool, pull the layers of a Redis container image onto this filesystem.
docker pull redis:6.0.4-alpine3.11
Export the image into a raw TAR format.
docker save redis:6.0.4-alpine3.11 > redis.tar
Create a scratch location to inspect the Redis files.
mkdir redis && cd redis
Extract the files from the TAR.
tar -xvf ../redis.tar
All of the contents, along with the layer TAR files, are now viewable.
The image includes the manifest.json file that defines the metadata about the image, such as version information and tag names. The schema for the manifest.json file follows the OCI specification. Inspect the manifest.
jq . manifest.json
Extracting a layer will reveal the specific files contained for that layer.
mkdir last-layer && tar -xvf 014d4966196e17dec4032a93660d4be192558c0a654af6347a6e012742079d6c/layer.tar -C last-layer
Inspect the files in the last layer.
This single file makes sense because it's the last instruction in the Redis Dockerfile that would cause a layer to be created, on line 101 here.
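The same dissection done programmatically, as an added example that is not part of the scenario or of Docker's tooling: the script builds a constructed docker-save-style image tarball in memory (placeholder layer directory names, not real digests), reads manifest.json, walks each layer.tar in manifest order, and merges the entries into the final filesystem view while honouring `.wh.` whiteout markers, so a file deleted in a later layer is shown to remain in the earlier layer's TAR.

```python
import io
import json
import tarfile


def _tar_bytes(files):
    """Pack {path: bytes} into an uncompressed TAR, the layout docker save uses per layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for redis.tar: manifest.json plus one layer.tar per layer.
    Layer directory names are placeholders, not real digests."""
    layers = {
        "base-layer-placeholder/layer.tar": _tar_bytes({"bin/sh": b"#!", "etc/motd": b"hi"}),
        "app-layer-placeholder/layer.tar": _tar_bytes(
            {"usr/local/bin/redis-server": b"ELF", "etc/.wh.motd": b""}),
    }
    manifest = [{"Config": "config-placeholder.json",
                 "RepoTags": ["redis:6.0.4-alpine3.11"], "Layers": list(layers)}]
    outer = dict(layers)
    outer["manifest.json"] = json.dumps(manifest).encode()
    return _tar_bytes(outer)


def dissect(image_bytes):
    """Walk the layers in manifest order (base first) without extracting to disk.
    Returns (per_layer, rootfs): per_layer is [(layer_path, [entries])]; rootfs is the
    merged view a runtime would present. A '.wh.<name>' entry hides <name> from that view,
    but the bytes remain in the earlier layer's TAR, which is why layer inspection matters."""
    per_layer, rootfs = [], set()
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            with tarfile.open(fileobj=image.extractfile(layer_path)) as layer:
                entries = layer.getnames()
            per_layer.append((layer_path, entries))
            for entry in entries:
                parent, _, base = entry.rpartition("/")
                if base.startswith(".wh."):  # whiteout marker: deletes a lower-layer file
                    rootfs.discard(f"{parent}/{base[4:]}" if parent else base[4:])
                else:
                    rootfs.add(entry)
    return per_layer, rootfs
```

Run `dissect(open("redis.tar", "rb").read())` on the real export to see the Redis layers; opaque whiteouts (`.wh..wh..opq`) are not modelled here.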