Container Images: Architecture and Best Practices

Learn how container images are structured, the difference between containers and images, parent and base images, and the role of the Docker manifest.

April 20, 2021

What is Container Image? 

A container image is a static file with executable code that can create a container on a computing system. A container image is immutable—meaning it cannot be changed, and can be deployed consistently in any environment. It is a core component of a containerized architecture.

Container images include everything a container needs to run—the container engine such as Docker or CoreOS, system libraries, utilities, configuration settings, and specific workloads that should run on the container. The image shares the operating system kernel of the host, so it does not need to include a full operating system.

A container image is composed of layers, added on to a parent image (also known as a base image). Layers make it possible to reuse components and configurations across images. Constructing layers in an optimal manner can help reduce container size and improve performance.

In this article, you will learn:

Docker Image Architecture 

Docker is the world’s most popular container engine, so we will focus our discussion of container image architecture on Docker.

A Docker image is a collection of files, including binaries, source code and other dependencies, needed to deploy a container environment. In Docker, there are two ways to create an images:

  • Dockerfile—Docker provides a simple, human-readable configuration file that specifies what a Docker image should contain.
  • Create an image from an existing container—you can run a container from an existing image, modify the container environment, and save the result as a new image.

What is the Difference Between Docker Containers and Images?

A Docker container image describes a container environment. A Docker container is an instance of that environment, running on Docker Engine. You can run multiple containers from the same image, and all of them will contain the same software and configuration, as specified in the image.

Docker Images and Layers

When you define a Docker image, you can use one or more layers, each of which includes system libraries, dependencies and files needed for the container environment. Image layers can be reused for different projects. 

To save time, most Docker images start from a parent image. For example, here is the Dockerfile of the MySQL image on Docker Hub, which can be used to create containers running the MySQL database. On top of this parent image, you can add layers that include additional software or specific configurations. 

When a container runs, Docker adds a readable/writable top layer over the static image layers. This top layer is used by the container to modify files during runtime, and can also be used to customize the container. This way, multiple containers created from the same image can have different data.

There are two ways to view layers added to the base image:

  • /var/lib/docker/aufs/diff directory on the container
  • Using the Docker CLI history command

Parent and Base Images

There is a subtle technical different between parent and base images:

  • A base image is an empty container image, which allows advanced users to create an image from scratch.
  • A parent image is a pre-configured image that provides some basic functionality, such as a stripped-down Linux system, a database such as MySQL or PostgreSQL, or a content management system such as WordPress. 

However, in the container community, the terms “base image” and “parent image” are often used interchangeably.

There is a large number of ready-made parent images available on Docker Hub, and on many other public container repositories. You can also use your own images as a parent for new images.

Docker Manifest

Each Docker image comes with a file called a manifest. This is a JSON file that describes the image and provides metadata such as tags, a digital signature to verify the origin of the image, and documentation.

Docker Image Security Best Practices 

Container images play a crucial role in container security. Any container created from an image inherits all its characteristics—including security vulnerabilities, misconfigurations, or even malware. 

Here are a few best practices that can help you ensure you only use secure, verified images in your container projects:

  • Prefer minimal base images—many Docker images use a fully installed operating system distribution as their underlying image. If you don’t need general system libraries, avoid using base images that install an entire operating system, or other components that are not essential for your project, to limit the attack surface.
  • Least privileged user—Dockerfiles must always specify a USER, otherwise they will default to running the container as root on the host machine. You should also avoid running applications on the container with root privileges. Running as root can have severe security consequences, because attackers compromising the container can gain control over the entire host. 
  • Sign and verify images—you must make sure the image you are pulling to create your container is really the image you selected from a trusted publisher, or created yourself. By using only signed images, you can mitigate tampering with the image over the wire (a man in the middle attack), or attackers pushing compromised images to a trusted repository.
  • Fix open source vulnerabilities—whenever you use a parent image in production, you need to be able to trust all the components it deploys. Automatically scan images as part of your build process, to ensure they do not contain vulnerabilities, security misconfigurations, or backdoors. Keep in mind new vulnerabilities may be introduced over time, even in images that were originally verified as secure. 

Related content: read our guide to Docker security best practices ›

Container Image Q&A

What is Docker Hub? 

Docker Hub is the world’s largest container image registry. You can use it to access publicly available Docker images, or store your own images. There are many other tools you can use to manage a container image repository, including:

  • Harbor
  • Amazon Elastic Container Registry (ECR)
  • Azure Container Registry (ACR)
  • Google Container Registry
  • JFrog Artifactory
  • Red Hat Quay

What is a Docker Image Security Scan? 

Docker image security scanning lets you find security vulnerabilities in Docker image files. Image scanning works by analyzing packages and dependencies defined in a container image, and checking each of them for known security vulnerabilities. Some container image registries provide built-in image scanning tools.