What is an Image

A container image is a packaged filesystem containing everything an application needs to run — the binary, its libraries, configuration files, and a minimal operating system layer. An image is not a single file. It is a stack of read-only layers, each containing filesystem changes relative to the layer below.

How it works

Each instruction in a Dockerfile that modifies the filesystem creates a new layer. Layers are stored as compressed tar archives with content-addressable SHA256 digests. At runtime, overlayfs merges all layers into a single unified view, with a writable layer on top for runtime changes.

Images are distributed through registries (Docker Hub, ghcr.io, ECR). Pulling an image downloads only the layers not already cached locally. Because layers are content-addressed, identical layers across different images are stored only once.

Images are identified by tags (nginx:1.25) or digests (nginx@sha256:abc...). Tags are mutable — the same tag can point to different images over time. Digests are immutable and guarantee reproducibility.

Why it matters

Images are the packaging and distribution unit for containers. They ensure that the same application runs identically in development, CI, and production. Layer caching makes builds fast (only changed layers rebuild) and distribution efficient (only missing layers transfer). The OCI specification standardizes the format across all runtimes.

See How Container Images Work for the full explanation.