Module Review: Working with Images
Key Takeaways
- Layers are Immutable: An image is a stack of read-only layers. Containers add a thin read-write layer on top.
- Order Matters: Place volatile instructions (source code) last to leverage the build cache.
- Multi-Stage is Mandatory: Never ship build tools (GCC, Maven) to production. Use multi-stage builds to copy only the binary.
- Tags Lie: The `latest` tag is just a string. It is mutable. For true reproducibility, use immutable Digests (SHA256).
- Minimize Attack Surface: Use minimal base images (Alpine, Distroless, Scratch) to reduce vulnerabilities.
1. Interactive Flashcards
CMD vs ENTRYPOINT
What is the key difference?
Overridability
CMD is easily overridden by arguments passed to `docker run`.
ENTRYPOINT is difficult to override; arguments are appended to it.
Copy-on-Write (CoW)
What happens when you modify a file from a lower layer?
Copy Up
The file is copied from the read-only lower layer to the read-write upper layer *before* modification.
Multi-Stage Build
Why use `COPY --from=builder`?
Size Reduction
It allows you to copy artifacts (binaries/jars) from a heavy build image into a tiny runtime image, discarding the build tools.
.dockerignore
Why is this file critical?
Context Size
It prevents sending unnecessary files (node_modules, .git) to the Docker daemon, speeding up builds.
2. Cheat Sheet
| Command | Description |
|---|---|
| `docker build -t myapp:v1 .` | Build an image from the current directory. |
| `docker history myapp:v1` | Show the layers and size of an image. |
| `docker images` | List all local images. |
| `docker rmi <id>` | Delete an image. |
| `docker tag myapp:v1 myapp:latest` | Create a new tag (alias) for an existing image. |
| `docker push myapp:v1` | Upload the image to a registry. |
| `docker pull myapp:v1` | Download an image from a registry. |
Dockerfile Instructions
| Instruction | Usage |
|---|---|
| `FROM` | Base image (Start here). |
| `RUN` | Execute commands (Install packages). |
| `COPY` | Copy files from host to image. |
| `WORKDIR` | Set current directory. |
| `CMD` | Default command (Overridable). |
| `ENTRYPOINT` | Main executable (Not overridable). |
| `ENV` | Environment variable (Persists at runtime). |
| `ARG` | Build-time variable (Disappears at runtime). |
3. Next Steps
Now that you’ve mastered Images, it’s time to learn how to manage them in production.