Pulling images
An image is a read-only template. A container is what you get
when you docker run an image. Before you can run anything, the image
has to land on this machine โ either pulled from a registry (Docker
Hub by default) or built locally.
Pull three of the most common base images:
docker pull nginx
docker pull ubuntu
docker pull httpd
Each pull downloads the image's layers (deduped โ nginx and
httpd share their underlying Debian/Alpine base, so the second pull
is faster).
Confirm they landed:
docker images
You should see at least nginx, ubuntu, and httpd in the listing,
with sizes, image IDs, and a latest tag (the default when no :tag
is specified on the pull).
Click Verify step when all three are present.
Hint
`docker pull nginx`, `docker pull ubuntu`, `docker pull httpd`.
Listing and inspecting
docker images (or docker image ls) lists locally-available images.
Columns: REPOSITORY, TAG, IMAGE ID, CREATED, SIZE.
docker images
Two refs point at the same image if they share an IMAGE ID. The
IMAGE ID is the canonical handle โ names + tags are just labels on
top.
docker inspect returns the full metadata as JSON. It's the
authoritative source for everything about an image: env vars,
exposed ports, working dir, default user, the entrypoint, layer
chain โ everything.
docker inspect nginx | head -40
docker inspect --format '{{.Config.ExposedPorts}}' nginx
docker inspect --format '{{.Config.Cmd}}' nginx
--format evaluates a Go template against the JSON, which is much
nicer than piping through jq.
Click Verify step when you've inspected at least one image.
Hint
`docker images` lists local images; `docker inspect <ref>` returns JSON metadata.
Tagging โ local aliases
A tag is a human-readable pointer at an image ID. The full
reference is repository:tag โ e.g. nginx:latest,
gcr.io/my-project/my-app:v1.2.3.
You can attach as many tags as you like to the same image:
docker tag nginx app/nginx:v1
docker tag nginx app/nginx:experimental
docker images | grep app/nginx
Both tags resolve to the same IMAGE ID โ confirm:
docker images --no-trunc --format '{{.Repository}}:{{.Tag}} {{.ID}}' | grep -E 'nginx|app/nginx'
Tag naming matters when you push to a registry. The repository
portion must match where you're pushing:
docker.io/<user>/<image>:tag # Docker Hub (`docker.io/` is implicit)
gcr.io/<project>/<image>:tag # Google Container Registry
asia-southeast1-docker.pkg.dev/<project>/<repo>/<image>:tag # Artifact Registry
We'll push in scenario 104. For now, click Verify step once
app/nginx:v1 shows up in docker images.
Hint
`docker tag nginx app/nginx:v1` creates an alias. Same image, different name.
History and layers
Docker images are built from layers. Each line in a Dockerfile
that modifies the filesystem creates a new layer. Pulls and rebuilds
reuse layers that haven't changed โ that's why docker pull is fast
the second time, and why a multi-stage Dockerfile that puts volatile
work last builds quickly.
See the layer chain top-down:
docker history nginx
The output shows each layer's instruction (CMD, COPY, RUN apt-get update && apt-get install ...), its age, and the size it added. The
top entry is the latest layer; the bottom is the FROM base.
Layers are content-addressed, so:
docker pull nginx:alpine
docker history nginx:alpine
โ the nginx:alpine and nginx:latest images share zero layers
(different base) but two pulls of nginx:latest share all layers.
Click Verify step when you've inspected the history of at least
one image.
Hint
`docker history nginx` shows the layer chain top-down.
Cleaning up
Local image storage grows quickly. Two cleanup tools:
docker rmi โ remove a specific image by ref or ID. Fails if the
image is in use by any container (running or stopped).
docker rmi httpd
docker images
If a removal is blocked by a container, the error will name the
container; remove it first (docker rm) or use -f to force.
docker image prune โ bulk-remove dangling images (untagged
ones, usually leftovers from docker build).
docker image prune -f
For a bigger cleanup, docker image prune -a -f removes every image
NOT used by an existing container. Useful between scenarios.
Finally, verify you've removed httpd:
docker images | grep -v httpd
Click Verify step.
Hint
`docker rmi <ref>` removes one image; `docker image prune` cleans dangling ones.