Swag now available

Layers & Repositories

Introduction

The goal of this exercise is to understand the difference between base images and multi-layered images (repositories), as well as the difference between an image layer and a repository.  

Image Layers and Repositories

Let's take a look at some base images. We will use the podman history command to inspect all of the layers in these repositories. Notice that these container images have no parent layers. These are base images and they are designed to be built upon. First, let's look at the full ubi8 base image. The first step is to pull a local copy of the image:

 
podman pull registry.access.redhat.com/ubi8/ubi:latest

Podman can be used to inspect the history of the image:

podman history registry.access.redhat.com/ubi8/ubi:latest
Now, let's take a look at the minimal base image which is part of the Red Hat Universal Base Image (UBI) collection. Notice that it's quite a bit smaller:

 

podman pull registry.access.redhat.com/ubi8/ubi-minimal:latest
podman history registry.access.redhat.com/ubi8/ubi-minimal:latest

 

Now, using a simple Dockerfile, you build a multi-layered image. Create a new file named Dockerfile with the contents:
 
FROM registry.access.redhat.com/ubi8/ubi
RUN echo "Hello world" > /tmp/newfile
RUN echo "Hello world" > /tmp/newfile2
RUN echo "Hello world" > /tmp/newfile3
RUN echo "Hello world" > /tmp/newfile4
RUN echo "Hello world" > /tmp/newfile5

In the same directory as the Dockerfile, run the command:

podman build -t ubi8-change -f Dockerfile

Do you see the newly created ubi8-change tag?

 

podman images

 

Can you see all of the layers that make up the new image/repository/tag? This command even shows a short summary of the commands run in each layer. This is very convenient for exploring how an image was made.

 

podman history ubi8-change

 

Notice that that the first image ID (bottom) listed in the output matches the registry.access.redhat.com/ubi8/ubi image. Remember, it is important to build on a trusted base image from a trusted source (aka have provenance or maintain chain of custody). Container repositories are made up of layers, but we often refer to them simply as "container images" or containers. When architecting systems, we must be precise with our language or we will cause confusion to our end users.