Nicholas Dille

Automation, DevOps and Containerization

© 2001-2024. All rights reserved.

Images and Layers

Naming scheme

Format: <registry>/<repository>:<tag>

<repository> describes purpose

<tag> describes variant or version

<repository>:<tag> is called an image

Docker Hub

On Docker Hub: <repository>:<tag>

Official image: alpine:stable

Community image: nicholasdille/insulatr

Images and layers

Images consist of layers

Layers improve download performance

Layers enable reusability

Image Manifest

Lists layers in the image

Layers are referenced as blobs

References are SHA256 hashed: sha256:...

Image configuration

Contains command used to create layers

Stored as blob

Demo: Layers

Preparation

Upload image to local registry

Build and push image:

docker run -d -p 5000:5000 registry:2
docker build --tag localhost:5000/hello-world-java .
docker push localhost:5000/hello-world-java

Investigate layers locally

Check layers:

docker history hello-world-java

Analyze layers:

dive hello-world-java

https://github.com/wagoodman/dive

Demo: Image Manifest

Fetch image manifest:

curl http://localhost:5000/v2/hello-world-java/manifests/latest \
  --silent \
  --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
| jq

Demo: Image Configuration

Fetch image configuration:

DIGEST=$(
  curl http://localhost:5000/v2/hello-world-java/manifests/latest \
    --silent \
    --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  | jq --raw-output '.config.digest'
)
curl http://localhost:5000/v2/hello-world-java/blobs/${DIGEST} \
  --silent \
  --header "Accept: application/vnd.docker.container.image.v1+json" \
| jq

Demo: Download image layer

Fetch digest of last layer:

DIGEST=$(
  curl http://localhost:5000/v2/hello-world-java/manifests/latest \
    --silent \
    --header "Accept: application/vnd.docker.container.image.v1+json" \
  | jq --raw-output '.layers[-1].digest'
)

View layer tarball:

curl http://localhost:5000/v2/hello-world-java/blobs/${DIGEST} \
  --silent \
  --header "Accept: application/vnd.docker.image.rootfs.diff.tar.gzip" \
| tar -tvz

Demo: Verifying a layer

Verifying a layer digest:

curl http://localhost:5000/v2/hello-world-java/blobs/${DIGEST} \
  --silent \
  --header "Accept: application/vnd.docker.image.rootfs.diff.tar.gzip" \
| sha256sum

Calculating a layer’s length:

curl http://localhost:5000/v2/hello-world-java/blobs/${DIGEST} \
  --silent \
  --header "Accept: application/vnd.docker.image.rootfs.diff.tar.gzip" \
| wc -c

Registries

REST API

No UI

Manage images, layers, configurations

Upload, list, update, delete

Usage

Registries are accessed using HTTPS

Insecure registries must be defined expicitly

Accepted insecure registry: 127.0.0.1/8

Further reading

Registry API

Image Manifest Specification v2.2

Demo: Registries

Tagging images remotely

Download existing manifest:

MANIFEST=$(
  curl http://localhost:5000/v2/hello-world-java/manifests/latest \
    --silent \
    --header "Accept: application/vnd.docker.distribution.manifest.v2+json"
)

Upload manifest to new path:

curl http://localhost:5000/v2/hello-world-java/manifests/new \
  --request PUT \
  --header "Content-Type: application/vnd.docker.distribution.manifest.v2+json" \
  --data "${MANIFEST}"

Test new tag:

docker pull localhost:5000/hello-world-java:new