A container image is a read-only, layered snapshot of a filesystem together with metadata describing how to run a container from it: the default command, environment variables, exposed ports, working directory, user. Images are the immutable templates; containers are the mutable running instances.
Images are built from a Dockerfile (or equivalent). Each instruction in a Dockerfile creates a new layer, a diff on top of the previous one. This layering enables two important properties: reuse (many images sharing the same base layer need store that layer only once) and caching (rebuilding an image reuses layers whose instructions have not changed).
docker build -t myapp:v1 .
docker images
docker tag myapp:v1 registry.example.com/myapp:v1
docker push registry.example.com/myapp:v1
docker pull nginx:alpine
docker rmi myapp:v1
Images are identified by their SHA-256 digest and by one or more tags (human-readable references like nginx:alpine or myapp:v1.2.3). Tags are mutable—:latest can point to different digests over time—so for reproducibility you often want to pin to digests: nginx@sha256:.... Modern Linux container tooling around OCI images, registries, and signing (cosign, sigstore) makes the supply chain far more auditable than it used to be.
Related terms: Container, Dockerfile, oci, registry
Discussed in:
- Chapter 17: Containers and Virtualisation — Docker: The Packaging Revolution
Also defined in: Textbook of Linux