Looking inside Container Images

This blog is a continuation of my previous blog on Container standards. In this blog, we will look inside a Container image to understand the filesystem and manifest files that describes the Container. We will cover Container images in Docker, APPC and OCI formats. As mentioned in previous blog, these Container images will converge into OCI format in the long run.

I have picked two Containers for this blog: “nginx”which is a standard webserver and “smakam/hellocounter” which is a Python web application.

Docker format:

To see Container content in Docker format, do the following:

docker save nginx > nginx.tar
tar -xvf nginx.tar

Following files are present:

  • manifest.json – Describes filesystem layers and name of json file that has the Container properties.
  • <id>.json – Container properties
  • <layer directory> – Each “layerid” directory contains json file describing layer property and filesystem associated with that layer. Docker stores Container images as layers to optimize storage space by reusing layers across images.

Following are some important Container properties that we can see in the JSON file:

  • Digest associated with each layer
  • OS and Architecture detail
  • Config section describes Environment like Path, working directory, command to be run, ports to be exposed, volumes to be mounted.
  • history section describes history of each layer.

Complete Container content in Docker format for “nginx” is available here and “smakam/hellocounter” is available here.

APPC format:
To see Container content in ACI format, do the following:

docker2aci nginx
tar -xvf nginx.aci

“docker2aci” converts Docker image into ACI format.

Following files are present:

  • manifest – Describes Container properties
  • rootfs – Directory containing Container filesystem

manifest file has the following important sections and content:

  • Annotations section has key, value pair describing Container name, image id which is the digest, creation date etc.
  • app section has environment variables like Path, Command to be started, working directory, userid, groupid to be used, mount points, exposed ports. app section also has isolators that describes resource limits like cpu, memory, io for the Container.

Complete Container content in ACI format for “nginx” is available here and “hellocounter” is available here.

OCI format:
To see Container content in OCI format, do the following:

mkdir rootfs
docker export $(docker create nginx) | tar -C rootfs -xvf -
runc spec -> creates config.json

To build runc, please use the procedure here.

Following are some parameters in config.json:

  • Platform section describes OS and architecture
  • Process section describes environment like Path, current working directory, executable to run.
  • Platform specific configuration is specified in OS section. For Linux, there is a section called linux that describes namespaces, cgroups.
  • Mounts section specifies mount points.

Complete Container content in OCIĀ format for “nginx” is available here and “hellocounter” is available here.


2 thoughts on “Looking inside Container Images

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s