Devii · DevOps · 2026-05-10 · 7 min read


Docker Images And Containers: Layers, Immutability, And The OCI Spec

What an image actually is, how layers stack, and why containers are processes with namespaces, not lightweight VMs.

A **Docker image** is a read-only filesystem snapshot plus metadata (entrypoint, default environment, exposed ports). Images are built in **layers**: instructions that change the filesystem (`RUN`, `COPY`, `ADD`) each produce a layer, while metadata-only instructions (`ENV`, `EXPOSE`, `CMD`) update the image config without adding one. Layers are content-addressed (named by the SHA-256 digest of their bytes) and shared across images on the same host, which is why pulling a second image that reuses a base layer is fast: the shared blob is already present, so only the manifest and the layers it does not yet have are transferred.

A **container** is a running instance of an image: a process (or process tree) isolated with Linux **namespaces** and constrained with **cgroups**. The Open Container Initiative (**OCI**) publishes the **image-spec** and **runtime-spec** that Docker, containerd, and Podman implement (Docker itself delegates to containerd and the reference runtime `runc`). Containers are not full virtual machines; they share the host kernel, so a kernel vulnerability reachable from inside a container is a host compromise, and the isolation boundary is only as strong as the namespace, capability and seccomp configuration the runtime applies.


Operational facts: image tags like `:latest` are mutable pointers to a manifest digest, not guarantees; two pulls of the same tag can yield different images. Pin `image@sha256:...` digests in production manifests when reproducibility or supply-chain integrity matters, and check what a pulled tag actually resolved to with `docker image inspect --format '{{.RepoDigests}}' <image>`. Multi-stage builds keep compilers, build tools and source out of the runtime image, shrinking attack surface and transfer size.
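As an added example that is not code from Docker, containerd or the OCI project, the Python model below builds a tiny content-addressed blob store in the shape of an OCI image layout and exercises three points made above: a layer reused by two images is stored once, a tag is a pointer that can move while a digest names fixed content, and a client can re-hash what it pulled against the manifest. The names `BlobStore`, `make_layer` and `demo` and the layer contents are assumptions constructed for the example; the media types and the `rootfs.diff_ids` field are the real image-spec ones.

```python
"""Added example, not Docker's or containerd's code: a minimal OCI-style blob store."""
import hashlib
import io
import json
import tarfile


def digest(blob: bytes) -> str:
    """OCI digest string '<algorithm>:<lowercase hex>'; sha256 is the algorithm registries must support."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def make_layer(files: dict) -> bytes:
    """Build an uncompressed tar layer from {path: text}. Constructed input, not a real image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):  # sorted entries + fixed mtime: same files, same bytes, same digest
            data = files[path].encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


class BlobStore:
    """Hypothetical content-addressed store modelled on the OCI image-layout blobs directory."""

    def __init__(self):
        self.blobs = {}  # digest -> bytes; one copy per digest, however many images reference it
        self.tags = {}   # "name:tag" -> manifest digest; a mutable pointer, nothing more

    def put(self, blob: bytes) -> str:
        d = digest(blob)
        self.blobs[d] = blob  # idempotent: re-putting a shared layer stores nothing new
        return d

    def put_image(self, layers: list, env: list) -> str:
        """Store config + layers and return the manifest digest, the only immutable image name."""
        # Layers here are uncompressed tar, so descriptor digests equal rootfs.diff_ids; with gzip
        # layers the descriptor digest covers the compressed blob and diff_ids the uncompressed tar.
        layer_digests = [self.put(layer) for layer in layers]
        config = {"architecture": "amd64", "os": "linux", "config": {"Env": env},
                  "rootfs": {"type": "layers", "diff_ids": layer_digests}}
        config_bytes = json.dumps(config, sort_keys=True).encode()
        manifest = {
            "schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                       "digest": self.put(config_bytes), "size": len(config_bytes)},
            "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar",
                        "digest": d, "size": len(layer)} for d, layer in zip(layer_digests, layers)],
        }
        return self.put(json.dumps(manifest, sort_keys=True).encode())

    def tag(self, ref: str, manifest_digest: str) -> None:
        self.tags[ref] = manifest_digest

    def resolve(self, ref: str) -> str:
        """'name@sha256:..' names fixed content; 'name:tag' returns whatever the tag points at now."""
        if "@" in ref:
            d = ref.split("@", 1)[1]
            if d not in self.blobs:
                raise KeyError("unknown digest " + d)
            return d
        return self.tags[ref]

    def verify(self, manifest_digest: str) -> bool:
        """Re-hash every blob the manifest references, as a client must do after a pull."""
        manifest_bytes = self.blobs[manifest_digest]
        if digest(manifest_bytes) != manifest_digest:
            return False
        manifest = json.loads(manifest_bytes)
        for ref in [manifest["config"]] + manifest["layers"]:
            blob = self.blobs.get(ref["digest"], b"")
            if len(blob) != ref["size"] or digest(blob) != ref["digest"]:
                return False
        return True


def demo() -> dict:
    """Two images sharing a base layer; a tag that moves; a digest that does not; a tampered layer."""
    store = BlobStore()
    base = make_layer({"bin/sh": "#!/bin/sh\n"})  # constructed stand-in for a base image layer
    v1 = store.put_image([base, make_layer({"app/main": "v1"})], ["APP_VERSION=1"])
    v2 = store.put_image([base, make_layer({"app/main": "v2"})], ["APP_VERSION=2"])

    store.tag("myapp:latest", v1)
    latest_before = store.resolve("myapp:latest")
    store.tag("myapp:latest", v2)              # a later push moved the pointer
    latest_after = store.resolve("myapp:latest")
    pinned = store.resolve("myapp@" + v1)      # still v1, whatever :latest does

    verified_before = store.verify(v1)
    store.blobs[digest(base)] = base + b"#\n"  # simulate a corrupted or swapped layer blob
    verified_after = store.verify(v1)

    # blob_count is 7: base layer once (not twice), two app layers, two configs, two manifests
    return {"blob_count": len(store.blobs), "latest_moved": latest_before != latest_after,
            "pinned_is_v1": pinned == v1, "verified_before": verified_before,
            "verified_after": verified_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The base layer appears in both images but occupies one slot in the store, which is the host-side sharing described above. `resolve("myapp:latest")` returns a different digest after the second `tag` call while `resolve("myapp@sha256:...")` does not, which is the whole argument for pinning digests in production manifests. `verify` fails on the tampered blob because both the size and the digest in the manifest's descriptor stop matching; a real client checks exactly this on pull.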

Read `docs.docker.com` for Dockerfile reference and `opencontainers.org` for the normative specs. This article states mechanics, not a vendor ranking.