Docker Images

A container is basically a running Image.

An Image is a bunch of layers with a Manifest (saying how the Image should run).

As Images are Read Only, a Read Write layer is created per container.

Images in detail


docker rmi <image id>

Potential errors:

Error response from daemon: conflict: unable to delete <image id> (must be forced) – image is referenced in multiple repositories

You’ll need to untag them all individually. E.g.

docker images | grep <image id>


docker rmi <repo>:<tag>


Error response from daemon: conflict: unable to delete ae6b78bedf88 (must be forced) – image is being used by stopped container b6e81decac41

docker rmi -f <image id>




docker images


docker image ls

Note: you can optionally use a Repo name to just list those repos. E.g.

docker images alpine

or filter with a wildcard (using Zsh you’ll need to use quotes):

docker images 'alp*




docker image pull redis

pull does an API request to a registry.

Step 1: get manifest

Step 2: pull layers

First, it looks for a Fat Manifest (aka Manifest List) and then, in turn, gets the Image Manifest. We then get a list of Layers which we pull.

Note: digest is a hash containing the Image ID which we can see with:

docker image ls --digests

Note, even though docker system info reports the Docker Root Dir as /var/lib/docker on the Mac, the images are actually stored in the xhyve virtual machine.

docker history

Say you’ve pulled something with docker image pull redis, you can see the commands that built the image using:

docker history redis


 Docker  docker history redis
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
4e8db158f18d        3 weeks ago         /bin/sh -c #(nop)  CMD ["redis-server"]         0B
<missing>           3 weeks ago         /bin/sh -c #(nop)  EXPOSE 6379/tcp              0B
<missing>           3 weeks ago         /bin/sh -c #(nop)  ENTRYPOINT ["docker-entry…   0B
<missing>           3 weeks ago         /bin/sh -c #(nop) COPY file:9c29fbe8374a97f9…   344B
<missing>           3 weeks ago         /bin/sh -c #(nop) WORKDIR /data                 0B
<missing>           3 weeks ago         /bin/sh -c #(nop)  VOLUME [/data]               0B
<missing>           3 weeks ago         /bin/sh -c mkdir /data && chown redis:redis …   0B
<missing>           3 weeks ago         /bin/sh -c set -ex;   buildDeps='   wget    …   24.8MB
<missing>           3 weeks ago         /bin/sh -c #(nop)  ENV REDIS_DOWNLOAD_SHA=fc…   0B
<missing>           3 weeks ago         /bin/sh -c #(nop)  ENV REDIS_DOWNLOAD_URL=ht…   0B
<missing>           3 weeks ago         /bin/sh -c #(nop)  ENV REDIS_VERSION=4.0.11     0B
<missing>           6 weeks ago         /bin/sh -c set -ex;   fetchDeps="   ca-certi…   3MB
<missing>           6 weeks ago         /bin/sh -c #(nop)  ENV GOSU_VERSION=1.10        0B
<missing>           6 weeks ago         /bin/sh -c groupadd -r redis && useradd -r -…   329kB
<missing>           6 weeks ago         /bin/sh -c #(nop)  CMD ["bash"]                 0B
<missing>           6 weeks ago         /bin/sh -c #(nop) ADD file:919939fa022472751…   55.3MB

For more info see: docker image inspect

and delete with docker image rm redis


On-premises Registry – e.g. Docker Trusted Registry (part of Docker’s commercial offering).

Note: official registry is So, docker pull redis is short hand for:

docker pull

The image is actually called latest. The repo is called redis and the registry is

Note: uncompressed layers use a content hash, Registry uses distribution hash (‘cos the layer gets compressed before being uploaded) and the layers on the file system use a random ID.

 Best Practices

  1. use official images (e.g. alpine)
  2. use specific versions of a docker image (rather than latest)


Leave a Reply

Your email address will not be published. Required fields are marked *