Podman: Understanding Container Images and Container Registries

Are Containers and Images Related?

A container is a running instance of an image. An image is a collection of everything needed to run the main application in a container: the application code, dependency libraries and language runtime. External libraries such as libc, which are normally provided by the host operating system, are also included in the container image. This makes the container image appear to be based on a specific Linux distribution.

The container itself is a read-only instance of the application that just needs to be started. A similar analogy is the applications on a smartphone: when we click on the image in the app store, it gets installed on the phone and runs on the phone for as long as it is required.

When a container is started, a writable layer is added on top of the image. All the changes made by the operator are stored in this writable layer.

What is a Container Image?

  • From a technical point of view, a container image is a TAR file (an archive file) which contains:
    • Container root file system: a directory that looks like the standard root of the operating system, but presented as a mount namespace. The mount namespace makes the root file system appear to be everything that is available to the container.
    • Metadata: a JSON file which specifies how to run that root file system, including all the settings that are required to get a functional container, such as the entry point, the environment variables and other details.
  • Container images are by nature layered. We can install additional content, a new JSON file and so on, and store the difference in a new TAR file.
  • If we analyze a container image at a granular level, we will see that the image is based on a generic container image, and this makes working with container images more efficient.
  • Images are standardized by the Open Container Initiative (OCI). Container images are shared through public registries or by sharing the mechanism to build them (a Dockerfile).
  • The Docker container image format has become the de facto standard image format, and it is also the basis of the OCI container format. The two are very much alike and, in practice, we can use either of them in most containerized solutions.

Container Image Layers

  • Container images are made up of a series of file system layers. Each layer adds, removes or modifies files from the preceding layer in the file system. This system is what we call an overlay file system, and in the containerized world different overlay file systems currently exist, such as AUFS, overlay and overlay2.
  • By using the different container image layers, and by pointing to the other image layers in a smart way, it's easy to build containers that have support for multiple versions of vital components.
  • Apart from the different layers, container images have a container configuration file that provides instructions on how to run the container.
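The layering described above, as an added example that is not part of the original article: it builds three constructed layers as in-memory TAR archives and merges them bottom to top. It assumes the OCI whiteout convention, where a file named `.wh.<name>` in a layer hides `<name>` from the layers below, and models only plain file whiteouts; all paths and contents are made up. The last function shows a point worth checking before pushing an image: a file removed in a later layer is still stored in the earlier layer's archive.

```python
import io
import tarfile

WHITEOUT = ".wh."  # OCI convention: ".wh.<name>" hides <name> from lower layers


def make_layer(files):
    """Build one layer as an in-memory TAR archive from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_layer(layer):
    """Return {path: bytes} for the regular files stored in one layer."""
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}


def merge_layers(layers):
    """Apply layers bottom to top, as an overlay file system presents them."""
    rootfs = {}
    for layer in layers:
        files = read_layer(layer)
        for path in files:  # whiteouts first: they only affect lower layers
            directory, _, name = path.rpartition("/")
            if name.startswith(WHITEOUT):
                target = (directory + "/" if directory else "") + name[len(WHITEOUT):]
                for p in [p for p in rootfs if p == target or p.startswith(target + "/")]:
                    del rootfs[p]
        for path, data in files.items():  # then files added or modified here
            if not path.rpartition("/")[2].startswith(WHITEOUT):
                rootfs[path] = data
    return rootfs


def layers_containing(layers, path):
    """Indexes of the layers whose archive still stores `path`."""
    return [i for i, layer in enumerate(layers) if path in read_layer(layer)]


# Constructed sample image: base layer, application layer, clean-up layer.
LAYERS = [
    make_layer({"etc/os-release": b"ID=alpine\n", "bin/sh": b"#!shell\n"}),
    make_layer({"app/config.yml": b"debug: true\n", "app/build.key": b"sample-key\n"}),
    make_layer({"app/config.yml": b"debug: false\n", "app/.wh.build.key": b""}),
]
```

The merged root file system no longer shows `app/build.key`, yet `layers_containing(LAYERS, "app/build.key")` still reports the second layer, which is why sensitive files should never be added to a layer in the first place.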

[Diagram: layers of a container image]

  • The above diagram shows the layers of a container image
  • Layer 1 is the base image, which is a small operating system image
  • Layer 2 is Ruby, which is built on top of Layer 1, the alpine image
  • On top of the Ruby layer, two more layers are introduced, which are different versions of Rails
  • Only the application resides on top of all the above layers
  • Layers 1-4 are the starting point, which is given in the Dockerfile

Container Registries

  • A container registry takes care of the distribution of images. Another way is to distribute the created tarball manually, but that is not recommended in a production environment, as it is not efficient.
  • Some of the common registries are DockerHub and Quay, and some organizations have their own private registries
  • When it comes to registry access, we can have registered access or anonymous access.
  • With anonymous access you get limited access; registered access in some repos needs a premium subscription.
  • One known repo is DockerHub, which offers a Docker professional account for an annual fee of $70. With a Docker professional account, we can set up automatic image upload, unlimited image pulls etc.
  • Once the account is created, we can use the docker login or podman login command to authenticate to the registry

Benefits of Container Registries

Container repositories have benefits such as the following:

  • Cost savings: Container registries help reduce overall project cost, as they allow developers to share and store images without having to provision and maintain their own hardware and infrastructure
  • Portability: Registries allow developers to move images between different environments, which reduces the overall deployment time
  • Better collaboration: Registries allow multiple developers to collaborate and work on the same project
  • Security: Registries increase the security of the images, as most registries have built-in encryption and access control
  • Version control: Version control of the container image is possible via registries
  • Availability: Container registries allow developers to store images quickly and easily, and they provide high availability of container image access
