Science and technology

A hands-on information to pictures and containers for builders

Containers and Open Container Initiative (OCI) photos are vital open supply utility packaging and supply applied sciences made standard by tasks like Docker and Kubernetes. The higher you perceive them, the extra in a position you’ll be to make use of them to reinforce the consistency and scalability of your tasks.

In this text, I’ll describe this expertise in easy phrases, spotlight the important elements of photos and containers for a developer to know, then wrap up by discussing some greatest practices builders can comply with to make their containers moveable. I will even stroll you thru a easy lab that demonstrates constructing and working photos and containers.

What are photos?

Images are nothing greater than a packaging format for software program. An awesome analogy is Java’s JAR file or a Python wheel. JAR (or EAR or WAR) recordsdata are merely ZIP recordsdata with a distinct extension, and Python wheels are distributed as gzipped tarballs. All of them conform to a typical listing construction internally.

Images are packaged as tar.gz (gzipped tarballs), they usually embrace the software program you are constructing and/or distributing, however that is the place the analogy to JARs and wheels ends. For one factor, photos bundle not simply your software program however all supporting dependencies wanted to run your software program, as much as and together with a whole working system. Whereas wheels and JARs are often constructed as dependencies however could be executable, photos are nearly at all times constructed to be executed and extra hardly ever as a dependency.

Knowing the main points of what is within the photos is not obligatory to know the right way to use photos or to jot down and design software program for them (when you’re , learn “What is a container image?”). From your perspective, and particularly from the attitude of your software program, what’s vital to know is that the photographs you create will include a full working system. Because photos are packaged as if they are a full working system from the attitude of the software program you want to run, they’re essentially a lot bigger than software program packaged in a extra conventional trend.

Note that photos are immutable. They can’t be modified as soon as they’re constructed. If you modify the software program working on the picture, it’s essential to construct a wholly new picture and change the previous one.


When photos are created, they’re created with a novel hash, however they’re sometimes recognized with a human-readable title resembling ubi, ubi-minimal, openjdk11, and so forth. However, there could be totally different variations of the picture for every of their names, and people are sometimes differentiated by tags. For instance, the openjdk11 picture may be tagged as jre- and jre-, denoting picture builds of the openjdk11 software program bundle model put in on a Red Hat ubi and ubi minimal picture, respectively.

What are containers?

Containers are photos which have been realized and executed on a number system. Running a container from a picture is a two-step course of: create and begin. Create takes the picture and provides it its personal ID and filesystem. Create (as in docker create, for instance) could be repeated many instances in an effort to create many cases of a working picture, every with its personal ID and filesystem. Starting the container will launch an remoted course of on the host machine wherein the software program working contained in the container will behave as whether it is working in its very personal digital machine. A container is thus an remoted course of on the host machine, with its personal ID and unbiased filesystem.

From a software program developer’s perspective, there are two main causes to make use of containers: consistency and scalability. These are associated to one another, and collectively they permit tasks to make use of one of the crucial promising improvements to come back to software program improvement in recent times, the precept of “Build once, deploy many.”


Because photos are immutable and embrace all the dependencies wanted to run your software program from the OS on up, you achieve consistency wherever you select to deploy it. This means whether or not you launch a picture as a container in a improvement, check, or any variety of manufacturing environments, the container will run precisely the identical means. As a software program developer, you will not have to fret about whether or not any of these environments are working on a distinct host working system or model, as a result of the container is working the identical working system each time. That’s the good thing about packaging your software program together with its full runtime surroundings, moderately than simply your software program with out the whole set of dependencies wanted to run it.

This consistency signifies that in nearly all instances, when a problem is present in one surroundings (for instance, manufacturing), you could be assured that you can reproduce that challenge in improvement or another surroundings, so you possibly can affirm the conduct and deal with fixing it. Your undertaking ought to by no means get mired in and stumped by the dreaded “But it works on my machine” downside once more.


Images include not solely your software program but additionally all of the dependencies wanted to run your software program, together with the underlying working system. This means all processes working contained in the container view the container because the host system, the host system is invisible to processes working contained in the container, and, from the host system’s perspective, the container is simply one other course of it manages. Of course, digital machines do nearly the identical factor, which raises a legitimate query: Why use container expertise as a substitute of a digital machine? The reply lies in each velocity and dimension.

Containers run solely the software program required to assist an unbiased host with out the overhead of getting to imitate the {hardware}. Virtual machines should include a whole working system and mimic the underlying {hardware}. The latter is a really heavyweight answer, which additionally ends in a lot bigger recordsdata. Because containers are handled as simply one other working course of from the host system’s perspective, they are often spun up in seconds moderately than minutes. When your utility must scale shortly, containers will beat a digital machine in assets and velocity each time. Containers are additionally simpler to reduce down.

Scaling is outdoors the scope of this text from a practical standpoint, so the lab is not going to be demonstrating this characteristic, nevertheless it’s vital to know the precept in an effort to perceive why container expertise represents such a major advance within the packaging and deployment of software program.

Note: While it’s doable to run a container that does not include a complete operating system, that is hardly ever performed as a result of the minimal photos accessible are often an inadequate start line.

How to seek out and retailer photos

Like each different kind of software program packaging expertise, containers want a spot the place packages could be shared, discovered, and reused. These are known as picture registries, analogous to Java Maven and Python wheel repositories or npm registries.

These are a sampling of various picture registries accessible on the web:

  • Docker Hub: The unique Docker registry, which hosts many Docker official photos used broadly amongst tasks worldwide and supplies alternatives for people to host their very own photos. One of the organizations that hosts photos on Docker Hub is adoptopenjdk; view their repository for examples of photos and tags for the openjdk11 undertaking.
  • Red Hat Image Registry: Red Hat’s official picture registry supplies photos to these with legitimate Red Hat subscriptions.
  • Quay: Red Hat’s public picture registry hosts a lot of Red Hat’s publicly accessible photos and supplies offering alternatives for people to host their very own photos.

Using photos and containers

There are two utilities whose function is to handle photos and containers: Docker and Podman. They can be found for Windows, Linux, and Mac workstations. From a developer’s perspective, they’re utterly equal when executing instructions. They could be thought of aliases of each other. You may even set up a bundle on many methods that can robotically change Docker right into a Podman alias. Wherever Podman is talked about on this doc, Docker could be safely substituted with no change in consequence.

[ Read next: 5 underused Podman features to try now ]

You’ll instantly discover these utilities are similar to Git in that they carry out tagging, pushing, and pulling. You will use or confer with this performance commonly. They shouldn’t be confused with Git, nonetheless, since Git additionally manages model management, whereas photos are immutable and their administration utilities and registry haven’t any idea of change administration. If you push two photos with the identical title and tag to the identical repository, the second picture will overwrite the primary with no technique to see or perceive what has modified.


The following are a sampling of Podman and Docker subcommands you’ll generally use or confer with:

  • construct: construct a picture
    • Example: podman construct -t org/some-image-repo -f Dockerfile
  • picture: handle photos regionally
    • Example: podman picture rm -a will take away all native photos.
  • photos: listing photos saved regionally
  • tag: tag a picture
  • container: handle containers
    • Example: podman container rm -a will take away all stopped native containers.
  • run: create and begin a container
  • pull/push: pull/push and picture from/to a repository on a registry


Dockerfiles are the supply recordsdata that outline photos and are processed with the construct subcommand. They will outline a dad or mum or base picture, copy in or set up any additional software program you wish to have accessible to run in your picture, outline any additional metadata for use in the course of the construct and/or runtime, and probably specify a command to run when a container outlined by your picture is run. A extra detailed description of the anatomy of a Dockerfile and a number of the extra widespread instructions utilized in them is within the lab under. A hyperlink to the whole Dockerfile reference seems on the finish of this text.

Fundamental variations between Docker and Podman

Docker is a daemon in Unix-like methods and a service in Windows. This means it runs within the background on a regular basis, and it runs with root or administrator privileges. Podman is binary. This means it runs solely on demand, and might run as an unprivileged consumer.

This makes Podman safer and extra environment friendly with system assets (why run on a regular basis if you do not have to?). Running something with root privileges is, by definition, much less safe. When utilizing photos on the cloud, the cloud that can host your containers can handle photos and containers extra securely.

Skopeo and Buildah

While Docker is a singular utility, Podman has two different associated utilities maintained by the Containers group on GitHub: Skopeo and Buildah. Both present performance that Podman and Docker don’t, and each are a part of the container-tools bundle group with Podman for set up on the Red Hat household of Linux distributions.

For essentially the most half, builds could be executed via Docker and Podman, however Buildah exists in case extra sophisticated builds of photos are required. The particulars of those extra sophisticated builds are far outdoors the scope of this text, and you will hardly ever, if ever, encounter the necessity for it, however I embrace point out of this utility right here for completeness.

Skopeo supplies two utility features that Docker doesn’t: the flexibility to repeat photos from one registry to a different and to delete a picture from a distant registry. Again, this performance is outdoors the scope of this dialogue, however the performance might ultimately be of use to you, particularly if it’s essential write some DevOps scripts.

Dockerfiles lab

The following is a really quick lab (about 10 minutes) that can educate you the right way to construct photos utilizing Dockerfiles and run these photos as containers. It will even reveal the right way to externalize your container’s configuration to comprehend the total advantages of container improvement and “Build once, deploy many.”


The following lab was created and examined regionally working Fedora and in a Red Hat sandbox environment with Podman and Git already put in. I consider you will get essentially the most out of this lab working it within the Red Hat sandbox surroundings, however working it regionally is completely acceptable.

You also can set up Docker or Podman by yourself workstation and work regionally. As a reminder, when you set up Docker, podman and docker are utterly interchangeable for this lab.

Building Images

1. Clone the Git repository from GitHub:

$ git clone

2. Open the Dockerfile:

$ cd hello-world-container-lab
$ vim Dockerfile



3 USER root





8 ARG JAR_FILE=goal/*.jar

9 COPY ${JAR_FILE} app.jar


11 USER 1001


13 ENTRYPOINT ["java", "-jar", "/app.jar"]

This Dockerfile has the next options:

  • The FROM assertion (line 1) defines the bottom (or dad or mum) picture this new picture shall be constructed from.
  • The USER statements (traces 3 and 11) outline which consumer is working in the course of the construct and at execution. At first, root is working within the construct course of. In extra sophisticated Dockerfiles I’d should be root to put in any additional software program, change file permissions, and so forth, to finish the brand new picture. At the top of the Dockerfile, I swap to the consumer with UID 1001 in order that, each time the picture is realized as a container and executes, the consumer is not going to be root, and subsequently safer. I exploit the UID moderately than a username in order that the host can acknowledge which consumer is working within the container in case the host has enhanced safety measures that stop containers from working as the basis consumer.
  • The ARG statements (traces 5 and eight) outline variables that can be utilized in the course of the construct course of solely.
  • The ENV assertion (line 6) defines an surroundings variable and worth that can be utilized in the course of the construct course of however will even be accessible each time the picture is run as a container. Note the way it obtains its worth by referencing the variable outlined by the earlier ARG assertion.
  • The COPY assertion (line 9) copies the JAR file created by the Spring Boot Maven construct into the picture. For the comfort of customers working within the Red Hat sandbox, which does not have Java or Maven put in, I’ve pre-built the JAR file and pushed it to the hello-world-container-lab repo. There isn’t any must do a Maven construct on this lab. (Note: There can be an add command that may be substituted for COPY. Because the add command can have unpredictable conduct, COPY is preferable.)
  • Finally, the ENTRYPOINT assertion defines the command and arguments that ought to be executed within the container when the container begins up. If this picture ever turns into a base picture for a subsequent picture definition and a brand new ENTRYPOINT is outlined, it should override this one. (Note: There can be a cmd command that may be substituted for ENTRYPOINT. The distinction between the 2 is irrelevant on this context and outdoors the scope of this text.)

Type :q and hit Enter to give up the Dockerfile and return to the shell.

3. Build the picture:

$ podman construct --squash -t check/hello-world -f Dockerfile

You ought to see:

Getting picture supply signatures
Copying blob d46336f50433 performed  
Copying blob be961ec68663 performed
STEP 7/8: USER 1001
STEP 8/8: ENTRYPOINT ["java", "-jar", "/app.jar"]
COMMIT check/hello-world
Successfully tagged localhost/check/hello-world:newest

In addition to constructing the picture the instructions present the next directions:

The --squash flag will scale back picture dimension by making certain that just one layer is added to the bottom picture when the picture construct completes. Excess layers will inflate the scale of the ensuing picture. FROM, RUN, and COPY/ADD statements add layers, and greatest practices are to concatenate these statements when doable, for instance:

RUN dnf -y --refresh replace &&
    dnf set up -y --nodocs podman skopeo buildah &&
    dnf clear all

The above RUN assertion is not going to solely run every assertion to create solely a single layer however will even fail the construct ought to any one among them fail.

The -t flag is for naming the picture. Because I didn’t explicitly outline a tag for the title (resembling check/hello-world:1.0), the picture shall be tagged as newest by default. I additionally didn’t outline a registry (resembling, so the default registry shall be localhost.

The -f flag is for explicitly declaring the Dockerfile to be constructed.

When working the construct, Podman will observe the downloading of “blobs.” These are the picture layers your picture shall be constructed upon. They are initially pulled from the distant registry, and they are going to be cached regionally to hurry up future builds.

Copying blob d46336f50433 performed  
Copying blob be961ec68663 performed
Copying blob 744c86b54390 skipped: already exists  
Copying blob 1323ffbff4dd skipped: already exists

4. When the construct completes, listing the picture to verify it was efficiently constructed:

$ podman photos

You ought to see:

REPOSITORY                                        TAG                                                      IMAGE ID      CREATED               SIZE
localhost/check/hello-world                 newest                                                    140c09fc9d1d  7 seconds in the past  454 MB  x86_64-ubi-minimal-jre-  5b0423ba7bec  22 hours in the past   445 MB

Running containers

5. Run the picture:

$ podman run check/hello-world

You ought to see:

  .   ____          _            __ _ _
 / / ___'_ __ _ _(_)_ __  __ _
( ( )___ | '
_ | '_| | '_ / _` |
 /  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |___, | / / / /
 :: Spring Boot ::                (v2.5.4)

GREETING: Hello, world
GREETING: Hello, world

The output will proceed printing “Hello, world” each three seconds till you exit:


6. Prove that Java is put in solely within the container:

$ java -version

The Spring Boot utility working contained in the container requires Java to run, which is why I selected the bottom picture. If you are working within the Red Hat sandbox surroundings for the lab, this show sthat Java is put in solely within the container, and never on the host:

-bash: java: command not discovered...

Externalize your configuration

The picture is now constructed, however what occurs after I need the “Hello, world” message to be totally different for every surroundings I deploy the picture to? For instance, I’d wish to change it as a result of the surroundings is for a distinct section of improvement or a distinct locale. If I alter the worth within the Dockerfile, I’m required to construct a brand new picture to see the message, which breaks one of the crucial elementary advantages of containers—”Build once, deploy many.” So how do I make my picture really moveable so it may be deployed wherever I would like it? The reply lies in externalizing the configuration.

7. Run the picture with a brand new, exterior welcome message:

$ podman run -e 'MESSAGE_WELCOME=Hello, world DIT' check/hello-world

You ought to see:

  .   ____          _            __ _ _
 / / ___'_ __ _ _(_)_ __  __ _
( ( )___ | '
_ | '_| | '_ / _` |
 /  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |___, | / / / /
 :: Spring Boot ::                (v2.5.4)

GREETING: Hello, world DIT
GREETING: Hello, world DIT

Stop utilizing through the use of crtl-c and adapt the message:

$ podman run -e 'MESSAGE_WELCOME=Hola Mundo' check/hello-world
.   ____          _            __ _ _
 / / ___'_ __ _ _(_)_ __  __ _
( ( )___ | '
_ | '_| | '_ / _` |
 /  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |___, | / / / /
 :: Spring Boot ::                (v2.5.4)

GREETING: Hola Mundo
GREETING: Hola Mundo

The -e flag defines an surroundings variable and worth to inject into the container at startup. As you possibly can see, even when the variable was constructed into the unique picture (the ENV MESSAGE_WELCOME=${ARG_MESSAGE_WELCOME} assertion in your Dockerfile), will probably be overridden. You’ve now externalized knowledge that wanted to vary based mostly on the place it was to be deployed (for instance, in a DIT surroundings or for Spanish audio system) and thus made your photos moveable.

8. Run the picture with a brand new message outlined in a file:

$ echo 'Hello, world from a file' > greetings.txt
$ podman run -v "$(pwd):/mnt/data:Z"
    -e 'MESSAGE_FILE=/mnt/knowledge/greetings.txt' check/hello-world

In this case you must see:

  .   ____          _            __ _ _
 / / ___'_ __ _ _(_)_ __  __ _
( ( )___ | '
_ | '_| | '_ / _` |
 /  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |___, | / / / /
 :: Spring Boot ::                (v2.5.4)

GREETING: Hello, world from a file
GREETING: Hello, world from a file

Repeat till you hit crtl-c to cease

The -e flag on this case defines a path to the file at /mnt/knowledge/greetings.txt that was mounted from the host’s native file system with the -v flag at $(pwd)/greetings.txt (pwd is a bash utility that outputs absolutely the path of the present listing, which in your case ought to be the hello-world-container-lab). You’ve now externalized knowledge that wanted to vary based mostly on the place it was to be deployed, however this time your knowledge was outlined in an exterior file you mounted into the container. Environment variable settings are OK for a restricted variety of settings, however when you have got a number of settings to use, a file is a extra environment friendly means of injecting the values into your containers.

Note: The :Z flag on the finish of the quantity definition above is for methods utilizing SELinux. SELinux manages safety on many Linux distributions, and the flag permits the container entry to the listing. Without the flag, SELinux would stop the studying of the file, and an exception could be thrown within the container. Try working the command above once more after eradicating the :Z to see an illustration.

This concludes the lab.

Developing for containers: externalize the configuration

“Build once, deploy many” works as a result of the immutable containers working in several environments do not have to fret about variations within the {hardware} or software program required to assist your specific software program undertaking. This precept makes software program improvement, debugging, deployment, and ongoing upkeep a lot quicker and simpler. It additionally is not good, and a few minor adjustments should be made in the way you code to make your container really moveable.

The most vital design precept when writing software program for containerization is deciding what to externalize. These selections finally make your photos moveable to allow them to absolutely notice the “Build once, deploy many” paradigm. Although this will appear sophisticated, there are some easy-to-remember elements to think about when deciding whether or not the configuration knowledge ought to be injectable into your working container:

  • Is the information environment-specific? This consists of any knowledge that must be configured based mostly on the place the container is working, whether or not the surroundings is a manufacturing, non-production, or improvement surroundings. Data of this kind consists of internationalization configuration, datastore data, and the precise testing profile(s) you need your utility to run underneath.
  • Is the information launch unbiased? Data of this kind can run the gamut from characteristic flags to internationalization recordsdata to log ranges—principally, any knowledge you may want or want to vary between releases with out a construct and new deployment.
  • Is the information a secret? Credentials ought to by no means be laborious coded or saved in a picture. Credentials sometimes should be refreshed on schedules that do not match launch schedules, and embedding a secret in a picture saved in a picture registry is a safety danger.

The greatest apply is to decide on the place your configuration knowledge ought to be externalized (that’s, in an surroundings variable or a file) and solely externalize these items that meet the above standards. If it does not meet the above standards, it’s best to go away it as a part of the immutable picture. Following these tips will make your photos really moveable and hold your exterior configuration moderately sized and manageable.

[ Free online course: Containers, Kubernetes and Red Hat OpenShift Technical Overview ]


This article introduces 4 key concepts for software program builders new to pictures and containers:

  1. Images are immutable binaries: Images are a method of packaging software program for later reuse or deployment.
  2. Containers are remoted processes: When they’re created, containers are a runtime instantiation of a picture. When containers are began, they grow to be processes in reminiscence on a number machine, which is way lighter and quicker than a digital machine. For essentially the most half, builders solely must know the latter, however understanding the previous is useful.
  3. “Build once, deploy many”: This precept is what makes container expertise so helpful. Images and containers present consistency in deployments and independence from the host machine, permitting you to deploy with confidence throughout many alternative environments. Containers are additionally simply scalable due to this precept.
  4. Externalize the configuration: If your picture has configuration knowledge that’s environment-specific, release-independent, or secret, take into account making that knowledge exterior to the picture and containers. You can inject this knowledge into your working picture by injecting an surroundings variable or mounting an exterior file into the container.

Additional studying

A brief history of containers: from the 1970s till now

A practical introduction to container terminology

Dockerfile reference

Podman vs. Docker

Most Popular features the latest multimedia technologies, from live video streaming to audio packages to searchable archives of news features and background information. The site is updated continuously throughout the day.

Copyright © 2017 Breaking Express, Green Media Corporation

To Top