Docker Images: The Art of Choosing the Right Building Blocks 🏗️
The Story of the Perfect Backpack
Imagine you’re packing a backpack for a trip. You could throw in everything you own—but then it would be heavy, slow, and hard to carry. Instead, you pick only what you need. A light backpack means you travel faster and easier!
Docker images are exactly like backpacks. They hold everything your app needs to run. A well-packed image is small, fast, and secure. A bloated one? Slow to download, wastes space, and has more things that could break.
Let’s learn how to pack the perfect Docker backpack!
1. Image Inspection and History: Peeking Inside the Backpack
What’s Inside?
Before you buy a backpack, you’d check what’s already inside, right? Docker lets you do the same with images!
docker inspect shows you everything about an image—like reading the ingredient label on food.
docker inspect nginx:latest
This tells you:
- How big is it?
- What commands does it run?
- What ports does it use?
- Who made it?
Who Packed It? (Image History)
docker history shows you every step that built the image—like a recipe!
docker history nginx:latest
Example output:
IMAGE CREATED BY SIZE
abc123 CMD ["nginx", "-g"...] 0B
def456 COPY nginx.conf /etc... 2.3KB
ghi789 RUN apt-get install... 50MB
jkl012 FROM debian:bullseye 80MB
Each line is a layer—like layers in a cake. More on this soon!
Why This Matters
- Find bloat: Spot which step added 500MB!
- Debug problems: See exactly what was installed
- Trust check: Verify the image does what you expect
2. Image Size Optimization: Traveling Light
The Problem with Big Images
Big images mean:
- ⏳ Slow downloads (imagine waiting 10 minutes to start!)
- 💸 More storage costs
- 🐌 Slower deployments
- 🎯 More attack surface (more stuff = more vulnerabilities)
Quick Wins for Smaller Images
1. Start with a smaller base (we’ll cover this soon!)
2. Clean up after yourself
RUN apt-get update && \
apt-get install -y curl && \
rm -rf /var/lib/apt/lists/*
3. Use multi-stage builds
# Stage 1: Build
FROM node:18 AS builder
COPY . .
RUN npm run build
# Stage 2: Run (much smaller!)
FROM node:18-alpine
COPY --from=builder /app/dist ./dist
CMD ["node", "dist/index.js"]
The builder stage has all the tools. The final image only has what you need to run!
Real Size Comparison
| Image Type | Typical Size |
|---|---|
| Ubuntu base | ~80MB |
| Alpine base | ~5MB |
| Distroless | ~2-20MB |
| Scratch | 0MB (empty!) |
3. Layer Caching: The Magic of Not Repeating Yourself
How Layers Work
Think of layers like floors in a building:
graph TD A["🏠 Base Image<br>#40;Floor 1#41;"] --> B["📦 Install Dependencies<br>#40;Floor 2#41;"] B --> C["📁 Copy Source Code<br>#40;Floor 3#41;"] C --> D["🔨 Build App<br>#40;Floor 4#41;"] D --> E["🚀 Final Image"]
If Floor 1 changes, ALL floors above must be rebuilt. But if only Floor 4 changes? Only that floor is rebuilt!
The Golden Rule
Put things that change LEAST at the TOP, things that change MOST at the BOTTOM.
❌ Bad Order (slow builds):
FROM node:18
COPY . .
RUN npm install
Every code change = reinstall ALL packages!
✅ Good Order (fast builds):
FROM node:18
COPY package*.json ./
RUN npm install
COPY . .
Package files rarely change, so npm install is cached!
Cache-Friendly Tips
- Copy dependency files first (package.json, requirements.txt)
- Install dependencies before copying code
- Combine RUN commands to reduce layers
- Use
.dockerignoreto skip unnecessary files
4. Choosing Base Images: Picking Your Foundation
The Foundation Matters
Your base image is like choosing between a mansion and a tiny house. Both can shelter you, but one is way more than you need!
Decision Flowchart
graph TD A["🤔 What do I need?"] --> B{"Need a shell<br>and tools?"} B -->|Yes| C{"How minimal?"} B -->|No| D["🔥 Scratch or<br>Distroless"] C -->|Standard| E["📦 Debian/Ubuntu"] C -->|Minimal| F["🏔️ Alpine"]
Base Image Options
| Type | Size | When to Use |
|---|---|---|
| Ubuntu/Debian | ~80MB | Need familiar tools, debugging |
| Alpine | ~5MB | Want small + shell access |
| Distroless | ~2-20MB | Security-focused, no shell |
| Scratch | 0MB | Static binaries only |
5. Official and Verified Images: Trust Matters
What Makes an Image “Official”?
Official images are like products with a quality seal. Docker and the software makers maintain them!
Look for the blue “Official Image” badge on Docker Hub.
# Official nginx image
docker pull nginx
# NOT official (random user)
docker pull someuser123/nginx
Verified Publishers
Some companies are Verified Publishers—Docker checked that they are who they claim to be.
Why Use Official Images?
- ✅ Regularly updated with security patches
- ✅ Best practices baked in
- ✅ Documentation is solid
- ✅ Trusted source (no hidden malware)
Example: Finding Official Images
# Search Docker Hub for official images
docker search --filter is-official=true nginx
6. Alpine Images: The Lightweight Champion
What is Alpine?
Alpine Linux is a super tiny Linux distribution. While Ubuntu is ~80MB, Alpine is just ~5MB!
Think of it like: A full suitcase (Ubuntu) vs. a small pouch (Alpine).
Using Alpine
Most official images have Alpine versions:
# Regular Node.js (~400MB)
docker pull node:18
# Alpine Node.js (~50MB)
docker pull node:18-alpine
Alpine Gotchas
Alpine uses musl instead of glibc. Some programs might not work!
# If something breaks on Alpine,
# you might need to install gcompat
RUN apk add --no-cache gcompat
When to Use Alpine
| ✅ Great For | ❌ Avoid When |
|---|---|
| Simple apps | Need glibc compatibility |
| Web servers | Complex native extensions |
| Go/Rust apps | Debugging production issues |
| Saving space | Need familiar Linux tools |
7. Scratch and Distroless: The Minimalists
Scratch: Starting from Zero
Scratch is literally an empty image. Nothing at all!
FROM scratch
COPY myapp /myapp
CMD ["/myapp"]
Perfect for:
- Go binaries (they’re self-contained!)
- Rust binaries
- Any statically compiled program
Size: Whatever your binary is. Nothing extra!
Distroless: Just Enough
Google’s Distroless images have a runtime but NO:
- Shell
- Package manager
- Any extra tools
FROM gcr.io/distroless/static-debian12
COPY myapp /myapp
CMD ["/myapp"]
Comparison Table
| Feature | Scratch | Distroless | Alpine |
|---|---|---|---|
| Shell | ❌ | ❌ | ✅ |
| Package manager | ❌ | ❌ | ✅ |
| SSL certificates | ❌ | ✅ | ✅ |
| Timezone data | ❌ | ✅ | ✅ |
| Debug tools | ❌ | ❌ | ✅ |
| Size | 0MB | ~2-20MB | ~5MB |
Security Bonus
Fewer things = fewer vulnerabilities!
If there’s no shell, attackers can’t get a shell. If there’s no curl, they can’t download tools. Simple!
The Complete Journey
graph TD A["🔍 Inspect Images"] --> B["📏 Optimize Size"] B --> C["⚡ Use Layer Caching"] C --> D["🏠 Choose Base Image"] D --> E{"What type?"} E --> F["🏔️ Alpine<br>#40;Small + Shell#41;"] E --> G["🔒 Distroless<br>#40;Secure#41;"] E --> H["⚡ Scratch<br>#40;Minimal#41;"] E --> I["📦 Official<br>#40;Standard#41;"]
Quick Summary
- Inspect images to understand what’s inside
- Optimize by removing unnecessary files and using multi-stage builds
- Cache layers by ordering Dockerfile commands smartly
- Choose the right base for your needs
- Trust official images from verified sources
- Go Alpine for small images with shell access
- Use Scratch/Distroless for maximum security and minimum size
Remember This!
“A Docker image is like a backpack. Pack only what you need, and you’ll travel fast and light!” 🎒
You’re now ready to build lean, secure Docker images like a pro!