Skip to main content

Container Image

A container image is an immutable, layered, read-only template that packages an application and its dependencies for creating running containers.

A container image is an immutable, read-only package that contains everything needed to run an application: code, runtime, system libraries, and configuration. Containers are created from images at runtime; the image itself never changes.

How It Works

An image is built from a sequence of layers, each representing a filesystem change. Layers are typically defined by instructions in a build file (such as a Dockerfile) and stacked using a union filesystem. Because layers are content-addressed and cached, builds and pulls are fast: only changed layers are rebuilt or transferred.

An image also carries a manifest and a configuration document describing its layers, entrypoint, environment variables, and target architecture. Images are identified by a name and tag (for example app:1.2.0) and, more reliably, by a content digest (a SHA-256 hash). The OCI image specification standardizes this format so images are interoperable across tools.

Why It Matters

Immutability and layering make images reproducible and efficient to distribute. The same image runs identically everywhere, which is central to reliable deployments and rollbacks. Shared base layers reduce storage and bandwidth across many images.

Images are also a key security surface. They can embed vulnerable packages or secrets, so teams scan images, pin digests, and rebuild on a regular cadence. Minimal or distroless base images shrink the attack surface.

Related Terms

Images are stored and distributed through a container registry, instantiated as a container by a container runtime, and standardized by the OCI image specification.