Image vs Container

Mental model

Image = class definition. Container = object instance.

What it looks like

"docker run nginx" feels like one thing. In reality it uses an image to create a container, and those are distinct objects.

What it really is

Image: a read-only layered filesystem plus metadata. Built from a Dockerfile where each instruction creates an immutable layer. Identified by a content-addressable hash (image ID).

Container: a running (or stopped) instance of an image. Gets a thin writable layer on top of the image layers. Has its own namespaces, cgroups, and network stack.

Why it seems confusing

  • docker image and docker container commands overlap in everyday use.
  • Stopped containers still exist (visible in docker ps -a) even though nothing is running.
  • Tags look immutable but are mutable pointers to image IDs, like git branch names.

What actually matters

  • docker build creates an image. docker run creates a container from an image.
  • Layers are shared across images. Only the container layer is writable.
  • Image ID = content hash of config. Tags are mutable aliases. latest can point to anything at any time.

Common mistakes

  • Treating tags as immutable. Running latest in production means deploying a moving target.
  • Forgetting stopped containers consume disk. Clean up with docker container prune.
  • Confusing "no running containers" with "no containers exist."

Small examples

# List images vs running containers
docker images
docker ps

# Multiple containers from one image
docker run -d --name app1 nginx
docker run -d --name app2 nginx

# Layers are content-addressed: a pull downloads only the layers not already stored locally
docker pull nginx:1.25
docker pull nginx:1.25-alpine  # any layer it shares with an image already present is reused
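
Because tags are mutable pointers, a deployment review usually wants to know which image references can change underneath it. The script below is an added example, not part of the original page: it classifies references and treats only the name@sha256:<digest> form as immutable. The function names classify_ref and audit_refs and the sample references are made up for this example, and the digest is a placeholder.

```shell
#!/bin/sh
# Added example: classify image references by how mutable they are.
# classify_ref and audit_refs are hypothetical names for this sketch.

# Print one of: digest-pinned, latest-tag, mutable-tag, implicit-latest
classify_ref() {
    ref=$1
    case $ref in
        *@sha256:*) echo digest-pinned; return ;;
    esac
    # A colon before the last "/" is a registry port, not a tag,
    # so only the final path component is checked for a tag.
    name=${ref##*/}
    case $name in
        *:latest) echo latest-tag ;;
        *:*)      echo mutable-tag ;;
        *)        echo implicit-latest ;;   # no tag means latest
    esac
}

# Read image references on stdin, one per line. Print a verdict for each
# and return non-zero if any reference is not pinned by digest.
audit_refs() {
    rc=0
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        verdict=$(classify_ref "$ref")
        printf '%-16s %s\n' "$verdict" "$ref"
        [ "$verdict" = digest-pinned ] || rc=1
    done
    return $rc
}

# Constructed sample input; the digest is a placeholder, not a real image.
SAMPLE_REFS='nginx
nginx:latest
nginx:1.25
localhost:5000/nginx
nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000'

printf '%s\n' "$SAMPLE_REFS" | audit_refs || echo "unpinned references found"
```

Feed it the image references extracted from Dockerfiles or deployment manifests; the non-zero return from audit_refs can fail a CI step.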

One-line summary

An image is a read-only layered template; a container is a running (or stopped) instance of that image with a writable layer.