在Docker中，一切都从图像开始。映像是构成操作系统所需的所有文件。传统上，您需要为每个应用程序安装一个完整的操作系统。使用Docker，你可以把它配对，这样你就有一个小容器，里面有足够的操作系统来做你需要做的事情，你可以在一台计算机上高效地拥有很多很多这样的容器。

使用docker images查看已安装的映像，使用docker ps查看正在运行的映像。 当你输入docker run时，它会获取映像，并使其成为一个带有运行进程的活容器。我倾向于使用:

Docker运行-ti <image>:<tag> bash

最后，图像有它们自己的id集，容器也有它们自己的id集——它们不重叠。

容器是基于图像的。需要将图像传递给Dockers run命令。

例子:

BusyBox映像

http://i.stack.imgur.com/eK9dC.png

这里我们指定一个名为busybox的映像。Docker在本地没有这个映像，而是从公共注册表中获取它。

注册表是Docker镜像的目录，Docker客户端可以与之通信并从中下载镜像。一旦图像被拉出，Docker启动一个容器并执行echo hello world命令。

The official difference is that the container is the last layer which is writable whereas the layers below are only readable and they belong to your image. The intuitive difference is that the docker instance is the instance virtualized by your docker daemon and the running your image, it operates within an isolated section of your kernel (this process is hidden from you). The image however is static, it doesn't run, it is just a pile of layers (static files). If we would relate this paradigm to object-oriented programming, the image is your class definition, whereas your docker instance is your class spawned object that resides in memory.

我写了一个教程来加强你的docker知识直觉:

http://javagoogleappspot.blogspot.com/2018/07/docker-basics.html

映像是活动容器的冻结的不可变快照。容器是正在运行(或已停止)某个映像的实例。

从名为“ubuntu”的基本图像开始。让我们在ubuntu映像中交互式地运行bash并创建一个文件。我们将使用-i和-t标志来提供一个交互式bash shell。

$ docker run -i -t ubuntu  /bin/bash
root@48cff2e9be75:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@48cff2e9be75:/# cat > foo
This is a really important file!!!!
root@48cff2e9be75:/# exit

退出并重新启动映像时，不要期望该文件仍然存在。您将从与之前开始时完全相同的定义状态重新开始，而不是从您离开的地方重新开始。

$ docker run -i -t ubuntu  /bin/bash
root@abf181be4379:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@abf181be4379:/# exit

但是，容器现在不再运行，它有状态，可以保存(提交)到一个映像。

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                CREATED              STATUS                          PORTS                      NAMES
abf181be4379        ubuntu:14.04        /bin/bash              17 seconds ago       Exited (0) 12 seconds ago                                  elegant_ardinghelli    
48cff2e9be75        ubuntu:14.04        /bin/bash              About a minute ago   Exited (0) 50 seconds ago                                  determined_pare        
...

让我们从创建文件的容器ID为48cff2e9be75中创建一个图像:

$ docker commit 48cff2e9be75 ubuntu-foo
d0e4ae9a911d0243e95556e229c8e0873b623eeed4c7816268db090dfdd149c2

现在，我们有了一个非常重要的文件的新图像:

$ docker run ubuntu-foo /bin/cat foo
This is a really important file!!!!

尝试命令docker映像。你应该会看到你的新映像ubuntu-foo与我们开始时的ubuntu标准映像一起列出。

映像:运行容器所需的文件系统和元数据。它们可以被认为是一种应用程序打包格式，其中包括运行应用程序的所有依赖项，以及执行该应用程序的默认设置。元数据包括要运行的命令的默认值、环境变量、标签和healthcheck命令。

容器:孤立应用程序的实例。容器需要映像来定义其初始状态，并使用映像中的只读文件系统以及容器特定的读写文件系统。正在运行的容器是正在运行的进程的包装器，为文件系统、网络和pid等提供进程名称空间。

当您执行docker run命令时，您在命令行上提供一个映像以及任何配置，docker根据您提供的映像定义和配置返回一个容器。

References: to the docker engine, an image is just an image id. This is a unique immutable hash. A change to an image results in creating a new image id. However, you can have one or more references pointing to an image id, not unlike symbolic links. And these references can be updated to point to new image id's. Note that when you create a container, docker will resolve that reference at the time of container creation, so you cannot update the image of a running container. Instead, you create a new image, and create a new container based on that new image.

Layers: Digging a bit deeper, you have filesystem layers. Docker assembles images with a layered filesystem. Each layer is a read-only set of changes to the filesystem, and that layer is represented by a unique hash. Using these read-only layers, multiple images may extend another, and only the differences between those images need to be stored or transmitted over the network. When a Docker container is run, it receives a container specific read-write filesystem layer unique to that container, and all of the image layers are assembled with that using a union filesystem. A read is processed through each layer until the file is found, a deletion is found, or the file is not found in the bottom layer. A write performs a copy-on-write from the image read-only layer to the container specific read-write layer. And a deletion is recorded as a change to the container specific read-write layer. A common step in building images is to run a command in a temporary container based off the previous image filesystem state and save the resulting container specific layer as a layer in the new image.

DockerFile——(构建)——> DockerImage——(运行)——> DockerContainer

DockerFile是你或开发人员编写代码来做某事的文件(安装前)

Docker Image是你在构建Docker文件时得到的。

Docker容器是你运行Docker镜像时得到的

我们可以通过拖动Docker hub来获取Docker Image，然后运行它来获取container。