使用面向对象编程的类比，Docker镜像和Docker容器之间的区别就像类和对象之间的区别一样。对象是类的运行时实例。类似地，容器是映像的运行时实例。

对象在实例化时只创建一次。类似地，容器可以运行也可以停止。容器是根据映像创建的，尽管情况可能并不总是如此。下面的例子创建一个Apache服务器镜像，运行镜像，列出镜像，然后列出容器:

创建一个Dockerfile，内容如下: 从httpd: 2.4 安装Apache服务器 Sudo docker build -t my-apache2。 运行映像 Sudo docker运行-it——rm——命名my-running-app my-apache2 列出Docker映像 Sudo docker图像 列出正在运行的Docker容器 码头工人ps 列出所有容器 Docker ps a 列出最新创建的容器 Docker ps -l

映像是根文件系统更改和容器运行时中使用的相应执行参数的有序集合。映像是只读的。

https://docs.docker.com/glossary/?term=image

容器是映像的活动(退出时为非活动)状态实例化。

https://docs.docker.com/glossary/?term=container

映像是活动容器的冻结的不可变快照。容器是正在运行(或已停止)某个映像的实例。

从名为“ubuntu”的基本图像开始。让我们在ubuntu映像中交互式地运行bash并创建一个文件。我们将使用-i和-t标志来提供一个交互式bash shell。

$ docker run -i -t ubuntu  /bin/bash
root@48cff2e9be75:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@48cff2e9be75:/# cat > foo
This is a really important file!!!!
root@48cff2e9be75:/# exit

退出并重新启动映像时，不要期望该文件仍然存在。您将从与之前开始时完全相同的定义状态重新开始，而不是从您离开的地方重新开始。

$ docker run -i -t ubuntu  /bin/bash
root@abf181be4379:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@abf181be4379:/# exit

但是，容器现在不再运行，它有状态，可以保存(提交)到一个映像。

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                CREATED              STATUS                          PORTS                      NAMES
abf181be4379        ubuntu:14.04        /bin/bash              17 seconds ago       Exited (0) 12 seconds ago                                  elegant_ardinghelli    
48cff2e9be75        ubuntu:14.04        /bin/bash              About a minute ago   Exited (0) 50 seconds ago                                  determined_pare        
...

让我们从创建文件的容器ID为48cff2e9be75中创建一个图像:

$ docker commit 48cff2e9be75 ubuntu-foo
d0e4ae9a911d0243e95556e229c8e0873b623eeed4c7816268db090dfdd149c2

现在，我们有了一个非常重要的文件的新图像:

$ docker run ubuntu-foo /bin/cat foo
This is a really important file!!!!

尝试命令docker映像。你应该会看到你的新映像ubuntu-foo与我们开始时的ubuntu标准映像一起列出。

容器是基于图像的。需要将图像传递给Dockers run命令。

例子:

BusyBox映像

http://i.stack.imgur.com/eK9dC.png

这里我们指定一个名为busybox的映像。Docker在本地没有这个映像，而是从公共注册表中获取它。

注册表是Docker镜像的目录，Docker客户端可以与之通信并从中下载镜像。一旦图像被拉出，Docker启动一个容器并执行echo hello world命令。

映像基本上是用于创建容器的不可变模板。通过考虑将图像转换为容器所发生的变化，可以更容易地理解图像和容器之间的区别。

The Docker engine takes the image and adds a read-write filesystem on top, then initialises various settings. These settings include network options (IP, port, etc.), name, ID, and any resource limits (CPU, memory). If the Docker engine has been asked to run the container it will also initialise a process inside it. A container can be stopped and restarted, in which case it will retain all settings and filesystem changes (but will lose anything in memory and all processes will be restarted). For this reason a stopped or exited container is not the same as an image.

映像:运行容器所需的文件系统和元数据。它们可以被认为是一种应用程序打包格式，其中包括运行应用程序的所有依赖项，以及执行该应用程序的默认设置。元数据包括要运行的命令的默认值、环境变量、标签和healthcheck命令。

容器:孤立应用程序的实例。容器需要映像来定义其初始状态，并使用映像中的只读文件系统以及容器特定的读写文件系统。正在运行的容器是正在运行的进程的包装器，为文件系统、网络和pid等提供进程名称空间。

当您执行docker run命令时，您在命令行上提供一个映像以及任何配置，docker根据您提供的映像定义和配置返回一个容器。

References: to the docker engine, an image is just an image id. This is a unique immutable hash. A change to an image results in creating a new image id. However, you can have one or more references pointing to an image id, not unlike symbolic links. And these references can be updated to point to new image id's. Note that when you create a container, docker will resolve that reference at the time of container creation, so you cannot update the image of a running container. Instead, you create a new image, and create a new container based on that new image.

Layers: Digging a bit deeper, you have filesystem layers. Docker assembles images with a layered filesystem. Each layer is a read-only set of changes to the filesystem, and that layer is represented by a unique hash. Using these read-only layers, multiple images may extend another, and only the differences between those images need to be stored or transmitted over the network. When a Docker container is run, it receives a container specific read-write filesystem layer unique to that container, and all of the image layers are assembled with that using a union filesystem. A read is processed through each layer until the file is found, a deletion is found, or the file is not found in the bottom layer. A write performs a copy-on-write from the image read-only layer to the container specific read-write layer. And a deletion is recorded as a change to the container specific read-write layer. A common step in building images is to run a command in a temporary container based off the previous image filesystem state and save the resulting container specific layer as a layer in the new image.