Key Points

Images follow the OCI (Open Container Initiative) standard — this ensures Docker images are portable and compatible with other container engines.

Images are built from layers. Each instruction in a Dockerfile becomes one layer. These layers are combined using the Union File System.

Image layers are immutable (read-only) when the image is running as a container. A separate writable layer is added on top to allow in-container changes.

Changes made by a running container are written to the writable layer only; they do not affect the base image.

Layers are stored and managed independently. The same layer can be reused by multiple images, saving storage space and speeding up pulls/pushes.

When pulling a new image, only missing layers need to be downloaded. When pushing, only new layers need to be uploaded.

Common base images: Ubuntu (broad package support), Alpine (minimal and secure), Busybox (minimal with tools), RedHat UBI (enterprise), Amazon Linux (AWS-optimised).