Developer Advocate @docker. Microsoft MVP. Pluralsight Author.
Posts my own.

  Docker on Windows
  My Pluralsight Courses
 
 Old blog 
 Speaking
 Books
 Courses

    Weekly Windows Dockerfile #8: The Container Filesystem

    There are 52 Dockerfiles in the source code for my book, Docker on Windows. Perfect for a year-long blog series.

    Each week I'll look at one Dockerfile in detail, showing you what it does and how it works. This is #8 in the series, looking at the filesystem in Docker containers.

    Container Filesystem

    I covered last week how Docker presents a virtual filesystem to containers. Inside a Windows container there's a single C drive, and processes inside the container can read and write any part of the filesystem, in line with the normal Windows access permissions for user accounts.

    The filesystem is actually composed from the read-only image layers, the writeable container layer and any volumes. But that's all transparent to the container. This week's Dockerfile is a simple exploration of how those layers interact.

    ch02-fs-1

    dockeronwindows/ch02-fs-1 is a very basic image which just writes one new file onto the base image. I'll be building on it next week, but for this week the focus is showing you where the files sit.

    The Dockerfile

    If you've been following the series, there's nothing new here:

    # escape=`
    FROM microsoft/nanoserver
    
    RUN md c:\data & `  
        echo 'from image 1' > c:\data\file1.txt
    
    • the app starts from Nano Server, because it doesn't use any features that require full Windows Server Core (see my post on How to Dockerize Windows apps for guidance on that choice)

    • the RUN instruction just creates a new directory and writes a file to that directory.

    The Docker Image

    It's a standard docker image build command to package the Dockerfile. You can also just run docker image pull dockeronwindows/ch02-fs-1 and download the public version of the image that's alrady up on Docker Hub.

    When the image is built, it will use the layer(s) of the Nano Server base image and then add one layer on top with the new file. You can see the image layers with docker image inspect, and you can see more detail with the Winspector tool.

    Winspector is an open-source app from Docker Captain Stefan Scherer. If you're interested in Docker on Windows, you should follow Stefan on Twitter, @stefscherer. And me, @EltonStoneman.

    Winspector looks inside Windows Docker images and tells you about the layers. Winspector ships as a Docker image itself, so to run the tool you run a task container, telling it the name of the image to inspect.

    Here's part of the output from running the tool to look at this week's image:

    docker run --rm stefanscherer/winspector dockeronwindows/ch02-fs-1  
    ...
    Sizes of layers:  
      sha256:...0277 - 252691002 byte
      sha256:...8ef - 80617684 byte
      sha256:...e81 - 127219 byte
    Total size (including Windows base layers): 333435905 byte  
    Application size (w/o Windows base layers): 127219 byte  
    

    This shows there are three layers in the image. Two of them form the Nano Server base image, and the last one is the app image layer. That layer is just 12KB, because it only has the new directory information and the new text file.

    The Container

    The layer information shows you how creating a new file in this image doesn't affect any of the content of the Nano Server image. Docker merges up all the layers when you run a container, so the content of the Nano Server layers and the app image layer all appear in the container's C drive.

    Running a container from this image you can see the new file:

    PS> docker container run dockeronwindows/ch02-fs-1 `  
        powershell cat c:\data\file1.txt
    'from image 1'  
    

    Of course that file isn't in the base image:

    PS> docker container run microsoft/nanoserver `  
        powershell cat c:\data\file1.txt
    cat : Cannot find path 'C:\data\file1.txt'...  
    

    And if you modify the file in one container:

    PS> docker container run dockeronwindows/ch02-fs-1 `  
        powershell "echo additional >> c:\data\file1.txt; cat C:\data\file1.txt"
    'from image 1'  
    additional  
    

    That only edits the file in that container's writeable layer. Run another container from the image and the contents return to the original state:

    PS> docker container run dockeronwindows/ch02-fs-1 `  
        powershell cat c:\data\file1.txt
    'from image 1'  
    

    Next Up

    Next week builds on this example with ch02-fs-2.

    That image uses this image as the base, showing that there's nothing special about base images - any image can be the base, and when you build on it you just add more layers.


    Share this article on
    Author image
    Written by Elton Stoneman
    Developer Advocate @docker | Microsoft MVP | Pluralsight Author