All Dockerfiles start from a base image.
A base is the image that your image extends.
It refers to the contents of the FROM
instruction in the Dockerfile.
FROM debian
For most cases, you don't need to create your own base image. Docker Hub contains a vast library of Docker images that are suitable for use as a base image in your build. Docker Official Images are specifically designed as a set of hardened, battle-tested images that support a wide variety of platforms, languages, and frameworks. There are also Docker Verified Publisher images, created by trusted publishing partners, verified by Docker.
Create a base image#
If you need to completely control the contents of your image, you can create
your own base image from a Linux distribution of your choosing, or use the
special FROM scratch
base:
FROM scratch
The scratch
image is typically used to create minimal images containing only
just what an application needs. See Create a minimal base image using scratch.
To create a distribution base image, you can use a root filesystem, packaged as
a tar
file, and import it to Docker with docker import
. The process for
creating your own base image depends on the Linux distribution you want to
package. See Create a full image using tar.
Create a minimal base image using scratch#
The reserved, minimal scratch
image serves as a starting point for
building containers. Using the scratch
image signals to the build process
that you want the next command in the Dockerfile
to be the first filesystem
layer in your image.
While scratch
appears in Docker's repository on Docker Hub,
you can't pull it, run it, or tag any image with the name scratch
.
Instead, you can refer to it in your Dockerfile
.
For example, to create a minimal container using scratch
:
# syntax=docker/dockerfile:1
FROM scratch
ADD hello /
CMD ["/hello"]
Assuming an executable binary named hello
exists at the root of the build context.
You can build this Docker image using the following docker build
command:
$ docker build --tag hello .
To run your new image, use the docker run
command:
$ docker run --rm hello
This example image can only successfully execute as long as the hello
binary
doesn't have any runtime dependencies. Computer programs tend to depend on
certain other programs or resources to exist in the runtime environment. For
example:
- Programming language runtimes
- Dynamically linked C libraries
- CA certificates
When building a base image, or any image, this is an important aspect to
consider. And this is why creating a base image using FROM scratch
can be
difficult, for anything other than small, simple programs. On the other hand,
it's also important to include only the things you need in your image, to
reduce the image size and attack surface.
Create a full image using tar#
In general, start with a working machine that is running the distribution you'd like to package as a base image, though that is not required for some tools like Debian's Debootstrap, which you can also use to build Ubuntu images.
For example, to create an Ubuntu base image:
$ sudo debootstrap focal focal > /dev/null
$ sudo tar -C focal -c . | docker import - focal
sha256:81ec9a55a92a5618161f68ae691d092bf14d700129093158297b3d01593f4ee3
$ docker run focal cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04 LTS"
There are more example scripts for creating base images in the Moby GitHub repository.
More resources#
For more information about building images and writing Dockerfiles, see: