Docker Commit

When building Docker images, we sometimes need files that exist only to install packages inside the container. For example, building a Red Hat image requires redhat.repo, entitlement/ and rpm-gpg/ for package installation.

But we don't want to use the COPY instruction in the Dockerfile to copy them into the image: docker build stores them in a layer, which is not safe. The solution is to mount these files with docker run, install the packages, and then commit the container; docker commit does not include any data from volumes mounted inside the container.

For example:

## mount redhat repo and keys, install packages
docker run --detach \
--name=serviceosbase \
--user 0 \
-v /etc/yum.repos.d/redhat.repo:/etc/yum.repos.d/redhat.repo \
-v /etc/pki/rpm-gpg:/etc/pki/rpm-gpg \
-v /etc/pki/entitlement:/etc/pki/entitlement \
--entrypoint=/bin/sh \
${DOCKER_IMAGE_TAG}:1 \
-c 'tail -f /dev/null'

# the trailing backslashes keep the quoted command on one logical line
docker exec serviceosbase /bin/sh -c "yum install -y glibc glibc-common systemd \
systemd-libs openssl-libs && yum update -y && rm -rf /var/tmp/yum-* && yum \
makecache fast"

docker commit serviceosbase ${DOCKER_IMAGE_TAG}:1

You can check the layers with the docker history <image> command:

IMAGE               CREATED              CREATED BY                                      SIZE                COMMENT
1f6e112efb83        About a minute ago   /bin/sh -c #(nop) ENV LANG=en_US.UTF-8 LANGU    0 B
6060bfb14056        About a minute ago   /bin/sh -c rm /etc/yum.repos.d/ubi.repo &&      10.83 MB
543fa76542de        2 minutes ago        /bin/sh -c #(nop) MAINTAINER XXX                0 B
6558c4297a5d        2 minutes ago        /bin/sh -c #(nop) LABEL name=IIS Services ve    0 B
6fecccc91c83        5 weeks ago                                                          7.06 kB
<missing>           5 weeks ago                                                          204.8 MB            Imported from -

Compared with the Dockerfile approach, no layer holds the mounted data after the commit.
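docker history shows only layer sizes and commands, not file contents. The script below is an added example, not part of the original post: it scans the layer tarballs of an image unpacked from docker save and reports any non-empty file at the paths mounted above. The function names, the img scratch directory and the sample data are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: scan the layer tarballs of a saved image for host-only files.
# Real use (assumed workflow; "img" is a scratch directory):
#   mkdir img && docker save "${DOCKER_IMAGE_TAG}:1" | tar -xf - -C img
#   is_clean img || scan_layers img

# Paths the page mounts at run time. rpm-gpg is left out: it holds public keys.
SENSITIVE_RE='^(\./)?etc/(pki/entitlement/.+|yum\.repos\.d/redhat\.repo)$'

# Print "layer<TAB>path<TAB>bytes" for each non-empty sensitive file found in
# any file under $1 that tar can read (other files, e.g. JSON, are skipped).
scan_layers() {
  find "$1" -type f | sort | while IFS= read -r layer; do
    tar -tf "$layer" >/dev/null 2>&1 || continue
    tar -tf "$layer" | grep -E "$SENSITIVE_RE" | while IFS= read -r entry; do
      case $entry in */) continue ;; esac   # directories carry no data
      size=$(tar -xOf "$layer" "$entry" | wc -c | tr -d ' ')
      if [ "$size" -gt 0 ]; then
        printf '%s\t%s\t%s\n' "${layer#"$1"/}" "$entry" "$size"
      fi
    done
  done
}

# Succeeds only when no layer carries content at a sensitive path.
is_clean() { [ -z "$(scan_layers "$1")" ]; }

# Constructed sample: $1/committed mimics a commit after bind mounts (mount
# points present but empty); $1/copied mimics a layer written by COPY.
make_sample() {
  tmp=$(mktemp -d)
  mkdir -p "$1/committed" "$1/copied" "$tmp/a/etc/pki/entitlement" \
    "$tmp/a/etc/yum.repos.d" "$tmp/b/etc/pki/entitlement"
  : > "$tmp/a/etc/yum.repos.d/redhat.repo"
  echo 'CONSTRUCTED-NOT-A-KEY' > "$tmp/b/etc/pki/entitlement/0000-key.pem"
  tar -cf "$1/committed/layer.tar" -C "$tmp/a" etc
  tar -cf "$1/copied/layer.tar" -C "$tmp/b" etc
  rm -rf "$tmp"
}
```

Because every layer is scanned, a file that was copied in and deleted by a later Dockerfile step is still reported.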