What is the scratch image?

I understand that the scratch image is a minimal Docker image used for creating base images. But, surely, just by copying a tar.xz file, the resulting image does not become runnable? E.g. the debian image

FROM scratch
ADD rootfs.tar.xz /
CMD ["bash"]

Also, compare this procedure with booting an ‘empty’ computer with a .iso image stored in a USB, DVD, HDD, etc. Even that empty computer has something (BIOS, etc.) such that an OS (in the form of an .iso) is installed for future run.

In the same manner, how is it that adding a tar.xz file results in a runnable container?

A Docker container is not a VM. Your comparison illustrates that you haven't got the idea of how containers work sorted out yet. A container “virtualizes on the application level” and uses the host's kernel. It's designed to start a single(!) process (which itself can technically spawn further sub processes).

The ADD directive extracts binaries and configuration files loosely into an image layer - it needs to include everything to satisfy all dependencies of the main process. Heck, if you create a binary where all dependencies are statically compiled into it, you would not even need an “os layer” (as an example take a look into the portainer image…).

The CMD directive declares what will be started in the container (though I doubt the $PATH variable is set and bash is actually found). This is the only process being started, nothing else (as in no os processes!).

The scratch image is empty :wink:

To expand on what @meyay is explaining, you need to understand the difference between ADD and COPY because the difference in behavior is what makes this work. Had the Dockerfile been:

FROM scratch
COPY rootfs.tar.xz /
CMD ["bash"]

It would not have worked. You would have had a file called rootfs.tar.xz placed in the root of the container and that would be it. But ADD has an additional behavior that you need to understand to see why this works. If ADD sees a compressed archive like a .zip file or .tgz or tar.xz file, it will expand it. In effect, that Dockerfile is really doing the same thing as this:

FROM scratch
COPY rootfs.tar.xz /
RUN tar -xf rootfs.tar.xz
CMD ["bash"]

This is the key as to why the original Dockerfile works. I’m guessing from the filename that rootfs.tar.xz is an entire Root Filesystem. So it starts with a scratch image, untars the root filesystem which results in a runnable image and then executes bash.

Understanding the difference between COPY and ADD and the fact that ADD has additional behavior that will process compressed archives is why this works.

~jr

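The ADD versus COPY difference discussed in this thread, modeled as an added example (not code from any poster or from Docker): it builds a small constructed archive in memory, derives the layer each instruction would leave behind, and checks whether `CMD ["bash"]` resolves to an executable in that layer. `DEFAULT_PATH`, the archive contents and all function names are assumptions made for illustration; only layer contents and command lookup are modeled, not the container runtime.

```python
import io, posixpath, tarfile
# Assumption: search path used when the image itself defines no PATH.
DEFAULT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Constructed stand-in for a root filesystem: merged-/usr layout with a fake bash.
ENTRIES = [("usr", tarfile.DIRTYPE, "", b""), ("usr/bin", tarfile.DIRTYPE, "", b""),
           ("bin", tarfile.SYMTYPE, "usr/bin", b""),
           ("usr/bin/bash", tarfile.REGTYPE, "", b"constructed placeholder, not a real binary")]

def build_rootfs_archive():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, kind, target, data in ENTRIES:
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.mode, info.size = kind, target, 0o755, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def layer_from_copy(archive, name="rootfs.tar.xz"):
    return {"/" + name: ("file", 0o644, None)}  # COPY: one opaque regular file in /

def layer_from_add(archive):
    """ADD of a local tar archive: its members become the layer's contents."""
    layer = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar:
            kind = "link" if m.issym() else "dir" if m.isdir() else "file"
            layer[posixpath.normpath("/" + m.name)] = (kind, m.mode, m.linkname or None)
    return layer

def resolve(layer, path, max_hops=16):
    """Walk path one component at a time, following symlinks inside the layer root only."""
    cur, parts = "/", [p for p in path.split("/") if p]
    while parts:
        nxt = posixpath.normpath(posixpath.join(cur, parts.pop(0)))
        entry = layer.get(nxt)
        if entry is None or max_hops < 0:
            return None
        if entry[0] == "link":  # absolute and ".." targets stay rooted at the layer's /
            target = posixpath.normpath(posixpath.join(cur, entry[2]))
            cur, parts, max_hops = "/", [p for p in target.split("/") if p] + parts, max_hops - 1
        else:
            cur = nxt
    return cur if cur in layer else None

def find_cmd(layer, argv0, path_env=DEFAULT_PATH):
    """Return the executable regular file that CMD's argv[0] resolves to, or None."""
    candidates = [argv0] if "/" in argv0 else [d + "/" + argv0 for d in path_env.split(":")]
    hits = (resolve(layer, c) for c in candidates)
    return next((r for r in hits if layer.get(r, ("",))[0] == "file" and layer[r][1] & 0o111), None)
```

With the COPY layer the lookup finds nothing, because the only entry is the archive itself; with the ADD layer `bash` resolves to `/usr/bin/bash`, directly or through the `/bin` symlink.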