what's in a container image

the new age of fat binaries...


what's in a container image

the new age of fat binaries...

container image

These days there are 2 main types of container images floating around, docker images and oci images. Most tools understand both and they're pretty similar.


crane is an amazing tool for manipulating container images, allowing you to inspect / manipulate / move images with minimal overhead.

ls and cp

These 2 are the my most used commands:


crane pull your.registry/image:tag output.tar pulls an image. Expanding the archive you'll find something along the lines of:


crane export your.registry/image:tag output.tar creates a tar of the final image filesystem. No metadata in here.

append and mutate

This presents us with the interesting possibility of building a minimal image with just crane:

$ CGO_ENABLED=0 go build -o app
$ tar cf app.tar app
$ crane append -b gcr.io/distroless/static -f app.tar -t index.docker.io/seankhliao/gcrane-test:tmp
$ crane mutate index.docker.io/seankhliao/gcrane-test:tmp --entrypoint /app -t index.docker.io/seankhliao/gcrane-test:out

This does have some unfortunate inefficiencies: crane primarily operates on images from remote registries, so the base and intermediate images both need to come from / write to a registry.


dive is the go to tool for exploring what's in the image at the different layers in a terminal ui. Use it.