Chapter 10. Downloading Squashed Docker Images

Docker images are composed of image layers which include all of the intermediary data used to reach their current state. When iterating on a solution locally on a developer’s machine, layers provide an efficient workflow.

There are scenarios, however, in which the layers cease to be efficient. For example, when deploying software to an ephemeral machine, that machine doesn’t care about the whole layer history, it just needs the end state of the image. This is why Quay.io supports Squashed Images.

10.1. Downloading a Squashed Image

To download a squashed image:

  1. Navigate to the Tags tab of a Quay Repository View. For an organization named abcsales and a repo named myweb, the URL would be https://quay.io/repository/abcsales/myweb?tab=tags) on Quay.io. For a Red Hat Quay registry, replace quay.io with your registry name.
  2. On the left side of the table, click on the Fetch Tag icon for the tag you want to download. A modal dialog appears with a dropdown for specifying the desired format of the download.
  3. Select Squashed Docker Image from the dropdown and then select a robot that has read permission to be able to pull the repository. Identify image to squash and download
  4. Click on the Copy Command button.
  5. Paste this command into a shell on the machine where you have a Docker service running.
  6. Type docker images to see that the image is loaded and read to use.

10.2. Caveats & Warnings

10.2.1. Prime the cache!

When the first pull of a squashed image occurs, the registry streams the image as it is being flattened in real time. Afterwards, the end result is cached and served directly. Thus, it is recommended to pull the first squashed image on a developer machine before deploying, so that all of the production machines can pull the cached result.

10.2.2. Isn’t piping curl insecure?

You may be familiar with installers that pipe curl into bash (curl website.com/installer | /bin/bash). These scripts are insecure because they allow arbitrary code execution. The Quay script to download squashed images uses curl to download a tarball that is streamed into docker load. This is just as secure as running docker pull because it never executes anything we’ve downloaded from the internet.

Additional resources