Chapter 7. Downloading Squashed Docker Images

Docker images are composed of image layers which include all of the intermediary data used to reach their current state. When iterating on a solution locally on a developer’s machine, layers provide an efficient workflow.

There are scenarios, however, in which the layers cease to be efficient. For example, when deploying software to an ephemeral machine, that machine doesn’t care about the whole layer history, it just needs the end state of the image. This is why Quay.io supports Squashed Images.

7.1. Downloading a Squashed Image

To download a squashed image:

  1. Navigate to the Tags tab of a Quay Repository View (https://quay.io/repository/YOURORG/YOURREPO?tab=tags).
  2. On the left side of the table, click on the Fetch Tag icon for the tag you want to download. A modal dialog appears with a dropdown for specifying the desired format of the download.
  3. Select Squashed Docker Image from the dropdown and then select a robot that has read permission to be able to pull the repository.
  4. Click on the Copy Command button and paste this command into the shell of the machine you want to download.

7.2. Caveats & Warnings

7.2.1. Prime the cache!

When the first pull of a squashed image occurs, the registry streams the image as it is being flattened in real time. Afterwards, the end result is cached and served directly. Thus, it is recommended to pull the first squashed image on a developer machine before deploying, so that all of the production machines can pull the cached result.

7.2.2. Isn’t piping curl insecure?

You may be familiar with installers that pipe curl into bash (curl website.com/installer | /bin/bash). These scripts are insecure because they allow arbitrary code execution. The Quay script to download squashed images uses curl to download a tarball that is streamed into docker load. This is just as secure as running docker pull because it never executes anything we’ve downloaded from the internet.

Additional resources