Debugging Docker image sizes - how to inspect them with dive

Have you ever wondered why your Docker images are so large, and how you can drill down into the layers one by one? Well, you can.

Introducing Dive

dive is a cool command-line tool for inspecting your Docker images one layer at a time.

A tool for exploring a Docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image.

Wait, isn't Dive abandoned?

dive was last updated in February 2024, and since then a number of quality-of-life issues have popped up that are yet to be merged. Since then a fork has emerged, https://github.com/joschi/dive, which I now use regularly.

Running dive on an image

This is simple, and can be run with docker (meta):

docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/joschi/dive <registry>/<repo>@sha256:<hash>

Example report

Here is a real-life Docker image that came in at 1.3GB, which is on the high side of things. Scrolling through the layers, I find this one, which contributes 560MB all by itself.

Example dive report, focusing on a single layer that is 560MB

The cause jumps out and smacks you in the face: the layer is copying the entire git repo into the image (see the right-hand panel; green indicates a file was added in this layer). This folder is never really needed in a Docker image, and should not be copied if possible. Finding the offending line in the Dockerfile:

# Copy the rest of the application code
COPY . /app

So the fix here is to use .dockerignore and add .git as a line in that file. Simple.

The use of .dockerignore is covered in more detail in my other blog post that deals with making best practice docker images.
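To confirm after a rebuild that no layer still carries .git content, the check below scans a `docker save` archive layer by layer and totals the bytes found under any .git directory. It is an added example, not code from the original post or from dive; it assumes the archive contains a manifest.json with a "Layers" list, and the function names and the in-memory sample image are constructed for illustration.

```python
import io
import json
import tarfile


def git_bytes_per_layer(image_tar):
    """Map each layer of a `docker save` archive to the bytes it adds under .git/."""
    report = {}
    with tarfile.open(fileobj=image_tar) as image:
        # Assumption: manifest.json lists the layer tarballs in build order.
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            with tarfile.open(fileobj=image.extractfile(layer_path)) as layer:
                report[layer_path] = sum(
                    m.size for m in layer
                    if m.isfile() and ".git" in m.name.split("/")
                )
    return report


def _tar_bytes(files):
    """Build an in-memory tar from {name: content} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed sample: two layers, the second one produced by `COPY . /app`."""
    base = _tar_bytes({"etc/os-release": b"ID=sample\n"})
    copy = _tar_bytes({
        "app/main.py": b"print('hi')\n",
        "app/.git/config": b"[core]\n",
        "app/.git/objects/pack/pack-sample.pack": b"\0" * 4096,
    })
    manifest = json.dumps([{"Layers": ["base/layer.tar", "copy/layer.tar"]}]).encode()
    return io.BytesIO(_tar_bytes({
        "manifest.json": manifest,
        "base/layer.tar": base,
        "copy/layer.tar": copy,
    }))


if __name__ == "__main__":
    for layer, size in git_bytes_per_layer(build_sample_image()).items():
        print(f"{layer}: {size} bytes under .git/")
```

Against a real image, pass an open binary file handle for the output of `docker save` instead of the constructed sample; any layer with a non-zero count is still shipping repository history.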