How to create new docker image based on existing image?
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
The normal way to create a new Docker image from an existing one is to write a Dockerfile that starts with FROM. That approach is reproducible, reviewable, and easy to rebuild in CI. Docker also offers docker commit, but that is usually for temporary snapshots rather than a maintainable build workflow.
Start with a Base Image
Every child image begins by selecting a parent image:
After that, each Dockerfile instruction creates a new filesystem layer or image metadata change on top of the base. A simple application image might look like this:
This is the standard pattern because anyone on the team can read it and rebuild the exact same image later.
Build and Test the Child Image
Once the Dockerfile exists, build it from the directory that contains the Dockerfile and your application files.
The first command produces the new image. The second confirms that the inherited environment plus your new layers actually start the way you expect.
If the base image already defines a command or entrypoint, inspect it before assuming your child image will behave the way you think:
That small check prevents a lot of startup confusion.
Build on Internal or Prebuilt Images
The parent does not have to be an official image from Docker Hub. Many organizations publish internal base images with security hardening, certificates, standard users, or runtime tools already installed.
This is often the preferred approach in production because platform teams can patch the base image separately while application teams focus on only the top layer.
Keep the Build Context Small
When you create a child image, everything in the build context is potentially sent to the Docker daemon. That affects build speed and can accidentally leak files into the image. Use .dockerignore to exclude junk and local artifacts.
This matters for performance, but it also matters for security and repeatability.
Use docker commit Only for Exceptional Cases
You can snapshot a modified container into a new image:
That can be useful when:
- you are preserving a debugging environment
- you need a quick emergency snapshot
- you are exploring changes interactively
But it is a poor long-term workflow because the steps that created the image are not encoded anywhere. A committed image is hard to review and hard to rebuild from scratch.
Consider Multi-Stage Builds
If the application needs build tools but the final runtime should stay small, multi-stage builds are often better than piling everything into one image.
This still creates a new image based on an existing image, but it avoids shipping compilers and build caches in the final runtime layer.
Tag and Publish Deliberately
If the new image will be deployed, tag it with something traceable instead of relying only on latest.
Clear tags make rollbacks and incident analysis much easier.
Common Pitfalls
- Using
docker commitas the primary build process instead of a Dockerfile. - Choosing a base image that is much larger than the runtime actually needs.
- Copying the entire repository into the image without
.dockerignore. - Forgetting to verify inherited
CMDorENTRYPOINT. - Publishing only
latestand losing a clear link between source and artifact.
Summary
- Use
FROMin a Dockerfile to create a child image from an existing image. - Build and test the new image instead of assuming the inherited behavior is correct.
- Internal base images are common and often preferable in production environments.
- Use
.dockerignoreand multi-stage builds to keep the final image lean. - Reserve
docker commitfor temporary snapshots, not the normal delivery workflow.
