docker-layer-diff

Free Docker Dev Tool

Docker Layer Diff — Dockerfile Layer Analyzer

Paste one or two Dockerfiles to analyze layers by instruction, compare builds side-by-side, detect cache invalidation points, and find optimization opportunities.

Layer analysis Diff comparison Cache detection Optimization tips Free · No login
// Paste Dockerfile
// Layer breakdown
Paste a Dockerfile and click
Analyze Layers
// Dockerfile A (original)
// Dockerfile B (modified)
// Layer diff results
Paste two Dockerfiles and click
Compare Layers
// How Docker layers work

Docker Diff Layers — What Every Developer Should Know

Every instruction in a Dockerfile that modifies the filesystem creates a new read-only layer. FROM imports base layers. RUN, COPY, and ADD create new layers with filesystem changes. ENV, LABEL, EXPOSE, and CMD add metadata without creating filesystem layers.

Understanding the layer structure is critical for two reasons: build cache efficiency and image size optimization. Layers are cached by Docker — if a layer and all its ancestors are unchanged, Docker reuses the cached layer instead of rebuilding. Any change to a layer invalidates all subsequent layers.

// Optimization patterns

Common Docker Layer Diff Issues and Fixes

COPY before package install invalidates cache on every source change
The most common Dockerfile mistake: COPY . . before RUN npm install or RUN pip install. Any source file change invalidates the COPY layer and forces a full reinstall. Fix: copy only the dependency manifest first (COPY package.json .), run install, then copy source. This way source changes only rebuild the final COPY layer.

Multiple RUN commands vs chained commands
Each RUN instruction creates a separate layer. RUN apt-get update followed by RUN apt-get install creates two layers — and the update layer may be stale by the time the install runs. Combine: RUN apt-get update && apt-get install -y pkg && rm -rf /var/lib/apt/lists/*. The cleanup in the same layer actually reduces the final image size.

Secrets and credentials in layers
Any secret passed via ENV MY_SECRET=value or copied via COPY .env . is permanently in the image layer history — even if a later layer deletes it. Use Docker BuildKit secrets (RUN --mount=type=secret) or multi-stage builds to prevent credentials from appearing in any layer.

Large base images vs slim/alpine variants
The FROM node:18 image is ~950MB. FROM node:18-slim is ~240MB. FROM node:18-alpine is ~100MB. Switching base image shows up as a complete layer rebuild in the diff. For production images, alpine variants reduce attack surface and pull time significantly — check compatibility with native dependencies first.

// FAQ

Frequently Asked Questions

Docker diff layers refers to analyzing and comparing the filesystem layers that make up a Docker image. Each Dockerfile instruction that writes to the filesystem creates a new layer. Diffing layers between two image versions shows what changed, which instructions were added or modified, and which cached layers are shared.
Docker caches each layer by its content and the instruction that created it. If a layer is unchanged from the previous build, Docker reuses the cached version. Cache is invalidated top-down: if layer 3 changes, layers 4, 5, 6... are all rebuilt regardless of whether they changed. This is why instruction order in Dockerfiles matters — put frequently changing instructions last.
docker container diff shows filesystem changes in a running container compared to its image: A (Added), C (Changed), D (Deleted) files. It compares the container writable layer against the read-only image layers. This is different from image layer diff, which compares build layers between two images.
Each RUN, COPY, and ADD instruction adds to the image even if it also deletes files. A RUN apt-get install followed by RUN rm -rf /var/lib/apt/lists creates two layers — the second layer adds the deletion but the first layer's files are still in the image. Fix: combine cleanup in the same RUN instruction. Also audit large layers with docker history and use multi-stage builds to discard build-time dependencies.