My understanding (based on other comments in the thread - I'm no Docker internals expert) is that it's about the size of Docker image files, which contain a tarball (or similar) of files that each layer adds or modifies on top of its base layer. There's no way for them to say "same as this other file, just with permissions changed". Which has always seemed to me like a bad design decision on Docker's part, because there's lots of room for deduplication within the images that just cannot be done due to the format they chose. Why not have the layers reference individual file by content hash + metadata? If there's a lot of small, unusual files, you could just bundle them with the image, sort of like how Git packs objects together for efficiency, but still retains the identity of each.