Docker Concepts & Architecture

Difficulty: easy

Overview

Docker is an open-source platform for building, shipping, and running applications in containers.

Containers vs Virtual Machines:

Feature	Container	Virtual Machine
OS	Shares host kernel	Full guest OS per VM
Startup	Milliseconds	Minutes
Size	MBs	GBs
Isolation	Process-level (namespaces)	Hardware-level (hypervisor)
Density	100s per host	10s per host

Docker Architecture (Client-Server):

Docker Client (docker): CLI that sends commands to the daemon via REST API over a Unix socket or TCP.
Docker Daemon (dockerd): Background service that manages images, containers, networks, and volumes.
containerd: Container runtime that manages the complete container lifecycle (pull, create, start, stop).
runc: Low-level OCI-compliant runtime that creates and runs containers using Linux namespaces and cgroups.
Docker Registry: Storage and distribution for Docker images (e.g., Docker Hub, private registries).

Isolation Mechanisms:

Namespaces: Provide isolation — pid, net, mnt, uts, ipc, user namespaces keep containers separate.
cgroups (Control Groups): Limit and measure CPU, memory, disk I/O, and network usage per container.

Docker Machine:
Tool to provision Docker hosts on VMs (VirtualBox), cloud providers (AWS, GCP), or bare metal. Largely superseded by Docker Desktop and cloud-native tooling.

Docker Socket:
The daemon listens on /var/run/docker.sock by default. Mounting it into a container grants root-equivalent host access — a critical security consideration.