Essential Docker Commands and Architecture: From Basics to Advanced Concepts
This article introduces Docker's core architecture, common command-line tools, compares containers with traditional virtual machines, and explains the underlying Linux technologies—namespaces, cgroups, and union file systems—that enable lightweight, portable, and efficient containerization.
Docker Common Commands
docker images</code>
<code>docker search imagename</code>
<code>docker pull imagename:tag</code>
<code>docker rmi id/name</code>
<code>docker ps</code>
<code>docker run -it -p port1:port2 image</code>
<code>docker exec -it containername /bin/bash</code>
<code>docker stop containername</code>
<code>docker start containername</code>
<code>docker cp file containername:dir</code>
<code>docker cp containername:dir file</code>
<code>docker inspect containername</code>
<code>docker rm containername</code>
<code>docker volume ls</code>
<code>docker save -o image.tar image</code>
<code>docker load -i image.tar.gzDocker vs Virtual Machines
Docker was created to solve development and operations challenges by providing consistent environments across development, testing, and production.
Case one: When the MySQL version changes from 5.5 to 5.7, Docker can pull the new image in minutes, avoiding manual reinstallations.
Case two: Containers package applications and dependencies, making environment setup repeatable and portable.
Case three: Containers offer better security and speed, allowing thousands of isolated instances with minimal overhead.
Key differences between Docker and traditional VMs:
Docker has fewer abstraction layers, making it lighter and cheaper.
Docker shares the host kernel, while KVM requires a full guest OS, resulting in MB vs GB disk usage.
Docker starts in seconds; KVM takes minutes, providing higher performance and lower system overhead.
Docker Technical Foundations
Namespace
Namespaces provide kernel‑level resource isolation, giving each container its own view of processes, network interfaces, mount points, and IPC resources.
CLONE_NEWCGROUP
CLONE_NEWIPC – isolated inter‑process communication
CLONE_NEWNET – separate network stack
CLONE_NEWNS
CLONE_NEWPID – independent PID space
CLONE_NEWUSER – separate user and group IDs
CLONE_NEWUTS – independent hostname and domain name
Docker creates these namespaces when a container is started, ensuring complete isolation from the host and other containers.
Cgroup
Cgroups limit the physical resources (CPU, memory, I/O) that a container can consume.
Create a cgroup hierarchy.
Add processes to the cgroup by writing their PIDs to the tasks file.
Set resource limits, e.g., using cgroup/cpu files.
Monitor usage through the cgroup filesystem.
Union File System
The Union File System (UFS) merges multiple layers—read‑only image layers and a writable layer—into a single virtual filesystem, enabling Docker images to be built as stacked, immutable layers.
Read‑only layer: the base image containing OS files.
Writable layer: created for each container to store changes.
Combined layer: presents a unified view to the container.
Docker images are essentially compressed archives of these read‑only layers; when a container runs, Docker adds a writable layer on top, turning the image into a fully functional environment.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.