Essential Docker Commands and Architecture: From Basics to Containers

Common Docker Commands

The following commands cover the most frequently used Docker operations:

docker images</code>
<code>docker search imagename</code>
<code>docker pull imagename:tag</code>
<code>docker rmi id/name</code>
<code>docker ps</code>
<code>docker run -it -p port1:port2 image</code>
<code>docker exec -it containername</code>
<code>docker stop containername</code>
<code>docker start containername</code>
<code>docker cp file containername:dir</code>
<code>docker cp containername:dir file</code>
<code>docker inspect containername</code>
<code>docker rm containername</code>
<code>docker volume ls</code>
<code>docker save -o image</code>
<code>docker load xx.tar.gz

Docker vs. Traditional Virtual Machines

Docker was created to address development‑and‑operations challenges such as environment inconsistency, complex setup, and resource inefficiency. Unlike heavyweight VMs, Docker containers share the host kernel, start in seconds, and consume far fewer resources.

Containers have fewer abstraction layers, making them lightweight and low‑cost.

Containers use the host kernel, while KVM requires a full guest OS, leading to larger disk usage (GB vs. MB).

Startup time: containers launch in seconds; KVM VMs take minutes.

Both Docker and KVM provide isolation, but Docker achieves it at the kernel level without needing dedicated hardware support.

Docker Technical Foundations

Docker relies on three Linux kernel features: namespaces, control groups (cgroups), and a union file system (UFS). These components together provide process isolation, resource limiting, and layered file system capabilities.

Namespaces

Namespaces isolate system resources such as process IDs, network interfaces, mount points, and IPC mechanisms. Each container gets its own set of namespaces, ensuring that processes inside one container cannot see or affect those in another or on the host.

CLONE_NEWCGROUP – isolates cgroup hierarchy.

CLONE_NEWIPC – provides a private IPC namespace.

CLONE_NEWNET – gives each container its own network stack.

CLONE_NEWPID – separate PID space.

CLONE_NEWUSER – independent user and group IDs.

CLONE_NEWUTS – separate hostname and domain name.

Docker creates these namespaces when a container is started (e.g., via docker run or docker start), and it also configures networking modes (host, container, none, bridge). The default bridge mode creates a virtual bridge docker0, assigns each container an IP address, and sets up iptables rules for traffic forwarding.

Cgroups

Cgroups enforce limits on physical resources such as CPU, memory, and I/O. Each cgroup is a hierarchy of processes with shared constraints, managed through the cgroupfs filesystem under /sys/fs/cgroup. Typical cgroup workflow:

Create a cgroup hierarchy.

Add processes to the cgroup (by writing PIDs to tasks).

Set resource limits (e.g., cpu.max, memory.limit_in_bytes).

Monitor usage via cgroup statistics files.

Union File System (UFS)

UFS merges multiple layers—read‑only image layers and a writable layer—into a single virtual filesystem. In Docker, each image consists of a stack of read‑only layers; when a container runs, Docker adds a writable layer on top. This design enables efficient image reuse and fast container startup.

Key layers:

Read‑only layer: provided by the Docker image.

Writable layer: created for each running container.

Combined (union) layer: presents a unified view to the container.

Docker images are essentially compressed archives of these layered filesystems, built incrementally from a Dockerfile where each instruction adds a new read‑only layer.

Summary

Docker combines a client‑server architecture, lightweight container isolation via namespaces, resource control through cgroups, and a layered union file system to provide fast, portable, and reproducible environments that bridge the gap between development and production.