Master Docker: Core Architecture, Technologies, and Runtime Explained
This article provides a comprehensive overview of Docker, covering its lightweight container-based virtualization, core advantages, client‑daemon‑registry architecture, underlying Linux namespace and cgroup mechanisms, UnionFS layering, and the complete lifecycle from image building to container execution and removal.
Docker Overview
Docker is a lightweight virtualization platform based on container technology, used to package, distribute, and run applications.
Core Advantages
Lightweight: fast startup and low resource consumption.
Consistency: identical environments from development to production.
Portability: build once, run anywhere.
Efficient deployment: supports CI/CD for rapid releases.
Docker Architecture
Docker follows a client‑server (C/S) model consisting of three main components:
Docker Client: the entry point for users, issuing commands via the CLI or API.
Docker Daemon (dockerd): the core service on the host that manages images, containers, networking, and storage.
Docker Registry: a repository for storing and distributing images, such as Docker Hub or private registries like Harbor.
Core Technologies
Docker relies on several Linux kernel features to provide isolation, resource control, and image layering.
Namespaces – Process Isolation
Namespaces give each container its own view of system resources, making processes invisible to each other.
PID: isolates process IDs, giving each container its own process tree.
NET: provides separate network interfaces, IP addresses, and routing.
MNT: isolates filesystem mounts, giving containers independent directory structures.
UTS: isolates hostname and domain name.
IPC: isolates inter‑process communication mechanisms.
USER: isolates user IDs, allowing different UID mappings inside containers.
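The isolation described above is only as good as the namespaces a container actually received: a container started with --pid=host, --net=host or --ipc=host shares that namespace with the host and has no boundary there. The following shell script is an added example (not code from the original article) that checks this from the host by comparing the namespace inodes under /proc/<pid>/ns with those of PID 1. It assumes a Linux /proc filesystem and permission to read the ns links of the inspected process (root for processes owned by other users); the container name and the docker inspect call in the usage comment are illustrative.

```shell
# Added example: audit which Linux namespaces a process shares with PID 1.
# Run on the host with the container's init PID, obtained via:
#   docker inspect -f '{{.State.Pid}}' <container>
# Assumes Linux /proc and permission to read /proc/<pid>/ns/* (root for
# other users' processes).

NS_TYPES="pid net mnt uts ipc user"

# ns_inode 'pid:[4026531836]' -> 4026531836  (pure string parsing of the
# readlink output; prints nothing if the text is not a namespace link)
ns_inode() {
    printf '%s\n' "$1" | sed -n 's/^[a-z_]*:\[\([0-9]*\)]$/\1/p'
}

# ns_id <pid> <type> -> namespace inode; fails if the link is unreadable
ns_id() {
    link=$(readlink "/proc/$1/ns/$2" 2>/dev/null) || return 1
    ns_inode "$link"
}

# ns_shared <pid_a> <pid_b> <type> -> prints shared | separate | unknown
ns_shared() {
    a=$(ns_id "$1" "$3") || { echo unknown; return 0; }
    b=$(ns_id "$2" "$3") || { echo unknown; return 0; }
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo shared
    else
        echo separate
    fi
}

# ns_audit <pid>: one line per namespace type, relative to PID 1 on the host
ns_audit() {
    pid=$1
    for t in $NS_TYPES; do
        printf '%-5s %s\n' "$t" "$(ns_shared "$pid" 1 "$t")"
    done
}

# Usage on the host (container name is a placeholder):
#   ns_audit "$(docker inspect -f '{{.State.Pid}}' mycontainer)"
# A normally isolated container prints "separate" for pid, net, mnt, uts and
# ipc; "user" reads "shared" unless user-namespace remapping is enabled.
```

Any "shared" result for pid, net or ipc means the container was launched with the corresponding --*=host option and should be treated as running with host-level visibility of that resource.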
Cgroups – Resource Control
Cgroups limit, isolate, and account for the CPU, memory, I/O, and other resources used by containers.
Example: restrict a container to 2 CPUs and 1 GB of memory.
Control I/O read and write rates per device.
Prevent a single container from exhausting host resources.
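A limit that was requested on the command line but not applied is worse than no limit, because it creates false confidence. The script below is an added example (not from the original article) that verifies, from inside a running container, which cgroup limits are actually in force by reading the cgroup v2 files Docker configures for --cpus, --memory and --pids-limit. It assumes cgroup v2 mounted at /sys/fs/cgroup; on a cgroup v1 host the files live elsewhere and the audit reports that v2 was not detected. The docker run flags in the comments are real Docker options; the image name is a placeholder.

```shell
# Added example: check effective cgroup v2 limits from inside a container.
# Typical launch whose limits this script confirms (image name is a placeholder):
#   docker run --cpus=2 --memory=1g --pids-limit=100 \
#              --device-read-bps=/dev/sda:10mb example/app sh
# Assumes cgroup v2 at /sys/fs/cgroup (Docker's default on current hosts).

# cpu_max_to_cpus "200000 100000" -> 2.00 ; "max 100000" -> unlimited
# (cpu.max holds "<quota> <period>" in microseconds)
cpu_max_to_cpus() {
    set -- $1                      # split into quota and period
    if [ "$1" = max ]; then
        echo unlimited
    else
        awk -v q="$1" -v p="$2" 'BEGIN { printf "%.2f\n", q / p }'
    fi
}

# bytes_to_human 1073741824 -> "1024 MiB" ; max -> unlimited
bytes_to_human() {
    case $1 in
        max) echo unlimited ;;
        *)   awk -v b="$1" 'BEGIN { printf "%d MiB\n", b / 1048576 }' ;;
    esac
}

# cgroup_path: absolute cgroup v2 directory of this shell, derived from the
# "0::<path>" line of /proc/self/cgroup; fails on cgroup v1 hosts
cgroup_path() {
    rel=$(sed -n 's/^0::\(.*\)$/\1/p' /proc/self/cgroup 2>/dev/null)
    [ -n "$rel" ] || return 1
    echo "/sys/fs/cgroup$rel"
}

read_or_unknown() { cat "$1" 2>/dev/null || echo unknown; }

# cgroup_audit: print the effective CPU, memory and PID limits
cgroup_audit() {
    cg=$(cgroup_path) || { echo "cgroup v2 not detected"; return 1; }
    cpu=$(read_or_unknown "$cg/cpu.max")
    mem=$(read_or_unknown "$cg/memory.max")
    pids=$(read_or_unknown "$cg/pids.max")
    if [ "$cpu" = unknown ]; then cpu_h=unknown; else cpu_h=$(cpu_max_to_cpus "$cpu"); fi
    if [ "$mem" = unknown ]; then mem_h=unknown; else mem_h=$(bytes_to_human "$mem"); fi
    printf 'cpus:   %s\nmemory: %s\npids:   %s\n' "$cpu_h" "$mem_h" "$pids"
}

# Usage inside the container: cgroup_audit
# For the launch above this prints cpus: 2.00 / memory: 1024 MiB / pids: 100.
```

A reading of "unlimited" for memory on a workload that was supposed to be capped is the signal to look at the launch configuration (or at a nested orchestrator that rewrote it) before the container can starve its neighbours.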
UnionFS – Image Layering
UnionFS stacks multiple read‑only layers to create efficient, reusable images.
Base layer: Ubuntu system files
Middle layer: Python installation
Upper layer: Application code
Top layer: Writable layer for container runtime
Docker Runtime Process
The lifecycle of a Docker workload can be described as:
Image Build: Build a layered image from a Dockerfile; each instruction creates a new read‑only layer.
Container Run: The daemon creates a writable layer on top of the image, assigns namespaces and cgroups, and starts the main process (PID 1) via runc.
Runtime: The container’s processes share the host kernel but remain isolated.
Stop / Remove: Stopping the main process releases cgroup resources; the writable layer is deleted while the image layers persist.
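The layering section and the lifecycle above fit together in one script. What follows is an added example, not code from the original article: a constructed Dockerfile that mirrors the base / runtime / application stack described earlier, a small awk function that separates the instructions which add a read‑only filesystem layer (FROM, RUN, COPY, ADD) from those that only change image metadata (ENV, EXPOSE, CMD and similar), and a build → run → stop → remove walk-through that runs only when a Docker daemon is reachable. The image and container names are placeholders.

```shell
# Added example: Dockerfile layer accounting plus the build/run/stop/remove
# lifecycle. Docker commands are real CLI calls; names are placeholders.

# Instructions that write to the image filesystem and so create a new
# read-only layer. Everything else (ENV, EXPOSE, CMD, LABEL, ...) records
# metadata in the image config without adding a layer.
LAYER_INSTRUCTIONS='FROM|RUN|COPY|ADD'

# dockerfile_layers < Dockerfile -> "<layer instructions> <metadata instructions>"
# Handles comments, blank lines and backslash continuation lines.
dockerfile_layers() {
    awk -v re="^($LAYER_INSTRUCTIONS)[[:space:]]" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            if (cont) { cont = ($0 ~ /\\$/); next }   # continuation of previous instruction
            cont = ($0 ~ /\\$/)
            if (toupper($0) ~ re) layers++; else meta++
        }
        END { printf "%d %d\n", layers + 0, meta + 0 }'
}

# sample_dockerfile: constructed for this example; base -> runtime -> app -> metadata
sample_dockerfile() {
cat <<'EOF'
# constructed sample, three filesystem layers on top of the base image's own
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends python3 \
    && rm -rf /var/lib/apt/lists/*
COPY app.py /app/app.py
ENV PYTHONUNBUFFERED=1
EXPOSE 8080
CMD ["python3", "/app/app.py"]
EOF
}

# lifecycle_demo [image] [container]: the lifecycle from the text, executed
# only when the docker CLI (and a daemon) is available.
lifecycle_demo() {
    img=${1:-example/app:dev}; ctr=${2:-app-demo}
    command -v docker >/dev/null 2>&1 || { echo "docker not available, skipping"; return 0; }
    tmp=$(mktemp -d)
    sample_dockerfile > "$tmp/Dockerfile"
    printf 'print("hello from the writable layer")\n' > "$tmp/app.py"
    docker build -t "$img" "$tmp"                  # one read-only layer per FROM/RUN/COPY
    docker history "$img"                          # lists every layer with its size
    docker run -d --name "$ctr" --cpus=1 --memory=256m "$img" sleep 300
    docker inspect -f 'pid={{.State.Pid}} upper={{.GraphDriver.Data.UpperDir}}' "$ctr"
    docker stop "$ctr"                             # SIGTERM to PID 1; cgroup released
    docker rm "$ctr"                               # writable (upper) layer deleted
    docker image ls "$img"                         # read-only image layers persist
    rm -rf "$tmp"
}

# Usage:
#   sample_dockerfile | dockerfile_layers   # prints "3 3"
#   lifecycle_demo
```

The UpperDir printed by docker inspect is the per-container writable layer on an overlay2 host; it disappears with docker rm, while docker image ls still shows the image, which is exactly the persistence split the Stop / Remove step describes.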
Mike Chen's Internet Architecture
Over ten years of BAT architecture experience, shared generously!