Master Docker: Essential Commands, Architecture, and How It Beats Virtual Machines

This article introduces Docker’s core architecture, lists frequently used Docker commands, compares containers with traditional virtual machines, and explains the underlying technologies—namespaces, cgroups, and union file systems—that enable lightweight, isolated, and efficient application deployment.

MaGe Linux Operations

Docker Common Commands

The diagram shows Docker’s architecture.

Docker consists of a client, a server (daemon), and a registry.

Common commands:

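docker images  # list local images
docker search imagename  # search the registry for an image
docker pull imagename:tag  # download an image at a specific tag
docker rmi id/name  # remove a local image by ID or name
docker ps  # list running containers
docker run -it -p port1:port2 image  # start an interactive container; host port1 maps to container port2
docker exec -it containername command  # run a command inside a running container
docker stop containername  # stop a running container
docker start containername  # start a stopped container
docker cp file containername:dir  # copy from the host into the container
docker cp containername:dir file  # copy from the container to the host
docker inspect containername  # show low-level details as JSON
docker rm containername  # remove a stopped container
docker volume ls  # list volumes
docker save -o image.tar image  # export an image to a tar archive
docker load -i xx.tar.gz  # import an image from an archive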

Docker vs Virtual Machines

Docker was created to solve traditional development and operations problems.

Case one: Development and production environments may differ, for example in the MySQL version; Docker lets you quickly pull the exact version required.

Case two: Docker packages applications and dependencies into portable containers, simplifying environment setup.

Case three: From security and speed perspectives, Docker can easily run hundreds of isolated containers.

In short: Docker lets us control the program’s runtime environment.

Difference between Docker and VMs

Docker is not a lightweight VM.

Docker follows a client‑server model; the daemon runs on the host and is accessed via a socket.

A Docker container is a runtime environment, akin to a process container.

Both Docker and KVM are virtualization technologies, but Docker uses the host kernel while KVM requires a guest OS.

Docker has fewer abstraction layers, making it lighter and cheaper.

Docker shares the host kernel; KVM runs a full guest OS, consuming more disk.

Docker starts in seconds, KVM in minutes; Docker offers higher performance and lower overhead.

KVM creates a virtual layer, guest OS, and virtualization store before installing applications.

With containers, Docker Engine runs on the host OS and applications are installed on top of it.

Thus, VMs take minutes to start, containers seconds.

The core point: Docker performs kernel‑level virtualization without requiring hardware support, unlike traditional VMs that virtualize all hardware.

Docker Technical Foundations

Linux namespaces, control groups (cgroups), and UnionFS are the three core technologies behind Docker.

Namespace

Namespaces provide kernel‑level resource isolation, giving each container its own view of processes, network, mounts, etc.

They enable complete isolation of services on a single host.

Docker creates namespaces for processes, users, network, and IPC when a container starts.

Docker’s default network mode is bridge, creating a virtual bridge (docker0) that assigns IPs to containers and connects them via iptables.
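
As an added example (not part of the original article), the shell function below compares the /proc/<pid>/ns/ links of two processes to show which namespaces they share; two processes are in the same namespace exactly when the link targets match. The fixture tree, the PIDs and the inode numbers are constructed, and the optional third argument (an alternative /proc root) is a convenience of this sketch.

```shell
#!/bin/sh
# Added example: which namespaces does PID_B share with PID_A?

# ns_compare PID_A PID_B [PROC_ROOT]
# Prints "<kind> shared", "<kind> isolated" or "<kind> unknown" (link unreadable)
# for every namespace link of PID_A. PROC_ROOT defaults to /proc.
ns_compare() {
  proc=${3:-/proc}
  for link in "$proc/$1"/ns/*; do
    [ -L "$link" ] || continue
    kind=${link##*/}
    a=$(readlink "$link" 2>/dev/null || true)
    b=$(readlink "$proc/$2/ns/$kind" 2>/dev/null || true)
    if [ -z "$a" ] || [ -z "$b" ]; then
      echo "$kind unknown"
    elif [ "$a" = "$b" ]; then
      echo "$kind shared"
    else
      echo "$kind isolated"
    fi
  done
  return 0
}

# Constructed sample tree: PID 1 stands for host init, PID 4242 for a
# container process. Inode numbers are made up.
make_ns_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/1/ns" "$root/4242/ns"
  for t in ipc mnt net pid uts; do
    ln -s "$t:[4026531000]" "$root/1/ns/$t"
    ln -s "$t:[4026532000]" "$root/4242/ns/$t"
  done
  # Same user namespace on both sides, as is the case when
  # user-namespace remapping is not enabled.
  for p in 1 4242; do
    ln -s 'user:[4026531837]' "$root/$p/ns/user"
  done
  echo "$root"
}

fixture=$(make_ns_fixture)
ns_compare 1 4242 "$fixture"
rm -rf "$fixture"
```

On a real host, docker inspect --format '{{.State.Pid}}' containername gives the container's PID to pass as the second argument; reading another process's namespace links generally requires root.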

Cgroup

Cgroups limit a container’s physical resource usage such as CPU, memory, and disk I/O.

Each cgroup is a hierarchy of processes with shared resource limits.

The cgroup filesystem (cgroupfs) resides at /sys/fs/cgroup and allows creating, managing, and monitoring cgroups.
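
As an added example (not part of the original article), the function below reads the limit files of one cgroup directory and reports which controllers have no cap, which is the state of a container started without resource limits. It assumes the cgroup v2 file names memory.max, cpu.max and io.max; the two sample directories and their values are constructed.

```shell
# Added example: report cgroup v2 limits for one cgroup directory.

# cgroup_limits DIR
# Prints one line per controller: "<ctl> unlimited", "<ctl> <raw limit>",
# or "<ctl> unavailable" when the limit file is missing.
cgroup_limits() {
  for ctl in memory cpu io; do
    file="$1/$ctl.max"
    if [ ! -r "$file" ]; then
      echo "$ctl unavailable"
      continue
    fi
    # memory.max: "max" or bytes; cpu.max: "<quota|max> <period>";
    # io.max: one line per throttled device, empty when nothing is throttled.
    first=; rest=
    read -r first rest < "$file" || true
    if [ -z "$first" ] || [ "$first" = "max" ]; then
      echo "$ctl unlimited"
    else
      echo "$ctl $first${rest:+ $rest}"
    fi
  done
  return 0
}

# has_unlimited DIR: succeeds when at least one controller has no cap.
has_unlimited() {
  cgroup_limits "$1" | grep -q ' unlimited$'
}

# Constructed sample trees standing in for two container cgroups.
make_cgroup_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/capped" "$root/uncapped"
  echo 268435456 > "$root/capped/memory.max"      # 256 MiB
  echo '50000 100000' > "$root/capped/cpu.max"    # half of one CPU
  echo '8:0 rbps=1048576 wbps=max riops=max wiops=max' > "$root/capped/io.max"
  echo max > "$root/uncapped/memory.max"
  echo 'max 100000' > "$root/uncapped/cpu.max"
  : > "$root/uncapped/io.max"
  echo "$root"
}

fixture=$(make_cgroup_fixture)
for c in capped uncapped; do
  echo "== $c"; cgroup_limits "$fixture/$c"
done
rm -rf "$fixture"
```

On a cgroup v2 host, the directory to inspect for a given process is /sys/fs/cgroup followed by the path shown in /proc/<pid>/cgroup.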

Union File System

UnionFS merges multiple filesystems (read‑only layers and a writable layer) into a single virtual filesystem.

In Docker, it enables read‑only image layers plus a writable layer for each container.

Docker images are built as a stack of read‑only layers; when a container runs, a writable layer is added on top.

The difference between an image (read‑only) and a container (image plus writable layer) allows multiple containers to share the same image.
