Understanding Docker: Architecture, Namespaces, cgroups, and UnionFS

Docker is the leading container platform that packages applications and dependencies into lightweight, portable containers, enabling “build once, run anywhere”.

Docker Architecture

Docker follows a client‑server (C/S) model. The Docker CLI or API acts as the client, sending requests to the Docker daemon (dockerd). The daemon handles image management, container scheduling, and low‑level operations such as kernel interfaces, storage, and networking. A RESTful API allows integration with automation tools like Docker Compose and Kubernetes.

How Docker Works

Instead of virtualizing an entire machine, Docker leverages the host kernel’s isolation and resource‑control features to run applications in isolated containers.

The core technologies are Linux namespaces, cgroups, and a layered (union) file system, orchestrated by the Docker Engine’s client‑daemon architecture to build images, run containers, and manage distribution.

Namespaces

Namespaces provide the illusion of an independent system by isolating resources such as processes, network, mounts, hostname, IPC, and user IDs. Docker uses six namespace types:

PID : isolates process IDs; the container’s PID 1 starts a separate process tree.

Network : gives each container its own network stack, IP, ports, and routing table.

Mount (MNT) : isolates file‑system mount points, giving the container its own root directory.

UTS : isolates hostname and domain name.

IPC : isolates inter‑process communication resources such as semaphores and message queues.

User : isolates user and group IDs; root inside the container is not the host’s root.

cgroups

Control groups (cgroups) complement namespaces by limiting the amount of CPU, memory, I/O, and process count a container can consume, preventing a single container from exhausting host resources.

Key cgroup parameters include: cpu.cfs_quota_us: CPU time quota. memory.limit_in_bytes: memory limit. blkio.weight: block I/O weight.

Union File System (Layered FS)

Docker images are built from multiple read‑only layers stacked together. When a container starts, a writable layer is added on top, enabling efficient image reuse, sharing, and incremental distribution.

libcontainer / runc

The low‑level runtime (libcontainer, now runc) actually creates the container by configuring namespaces, cgroups, and the root filesystem according to the image specifications.