
Understanding Docker Runtime Principles: Architecture, Core Technologies, and Execution Flow

This article explains Docker as a lightweight container technology. It covers the architecture (client, daemon, and registry), the core Linux technologies Docker builds on (namespaces, cgroups, and UnionFS), and the step-by-step process of running a container, from image pull to process launch.

Mike Chen's Internet Architecture

Docker is a lightweight containerization technology that lets developers package applications and their dependencies into a portable container that runs consistently across environments.

Docker Runtime Principles

Docker’s runtime can be understood from three perspectives: architecture components, core technologies, and the execution workflow.

Docker Architecture

Docker consists of the following parts:

Docker Client: interacts with the user and forwards commands such as docker run and docker build to the Docker Daemon.

Docker Daemon: the background service that builds, runs, and manages container lifecycles, interfacing with Linux kernel features like namespaces and cgroups.

Docker Registry: stores images (e.g., Docker Hub, private Harbor) and communicates via commands like docker pull and docker push.

Core Technologies

Linux Namespaces: provide isolation for PID, network, mount, UTS, IPC, and user views.

Linux Cgroups: enforce resource limits (CPU, memory, I/O, network) for containers.

UnionFS: a layered filesystem that stacks multiple read-only image layers beneath a writable layer and presents them as a single merged view, enabling lightweight images and efficient distribution.

Container Image & Container

Image: a read-only template containing the application code, runtime, libraries, environment variables, and configuration.

Container: a running instance of an image with its own isolated filesystem, network, and process space.

Docker Execution Flow

1. User executes the docker run command.
2. Docker Client sends the request to Docker Daemon.
3. Docker Daemon checks if the image exists locally or pulls it from a registry.
4. Daemon extracts the image layers using UnionFS to create the container's filesystem.
5. Daemon sets up namespaces and cgroups to create an isolated environment.
6. Daemon initializes network, mounts volumes, and applies environment variables.
7. Daemon invokes containerd + runc to start the container process.
8. The container starts; PID 1 becomes the main process inside the container.
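
A check a defender can run against the result of step 5, as an added example that is not part of the original article: it compares the namespace links under /proc/<pid>/ns for a host process and a container process, and reads the container's cgroup memory limit. It assumes cgroup v2 (the memory.max file) and that it runs on the host as a user allowed to read the target's /proc entries; the function names and sample values are constructed for illustration.

```python
import os
import sys

# The six namespace types the article lists: PID, network, mount, UTS, IPC, user.
NS_TYPES = ("pid", "net", "mnt", "uts", "ipc", "user")

def read_namespaces(pid, proc="/proc"):
    """Read the /proc/<pid>/ns symlinks, e.g. {'pid': 'pid:[4026531836]', ...}."""
    return {t: os.readlink(os.path.join(proc, str(pid), "ns", t)) for t in NS_TYPES}

def shared_with_host(host_ns, container_ns):
    """Namespace types in which the container process still has the host's view.

    Two processes are in the same namespace exactly when the link targets
    (type plus inode number) are equal.
    """
    return sorted(t for t in NS_TYPES if host_ns[t] == container_ns[t])

def parse_memory_max(text):
    """Parse a cgroup v2 memory.max file: 'max' means unlimited (returns None)."""
    value = text.strip()
    return None if value == "max" else int(value)

def audit(host_ns, container_ns, memory_max_text):
    """List isolation gaps: shared namespaces and a missing memory limit."""
    findings = [f"{t} namespace shared with host"
                for t in shared_with_host(host_ns, container_ns)]
    if parse_memory_max(memory_max_text) is None:
        findings.append("no cgroup memory limit")
    return findings

# Constructed sample values, not captured from a real host.
HOST = {"pid": "pid:[4026531836]", "net": "net:[4026531840]",
        "mnt": "mnt:[4026531841]", "uts": "uts:[4026531838]",
        "ipc": "ipc:[4026531839]", "user": "user:[4026531837]"}
# Container given its own pid, mnt, uts and ipc namespaces but not net or user.
CONTAINER = dict(HOST, pid="pid:[4026532501]", mnt="mnt:[4026532498]",
                 uts="uts:[4026532499]", ipc="ipc:[4026532500]")

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py <container-pid> <path-to-memory.max>
        with open(sys.argv[2]) as fh:
            limit = fh.read()
        result = audit(read_namespaces("self"), read_namespaces(sys.argv[1]), limit)
    else:                    # no arguments: run on the constructed sample
        result = audit(HOST, CONTAINER, "max\n")
    print("\n".join(result) or "no findings")
```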

In summary, Docker’s operation relies on Linux kernel features (namespaces, cgroups, UnionFS) combined with container runtimes like containerd to deliver a lightweight, efficient container solution.

[Figure: Docker Architecture Diagram]