
Understanding Docker’s Core Architecture, Commands, and How It Differs from Virtual Machines

This article explains Docker’s client‑server architecture, common command‑line tools, the underlying Linux technologies (namespaces, cgroups, UnionFS) that enable containers, compares containers with traditional virtual machines, and details Docker’s networking modes and image layering.

Linux Tech Enthusiast

Docker Common Commands

Below is a list of frequently used Docker commands. All of them go through the Docker daemon, so whoever can run them has the daemon's privileges, which is root on the host unless rootless mode is in use:

docker images                                     list local images
docker search imagename                           search Docker Hub
docker pull imagename:tag                         fetch an image; pin a tag, or better a digest, as imagename@sha256:<digest>
docker rmi id/name                                delete a local image
docker ps                                         list running containers (add -a for stopped ones)
docker run -it -p hostport:containerport image    start a container and publish a port
docker exec -it containername /bin/sh             run a command inside a running container (a command is required)
docker stop containername
docker start containername
docker cp file containername:dir                  copy a file into the container
docker cp containername:dir file                  copy out of the container
docker inspect containername                      full JSON configuration, including the security-relevant HostConfig section
docker rm containername                           remove a stopped container
docker volume ls                                  list volumes
docker save -o image.tar imagename:tag            export an image (all layers plus config) as one tarball
docker load -i image.tar                          import it again (docker load reads from -i or from stdin)
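The most security-relevant command in the list is docker inspect, because its HostConfig section records every flag that weakens isolation. The script below is an added example, not code from the original article: it audits the JSON that docker inspect prints for privileged mode, host namespaces, added capabilities and dangerous bind mounts. SAMPLE_INSPECT is constructed by hand (the ID, paths and values are invented) but uses the real HostConfig field names.

```python
"""Audit 'docker inspect' output for settings that weaken container isolation.

Added example; not code from the original article. Input is the JSON array that
'docker inspect <container>' prints. SAMPLE_INSPECT is constructed by hand
(invented ID and paths) but uses the real HostConfig field names.
"""
import json
import sys

# Constructed sample: what 'docker inspect web' could print, trimmed to the
# fields this audit reads. Every value here is invented for illustration.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123abcd",
    "Name": "/web",
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "host",
        "PidMode": "",
        "CapAdd": ["SYS_ADMIN", "NET_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/app:/app:ro"],
    },
}])

# Capabilities that by themselves allow escaping from or controlling the host.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit(inspect_json: str) -> dict:
    """Return {container name: [finding, ...]} for every container in the JSON.

    An empty list means none of the checked settings were present."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        issues = []
        if hc.get("Privileged"):
            # --privileged: all capabilities, all host devices, and the default
            # seccomp and AppArmor profiles are switched off.
            issues.append("privileged container")
        if hc.get("NetworkMode") == "host":
            issues.append("shares the host network namespace (--net=host)")
        if hc.get("PidMode") == "host":
            issues.append("shares the host PID namespace (--pid=host)")
        for cap in hc.get("CapAdd") or []:          # CapAdd is null when unset
            name = cap.upper()
            if name.startswith("CAP_"):
                name = name[4:]
            if name in DANGEROUS_CAPS or name == "ALL":
                issues.append(f"added capability {cap}")
        for bind in hc.get("Binds") or []:          # "src:dst[:opts]"
            parts = bind.split(":")
            src = parts[0]
            opts = parts[2].split(",") if len(parts) > 2 else []
            if src.rstrip("/").endswith("docker.sock"):
                issues.append(f"mounts {src}: anyone in the container can start a privileged container")
            elif src == "/" and "ro" not in opts:
                issues.append("mounts the host root filesystem read-write")
        name = (c.get("Name") or c.get("Id") or "?").lstrip("/")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    # Usage: docker inspect web db | python3 audit.py   (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, issues in audit(data).items():
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Pipe the real output in with docker inspect $(docker ps -q) | python3 audit.py to check every running container at once; the list of capabilities and mounts to flag is a starting point, not a complete policy.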

Docker vs. Virtual Machines

Docker was created to address inconsistencies between development and production environments and to simplify application deployment.

Case one: A project starts with MySQL 5.5 and later upgrades to 5.7. Without containers, testing the new version means reinstalling MySQL or keeping several instances side by side on one host. With Docker, pulling the mysql:5.7 image gives a ready environment in minutes.

Case two: Packaging an application with all its dependencies into a portable container eliminates environment‑specific setup problems.

Case three: Containers provide OS-level isolation, so hundreds of instances can run on one host with far less overhead than VMs. That isolation is weaker than a VM's, not stronger: every container shares the host kernel, so a kernel vulnerability, or a container started with --privileged or host namespaces, can reach the host.

Key differences:

Containers have fewer abstraction layers, making them lighter and cheaper.

Containers share the host kernel, while VMs require a full guest OS, leading to larger disk footprints (MB vs. GB).

Startup time is measured in seconds (often well under one) for containers versus minutes for VMs, and containers carry less runtime overhead because there is no guest kernel or hypervisor in the path.

The most fundamental point is that Docker relies on kernel-level (OS-level) virtualization, namespaces and cgroups, rather than on a hypervisor, so it does not need the hardware virtualization support (VT-x/AMD-V) that traditional VMs use.

Docker Technical Foundations

Three Linux technologies underpin Docker’s implementation: namespaces, control groups (cgroups), and Union File System (UnionFS).

Namespace

Namespaces provide kernel‑level resource isolation, giving each container its own view of process trees, network interfaces, mount points, and inter‑process communication. This isolation makes containers behave as if they run on separate machines.

Key namespace types used by Docker (the names are the clone(2)/unshare(2) flags):

CLONE_NEWNS – isolates mount points, so the container sees only its own root filesystem.

CLONE_NEWCGROUP – isolates the container's view of the cgroup hierarchy.

CLONE_NEWIPC – provides an independent IPC namespace (System V IPC, POSIX message queues).

CLONE_NEWNET – gives each container its own network stack (interfaces, routes, iptables rules).

CLONE_NEWPID – isolates process IDs; the container's first process is PID 1 inside.

CLONE_NEWUSER – separates user and group IDs, so root inside the container can map to an unprivileged host UID. Docker does not enable this by default: it requires userns-remap on the daemon or rootless mode, and without it root in a container is host UID 0, held back only by capabilities, seccomp and the AppArmor/SELinux profile.

CLONE_NEWUTS – isolates hostname and domain name.

When Docker starts a container, the namespace set-up step (the source refers to it as setNamespaces) configures these namespaces before the container's init process is created. In practice this is done by the OCI runtime, runc, which dockerd drives through containerd; the namespaces a running process belongs to are visible as the symlinks under /proc/<pid>/ns/.
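Namespace membership can be verified rather than assumed. The following is an added example, not code from the original article: it reads the /proc/<pid>/ns/* symlinks, whose targets look like pid:[4026531836], and compares the inode numbers of two processes. Two processes with the same inode share that namespace, which is how you confirm that a container really got its own PID, network and mount namespaces, or spot one started with --pid=host. HOST_INIT and CONTAINER_INIT are constructed maps; the inode numbers are invented but follow the real pattern.

```python
"""Compare the namespaces two processes live in by reading /proc/<pid>/ns/*.

Added example; not code from the original article. Each /proc/<pid>/ns/<type>
entry is a symlink whose target looks like 'pid:[4026531836]'; processes with
the same inode number share that namespace.
"""
import os
import re

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
_LINK_RE = re.compile(r"^(?P<type>[a-z_]+):\[(?P<ino>\d+)\]$")


def parse_ns_link(target: str):
    """'pid:[4026531836]' -> ('pid', 4026531836); raises ValueError on anything else."""
    m = _LINK_RE.match(target)
    if not m:
        raise ValueError(f"not a namespace link: {target!r}")
    return m.group("type"), int(m.group("ino"))


def shared_namespaces(a: dict, b: dict) -> set:
    """Namespace types whose inode number is identical in both maps."""
    return {t for t in a.keys() & b.keys() if a[t] == b[t]}


def read_namespaces(pid="self") -> dict:
    """Live version: {type: inode} for the given PID (Linux only).

    Reading another user's process needs CAP_SYS_PTRACE; entries that cannot
    be read are skipped, so compare only types present in both maps."""
    result = {}
    for t in NS_TYPES:
        try:
            target = os.readlink(f"/proc/{pid}/ns/{t}")
        except OSError:          # not Linux, PID gone, or no permission to inspect it
            continue
        _, ino = parse_ns_link(target)
        result[t] = ino
    return result


# Constructed sample: the host's PID 1 versus a container's init process.
# Inode numbers are invented but follow the real pattern: everything differs
# except 'user', because Docker does not enable user namespaces by default.
HOST_INIT = {"cgroup": 4026531835, "ipc": 4026531839, "mnt": 4026531840,
             "net": 4026531992, "pid": 4026531836, "user": 4026531837, "uts": 4026531838}
CONTAINER_INIT = {"cgroup": 4026532531, "ipc": 4026532529, "mnt": 4026532527,
                  "net": 4026532532, "pid": 4026532530, "user": 4026531837, "uts": 4026532528}
# The same container started with --pid=host: its pid namespace is the host's.
PID_HOST_CONTAINER = dict(CONTAINER_INIT, pid=HOST_INIT["pid"])


if __name__ == "__main__":
    print("normal container shares with host:", sorted(shared_namespaces(HOST_INIT, CONTAINER_INIT)))
    print("--pid=host container shares with host:", sorted(shared_namespaces(HOST_INIT, PID_HOST_CONTAINER)))
    # From inside a container, PID 1 is the container's init, so this prints
    # every type; on the host it does too. To compare against the host, run
    # read_namespaces(<host pid>) from the host side, or mount /proc/1/ns of the host.
    print("this process shares with PID 1:", sorted(shared_namespaces(read_namespaces("self"), read_namespaces(1))))
```

On the host, docker inspect -f '{{.State.Pid}}' containername gives the container's init PID; read_namespaces(that_pid) compared with read_namespaces(1) should share only user (and time, which this script does not list) on a default installation.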

Cgroup

Cgroups limit a container's resource consumption (CPU, memory, disk I/O, number of PIDs). Each cgroup is a group of processes governed by the same resource limits, arranged in a tree and managed through the cgroupfs filesystem under /sys/fs/cgroup: one tree per controller on cgroup v1, a single unified tree on cgroup v2, which current distributions use. Without limits a single container can exhaust the host's memory or CPU for everyone else, so cgroups are the denial-of-service side of container isolation.

Typical cgroup operations (the file names are cgroup v1; v2 uses cgroup.procs instead of tasks and a single cpu.max file instead of the cfs pair):

Create a cgroup hierarchy (mkdir under the controller's directory; the kernel populates the control files).

Add processes to the cgroup (write PIDs to the tasks file, one PID per write).

Set resource limits (e.g., write the quota in microseconds to cpu.cfs_quota_us, relative to cpu.cfs_period_us; memory.limit_in_bytes for memory).

Monitor usage through cgroup statistics files (cpu.stat, memory.usage_in_bytes).
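The four steps above are plain file operations, which the following added example (not code from the original article) carries out end to end for the CPU controller, in both the v1 and the v2 layout. Run as root with root='/sys/fs/cgroup/cpu' (v1) or root='/sys/fs/cgroup' (v2, with the cpu controller enabled in the parent's cgroup.subtree_control) it caps the listed PIDs at quota/period of one CPU; run_demo() exercises the same code against a scratch directory so the protocol can be seen without root. The cpu.stat it reads there is a constructed sample, not kernel output.

```python
"""Drive a cgroup the way a container runtime does: create the group directory,
write the CPU limit, move PIDs in, read the statistics back.

Added example; not code from the original article. Against a scratch directory
the writes simply create files; on cgroupfs the kernel owns them and enforces
the values.
"""
import os
import tempfile
from pathlib import Path


def create_cgroup(root, name, quota_us, period_us=100_000, pids=(), v2=False) -> Path:
    """Create <root>/<name>, apply the CPU limit and attach pids to it."""
    cg = Path(root) / name
    cg.mkdir(parents=True, exist_ok=True)   # on cgroupfs the kernel populates the control files
    if v2:
        # v2: one file holding "quota period"; the word "max" as quota means unlimited.
        (cg / "cpu.max").write_text(f"{'max' if quota_us < 0 else quota_us} {period_us}\n")
        procs = cg / "cgroup.procs"
    else:
        # v1: two files; a quota of -1 means unlimited.
        (cg / "cpu.cfs_period_us").write_text(f"{period_us}\n")
        (cg / "cpu.cfs_quota_us").write_text(f"{quota_us}\n")
        procs = cg / "tasks"
    for pid in pids:
        # The kernel accepts a single PID per write(), so one write per process.
        with open(procs, "a") as f:
            f.write(f"{pid}\n")
    return cg


def parse_cpu_stat(text: str) -> dict:
    """cpu.stat is 'key value' lines. nr_periods/nr_throttled exist in both
    versions; v1 adds throttled_time (ns), v2 throttled_usec and usage_usec."""
    stats = {}
    for line in text.splitlines():
        if line.strip():
            key, value = line.split()
            stats[key] = int(value)
    return stats


def cpu_share(quota_us: int, period_us: int) -> float:
    """Fraction of one CPU the group may use; a negative quota means unlimited."""
    return float("inf") if quota_us < 0 else quota_us / period_us


def throttled_percent(stats: dict) -> float:
    """Share of scheduling periods in which the group hit its quota (0 before any period)."""
    if not stats.get("nr_periods"):
        return 0.0
    return round(100.0 * stats["nr_throttled"] / stats["nr_periods"], 1)


def run_demo() -> dict:
    """Exercise both layouts in a temporary directory and return what was written."""
    with tempfile.TemporaryDirectory() as root:
        v1 = create_cgroup(root, "demo-v1", quota_us=50_000, pids=[os.getpid()])
        v2 = create_cgroup(root, "demo-v2", quota_us=50_000, pids=[os.getpid()], v2=True)
        # Constructed cpu.stat in the v1 format: 37 of 120 periods were throttled.
        (v1 / "cpu.stat").write_text("nr_periods 120\nnr_throttled 37\nthrottled_time 1850000000\n")
        stats = parse_cpu_stat((v1 / "cpu.stat").read_text())
        return {
            "v1_quota": int((v1 / "cpu.cfs_quota_us").read_text()),
            "v1_tasks": [int(p) for p in (v1 / "tasks").read_text().split()],
            "v2_cpu_max": (v2 / "cpu.max").read_text().strip(),
            "v2_procs": [int(p) for p in (v2 / "cgroup.procs").read_text().split()],
            "share": cpu_share(50_000, 100_000),
            "throttled_pct": throttled_percent(stats),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

docker run --cpus=0.5 writes exactly these values (quota 50000 over a 100000 period) into the cgroup that runc creates for the container; a throttled percentage that climbs in cpu.stat is the first sign that the limit, not the workload, is what is slowing a container down.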

Union File System

UnionFS merges multiple read-only and writable layers into a single virtual filesystem. Docker uses this to implement images and containers; the default storage driver today, overlay2, is built on the kernel's OverlayFS, one implementation of the idea.

Three kinds of layer are involved:

Read-only image layers – the base image's OS files plus one layer per filesystem-changing build step.

Writable container layer – created for each container to store its changes (copy-on-write: a file from an image layer is copied up into this layer before it is modified).

Combined (merged) view – the single filesystem the container actually sees.

A Docker image is a manifest and a JSON config plus one tarball per layer; docker save bundles them into a single tar. Building an image adds a new read-only layer for each Dockerfile instruction that changes the filesystem (RUN, COPY, ADD), similar to stacking blocks, while metadata instructions such as ENV or CMD only change the config. When a container starts, Docker adds a writable layer on top of the image layers. Because lower layers are never modified, deleting a file in a later layer only hides it: the data stays in the earlier layer's tarball and can be extracted from the image, so secrets must never be written into any layer, not even temporarily.
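How the merged view is computed, and why a deleted file is still in the image, is easiest to see with a small union implementation. The following is an added example, not code from the original article: each layer is a dict {path: content} standing in for the layer's tar archive, and deletions use the same whiteout convention as Docker/OCI layers (an entry named .wh.<name> hides <name> from the layers below; .wh..wh.opq hides a directory's entire lower contents). The image and its build steps are constructed.

```python
"""Merged view of image layers with Docker/OCI whiteout semantics.

Added example; not code from the original article. Each layer is a dict
{path: content} standing in for the layer's tar archive. merge() computes the
view the container sees; the lower layers are never modified, which is why a
'RUN rm' in a later Dockerfile step does not remove data from the image.
"""
import posixpath

WHITEOUT_PREFIX = ".wh."
OPAQUE_MARKER = ".wh..wh.opq"


def merge(layers):
    """Apply layers bottom-up and return the merged {path: content} view.

    Within one layer, whiteouts are applied before its regular entries, as the
    OCI image spec requires, so a layer can delete a directory and recreate it
    in the same step."""
    view = {}
    for layer in layers:
        for path in layer:
            directory, name = posixpath.split(path)
            if name == OPAQUE_MARKER:
                prefix = directory + "/" if directory else ""
                for p in [p for p in view if p.startswith(prefix)]:
                    del view[p]
            elif name.startswith(WHITEOUT_PREFIX):
                target = posixpath.join(directory, name[len(WHITEOUT_PREFIX):])
                for p in [p for p in view if p == target or p.startswith(target + "/")]:
                    del view[p]
        for path, content in layer.items():
            if not posixpath.basename(path).startswith(WHITEOUT_PREFIX):
                view[path] = content
    return view


def layers_containing(layers, path):
    """Indices of the layers whose archive still carries <path>."""
    return [i for i, layer in enumerate(layers) if path in layer]


def container_view(image_layers, writes):
    """What a running container sees: the image plus its own writable layer."""
    return merge(list(image_layers) + [writes])


# Constructed image: a base layer and two build steps. The second step is what
# 'RUN rm /app/secret.key' produces: a whiteout entry, not a removal.
BASE = {"etc/os-release": "ID=debian", "bin/sh": "<elf>", "usr/lib/libc.so": "<elf>"}
BUILD_STEP_1 = {"app/main.py": "print('hi')", "app/secret.key": "constructed-example-secret"}
BUILD_STEP_2 = {"app/.wh.secret.key": ""}
IMAGE = [BASE, BUILD_STEP_1, BUILD_STEP_2]


if __name__ == "__main__":
    print("container sees:", sorted(merge(IMAGE)))
    print("secret.key still stored in layer(s):", layers_containing(IMAGE, "app/secret.key"))
    running = container_view(IMAGE, {"tmp/upload": "data"})
    print("with writable layer:", sorted(running), "| base untouched:", BASE["etc/os-release"])
```

The same check works on a real image: docker save image:tag -o image.tar, then look inside the layer tarballs listed in manifest.json; a file removed by a later RUN is still present in the earlier layer's archive, and only the .wh. entry in the later one hides it.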

Docker Networking

Each container gets its own network namespace. Docker's built-in single-host modes are host (share the host's network namespace, no isolation), container (join another container's namespace), none (loopback only) and bridge; further drivers exist for multi-host and direct-attach setups (overlay, macvlan, ipvlan). The default is bridge mode, where Docker creates a virtual bridge docker0, assigns each container an address from the bridge's subnet (172.17.0.0/16 by default) and attaches it through a veth pair, and configures iptables rules: MASQUERADE so outbound traffic leaves through the host's physical interface, and DNAT rules in a DOCKER chain for ports published with -p.

Through namespace isolation and iptables NAT, containers can expose services to the host or to other containers while their own interfaces stay invisible to the host network. Two caveats: containers on the same default bridge can talk to each other freely unless inter-container communication is disabled (icc=false) or they are placed on separate user-defined networks, and a published port is reached through the FORWARD and DOCKER chains, bypassing host firewall rules that only govern INPUT (ufw is the usual surprise); publish as 127.0.0.1:hostport:containerport when a service is meant for the host only.
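What "configures iptables rules" means concretely is easier to judge from the nat table itself. The following is an added example, not code from the original article: RULES is a constructed excerpt in iptables-save format, in the shape Docker writes for the default bridge (the container addresses and published ports are invented), and the functions read back which ports are published, where they go, and which source ranges are masqueraded.

```python
"""Read back what 'docker run -p 8080:80' put into the host's nat table.

Added example; not code from the original article. RULES is a constructed
excerpt in iptables-save format, in the shape Docker writes for the default
bridge (docker0, 172.17.0.0/16); container addresses and ports are invented.
"""
import shlex

RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 172.17.0.3:22
COMMIT
"""


def parse_rule(line):
    """'-A CHAIN [!] -opt value ...' -> (chain, {opt: (negated, value)})."""
    tokens = shlex.split(line)
    chain, opts, i = tokens[1], {}, 2
    while i < len(tokens):
        negated = tokens[i] == "!"
        if negated:
            i += 1
        key = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        # A value is any following token that is not itself an option or a '!'.
        if nxt is not None and nxt != "!" and not nxt.startswith("-"):
            opts[key] = (negated, nxt)
            i += 2
        else:
            opts[key] = (negated, None)
            i += 1
    return chain, opts


def rules(text, table="nat"):
    """Yield (chain, opts) for every -A line of the requested table."""
    current = None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif current == table and line.startswith("-A "):
            yield parse_rule(line)


def published_ports(text):
    """(host_port, proto, container_ip, container_port, reachable_from_outside) per DNAT rule."""
    result = []
    for chain, opts in rules(text):
        if opts.get("-j", (False, None))[1] != "DNAT":
            continue
        ip, port = opts["--to-destination"][1].rsplit(":", 1)
        # '! -i docker0' means the rule matches packets arriving on every other
        # interface: the port is open to the network, not only to the host.
        external = opts.get("-i") == (True, "docker0")
        result.append((int(opts["--dport"][1]), opts["-p"][1], ip, int(port), external))
    return result


def masquerade_sources(text):
    """Source ranges rewritten to the host's address on the way out."""
    return [opts["-s"][1] for _, opts in rules(text)
            if opts.get("-j", (False, None))[1] == "MASQUERADE"]


if __name__ == "__main__":
    import sys
    # Live use (root): iptables-save -t nat | python3 natmap.py
    text = sys.stdin.read() if not sys.stdin.isatty() else RULES
    for entry in published_ports(text):
        print("published:", entry)
    print("masqueraded:", masquerade_sources(text))
```

A port published as 127.0.0.1:8080:80 gets an extra -d 127.0.0.1/32 match on its DNAT rule, which is the difference between a service reachable only from the host and one reachable from every network the host is on; the parser above keeps that match in opts["-d"] if you want to report it.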
