Under the Hood
Docker uses a client-server architecture. The Docker client talks to the Docker daemon, which does the heavy lifting of building, running, and distributing your Docker containers.
The Docker Daemon
The daemon (dockerd) listens for Docker API requests and manages Docker objects.
The Docker Client
The client (docker) is the primary way that many Docker users interact with Docker. When you use commands such as docker run, the client sends these commands to dockerd.
Docker Objects
Docker objects include:
- Images: Read-only templates for creating containers
- Containers: Runnable instances of images
- Services: Definitions for running containers in production
- Volumes: Persistent storage mechanism
- Networks: Enable communication between containers
The Complete Flow
Dockerfile → Docker Image → Docker Container
When you run docker run:
- Client sends the request to the daemon
- Daemon checks if the image exists locally
- If not, pulls it from a registry (like Docker Hub)
- Creates a new container from the image
- Allocates a filesystem, network interface, and resource limits
- Starts the container with your command
Docker Registries
Registries store and distribute Docker images:
- Docker Hub: Public registry (default)
- Docker Trusted Registry: Private registry
- Amazon ECR, Google Container Registry, Azure Container Registry: Cloud registries
Pulling Images
# From Docker Hub (default)
docker pull ubuntu
docker pull nginx:latest
# From private registry
docker pull myregistry.com/myapp:v1.0
Pushing Images
# Tag your image
docker tag myapp myregistry.com/myapp:v1.0
# Push to registry
docker push myregistry.com/myapp:v1.0
Container Lifecycle
Created → Running → Paused → Stopped → Removed
Key commands:
docker create # Create but don't start
docker start # Start a stopped container
docker run # Create + start in one command
docker pause # Pause execution
docker unpause # Resume execution
docker stop # Graceful shutdown
docker kill # Force stop
docker rm # Remove container
Layered Architecture
Docker images are built in layers:
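# Base layer
FROM ubuntu:22.04
# New layer
RUN apt-get update
# New layer (-y answers the install prompt, which a build cannot do interactively)
RUN apt-get install -y nginx
# New layer
COPY app /app
# Configuration (run nginx in the foreground so the container keeps running)
CMD ["nginx", "-g", "daemon off;"]
Each layer is cached. If a layer changes, only that layer and subsequent layers are rebuilt. This makes Docker images efficient.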
Key Architecture Concepts
Union File System
Docker uses a union file system to combine multiple layers into a single filesystem view. This allows:
- Read-only base layers
- Writable container layer on top
- Efficient storage (layers are shared between images)
Isolation
Docker provides isolation through:
- Namespaces: PID, network, mount (filesystem), UTS, and IPC namespaces
- Control Groups (cgroups): Limit CPU, memory, and I/O resources
- SELinux/AppArmor: Additional security policies
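Each mechanism in this list can be switched off per container, and the result is visible in `docker inspect` output. The following is an added example, not code from the original page: it audits a constructed sample record for shared namespaces, missing cgroup limits, disabled security profiles and a mounted daemon socket. The function name audit_isolation and the sample data are assumptions made here.

```python
import json

# Constructed sample, shaped like the output of `docker inspect <container>`.
SAMPLE = json.loads("""[{
  "Name": "/web",
  "HostConfig": {
    "Privileged": false, "NetworkMode": "host", "PidMode": "",
    "IpcMode": "private", "UTSMode": "",
    "Memory": 0, "NanoCpus": 1000000000, "PidsLimit": null,
    "SecurityOpt": ["apparmor=unconfined"],
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]
  }
}]""")

# HostConfig fields that select a namespace; "host" means "share the host's".
NAMESPACE_FIELDS = {"NetworkMode": "network", "PidMode": "PID",
                    "IpcMode": "IPC", "UTSMode": "UTS"}
# SecurityOpt values that switch off an LSM or seccomp profile.
DISABLED_PROFILES = {"apparmor=unconfined", "seccomp=unconfined", "label=disable"}


def audit_isolation(container):
    """Return findings where a container opts out of an isolation layer."""
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode: all capabilities and host devices")
    for field, ns in NAMESPACE_FIELDS.items():
        if hc.get(field) == "host":
            findings.append(f"{ns} namespace shared with host")
    # cgroup limits: 0 or null in inspect output means no limit was set.
    if not hc.get("Memory"):
        findings.append("no memory limit")
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append("no CPU limit")
    pids = hc.get("PidsLimit")
    if pids is None or pids <= 0:
        findings.append("no PID limit")
    for opt in hc.get("SecurityOpt") or []:
        if opt in DISABLED_PROFILES:
            findings.append(f"security profile disabled: {opt}")
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0].endswith("docker.sock"):
            findings.append("daemon socket mounted: container can drive dockerd")
    return findings


if __name__ == "__main__":
    for c in SAMPLE:
        for finding in audit_isolation(c):
            print(f"{c['Name']}: {finding}")
```

To audit real containers, replace SAMPLE with the parsed JSON from `docker inspect` run against the container IDs on the host.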
Networking
Containers communicate via:
- Bridge network: Default, containers on same host communicate
- Host network: Container shares host's network stack
- Overlay network: For Docker Swarm/Kubernetes clusters
- Custom networks: User-defined networks for container communication
Summary
Docker's architecture separates concerns:
- Client handles user commands
- Daemon manages all resources and operations
- Registries store and distribute images
- Containers are isolated runtime environments
- Layers enable efficient image storage and building
This design makes Docker scalable, efficient, and portable across environments.