Docker System Architecture
This chapter provides a deep dive into Docker's system architecture, helping you understand how Docker components work together and the underlying technologies.
Docker Overall Architecture
Docker uses a classic client-server (C/S) architecture with three core components:
┌──────────────────────────────────────────────────────────────────┐
│ Docker Architecture Overview │
│ │
│ ┌──────────────┐ ┌──────────────────────────────────┐ │
│ │ Docker CLI │ │ Docker Daemon │ │
│ │ │ REST │ ┌────────┐ ┌──────────┐ │ │
│ │ docker build │ API │ │ Images │ │Containers│ │ │
│ │ docker pull │◄───────►│ └────────┘ └──────────┘ │ │
│ │ docker run │ │ ┌────────┐ ┌────────┐ │ │
│ │ docker ps │ │ │Networks│ │ Volumes│ │ │
│ └──────────────┘ │ └────────┘ └────────┘ │ │
│ └──────────────┬───────────────────┘ │
│ │ │
│ ┌──────────────▼───────────────────┐ │
│ │ Docker Registry │ │
│ │ ┌──────────┐ ┌─────────────┐ │ │
│ │ │Docker Hub│ │Private Reg. │ │ │
│ │ └──────────┘ └─────────────┘ │ │
│ └──────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────┘Core Components
1. Docker Client
The Docker Client is the primary way users interact with Docker, sending requests through the docker CLI tool.
docker run nginx # Run a container
docker build -t myapp . # Build an image
docker pull ubuntu # Pull an image
docker ps # List containersThe client communicates with the Docker Daemon via REST API:
| Connection Type | Description | Example |
|---|---|---|
| Unix Socket | Local communication (default) | /var/run/docker.sock |
| TCP | Remote communication | tcp://192.168.1.100:2376 |
| SSH | Secure remote communication | ssh://user@host |
2. Docker Daemon
The Docker Daemon (dockerd) is Docker's core service process, responsible for:
- Listening for Docker API requests
- Managing Docker objects (images, containers, networks, volumes)
- Communicating with other Docker Daemons (in cluster mode)
3. Docker Registry
A Registry stores and distributes Docker images:
- Docker Hub: Official public registry with official and community images
- Private registries: Self-hosted solutions like Harbor, Nexus
- Cloud provider registries: AWS ECR, Google GCR, Azure ACR, etc.
Underlying Technologies
Docker leverages several Linux kernel technologies for container isolation and resource management:
Namespaces
Namespaces provide container isolation, giving each container its own system view:
| Namespace | Isolates | Description |
|---|---|---|
| PID | Process IDs | Container processes isolated from host |
| NET | Networking | Independent network stack, IP, ports |
| MNT | Filesystem mounts | Independent filesystem view |
| UTS | Hostname and domain | Container has its own hostname |
| IPC | Inter-process communication | Independent semaphores, message queues |
| USER | Users and groups | User mapping between container and host |
Cgroups (Control Groups)
Cgroups limit and monitor container resource usage:
# Limit container to 512MB memory and 1 CPU
docker run -m 512m --cpus 1 nginx
# View container resource usage
docker stats| Resource | Control |
|---|---|
| CPU | Limit CPU time and cores |
| Memory | Set memory usage limits |
| Disk I/O | Limit read/write rates |
| Network | Limit bandwidth |
Union File System
Docker images use a layered storage architecture with union filesystems (e.g., OverlayFS):
┌─────────────────────────┐
│ Writable Layer (Container) │ ← Runtime modifications
├─────────────────────────┤
│ Application Layer │ ← COPY/ADD instructions
├─────────────────────────┤
│ Dependencies Layer │ ← RUN apt-get install
├─────────────────────────┤
│ Base Image Layer │ ← FROM ubuntu:22.04
└─────────────────────────┘Benefits of layered storage:
- Shared base layers: Multiple images share common layers, saving disk space
- Fast builds: Only changed layers need rebuilding
- Efficient distribution: Only differential layers need transfer
Container Runtime Architecture
containerd and runc
Docker CLI → Docker Daemon → containerd → runc → Container Process| Component | Responsibility |
|---|---|
| Docker Daemon | Receives API requests, manages images and high-level features |
| containerd | Container lifecycle management (create, start, stop) |
| runc | OCI-standard container runtime, creates actual containers |
OCI Standards
The Open Container Initiative (OCI) defines open standards for containers:
- Runtime Specification: How containers should run
- Image Specification: Image format definition
- Distribution Specification: How images are distributed
Docker Network Architecture
Docker provides multiple network drivers for different scenarios:
| Network Mode | Description | Use Case |
|---|---|---|
| bridge | Default, containers communicate via virtual bridge | Single-host container communication |
| host | Container uses host network directly | High-performance networking |
| none | No network connection | Security isolation |
| overlay | Cross-host container communication | Docker Swarm clusters |
| macvlan | Container gets its own MAC address | Direct physical network access |
Docker Storage Architecture
Docker provides multiple data persistence options:
| Storage Type | Managed By | Persistent | Use Case |
|---|---|---|---|
| Volume | Docker | Yes | Databases, application data |
| Bind Mount | User-specified path | Yes | Development, config files |
| tmpfs | Memory | No | Temporary data, sensitive info |
Chapter Summary
Docker's architecture is elegantly designed, providing a clean user interface through the client-server model while leveraging Linux kernel technologies — Namespaces, Cgroups, and union filesystems — for lightweight container isolation. Understanding these fundamentals helps with troubleshooting and performance optimization.