Kenhuang Academy
  • English

      • Docker System Architecture

      This chapter provides a deep dive into Docker's system architecture, helping you understand how Docker components work together and the underlying technologies.

      Docker Overall Architecture

      Docker uses a classic client-server (C/S) architecture with three core components:

      ┌──────────────────────────────────────────────────────────────────┐
│                    Docker Architecture Overview                   │
│                                                                  │
│  ┌──────────────┐         ┌──────────────────────────────────┐  │
│  │ Docker CLI   │         │        Docker Daemon             │  │
│  │              │  REST   │  ┌────────┐ ┌──────────┐        │  │
│  │ docker build │  API    │  │ Images │ │Containers│        │  │
│  │ docker pull  │◄───────►│  └────────┘ └──────────┘        │  │
│  │ docker run   │         │  ┌────────┐ ┌────────┐          │  │
│  │ docker ps    │         │  │Networks│ │ Volumes│          │  │
│  └──────────────┘         │  └────────┘ └────────┘          │  │
│                           └──────────────┬───────────────────┘  │
│                                          │                      │
│                           ┌──────────────▼───────────────────┐  │
│                           │       Docker Registry            │  │
│                           │  ┌──────────┐  ┌─────────────┐  │  │
│                           │  │Docker Hub│  │Private Reg.  │  │  │
│                           │  └──────────┘  └─────────────┘  │  │
│                           └──────────────────────────────────┘  │
└──────────────────────────────────────────────────────────────────┘

      Core Components

      1. Docker Client

      The Docker Client is the primary way users interact with Docker, sending requests through the docker CLI tool.

      docker run nginx          # Run a container
docker build -t myapp .   # Build an image
docker pull ubuntu        # Pull an image
docker ps                 # List containers

      The client communicates with the Docker Daemon via REST API:

      Connection TypeDescriptionExample
      Unix SocketLocal communication (default)/var/run/docker.sock
      TCPRemote communicationtcp://192.168.1.100:2376
      SSHSecure remote communicationssh://user@host

      2. Docker Daemon

      The Docker Daemon (dockerd) is Docker's core service process, responsible for:

      • Listening for Docker API requests
      • Managing Docker objects (images, containers, networks, volumes)
      • Communicating with other Docker Daemons (in cluster mode)

      3. Docker Registry

      A Registry stores and distributes Docker images:

      • Docker Hub: Official public registry with official and community images
      • Private registries: Self-hosted solutions like Harbor, Nexus
      • Cloud provider registries: AWS ECR, Google GCR, Azure ACR, etc.

      Underlying Technologies

      Docker leverages several Linux kernel technologies for container isolation and resource management:

      Namespaces

      Namespaces provide container isolation, giving each container its own system view:

      NamespaceIsolatesDescription
      PIDProcess IDsContainer processes isolated from host
      NETNetworkingIndependent network stack, IP, ports
      MNTFilesystem mountsIndependent filesystem view
      UTSHostname and domainContainer has its own hostname
      IPCInter-process communicationIndependent semaphores, message queues
      USERUsers and groupsUser mapping between container and host

      Cgroups (Control Groups)

      Cgroups limit and monitor container resource usage:

      # Limit container to 512MB memory and 1 CPU
docker run -m 512m --cpus 1 nginx

# View container resource usage
docker stats
      ResourceControl
      CPULimit CPU time and cores
      MemorySet memory usage limits
      Disk I/OLimit read/write rates
      NetworkLimit bandwidth

      Union File System

      Docker images use a layered storage architecture with union filesystems (e.g., OverlayFS):

      ┌─────────────────────────┐
│  Writable Layer (Container) │  ← Runtime modifications
├─────────────────────────┤
│  Application Layer       │  ← COPY/ADD instructions
├─────────────────────────┤
│  Dependencies Layer      │  ← RUN apt-get install
├─────────────────────────┤
│  Base Image Layer        │  ← FROM ubuntu:22.04
└─────────────────────────┘

      Benefits of layered storage:

      • Shared base layers: Multiple images share common layers, saving disk space
      • Fast builds: Only changed layers need rebuilding
      • Efficient distribution: Only differential layers need transfer

      Container Runtime Architecture

      containerd and runc

      Docker CLI → Docker Daemon → containerd → runc → Container Process
      ComponentResponsibility
      Docker DaemonReceives API requests, manages images and high-level features
      containerdContainer lifecycle management (create, start, stop)
      runcOCI-standard container runtime, creates actual containers

      OCI Standards

      The Open Container Initiative (OCI) defines open standards for containers:

      • Runtime Specification: How containers should run
      • Image Specification: Image format definition
      • Distribution Specification: How images are distributed

      Docker Network Architecture

      Docker provides multiple network drivers for different scenarios:

      Network ModeDescriptionUse Case
      bridgeDefault, containers communicate via virtual bridgeSingle-host container communication
      hostContainer uses host network directlyHigh-performance networking
      noneNo network connectionSecurity isolation
      overlayCross-host container communicationDocker Swarm clusters
      macvlanContainer gets its own MAC addressDirect physical network access

      Docker Storage Architecture

      Docker provides multiple data persistence options:

      Storage TypeManaged ByPersistentUse Case
      VolumeDockerYesDatabases, application data
      Bind MountUser-specified pathYesDevelopment, config files
      tmpfsMemoryNoTemporary data, sensitive info

      Chapter Summary

      Docker's architecture is elegantly designed, providing a clean user interface through the client-server model while leveraging Linux kernel technologies — Namespaces, Cgroups, and union filesystems — for lightweight container isolation. Understanding these fundamentals helps with troubleshooting and performance optimization.

      Further Reading