Docker: Architecture and Theory

Architecture Big Picture

Container: isolated area of an OS with resource usage limits applied

To build containers, we use Control Groups and Namespaces (low level, hard-to-use kernel constructs) – note: Docker makes these easy to use.


docker command -> API -> sets up control groups and namespaces -> generates container

Kernel Internals


  • Process ID (pid) – separate process tree each with its own PID 1
  • Network (net) – isolated network stack – i.e. eth0, IP address
  • Filesystem/mount (mnt) – separate file stack
  • Inter-proc comms (ipc) – let processes use shared memory
  • UTS (uts) – i.e. separate hostnames. Note: UTS = Unix Timesharing System
  • User (user) – map accounts inside container to host accounts

Control Groups (aka cgroups – Windows calls them Job Objects / Control Groups)

Police system resources: portions out disk, RAM, CPU


Union file system

Docker Engine

Note whilst Docker Engine is used for creating containers, there is a whole load of stuff plugging into it such as:

  • Swarm
  • On-prem registry
  • Universal control plane
  • Ecosystem – e.g. Rancher, CircleCI

Some history: dotCloud born (tool called dc) which used LXC. LXC changes were breaking Docker. So Docker replaced LXC with libcontainerdc tool replaced by docker.

The docker daemon became a monolith (i.e. compose, authz, registry, REST API, orchestration, etc).

Kubernetes pulled in docker which already had orchestration – messy. So, Docker started refactoring.

Open Container Initiative.


Client – daemon (Docker API) – containerd – OCI (Runtime – i.e. interfaces with kernel)

Note: runc is OCI implementation.

On Windows, instead of containerd and runc we have Compute Services.


Example: creating a new container on Linux

docker container run

REST POST call to daemon

This then does a client.NewContainer(context, …) call to containerd.

containerd calls a shim which calls runc.

i.e. containerd and runc can be switched out if necessary.


And can reinstall / upgrade / restart the daemon which has no effect on running containers.

daemon: orchestration, builds, stacks, overlay-networks.


Some buzzwords:

GRPC: RPC framework –

containerd is a Cloud Native Computing Foundation

Windows Containers

Two types – Native and Hyper-V.

Native – uses Namespace isolation (i.e. runs on Host OS kernel)

Hyper-V – Windows spins up a Hyper-V kernel. i.e. 1 container per VM. To use, need:

docker container run --isolation=hyperv


Leave a Reply

Your email address will not be published. Required fields are marked *