Skilled Coder Blog
Twitter
|
Newsletter
Technology Explained

How Docker Works End to End

  1. You install Docker Engine: it runs as a background service on your machine.

  2. You write a Dockerfile: it’s like a recipe that defines how your app environment should be built.

  3. You run docker build: Docker reads the Dockerfile and builds a Docker image layer by layer.

  4. The image is a snapshot of your app and everything it needs: code, libs, configs, OS dependencies.

  5. You run docker run: it launches a container from that image.

  6. A container is an isolated process with its own filesystem, network, and resources: but shares the host OS kernel.

  7. Docker uses Union File System: multiple layers stacked together to form the container filesystem.

  8. Each container has its own read-write layer: changes inside the container don’t affect the image.

  9. Containers are fast to start and stop because they’re just processes, not full VMs.

  10. Containers are isolated using namespaces (for process, network, file system) and limited using cgroups (for CPU, memory).

  11. Docker assigns a virtual network to containers: they can talk to each other via container names.

  12. You can expose ports using -p flag to allow access from outside (docker run -p 8080:80).

  13. For persistent data, you use volumes: external directories that containers can mount.

  14. You can push your image to a Docker registry (like Docker Hub) with docker push.

  15. Other people can pull and run the same image anywhere: your app works the same way on any machine.

  16. You can define and manage multi-container setups using Docker Compose (via docker-compose.yml).

  17. Docker Compose lets you start everything with one command (docker-compose up): great for dev/test environments.

  18. Docker also lets you set env variables, networks, restart policies, limits, and health checks easily.

  19. For production, you can run Docker with orchestration tools like Kubernetes or Docker Swarm to manage multiple containers.

  20. In the end: build once, run anywhere, stay lightweight, isolate cleanly, and ship faster.

NOTE: The content below is additional technical knowledge and not necessary for basic understanding. Feel free to stop here if you're looking for just the essential process.

Docker Architecture Deep Dive

Docker Engine Components

The Docker Engine consists of three main components:

  • dockerd (Docker daemon): A persistent background process that manages Docker objects like images, containers, networks, and volumes
  • REST API: Specifies interfaces that programs can use to talk to the daemon
  • Docker CLI: Command-line interface that allows users to interact with Docker via commands

Container Isolation: Namespaces

Docker uses Linux namespaces to provide isolation between containers:

  • PID namespace: Process isolation (each container has its own process ID space)
  • NET namespace: Network isolation (each container has its own network stack)
  • IPC namespace: Inter-process communication isolation
  • MNT namespace: Mount point isolation (filesystem)
  • UTS namespace: Unix Timesharing System isolation (hostname and domain name)
  • USER namespace: User isolation (container users mapped to host users)

Resource Control: Control Groups (cgroups)

Cgroups limit and account for resource usage by containers:

  • CPU: Limit percentage of CPU usage
  • Memory: Limit available RAM and swap
  • Block I/O: Control disk read/write operations
  • Network bandwidth: Control inbound/outbound traffic

Container Lifecycle States

Containers transition through several states:

  1. Created: Container is created but not started
  2. Running: Container processes are executing
  3. Paused: Container processes are temporarily suspended
  4. Stopped: Container processes have terminated
  5. Deleted: Container is removed from the system

Dockerfile Instructions Deep Dive

  • FROM: Specifies the base image (e.g., FROM ubuntu:20.04)
  • RUN: Executes commands inside the container during build
  • COPY/ADD: Transfers files from host to container
  • ENTRYPOINT: Defines the main executable of the container
  • CMD: Provides default arguments to ENTRYPOINT
  • ENV: Sets environment variables
  • EXPOSE: Documents which ports the container listens on
  • VOLUME: Creates a mount point for external volumes
  • WORKDIR: Sets the working directory for subsequent instructions

Image Layering System

  1. Each Dockerfile instruction creates a new layer
  2. Layers are cached to speed up builds
  3. Only modified layers and those above need to be rebuilt
  4. When pulling an image, Docker only downloads layers not already present
  5. A typical image has 5-20 read-only layers plus one read-write layer when running

Networking Models

Docker supports multiple network drivers:

  • bridge: Default network driver, creates a private network for containers
  • host: Removes network isolation, container uses host’s network
  • overlay: Connects multiple Docker daemons together (for Swarm)
  • macvlan: Assigns a MAC address to containers, making them appear as physical devices
  • none: Disables networking for a container

Security Considerations

  1. Docker uses seccomp (secure computing mode) profiles to restrict system calls
  2. SELinux/AppArmor integration provides mandatory access control
  3. Docker rootless mode allows running without root privileges
  4. Container images should be scanned for vulnerabilities
  5. Principle of least privilege: containers should run as non-root users

Performance Optimizations

  1. Multi-stage builds to create smaller images
  2. Layer optimization (combining commands to reduce layers)
  3. Proper use of .dockerignore to prevent unnecessary files
  4. Using alpine or distroless base images for minimal size
  5. Proper resource constraints to prevent container resource hogging