✦ For everyone, free.

Practical knowledge for real and everyday life

Home

2.1.2.2 Client API Communication

A focused guide to Client API Communication, connecting core concepts with practical Docker and container operations.

Client API communication is the mechanism by which the Docker CLI, or any other client, actually talks to the daemon: structured HTTP requests sent over a Unix socket or a network connection, following the daemon's documented REST API.

The Transport Underneath Every Command

Regardless of how a command is invoked, the client ultimately sends an HTTP request, typically over a local Unix socket when the daemon is running on the same machine.

docker run hello-world
strace -f -e trace=network docker ps 2>&1 | grep -i sock

Tracing the client's system calls reveals that it communicates through the Unix socket at /var/run/docker.sock, regardless of the human-readable command that triggered it.

Request and Response Format

The API uses standard HTTP methods and JSON payloads for most operations, with a small number of endpoints using a streaming format for cases like log output or live build progress, where data needs to be delivered incrementally rather than all at once.

curl --unix-socket /var/run/docker.sock http://localhost/containers/json | python3 -m json.tool

This returns a JSON array describing every running container, the same data docker ps formats into a human-readable table.

Authentication Considerations

When communicating over a local Unix socket, access is controlled by standard filesystem permissions on the socket file; when communicating over a network connection, the API typically requires TLS client certificates to authenticate, since network-exposed access to the API is equivalent to full control over the daemon's host.

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://remote-host:2376 ps
Streaming for Long-Running Operations

Some operations, such as following container logs or build output, keep the underlying HTTP connection open and stream data continuously rather than returning a single response, which is what allows commands like docker logs -f to show new output as it is produced.

docker logs -f myapp
Why Understanding This Layer Matters

Recognizing that every client interaction reduces to an HTTP request over a well-defined API clarifies that nothing about Docker's behavior is hidden inside the CLI itself — any tool capable of making the same API calls can achieve identical results, which is the basis for the broader ecosystem of tools built around Docker.

Related content