2 Docker Architecture
A focused guide to Docker Architecture, connecting core concepts with practical Docker and container operations.
Docker architecture describes the set of components that together implement building, running, and managing containers: a client that issues commands, a daemon that carries them out, a container runtime that creates the actual isolated processes, and supporting components such as image storage and networking.
The Client-Daemon Model
Docker is built around a client-server architecture. The docker command-line tool is the client; it sends API requests to the Docker daemon (dockerd), which performs the actual work of building images and running containers.
docker run -d nginx
This command is translated by the client into an API call to the daemon, which the daemon then carries out — the client itself does not directly create the container.
Communication Between Client and Daemon
The client and daemon can run on the same machine, communicating over a local Unix socket, or on different machines, communicating over a network using Docker's REST API.
docker -H tcp://remote-host:2375 ps
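This command directs the client to talk to a daemon running on a different machine entirely, demonstrating that the client and daemon are not required to be co-located. Port 2375 is the conventional port for the daemon's unencrypted, unauthenticated API: anyone who can reach it has full control of the daemon and, through it, of the host. A remote daemon should therefore be reached over TLS with client certificates (conventionally port 2376) or over SSH rather than exposed like this.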
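An added example, not part of the original guide: a small Python audit that reads a daemon.json and classifies each listener in its hosts list by how exposed the API is. The sample configuration, function names and severity labels are constructed for illustration; hosts, tls and tlsverify are real dockerd configuration keys, and listeners passed on the dockerd command line are not covered.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json (not taken from any real host).
SAMPLE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375", "tcp://127.0.0.1:2375"]
}
"""

def is_loopback(host):
    """True only for 'localhost' or a literal loopback IP address."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostname or empty: assume reachable from the network

def classify_listener(url, tls=False, tlsverify=False):
    """Return (severity, reason) for one daemon listener URL (labels are this example's own)."""
    parts = urlsplit(url)
    if parts.scheme in ("unix", "fd"):
        return ("info", "local socket; access is governed by file permissions")
    if parts.scheme != "tcp":
        return ("review", "unrecognized scheme " + repr(parts.scheme))
    if tlsverify:
        return ("ok", "TCP with TLS and client certificate verification")
    if tls:
        return ("high", "TCP with TLS but clients are not authenticated")
    local = is_loopback(parts.hostname or "")
    scope = "loopback only" if local else "network reachable"
    return ("medium" if local else "critical",
            "plaintext, unauthenticated API (" + scope + ")")

def audit_daemon_config(text):
    """Map every configured listener to its (severity, reason)."""
    cfg = json.loads(text)
    # Assumption: with no hosts configured, a Linux daemon listens on the local Unix socket.
    hosts = cfg.get("hosts") or ["unix:///var/run/docker.sock"]
    tls, tlsverify = cfg.get("tls", False), cfg.get("tlsverify", False)
    return {h: classify_listener(h, tls, tlsverify) for h in hosts}

if __name__ == "__main__":
    for host, (sev, why) in audit_daemon_config(SAMPLE_DAEMON_JSON).items():
        print(f"{sev:8} {host}  {why}")
```

A loopback-only plaintext listener is still rated medium here because any local process that can open the port gets the same control as a member of the docker group.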
Layers Beneath the Daemon
The daemon does not implement container isolation itself; it delegates to containerd, a lower-level container runtime, which in turn uses runc to create containers according to the Open Container Initiative (OCI) specification, directly invoking kernel features like namespaces and cgroups.
ctr --namespace moby containers list
ctr, containerd's own command-line client, talks to containerd directly, beneath the layer most users reach through the Docker CLI; moby is the containerd namespace in which Docker keeps the containers it manages.
Supporting Components
Beyond running containers, Docker's architecture includes image storage (locally cached layers, and registries for sharing images), networking (virtual networks and DNS for container-to-container communication), and volume management (persistent storage that outlives a container's lifecycle).
docker volume create myapp-data
docker network create myapp-net
Why Understanding the Architecture Matters
Knowing that Docker is layered — client, daemon, containerd, runc — helps when diagnosing problems: a failure to reach the daemon is a different kind of issue than a container failing to start due to a runtime-level problem, and the appropriate place to look for logs or to intervene differs at each layer.
journalctl -u docker.service