Ajeet Raina Docker Captain, ARM Innovator & Docker Bangalore Community Leader.

Understanding Docker Container Architecture


What is Docker?

Docker is a lightweight containerization technology that has gained widespread popularity in recent years.

What does Docker use?

It uses a host of the Linux kernel’s features such as namespaces, cgroups, AppArmor profiles, and so on, to sandbox processes into configurable virtual environments.

What does Docker container look like?

A Docker container can be compared to an instance of a VM. It runs sandboxed processes that share the same kernel as the host. The term container comes from the concept of shipping containers. The idea is that you can ship containers from your development environment to the deployment environment, and the applications running in the containers will behave the same way no matter where you run them. The following image shows the layers of AUFS.


What does a Docker image look like?

A Docker image is made up of filesystems layered over each other.


At the base is a boot filesystem, bootfs, which resembles the typical Linux/Unix boot filesystem. A Docker user will probably never interact with the boot filesystem. Indeed, when a container has booted, it is moved into memory, and the boot filesystem is unmounted to free up the RAM used by the initrd disk image. So far this looks pretty much like a typical Linux virtualization stack.

Indeed, Docker next layers a root filesystem, rootfs, on top of the boot filesystem. This rootfs can be one or more operating systems (e.g., a Debian or Ubuntu filesystem).

In a more traditional Linux boot, the root filesystem is mounted read-only and then switched to read-write after boot and an integrity check is conducted. In the Docker world, however, the root filesystem stays in read-only mode, and Docker takes advantage of a union mount to add more read-only filesystems onto the root filesystem.

A union mount is a mount that allows several filesystems to be mounted at one time but appear to be one filesystem. The union mount overlays the filesystems on top of one another so that the resulting filesystem may contain files and subdirectories from any or all of the underlying filesystems. Docker calls each of these filesystems images.

Images can be layered on top of one another. The image beneath a given image is called its parent image, and you can traverse each layer until you reach the bottom of the image stack, where the final image is called the base image.

Finally, when a container is launched from an image, Docker mounts a read-write filesystem on top of any layers below. This is where whatever processes we want our Docker container to run will execute. This sounds confusing, so perhaps it is best represented by a diagram.

When Docker first starts a container, the initial read-write layer is empty. As changes occur, they are applied to this layer; for example, if you want to change a file, then that file will be copied from the read-only layer below into the read-write layer. The read-only version of the file will still exist but is now hidden underneath the copy.

This pattern is traditionally called “copy on write” and is one of the features that makes Docker so powerful. Each image layer is read-only; an image never changes. When a container is created, Docker builds from the stack of images and then adds the read-write layer on top.

That layer, combined with the knowledge of the image layers below it and some configuration data, forms the container. Containers can be changed, they have state, and they can be started and stopped. This, and the image-layering framework, allows us to quickly build images and run containers with our applications and services.
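
The layering and copy-on-write behaviour described above can be modelled in a few lines of Python. This is an added example, not Docker's code or part of the original article; the Container class, the layer contents and the file paths are constructed for illustration, with dictionaries standing in for filesystems.

```python
from types import MappingProxyType

class Container:
    """Toy union mount: read-only image layers plus one read-write layer."""

    def __init__(self, image_layers):
        # Base image first, topmost image last. Proxies make them read-only.
        self.images = [MappingProxyType(layer) for layer in image_layers]
        self.rw = {}  # empty when the container first starts

    def _stack(self):
        # Lookup order: read-write layer, then images from top down to base.
        return [("rw", self.rw)] + [
            (f"image[{i}]", self.images[i]) for i in reversed(range(len(self.images)))
        ]

    def read(self, path):
        for _, layer in self._stack():
            if path in layer:
                return layer[path]  # first hit wins and hides anything below
        raise FileNotFoundError(path)

    def append(self, path, text):
        if path not in self.rw:
            # Copy on write: copy the file up before its first modification.
            try:
                self.rw[path] = self.read(path)
            except FileNotFoundError:
                self.rw[path] = ""  # new file, nothing to copy up
        self.rw[path] += text

    def versions(self, path):
        """Every copy of path in the stack; all but the first are hidden."""
        return [(name, layer[path]) for name, layer in self._stack() if path in layer]

# Constructed sample layers (file path -> contents).
BASE = {"/etc/motd": "base image\n", "/app/app.conf": "debug=true\n"}
APP = {"/app/app.conf": "debug=false\n", "/app/run.sh": "exec server\n"}

def demo():
    # Two containers started from the same image stack; only `a` changes a file.
    a, b = Container([BASE, APP]), Container([BASE, APP])
    a.append("/app/app.conf", "port=8080\n")
    return a.read("/app/app.conf"), b.read("/app/app.conf"), a.versions("/app/app.conf")

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The entries that versions() returns after the first are the hidden copies: a file changed in an upper layer is still present, unmodified, in every layer beneath it.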


6 Replies to “Understanding Docker Container Architecture”

  1. You are in point of fact an excellent webmaster. The web site loading speed is incredible. It kind of feels that you’re doing any distinctive trick. Furthermore, the contents are masterwork. You’ve done an excellent activity on this topic!

  2. Hi Ajeet Raina,

    Thanks for this Article.

    I have two questions:
    1. WORKDIR command in dockerfile creates folders in image and containers too
    2. Is docker build the code inside the image after resolving the dependencies

