Back to All Concepts
DevOpsContainersLinuxLow LevelAdvanced

Docker Internals

What actually is a container? Just a Linux process with a mask on. Deep dive into Namespaces, Cgroups, and Union Filesystems (OverlayFS).

Containers vs Virtual Machines

Virtual Machine (VM): Emulates hardware. Runs a full Guest OS on top of a Hypervisor. Heavy (GBs). Container: Shares the Host OS Kernel. Lightweight (MBs). Fast startup (ms).

Containers are process isolation mechanisms provided by the Linux Kernel.

mermaid
graph TD
    subgraph VM_Architecture [Virtual Machine]
        App1[App A + Libs]
        GuestOS[Guest OS]
        Hypervisor[Hypervisor]
        HW1[Hardware]
        
        App1 --> GuestOS
        GuestOS --> Hypervisor
        Hypervisor --> HW1
    end
    
    subgraph Container_Architecture [Container]
        App2[App B + Libs]
        Docker[Docker Engine]
        HostOS[Host OS Kernel]
        HW2[Hardware]
        
        App2 --> Docker
        Docker --> HostOS
        HostOS --> HW2
    end
Click to expand code...

The Three Pillars of Containers

How does docker run actually work? It uses three Linux features:

1. Namespaces (Isolation)

Namespaces limit what a process can see.

NamespaceWhat it Isolates
PIDProcess Key Numbers. Container thinks it's PID 1.
NETNetwork Interfaces (eth0), Ports, Routing Tables.
MNTMount Points. Container has its own root /.
UTSHostname and Domain.
IPCInter-Process Communication (Shared Memory).
USERUser IDs. Root in container != Root on host.

Try it: unshare --fork --pid --mount-proc /bin/bash creates a new PID namespace.

2. Control Groups (Cgroups) (Resource Limiting)

Cgroups limit how much a process can use.

  • Memory: "You get 512MB RAM." (OOM Kill if exceeded)
  • CPU: "You get 0.5 CPU cores."
  • Block I/O: "Limit disk read speed to 10MB/s."

Accessed via file system: /sys/fs/cgroup/.

3. Union Filesystem (Storage)

How are images so efficient?

Docker Images are built from Layers.

  • Layers: Read-only changesets (e.g., Ubuntu Base -> Add Python -> Add App Code).
  • Union Mount: Merges all layers into a single view.
  • Copy-on-Write (COW): If a container modifies a file from a lower layer, it copies it up to the writable top layer first.

OverlayFS is the modern implementation.

mermaid
graph BT
    W[Writable Container Layer] --> R3[Layer 3: App Code]
    R3 --> R2[Layer 2: Python Runtime]
    R2 --> R1[Layer 1: Ubuntu Base]
    
    style W fill:#f55,stroke:#333
    style R3 fill:#55f,stroke:#333
    style R2 fill:#55f,stroke:#333
    style R1 fill:#55f,stroke:#333
Click to expand code...

Docker Architecture

Client-Server model.

  1. Docker CLI: Sends commands (docker run) to Daemon via REST API (Unix Socket).
  2. Docker Daemon (dockerd): Manages objects (images, containers, networks).
  3. Containerd: High-level runtime. Manages image pull/push and lifecycle.
  4. Runc: Low-level runtime. Spawns the actual process using syscalls.

Building Efficient Images

1. Multi-Stage Builds

Build in a fat image (Go compiler), copy binary to tiny image (Alpine/Scratch).

dockerfile
# Stage 1: Build
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp main.go

# Stage 2: Run
FROM alpine:latest
WORKDIR /root/
COPY --from=builder /app/myapp .
CMD ["./myapp"]
# Result: 10MB image (instead of 800MB)
Click to expand code...

2. Layer Caching

Order matters! Put frequently changing instructions (COPY code) at the bottom.

dockerfile
# BAD: Breaks cache if source code changes
COPY . .
RUN npm install

# GOOD: Caches dependencies unless package.json changes
COPY package.json .
RUN npm install
COPY . .
Click to expand code...

Security: Container Breakout

If a container runs as root, and a vulnerability exists in the Kernel... Container Breakout: Attacker escapes the container and gains access to the Host.

Defenses:

  • Run as Non-Root: USER appuser in Dockerfile.
  • Read-Only Root: docker run --read-only.
  • Capabilities: Drop unused Linux privileges (--cap-drop ALL --cap-add NET_BIND_SERVICE).

Related Concepts

About ScaleWiki

ScaleWiki is an interactive educational platform dedicated to demystifying distributed systems, software architecture, and system design. Our mission is to provide high-quality, technically accurate resources for software engineers preparing for interviews or solving complex scaling challenges in production.

Read more about our Editorial Guidelines & Authorship.

Educational Disclaimer: The architectural patterns and system designs discussed in this article are based on common industry practices, technical whitepapers, and public engineering blogs. Actual implementations in enterprise environments may vary significantly based on specific product requirements, legacy constraints, and evolving technologies.

Related Articles

Pro

Kubernetes Architecture Explained

Under the hood of K8s: The Control Plane (API Server, Scheduler, Etcd, Controllers) and Data Plane (Kubelet, Kube-proxy, Container Runtime).

DevOpsInfrastructureContainers
Intermediate

Blue-Green Deployment

Zero-downtime deployment strategy using two identical production environments (Blue and Green) to enable instant rollbacks, reduce risk, and allow thorough testing before directing traffic.

DevOpsDeploymentInfrastructure
Intermediate

CI/CD Pipeline Architecture

Designing robust Continuous Integration and Continuous Deployment pipelines. Strategies for artifact promotion, testing pyramids, canary deployments, and rollback mechanisms.

DevOpsCICDAutomation