Comprehensive Introduction to Docker: Architecture, Components, Networking, and Practical Usage

A developer finishes an e‑commerce project that includes Jar, Redis, MySQL, ES, Hadoop and other components, and hands it over to testing, leading to a typical developer‑tester dialogue about bugs and environment mismatches.

Tester: I keep encountering unknown bugs during unit testing and data verification. Developer: Are you following the operation manual step by step? Tester: Absolutely, I followed the documentation! Developer: Did you restart, clear caches, use the latest code, or run Chrome? Did you change anything? Tester: I... I did nothing!

1 Docker Overview

1.1 Origin of Docker

Docker is a container engine written in Go that provides an isolation layer between applications and the host system. It eliminates the need for developers to manage complex host environments by packaging applications and their dependencies into images that the Docker engine runs.

Docker enables developers to bundle applications with all required libraries, making deployment to any environment straightforward. Its key characteristics include lightweight virtualization, easier collaboration across teams, portability across physical, virtual, and cloud machines, and strong scalability.

Docker containers are lightweight virtual technologies that consume fewer system resources. Containers simplify cooperation between development, testing, and operations teams. Containers can be deployed on any machine, including cloud platforms. Because containers are lightweight, they scale efficiently.

1.2 Basic Docker Components

Image: An immutable template that can be used to create containers, analogous to a class in programming.

A Docker image serves as a blueprint for creating container services.

Container: A runtime instance of an image, representing a process namespace that can be started, stopped, or removed.

Containers run one or more applications isolated from the host, similar to class instances.

Repository: A storage location for images, similar to Git, available as public or private registries.

Repositories host images; users typically pull from public registries or private mirrors.

1.3 VM vs Docker

Virtual Machine: Simulates an entire hardware stack and runs a full guest OS, consuming dedicated resources.

Each VM includes its own OS, binaries, and libraries, and reserves all allocated resources while running.

Docker Container: Shares the host kernel while providing isolated process, filesystem, and network namespaces.

Containers run as isolated processes on the host OS, sharing the kernel but keeping separate namespaces.

Comparison Item

Container

VM

Startup Speed

Seconds

Minutes

Performance

Near native

Some overhead

Disk Usage

MB

GB

Quantity

Hundreds‑thousands

Dozens

Isolation

Process level

System level

OS Support

Linux only

Almost all

Packaging

Application code + dependencies, shared kernel

Full OS

1.4 Docker and DevOps

DevOps bridges the gap between development and operations. Docker fits naturally into DevOps by providing a consistent, portable runtime that developers can manage while meeting operational requirements.

DevOps combines development and operations roles; Docker supplies the tooling that lets developers handle deployment tasks traditionally owned by ops.

1.5 Docker and Kubernetes (k8s)

Kubernetes is a container orchestration platform that manages the full lifecycle of containerized applications, offering features such as automated scaling, self‑healing, and rolling updates. It has surpassed Docker Swarm in market share.

If you have many Docker containers to run, maintain, or monitor, Kubernetes is the recommended solution.

1.6 Hello World

Running the classic hello‑world container:

docker run hello-world

The above command produces a flow diagram (image omitted).

2 Common Docker Commands

Official documentation: https://docs.docker.com/engine/reference/commandline/build/

3 Docker Runtime Principles

Docker runs applications as processes that share the host kernel. The core steps are:

Enable Linux namespaces. Configure cgroups for resource limits. Change the root filesystem using pivot_root (fallback to chroot if unsupported).

3.1 Namespace Process Isolation

Linux namespaces isolate resources such as PID, IPC, and network, making them appear as separate systems to processes within each namespace.

The kernel provides six types of namespaces, illustrated in the following diagram:

3.2 CGroup Resource Allocation

Docker uses cgroups to limit CPU, memory, and disk I/O for containers. Exceeding a quota triggers OOM termination.

Cgroups are kernel mechanisms that group processes and enforce resource constraints, forming the basis for Docker's resource control.

3.3 chroot and pivot_root

The chroot command changes a process's root directory to a specified path, e.g., $HOME/test . Docker prefers pivot_root for changing the root filesystem within a mount namespace.

$ ls /
bin dev etc home lib lib64 mnt opt proc root run sbin sys tmp usr var

3.4 Consistency

Because the entire runtime environment is packaged inside the image, containers provide consistent behavior across local machines, cloud instances, or any host.

Unpacking a container image reproduces the exact execution environment wherever it runs.

3.5 UnionFS

Docker uses layered UnionFS (AUFS, OverlayFS, etc.) to build images as a stack of read‑only layers plus a writable top layer, enabling efficient storage and reuse.

$ tree
.
├── fruits
│  ├── apple
│  └── tomato
└── vegetables
  ├── carrots
  └── tomato

Mounting these directories with AUFS merges them into a single view:

$ mkdir mnt
$ sudo mount -t aufs -o dirs=./fruits:./vegetables none ./mnt

$ tree ./mnt
./mnt
├── apple
├── carrots
└── tomato

3.6 Layered Filesystem

Docker images consist of multiple layers: read‑only base layers, an optional init layer for metadata, and a writable layer for runtime changes. The default storage driver is overlay2 .

3.6.1 Read‑Only Layers

Inspecting an Ubuntu image shows four read‑only layers that together form the base OS.

3.6.2 Writable Layer

The topmost layer is writable; any file modifications during container execution are stored here as incremental changes.

3.6.3 Init Layer

The init layer (named -init ) stores host‑specific metadata such as /etc/hosts , allowing per‑container customizations without altering the base image.

4 Docker Networking

Docker leverages Linux namespaces for network isolation. Each container typically receives its own network namespace.

Running docker network ls shows three default networks: bridge , host , and none .

[root@server1 ~]$ docker network ls
NETWORK ID   NAME    DRIVER   SCOPE
0147b8d16c64 bridge  bridge   local
2da931af3f0b host    host     local
63d31338bcd9 none    null     local

Docker supports four network modes:

Mode

Notes

host

Shares the host network stack.

none

No network configuration.

bridge

Default mode; containers connect to the

docker0

bridge.

container

Shares another container's network namespace.

4.1 Host Mode

Containers use the host's IP address and ports, but file systems and processes remain isolated.

4.2 Container Mode

Two containers share the same network namespace, allowing direct communication via the loopback interface.

4.3 None Mode

Network stack is disabled; useful for batch jobs that only need disk access.

4.4 Bridge Mode

The default mode creates a virtual bridge docker0 on the host. Containers receive IP addresses from a private subnet (commonly 172.17.0.0/16) and communicate through the bridge.

Network traffic from a container is NAT‑translated to the host's external IP, making the container invisible to the outside world.

4.5 --link

Using --link allows containers to resolve each other's names via entries added to /etc/hosts :

docker run -d -P --name linux03 --link linux02 linux
docker exec -it linux03 ping linux02   # succeeds
docker exec -it linux02 ping linux03   # fails

4.6 Custom Bridge Networks

Creating a user‑defined bridge network enables DNS‑based service discovery between containers.

# Create a custom bridge network
docker network create --driver bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynet

# Run containers on the custom network
docker run -d -P --name linux01 --net mynet alpine
docker run -d -P --name linux02 --net mynet alpine
docker exec -it linux01 ping linux02   # succeeds

5 Visual Management Tools

5.1 Portainer

Portainer offers a full‑featured graphical UI for Docker, including container lifecycle management, image handling, network and volume configuration, Swarm orchestration, and user access control.

5.2 DockerUI

DockerUI provides a web interface mirroring most Docker CLI functions but lacks multi‑host support.

5.3 Shipyard

Shipyard aggregates container, image, and registry information across multiple hosts, presenting resource usage and event logs via a web UI.

6 Docker Learning Resources

Recommended resources for further study:

Official documentation: https://docs.docker.com/engine/reference/commandline/build/ From beginner to practice: https://github.com/yeasy/docker_practice Online tutorial: https://vuepress.mirror.docker-practice.com PDF guide: request via public account with code 1412