Docker relies on Linux kernel features, specifically Namespaces for resource isolation and Cgroups for resource limitation, to provide operating-system-level virtualization. As the leading open-source container engine, it functions primarily as a streamlined application packaging mechanism.

The architecture consists of the Docker Client (CLI), the Docker Daemon (background service), Docker Images (read-only templates), Docker Containers (runtime instances), and the Docker Registry (distribution repository).

Images and Storage

A Docker image represents a layered file system and a specific software runtime environment. Unlike a full virtual machine, it does not include a Linux kernel but shares the host's kernel, acting as a lightweight, standardized delivery unit. A single image can spawn multiple container instances.

Image Management CLI

Common commands for managing images include:

• ls: Lists locally stored images.
• build: Constructs an image from a Dockerfile.
• inspect: Displays low-level configuraton details.
• pull / push: Retrieves or uploads images to a registry.
• rm: Deletes specific images.
• prune: Removes dangling images not referenced by any container.
• tag: Creates an alias target for a source image.
• save / load: Archives or restores images via tar.
• export / import: Handles container filesystem exports.

Container Resource Constraints

Resource allocation is handled at runtime.

# Limit memory usage to 512MB and swap to 1GB, disabling the OOM Killer
docker run -d --name web_core --memory="512m" --memory-swap="1g" --oom-kill-disable nginx

# Allocate 2 dedicated CPU cores
docker run -d --name compute_engine --cpus="2" nginx

# Restrict CPU usage to 25% of a single core
docker run -d --name micro_service --cpus=".25" nginx

Data Persistence Strategies

Docker offers three primary methods for mounting data from the host:

1. Volumes: Managed by Docker within /var/lib/docker/volumes. This is the preferred method for persistent data.
2. Bind Mounts: Maps any file or directory on the host to the container.
3. tmpfs: Stores data in host memory only, preventing persistence to the host filesystem and improving write performance for temporary data.

Volume Management Example:

# Create and manage a volume
docker volume create app_data
docker run -d --name db_instance --mount source=app_data,target=/var/lib/postgresql/data postgres

# Cleanup
docker stop db_instance && docker rm db_instance
docker volume rm app_data

Bind Mount Example:

# Mount a local source directory into the container
docker run -d --name web_dev --mount type=bind,source=/local/codebase,target=/usr/share/nginx/html nginx

Note: Bind mounts require the source path to exist on the host. Mounting to a non-empty directory in the container will obscure the existing files.

Networking Modes

• Bridge: The default mode (--net=bridge). Containers connect to a private bridge network (docker0).
• Host: (--net=host). The container shares the host's network namespace, removing network isolation.
• None: (--net=none). Provides a network namespace without any network configuration.
• Container: (--net=container:ID). Shares the network namespace with another specified container.
• Custom Networks: Bridge networks with built-in DNS resolution, allowing containers to communicate by name.

Custom Network Configuration:

# Establish a custom network for service discovery
docker network create dev_environment

# Deploy containers within the network
docker run -d --name client_a --network dev_environment busybox sleep 3600
docker run -d --name client_b --network dev_environment busybox sleep 3600

# Verify connectivity using container names
docker exec -it client_a ping -c 2 client_b

Building Images

The docker build command creates images from source.

# Build from the current directory
docker build -t my-org/application:latest .

# Build with a specific Dockerfile location
docker build -f ./docker/Dockerfile.prod -t my-org/application:prod /path/to/src

# Build from a remote URL
docker build -t my-org/application http://example.com/context/Dockerfile