Core Docker Operations: Images, Containers, and Runtime Management
Docker is a platform for developing, shipping, and running applications inside lightweight, isolated environments called containers. Built on Linux kernel primitives—primarily namespaces and cgroups—it enables process-level isolation without the overhead of full virtualization.
Key Architectural Foundations
Docker leverages two core Linux kernel features:
- Namespaces: Provide isolation boundaries across six domains:
  - pid: Isolates process IDs
  - net: Separates network interfaces, routing tables, and ports
  - mnt: Encapsulates mount points and filesystem views
  - ipc: Segregates inter-process communication resources (e.g., message queues)
  - uts: Insulates hostname and domain name
  - user: Maps host UIDs/GIDs to container-local identities
- Cgroups (Control Groups): Enforce resource constraints—CPU shares, memory limits, I/O bandwidth—on containerized workloads.
Core Abstractions
Images
An image is an immutable, layered filesystem snapshot that defines how a container should execute. It includes application binaries, dependencies, configuration, and metadata. Images are built from Dockerfiles or committed from running containers and stored in registries.
Containers
A container is a runnable instance of an image. Each runs as an isolated process tree under the host OS kernel, with its own network stack, filesystem view, and process namespace—but no guest OS.
Registries
Centralized repositories for storing and distributing images. Public options include Docker Hub; private alternatives include Harbor, Amazon ECR, and Alibaba Cloud Container Registry (ACR).
Installation (CentOS 7 Example)
Disable conflicting services and SELinux:
sudo systemctl disable --now firewalld
sudo setenforce 0
sudo sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
Configure Aliyun package mirrors:
cd /etc/yum.repos.d
sudo mv local.repo repo.bak
sudo curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
Install prerequisites and Docker CE:
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sudo yum install -y docker-ce docker-ce-cli containerd.io
sudo systemctl enable --now docker
Image Lifecycle Management
Search and pull:
docker search redis
docker pull redis:7.2-alpine
docker pull nginx:1.25
List and inspect:
docker images --format "table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.CreatedAt}}"
docker inspect redis:7.2-alpine | jq '.[0].RootFS.Layers'
Tag and export:
docker tag redis:7.2-alpine myregistry.example.com/app/redis:stable
docker save -o /tmp/redis-stable.tar redis:7.2-alpine
Import and load:
docker load -i /tmp/redis-stable.tar
cat /tmp/nginx-exported.tar | docker import - nginx:imported
Push to registry:
docker login registry.cn-hangzhou.aliyuncs.com
docker tag nginx:1.25 registry.cn-hangzhou.aliyuncs.com/myteam/nginx:prod
docker push registry.cn-hangzhou.aliyuncs.com/myteam/nginx:prod
Container Orchestration Basics
Create and run:
docker create --name db-redis -p 6379:6379 -d redis:7.2-alpine
docker start db-redis
Or launch directly with run:
docker run -d --name web-nginx -p 8080:80 -v /var/www:/usr/share/nginx/html nginx:1.25
Interact and debug:
docker exec -it web-nginx sh
docker logs -f web-nginx
docker cp ./config.conf web-nginx:/etc/nginx/conf.d/default.conf
Manage state:
docker stop web-nginx
docker rm web-nginx
docker rm $(docker ps -aq --filter "status=exited") -f
Runtime Behavior Notes
Containers remain active only while their PID 1 process is alive. If the main process exits, the container terminates—even if background tasks continue. To keep a container running without foreground activity, use:
docker run -d alpine tail -f /dev/null
The docker run workflow internally performs these steps:
- Verifies presence of requested image locally; pulls if missing
- Mounts overlay2 layers: read-only image layers + writable top layer
- Attaches virtual network interface via docker0 bridge
- Assigns IPv4 address from default subnet (172.17.0.0/16)
- Executes entrypoint/command, binding stdout/stderr to logging driver
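To see what that workflow leaves behind on a live container, here is an added Python example (not part of the original page) that parses a constructed `docker inspect` document shaped like the output for the `db-redis` container above, with made-up IDs and paths, and reports the PID 1 state, the overlay2 read-only/writable layer split, the bridge address, and the host exposure created by `-p` and `-v`.

```python
import ipaddress
import json

# Constructed sample: a trimmed `docker inspect db-redis` document, shaped like the
# real output but with made-up IDs and paths. Not captured from a live host.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/db-redis",
    "State": {"Status": "running", "Running": True, "Pid": 4242},
    "Config": {"Image": "redis:7.2-alpine"},
    "GraphDriver": {"Name": "overlay2", "Data": {
        "LowerDir": "/var/lib/docker/overlay2/aaa/diff:/var/lib/docker/overlay2/bbb/diff",
        "UpperDir": "/var/lib/docker/overlay2/ccc/diff"}},
    "NetworkSettings": {
        "Ports": {"6379/tcp": [{"HostIp": "0.0.0.0", "HostPort": "6379"}]},
        "Networks": {"bridge": {"IPAddress": "172.17.0.2", "Gateway": "172.17.0.1"}}},
    "Mounts": [{"Type": "bind", "Source": "/var/www", "Destination": "/data", "RW": True}],
}])

DEFAULT_BRIDGE = ipaddress.ip_network("172.17.0.0/16")

def audit_container(inspect_json):
    """Summarise what `docker run` set up for one container, from its inspect output."""
    c = json.loads(inspect_json)[0]
    report = {"name": c["Name"].lstrip("/"), "findings": []}
    # the container lives exactly as long as PID 1 inside it does
    state = c["State"]
    report["pid1_alive"] = bool(state["Running"] and state["Pid"] > 0)
    # overlay2: N read-only lower layers plus exactly one writable upper layer
    data = c["GraphDriver"]["Data"]
    report["ro_layers"] = len(data["LowerDir"].split(":"))
    report["rw_layer"] = data["UpperDir"]
    # network namespace: veth on docker0, address taken from the default bridge subnet
    ip = ipaddress.ip_address(c["NetworkSettings"]["Networks"]["bridge"]["IPAddress"])
    report["ip"] = str(ip)
    report["on_default_bridge"] = ip in DEFAULT_BRIDGE
    # -p HOST:CONTAINER without an explicit address binds on every host interface
    for cport, bindings in (c["NetworkSettings"].get("Ports") or {}).items():
        for b in bindings or []:
            if b["HostIp"] in ("0.0.0.0", "::"):
                report["findings"].append(f"{cport} published on all interfaces ({b['HostIp']}:{b['HostPort']})")
    # -v HOST:CONTAINER bind mounts give the container write access to host paths
    for m in c.get("Mounts", []):
        if m["Type"] == "bind" and m.get("RW"):
            report["findings"].append(f"writable bind mount of host path {m['Source']} at {m['Destination']}")
    return report

if __name__ == "__main__":
    print(json.dumps(audit_container(SAMPLE_INSPECT), indent=2))
```

On a real host, feed it the output of `docker inspect <name>` instead of the constructed sample; the two findings it raises for this sample are the direct consequences of the `-p 6379:6379` and `-v` flags used earlier on the page.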