Docker 102 - Architecture
A quick guide to docker architecture
Docker uses a client-server architecture. The client interacts with the docker daemon (dockerd) using a REST based api. Dockerd then manages docker objects and services such as; volumes, networks, images, and (of course) containers.
Whenever we run a command with the docker client (docker), a corresponding request will be issued to dockerd. It is possible to use the REST API directly; there are docker packages for
NodeJS and more.
Images & Registeries:
When a container is created, it is based off an image; images act as templates for docker containers. An image is essentially a package that includes everything needed to run some targeted application. Images can be based of other images. For example you might have a
java base image that you use to create a
Docker doesn’t come with any images by default. If a local copy of a given image does not already exist on the server it will need to pull it down from a registery.
By default docker is setup to use Docker Hub which is a public registory where you can save your own images, as well as use images shared by others. There a few other options for container registories such as; AWS ECR, Azure (A)CR, Jfrog CCR, and Quay Cloud to name a few.
You can of course also build your own images, you can do this with a dockerfile.
You can think of containers as runnable impermanent read-write instances of images, and of images as a read-only collection of layers. Each change made to an container creates a new layer. However, these changes will not be saved unless an image of the new container state (base image + new layers) is created. In other words, writable layers are deleted when the container is deleted.
Not to fear - images aren’t the only way to prevent loss of data: you can connect networks and/or attach storage (host or remote), ensuring important data isn’t lost. For example, gitlab runners often save build artifacts to the host.
A Note on Security
Whilst containers are fairly well isolated from the host by default, you should look into
AppArmour, especially if running any sensitive or internet facing applications.