_____ ___ ___ _____     ___     ___ ___   
 |     |  _|  _| __  |_ _|   |_ _|   |_  |  
 |  |  |  _|  _| __ -| | | | |_'_| | |_| |_ 
 |_____|_| |_| |_____|_  |___|_,_|___|_____|

Docker 102 - Architecture

A quick guide to docker architecture

Client-Server Architecture

Docker uses a client-server architecture. The client interacts with the docker daemon (dockerd) using a REST-based API. Dockerd then manages docker objects and services such as volumes, networks, images, and (of course) containers.

Whenever we run a command with the docker client (docker), a corresponding request will be issued to dockerd. It is possible to use the REST API directly; there are docker packages for Python, Go, NodeJS and more.

Images & Registries:

When a container is created, it is based on an image; images act as templates for docker containers. An image is essentially a package that includes everything needed to run some targeted application. Images can be based on other images. For example, you might have a java base image that you use to create a spring-boot image.

Docker doesn’t come with any images by default. If a local copy of a given image does not already exist on the server, it will need to be pulled down from a registry.

By default docker is set up to use Docker Hub, which is a public registry where you can save your own images, as well as use images shared by others. There are a few other options for container registries, such as AWS ECR, Azure (A)CR, JFrog CCR, and Quay Cloud, to name a few.

You can of course also build your own images; you can do this with a Dockerfile.


You can think of containers as runnable, impermanent read-write instances of images, and of images as a read-only collection of layers. Each change made to a container creates a new layer. However, these changes will not be saved unless an image of the new container state (base image + new layers) is created. In other words, writable layers are deleted when the container is deleted.

Not to fear - images aren’t the only way to prevent loss of data: you can connect networks and/or attach storage (host or remote), ensuring important data isn’t lost. For example, GitLab runners often save build artifacts to the host.

A Note on Security

Whilst containers are fairly well isolated from the host by default, you should look into SELinux and AppArmor, especially if running any sensitive or internet-facing applications.
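
One way to check this on a running host, as an added example that is not part of the original guide: the Python below reads `docker inspect` JSON and flags containers that run without AppArmor or SELinux confinement. The sample JSON is constructed, and the function names and finding labels are this example's own.

```python
import json
import re

# Constructed sample shaped like `docker inspect <container>...` output.
SAMPLE_INSPECT = """[
 {"Name": "/web", "AppArmorProfile": "docker-default", "ProcessLabel": "",
  "HostConfig": {"Privileged": false, "SecurityOpt": null}},
 {"Name": "/db", "AppArmorProfile": "",
  "ProcessLabel": "system_u:system_r:container_t:s0:c12,c34",
  "HostConfig": {"Privileged": false, "SecurityOpt": ["no-new-privileges"]}},
 {"Name": "/ci-runner", "AppArmorProfile": "unconfined", "ProcessLabel": "",
  "HostConfig": {"Privileged": false, "SecurityOpt": ["apparmor=unconfined"]}},
 {"Name": "/legacy", "AppArmorProfile": "", "ProcessLabel": "",
  "HostConfig": {"Privileged": true, "SecurityOpt": ["label:disable"]}}
]"""


def audit_container(c):
    """Return findings about weakened AppArmor/SELinux confinement."""
    findings = []
    host_cfg = c.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        findings.append("privileged")
    # SecurityOpt is null when unset; older entries use ':' instead of '='.
    for opt in host_cfg.get("SecurityOpt") or []:
        parts = re.split(r"[=:]", opt, maxsplit=1)
        value = parts[1] if len(parts) > 1 else ""
        if (parts[0], value) in {("apparmor", "unconfined"), ("label", "disable")}:
            findings.append(f"opt-out:{opt}")
    # Empty profile AND empty SELinux label: neither mechanism confines it.
    profile = c.get("AppArmorProfile") or ""
    label = c.get("ProcessLabel") or ""
    if profile in ("", "unconfined") and not label:
        findings.append("no-mac-confinement")
    return findings


def audit(inspect_json):
    """Map container name -> findings, only for containers with findings."""
    report = {}
    for c in json.loads(inspect_json):
        findings = audit_container(c)
        if findings:
            report[c.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

To run it against real containers, pass the output of `docker inspect $(docker ps -q)` to `audit()` in place of the sample.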