Docker Architecture & Internals
Docker Architecture — Client, Daemon, Registry
Understand the components that make up the Docker platform.
Interview: A primary topic in DevOps and Infrastructure interviews to gauge your understanding of Docker's client-server communication, Unix sockets, and system-level security limits.
Introduction
When you run a command like docker run, it feels like Docker executes the container directly inside your terminal. In reality, the docker command is simply a command-line client communicating with a background engine.
Docker is built on a client-server architecture. The client makes REST API calls to the server daemon, which takes care of building, running, and distributing your containers.
Why It Matters
Understanding this architecture is essential for configuring remote Docker hosts, debugging connection failures (e.g., "Cannot connect to the Docker daemon"), and avoiding critical security vulnerabilities associated with daemon Unix socket access.
The Three Core Components
Docker's workflow relies on three primary building blocks:
- The Docker Client (
docker): The CLI tool that users interact with. When you typedocker buildordocker run, the client parses the command and translates it into standard HTTP REST API requests. - The Docker Daemon (
dockerd): The persistent server running in the background. It listens for API requests and manages Docker objects, including images, containers, networks, and storage volumes. - The Docker Registry (e.g., Docker Hub): A remote storage service holding image binaries. The daemon automatically interacts with registries to download (
pull) or upload (push) images.
Client-Daemon Communication channels
The client and daemon communicate using one of three socket types:
• Unix Sockets (Default on Linux): Located at /var/run/docker.sock. This is a secure local communications channel. By default, it requires root or docker group permissions to access.
• Systemd Sockets: Managed via systemd service configuration endpoints.
• TCP Sockets: Allows remote control over a network. By default, TCP sockets run unencrypted on port 2375, or secured with TLS mutual authentication on port 2376.
Practical Example
Since the Docker client communicates via REST APIs, we can bypass the docker CLI completely and query the daemon directly using curl over the local Unix socket:
What just happened? We made a raw HTTP request directly to the Docker daemon API over the Unix socket. This demonstrates that the docker CLI is just a thin wrapper sending REST calls.
Quick Quiz
Q1: Which component is responsible for managing container lifecycles, storage, and networking on a host?
A) The Docker Client
B) The Docker Registry
C) The Docker Daemon (dockerd)
D) The REST API Wrapper
Answer: C — The daemon is the background service that manages host containers and configurations.
Scenario-Based Challenge
Production Scenario:
You are setting up a monitoring container (like Portainer or Prometheus) that needs to display running host containers. The configuration recommends mounting the host's /var/run/docker.sock into the container. What security risks does this introduce, and how can you mitigate them?
Risk: Mounting the Docker socket gives the container complete root access over the host. A compromised container can use the socket to run arbitrary privileged containers, read host files, or gain a root shell on the host machine (privilege escalation).
Mitigation:
1. If possible, avoid socket mounting. Use read-only API proxies (like docker-socket-proxy) which restrict access to safe endpoints (e.g., allow GET containers, block POST/DELETE).
2. Run the Docker daemon in **Rootless Mode**, limiting the daemon's host capabilities if compromised.
Interview Questions
1. What does the error message "Cannot connect to the Docker daemon" indicate?
It means the Docker client CLI cannot locate or communicate with the daemon socket. This happens if the dockerd process is stopped, if the user running the command lacks read/write permissions to /var/run/docker.sock, or if the DOCKER_HOST environment variable points to an invalid remote endpoint.
2. Can you run Docker containers without the docker CLI client?
Yes. You can interact with the daemon directly using API tools like curl, utilize language-specific SDKs (e.g., Docker Java/Go SDK), or use alternative high-level runtime CLI clients like crictl and nerdctl.
Production Considerations
In production environments, never expose the TCP socket (port 2375) to the public internet without mutual TLS authentication. An exposed Docker socket is equivalent to passwordless root SSH. Restrict access to local sockets using Linux file permissions, and monitor API calls to look for unauthorized container deployments.