Anatomy of the Engine
What Happens When You Type docker run
docker the command is just a client. The real work happens in a chain of daemons:
docker CLI ──REST /var/run/docker.sock──▶ dockerd ──▶ containerd ──▶ runc
(client) (API, (container (creates the
images, lifecycle) namespaces/
networks) cgroups, exits)
- dockerd - the Docker daemon: API server, image builds, networks, volumes
- containerd - manages container lifecycle; also used directly by Kubernetes
- runc - the OCI runtime that actually creates the isolated process, then exits (your container is NOT running "inside" anything - it's a normal process, visible in the host's
ps)
Note: This layering is why the OCI standards matter: images and runtimes are interchangeable. The image you build with Docker runs on Kubernetes, Podman, or any OCI runtime unchanged.
Danger: The client talks to dockerd over /var/run/docker.sock, and dockerd runs as root. Access to that socket = root on the machine. This one fact drives half of Docker security practice.