Understand docker visually

An isolated execution unit that shares the host kernel

A container is a way to package an application and its runtime dependencies into an isolated execution unit. It looks like a small server from the outside, but internally it runs as isolated processes that share the host kernel.

The Linux kernel mechanisms that create container isolation

Linux namespaces and cgroups are the kernel features that make containers work. Namespaces decide what a process can see, and cgroups decide how much of the machine it can consume.

An immutable bundle of files and defaults for running a container

A Docker image is the immutable package that contains the filesystem and defaults needed to start a container. A running container is an execution instance built from that image plus a small writable layer.

The unit that accumulates image changes and enables build cache reuse

Image layers explain how Docker accumulates filesystem changes and reuses previous build results. Cache is the mechanism that keeps unchanged steps from being repeated.

A Dockerfile pattern that separates build stages from runtime stages

Multi-stage build is the Dockerfile pattern that separates build environments from runtime environments. Early stages can compile and test, while the final stage keeps only the runtime artifacts.

The specification file for building container images

A Dockerfile is the text-based build specification for a container image. It declares the base image, file copies, dependency installation, build steps, and startup command in order. `docker build` reads that file and turns each step into image layers.

A platform for storing and distributing container images

A container registry is the central storage and distribution point for container images. It plays a role similar to a source code host, except the artifact is a built image rather than source files. Teams push images after build and pull them wherever they need to run.

The storage mechanism for keeping container data persistent

A Docker volume keeps data alive independently from the container lifecycle. By default, writes go into the container's writable layer, which disappears when the container is removed. Volumes move important data outside that disposable layer.

The virtual networking layer for container communication and isolation

Docker networking is the virtual networking layer that determines how containers talk to each other and to the outside world. Each container starts in an isolated network namespace, and Docker networks selectively reconnect the communication paths it needs.

The tool for declaring multiple container services in one file

Docker Compose is the tool for defining and running multiple container services from one `compose.yml` file. It acts as a lightweight orchestration layer for application stacks rather than single containers.

The execution layer that turns images into isolated running processes

The container runtime is the execution layer that turns an image into real running processes. Behind `docker run`, the Docker daemon receives the request, containerd manages container lifecycle, and runc performs the final process launch. Users see one command, but the runtime is a chain of components with different responsibilities.

The mechanism for checking whether an app inside a container is truly working

A health check is the mechanism that periodically verifies whether the application inside a container is actually functioning. Docker can tell whether the main process is still alive, but that is not the same as knowing whether the app can still serve real traffic.