Chapter One

Foundations

What a container actually is — a process the kernel has fenced off, not a small machine. Why containers beat the "works on my machine" problem, how they differ from virtual machines, the namespaces and cgroups that make them work, the image-versus-container distinction the whole book turns on, the architecture under the docker command, and your first running container.

6 topics

Docker is a small idea wrapped in a lot of vocabulary. The idea: a container is an ordinary process the kernel has been told to isolate, and an image is the read-only artifact you build it from. Everything else in this course — Dockerfiles, networking, volumes, Compose — is detail in service of that one distinction.

This chapter builds the mental model before you run anything in anger. What containers solve and why hand-installed environments rot, how a container differs from a virtual machine, the two kernel features that make isolation possible, the difference between an image and a container, the client-daemon-runtime chain under the docker command, and the first container you run on your own host. The rest of the course assumes these six pages.

Topics in This Chapter

Why Containers Exist

Packaging an app with its runtime, libraries, and file layout as one image. The "works on my machine" problem, the image as a single promotable artifact, and the cattle-not-pets disposability model.

ConceptContainers

Containers vs Virtual Machines

Shared host kernel versus a booted guest kernel — the one difference that explains size, startup time, and isolation strength. When a VM is still the right call, and why Docker Desktop hides one.

ConceptIsolation

Namespaces and cgroups

The two kernel features that make a container. Namespaces control what a process can see; cgroups control what it can use. Why the app is PID 1 inside but a high PID on the host.

KernelIsolation

Images vs Containers

The distinction the whole book turns on. An image is the immutable build artifact; a container is a running instance with a thin writable layer. Class versus instance, and why data dies with the container.

The Docker Architecture

The CLI, the daemon, containerd, and runc — who does what in the chain. Why Docker needs a running service, why the daemon socket is root-equivalent, and what "Kubernetes deprecated Docker" really meant.

ArchitectureDaemon

Installing Docker and Your First Container

Docker Engine on Linux versus Docker Desktop's hidden VM. What docker run hello-world exercises end to end, an interactive shell that makes isolation visible, and why the docker group equals root.