Chapter Three

Running Containers

An image is inert until you run it. This chapter is the runtime half of the model: the state machine a container moves through, the dozen docker run flags that matter, why your process is PID 1 and what that does to docker stop, the three ways back into a running container, restart policies and the exit codes that drive them, CPU and memory limits and the OOM kill, and where per-environment configuration comes from. You run the Driftwood web container by hand here, before any Dockerfile or Compose exists.

7 topics

Most confusion about Docker comes from not knowing what state a container is in. A container is not simply on or off — it moves through created, running, paused, and exited before it is finally removed, and a stopped container still exists, still holds its writable layer, and can be started again. This chapter makes that state machine explicit, then walks the runtime controls layered on top of it: the flags that shape a single docker run, the signal contract that decides whether a shutdown is clean or a yanked plug, and the cgroup limits that keep one container from taking down the host.

The running example becomes hands-on here. You start the Driftwood web container yourself — detached, named, with its logs followed and a memory limit set — and watch what happens when it crashes, when it leaks memory, and when you stop it. Everything in this chapter runs one container at a time on one host; when you need a replica count, rescheduling onto another node, or a failed host replaced, you have crossed into orchestration, which is Kubernetes territory (Chapter 12).

Topics in This Chapter

Topic 13
The Container Lifecycle
The five states — created, running, paused, exited, removed — and the commands that transition between them. Why a stopped container still exists, what docker start reuses, and what --rm saves you from.
Lifecycle, State
Topic 14
The Anatomy of docker run
The command you type most. Detached vs foreground, naming and identity, the -it pair, publishing ports and wiring mounts and environment, and how everything after the image overrides what it runs.
CLI, Run
Topic 15
Processes, PID 1, and Signals
Why your process is PID 1 and the kernel treats it specially. Shell form vs exec form and which one delivers SIGTERM, why docker stop waits 10 seconds then SIGKILLs, zombie reaping, and what --init fixes.
Signals, Footgun
Topic 16
exec, attach, and logs
Three ways back into a running container, and how people reach for the wrong one. logs reads the main process, exec starts a new one, attach reconnects to PID 1 — and how Ctrl-C kills a container.
Debug, I/O
Topic 17
Restart Policies and Exit Codes
What the exit code tells you — 137 is a SIGKILL or OOM, 143 a clean SIGTERM — and the four restart policies. The always vs unless-stopped distinction, and why a policy can't recover a hung process.
Resilience, Exit codes
Topic 18
Resource Limits — CPU, Memory, OOM
By default a container can use the whole host. The asymmetry that bites: exceeding --memory gets you OOM-killed, exceeding --cpus only throttles. Reservations vs limits, and the cgroup-aware runtime trap.
Cgroups, Limits
Topic 19
Environment and Configuration
One image, many environments — configuration is passed in, never baked in. Env vars vs mounted config files, the ENV vs -e precedence, and why environment variables are the wrong place for secrets.
Config, Env