Chapter Twelve

The Ecosystem

Docker is one implementation of an open standard, not the standard itself. This closing chapter names the OCI specs that make your images portable, looks under the daemon at containerd and runc, surveys the daemonless and multi-host alternatives, draws the single-host boundary the whole book has held, and hands off to Kubernetes — then assembles every chapter into one production pipeline for Driftwood.

6 topics

Everything so far has been about making one container right on one machine. This chapter zooms out. The portability you have relied on since Chapter 2 — that the same image runs under Docker, Podman, containerd, and Kubernetes — is not a Docker feature; it is the Open Container Initiative standard, and naming it explains why "build once, run anywhere" was ever true. Under the docker command sit containerd and runc, the components Kubernetes talks to directly, and around Docker sit the daemonless and multi-host alternatives that read the identical OCI image.

The chapter ends where the book ends: the single-host line. Docker builds and runs containers on one host; Kubernetes orchestrates them across many. When Driftwood outgrows one machine, the job changes shape, and this course hands off to the sibling Kubernetes Deep Dive — which consumes, unchanged, the exact image this book taught you to build. The final topic walks that whole pipeline end to end as one workflow, so the separate lessons become a single path from source to a hardened running container.

Topics in This Chapter

Topic 72
The OCI Standard
The three OCI specs — image, runtime, distribution — that make your image run under any compliant tool and push to any compliant registry. Why "Docker images" are really OCI images, and why portability is a standard, not a vendor.
Tags: Standard, OCI
Topic 73
containerd and runc Under the Hood
What is left when you remove dockerd: containerd manages images and lifecycle, runc performs the namespace and cgroup syscalls and then exits, and a shim keeps containers alive across daemon restarts. This is the layer Kubernetes talks to, and the point where you swap in a stronger sandbox.
Tags: Runtime, Daemon
Topic 74
Podman and Buildah
The daemonless, rootless-by-default alternative. Each podman run forks the container as a child of your shell, Buildah builds and skopeo moves images, and Quadlet runs containers as systemd services — the same OCI images, no root-owned socket.
Tags: Tooling, Rootless
Topic 75
Docker Swarm
Docker's built-in multi-host orchestrator: services, overlay networks, and secrets from the same CLI, with no extra install. Simpler than Kubernetes and largely superseded by it — and an honest take on when that simplicity is the right call versus a dead end.
Tags: Orchestration, Multi-host
Topic 76
When You Outgrow a Single Host → Kubernetes
The boundary the whole book has held, now crossed and named. Docker builds and runs on one host; Kubernetes orchestrates across many. What one host cannot give you, why Kubernetes runs the same image unchanged, and where this course hands off to its sibling.
Tags: Boundary, Kubernetes
Topic 77
The Production Container Workflow
The capstone. Every chapter assembled into one pipeline for Driftwood: multi-stage build, scan, sign, version tag, multi-arch push to the private registry, and a hardened run with limits and logging — ending at the line where Kubernetes takes over.
Tags: Capstone, Pipeline