
Docker containerization on Linux
Originally, Docker Engine was developed primarily for the Linux OS, which provides the following kernel features for the Docker runtime:
- Kernel namespaces: This is the core concept for containers and makes it possible to create isolated process workspaces. Namespaces partition kernel resources (such as network stacks, mount points, process ID tables, and so on) so that each process workspace sees its own set of resources, which processes in other workspaces cannot access. This is what ensures the isolation of containers.
- Control groups: Resource usage limits and resource isolation are the second core concept in containerization. On Linux, this feature is provided by cgroups, which enable resource limiting (CPU usage, RAM usage, and so on) and prioritized access to resources for one process or a group of processes.
- Layer filesystem capabilities: On Linux, UnionFS is one of the many implementations of union mount – a file system service that allows files and directories coming from separate filesystems to be unified into one transparent, coherent filesystem. This feature is crucial for Docker container images that consist of immutable layers. During the container runtime, the read-only layers are transparently overlaid together with a writable container layer.
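The three kernel features above can be observed and reasoned about directly. The following Python script is an added illustration and is not code from the book: it reads a process's namespace identities from `/proc/<pid>/ns/*` so two processes can be compared (a container that shares the host's `net` or `pid` namespace is not isolated in that dimension, which is the kind of check a reviewer runs against `--net=host`/`--pid=host` deployments), parses cgroup v2 `cpu.max` and `memory.max` values into limits, and resolves a file path through a stack of image layers the way a union mount does. The `/proc` and `/sys/fs/cgroup` paths and the cgroup v2 file formats are assumptions about the host; the `.wh.` whiteout convention is the one used in Docker image layer tarballs. The parsing and layer-resolution functions take constructed input and therefore run on any platform.

```python
"""Inspect the Linux building blocks behind a container: namespaces, cgroups (v2)
and a union/overlay view of image layers.  Added illustration, not the book's code.
Assumptions: /proc/<pid>/ns/* symlinks, cgroup v2 files under /sys/fs/cgroup,
and '.wh.<name>' whiteout entries as used in Docker image layers."""
import os
import re
from typing import Dict, List, Optional

NS_KINDS = ("mnt", "pid", "net", "uts", "ipc", "user", "cgroup")
_NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(link: str) -> Optional[int]:
    """'net:[4026531840]' -> 4026531840; None for malformed input."""
    m = _NS_LINK.match(link.strip())
    return int(m.group("inode")) if m else None


def namespaces_of(pid: int) -> Dict[str, int]:
    """Namespace inode per kind for a PID we are allowed to inspect.
    Returns {} on non-Linux hosts or when /proc denies access."""
    result: Dict[str, int] = {}
    for kind in NS_KINDS:
        try:
            inode = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except OSError:
            continue
        if inode is not None:
            result[kind] = inode
    return result


def self_namespaces() -> Dict[str, int]:
    """Namespaces of the current process (used by the usage section below)."""
    return namespaces_of(os.getpid())


def shared_namespaces(a: Dict[str, int], b: Dict[str, int]) -> List[str]:
    """Namespace kinds two processes have in common.  Equal inodes mean the
    same namespace: a container sharing 'net' or 'pid' with PID 1 is not
    isolated from the host in that dimension."""
    return sorted(k for k in a if k in b and a[k] == b[k])


def parse_cpu_max(value: str) -> Optional[float]:
    """cgroup v2 cpu.max: '50000 100000' -> 0.5 CPUs; 'max 100000' -> None."""
    quota, period = value.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_memory_max(value: str) -> Optional[int]:
    """cgroup v2 memory.max: limit in bytes, or None for 'max' (unlimited)."""
    value = value.strip()
    return None if value == "max" else int(value)


WHITEOUT = ".wh."  # Docker layer tarballs record a deletion as '<dir>/.wh.<name>'


def resolve_union(layers: List[Dict[str, str]], path: str) -> Optional[str]:
    """Resolve 'path' through image layers ordered bottom -> top as a union
    mount does: the topmost layer containing the file wins, and a whiteout in
    a higher layer hides the file from every layer beneath it."""
    directory, _, name = path.rpartition("/")
    whiteout = f"{directory}/{WHITEOUT}{name}"
    for layer in reversed(layers):
        if path in layer:
            return layer[path]
        if whiteout in layer:
            return None
    return None


if __name__ == "__main__":
    # Live view of this process versus PID 1 (empty on non-Linux hosts).
    me, init = self_namespaces(), namespaces_of(1)
    print("own namespaces:", me)
    print("shared with PID 1:", shared_namespaces(me, init))
    for fname, parser in (("cpu.max", parse_cpu_max), ("memory.max", parse_memory_max)):
        try:
            with open(f"/sys/fs/cgroup/{fname}") as fh:  # assumed cgroup v2 layout
                print(fname, "->", parser(fh.read()))
        except OSError:
            print(fname, "not readable here")
```

Run inside a container to see which namespaces it still shares with the host's PID 1 (normally none when inspected from inside, since PID 1 there is the container's own init) and what CPU and memory ceilings its cgroup imposes; run the same on the host to compare a container's PID against the host's.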
Docker Engine is responsible for providing a basic runtime for containers, abstracting container management, and exposing functionalities using the REST API to the client layer, such as the Docker CLI. The architecture of Docker on Linux can be summarized with the following diagram:
From a Linux OS perspective, the container runtime architecture is presented in the following diagram. This architecture applies to container engines on Linux in general, not only Docker:
Next, we will look at Docker containerization on Windows.