# Docker
The industry-standard container engine that packages applications and dependencies into portable, isolated OCI-compliant containers.
## Overview
Docker is the de facto containerization platform that introduced the modern container workflow to the software industry. It provides tools to build, ship, and run applications inside lightweight, portable containers. Docker Engine is the core runtime; Docker Desktop provides the developer experience layer on macOS, Windows, and Linux.
## Repository & Community
| Attribute | Detail |
|---|---|
| Repository | github.com/moby/moby (Moby Project) |
| Stars | ~70k+ ⭐ |
| Latest Version | Engine v29.4.0 (April 7, 2026) |
| Language | Go |
| License | Apache 2.0 (Engine/Moby), Proprietary (Desktop for >250 employees) |
| Company | Docker, Inc. |
## Evaluation
- Why it's better: Pioneered the container workflow. Massive ecosystem (Docker Hub: 15M+ images). OCI-standard images work everywhere. BuildKit provides the fastest build pipeline. Docker Compose simplifies multi-container development.
- When it fits (Applicability):
  - Local development and testing
  - CI/CD build pipelines (image building)
  - Single-host container deployment
  - Application packaging and distribution
  - Microservices development workflow
- Pros and Cons:

| Pros | Cons |
|---|---|
| Ubiquitous — every developer knows it | Desktop license costs for large enterprises |
| Massive image ecosystem (Docker Hub) | Not an orchestrator (needs K8s/Swarm) |
| OCI-standard, portable containers | Docker Swarm deprecated in favour of K8s |
| BuildKit: fast, cacheable builds | daemonful architecture (rootful by default) |
| Docker Compose for local multi-service | Alternatives exist (Podman, nerdctl) |
| Excellent documentation | Security: root daemon attack surface |
## Architecture
```mermaid
flowchart TB
    subgraph Client["Docker Client"]
        CLI["docker CLI"]
        Compose["Docker Compose"]
        API_C["Docker API\n(REST)"]
    end
    subgraph Daemon["Docker Daemon (dockerd)"]
        direction TB
        ImgMgmt["Image Management"]
        NetMgmt["Network Management\n(bridge, overlay, host)"]
        VolMgmt["Volume Management"]
        BuildKit_D["BuildKit\n(image builds)"]
    end
    subgraph Runtime["Container Runtime Stack"]
        Containerd["containerd\n(high-level runtime)"]
        Shim["containerd-shim\n(per-container)"]
        RunC["runc\n(OCI low-level runtime)"]
    end
    subgraph Kernel["Linux Kernel"]
        NS["Namespaces\n(pid, net, mnt, uts, ipc, user)"]
        CG["cgroups\n(CPU, memory, I/O limits)"]
        UFS["Union FS\n(overlay2)"]
    end
    CLI -->|"REST API"| Daemon
    Compose -->|"REST API"| Daemon
    Daemon -->|"gRPC"| Containerd
    Containerd -->|"exec"| Shim
    Shim -->|"exec"| RunC
    RunC -->|"syscalls"| Kernel
    style Daemon fill:#0db7ed,color:#fff
    style Runtime fill:#1565c0,color:#fff
```
## Key Features
| Feature | Detail |
|---|---|
| Container Engine | Build, run, stop, remove containers |
| Image Building | Dockerfile + BuildKit (multi-stage, cache mounts) |
| Docker Compose | YAML-based multi-service orchestration |
| Docker Hub | Public registry with 15M+ images |
| Networking | bridge, host, overlay, macvlan, ipvlan |
| Volumes | Named volumes, bind mounts, tmpfs |
| BuildKit | Parallel builds, cache exports, multi-platform |
| Docker Scout | Supply chain security, SBOM, CVE scanning |
| Docker Init | Auto-generate Dockerfiles for projects |
| Wasm Support | Experimental WebAssembly container runtime |
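Docker Scout's "SBOM, CVE scanning" row (and the Scout vs Trivia/Grype comparison in the questions at the end of this page) comes down to one mechanism: match the components of an image's SBOM against advisory records by package URL and version range. The script below is an added example written for this page, not Docker Scout's code. It runs a minimal matcher over a constructed CycloneDX-shaped SBOM and constructed advisories whose IDs (`CVE-0000-EXAMPLE-n`) are placeholders, not real CVEs. The version comparator is deliberately simplified to dotted numeric versions; real scanners apply ecosystem-specific comparators (dpkg, rpm, semver) and purl normalization, which is one reason detection rates differ between tools.

```python
"""Minimal SBOM-to-advisory matcher (added example, not Docker Scout's code).

Input 1: a CycloneDX-shaped SBOM, constructed inline, in the shape that
         `docker scout sbom` or `docker sbom` produce for an image.
Input 2: an advisory list, constructed inline, with placeholder IDs.
Output:  components whose version falls in an advisory's vulnerable
         range [introduced, fixed).
"""
import re

# Constructed SBOM: CycloneDX shape, invented contents.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.10",
         "purl": "pkg:deb/debian/openssl@3.0.10"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:deb/debian/zlib@1.2.13"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
}

# Constructed advisories. IDs are placeholders, not real CVE numbers.
# "introduced" = first vulnerable version, "fixed" = first safe version.
SAMPLE_ADVISORIES = [
    {"id": "CVE-0000-EXAMPLE-1", "purl_prefix": "pkg:deb/debian/openssl",
     "introduced": "3.0.0", "fixed": "3.0.11", "severity": "high"},
    {"id": "CVE-0000-EXAMPLE-2", "purl_prefix": "pkg:pypi/requests",
     "introduced": "0", "fixed": "2.31.0", "severity": "medium"},
    {"id": "CVE-0000-EXAMPLE-3", "purl_prefix": "pkg:deb/debian/zlib",
     "introduced": "1.2.0", "fixed": "1.2.12", "severity": "critical"},
]


def _parts(version):
    """Leading dotted-numeric part of a version as a list of ints.
    Simplification: '3.0.10-1~deb12u2' is read as 3.0.10; epochs, pre-release
    tags and distro revisions are what real dpkg/rpm comparators handle."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return [int(p) for p in m.group(0).split(".")] if m else [0]


def compare_versions(a, b):
    """Return -1, 0 or 1; pads so that '1.2' == '1.2.0'."""
    pa, pb = _parts(a), _parts(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return (compare_versions(version, introduced) >= 0
            and compare_versions(version, fixed) < 0)


def purl_prefix(purl):
    """'pkg:deb/debian/openssl@3.0.10?arch=amd64' -> 'pkg:deb/debian/openssl'.
    Drops the version, qualifiers ('?...') and subpath ('#...')."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def scan(sbom, advisories):
    """Match every SBOM component against every advisory; return findings."""
    matches = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl: skipped here; real scanners fall back to name/type heuristics
        prefix = purl_prefix(purl)
        for adv in advisories:
            if adv["purl_prefix"] == prefix and in_range(
                    comp["version"], adv["introduced"], adv["fixed"]):
                matches.append({"component": comp["name"], "version": comp["version"],
                                "id": adv["id"], "severity": adv["severity"],
                                "fixed_in": adv["fixed"]})
    return matches


if __name__ == "__main__":
    for m in scan(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{m['severity'].upper():8} {m['id']}  "
              f"{m['component']}@{m['version']}  fixed in {m['fixed_in']}")
```

On the constructed data only the openssl component is reported: `requests` sits exactly at its `fixed` version and `zlib` is past it, which is the boundary behaviour a scanner must get right to avoid both false positives and false negatives.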
## Pricing
| Tier | Cost | Notes |
|---|---|---|
| Docker Engine (Moby) | Free (Apache 2.0) | CLI + daemon, unlimited use |
| Docker Desktop — Personal | Free | <250 employees, <$10M revenue |
| Docker Desktop — Pro | $9/user/mo | CI/CD features, vulnerability scanning |
| Docker Desktop — Team | $15/user/mo | Centralized management, SSO |
| Docker Desktop — Business | $24/user/mo | SCIM, hardened desktop, air-gapped |
| Docker Hub | Free → $24/mo | Rate-limited (free), unlimited pulls (paid) |
## Compatibility
| Dimension | Support |
|---|---|
| Host OS | Linux (native), macOS, Windows (via VM) |
| Container runtime | containerd + runc (default), crun, Kata, gVisor |
| Image format | OCI Image Spec, Docker Image Manifest V2 |
| CPU architecture | amd64, arm64, arm/v7, s390x, ppc64le |
| Storage drivers | overlay2 (default), btrfs, zfs, fuse-overlayfs |
| Network modes | bridge, host, overlay, macvlan, ipvlan, none |
## Related Topics
## Sources
| Source | URL | Retrieved Via |
|---|---|---|
| Official Website | https://docker.com | Direct |
| Engine Docs | https://docs.docker.com/engine/ | Direct |
| Release Notes | https://docs.docker.com/engine/release-notes/ | Web Search |
| Moby Project | https://github.com/moby/moby | Direct |
| containerd | https://github.com/containerd/containerd | Direct |
| runc | https://github.com/opencontainers/runc | Direct |
| OCI Specs | https://opencontainers.org | Direct |
| Docker Hub | https://hub.docker.com | Direct |
| BuildKit | https://github.com/moby/buildkit | Direct |
| Compose Spec | https://compose-spec.io | Direct |
| Pricing | https://docker.com/pricing | Direct |
## Questions
### Open Questions
### Answered Questions
- What is the production readiness status of Docker's Wasm runtime support (containerd-shim-wasmedge)? — Still experimental/beta as of 2025. WasmEdge is a CNCF Sandbox project. The shim is functional but lacks mature networking, storage, and observability compared to runc. Suitable for edge/serverless use cases; traditional containers remain recommended for general production microservices. — resolved via web research
- What is Docker Scout's detection rate vs Trivy/Grype for CVE scanning accuracy? — Docker Scout uses the same vulnerability databases (GitHub Advisory, NVD) but integrates directly into Docker Desktop and the `docker scout` CLI. Independent benchmarks show Trivy and Grype have comparable detection rates. Scout's advantage is the Docker-native workflow (image analysis, SBOM generation, push-time scanning). For CI pipelines, Trivy is often preferred for its standalone nature and broader scanner support. — resolved via web research
- How does the experimental nftables support compare to iptables in Docker v29 for performance? — Docker v29.0 introduced experimental nftables support via the `firewall-backend` daemon option. For bridge networks, nftables and iptables have the same functionality. Key differences: nftables uses a simpler rule structure (no recursive chain traversal), reduces rule-count overhead for large deployments, and aligns with modern Linux kernel development (iptables is in maintenance mode). However, nftables support in Docker remains experimental — it does not auto-enable IP forwarding (unlike iptables), and migration requires manually updating any `DOCKER-USER` chain rules. No official Docker-published benchmarks comparing throughput/latency exist yet. Production adoption should wait until GA. — resolved via Docker v29 release notes and Docker nftables documentation
- What replaced Docker Swarm? → Kubernetes. Swarm mode is still in the engine but no longer actively developed.
- Does Docker support rootless mode? → Yes, since Docker Engine 20.10+. Run without root privileges.
- What is containerd vs Docker? → containerd is the low-level container runtime embedded in Docker. Docker adds image building, CLI, networking, volumes on top. See infrastructure/docker/architecture.
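The "root daemon attack surface" and "rootful by default" entries in the Cons table, the rootless-mode answer and the nftables caveats above (no automatic IP forwarding, `DOCKER-USER` rules to migrate by hand) can be turned into one repeatable host check. The script below is an added example written for this page, not Docker's own tooling. It audits two inputs a practitioner collects on the host: the JSON from `docker info --format '{{json .}}'` and the contents of `/etc/docker/daemon.json`. Both are constructed inline here, as a weak host beside a hardened one, so the script runs offline. The `SecurityOptions` entries (`name=seccomp,profile=builtin`, `name=rootless`, `name=userns`, `name=apparmor`) follow the format the engine prints, and the daemon.json keys used (`hosts`, `tlsverify`, `firewall-backend`, `no-new-privileges`, `live-restore`) are documented daemon options; the severity labels and the `audit()` / `parse_security_options()` helpers are this example's own choices.

```python
"""Docker Engine host posture audit (added example, not Docker's own tooling).

Inputs a practitioner collects on the host:
  docker info --format '{{json .}}'   -> engine_info (dict)
  cat /etc/docker/daemon.json          -> daemon_json (str)

All samples below are constructed for this example.
"""
import json

# Constructed `docker info` output, trimmed to the keys the audit reads.
# SecurityOptions entries use the engine's "name=<feature>,<k>=<v>" format.
WEAK_ENGINE_INFO = {
    "ServerVersion": "29.4.0",
    "SecurityOptions": ["name=seccomp,profile=builtin", "name=cgroupns"],
    "CgroupVersion": "2",
}

# Constructed daemon.json with a weak setting (API on plaintext TCP, no TLS)
# next to the experimental firewall-backend option discussed on this page.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "firewall-backend": "nftables",
  "live-restore": true
}"""

# Constructed hardened counterpart: rootless daemon, LSM confinement,
# Unix socket only, no-new-privileges applied to every container.
HARDENED_ENGINE_INFO = {
    "ServerVersion": "29.4.0",
    "SecurityOptions": ["name=seccomp,profile=builtin", "name=rootless",
                        "name=apparmor", "name=cgroupns"],
    "CgroupVersion": "2",
}
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///run/user/1000/docker.sock"],
  "no-new-privileges": true,
  "live-restore": true
}"""


def parse_security_options(options):
    """["name=seccomp,profile=builtin", "name=rootless"]
       -> {"seccomp": {"profile": "builtin"}, "rootless": {}}"""
    parsed = {}
    for entry in options:
        fields = dict(part.split("=", 1) for part in entry.split(","))
        parsed[fields.pop("name")] = fields
    return parsed


def audit(engine_info, daemon_json):
    """Return [(severity, finding), ...]; an empty list means no findings."""
    findings = []
    sec = parse_security_options(engine_info.get("SecurityOptions", []))
    cfg = json.loads(daemon_json)

    # Rootful dockerd: whoever can reach the socket can start a privileged
    # container and own the host. Rootless mode or userns-remap narrows this.
    if "rootless" not in sec and "userns" not in sec:
        findings.append(("HIGH", "dockerd is rootful with no user-namespace remapping; "
                                 "prefer rootless mode (Engine 20.10+) or userns-remap"))
    if "seccomp" not in sec:
        findings.append(("MEDIUM", "seccomp is disabled; the engine's default profile is not applied"))
    if "apparmor" not in sec and "selinux" not in sec:
        findings.append(("LOW", "no LSM confinement (AppArmor/SELinux) reported"))

    # The Engine API over TCP without client-certificate verification is
    # unauthenticated root on the host for anyone who can reach the port.
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(("CRITICAL", f"API listens on {host} without tlsverify"))

    # Experimental nftables backend: this page notes it does not auto-enable
    # IP forwarding and that DOCKER-USER chain rules must be migrated by hand.
    if cfg.get("firewall-backend") == "nftables":
        findings.append(("INFO", "experimental nftables backend: confirm net.ipv4.ip_forward "
                                 "and re-create any DOCKER-USER chain rules for nftables"))
    return findings


def severities(findings):
    """Just the severity column, handy for summaries and tests."""
    return [sev for sev, _ in findings]


if __name__ == "__main__":
    for label, info, cfg in (("weak", WEAK_ENGINE_INFO, WEAK_DAEMON_JSON),
                             ("hardened", HARDENED_ENGINE_INFO, HARDENED_DAEMON_JSON)):
        print(f"== {label} host ==")
        for sev, msg in audit(info, cfg) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run against a real host by piping `docker info --format '{{json .}}'` into `json.loads` and reading `/etc/docker/daemon.json` (or `~/.config/docker/daemon.json` for a rootless daemon). The weak sample trips four findings; the hardened one trips none, which is the bar a defender should expect a Docker host to meet before exposing it beyond a single developer workstation.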