Reading Notes: Docker Deep Dive - Fifth Edition

Introduction

This document is a reading note for Docker Deep Dive - Fifth Edition.

As the name suggests, this is a book that dives deep into Docker.
While it does contain information on how to use Docker, it is a book that touches on how it works. I think it would be more useful to read when you have been using Docker "by feel" rather than as a complete beginner, as it helps organize your knowledge.

By looking at the following chapters, you might get a glimpse of what is running behind Docker:

• 5: The Docker Engine
• 13: Docker Networking
• 16: Docker security

Also, since the update date is 2025, it is one of the newer books among those that explain Docker.

Note that, looking at the Amazon reviews, some people have given low ratings to the print edition, possibly because it lacks an index (it still has a 4.5/5 rating).

Chapter Summaries

1: Containers from 30,000 feet

This chapter reviews the history of containers from a high-level perspective.
The explanation follows this flow:

• Pre-virtualization era
• Era of virtual environments using VMware
• Emergence of containers
• Docker support on Windows and Mac
• Wasm trends
• Approaches to utilizing AI apps
• About Kubernetes

2: Docker and container-related standards and projects

This chapter explains "Docker" and the standards and projects related to containers.

• Two meanings of Docker
  • Docker, Inc. (The company formerly known as dotCloud)
  • Docker platform (The system for creating, sharing, and running containers: CLI and Engine)
• Container-related standards and projects
  • Open Container Initiative (OCI)
    • A governance council responsible for low-level container-related standards
    • Image spec
    • Runtime spec
    • Distribution spec
  • Cloud Native Computing Foundation (CNCF)
    • Aiming to promote cloud-native adoption, it hosts projects such as Kubernetes
  • Moby
    • A collection of community-driven components for assembling container platforms

3: Getting Docker

This chapter explains how to obtain and install Docker.

• Docker Desktop provides a feature-rich Docker environment for Linux, Mac, and Windows machines.
• Multipass creates cloud-style Linux VMs on Linux, Mac, or Windows machines and runs the Docker engine (server) on those Linux VMs. Some features of Docker Desktop are not available.

Note that in the case of Linux, Docker can be installed without a virtual VM.

4: The big picture

This chapter provides an overview of how to use images and containers.

• Operational perspective
  • Obtaining images, starting, stopping, and deleting containers, and how to execute commands within containers.
• Developer perspective
  • Obtaining source code, checking Dockerfiles, creating images, and the workflow for starting containers.

5: The Docker Engine

This chapter explains the Docker Engine.

Diagram:

　  　 docker cli
       　　↑↓
+--------{API}----------+
|     Docker Engine     |
|      　  ↑↓           |
|      containerd       |
|      　  ↑↓           |
|         shim          |
|       +-*---*-+       |
|       | runc  |       |
|       +-*-+-*-+       |
|           |           |
|   Running containers  |
+-----------------------+

• The configuration of the early Docker Engine and why it was changed.
• runc
  • A lightweight CLI wrapper that uses libcontainer. As a low-level runtime, it creates and deletes containers using OCI bundles.
  • https://github.com/opencontainers/runc/releases
• containerd
  • A high-level runtime that manages lifecycle events such as starting, stopping, and deleting containers.
  • A low-level runtime is required for actual execution. In many cases, it is paired with runc, but it is also possible to change runc to a different low-level runtime.
  • It also features image management capabilities.
  • https://github.com/containerd/containerd/releases
• Shim
  • Mediates between containerd and low-level runtimes such as runc.

6: Working with Images

This chapter discusses the fundamentals of images.

• One or more containers can be started from a single image.
• An image is composed of one or more read-only layers stacked together to form a unified view (upper layers cover lower ones, appearing as updates).
• Layer sharing enables efficient downloading and storage.
• Multiple tags can be assigned to an image, but they are mutable. Instead, you can use immutable digests for precise specification.
• They are stored and distributed in registries (Docker Hub and others), which host official and unofficial repositories. However, caution is still necessary even with official ones.
• Multi-architecture images: Multiple architectures can be hidden behind a single tag.
• Docker Hub has official images that are relatively safe to use (though care should always be taken when downloading software over the internet).
• Vulnerability scanning with Docker Scout.
• Introduction to image-related commands:
  • docker pull Downloading an image from a remote repository.
  • docker images Listing images in the local repository.
  • docker inspect Displaying metadata of an image.
  • docker manifest inspect Checking the manifest list of an image.
  • docker buildx imagetools Subcommand can query manifest-related data from an image.
  • docker scout Vulnerability checking.
  • docker rmi Deleting an image.

7: Working with containers

This chapter provides a basic explanation of containers.

• Comparison between containers and VMs.
• Explanation of the flow for starting a container from an image.
  • Containers share the same image but have their own R/W layer.
  • This allows unique changes to be made to the container, but the R/W layer is deleted when the container is removed.
• How to start apps inside a container.
• How to connect to a running container.
• Obtaining detailed container information with docker inspect.
• Stopping, restarting, and deleting containers.
• Debugging containers with Docker Debug (requires Pro or higher).
• Introduction to container-related commands:
  • docker run Command to start a new container.
  • docker ps Listing running containers. -a also shows stopped containers.
  • docker exec Executing commands inside a container.
  • docker stop Stopping a container.
  • docker restart Restarting a container.
  • docker rm Deleting a container.
  • docker inspect Obtaining detailed information about a container.
  • docker debug Attach a debug shell to a container or image to use debugging commands.

8: Containerizing an app

This chapter explains the process of packaging an application as an image (= containerization).

• Creating a Dockerfile
  • Creation using docker init
  • Explanation of the generated Dockerfile
• Containerizing the application
  • Creating an image with docker build
  • Verifying the created image with docker inspect
• Pushing the image to Docker Hub
  • Assigning a tag to the image with docker tag
  • Pushing the image to a remote repository with docker push
• Running the application in a container
  • Starting it as a container with docker run
• Verifying details
  • Checking commands used for the image with docker history
  • Explanation of why the image layer structure is the way it is
• Multi-stage build sample
  • A Go example that separates the compilation stage from the stage containing only the executable
  • This ensures that compilation-related files do not need to be included in the final image
• Buildx, BuildKit, driver, BuildCloud
  • Buildx is Docker's build client
  • Build Cloud provides BuildKit builders in the cloud
  • Buildx uses Drivers to instruct multiple BuildKits to perform builds
  • Multi-architecture builds utilize this mechanism to containerize apps for different architectures
• Best practices
  • Leverage the build cache
  • Install only essential packages

9: Multi-container apps with Compose

This chapter explains how to manage multi-container applications using Compose (docker compose).

• History from Fig to Compose
• Explanation of the sample app
• Deploying applications using Compose
• Stopping, restarting, deleting, and status information for applications using Compose

10: Docker and AI

This chapter explains how to use Docker Model Runner to run LLM models utilizing the host's GPU.
However, model training is not possible at this time.

11: Docker and Wasm

This chapter explains the functionality for containerizing WebAssembly applications, which is a beta feature as of September 2025.
Overall, I felt the descriptions were a bit unrefined (e.g., instructions like "look online to set up your Rust environment").

Furthermore, in my environment, WebAssembly containerization itself did not work at all.
Since even official Docker commands hung and required a restart of Docker Desktop, I don't think it was an issue with the steps in this book.

docker run \
  --runtime=io.containerd.wasmedge.v1 \
  --platform=wasi/wasm \
  secondstate/rust-example-hello

Reference

This issue occurred in the following environment:

• 2 GHz Quad-Core Intel Core i5
• macOS 15.4.1 (24E263)
• Docker Desktop 4.47.0
  Note that it was also reproducible in a Windows 11 environment.

This blog post reports the same issue, suggesting that this problem occurs in environments other than just mine.

12: Docker Swarm

This chapter explains how to deploy a multi-node Swarm cluster and run applications on it.
At the start, it mentions that Swarm's popularity is declining and that Kubernetes is more vibrant, so for some people, the motivation to read this chapter might be low.

When actually experimenting, Docker Desktop only has a single Docker node, so it is recommended to use the Play with Docker cloud lab environment or use Multipass.

• Reasons to choose Swarm over Kubernetes
• Creating a Swarm
• Deploying applications to a Swarm
• Managing apps (example of scaling up)
• Deleting a Swarm
  • Note that while networks and services are removed, volumes remain.
• Docker Swarm commands
  • docker swarm init Initializes a Swarm
  • docker stack deploy Deploys and updates Swarm apps
  • docker stack ls Lists all Swarm apps
  • docker stack ps Provides detailed information about a Swarm app
  • docker stack services Information about each application service
  • docker stack rm Deletes a Swarm app

13: Docker Networking

This chapter covers the basics of Docker networking.
It is also recommended to use the Play with Docker cloud lab environment or Multipass when actually performing experiments.

• Container Network Model (CNM) is a design specification that outlines the fundamental building blocks of Docker networking.
  • It consists of the following three blocks:
    • Sandboxes: Holds the configuration of the container's network stack.
      • Management of container interfaces, routing tables, DNS settings, etc.
    • Endpoints: Virtual network interfaces.
    • Networks: Groups of endpoints that can communicate with each other.
• libnetwork is an implementation of CNM + control plane functions (management API, service discovery via built-in DNS, etc.).
• Driver: Provides the actual network implementation.
  • Data plane implementation (bridge/overlay/macvlan).
• Single-host bridge network
  • Terminology:
    • The network spans only a single Docker host.
    • It is an implementation of a Layer 2 switch.
  • To expose a service outside the network, the container must be mapped to a host port.
    • Only suitable for local development or very small-scale applications.
• macvlan driver
  • Allows creating Docker networks that connect containers to existing physical networks or VLANs.
  • Since it requires the host's NIC to operate in promiscuous mode, it is often not permitted in many corporate networks or public clouds.

14: Docker overlay networking

This chapter constructs a sample that sets up multiple Docker hosts using Docker Swarm and communicates using an overlay network.
In essence, it uses VXLAN (UDP 4789) tunnels and VTEPs on each node to make the underlay (L3) appear as the "same L2 segment."

15: Volumes and persistent data

This chapter explains how to use volumes to persist data that should be retained even after a container is deleted.
You can also specify third-party drivers using the -d option when creating a volume to provide access to cloud storage services or NAS.

16: Docker security

This chapter covers Docker security.

• Linux security technologies:
  • Kernel Namespaces: Provides lightweight isolation by separating process trees, network stacks, mounts (file systems), IPC, users, UTS, etc. (Not as robust a boundary as VMs).
  • Control Groups: Limits a container's CPU/memory/network/disk I/O consumption to prevent resource monopolization (DoS).
  • Capabilities: Divides the privileges held by root into several groups, granting only the necessary permissions.
  • Mandatory Access Control (AppArmor / SELinux): Additional access control rules are automatically applied to containers, and can be enabled/disabled or overridden as needed.
  • seccomp: Filters syscalls from the container to the host kernel.
• Docker security technologies:
  • Swarm security: Cryptographic IDs for participating nodes, mutual authentication (TLS), secure join tokens, etc.
  • Docker Scout: Vulnerability checking.
  • Docker Content Trust (DCT): Provides image signing and verification.
  • Docker Secrets: Limited to Swarm mode. Secrets are stored encrypted in the cluster store.