Hack the Container: Understanding Docker's Inner Workings
containerd, shim and runC: How Everything Works Together
When you launch a container using Docker, several components work together behind the scenes.
Docker Engine, containerd, runc, and containerd-shim each have a specific role in the container lifecycle:
- Docker Engine exposes the Docker API and provides the user-facing control plane.
- containerd is responsible for managing the container lifecycle, image distribution, and execution state.
- runc is the low-level runtime that creates and executes the container using Linux kernel features.
- containerd-shim acts as an intermediary process that keeps the container running independently of higher-level daemons.
The corresponding binaries commonly present on a system are docker, containerd, containerd-shim, and runc. Earlier Docker versions used docker-containerd, docker-containerd-shim, and docker-runc as binary names, but these have since been replaced by the upstream containerd and runc binaries.
The process of starting a container using this architecture follows these steps:
- A user requests Docker to create a container using the Docker CLI, which communicates with the Docker Engine through the Docker API.
- The Docker Engine prepares the container configuration and delegates container execution to containerd.
- containerd creates a container task and spawns a containerd-shim process for that container.
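The parent/child layout this architecture produces is what a responder uses to attribute a host PID to a container. The following is an added example, not code from the course or from the Docker project: it groups processes under their shim and reports each shim's parent. The process table is constructed, and it assumes shims named containerd-shim-runc-v2 that carry -namespace and -id arguments and have been reparented to PID 1.

```python
import re
from collections import defaultdict

# Constructed sample in `ps -eo pid,ppid,args` layout (not captured from a real host).
# Assumption: each shim was reparented to PID 1 and carries the container id in "-id".
SAMPLE_PS = """\
    1     0 /sbin/init
  812     1 /usr/bin/containerd
  901     1 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
 2345     1 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 4f2a9c0de111 -address /run/containerd/containerd.sock
 2367  2345 nginx: master process nginx -g daemon off;
 2410  2367 nginx: worker process
 3100     1 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 9b77e0aa2222 -address /run/containerd/containerd.sock
 3122  3100 redis-server *:6379
 4000   901 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.17.0.2 -container-port 80
"""

SHIM_RE = re.compile(r"containerd-shim\S*\s.*?-id\s+(\S+)")

def parse_ps(text):
    """Return {pid: (ppid, args)} from `ps -eo pid,ppid,args` style lines."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs

def map_containers(procs):
    """Map container id -> sorted workload PIDs by walking each PID up to its shim."""
    shims = {}
    for pid, (_, args) in procs.items():
        m = SHIM_RE.search(args)
        if m:
            shims[pid] = m.group(1)
    owned = defaultdict(list)
    for pid in procs:
        cur, seen = procs[pid][0], set()
        while cur in procs and cur not in seen:  # 'seen' guards against ppid loops
            if cur in shims:
                owned[shims[cur]].append(pid)
                break
            seen.add(cur)
            cur = procs[cur][0]
    return {cid: sorted(pids) for cid, pids in owned.items()}

def shim_parents(procs):
    """Return {shim pid: parent pid}; a shim is not a child of dockerd or containerd."""
    return {pid: ppid for pid, (ppid, args) in procs.items() if SHIM_RE.search(args)}
```

On a live host the same functions can be fed the output of `ps -eo pid,ppid,args`, run without the header line.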
