By Hemanta Sundaray on 2022-07-01
Docker Engine acts as a client-server application.
The following figure shows a high-level view of the Docker engine architecture with brief descriptions:
The daemon is called dockerd. Its major functions include image management, image builds, the REST API, authentication, security, core networking, and orchestration.
containerd manages the container life cycle (start, pause, stop, delete, etc.). In addition, it manages things like image pulls, volumes, and networks.
containerd can’t actually create containers. It uses runc to do that. It converts the required Docker image into an OCI bundle and tells runc to use this to create a new container.
runc is a standalone container runtime tool, whose purpose is to create containers. The layer that runc operates at is called the “OCI LAYER”.
runc interfaces with the OS kernel to pull together all the constructs necessary to create a container (namespaces, cgroups, etc.). The container process is started as a child process of runc, and as soon as it starts, runc exits.
The shim makes it possible to decouple running containers from the daemon for things like daemon upgrades.
containerd creates a new instance of runc for every container it creates. However, once a container is created, its parent runc process exits. This means that we can run hundreds of containers without having to run hundreds of runc instances.
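During incident response, this process layout is what lets you attribute a host process to a container: container processes hang off a containerd-shim process, and runc is normally absent once the container is up. The script below is an added example, not code from the original article; it parses `ps -eo pid,ppid,comm` output, and the sample listing, PIDs and function names are constructed for illustration.

```python
from collections import defaultdict

# ps truncates comm to 15 characters, so containerd-shim-runc-v2 also appears as this.
SHIM_PREFIX = "containerd-shim"

# Constructed sample of `ps -eo pid,ppid,comm` output, not captured from a real host.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
  812     1 containerd
  840     1 dockerd
 2101     1 containerd-shim
 2123  2101 nginx
 2170  2123 nginx
 2302     1 containerd-shim
 2325  2302 redis-server
 2410   812 runc
 2500     1 sshd
"""

def parse_ps(text):
    """Return {pid: (ppid, comm)} from `ps -eo pid,ppid,comm` output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)  # comm may contain spaces, so split at most twice
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs

def containers_by_shim(procs):
    """Map each shim PID to all of its descendants (the container's processes)."""
    children = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        children[ppid].append(pid)
    result = {}
    for pid, (_, comm) in procs.items():
        if comm.startswith(SHIM_PREFIX):
            found, queue = [], list(children[pid])
            while queue:  # breadth-first walk below the shim
                cur = queue.pop(0)
                found.append((cur, procs[cur][1]))
                queue.extend(children[cur])
            result[pid] = sorted(found)
    return result

def runc_still_running(procs):
    """PIDs of runc processes still present; runc normally exits once the container starts."""
    return sorted(pid for pid, (_, comm) in procs.items() if comm == "runc")

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)  # on a live host, feed it the real `ps -eo pid,ppid,comm` output
    print(containers_by_shim(procs), runc_still_running(procs))
```

A runc entry is expected briefly while a container is being created; the listing simply makes it visible alongside the shim-to-container mapping.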
Once a container’s parent runc process exits, the associated containerd-shim process becomes the container’s parent. Some of the responsibilities the shim performs as a container’s parent include: