Understand the Process of Creating a New Docker Container

By Hemanta Sundaray on 2022-07-01

Container Creation Process

There are four parts to understanding the process of container creation in Docker.

Part-1

The most common way to start a container is to use the Docker CLI. The following docker container run command will start a simple new container based on the alpine:latest image.

$ docker container run --name ctr1 -it alpine:latest sh

When you type commands like this into the Docker CLI, the Docker client converts them into the appropriate API payload and POSTs them to the API endpoint exposed by the Docker daemon. The API is implemented in the daemon and can be exposed over a local socket or the network.
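The translation described above can be reproduced by hand; the following is an added example, not code from the original post or from Docker. It builds the create and start requests of the Docker Engine API and sends them over the local socket. It assumes the default socket path /var/run/docker.sock and an image that is already pulled, and it leaves out the attach step the real CLI also performs.

```python
import json
import os
import socket
from urllib.parse import quote

DOCKER_SOCK = "/var/run/docker.sock"  # assumed default local socket path

def create_request(name, image, cmd, tty=True, stdin=True):
    """Path and JSON body for POST /containers/create (Docker Engine API)."""
    body = {
        "Image": image,
        "Cmd": list(cmd),
        "Tty": tty,            # -t
        "OpenStdin": stdin,    # -i
        "AttachStdin": stdin,
        "AttachStdout": True,
        "AttachStderr": True,
    }
    return "/containers/create?name=" + quote(name, safe=""), body

def to_http(method, path, body=None):
    """Serialize as HTTP/1.0 so the daemon's reply is never chunked."""
    payload = b"" if body is None else json.dumps(body).encode()
    headers = ["Host: docker", f"Content-Length: {len(payload)}"]
    if body is not None:
        headers.append("Content-Type: application/json")
    head = f"{method} {path} HTTP/1.0\r\n" + "\r\n".join(headers) + "\r\n\r\n"
    return head.encode() + payload

def parse_response(raw):
    """Return (status_code, decoded JSON body or None)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, (json.loads(body) if body.strip() else None)

def call(method, path, body=None, sock_path=DOCKER_SOCK):
    # No credentials are sent: on the local socket, access is decided by
    # the socket file's ownership and mode.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(to_http(method, path, body))
        raw = b"".join(iter(lambda: s.recv(65536), b""))
    return parse_response(raw)

if __name__ == "__main__" and os.path.exists(DOCKER_SOCK):
    path, body = create_request("ctr1", "alpine:latest", ["sh"])
    status, created = call("POST", path, body)   # 201 when the container is created
    print(status, created)
    if status == 201:
        print(call("POST", f"/containers/{created['Id']}/start"))  # 204 on success
```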

Part-2

Once the daemon receives the command to create a new container, it makes a call to containerd. The daemon communicates with containerd via a CRUD-style API over gRPC.

Part-3

Despite its name, containerd cannot actually create containers. It uses runc to do that. It converts the required Docker image into an OCI bundle and tells runc to use this to create a new container.

Part-4

runc interfaces with the OS kernel to pull together all of the constructs necessary to create a container (namespaces, cgroups, etc.). The container process is started as a child process of runc, and as soon as it is started, runc exits.

The container is now started.

Understand the Docker Engine architecture in my blog post here.
