Docker Architecture

Docker uses a client-server architecture: the Docker CLI (client) sends commands to the Docker daemon (dockerd) which does the actual work - building images, running containers, managing networks and volumes.
Client and daemon communicate over a Unix socket (/var/run/docker.sock) by default, or over TCP for remote connections.

Docker Engine

Docker Engine is the core open-source runtime. Linux-only. Includes:
- dockerd — the daemon that manages container objects and exposes the Docker API
- Docker CLI — the docker command-line client
Terminal window
```
# Connect CLI to a remote Docker daemon
docker -H remote-host:2375 ps

# Or set the environment variable
export DOCKER_HOST=tcp://remote-host:2375
```
Port 2375 is unauthenticated and unencrypted. Anyone who can reach it has full control of your Docker daemon — which is effectively root on the host. For remote access, use the TLS-secured port (2376) with client certificate auth, or tunnel over SSH: docker -H ssh://user@remote-host ps.
The daemon can join a cluster of other daemons (Docker Swarm) for orchestration.
Internally, dockerd delegates container execution to containerd, which uses runc (an OCI runtime) to actually create and run containers. This layered stack (dockerd → containerd → runc) is why OCI images built with Docker run on Kubernetes unchanged — Kubernetes uses containerd directly, skipping dockerd.

Docker Desktop

Docker Desktop is the developer-friendly distribution for macOS and Windows. It wraps Docker Engine in a Linux VM (via Apple Hypervisor / WSL2) and adds:

Component	Purpose
CLI	Standard `docker` commands
GUI	Manage images, containers, resource limits (CPU/memory/disk)
Credential Helper	Secure credential storage for private registries
Extensions	Third-party tools (e.g., Dive, Portainer, Trivy)
Optional Kubernetes	Single-node K8s cluster alongside Docker

![Docker Desktop architecture](/images/virtualization/Docker Architecture.png)

Docker Engine vs Docker Desktop

	Docker Engine	Docker Desktop
OS	Linux only	macOS, Windows, Linux
License	Free (Apache 2.0)	Free for personal use; paid for large orgs
Kubernetes	Not included	Optional, single-node
GUI	None	Included
VM overhead	None	Yes (Linux VM layer)

On Linux, prefer Docker Engine for servers and CI runners - no VM overhead, full performance.
On macOS/Windows, Docker Desktop is the practical choice. The VM boundary means bind mounts have some performance overhead compared to native Linux.

How the API Works

# The CLI is just a thin wrapper over the Docker REST API
# You can call it directly too:
curl --unix-socket /var/run/docker.sock http://localhost/containers/json

Any tool that speaks the Docker API (Portainer, VS Code Docker extension, CI runners) can manage Docker - the CLI is not special.