The Docker daemon (dockerd) listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. A daemon can also communicate with other daemons to manage Docker services.
dockerd (The High-Level Controller): Handles the API, authentication, and high-level networking/volumes.
containerd (The Manager): A CNCF-graduated project that manages the container lifecycle (transferring images, executing containers, supervising them).
containerd-shim: A tiny process that sits between containerd and the running container. It allows the daemon to be restarted or upgraded without killing the running containers.
runc (The Runtime): The low-level tool that actually interacts with the Linux Kernel to create the container using Namespaces and Cgroups.
Listening for API Requests: It provides a standard Docker Engine API (REST) that the Docker Client (CLI) or third-party tools (like Portainer or VS Code) call.
Object Management: It handles the creation and cleanup of Docker objects (Images, Containers, Networks, and Volumes).
Image Management: It manages the local image cache and coordinates with registries (like Docker Hub or Amazon ECR) to pull or push layers.
Unix Socket (/var/run/docker.sock): The default. It’s the most secure because it only allows local communication.
Systemd Socket: Used on modern Linux distributions to start the daemon on demand.
TCP Socket: Allows you to control Docker remotely (e.g., controlling a production AWS instance from your local terminal). Warning: This must be secured with TLS/SSL in production to prevent unauthorized access.
data-root: Changing where Docker stores images and containers (useful if your root partition is small).
registry-mirrors: Speeding up docker pull by using a local mirror.
default-ulimits: Setting resource limits for all containers at the daemon level.
insecure-registries: Allowing the daemon to connect to a private registry without a valid SSL certificate (common in internal dev environments).
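The listener choices above (unix, systemd, tcp with or without TLS) and the daemon.json keys just listed all live in one file, usually /etc/docker/daemon.json, so a single audit pass over that file catches most daemon-level misconfigurations. The following Python script is an added example written for this page, not Docker's own tooling: it audits a parsed daemon.json for a tcp listener without tlsverify, a listener bound to all interfaces, entries in insecure-registries, a non-https registry mirror, a default-ulimits entry whose soft limit exceeds its hard limit, and a relative data-root. The two sample configurations, the registry host names and the certificate paths are constructed for the demonstration.

```python
"""Audit a daemon.json for the settings discussed above: which sockets dockerd
listens on (unix / fd / tcp, and whether a tcp listener has TLS) and the
daemon.json keys data-root, registry-mirrors, default-ulimits and
insecure-registries. Example code added for this page, not Docker's own
tooling; the two sample configurations below are constructed."""
import json

# daemon.json keys that dockerd reads for TLS on a tcp listener.
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")

# Constructed sample: daemon exposed on every interface with no TLS, plus the
# lax registry settings that are common in internal dev environments.
WEAK_CONFIG = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "insecure-registries": ["registry.internal.example:5000"],
  "registry-mirrors": ["http://mirror.internal.example"],
  "default-ulimits": {"nofile": {"Name": "nofile", "Hard": 4096, "Soft": 65536}},
  "data-root": "docker-data"
}""")

# Constructed sample: same intent with TLS client verification, a loopback
# bind, an https mirror and consistent ulimits. Certificate paths are placeholders.
HARDENED_CONFIG = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "registry-mirrors": ["https://mirror.internal.example"],
  "default-ulimits": {"nofile": {"Name": "nofile", "Hard": 65536, "Soft": 65536}},
  "data-root": "/var/lib/docker"
}""")


def audit_daemon_config(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []

    # 1. Listeners. With no "hosts" key dockerd listens on the unix socket only.
    for host in config.get("hosts") or ["unix:///var/run/docker.sock"]:
        scheme, _, rest = host.partition("://")
        if scheme == "tcp":
            bind_addr = rest.rsplit(":", 1)[0]  # "0.0.0.0:2375" -> "0.0.0.0"
            if not config.get("tlsverify"):
                findings.append(f"{host}: tcp listener without tlsverify "
                                "(anyone who reaches the port controls the daemon)")
            else:
                missing = [k for k in TLS_KEYS if not config.get(k)]
                if missing:
                    findings.append(f"{host}: tlsverify set but {missing} not configured")
            if bind_addr in ("", "0.0.0.0", "[::]"):
                findings.append(f"{host}: bound to all interfaces")
        elif scheme not in ("unix", "fd"):  # fd:// is systemd socket activation
            findings.append(f"{host}: unrecognised listener scheme")

    # 2. insecure-registries disables certificate verification (and allows plain
    #    HTTP) for those registries, so image integrity then rests on the network.
    for reg in config.get("insecure-registries", []):
        findings.append(f"insecure-registries: unverified pulls allowed from {reg}")

    # 3. A mirror serves every pull, so it should be https unless it was
    #    deliberately listed as insecure.
    insecure = set(config.get("insecure-registries", []))
    for mirror in config.get("registry-mirrors", []):
        if not mirror.startswith("https://") and mirror.split("://", 1)[-1] not in insecure:
            findings.append(f"registry-mirrors: {mirror} is not https")

    # 4. default-ulimits entries need Name/Hard/Soft with Soft <= Hard.
    for name, lim in config.get("default-ulimits", {}).items():
        if not all(k in lim for k in ("Name", "Hard", "Soft")):
            findings.append(f"default-ulimits: {name} missing Name/Hard/Soft")
        elif lim["Soft"] > lim["Hard"]:
            findings.append(f"default-ulimits: {name} soft limit {lim['Soft']} "
                            f"exceeds hard limit {lim['Hard']}")

    # 5. data-root should be an absolute path on a partition sized for image layers.
    data_root = config.get("data-root", "/var/lib/docker")
    if not data_root.startswith("/"):
        findings.append(f"data-root: {data_root!r} is not an absolute path")

    return findings


def audit_file(path: str) -> list[str]:
    """Audit a daemon.json on disk (typically /etc/docker/daemon.json)."""
    with open(path, encoding="utf-8") as fh:
        return audit_daemon_config(json.load(fh))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_daemon_config(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run it as `python audit_daemon.py` to see the weak sample produce six findings and the hardened one none, or call `audit_file("/etc/docker/daemon.json")` on a real host. Two caveats when acting on the results: even the unix socket is not harmless, since anyone who can write to /var/run/docker.sock (root or the docker group) has root-equivalent control of the host, and on distributions whose systemd unit already passes `-H fd://` to dockerd, adding a "hosts" key to daemon.json conflicts with that flag and stops the daemon from starting, so listeners are changed in a systemd drop-in instead.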