DevNet Associate DEVASC 200-901 Official Certification Guide by Adrian Iliesiu


Figure 13-24 Container Image Layers Using a Union File System


This read-only aspect of a container is crucial to
understand. You may also hear the term immutable used
to describe the container file system; it simply means
unchanging over time. In other words, a container
doesn’t get patched; rather, it gets re-created with new
layers added. In Figure 13-24 you can see an Ubuntu
Linux base image layer that has OpenSSL added on top
of it via another layer. Above that is the Apache web
server. Think of each of these layers as the result of
running the apt-get command to add a new software
package. What happens if you need to update the OpenSSL
layer because of a vulnerability? You simply rebuild the
container with the latest versions of software. There is no
patching with a container; you destroy the old one and
re-create a new one with updated code. Later on in this
section, you will learn how this works through a
Dockerfile, which is how Docker builds container images.
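
The rebuild-instead-of-patch behavior described above can be modeled in a few lines. This is an added example, not code from the book or from Docker: the layer contents are constructed placeholders, `diff_id` hashes a JSON dump as a stand-in for the digest of a real layer tarball, and `chain_ids` follows the ChainID rule from the OCI image specification.

```python
import hashlib
import json

def diff_id(files):
    """Content digest of one read-only layer (a dict of path -> content)."""
    blob = json.dumps(files, sort_keys=True).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def chain_ids(layers):
    """Identify each layer by its own content plus everything beneath it,
    following the OCI image spec's ChainID rule."""
    ids = []
    for files in layers:
        d = diff_id(files)
        if ids:
            d = "sha256:" + hashlib.sha256(f"{ids[-1]} {d}".encode()).hexdigest()
        ids.append(d)
    return ids

def union_view(layers):
    """Merge layers bottom to top; a path in an upper layer hides the same
    path in a lower one, and None marks a deletion (whiteout)."""
    view = {}
    for files in layers:
        for path, content in files.items():
            if content is None:
                view.pop(path, None)
            else:
                view[path] = content
    return view

# Constructed sample layers matching Figure 13-24 (contents are placeholders).
UBUNTU = {"/etc/os-release": "ubuntu"}
OPENSSL_OLD = {"/usr/lib/libssl.so": "openssl-vulnerable"}
OPENSSL_NEW = {"/usr/lib/libssl.so": "openssl-fixed"}
APACHE = {"/usr/sbin/apache2": "apache"}

def rebuild_demo():
    old_image = [UBUNTU, OPENSSL_OLD, APACHE]
    new_image = [UBUNTU, OPENSSL_NEW, APACHE]   # rebuilt, not patched
    return chain_ids(old_image), chain_ids(new_image), union_view(new_image)

if __name__ == "__main__":
    old, new, view = rebuild_demo()
    for name, o, n in zip(("ubuntu", "openssl", "apache"), old, new):
        print(f"{name:8} {'reused' if o == n else 'rebuilt'}")
    print(view["/usr/lib/libssl.so"])
```

The Apache layer's files are identical in both images, yet its identity changes because it sits on top of the replaced OpenSSL layer. The old image itself is never modified, so containers started from it keep the vulnerable library until they are destroyed and re-created from the new image.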


DOCKER ARCHITECTURE


Just like the engine in a car, the Docker Engine is the
central component of the Docker architecture. Docker is
a client/server application that installs on top of a Linux,
Mac, or Windows operating system and provides all the
tools to manage a container environment. It consists of
the Docker daemon and the Docker client. Docker allows
you to package up an application with all of its
