By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
For engineers who need to deploy, debug, and scale containers in production.
Docker’s architecture is the backbone of how containers run in development, CI/CD, and production. If you don’t understand the daemon, client, and registry, you’ll: - Waste hours debugging "Why won’t my container start?" (Hint: The daemon isn’t running.) - Accidentally expose sensitive images to the public (Registry misconfigurations are a top cause of breaches.) - Struggle to scale deployments because you don’t know how images are pulled and cached.
Real-world scenario:You’re onboarding to a new team. The CI/CD pipeline fails with Error: Cannot connect to the Docker daemon. The logs show dial unix /var/run/docker.sock: connect: permission denied. Your task: Fix it now so the team can deploy. Without knowing how the daemon, client, and registry interact, you’re stuck guessing.
Error: Cannot connect to the Docker daemon
dial unix /var/run/docker.sock: connect: permission denied
This guide gives you the exact commands, configs, and troubleshooting steps to: ✅ Deploy containers reliably in production.✅ Debug permission errors, image pulls, and registry issues.✅ Pass hands-on certs (CKA, Docker Certified Associate) with confidence.
dockerd
--restart=always
/var/run/docker.sock
docker
docker run
docker build
DOCKER_HOST
Cannot connect to the Docker daemon
sudo systemctl status docker
myapp:v1.2.3
latest
nginx:alpine
RUN
Dockerfile
docker ps -a
docker context use <name>
sudo
# Start a registry container (insecure, for testing only) docker run -d -p 5000:5000 --name registry registry:2
Verify:
curl http://localhost:5000/v2/_catalog # Expected output: {"repositories":[]}
# Build a simple Nginx image docker build -t my-nginx - <<EOF FROM nginx:alpine RUN echo "Hello from private registry!" > /usr/share/nginx/html/index.html EOF # Tag the image for your registry (format: <registry-url>/<image>:<tag>) docker tag my-nginx localhost:5000/my-nginx:v1
docker push localhost:5000/my-nginx:v1
Troubleshooting:- If you get http: server gave HTTP response to HTTPS client, add the registry to Docker’s insecure registries: bash # Edit /etc/docker/daemon.json (create if it doesn’t exist) echo '{"insecure-registries": ["localhost:5000"]}' | sudo tee /etc/docker/daemon.json sudo systemctl restart docker
http: server gave HTTP response to HTTPS client
bash # Edit /etc/docker/daemon.json (create if it doesn’t exist) echo '{"insecure-registries": ["localhost:5000"]}' | sudo tee /etc/docker/daemon.json sudo systemctl restart docker
# Remove the local image first docker rmi my-nginx localhost:5000/my-nginx:v1 # Pull from the registry docker pull localhost:5000/my-nginx:v1 # Run it docker run -d -p 8080:80 --name my-nginx localhost:5000/my-nginx:v1
curl http://localhost:8080 # Expected output: "Hello from private registry!"
bash openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
bash docker run -d -p 5000:5000 --name registry \ -v $(pwd)/domain.crt:/certs/domain.crt \ -v $(pwd)/domain.key:/certs/domain.key \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ registry:2
# Run the registry with auth docker run -d -p 5000:5000 --name registry \ -v $(pwd)/auth:/auth \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \ registry:2 4. Log in and push:bash docker login localhost:5000 # Username: testuser, Password: testpassword docker push localhost:5000/my-nginx:v1 ```
4. Log in and push:
dockerd-rootless-setuptool.sh
docker scan
bash export DOCKER_CONTENT_TRUST=1 docker push my-registry/my-image:signed
FROM alpine:latest COPY --from=builder /app/myapp . CMD ["./myapp"] - Clean up unused images/volumes regularly:bash docker system prune -a --volumes ```
- Clean up unused images/volumes regularly:
v1.2.3
.dockerignore
.git
node_modules
FROM alpine:3.18
FROM alpine
docker stats
docker events
docker logs
bash docker run -d --memory="512m" --cpus="1" my-app
docker:dind
nginx:1.25.3
docker system prune
REGISTRY_AUTH=htpasswd
"Which command connects to a remote daemon?" → docker -H tcp://<ip>:2375.
docker -H tcp://<ip>:2375
Registry Security:
"How do you prevent unauthorized access to a private registry?" → Enable auth (htpasswd) and HTTPS.
htpasswd
Image Tags:
"What’s the risk of using latest in production?" → Unpredictable updates break deployments.
Debugging:
docker logs <container>
docker ps
nginx
"You need to deploy a private registry for a team of 10 developers. What’s the most secure way to set it up?" Answer:1. Run the registry with TLS (REGISTRY_HTTP_TLS_CERTIFICATE).2. Enable auth (REGISTRY_AUTH=htpasswd).3. Use a reverse proxy (e.g., Nginx) for additional security.
REGISTRY_HTTP_TLS_CERTIFICATE
Challenge:You’re debugging a CI/CD pipeline that fails with:
Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: no such host
Task: Fix the issue so the pipeline can pull images from Docker Hub.
Solution:
# Check DNS resolution nslookup registry-1.docker.io # If DNS fails, use Google's DNS (8.8.8.8) or Cloudflare (1.1.1.1) echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf # Restart Docker sudo systemctl restart docker
Why it works:The error indicates a DNS failure. Switching to a public DNS resolver (like Google’s) fixes the issue.
docker version
docker info
docker context ls
docker login <registry>
~/.docker/config.json
docker pull <image>
docker push <image>
<registry>/<image>:<tag>
export DOCKER_HOST=tcp://<ip>:2375
registry:2
-p 5000:5000
-a
docker build --no-cache
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.