What happens when you run `docker run hello-world` — describe the flow end to end?
Quick Answer
The CLI sends a request to the daemon. The daemon checks whether the hello-world image exists locally and, if not, pulls it from Docker Hub layer by layer. The daemon then asks containerd to create and start a container from that image. containerd hands off to runc, which sets up Linux namespaces and cgroups and executes the image's default command inside that isolated environment. The command runs (printing its message and exiting) and the container transitions to the Exited state, with its output streamed back up through containerd and the daemon to the CLI, which prints it to your terminal.
Detailed Answer
Tracing this single, simple command through every layer of the architecture ties together everything covered elsewhere in this topic.
```bash
docker run hello-world
```
Step 1: The CLI sends a request to the daemon
The docker CLI has no logic of its own for running containers — it constructs an HTTP request (POST /containers/create, followed by POST /containers/{id}/start) and sends it to dockerd over the local Unix socket (see the CLI/daemon question).
Step 2: The daemon checks for the image locally
```
Unable to find image 'hello-world:latest' locally
```
If you've never pulled hello-world before, the daemon doesn't have it in its local image store — it needs to fetch it.
Step 3: Pulling the image from a registry
```
latest: Pulling from library/hello-world
719385e32844: Pull complete
Digest: sha256:...
Status: Downloaded newer image for hello-world:latest
```
The daemon contacts Docker Hub (the default registry — see that topic), downloading the image's layers (each identified by content hash) and its manifest/configuration, storing them in its local layer cache.
Step 4: The daemon delegates actual container creation to containerd
dockerd doesn't create the container's isolated process itself. It calls into containerd (see the architecture question), which manages the container's lifecycle: unpacking the image's layers into a filesystem bundle, and preparing everything a runtime needs to actually start the container.
Step 5: containerd hands off to runc
containerd invokes runc (or whichever OCI-compliant runtime is configured), passing it the prepared filesystem bundle and an OCI runtime configuration. runc does the actual low-level work: creating new Linux namespaces (PID, network, mount, etc. — see that question) and configuring cgroups for the new container. It then executes the image's configured entrypoint/command inside that newly isolated environment.
Step 6: The container's process runs
Inside its isolated namespace, the hello-world image's program executes. In this specific image's case, it prints an explanatory message describing this exact flow and then exits immediately (hello-world is deliberately a minimal, self-documenting image with no long-running server process).
Step 7: Container exit and output streaming
Once the process inside exits, the container's state transitions to Exited — there's no long-running process left inside its PID namespace, so the container itself stops. Throughout this whole process, standard output from inside the container is streamed back up through runc → containerd → dockerd → the CLI, which is why you see the message printed directly in your terminal.
```bash
docker ps -a
# CONTAINER ID   IMAGE         STATUS                     NAMES
# a1b2c3d4e5f6   hello-world   Exited (0) 2 seconds ago   happy_euler
```
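Steps 1 and 7 can be replayed without the CLI. The following is an added example, not code from the original page or from the Docker project: it sends the same create and start requests over the Unix socket, then goes slightly beyond the text by calling the Engine API's `/wait` and `/logs` endpoints and decoding the 8-byte frame header that separates stdout from stderr when no TTY is attached. Assumptions: a Linux host with dockerd listening on `/var/run/docker.sock`, the image already in the local store, and a user allowed to open the socket; `UnixHTTPConnection`, `api`, `demux` and `run` are names chosen for this example.

```python
import http.client
import json, socket, struct

DOCKER_SOCK = "/var/run/docker.sock"  # assumption: default dockerd socket path

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over a Unix domain socket instead of TCP."""
    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)

def api(sock_path, method, url, body=None):
    """Send one Engine API request; return (HTTP status, raw response body)."""
    conn = UnixHTTPConnection(sock_path)
    headers = {"Content-Type": "application/json"} if body is not None else {}
    conn.request(method, url, json.dumps(body) if body is not None else None, headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data

def demux(raw):
    """Split non-TTY output frames: [stream id, 3 pad bytes, u32 BE length] + payload."""
    streams, pos = {1: b"", 2: b""}, 0
    while pos < len(raw):
        if len(raw) - pos < 8:
            raise ValueError("truncated frame header")
        stream_id, size = struct.unpack(">BxxxI", raw[pos:pos + 8])
        payload = raw[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError("truncated frame payload")
        streams[stream_id] = streams.get(stream_id, b"") + payload
        pos += 8 + size
    return streams[1], streams[2]  # (stdout, stderr)

def run(image="hello-world", sock_path=DOCKER_SOCK):
    """Create, start, wait for exit, fetch output: returns (exit code, (stdout, stderr))."""
    status, data = api(sock_path, "POST", "/containers/create", {"Image": image})
    if status != 201:  # e.g. 404 when the image is not in the local store
        raise RuntimeError(f"create failed: HTTP {status} {data!r}")
    cid = json.loads(data)["Id"]
    status, data = api(sock_path, "POST", f"/containers/{cid}/start")
    if status != 204:
        raise RuntimeError(f"start failed: HTTP {status} {data!r}")
    _, data = api(sock_path, "POST", f"/containers/{cid}/wait")
    _, raw = api(sock_path, "GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
    return json.loads(data)["StatusCode"], demux(raw)
```

Calling `run()` on a host that matches the assumptions leaves a new container in the Exited state, exactly as `docker run hello-world` does.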
Why walking through this matters for an interview
Being able to narrate this full chain demonstrates that you understand Docker as a layered system built on standardized, swappable components, rather than treating docker run as an unexplained black box. The chain runs from the client request, through image resolution and pulling, the daemon delegating to containerd, containerd delegating to runc, and runc creating the actual isolated process via namespaces and cgroups. This is exactly the kind of question that requires tracing a request across every layer of the stack, and it distinguishes surface-level Docker familiarity from a deeper systems-level understanding.