Container Internals & Runtimes: A 24-Week Mastery Roadmap
Authoring lens: Senior Container Architect. Target outcome: a graduate of this curriculum can (a) build, run, and inspect containers without a Docker daemon, using runc, skopeo, buildah, and crun directly; (b) reason from the OCI specs down to wire-level container behavior; (c) ship hardened images with reproducible builds, SBOMs, and signed provenance; and (d) implement a "mini-Docker" that demonstrates manual orchestration of namespaces, cgroups, and a rootfs.
This is not "Docker in a week." It assumes the reader has used containers and is ready to read the OCI specs and runc source as primary literature.
What you'll learn
A 24-week curriculum organized into six monthly modules, plus three reference appendices and a capstone catalog at the end.
| Module | What it covers |
|---|---|
| Prelude - Philosophy and reading list | What containers actually are (and aren't); the shape of the OCI ecosystem. |
| Month 1 - OCI Foundations (Weeks 1–4) | OCI image + runtime specs, runc, crun, skopeo. |
| Month 2 - Filesystems and Builds (Weeks 5–8) | OverlayFS, image layers, buildah, multi-stage, distroless. |
| Month 3 - Runtimes and Daemons (Weeks 9–12) | containerd, CRI-O, podman, the no-daemon model, rootless. |
| Month 4 - Security (Weeks 13–16) | Capabilities, seccomp, AppArmor/SELinux for containers, user namespaces. |
| Month 5 - Supply Chain (Weeks 17–20) | SBOM (Syft), vuln scanning (Grype/Trivy), signing (cosign), SLSA. |
| Month 6 - Build Your Own (Weeks 21–24) | Mini-Docker capstone: Go or Rust implementation. |
| Appendix - Hardening | Image hardening, runtime hardening, gVisor/Kata, rootless patterns. |
| Appendix - Reference Patterns | Common image patterns, multi-arch builds, debugging, CI/CD recipes. |
| Appendix - Contributing | Contribution paths to runc, containerd, podman, buildah. |
| Capstone tracks | Three tracks: mini-Docker, image scanning service, runtime fork. |
How Each Week Is Structured
- Conceptual Core: the why, with a mental model.
- Mechanical Detail: the how, down to the spec section and the source location.
- Lab: a hands-on exercise.
- Hardening Drill: a security-relevant micro-task that compounds week over week.
- Production Readiness Slice: a CI/CD, registry, signing, or scanning task that builds toward a publishable template.
Each week is sized for ~12–16 focused hours.
Progression Strategy

```text
OCI Foundations ──► Filesystems & Builds ──► Runtimes & Daemons
       │                     │                      │
       └──────────┬──────────┴──────────────────────┘
                  ▼
              Security
                  │
                  ▼
            Supply Chain
                  │
                  ▼
           Build Your Own
```
Prerequisites
- Comfortable on a Linux command line.
- Familiar with namespaces and cgroups at a basic level (see the Linux curriculum for the deep version).
- Comfortable reading C, Go, or Rust; the capstone choice depends on which of these you can read.
Capstone Tracks (pick one in Month 6)
- Mini-Docker: a from-scratch container runner in Go or Rust implementing namespaces, cgroups, OverlayFS, and a small subset of the OCI runtime spec.
- Image Scanning & Signing Service: an HTTP service that ingests images, runs Syft + Grype + Trivy, attaches signed SBOMs, and gates promotion via a cosign-based policy.
- Custom Runtime: fork runc (or write a crun equivalent) and add one feature: a gVisor-style sandbox, a custom seccomp profile generator, or eBPF-based observability.
Detailed track briefs are in the capstone catalog.
Get started
Ready to begin? Start with the Prelude — philosophy, the mental model, and the reading list — then work Month 1 forward. The labs are the unit of mastery: do them.
Print this path
Want to read offline or archive? Open the printable version: every section of this path concatenated into one page, styled for paper. Use your browser's Print → Save as PDF.
Worked examples
Concrete walkthroughs that pair with the senior weeks: real code, narrated line by line, with the trap to watch for and an exercise. They have a different shape from the syllabus chapters and are designed to be read after (or before) the matching week.