# Container Internals & Runtimes: A 24-Week Mastery Roadmap

Authoring lens: Senior Container Architect.

Target outcome: A graduate of this curriculum can (a) build, run, and inspect containers without a Docker daemon, using runc, skopeo, buildah, and crun directly, (b) reason from the OCI specs to wire-level container behavior, (c) ship hardened images with reproducible builds, SBOMs, and signed provenance, and (d) implement a "mini-Docker" demonstrating manual orchestration of namespaces, cgroups, and a rootfs.
This is not "Docker in a week." It assumes the reader has used containers and is ready to read the OCI specs and runc source as primary literature.
## Repository Layout

| File | Purpose |
|---|---|
| 00_PRELUDE_AND_PHILOSOPHY.md | What containers actually are (and aren't); the shape of the OCI ecosystem. |
| 01_MONTH_OCI_FOUNDATIONS.md | Weeks 1–4. OCI image + runtime specs, runc, crun, skopeo. |
| 02_MONTH_FILESYSTEMS_AND_BUILDS.md | Weeks 5–8. OverlayFS, image layers, buildah, multi-stage, distroless. |
| 03_MONTH_RUNTIMES_AND_DAEMONS.md | Weeks 9–12. containerd, CRI-O, podman, the no-daemon model, rootless. |
| 04_MONTH_SECURITY.md | Weeks 13–16. Capabilities, seccomp, AppArmor/SELinux for containers, user namespaces. |
| 05_MONTH_SUPPLY_CHAIN.md | Weeks 17–20. SBOM (Syft), vuln scanning (Grype/Trivy), signing (cosign), SLSA. |
| 06_MONTH_BUILD_YOUR_OWN.md | Weeks 21–24. Mini-Docker capstone: Go or Rust implementation. |
| APPENDIX_A_HARDENING.md | Image hardening, runtime hardening, gVisor/Kata, rootless patterns. |
| APPENDIX_B_REFERENCE_PATTERNS.md | Common image patterns, multi-arch builds, debugging, CI/CD recipes. |
| APPENDIX_C_CONTRIBUTING.md | Contribution paths to runc, containerd, podman, buildah. |
| CAPSTONE_PROJECTS.md | Three tracks: mini-Docker, image scanning service, runtime fork. |
## How Each Week Is Structured

- Conceptual Core: the why, with a mental model.
- Mechanical Detail: the how, down to spec section and source location.
- Lab: a hands-on exercise.
- Hardening Drill: a security-relevant micro-task that compounds week over week.
- Production Readiness Slice: a CI/CD, registry, signing, or scanning task that builds toward a publishable template.
Each week is sized for ~12–16 focused hours.
## Progression Strategy

```
OCI Foundations ──► Filesystems & Builds ──► Runtimes & Daemons
       │                      │                       │
       └──────────┬───────────┴───────────────────────┘
                  ▼
               Security
                  │
                  ▼
             Supply Chain
                  │
                  ▼
            Build Your Own
```
## Prerequisites

- Comfortable on a Linux command line.
- Familiar with namespaces and cgroups at a basic level (see the Linux curriculum for the deep version).
- Able to read C, Go, or Rust comfortably; the capstone choice depends on this.
## Capstone Tracks (pick one in Month 6)

- Mini-Docker: a from-scratch container runner in Go or Rust implementing namespaces, cgroups, OverlayFS, and a small subset of the OCI runtime spec.
- Image Scanning & Signing Service: an HTTP service that ingests images, runs Syft + Grype + Trivy, attaches signed SBOMs, and gates promotion via a cosign-based policy.
- Custom Runtime: fork runc (or write a crun equivalent) and add one feature: a gVisor-style sandbox, a custom seccomp profile generator, or eBPF-based observability.
Details in CAPSTONE_PROJECTS.md.
## Worked examples

Concrete walkthroughs that pair with the senior weeks: real code, narrated line by line, with the trap and an exercise. They have a different shape from the syllabus chapters and are designed to be read after (or before) the matching week.