
Container Internals & Runtimes: A 24-Week Mastery Roadmap

Authoring lens: Senior Container Architect. Target outcome: a graduate of this curriculum can (a) build, run, and inspect containers without a Docker daemon, using runc, skopeo, buildah, and crun directly; (b) reason from the OCI specs to wire-level container behavior; (c) ship hardened images with reproducible builds, SBOMs, and signed provenance; and (d) implement a "mini-Docker" that demonstrates manual orchestration of namespaces, cgroups, and rootfs.

This is not "Docker in a week." It assumes the reader has used containers and is ready to read the OCI specs and runc source as primary literature.


Repository Layout

File                                Purpose
00_PRELUDE_AND_PHILOSOPHY.md        What containers actually are (and aren't); the shape of the OCI ecosystem.
01_MONTH_OCI_FOUNDATIONS.md         Weeks 1–4. OCI image + runtime specs, runc, crun, skopeo.
02_MONTH_FILESYSTEMS_AND_BUILDS.md  Weeks 5–8. OverlayFS, image layers, buildah, multi-stage, distroless.
03_MONTH_RUNTIMES_AND_DAEMONS.md    Weeks 9–12. containerd, CRI-O, podman, the no-daemon model, rootless.
04_MONTH_SECURITY.md                Weeks 13–16. Capabilities, seccomp, AppArmor/SELinux for containers, user namespaces.
05_MONTH_SUPPLY_CHAIN.md            Weeks 17–20. SBOM (Syft), vuln scanning (Grype/Trivy), signing (cosign), SLSA.
06_MONTH_BUILD_YOUR_OWN.md          Weeks 21–24. Mini-Docker capstone: Go or Rust implementation.
APPENDIX_A_HARDENING.md             Image hardening, runtime hardening, gVisor/Kata, rootless patterns.
APPENDIX_B_REFERENCE_PATTERNS.md    Common image patterns, multi-arch builds, debugging, CI/CD recipes.
APPENDIX_C_CONTRIBUTING.md          Contribution paths to runc, containerd, podman, buildah.
CAPSTONE_PROJECTS.md                Three tracks: mini-Docker, image scanning service, runtime fork.

How Each Week Is Structured

  1. Conceptual Core: the why, with a mental model.
  2. Mechanical Detail: the how, down to spec section and source location.
  3. Lab: a hands-on exercise.
  4. Hardening Drill: a security-relevant micro-task that compounds week over week.
  5. Production Readiness Slice: a CI/CD, registry, signing, or scanning task that builds toward a publishable template.

Each week is sized for ~12–16 focused hours.


Progression Strategy

OCI Foundations ──► Filesystems & Builds ──► Runtimes & Daemons
       │                    │                          │
       └──────────┬─────────┴──────────────────────────┘
              Security
             Supply Chain
            Build Your Own

Prerequisites

  • Comfortable on a Linux command line.
  • Familiar with namespaces and cgroups at a basic level (see the Linux curriculum for the deep version).
  • Reading-comfortable with C, Go, or Rust; the capstone choice depends on which of these you can read fluently.

Capstone Tracks (pick one in Month 6)

  1. Mini-Docker: a from-scratch container runner in Go or Rust implementing namespaces, cgroups, OverlayFS, and a small subset of the OCI runtime spec.
  2. Image Scanning & Signing Service: an HTTP service that ingests images, runs Syft + Grype + Trivy, attaches signed SBOMs, and gates promotion via a cosign-based policy.
  3. Custom Runtime: fork runc (or write a crun equivalent) and add one feature: a gVisor-style sandbox, a custom seccomp profile generator, or eBPF-based observability.

Details in CAPSTONE_PROJECTS.md.
