DOCKER

DOCKER Interview Questions and Answers

1. What is Docker, and how is it different from a virtual machine?

Answer: Docker is a platform for developing, shipping, and running applications in containers. Unlike virtual machines (which virtualize hardware), Docker virtualizes the OS, making it lightweight and faster to start.

Feature Virtual Machine Docker
Virtualizes Hardware OS level
Startup Time Minutes Seconds
Resource Use Heavy Lightweight

2. What is a Docker image?

Answer: A Docker image is a read-only template containing the application code, libraries, dependencies, and instructions needed to create a container.

3. How do you create a Docker image?

Answer: By writing a Dockerfile and running docker build.

Example:

FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD ["npm", "start"]

Run:

docker build -t my-node-app .

4. What is a Docker container?

Answer: A Docker container is a runnable instance of a Docker image. It includes the app and its environment, isolated from the host.

Run a container:

docker run -d -p 3000:3000 my-node-app

5. Explain the difference between CMD and ENTRYPOINT in Docker.

Answer: Both define the command to run inside a container, but ENTRYPOINT is not overridden by command-line arguments, while CMD is.

Example:

ENTRYPOINT ["echo"]
CMD ["Hello"]

Running:

docker run myimage World

Output: echo World

6. How do you view running Docker containers?

docker ps

To see all containers:

docker ps -a

7. How do you stop a running container?

docker stop <container_id>

8. What is the difference between docker stop and docker kill?

Answer: docker stop sends a SIGTERM and allows graceful shutdown; docker kill sends SIGKILL and forces immediate stop.

9. How do you remove a Docker container?

docker rm <container_id>

Remove all stopped containers:

docker container prune

10. How do you remove a Docker image?

docker rmi <image_id>

11. What is Docker Hub?

Answer: Docker Hub is a cloud-based repository where Docker users can share, store, and distribute images.

12. Explain Docker volumes and their use cases.

Answer: Volumes are Docker-managed directories stored on the host to persist data outside containers.

Mount a volume:

docker run -v my_volume:/data busybox

13. Difference between bind mounts and volumes?

Feature Bind Mounts Volumes
Managed by User Docker
Path specified Absolute path Named or anonymous
Backups Manual docker volume command

14. What is the Dockerfile instruction order significance?

Answer: Docker builds layers in the order of instructions. Changing early layers causes rebuilding of all subsequent layers.

15. What is a multi-stage build in Docker? Why use it?

Answer: It allows using multiple FROM instructions to reduce final image size by copying only needed artifacts to the final stage.

Example:

FROM golang:1.18 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

FROM alpine
COPY --from=builder /app/myapp /myapp
CMD ["/myapp"]

16. Explain Docker networking types.

Network Type Use case
bridge Default, single-host
host Shares host network
overlay Multi-host swarm
none No networking

17. How do you connect a container to a network?

docker network create mynet
docker run --network=mynet myimage

18. What is a Docker context?

Answer: A context lets you switch between different Docker environments (e.g., local, remote servers).

List:

docker context ls

Use:

docker context use mycontext

19. What is the difference between COPY and ADD in Dockerfile?

COPY ADD
Copies files/directories Copies + supports URL, tar extraction

Prefer COPY unless you need extra ADD features.

20. How do you pass environment variables to containers?

docker run -e VAR_NAME=value myimage

Or in Dockerfile:

ENV VAR_NAME value

21. Explain docker exec vs docker attach.

Answer:

  • docker exec: runs a command in a running container.

  • docker attach: connects your terminal to container's main process.

Use exec for isolated command; attach to interact directly.

22. What is a dangling image?

Answer: An image not tagged or referenced by any container, usually intermediate build layers.

Clean:

docker image prune

23. What is Docker Swarm?

Answer: Native Docker clustering tool for managing multiple Docker hosts as a single virtual system.

Initialize:

docker swarm init

24. How do you scale services in Docker Swarm?

docker service scale myservice=5

25. How do you inspect a Docker container?

docker inspect <container_id>

26. How do you limit CPU and memory usage in a container?

docker run --memory="500m" --cpus="1.5" myimage

27. What is .dockerignore file?

Answer: Works like .gitignore to exclude files from the build context.

Example:

node_modules
*.log

28. Explain Docker Compose.

Answer: A tool to define and run multi-container Docker apps using docker-compose.yml.

Example docker-compose.yml:

version: '3'
services:
  web:
    image: nginx
    ports:
      - "8080:80"
  db:
    image: mysql
    environment:
      MYSQL_ROOT_PASSWORD: example

Run:

docker-compose up -d

29. What is the difference between docker-compose up and docker-compose up --build?

Answer: up --build forces rebuilding images before starting containers.

30. How do you persist database data in Docker?

By using a named volume:

docker run -v db_data:/var/lib/mysql mysql

31. What is the difference between docker save and docker export?

Answer:

  • docker save: saves an image (with layers and metadata) to a tar archive.

  • docker export: exports a container's filesystem as a tar archive without metadata.

32. How do you import/export Docker images?

Export:

docker save myimage > myimage.tar

Import:

docker load < myimage.tar

33. How do you copy files from a running container to the host?

docker cp <container_id>:/path/in/container /host/path

34. What is the difference between a container restart policy always vs unless-stopped?

Policy Behavior
always Always restarts
unless-stopped Restart unless explicitly stopped

35. What is the difference between image layers and containers?

Answer: Images are composed of immutable layers; containers are runnable instances that add a writable layer on top of the image layers.

36. How do you clean up unused Docker resources?

docker system prune

37. Explain what happens when you run docker run nginx.

Answer:

  1. Docker checks for nginx image locally.

  2. If not found, pulls from registry.

  3. Creates container from image.

  4. Starts container with default command.

38. How do you configure logging drivers in Docker?

docker run --log-driver=json-file myimage

Available drivers: json-file, syslog, journald, gelf, fluentd, awslogs.

39. How do you view Docker container logs?

docker logs <container_id>

40. How do you debug a Docker build failure?

docker build --progress=plain --no-cache .

Also use docker history <image> to inspect layers.

41. Explain Docker health checks.

Answer: Used to determine container health status.

In Dockerfile:

HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1

42. What is a sidecar container?

Answer: A container that runs alongside a main application container, providing auxiliary functionality (logging, monitoring, proxy).

43. How do you attach to a running container's shell?

docker exec -it <container_id> /bin/bash

If bash missing, try /bin/sh.

44. How do you update a running container?

You can't directly update; you need to:

  1. Commit changes:

docker commit <container_id> myupdatedimage

  1. Run new container from updated image.

45. What is Docker's default storage driver?

Depends on OS:

  • overlay2 on most Linux distros.

  • windowsfilter on Windows.

Check:

docker info | grep Storage

46. How do you inspect an image's layers?

docker history <image>

47. Explain container exit codes.

  • 0: successful execution

  • Non-zero: error code from process

Check exit code:

docker inspect --format='{{.State.ExitCode}}' <container>

48. What is the difference between docker-compose down and docker-compose stop?

Command Effect
stop Stops containers
down Stops + removes containers, networks, volumes

49. Explain image caching in Docker builds.

Docker caches intermediate layers to speed up rebuilds; changes to earlier layers invalidate cache for later ones.

50. How do you override an image's CMD at runtime?

docker run myimage mycustomcommand

51. How do you sign a Docker image for security purposes?

Answer: By using Docker Content Trust (DCT) and Notary.
Enable DCT:

env DOCKER_CONTENT_TRUST=1 docker push myimage

52. What is the difference between Docker Content Trust and image scanning tools?

Answer: DCT ensures image authenticity and integrity via signing; scanning tools check for vulnerabilities in images.

53. How can you enforce image signature verification?

Answer: By setting DOCKER_CONTENT_TRUST=1 globally on the Docker client or in CI pipelines.

54. How do you create a custom Docker network plugin?

Answer: Write a plugin following Docker's plugin API and register it using:

docker plugin install <plugin-name>
docker network create --driver=<plugin-name> mynet

55. What is seccomp in Docker?

Answer: Seccomp (secure computing mode) is a Linux kernel feature to restrict system calls inside containers. Docker uses a default seccomp profile for added security.

56. How do you specify a custom seccomp profile?

docker run --security-opt seccomp=/path/to/profile.json myimage

57. How can you restrict container capabilities?

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myimage

58. What is a rootless Docker daemon?

Answer: A Docker daemon that runs without root privileges, improving security by reducing attack surface.

59. How do you configure Docker to run in rootless mode?

Follow official Docker rootless installation:

curl -fsSL https://get.docker.com/rootless | sh

60. What are image layers, and how do they impact caching?

Answer: Layers are immutable file system changes; Docker caches unchanged layers to avoid rebuilding.

61. How do you reduce Docker image size?

  • Use smaller base images (alpine)

  • Minimize layers

  • Use .dockerignore

  • Multi-stage builds

62. What is a scratch image?

Answer: An empty base image useful for building minimal containers (e.g., statically compiled Go binaries).

63. How do you export and import a Docker volume?

Export:

docker run --rm -v myvol:/volume -v $(pwd):/backup busybox tar czf /backup/backup.tar.gz -C /volume .

Import:

docker run --rm -v myvol:/volume -v $(pwd):/backup busybox tar xzf /backup/backup.tar.gz -C /volume

64. How do you set default ulimit values for a container?

docker run --ulimit nofile=1024:2048 myimage

65. How do you analyze the disk space used by Docker?

docker system df

66. What is the difference between Docker Swarm and Kubernetes?

Feature Swarm Kubernetes
Setup complexity Low High
Features Basic Extensive
Ecosystem Docker-native Broad

67. How do you manage secrets in Docker Swarm?

docker secret create mysecret ./mysecret.txt
docker service create --secret mysecret nginx

68. How do you update an existing secret in Docker Swarm?

Secrets are immutable; create a new secret and update the service with the new secret.

69. How do you monitor Docker containers?

  • docker stats

  • Prometheus + cAdvisor

  • 3rd-party tools like Datadog, Grafana, ELK.

70. What is container runtime? Give examples.

Answer: Low-level software to run containers. Examples: runc, containerd, cri-o.

71. How do you customize logging in Docker Compose?

logging:
  driver: syslog
  options:
    syslog-address: "tcp://192.168.0.42:123"

72. What are container labels?

Answer: Key-value metadata used to organize and filter containers.

docker run --label environment=dev myimage

73. How do you filter containers by label?

docker ps --filter label=environment=dev

74. How do you configure resource limits in Docker Compose?

services:
  web:
    image: nginx
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 512M

75. Explain Docker BuildKit.

Answer: BuildKit is a modern build engine offering faster builds, parallelization, and better caching.
Enable:

DOCKER_BUILDKIT=1 docker build .

76. How do you run Docker inside Docker (dind)?

docker run --privileged -d docker:dind

77. What is the difference between ENTRYPOINT and CMD in Compose?

Compose uses entrypoint: and command: keys; entrypoint overrides image ENTRYPOINT, command overrides CMD.

78. How do you isolate container I/O from host?

  • Use --read-only filesystem

  • Limit mounts

  • Control device access via --device

79. How do you inspect Docker network traffic?

Use tcpdump or Wireshark inside container or attach to bridge interface on host.

80. How do you debug a stuck container?

docker exec -it <container> sh

Check logs, process tree, network connections.

81. What are common Docker security risks?

  • Running as root

  • Privileged containers

  • Exposed daemon socket

  • Untrusted images

82. How do you avoid image tampering?

  • Use signed images

  • Verify checksums

  • Pull only from trusted registries

83. What are namespaces in Docker?

Answer: Linux namespaces isolate resources (PID, net, IPC, mnt, UTS) between containers.

84. What are cgroups in Docker?

Answer: Linux control groups to limit and account resources (CPU, memory, I/O) for containers.

85. How do you change default Docker data directory?

Edit /etc/docker/daemon.json:

{
  "data-root": "/mnt/docker-data"
}

Restart daemon.

86. What is the difference between soft and hard memory limits?

Answer: Docker uses kernel memory limits; soft is an advisory, hard is enforced. Docker enforces --memory as hard limit.

87. How do you configure overlay network encryption in Swarm?

docker network create --opt encrypted --driver overlay my_overlay

88. How do you remove all unused Docker resources?

docker system prune -a

89. How do you configure an HTTP proxy for Docker daemon?

Set environment file /etc/systemd/system/docker.service.d/http-proxy.conf:

[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"

Reload systemd:

systemctl daemon-reload
systemctl restart docker

90. How do you clean up dangling volumes?

docker volume prune

91. How do you check container IP address?

docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container>

92. How do you configure Docker to listen on a TCP socket?

Edit /etc/docker/daemon.json:

{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}

93. What are OCI containers?

Answer: Containers following the Open Container Initiative specification (standard for image format and runtime).

94. What is container image digest?

Answer: A SHA256 hash uniquely identifying an image's content.

Pull by digest:

docker pull nginx@sha256:abc123...

95. How do you set a restart policy in Compose?

restart: unless-stopped

96. How do you remove a node from Docker Swarm?

On manager:

docker node rm <node>

On worker:

docker swarm leave

97. How do you troubleshoot image layer cache issues?

  • Use docker build --no-cache

  • Check .dockerignore

  • Analyze docker history

98. What is a BuildKit frontend?

Answer: A plugin defining build language; default is Dockerfile frontend.

99. What are ephemeral containers (Kubernetes context)?

Answer: Temporary containers for debugging running pods.

100. How do you export Docker events for monitoring?

docker events --since 1h