100 Docker Interview Questions and Answers

Here are 100 Docker interview questions and answers, covering fundamentals, commands, Dockerfile, networking, volumes, Docker Compose, security, and real-world scenarios.

Docker Fundamentals

1. What is Docker?
Docker is an open-source platform that automates the deployment, scaling, and management of applications using containerization. Containers package an application and its dependencies together, ensuring consistency across environments.

2. What is a container?
A lightweight, standalone, executable software package that includes everything needed to run an application: code, runtime, system tools, libraries, and settings. Containers share the host OS kernel but run in isolated user spaces.

3. How does a container differ from a virtual machine?
Containers share the host OS kernel and are much more lightweight, starting in seconds. VMs include a full guest OS, hypervisor layer, and are heavier. Containers offer process-level isolation; VMs provide full OS isolation.

4. What is the Docker engine?
The core Docker runtime consisting of a server (dockerd), a REST API, and a command-line interface (docker CLI). The daemon manages containers, images, networks, and volumes.

5. What are the key components of Docker architecture?
Docker client (CLI), Docker daemon (dockerd), Docker registries (Docker Hub), images, containers, networks, and volumes. The client communicates with the daemon via REST API.

6. What is a Docker image?
A read-only template with instructions for creating a Docker container. It’s built in layers and contains the application code, runtime, libraries, and configurations.

7. What is a Docker container?
A runnable instance of a Docker image. You can create, start, stop, move, or delete a container. It’s isolated but can share resources with the host.

8. What is Docker Hub?
A cloud-based registry service provided by Docker for finding and sharing container images. It hosts official images and community submissions.

9. What is the difference between a Docker image and a container?
An image is a blueprint (template), while a container is the running instance of that image. You can run multiple containers from the same image.

10. What is container orchestration?
The automated management of containerized applications, including deployment, scaling, and operations. Tools: Kubernetes, Docker Swarm, Amazon ECS.

Images & Containers

11. How do you list all running containers?
docker ps — lists running containers. Add -a flag to show all containers (stopped included).

12. How do you start a stopped container?
docker start container_name_or_id

13. How do you stop a running container?
docker stop container_name_or_id (graceful). docker kill for immediate termination.

14. How do you remove a container?
docker rm container_name_or_id. Use -f to force-remove a running container. docker container prune removes all stopped containers.

15. How do you remove an image?
docker rmi image_name_or_id. Force with -f. Use docker image prune to remove unused images.

16. How do you execute a command inside a running container?
docker exec -it container_name_or_id /bin/bash (or sh). This creates an interactive terminal session.

17. How do you see the logs of a container?
docker logs container_name_or_id. Follow with -f flag: docker logs -f container.

18. What does the -d flag do in docker run?
Runs the container in detached mode (in the background), and prints the container ID.

19. How do you map ports when running a container?
Using -p host_port:container_port. Example: docker run -p 8080:80 nginx maps host port 8080 to container port 80.

20. What is the difference between CMD and ENTRYPOINT in a Dockerfile?
CMD provides default command and/or arguments that can be overridden. ENTRYPOINT configures a container to run as an executable; arguments appended to docker run are passed to it.

21. How do you inspect details of a container or image?
docker inspect container_or_image_name — returns JSON with detailed low-level information.

22. How do you copy files between a container and the host?
docker cp <src> <dest>. Example: docker cp container:/app/log.txt ./ copies file from container to host.

23. How do you create a container without starting it?
docker create image_name — creates a writable container layer but does not start it.

24. What does docker run do under the hood?
Pulls the image if it is not available locally, creates a new container, allocates a filesystem, applies resource limits, configures networking, and starts the container.

25. How do you rename a container?
docker rename old_name new_name

Dockerfile

26. What is a Dockerfile?
A text document containing a series of instructions for Docker to build an image automatically. Each instruction creates a new layer.

27. What is the difference between ADD and COPY?
COPY copies files from host into the image. ADD does the same but also supports remote URLs and automatic tar extraction. COPY is preferred for simple file copying.

28. What is the RUN instruction?
Executes commands during image build, creating a new layer. Example: RUN apt-get update && apt-get install -y curl.

29. What is the EXPOSE instruction?
Informs Docker that the container will listen on the specified network ports at runtime. It’s documentation; actual port mapping requires -p flag.

30. What are multi-stage builds?
A Dockerfile feature that uses multiple FROM statements to create intermediate images, allowing you to copy only necessary artifacts from one stage to the final image, reducing final image size.

31. How do you use an environment variable in a Dockerfile?
ENV MY_VAR=value sets it. You can also use ARG for build-time variables that are not persisted in the image.

32. What is .dockerignore?
A file that specifies patterns of files and directories to exclude from the build context, similar to .gitignore. It speeds up builds and prevents sensitive data leakage.

33. What is the difference between ARG and ENV?
ARG is only available during build time (passed via --build-arg). ENV persists in the image and is available in containers.

34. How do you optimize a Dockerfile for smaller image size?
Use a minimal base image (Alpine), combine RUN commands with && to reduce layers, use multi-stage builds, clean up package caches, and remove unnecessary files.

35. What is the WORKDIR instruction?
Sets the working directory for any subsequent RUN, CMD, ENTRYPOINT, COPY, and ADD instructions. If it doesn’t exist, it’s created.

36. What is the USER instruction?
Sets the user (and optionally group) to run the container and any subsequent RUN, CMD, and ENTRYPOINT instructions. Running as non-root improves security.

37. What is the HEALTHCHECK instruction?
Tells Docker how to test if the container is still working, useful for detecting issues like deadlocks. It runs a command periodically and can return status.

38. What is the purpose of ONBUILD?
Adds a trigger instruction to be executed when the image is used as a base for another build. Rarely used nowadays.

39. How do you build an image from a Dockerfile?
docker build -t image_name:tag . (the . is the build context).

40. How do you tag an image?
During build: -t name:tag. After build: docker tag source_image:tag target_image:tag.

Docker Commands & Management

41. How do you push an image to a registry?
docker push image_name:tag. First, tag it with the registry host if needed: docker tag local_name:tag registry/name:tag.

42. How do you pull an image?
docker pull image_name:tag. If tag is omitted, latest is assumed.

43. How do you view Docker disk usage?
docker system df — shows space used by images, containers, volumes, and build cache.

44. How do you clean up unused Docker objects?
docker system prune — removes stopped containers, unused networks, dangling images, and build cache. Add -a for all unused images.

45. How do you run a command in a new container immediately?
docker run image_name command. Container will run the command and exit when command finishes (unless run with -it for interactive).

46. How do you check the status of Docker daemon?
docker info and docker version. On Linux, systemctl status docker.

47. What is docker commit?
Creates a new image from a running container’s changes. It’s generally discouraged in favor of Dockerfile builds for reproducibility.

48. How do you save and load Docker images?
docker save -o file.tar image exports image to tar. docker load -i file.tar loads an image from tar.

49. How do you view resource usage of containers?
docker stats — live stream of CPU, memory, network, and disk usage.

50. How do you run a container interactively?
docker run -it image_name /bin/bash

Networking

51. What are the different network drivers in Docker?
bridge (default isolated network), host (container shares host network namespace), overlay (multi-host communication for Swarm), none (disables networking), macvlan (assigns MAC address).

52. What is the default Docker network?
bridge — a private internal network on the host. Containers on same bridge network can communicate via IP addresses.

53. How do you create a custom bridge network?
docker network create network_name. Containers on the same custom bridge can resolve each other by container name.

54. How do you connect a container to a network?
At runtime: docker run --network=network_name image. Or after: docker network connect network_name container.

55. What is DNS resolution in Docker networks?
Containers on a user-defined bridge network can resolve each other by container name or network alias automatically using Docker’s built-in DNS server.

56. How do you publish all exposed ports randomly?
docker run -P image — publishes all EXPOSEd ports to random host ports.

57. What is the host network mode and when would you use it?
Container shares the host’s networking namespace directly; no isolation. Use for high-performance networking or when you want the container to bind to a specific host port without port mapping.

58. How do containers communicate with an external database?
They connect via the host’s network (using host.docker.internal or host IP) or through Docker networking if the database is containerized, using the service name.

59. What is an overlay network?
A network spanning multiple Docker hosts, used in Docker Swarm mode to allow containers across different hosts to communicate.

60. How do you inspect a network?
docker network inspect network_name

Storage & Volumes

61. What is a Docker volume?
A persistent data storage mechanism managed by Docker. Stored in a part of the host filesystem (/var/lib/docker/volumes/). Volumes survive container deletion.

62. What is the difference between a volume and a bind mount?
Volumes are Docker-managed, portable, and independent of host file system structure. Bind mounts link a specific host path to a container path; they are host-dependent.

63. How do you create and use a volume?
docker volume create my_vol, then docker run -v my_vol:/container/path image.

64. What are tmpfs mounts?
Temporary storage that resides in the host’s memory, not persistent. Use for sensitive files you don’t want persisted.

65. How do you list volumes?
docker volume ls. Inspect: docker volume inspect vol_name. Remove: docker volume rm vol_name. Prune: docker volume prune.

66. How do you share data between containers?
Create a volume and mount it in multiple containers. They can read/write simultaneously.

67. Where are Docker volumes stored on Linux?
Typically under /var/lib/docker/volumes/.

68. How do you back up a Docker volume?
Mount the volume into a temporary container alongside a backup directory, then use tar to archive the volume, saving to the host via bind mount.

69. How do you manage permissions for volumes?
Use the :Z or :z SELinux labels, or ensure the container’s user matches the host’s file ownership. Best practice is to run containers as non-root and align UIDs.

70. What is a storage driver in Docker?
Manages how images and containers are stored and layered on the filesystem. Examples: overlay2 (default), aufs, devicemapper. Overlay2 is recommended for modern Linux kernels.

Docker Compose

71. What is Docker Compose?
A tool for defining and running multi-container Docker applications. You define services, networks, and volumes in a YAML file (docker-compose.yml), then use a single command to start everything.

72. How is Compose different from docker run commands?
Compose allows declarative configuration of multiple containers, their relationships, and dependencies in one file, making complex setups reproducible and version-controlled.

73. What is the typical structure of a docker-compose.yml file?

version: '3'
services:
  web:
    image: nginx
    ports:
      - "8080:80"
  db:
    image: postgres
    volumes:
      - db-data:/var/lib/postgresql/data
volumes:
  db-data:

74. How do you start services defined in Compose?
docker-compose up — add -d for detached mode.

75. How do you stop and remove Compose services?
docker-compose down — stops containers and removes networks. Add -v to also remove volumes.

76. How do you scale a service in Compose?
docker-compose up --scale service_name=N. However, Compose mainly handles single-host scaling; for production scaling, use Swarm or Kubernetes.

77. What is the difference between docker-compose and docker stack?
docker-compose is for local development on a single host. docker stack is for deploying Swarm services in production using a similar Compose file (with deploy keys).

78. How do you use environment variables in Compose?
Either define them under the environment key in the YAML, or pass an .env file using the env_file attribute.

79. How do you rebuild images in Compose?
docker-compose build or docker-compose up --build.

80. What is the depends_on directive?
Controls the order of service startup. It does not wait for the service to be “ready” (e.g., wait for DB to accept connections), only that it started. For readiness, use tools like wait-for-it.sh or health checks with condition in version 2.1+.

Docker Security

81. Why should you avoid running containers as root?
If the container is compromised, the attacker can get root on the host when the container has privileged access or the attacker uses an escape exploit. Running as a non-root user reduces the blast radius.

82. What is the --privileged flag?
Grants the container almost all capabilities and lifts all cgroup restrictions. Use is extremely discouraged; avoid unless absolutely necessary for low-level hardware access.

83. How do you limit container resources?
--memory and --cpus flags: docker run --memory="256m" --cpus="1.5" image. Prevents DoS attacks and noisy neighbors.

84. What are Docker content trust and image signing?
Content trust uses digital signatures to verify the integrity and publisher of images. Enabled via DOCKER_CONTENT_TRUST=1 environment variable.

85. How do you scan images for vulnerabilities?
docker scan image (uses Snyk) or tools like Trivy, Clair, or Anchore. Integrate the scan into the CI pipeline.

86. What are Linux capabilities in Docker?
Instead of giving full root, you can give specific privileges (like NET_BIND_SERVICE) using --cap-add and --cap-drop. Better to drop all and add only needed.

87. What is a seccomp profile?
A security facility that restricts the system calls a process can make. Docker applies a default seccomp profile that disables many dangerous syscalls.

88. How do you manage secrets in Docker?
In Swarm mode, use docker secret to securely transmit sensitive data (passwords, certs). For standalone, use environment variables with care, or external vaults (HashiCorp Vault). Never bake secrets into images.

89. What is the risk of exposing the Docker daemon socket (/var/run/docker.sock)?
Giving a container access to the socket gives it full control over the Docker host. Avoid it; use the Docker API with authentication and TLS if remote access is needed.

90. What is Docker Bench Security?
An automated script that checks containers against dozens of best practices outlined in the CIS Docker Benchmark.
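
The runtime settings from questions 81 to 89 can be checked on existing containers by reading `docker inspect` output. The following is an added example, not part of the original list and not Docker Bench code: the sample records are constructed, and the finding names and function names are assumptions chosen for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/web-risky",
  "Config": {"User": ""},
  "HostConfig": {"Privileged": true, "CapAdd": null, "CapDrop": null,
                 "Memory": 0, "NanoCpus": 0,
                 "SecurityOpt": ["seccomp=unconfined"]},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]},
 {"Name": "/web-hardened",
  "Config": {"User": "10001:10001"},
  "HostConfig": {"Privileged": false, "CapAdd": ["NET_BIND_SERVICE"],
                 "CapDrop": ["ALL"], "Memory": 268435456,
                 "NanoCpus": 1500000000, "SecurityOpt": null},
  "Mounts": []}
]
""")

ROOT_USERS = {"", "0", "root"}  # an empty User field means the image default, usually root


def audit_container(c):
    """Return a sorted list of finding names (hypothetical labels) for one record."""
    findings = set()
    host = c.get("HostConfig") or {}
    user = ((c.get("Config") or {}).get("User") or "").split(":")[0]
    if user in ROOT_USERS:
        findings.add("runs-as-root")               # question 81
    if host.get("Privileged"):
        findings.add("privileged")                 # question 82
    if not host.get("Memory"):
        findings.add("no-memory-limit")            # question 83, set by --memory
    if not host.get("NanoCpus"):
        findings.add("no-cpu-limit")               # question 83, set by --cpus
    dropped = {cap.upper() for cap in host.get("CapDrop") or []}
    if "ALL" not in dropped:
        findings.add("caps-not-dropped")           # question 86
    for opt in host.get("SecurityOpt") or []:
        if opt.lower().startswith("seccomp") and opt.lower().endswith("unconfined"):
            findings.add("seccomp-unconfined")     # question 87
    for m in c.get("Mounts") or []:
        if (m.get("Source") or "").endswith("docker.sock"):
            findings.add("docker-socket-mounted")  # question 89
    return sorted(findings)


def audit(records):
    """Map container name to findings for a parsed `docker inspect` list."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in records}
```

On a real host, the input would be the JSON printed by docker inspect for the containers listed by docker ps -q, parsed with json.loads and passed to audit().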

Docker Swarm & Orchestration (Basics)

91. What is Docker Swarm?
Docker’s native clustering and orchestration solution that turns a pool of Docker hosts into a single, virtual host. It provides service deployment, scaling, and load balancing.

92. How do you initialize a Swarm?
docker swarm init on the manager node. Workers join using token: docker swarm join --token ...

93. What is a service in Swarm?
A definition of a task to be executed on manager or worker nodes. It’s the cluster-level equivalent of docker run. You define a service with desired state (number of replicas, etc.).

94. What is a stack in Swarm?
A group of interrelated services that can be deployed together using a Compose file (v3+). Command: docker stack deploy -c docker-compose.yml stackname.

95. How do you scale a service in Swarm?
docker service scale servicename=5

96. What is a node in Swarm?
A Docker Engine instance participating in the swarm. Manager nodes handle orchestration; worker nodes execute tasks.

97. What is the difference between a replicated and global service?
Replicated service runs a specified number of identical tasks across nodes. Global service runs exactly one task on every node (useful for agents like monitoring).

98. How does load balancing work in Swarm?
Swarm has an internal DNS that distributes requests among service tasks. External traffic enters via the routing mesh; any node can accept a request on a published port and forward it to a valid task.

Troubleshooting & Scenarios

99. A container keeps crashing immediately after startup. How do you debug?
Check logs with docker logs container_id. Run the container with an interactive shell overriding CMD: docker run -it --entrypoint /bin/sh image. Check for misconfigurations, missing files, or resource limits.

100. Your Docker build takes too long. How do you optimize it?
Use a .dockerignore to exclude unnecessary files, order layers from least to most frequently changing (dependencies first), combine RUN commands, use multi-stage builds, leverage build cache, and use caching mirrors for package managers.
