Docker Interview Questions
Comprehensive Docker interview preparation guide with 50+ questions covering basic concepts, Dockerfile, networking, volumes, Compose, Swarm, security, and scenario-based problems.
Docker Basics
1 What is Docker and how does it differ from virtual machines?
Docker is a containerization platform that packages applications and their dependencies into containers. Unlike VMs, containers share the host OS kernel, making them lightweight (MBs vs GBs), faster to start (seconds vs minutes), and more efficient. VMs virtualize hardware; containers virtualize the operating system.
2 What is a Docker image and a Docker container?
An image is a read-only template with instructions for creating a container. It contains the application code, libraries, and dependencies. A container is a runnable instance of an image. Images are like classes; containers are like objects.
3 What is the difference between CMD and ENTRYPOINT in Dockerfile?
CMD sets a default command that can be overridden by arguments passed to `docker run`. ENTRYPOINT sets the executable and is harder to override (it takes the `--entrypoint` flag). They are often used together: ENTRYPOINT for the executable, CMD for default arguments. Example: `ENTRYPOINT ["nginx"]` followed by `CMD ["-g", "daemon off;"]`.
4 Explain the Docker architecture.
Docker uses a client-server architecture. The Docker client communicates with the Docker daemon (dockerd) via REST API. The daemon manages images, containers, networks, and volumes. Docker registries (like Docker Hub) store and distribute images. Docker Desktop includes the daemon and client.
Dockerfile & Images
5 What are the most common Dockerfile instructions?
FROM (base image), RUN (execute commands), COPY (copy files), ADD (copy with tar/URL support), WORKDIR (set working directory), ENV (environment variables), EXPOSE (document ports), CMD (default command), ENTRYPOINT (main command), USER (non-root user), VOLUME (persistent storage).
6 What is a multi-stage build and why use it?
Multi-stage builds use multiple FROM statements to separate the build environment from the runtime environment. Build tools and compilers stay in the builder stage; only the compiled artifacts are copied to the final stage. This reduces image size significantly (e.g., 1GB to 15MB for Go apps).
7 What is the difference between COPY and ADD?
COPY copies files from the build context into the image. ADD does the same and also supports URL downloads and auto-extraction of tar files. Unless you need those features, use COPY to avoid unexpected behavior.
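An added example, not from the original guide: a small reviewer that classifies each `ADD` source as a remote URL, an auto-extracted archive, or a plain file where `COPY` would do. The sample Dockerfile and function names are constructed, and archives are recognised by file extension as a simplifying assumption.

```python
import json
import re
import shlex

# Heuristic for this example: ADD detects archives by content, not by file name.
ARCHIVE = re.compile(r"\.(tar|tar\.gz|tgz|tar\.bz2|tar\.xz)$", re.I)

# Constructed sample Dockerfile (not from the page).
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19
ADD https://example.invalid/tool.sh /usr/local/bin/tool.sh
ADD --chown=app:app rootfs.tar.gz /
ADD ["config.yml", "/etc/app/"]
COPY app /app
"""

def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start, buf = start or n, buf + line.rstrip("\\") + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf, start = "", 0

def add_sources(args):
    """Return the source operands of an ADD written in shell or JSON-array form."""
    args = re.sub(r"^(--\S+\s+)+", "", args.strip())  # drop flags such as --chown
    parts = json.loads(args) if args.startswith("[") else shlex.split(args)
    return parts[:-1]  # the last operand is the destination

def review_add(text):
    """Return (line, source, verdict) for every source of every ADD instruction."""
    findings = []
    for n, instr in logical_lines(text):
        match = re.match(r"ADD\s+(.*)", instr, re.I)
        for src in add_sources(match.group(1)) if match else []:
            if re.match(r"https?://", src, re.I):
                verdict = "remote-url"      # downloaded at build time
            elif ARCHIVE.search(src):
                verdict = "auto-extract"    # unpacked into the destination
            else:
                verdict = "use-copy"        # COPY does the same, explicitly
            findings.append((n, src, verdict))
    return findings
```

Calling `review_add(SAMPLE_DOCKERFILE)` returns one tuple per `ADD` source; the `COPY` line produces no finding.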
8 What is a .dockerignore file?
.dockerignore excludes files from the build context, similar to .gitignore. It prevents sending unnecessary files (node_modules, .git, logs) to the Docker daemon, speeding up builds and reducing image size.
Essential Docker Commands
9 What is the difference between docker run and docker start?
`docker run` creates and starts a new container from an image. `docker start` starts an existing, stopped container. Use `docker run` for first-time launch, `docker start` for subsequent launches.
10 What does `docker exec` do?
`docker exec` runs a command inside a running container. It's used for debugging, running migrations, or getting an interactive shell. Example: `docker exec -it container bash`.
11 How do you view logs of a container?
Use `docker logs container_name`. Add `-f` to follow logs, `--tail N` for last N lines, `--since` for time-based filtering.
Docker Networking
12 What are the different Docker network drivers?
bridge (default for standalone containers), host (no isolation, uses host network), none (no network), overlay (multi-host communication for Swarm), macvlan (assign MAC addresses for physical network integration).
13 How do containers communicate with each other?
On a user-defined bridge network, containers can communicate by container name (automatic DNS resolution). On the default bridge, use IP addresses only. For multi-host communication, use overlay networks.
14 What is the difference between EXPOSE and -p?
EXPOSE is documentation - it doesn't publish ports. `-p` (or `--publish`) actually maps host port to container port, making the service accessible outside the host.
Volumes & Storage
15 What is the difference between a volume and a bind mount?
Volumes are managed by Docker, stored in `/var/lib/docker/volumes/`, and portable across systems. Bind mounts map any host directory directly into the container and depend on the host's path layout. Use volumes for production, bind mounts for development.
16 How do you create and use a named volume?
Run `docker volume create mydata`, then `docker run -v mydata:/data myapp`. Or skip the create step: `docker run -v mydata:/data myapp` creates the volume automatically.
17 Does a container's data persist after deletion?
No, the writable layer is deleted with the container. Use volumes to persist data beyond container lifecycle.
Docker Compose
18 What is Docker Compose and why use it?
Docker Compose defines and runs multi-container applications using a YAML file. It simplifies managing services, networks, and volumes with a single command: `docker compose up`. Ideal for development, testing, and simple production deployments.
19 What is the difference between `depends_on` and health checks?
`depends_on` waits for container start (not readiness). Health checks wait for the service to be functional. Use both for reliable startup order.
20 How do you pass environment variables to Compose?
Three ways: `environment` directive (hardcoded), `env_file` (load from file), and `.env` file (variable substitution in compose file).
Docker Swarm
21 What is Docker Swarm and how does it work?
Docker Swarm is Docker's native container orchestration platform. It turns multiple Docker hosts into a single virtual host. Manager nodes handle cluster state using Raft consensus; worker nodes run tasks (containers). Services define desired state (replicas, image, ports).
22 What is the difference between replicated and global services?
Replicated services run a specified number of tasks on available nodes. Global services run exactly one task on every node (e.g., monitoring agents, log collectors).
23 What is the ingress routing mesh?
The ingress routing mesh is Swarm's built-in load balancer. When you publish a port, any node can accept traffic and route it to a healthy task, even if the task isn't on that node. Provides high availability.
Docker Security
24 How do you run containers as non-root user?
In the Dockerfile: create a user with `RUN adduser -D myuser` (BusyBox/Alpine syntax), then switch to it with `USER myuser`. For an existing image, override the user at run time: `docker run --user 1000:1000 myapp`.
25 What are Docker secrets and when to use them?
Docker secrets store sensitive data (passwords, API keys) securely. Available in Swarm mode. Secrets are encrypted at rest and in transit, mounted as files in `/run/secrets/`. Never use environment variables for secrets.
26 What is seccomp and how does it improve security?
seccomp (secure computing mode) restricts system calls a container can make. Docker's default seccomp profile blocks about 44 dangerous syscalls, reducing attack surface.
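An added example (not part of the original guide) that checks the three points from questions 24 to 26 against `docker inspect` output: root user, secret-like environment variable names, and a disabled seccomp profile. The sample JSON, the name pattern and the function names are constructed for illustration.

```python
import json
import re

# Heuristic (an assumption of this example): names that usually hold credentials.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE_INSPECT = """
[
  {"Name": "/legacy-api",
   "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=example-only"]},
   "HostConfig": {"SecurityOpt": ["seccomp=unconfined"]}},
  {"Name": "/web",
   "Config": {"User": "1000:1000", "Env": ["DB_PASSWORD_FILE=/run/secrets/db_password"]},
   "HostConfig": {"SecurityOpt": null}}
]
"""

def audit_container(entry):
    """Return a list of finding strings for one `docker inspect` entry."""
    findings = []
    config = entry.get("Config") or {}
    host = entry.get("HostConfig") or {}
    # Q24: an empty User means none was set, so the process starts as UID 0.
    user = (config.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root")
    # Q25: report the variable name only, never its value; *_FILE points at a mounted secret.
    for item in config.get("Env") or []:
        name = item.split("=", 1)[0]
        if SECRET_NAME.search(name) and not name.upper().endswith("_FILE"):
            findings.append(f"secret-like env var: {name}")
    # Q26: "seccomp=unconfined" (or the older "seccomp:unconfined") disables the profile.
    for opt in host.get("SecurityOpt") or []:
        if re.fullmatch(r"seccomp[=:]unconfined", opt.strip()):
            findings.append("seccomp profile disabled")
    return findings

def audit(inspect_json):
    """Map container name -> findings for a JSON array from `docker inspect`."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no findings")
```

On a real host the input would come from `docker inspect $(docker ps -q)`.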
Scenario-Based Questions
27 Your container keeps crashing. How do you debug?
1. Check `docker ps -a` for exit status.
2. View logs: `docker logs container`.
3. Inspect exit code: `docker inspect --format='{{.State.ExitCode}}' container`.
4. Run interactively: `docker run -it image sh` then manually run the command.
5. Check resource limits, volume permissions, and environment variables.
28 How would you reduce a 1.5GB Docker image to under 200MB?
1. Use Alpine base image (5MB vs 70MB).
2. Multi-stage builds (separate build tools from runtime).
3. Combine RUN commands and clean up temporary files.
4. Remove unnecessary packages.
5. Use `--squash` (experimental).
6. Use distroless images for final stage.
29 How do you handle database migrations in a containerized environment?
Run migrations as a separate one-off container before app deployment: `docker run --rm --network app-net myapp npm run migrate`. Use init containers in Kubernetes, or run as a job in Swarm. Ensure migrations are idempotent and backward-compatible.
30 Your container runs out of disk space. What do you check?
1. Logs: check `docker logs` size, configure log rotation.
2. Volumes: `docker system df -v` to find large volumes.
3. Build cache: `docker builder prune`.
4. Docker directory: `du -sh /var/lib/docker`.
5. Run `docker system prune -a` to clean up unused resources.
Advanced Topics
31 What is the difference between Docker Swarm and Kubernetes?
Swarm is simpler, integrated with Docker, and great for smaller workloads. Kubernetes is more powerful, with auto-scaling, service mesh, an extensive ecosystem, and a steeper learning curve. Choose Swarm for simplicity, K8s for enterprise-scale features.
32 What is BuildKit and why use it?
BuildKit is Docker's next-generation build engine. Benefits: parallel build stages, better cache management, secret handling, SSH forwarding, and skipping unused stages. Enable with `DOCKER_BUILDKIT=1`.
33 What are rootless containers?
Rootless containers run the Docker daemon and containers without root privileges, reducing the impact of container escapes. Available in Docker Engine 19.03+ with rootless mode.
Interview Tips for Docker
Focus on practical experience and real-world scenarios.
- Demonstrate with commands - Show you know the actual Docker commands, not just concepts.
- Share real experiences - Describe actual problems you solved with Docker.
- Understand the "why" - Explain trade-offs (e.g., volumes vs bind mounts, Swarm vs K8s).
- Security matters - Discuss non-root users, secrets, and image scanning.
- Performance optimization - Talk about multi-stage builds, Alpine images, and resource limits.
Practice explaining these concepts out loud. Many interview mistakes happen from lack of articulation, not knowledge.