
Docker

Basic Level

1. What is Docker and why is it used?

Docker is a containerization platform that packages applications and their dependencies into standardized units called containers. It's used because it ensures consistency across different environments (development, testing, production), improves resource efficiency compared to virtual machines, enables faster deployment, and simplifies application scaling and management.

2. What's the difference between a Docker image and a Docker container?

A Docker image is a read-only template that contains the application code, runtime, libraries, and dependencies needed to run an application. A container is a running instance of an image. Think of an image as a class and a container as an object of that class. You can create multiple containers from the same image.

3. What is a Dockerfile?

A Dockerfile is a text file containing instructions to build a Docker image. It specifies the base image, commands to run, files to copy, environment variables to set, and the default command to execute when a container starts. Each instruction in a Dockerfile creates a new layer in the image.

4. Explain the Docker architecture.

Docker uses a client-server architecture with three main components:

  • Docker Client: The interface users interact with (docker commands)
  • Docker Daemon (dockerd): Runs on the host machine, manages containers, images, networks, and volumes
  • Docker Registry: Stores Docker images (like Docker Hub)

The client sends commands to the daemon, which does the actual work of building, running, and managing containers.

5. What is Docker Hub?

Docker Hub is a cloud-based registry service where you can store, share, and distribute Docker images. It contains both official images (maintained by Docker and software vendors) and community images. It's the default registry Docker uses when pulling images.

Intermediate Level

6. What are Docker volumes and why are they important?

Docker volumes are the preferred mechanism for persisting data generated by and used by Docker containers. They're important because:

  • Container file systems are ephemeral (lost when container is removed)
  • Volumes exist outside the container lifecycle
  • They can be shared between containers
  • They're easier to back up and migrate
  • They have better performance than bind mounts on Windows and Mac

7. Explain the difference between CMD and ENTRYPOINT in a Dockerfile.

  • CMD: Specifies default commands/parameters that can be overridden when running the container
  • ENTRYPOINT: Defines the executable that will always run; arguments can be added but the command itself cannot be easily overridden

Example:

ENTRYPOINT ["python"]
CMD ["app.py"]

Running docker run myimage test.py would execute python test.py (CMD is overridden but ENTRYPOINT remains).

8. What is Docker Compose?

Docker Compose is a tool for defining and running multi-container Docker applications. You use a YAML file (docker-compose.yml) to configure your application's services, networks, and volumes. With a single command (docker-compose up), you can create and start all services defined in the configuration.

9. What are the different network modes in Docker?

  • Bridge: Default network, containers can communicate with each other on the same bridge
  • Host: Container shares the host's network namespace (no network isolation)
  • None: Disables networking for the container
  • Overlay: Enables communication between containers across multiple Docker hosts
  • Macvlan: Assigns a MAC address to containers, making them appear as physical devices

10. How do you reduce Docker image size?

  • Use smaller base images (alpine instead of ubuntu)
  • Use multi-stage builds to separate build dependencies from runtime
  • Minimize layers by combining RUN commands
  • Remove unnecessary files and caches in the same layer they're created
  • Use .dockerignore to exclude unnecessary files
  • Avoid installing debugging tools in production images

Advanced Level

11. Explain multi-stage builds and their benefits.

Multi-stage builds allow you to use multiple FROM statements in a Dockerfile. Each FROM instruction starts a new build stage. You can selectively copy artifacts from one stage to another, leaving behind everything you don't need in the final image.

Benefits:

  • Significantly smaller production images
  • Separation of build-time and runtime dependencies
  • Better security (build tools not in production image)
  • Cleaner Dockerfiles

Example:

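# Build stage: full Go toolchain, discarded after the build
FROM golang:1.20 AS builder
WORKDIR /app
COPY . .
# CGO_ENABLED=0 produces a static binary that runs on Alpine's musl libc
RUN CGO_ENABLED=0 go build -o myapp

# Final stage: only the compiled binary is copied in
FROM alpine:latest
COPY --from=builder /app/myapp /myapp
CMD ["/myapp"]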

12. What is the difference between COPY and ADD in Dockerfile?

Both copy files from source to the container, but:

  • COPY: Simple, straightforward copying of files/directories
  • ADD: Has additional features like auto-extracting tar files and fetching files from URLs

Best practice: Use COPY unless you specifically need ADD's extra functionality, as COPY is more transparent.

13. How does Docker implement container isolation?

Docker uses several Linux kernel features:

  • Namespaces: Isolate processes, network, users, mount points, etc.
  • Control Groups (cgroups): Limit and monitor resource usage (CPU, memory, I/O)
  • Union File Systems: Create layers for efficient storage
  • Capabilities: Fine-grained privilege control instead of root/non-root
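
To make the capabilities point concrete, the added example below (not part of the original page) decodes the CapEff bitmask from /proc/<pid>/status into capability names. The two status excerpts are constructed: the first mask is the one typically seen for root under Docker's default capability set, the second has every capability bit set; the HIGH_RISK shortlist is an assumption of this example.

```python
import re

# Capability bit numbers 0-40 from <linux/capability.h>, in order.
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
             "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
             "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
             "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
             "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
             "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()

# Capabilities a reviewer would want justified (shortlist assumed for this example).
HIGH_RISK = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
             "NET_ADMIN", "DAC_READ_SEARCH"}


def effective_caps(status_text):
    """Decode the CapEff line of /proc/<pid>/status into capability names."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def high_risk(status_text):
    """Return the effective capabilities that appear on the HIGH_RISK shortlist."""
    return sorted(HIGH_RISK.intersection(effective_caps(status_text)))


# Constructed excerpts of /proc/1/status as read from inside a container.
DEFAULT_ROOT = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
ALL_CAPS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_ROOT), ("all caps", ALL_CAPS)):
        caps = effective_caps(text)
        print(label, len(caps), "capabilities; high risk:", high_risk(text) or "none")
```

Both processes are UID 0, yet the first holds only 14 capabilities and none from the shortlist, which is what "instead of root/non-root" means in practice.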

14. What is the difference between 'docker stop' and 'docker kill'?

  • docker stop: Sends SIGTERM signal to the main process, allowing graceful shutdown (10-second default timeout), then sends SIGKILL if still running
  • docker kill: Immediately sends SIGKILL signal, forcing immediate termination without cleanup

Use docker stop for graceful shutdowns; use docker kill only when a container is unresponsive.

15. How do you troubleshoot a failing container?

  • Check container logs: docker logs <container_id>
  • Inspect container details: docker inspect <container_id>
  • Check resource usage: docker stats <container_id>
  • Execute commands inside running container: docker exec -it <container_id> /bin/sh
  • For containers that exit immediately, run with override: docker run -it <image> /bin/sh
  • Review Dockerfile and docker-compose.yml for misconfigurations
  • Check host system resources and Docker daemon logs

16. What are health checks in Docker and how do you implement them?

Health checks monitor container health, and an orchestrator can act on the result (for example by restarting the container). They're defined in the Dockerfile or in docker-compose.yml:

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f http://localhost/ || exit 1

Docker checks the container periodically and marks it as healthy or unhealthy, which orchestrators can use for automated recovery.

17. Explain Docker layer caching and how to optimize it.

Docker caches each layer during build. When rebuilding, if a layer hasn't changed, Docker reuses the cached version. To optimize:

  • Order Dockerfile instructions from least to most frequently changing
  • Copy dependency files first, install dependencies, then copy application code
  • This way, dependency installation is cached even when code changes

Example:

COPY package.json package-lock.json ./
RUN npm install
COPY . .

18. What security best practices should you follow with Docker?

  • Don't run containers as root user
  • Use official base images from trusted sources
  • Scan images for vulnerabilities regularly
  • Keep Docker and images updated
  • Limit container resources with cgroups
  • Use read-only file systems where possible
  • Implement network segmentation
  • Use secrets management (Docker secrets, not environment variables)
  • Minimize image attack surface (fewer packages/tools)
  • Enable Docker Content Trust for image signing
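
Several items in this list can be checked mechanically against `docker inspect` output. The following added example (not from the original page) flags containers that run as root, have a writable root file system, lack cgroup limits, share the host network, or carry secret-looking environment variables; the sample JSON is constructed and the secret-name pattern is a heuristic assumed here.

```python
import json
import re

# Names that suggest a credential passed via environment variable (heuristic).
SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)


def audit(container):
    """Return findings for one object from `docker inspect` output."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    # Config.User is "" when no user was set, which means UID 0.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs-as-root")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    # 0 or null means no cgroup limit was applied.
    if not host.get("Memory"):
        findings.append("no-memory-limit")
    if (host.get("PidsLimit") or 0) <= 0:
        findings.append("no-pids-limit")
    if host.get("NetworkMode") == "host":
        findings.append("host-network")
    for entry in cfg.get("Env") or []:
        key, _, value = entry.partition("=")
        if value and SECRET_KEY.search(key):
            findings.append("secret-in-env:" + key)  # report the name, never the value
    return findings


# Constructed sample shaped like `docker inspect` output, trimmed to the fields read above.
SAMPLE = json.loads("""
[
 {"Name": "/web-weak",
  "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=example-only"]},
  "HostConfig": {"ReadonlyRootfs": false, "Memory": 0, "PidsLimit": null, "NetworkMode": "host"}},
 {"Name": "/web-hardened",
  "Config": {"User": "10001:10001", "Env": ["PATH=/usr/bin"]},
  "HostConfig": {"ReadonlyRootfs": true, "Memory": 268435456, "PidsLimit": 100, "NetworkMode": "app-net"}}
]
""")


def report(containers):
    """Map container name to its list of findings."""
    return {c["Name"].lstrip("/"): audit(c) for c in containers}


if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, findings or "ok")
```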

These questions cover fundamental concepts through advanced topics and should help prepare for Docker-related interviews at various levels.