This guide provides a curated list of common Docker interview questions to help you prepare for your next developer or DevOps role. Master these concepts to demonstrate your expertise in containerization and modern application deployment.
Last Updated: Aug 23, 2025
Core Concepts & Architecture
1. What is Docker?
Docker is an open-source platform that automates the deployment, scaling, and management of applications by using containerization. It allows developers to package an application with all of its dependencies (libraries, system tools, code, runtime) into a standardized unit called a container. You can learn more from the official Docker website.
2. What is the difference between Docker and a Virtual Machine (VM)?
- Docker Containers share the host system's kernel and only virtualize the application and its dependencies. This makes them lightweight, fast to start, and efficient.
- Virtual Machines (VMs) virtualize the hardware and run a full guest operating system on top of the host OS. This provides strong isolation but makes them much heavier, slower, and more resource-intensive than containers.
3. What is a Docker Image?
A Docker image is a lightweight, standalone, executable package that includes everything needed to run a piece of software, including the code, a runtime, libraries, environment variables, and config files. It's a read-only template with instructions for creating a Docker container.
4. What is a Docker Container?
A Docker container is a runnable instance of a Docker image. You can create, start, stop, move, or delete a container using the Docker API or CLI. A container is an isolated environment that runs an application without interfering with the host system or other containers.
5. What are the key components of Docker architecture?
- Docker Daemon: A background service running on the host that manages building, running, and distributing Docker containers.
- Docker Client: The command-line interface that users interact with to issue commands to the Docker daemon.
- Docker Images: Read-only templates used to create containers.
- Docker Containers: Runnable instances of images.
- Docker Registry: A repository for Docker images (e.g., Docker Hub).
6. What is Docker Hub?
Docker Hub is a cloud-based registry service provided by Docker that allows you to store and share Docker images. It serves as a central repository where you can find official images from software vendors as well as community-created images.
7. What is the difference between Docker and Kubernetes?
Docker is a platform for creating and running containers, while Kubernetes is a container orchestration system for managing multiple containers across multiple hosts. Docker focuses on packaging applications into containers, while Kubernetes focuses on deploying, scaling, and managing those containers.
8. What is the role of the Docker daemon?
The Docker daemon (dockerd) is a persistent background process that manages Docker containers, images, networks, and storage volumes. It listens for Docker API requests and processes them to manage Docker objects.
9. What is the Docker client?
The Docker client is the primary way users interact with Docker. When you use commands like docker run, the client sends these commands to the Docker daemon, which carries them out. The Docker client can communicate with a local or remote daemon.
10. What are Docker namespaces?
Docker uses Linux namespaces to provide isolation between containers. Namespaces partition kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources. The main namespaces used by Docker are: PID (process isolation), NET (network interfaces), IPC (manages access to IPC resources), MNT (manages filesystem mount points), and UTS (isolates kernel and version identifiers).
Images & Dockerfiles
11. What is a Dockerfile?
A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image. Using docker build, users can create an automated build that executes several command-line instructions in succession.
12. What are the most common Dockerfile instructions?
- FROM: Sets the base image for subsequent instructions
- RUN: Executes commands in a new layer on top of the current image
- CMD: Provides defaults for an executing container
- EXPOSE: Informs Docker that the container listens on the specified network ports
- ENV: Sets environment variables
- ADD/COPY: Copies files from the host to the container
- ENTRYPOINT: Configures a container that will run as an executable
- VOLUME: Creates a mount point for external volumes
- WORKDIR: Sets the working directory for subsequent instructions
13. What is the difference between ADD and COPY in a Dockerfile?
Both ADD and COPY copy files from the host to the container, but ADD has additional features:
- ADD can copy from a URL (COPY cannot)
- ADD can automatically extract tar archives (COPY cannot)
- COPY is generally preferred for simplicity and transparency when you just need to copy local files
14. What is the difference between CMD and ENTRYPOINT?
- CMD: Provides default arguments for the ENTRYPOINT instruction or a default command to execute. It can be overridden when running the container.
- ENTRYPOINT: Configures a container to run as an executable. Arguments passed to docker run will be appended to the ENTRYPOINT.
15. How do you reduce the size of a Docker image?
- Use a minimal base image (like Alpine Linux)
- Combine multiple RUN commands into one to reduce layers
- Use multi-stage builds to separate build dependencies from runtime
- Clean up unnecessary files and package caches in the same layer they were created
- Use .dockerignore to exclude unnecessary files from the build context
16. What are multi-stage builds in Docker?
Multi-stage builds allow you to use multiple FROM statements in your Dockerfile. Each FROM instruction can use a different base, and you can selectively copy artifacts from one stage to another, leaving behind everything you don't want in the final image. This helps create smaller and more secure final images.
17. What is the purpose of the .dockerignore file?
The .dockerignore file works similarly to .gitignore. It excludes files and directories from the build context, preventing them from being sent to the Docker daemon when building an image. This can significantly reduce build time and image size.
18. How do you optimize Docker image building?
- Order instructions from least to most frequently changing
- Leverage build cache by placing stable instructions first
- Use multi-stage builds
- Minimize the number of layers
- Use specific tags for base images instead of "latest"
- Remove unnecessary files and dependencies
19. What are Docker image layers?
Docker images are built using a layered filesystem. Each instruction in a Dockerfile creates a new layer. Layers are cached, so if you change a Dockerfile instruction, only that layer and subsequent ones need to be rebuilt. This makes builds faster and more efficient.
20. How do you remove dangling Docker images?
Dangling images are untagged images that are not referenced by any container. You can remove them with: docker image prune. To remove all unused images (both dangling and unreferenced), use: docker image prune -a
21. What is the purpose of the EXPOSE instruction in a Dockerfile?
The EXPOSE instruction informs Docker that the container listens on the specified network ports at runtime. It doesn't actually publish the port but serves as documentation and is used when linking containers. To actually publish the port, you need to use the -p flag with docker run.
22. How do you set environment variables in a Docker container?
You can set environment variables in several ways:
- Using the ENV instruction in a Dockerfile
- Using the -e flag with docker run
- Using an environment file with the --env-file flag
23. What is the purpose of the VOLUME instruction in a Dockerfile?
The VOLUME instruction creates a mount point with the specified name and marks it as holding externally mounted volumes from the native host or other containers. This allows data to persist beyond the container's lifecycle and be shared between containers.
24. How do you version Docker images?
Docker images can be versioned using tags. You can specify a tag when building an image: docker build -t myimage:1.0 .
Common practices include using semantic versioning (1.0, 1.1, 2.0), using git commit hashes, or using "latest" for the most recent stable version.
25. What is a Docker image registry and how is it different from a repository?
A Docker registry is a storage and distribution system for Docker images (e.g., Docker Hub, Google Container Registry). A repository is a collection of different versions of a specific image within a registry. For example, in "nginx:alpine", "nginx" is the repository name and "alpine" is the tag.
Containers: Lifecycle & Management
26. What is the difference between docker create and docker run?
docker create creates a container from an image but doesn't start it, while docker run creates and starts the container in one command. docker create is useful when you want to configure a container before starting it.
27. How do you run a Docker container in detached mode?
Use the -d flag: docker run -d [image_name]. This runs the container in the background and returns the container ID.
28. How do you view logs from a Docker container?
Use docker logs [container_id]. To follow the logs in real-time, use docker logs -f [container_id].
29. How do you execute a command in a running container?
Use docker exec [container_id] [command]. For an interactive shell, use docker exec -it [container_id] /bin/bash.
30. How do you stop and remove a Docker container?
To stop a container: docker stop [container_id]. To remove a stopped container: docker rm [container_id]. To force remove a running container: docker rm -f [container_id].
31. What is the difference between docker stop and docker kill?
docker stop sends a SIGTERM signal, allowing the process to gracefully shut down, followed by SIGKILL after a grace period. docker kill sends a SIGKILL signal immediately, forcefully terminating the process.
32. How do you list all running containers?
Use docker ps. To list all containers (including stopped ones), use docker ps -a.
33. How do you remove all stopped containers?
Use docker container prune. This will remove all stopped containers and free up disk space.
34. How do you inspect a Docker container?
Use docker inspect [container_id]. This returns low-level information about the container in JSON format, including configuration, network settings, volumes, and more.
35. How do you monitor Docker container resource usage?
Use docker stats to display a live stream of container resource usage statistics, including CPU, memory, network I/O, and block I/O.
36. How do you restart a Docker container?
Use docker restart [container_id]. This stops and then starts the container again.
37. How do you pause and unpause a container?
To pause: docker pause [container_id]. To unpause: docker unpause [container_id]. Pausing freezes all processes in the container without stopping them.
38. How do you rename a Docker container?
Use docker rename [old_name] [new_name]. This changes the human-readable name of the container.
39. How do you copy files between the host and a container?
Use docker cp [host_path] [container_id]:[container_path] to copy from host to container, and docker cp [container_id]:[container_path] [host_path] to copy from container to host.
40. How do you set resource limits on a Docker container?
Use flags with docker run:
- --memory or -m to limit memory
- --cpus to limit CPU usage
- --cpu-shares to set CPU priority
- --blkio-weight to set block IO weight
Networking & Storage
41. What are the different Docker network drivers?
- bridge: The default network driver for containers
- host: Removes network isolation between container and host
- overlay: Connects multiple Docker daemons together
- macvlan: Assigns a MAC address to containers
- none: Disables all networking
42. How do you create a custom network in Docker?
Use docker network create [network_name]. You can specify the driver with the --driver flag, e.g., docker network create --driver bridge my_bridge.
43. What is the difference between host and bridge networking?
In host networking, the container shares the host's network stack and all interfaces. In bridge networking, Docker creates an internal network and containers get their own network namespace with a virtual Ethernet pair connected to the bridge.
44. How do you connect a container to a specific network?
Use the --network flag with docker run: docker run --network=[network_name] [image]. You can also connect an existing container using docker network connect [network_name] [container_id].
45. How do you expose a container port to the host?
Use the -p flag with docker run: docker run -p [host_port]:[container_port] [image]. To bind to a specific host IP: docker run -p [ip]:[host_port]:[container_port] [image].
46. What is the difference between -p and -P in docker run?
-p allows you to specify a specific host port to map to a container port. -P (capital P) publishes all exposed ports to random ports on the host.
47. What are Docker volumes?
Docker volumes are the preferred mechanism for persisting data generated by and used by Docker containers. They are completely managed by Docker and stored in a part of the host filesystem.
48. How do you create a Docker volume?
Use docker volume create [volume_name]. You can then mount it to a container using the -v flag: docker run -v [volume_name]:[container_path] [image].
49. What is the difference between volumes and bind mounts?
- Volumes: Managed by Docker, stored in a part of the host filesystem, and can be shared among containers.
- Bind mounts: Map a host file or directory to a container path. The host path is directly referenced.
50. How do you list and remove Docker volumes?
List volumes: docker volume ls. Remove a volume: docker volume rm [volume_name]. Remove unused volumes: docker volume prune.
51. What are tmpfs mounts?
tmpfs mounts are stored only in the host system's memory and are never written to the host system's filesystem. They are useful for temporary data that doesn't need to persist.
52. How do you share data between containers?
You can share data between containers using:
- Volumes: Multiple containers can mount the same volume
- Bind mounts: Multiple containers can use the same host directory
- Container volumes: Use the --volumes-from flag to share volumes between containers
53. How do you inspect a Docker network?
Use docker network inspect [network_name]. This shows detailed information about the network, including connected containers, IPAM configuration, and more.
54. What is Docker's default network?
Docker creates a default bridge network called "bridge" when it is installed. Containers launched without specifying a network are connected to this default bridge network.
55. How do you disconnect a container from a network?
Use docker network disconnect [network_name] [container_id]. You can force disconnect with the -f flag.
Docker Compose & Multi-Container Apps
56. What is Docker Compose?
Docker Compose is a tool for defining and running multi-container Docker applications. You use a YAML file to configure your application's services, networks, and volumes, then with a single command, you create and start all the services.
57. What is the difference between Docker and Docker Compose?
Docker is used to manage individual containers, while Docker Compose is used to manage multi-container applications. Docker Compose simplifies the process of defining and running complex applications with multiple interconnected services.
58. How do you install Docker Compose?
Docker Compose is now included with Docker Desktop for Windows and Mac. For Linux, you can install it separately by downloading the binary from the GitHub releases page or using package managers.
59. What is the structure of a docker-compose.yml file?
A docker-compose.yml file typically includes:
- Version of the Compose file format
- Services definitions (containers to run)
- Networks configuration
- Volumes configuration
- Configs and secrets (in newer versions)
60. How do you start services with Docker Compose?
Use docker-compose up in the directory containing your docker-compose.yml file. To run in detached mode, use docker-compose up -d.
61. How do you stop services with Docker Compose?
Use docker-compose down to stop and remove containers, networks, and volumes defined in the compose file. Use docker-compose stop to just stop the containers without removing them.
62. How do you view logs with Docker Compose?
Use docker-compose logs to view logs from all services. To view logs from a specific service: docker-compose logs [service_name]. To follow logs in real-time, add the -f flag.
63. How do you scale services with Docker Compose?
Use the --scale flag: docker-compose up --scale [service_name]=[number_of_instances]. Note that this requires version 3.x of the Compose file format.
64. What are environment variables in Docker Compose?
You can set environment variables for services in Docker Compose using the environment key in the service definition, or by using an external environment file with the env_file key.
65. How do you build images with Docker Compose?
Use the build key in the service definition to specify the build context. Then run docker-compose build to build the images, or docker-compose up --build to build and start the services.
Orchestration: Swarm & Kubernetes
66. What is Docker Swarm?
Docker Swarm is a container orchestration tool native to Docker that allows you to manage a cluster of Docker nodes as a single virtual system. It provides clustering, scheduling, service discovery, and load balancing capabilities.
67. How do you initialize a Docker Swarm?
Use docker swarm init on the manager node. This will output a token that you can use to join worker nodes to the swarm with docker swarm join --token [token] [manager_ip]:2377.
68. What is the difference between a manager node and a worker node in Docker Swarm?
- Manager nodes: Handle cluster management tasks, orchestration, and maintain the desired state of the swarm.
- Worker nodes: Execute tasks assigned by manager nodes and do not participate in the Raft consensus.
69. How do you create a service in Docker Swarm?
Use docker service create followed by the image name and any options: docker service create --name [service_name] --replicas [number] [image].
70. How do you scale a service in Docker Swarm?
Use docker service scale [service_name]=[number_of_replicas]. For example: docker service scale web=5 to scale the web service to 5 replicas.
71. What is a Docker stack?
A Docker stack is a group of interrelated services that are deployed together in a Swarm cluster. You define a stack using a Docker Compose file and deploy it with docker stack deploy.
72. How do you deploy a stack in Docker Swarm?
Use docker stack deploy -c [compose_file] [stack_name]. This will create or update the stack with the services defined in the Compose file.
73. What is the difference between Docker Compose and Docker Stack?
Docker Compose is used for development and testing on a single host, while Docker Stack is used for production deployments across a Swarm cluster. Stack supports a subset of Compose instructions and adds Swarm-specific features.
74. How does Docker Swarm handle service discovery?
Docker Swarm has an internal DNS server that automatically assigns a DNS entry to each service. Containers can communicate with each other using the service name, and Swarm's internal load balancer distributes requests among the service's tasks.
75. What is the Raft consensus algorithm in Docker Swarm?
Raft is a consensus algorithm used by manager nodes in Docker Swarm to maintain a consistent state across the cluster. It ensures that the manager nodes agree on the state of the swarm and can elect a new leader if the current leader fails.
Security & Best Practices
76. What are some Docker security best practices?
- Run containers as non-root users
- Use minimal base images
- Regularly update images and dependencies
- Scan images for vulnerabilities
- Use secrets for sensitive data
- Limit container capabilities
- Use resource constraints
- Implement network segmentation
77. How do you run a container as a non-root user?
You can specify a user in the Dockerfile with the USER instruction, or use the --user flag with docker run: docker run --user [user_id]:[group_id] [image].
78. What are Docker secrets and how are they used?
Docker secrets are a secure way to store and manage sensitive data such as passwords, API keys, and certificates. They are encrypted during transit and at rest, and are only available to authorized services in a Swarm cluster.
79. How do you scan Docker images for vulnerabilities?
You can use Docker Security Scanning (if available in your Docker edition), or third-party tools like Trivy, Clair, Anchore, or Snyk to scan images for known vulnerabilities.
80. What is the principle of least privilege in Docker?
The principle of least privilege means giving containers only the permissions they absolutely need to function. This includes running as non-root, dropping unnecessary capabilities, and using read-only filesystems where possible.
81. How do you make a container's filesystem read-only?
Use the --read-only flag with docker run: docker run --read-only [image]. For specific writable directories, you can use volumes.
82. What are Docker capabilities and how do you manage them?
Linux capabilities are privileges that can be granted to processes. By default, Docker drops many capabilities for security. You can add capabilities with --cap-add and drop capabilities with --cap-drop.
83. How do you limit container resources?
Use resource constraints with docker run:
- --memory or -m to limit memory
- --memory-swap to limit swap memory
- --cpus to limit CPU usage
- --blkio-weight to set block IO weight
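An added example, not part of the original guide: a Python check that reads docker inspect output and reports which of the hardening points from questions 77 and 80 to 83 a container misses (non-root user, read-only filesystem, dropped capabilities, resource limits). The sample JSON is constructed, and the finding labels and the RISKY_CAPS list are assumptions made for this example.

```python
import json

# Constructed sample shaped like `docker inspect` output (a JSON array with
# one object per container). Names and values are made up for illustration.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-hardened",
        "Config": {"User": "1000:1000"},
        "HostConfig": {
            "Privileged": False,
            "ReadonlyRootfs": True,
            "CapAdd": ["NET_BIND_SERVICE"],
            "CapDrop": ["ALL"],
            "Memory": 268435456,
            "NanoCpus": 500000000,
        },
    },
    {
        "Name": "/legacy-app",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True,
            "ReadonlyRootfs": False,
            "CapAdd": ["SYS_ADMIN"],
            "CapDrop": None,
            "Memory": 0,
            "NanoCpus": 0,
        },
    },
])

# An empty User means no USER instruction and no --user flag, i.e. root.
ROOT_USERS = {"", "0", "root"}
# Assumption: a short list of broad capabilities chosen for this example.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def normalize_cap(cap):
    """Accept both 'CAP_SYS_ADMIN' and 'SYS_ADMIN' spellings."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(container):
    """Return a list of finding labels for one `docker inspect` object."""
    host = container.get("HostConfig") or {}
    user = (container.get("Config") or {}).get("User") or ""
    findings = []
    # User can be "uid", "uid:gid" or a name; only the user part matters here.
    if user.split(":")[0] in ROOT_USERS:
        findings.append("runs-as-root")
    if host.get("Privileged"):
        findings.append("privileged")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    added = {normalize_cap(c) for c in host.get("CapAdd") or []}
    dropped = {normalize_cap(c) for c in host.get("CapDrop") or []}
    risky = sorted(added & RISKY_CAPS)
    if risky:
        findings.append("risky-cap-add:" + ",".join(risky))
    if "ALL" not in dropped:
        findings.append("caps-not-dropped")
    if not host.get("Memory"):
        findings.append("no-memory-limit")
    # --cpus is stored as NanoCpus; CpuQuota is the older equivalent.
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append("no-cpu-limit")
    return findings


def audit(inspect_json):
    """Map container name to findings for a whole `docker inspect` dump."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "ok")
```

On a real host, the same function can be fed the output of docker inspect for the running containers instead of the constructed sample.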
84. What is Docker Content Trust?
Docker Content Trust (DCT) is a security feature that provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags.
85. How do you enable Docker Content Trust?
Set the environment variable DOCKER_CONTENT_TRUST=1 before running Docker commands. This will enforce signature verification for image operations.
86. What are some best practices for writing Dockerfiles?
- Use minimal base images
- Combine RUN commands to reduce layers
- Use specific version tags instead of "latest"
- Clean up temporary files in the same layer
- Use .dockerignore to exclude unnecessary files
- Set appropriate user permissions
- Use multi-stage builds for production images
87. How do you optimize Docker build performance?
- Order instructions from least to most frequently changing
- Leverage build cache effectively
- Use build-time arguments for configuration
- Use multi-stage builds to keep final images small
- Use a .dockerignore file to exclude unnecessary files
88. What is the significance of using specific version tags instead of "latest"?
Using specific version tags ensures reproducibility and stability. The "latest" tag can change over time, which might break your application. Specific tags ensure you're always using the same version of an image.
89. How do you handle configuration in Docker containers?
Configuration can be handled through:
- Environment variables
- Configuration files mounted as volumes
- Docker configs (in Swarm mode)
- Command-line arguments
90. What are some common Docker anti-patterns to avoid?
- Running containers as root
- Storing data in containers instead of volumes
- Using overly large images
- Including secrets in images
- Running multiple processes in a single container
- Using the "latest" tag in production
91. How do you debug Docker containers?
- Use docker logs to view container logs
- Use docker exec to run commands inside containers
- Use docker inspect to view container details
- Use docker stats to monitor resource usage
- Use docker events to view real-time events
92. How do you backup and restore Docker containers?
To back up a container, commit it to an image: docker commit [container_id] [backup_image]. To restore, create a new container from the backup image. For data, back up volumes by copying data from volume directories.
93. What is the difference between docker save and docker export?
docker save saves an image to a tar archive, preserving all layers, tags, and history. docker export exports a container's filesystem to a tar archive, without metadata or history.
94. How do you migrate Docker containers to a new host?
To migrate containers:
- Commit the container to an image: docker commit [container_id] [image_name]
- Save the image: docker save [image_name] > image.tar
- Transfer the tar file to the new host
- Load the image: docker load < image.tar
- Create a new container from the image
95. How do you clean up unused Docker resources?
Use the prune commands:
- docker system prune: Remove all unused containers, networks, images, and build cache
- docker container prune: Remove all stopped containers
- docker image prune: Remove unused images
- docker volume prune: Remove unused volumes
- docker network prune: Remove unused networks
96. What are Docker build arguments (ARG) and how are they used?
Build arguments (ARG) are variables that users can pass at build-time to the Docker daemon. They can be used in Dockerfiles with the ARG instruction and are available from the line they are declared until the end of the build process.
97. How do you use health checks in Docker?
You can define health checks in Dockerfiles with the HEALTHCHECK instruction, or with the --health-cmd flag in docker run. Docker will then periodically execute the specified command to check the container's health.
98. What are Docker labels and how are they used?
Docker labels are key-value pairs that can be added to images and containers to provide metadata. They can be used for organization, filtering, and automation purposes.
99. How do you troubleshoot Docker networking issues?
- Use docker network inspect to examine network configuration
- Use docker exec to run network diagnostic tools inside containers
- Check iptables rules on the host
- Verify DNS resolution within containers
- Check port mapping and firewall settings
100. What are some emerging trends in container technology?
- Serverless containers (e.g., AWS Fargate, Google Cloud Run)
- WebAssembly (Wasm) modules as lightweight alternatives to containers
- Improved security with rootless containers and gVisor
- GitOps practices for container deployment and management
- Multi-architecture images supporting different CPU architectures
- Extended Berkeley Packet Filter (eBPF) for enhanced observability and security