Skip to main content

Top 50 Docker Interview Questions for DevOps Engineers

· 14 min read
Goel Academy
Goel Academy
DevOps & Cloud Learning Hub

Docker questions show up in nearly every DevOps, SRE, and platform engineering interview. Interviewers are not looking for memorized definitions — they want to see that you understand how containers actually work, when to use specific features, and how to troubleshoot real production problems. This post covers 50 questions organized from beginner to advanced, each with a concise answer and the key commands you should know.

Beginner Questions (1-15)

Q1: What is Docker and how does it differ from virtual machines?

Docker uses OS-level virtualization (namespaces and cgroups) to isolate processes, sharing the host kernel. VMs use hardware-level virtualization with a hypervisor, each running its own kernel. Containers start in milliseconds and use megabytes of RAM. VMs take minutes and use gigabytes.

Q2: What is the difference between a Docker image and a container?

An image is a read-only template containing the application, dependencies, and filesystem. A container is a running instance of an image with a writable layer on top. You can create multiple containers from the same image. Images are built with docker build, containers are created with docker run.

Q3: What is a Dockerfile?

A Dockerfile is a text file containing instructions to build a Docker image. Each instruction (FROM, RUN, COPY, CMD) creates a layer in the image. Docker caches layers, so unchanged instructions are not re-executed on subsequent builds.

Q4: Explain the difference between CMD and ENTRYPOINT.

CMD provides default arguments that can be overridden at runtime. ENTRYPOINT sets the main executable that always runs. When both are present, CMD arguments are passed to ENTRYPOINT.

ENTRYPOINT ["python"]
CMD ["app.py"]
# docker run myapp          → python app.py
# docker run myapp test.py  → python test.py (CMD overridden)

Q5: What is the difference between COPY and ADD?

COPY copies files from the build context into the image. ADD does the same but also supports URL downloads and automatic tar extraction. Best practice: always use COPY unless you specifically need tar extraction.

Q6: How do you list all running containers? All containers including stopped?

docker ps           # Running containers only
docker ps -a        # All containers (running + stopped)
docker ps -q        # Only container IDs (useful for scripting)

Q7: What is a Docker registry?

A registry stores Docker images. Docker Hub is the default public registry. Private registries (Harbor, AWS ECR, Google GCR, Azure ACR) store proprietary images. You interact with registries using docker push and docker pull.

Q8: What does docker build --no-cache do?

It forces Docker to rebuild every layer from scratch, ignoring cached layers. Useful when a RUN apt-get update layer is cached but you need fresh packages.

Q9: How do you remove all stopped containers, unused images, and build cache?

docker system prune -a      # Removes everything unused
docker container prune       # Stopped containers only
docker image prune -a        # All unused images
docker builder prune          # Build cache only

Q10: What is the purpose of .dockerignore?

.dockerignore excludes files from the build context, reducing build time and preventing sensitive files from being included in images. Similar to .gitignore syntax.

node_modules
.git
.env
*.md

Q11: What are Docker tags?

Tags are labels for image versions (e.g., nginx:1.25, nginx:alpine). The latest tag is the default when no tag is specified. Best practice: always use specific tags in production, never latest.

Q12: How do you inspect a running container?

docker inspect <container>          # Full JSON metadata
docker logs <container>             # Container stdout/stderr
docker exec -it <container> sh      # Shell into the container
docker stats <container>            # Live CPU/memory usage
docker top <container>              # Running processes

Q13: What is the difference between docker stop and docker kill?

docker stop sends SIGTERM, waits 10 seconds (configurable with --time), then sends SIGKILL. docker kill sends SIGKILL immediately. Use stop for graceful shutdown, kill when a container is unresponsive.

Q14: What happens when you run docker run?

Docker pulls the image (if not cached), creates a writable container layer, allocates a network interface, assigns an IP, and executes the specified command. The --rm flag auto-removes the container when it exits.

Q15: What are Docker layers?

Each instruction in a Dockerfile creates a layer. Layers are stacked and cached independently. If a layer changes, all subsequent layers are rebuilt. This is why you put frequently changing instructions (like COPY . .) at the end of the Dockerfile.

Intermediate Questions (16-35)

Q16: Explain Docker networking modes.

# Bridge (default) — containers on a private network, NAT to host
docker run --network bridge myapp

# Host — container shares host network stack, no isolation
docker run --network host myapp

# None — no networking at all
docker run --network none myapp

# Custom bridge — user-defined network with DNS resolution
docker network create mynet
docker run --network mynet --name api myapp
# Other containers on "mynet" can reach "api" by name

Q17: What are Docker volumes and how do they differ from bind mounts?

Volumes are managed by Docker and stored in /var/lib/docker/volumes/. Bind mounts map a host directory directly. Volumes are preferred because they work across platforms, can be backed up with Docker commands, and support volume drivers for remote storage.

docker volume create mydata                        # Named volume
docker run -v mydata:/app/data myapp               # Volume mount
docker run -v /host/path:/container/path myapp     # Bind mount

Q18: How does multi-stage build work and why is it useful?

Multi-stage builds use multiple FROM statements. Build dependencies stay in early stages. Only runtime artifacts are copied to the final stage. This reduces image size dramatically — a Go application drops from 1 GB (with build tools) to 10 MB (static binary on scratch).

FROM golang:1.23 AS builder
RUN go build -o /app .

FROM scratch
COPY --from=builder /app /app
CMD ["/app"]

Q19: How do you secure a Docker container?

Run as non-root user, use read-only filesystem, drop capabilities, scan images for vulnerabilities, use minimal base images, never store secrets in images, and limit resources.

FROM node:20-slim
RUN groupadd -r app && useradd -r -g app app
USER app

Q20: What is Docker Compose and when would you use it?

Docker Compose defines and runs multi-container applications using a YAML file. Use it for local development environments, CI testing, and single-host deployments. It manages service dependencies, networking, and volumes declaratively.

Q21: Explain the difference between docker compose up and docker compose run.

up starts all services defined in the Compose file. run starts a single service with a one-off command, useful for running migrations, tests, or shell sessions without starting the entire stack.

docker compose up -d              # Start all services
docker compose run api npm test   # Run tests in api service only

Q22: What are health checks and why are they important?

Health checks let Docker monitor whether an application inside a container is actually working, not just whether the process is running. A process can be alive but deadlocked.

HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1

Q23: How do you pass secrets to containers securely?

Never use environment variables for secrets in production (they appear in docker inspect). Use Docker secrets (Swarm), mount secret files, or use external secret managers (Vault, AWS Secrets Manager).

# Docker secret (Swarm mode)
echo "db-password" | docker secret create db_pass -
docker service create --secret db_pass myapp
# Secret available at /run/secrets/db_pass inside the container

Q24: What is the difference between EXPOSE and -p (publish)?

EXPOSE in a Dockerfile is documentation — it indicates which ports the container listens on but does not publish them. The -p flag actually maps container ports to host ports.

docker run -p 8080:3000 myapp   # Host 8080 → Container 3000
docker run -P myapp             # Map all EXPOSEd ports to random host ports

Q25: How do you limit container resources?

docker run \
  --memory=512m \
  --cpus=1.5 \
  --memory-swap=1g \
  --pids-limit=100 \
  myapp

Q26: What is a Docker network and how do containers communicate?

Containers on the same user-defined bridge network can communicate using container names as DNS hostnames. The default bridge network does not provide automatic DNS — you must use --link (deprecated) or IP addresses.

Q27: Explain the build context.

The build context is the set of files sent to the Docker daemon when you run docker build. It is the directory you specify (usually .). Large build contexts slow down builds. Use .dockerignore to exclude unnecessary files.

Q28: What is the purpose of docker commit?

docker commit creates a new image from a container's current state. It is useful for debugging but should never be used for production images — always use Dockerfiles for reproducibility.

Q29: How do you update a running container?

You do not update containers — you replace them. Build a new image, stop the old container, start a new one. Docker Compose up --build handles this. In Kubernetes, rolling updates do this with zero downtime.

Q30: What is the difference between ARG and ENV?

ARG is available only during build time and is not present in the running container. ENV persists in the running container. Use ARG for build-time variables (versions, flags), ENV for runtime configuration.

ARG NODE_VERSION=20
FROM node:${NODE_VERSION}
ENV APP_PORT=3000

Q31: How do you handle logging in Docker?

Docker captures stdout/stderr from the container process. Log drivers determine where logs go — json-file (default), syslog, journald, fluentd, awslogs, gelf. Configure per-container or daemon-wide.

docker run --log-driver=fluentd --log-opt fluentd-address=localhost:24224 myapp

Q32: What is a dangling image?

A dangling image is an image layer that is no longer tagged and not referenced by any other image. They accumulate when you rebuild images with the same tag. Remove them with docker image prune.

Q33: How does Docker handle DNS resolution?

Docker runs an embedded DNS server at 127.0.0.11 for user-defined networks. Containers resolve other container names through this DNS. The default bridge network uses the host's DNS configuration.

Q34: What is docker exec used for?

docker exec runs a command inside a running container. Commonly used for debugging, running migrations, or inspecting the container filesystem.

docker exec -it mycontainer bash        # Interactive shell
docker exec mycontainer cat /etc/hosts  # Run a command

Q35: Explain image layer caching. How do you optimize cache hits?

Docker caches each layer and reuses it if the instruction and its inputs have not changed. Optimization: put rarely changing instructions first (install OS packages), frequently changing instructions last (copy source code). Copy dependency files before source code.

COPY package.json .        # Changes rarely → cached
RUN npm install            # Cached if package.json unchanged
COPY . .                   # Changes often → invalidates only this layer

Advanced Questions (36-50)

Q36: What are storage drivers and how do they work?

Storage drivers implement the union filesystem that layers images. overlay2 is the default and recommended driver. It uses OverlayFS to combine read-only image layers with a read-write container layer. Alternatives include btrfs, zfs, and devicemapper for specific storage backends.

Q37: Explain BuildKit and its advantages over the legacy builder.

BuildKit is Docker's next-generation build engine. It provides parallel stage execution, better caching (content-addressable), build secrets that never appear in image layers, SSH agent forwarding, and cache mount for package managers.

# BuildKit secret mount — never stored in a layer
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm install

# Cache mount — persist package manager cache across builds
RUN --mount=type=cache,target=/root/.npm npm install

Q38: What is rootless Docker and when should you use it?

Rootless Docker runs the Docker daemon and containers without root privileges. It uses user namespaces to map container root to an unprivileged host user. Use it when you cannot give users root access but they need to run containers.

dockerd-rootless-setuptool.sh install
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock

Q39: Explain Linux namespaces and how Docker uses them.

Docker uses six namespace types: PID (process isolation), NET (network stack), MNT (filesystem mounts), UTS (hostname), IPC (inter-process communication), and USER (UID mapping). Each container gets its own instance of each namespace, creating the illusion of an isolated system.

Q40: How do cgroups work in Docker?

Control groups (cgroups) limit, account for, and isolate resource usage. Docker uses cgroups v2 to enforce --memory, --cpus, --pids-limit, and I/O bandwidth limits. When a container exceeds its memory limit, the OOM killer terminates it.

# See cgroup limits for a running container
cat /sys/fs/cgroup/docker/<container-id>/memory.max
cat /sys/fs/cgroup/docker/<container-id>/cpu.max

Q41: What are overlay networks and when are they used?

Overlay networks span multiple Docker hosts, enabling container-to-container communication across machines. They use VXLAN tunneling to encapsulate container traffic. Required for Docker Swarm services and multi-host networking.

docker network create --driver overlay --attachable my-overlay

Q42: How does Docker Swarm differ from Kubernetes?

Swarm is built into Docker, simpler to set up, and suitable for small-to-medium deployments. Kubernetes is more complex but offers richer features — custom resources, operators, advanced scheduling, service mesh integration. Kubernetes dominates in production; Swarm is being maintained but not actively developed.

Q43: What is the Docker content trust (DCT)?

DCT uses digital signatures to verify image integrity and publisher identity. When enabled, Docker only pulls signed images. It uses Notary under the hood.

export DOCKER_CONTENT_TRUST=1
docker pull myregistry.io/myapp:1.0.0  # Fails if not signed

Q44: Explain the difference between SIGTERM and SIGKILL in container shutdown.

When you run docker stop, Docker sends SIGTERM to PID 1 in the container. The process should handle SIGTERM for graceful shutdown (close connections, flush buffers). After the timeout (default 10s), Docker sends SIGKILL which cannot be caught. Common issue: shell-form CMD runs under /bin/sh which does not forward signals.

# Exec form — receives signals directly
CMD ["node", "server.js"]

# Shell form — /bin/sh receives signal, node does not
CMD node server.js

Q45: How do you debug a container that keeps crashing?

docker logs <container>                     # Check application logs
docker inspect <container> | jq '.[0].State'  # Check exit code
docker run -it --entrypoint sh myimage      # Override entrypoint to get a shell
docker events --filter container=<id>       # Watch Docker events
docker cp <container>:/app/logs ./logs      # Copy logs out

Q46: What are init processes in containers and why do they matter?

PID 1 in a container has special responsibilities: reaping zombie processes and forwarding signals. If your application is not designed to be PID 1, zombies accumulate and signals are lost. Use --init to add tini as PID 1, or use dumb-init.

docker run --init myapp    # Adds tini as PID 1

Q47: How does Docker handle image layer deduplication?

Layers are content-addressable — identified by SHA256 hash of their contents. If two images share the same base layers, Docker stores them once on disk. This is why pulling a second image with the same base is fast — shared layers are already present.

Q48: What is the container runtime interface (CRI)?

CRI is a Kubernetes API that allows different container runtimes (containerd, CRI-O) to work with kubelet. Docker required a shim (dockershim) which was removed in Kubernetes 1.24. containerd and CRI-O implement CRI natively.

Q49: Explain how Docker uses iptables for networking.

Docker manipulates iptables rules for port publishing (-p), inter-container communication, and NAT. Published ports get DNAT rules in the DOCKER chain. Container-to-external traffic gets MASQUERADE rules. The docker-proxy userland process handles hairpin NAT (container accessing its own published port).

Q50: How would you design a zero-downtime deployment strategy with Docker?

Use a load balancer (Traefik, nginx) in front of containers. Deploy the new version alongside the old one. Health check the new container. Switch traffic at the load balancer. Drain connections from the old container. Stop the old container. Docker Compose with --scale can run multiple instances. In production, use Kubernetes rolling updates or Docker Swarm with --update-delay and --update-parallelism.

# Simple blue-green with Compose
docker compose up -d --scale api=2 --no-recreate
# Wait for new container to be healthy, then remove old one

Wrapping Up

Docker interviews test breadth and depth. Beginners should know images, containers, Dockerfiles, and basic commands cold. Intermediate candidates need networking, volumes, Compose, security, and multi-stage builds. Advanced candidates are expected to understand the Linux primitives (namespaces, cgroups), storage internals, BuildKit capabilities, and orchestration trade-offs. The best interview answers include not just what a feature does, but when you would use it and what trade-offs are involved. Practice these questions, but more importantly, build real projects with Docker — hands-on experience is what separates memorized answers from genuine understanding.