Docker is a containerization platform that packages applications and their dependencies into lightweight, portable containers. These questions cover core Docker concepts, commands, networking, storage, security, and orchestration basics — spanning beginner to advanced levels.
Docker is a platform for packaging and running applications in containers, which share the host OS kernel. Unlike VMs, containers don't need a full guest OS, making them faster to start and much lighter in resource usage.
An image is a read-only, layered template built from a Dockerfile that defines the application and its dependencies. A container is a runnable instance of an image — a live, isolated process created from that image.
A Dockerfile is a text file containing instructions to build a Docker image. Common instructions include FROM (base image), RUN (execute commands), COPY/ADD (copy files), CMD/ENTRYPOINT (default command), EXPOSE (document ports), and ENV (set environment variables).
ENTRYPOINT defines the fixed executable that always runs when a container starts, while CMD provides default arguments that can be overridden at runtime. When used together, CMD supplies default arguments to the ENTRYPOINT command.
COPY simply copies files or directories from the build context into the image. ADD does the same but additionally supports extracting local tar archives and fetching remote URLs; best practice is to use COPY unless the extra ADD features are specifically needed.
Each Dockerfile instruction creates a new read-only layer stacked on top of the previous ones; Docker caches these layers. If a layer hasn't changed, Docker reuses the cached version, dramatically speeding up subsequent builds — so ordering instructions from least to most frequently changed is critical.
A multi-stage build uses multiple FROM statements in one Dockerfile, allowing you to compile or build in one stage and copy only the final artifacts into a lean production image. This keeps final images small by discarding build tools, compilers, and intermediate files.
Docker Compose is a tool for defining and running multi-container applications using a YAML file (docker-compose.yml). It simplifies local development and testing by letting you spin up an entire stack — app, database, cache, etc. — with a single `docker compose up` command.
Bridge (default) creates an internal private network where containers communicate via IP; containers are isolated from the host network unless ports are published. Host mode removes network isolation so the container shares the host's network stack directly. None disables all networking for the container.
A Docker volume is managed by Docker, stored in Docker's storage area, and is the recommended way to persist data because it is portable and easier to back up. A bind mount maps a specific host filesystem path into the container, giving tighter control but creating host-path dependency.
Docker leverages Linux kernel features: namespaces (pid, net, mnt, uts, ipc) to isolate process trees, network interfaces, and filesystems per container; and cgroups to limit and account for CPU, memory, and I/O resources. This provides lightweight isolation without a hypervisor.
docker stop sends SIGTERM to the main process, giving it time to shut down gracefully, then sends SIGKILL after a timeout (default 10s). docker kill immediately sends SIGKILL (or a specified signal), forcefully terminating the container without a grace period.
Use a minimal base image (e.g., alpine), leverage multi-stage builds, chain RUN commands to reduce layer count, remove caches and temp files in the same layer they are created, use .dockerignore to exclude unnecessary build context files, and avoid installing unnecessary packages.
A Docker registry is a storage and distribution system for images (e.g., Docker Hub, AWS ECR). Tags are labels appended to an image name (image:tag) to identify versions; if omitted, latest is used by default. You push/pull images using the full reference: registry/repository:tag.
Docker secrets store sensitive data (passwords, tokens) encrypted at rest and in transit, and deliver it to the container as a file on an in-memory tmpfs mount rather than as an environment variable. This keeps secrets out of docker inspect output, image layers, and shell history, reducing the attack surface.
EXPOSE is documentation only — it records which port the containerized application listens on but does not actually publish it to the host. The -p (or --publish) flag in docker run creates a host-to-container port mapping, making the port accessible from outside the container.
You set a restart policy with --restart when running a container. Options are: no (default, never restart), on-failure[:max-retries] (restart on non-zero exit), always (always restart, including on daemon start), and unless-stopped (always restart except when explicitly stopped by the user).
Docker Swarm is Docker's native clustering and orchestration tool — simpler to set up and good for smaller workloads. Kubernetes is a more powerful, feature-rich orchestration system with advanced scheduling, auto-scaling, and a large ecosystem, making it the industry standard for large-scale production deployments.
First run docker ps -a to find the container and check its exit code. Then use docker logs <container_id> to inspect stdout/stderr output. You can also override the entrypoint with docker run --entrypoint sh -it <image> to get an interactive shell and investigate the environment directly.
A distroless image contains only the application runtime and its dependencies — no shell, package manager, or standard Linux utilities. This drastically reduces the attack surface because an attacker who compromises the container has no tools to explore or escalate, and there are far fewer OS-level CVEs to patch.
© RM Full Stack & AI Engineer