Docker Interview Cheat Sheet
Top 50 interview questions with concise answers. Print this page or save as PDF for offline study.
1. What problem does Docker solve compared to traditional application deployments?
Before Docker, "works on my machine" was a real problem — different OS, different libraries, different configs on dev vs prod. Docker packages your app and all its dependencies into one container that runs identically everywhere. No more environment drift, no more manual setup, no more surprise failures at deployment.
2. How is a Docker container different from a virtual machine?
A VM runs a full guest operating system on top of a hypervisor — heavy, slow to start, GBs of disk. A container shares the host OS kernel and only packages the app and its libraries — lightweight, starts in milliseconds, uses far less disk and RAM. Containers are like isolated processes, not isolated computers.
3. What is a Docker image?
A Docker image is a read-only, layered snapshot of your application — it includes the OS base, runtime, dependencies, and your code. Think of it as a blueprint. When you run it, Docker creates a live, writable container from it. The same image can spin up hundreds of identical containers.
4. What is the role of a Dockerfile?
A Dockerfile is a script of instructions telling Docker how to build your image — start from a base image, install packages, copy code, set the startup command. Every instruction creates a layer. Docker reads the Dockerfile top to bottom and assembles a ready-to-run image from it.
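A minimal sketch, assuming a hypothetical Node.js app whose entry point is server.js:

```dockerfile
# Start from a small Node base image
FROM node:20-alpine
WORKDIR /app
# Copy dependency manifests first so this layer is cached between code changes
COPY package*.json ./
RUN npm ci --omit=dev
# Copy the application code
COPY . .
# Default startup command
CMD ["node", "server.js"]
```

Build it with docker build -t myapp . — each instruction above becomes one cached layer.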
5. What does the FROM instruction do in a Dockerfile?
FROM sets the base image — the starting point for your new image. Every subsequent instruction (RUN, COPY, etc.) adds a layer on top of this base. FROM ubuntu:22.04 starts with Ubuntu; FROM node:20-alpine starts with Node pre-installed on Alpine. Choosing the right base image affects size, security, and compatibility.
6. Why do Docker images contain multiple layers?
Each instruction in a Dockerfile creates a separate layer. Layers are cached — if a layer hasn't changed, Docker reuses it from cache instead of rebuilding. This makes rebuilds fast. Layers are also shared between images — if two images use the same base, they share those layers on disk, saving space.
7. What is the purpose of the ENTRYPOINT instruction?
ENTRYPOINT sets the main executable that always runs when the container starts. It defines the container's purpose — like setting it to run nginx or a Python script. CMD provides default arguments to ENTRYPOINT, but they can be overridden at runtime. ENTRYPOINT is the fixed behavior; CMD is the flexible part.
8. What does docker run -p 8080:80 mean?
-p 8080:80 maps port 80 inside the container to port 8080 on your host machine. Traffic hitting localhost:8080 on your machine is forwarded to port 80 in the container. Format is always host:container. Without -p, the container's port is unreachable from outside.
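For example, publishing nginx's port 80 on host port 8080 (the container name and port values here are just illustrative):

```bash
# Host port 8080 -> container port 80 (format is host:container)
docker run -d --name web -p 8080:80 nginx
# The container's port 80 is now reachable from the host:
curl http://localhost:8080
```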
9. What is the difference between CMD and ENTRYPOINT?
CMD sets the default command run at container startup — fully replaceable when you pass a command to docker run. ENTRYPOINT sets a fixed entry command that always runs — additional arguments from CMD or docker run are appended to it. ENTRYPOINT is for defining what the container IS; CMD is for its default behavior.
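A common way to see the interplay — a hypothetical image whose fixed job is ping, with CMD supplying only the default target:

```dockerfile
# The container always runs ping; CMD is just the default argument
ENTRYPOINT ["ping", "-c", "3"]
CMD ["localhost"]
```

```bash
docker run myimage              # runs: ping -c 3 localhost
docker run myimage example.com  # runs: ping -c 3 example.com
```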
10. What is a container registry?
A container registry is a storage server for Docker images — you push images to it and pull them on other machines. Docker Hub is the public default. Companies use private registries (AWS ECR, Google Artifact Registry, Harbor) to store proprietary images securely and control access.
11. What is the difference between docker stop and docker kill?
docker stop sends SIGTERM, giving the container's process time to shut down gracefully — it can save state, close connections, finish in-flight work. After a timeout (default 10s), it sends SIGKILL. docker kill immediately sends SIGKILL — instant termination with no cleanup. Always prefer stop for production workloads.
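In practice (container name is illustrative):

```bash
# Graceful: SIGTERM first, SIGKILL after the timeout (here 30s instead of the default 10s)
docker stop --time 30 mycontainer
# Immediate: SIGKILL, no cleanup
docker kill mycontainer
# kill can also deliver a custom signal, e.g. SIGHUP to trigger a config reload
docker kill --signal SIGHUP mycontainer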
12. What does docker exec do?
docker exec runs a new command inside an already-running container. Most common use: docker exec -it &lt;container&gt; bash — opens an interactive shell inside a live container for debugging. The container stays running; you're just attaching an extra process to it. Nothing in the container is interrupted.
13. What is a bind mount in Docker?
A bind mount maps a specific host directory or file directly into the container. Changes from either side are immediately visible to the other. Great for development (code changes reflect instantly) but fragile in production — it ties the container to a specific host path, reducing portability.
14. What is a Docker volume and why is it preferred over bind mounts in production?
A Docker volume is managed by Docker itself, stored in Docker's own area (/var/lib/docker/volumes). Unlike bind mounts, volumes work regardless of host directory structure, can use volume drivers (local, NFS, cloud storage), and survive container deletion. They're the right choice for databases and persistent app data in production.
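Side by side — a dev-style bind mount versus a production-style named volume (paths and names are illustrative):

```bash
# Bind mount: a specific host path mapped into the container (dev convenience)
docker run -v "$(pwd)/src:/app/src" myapp

# Named volume: Docker-managed, survives container removal (production data)
docker volume create pgdata
docker run -v pgdata:/var/lib/postgresql/data postgres:16
```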
15. What is an image tag?
An image tag is a label that identifies a specific version of an image — like nginx:1.25 or myapp:v2.1. Without a tag, Docker defaults to latest. Tags are just pointers — they don't guarantee the image is the "latest" version unless you explicitly updated them. Tag images with commit hashes or version numbers for traceability.
16. What is the purpose of .dockerignore?
.dockerignore tells Docker which files to exclude from the build context sent to the daemon. Without it, your entire project folder (including node_modules, .git, large test fixtures) gets sent on every build — slowing it down. It works like .gitignore — patterns of files/folders to skip.
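A typical .dockerignore for a Node project might look like this (entries are illustrative — tailor them to your repo):

```
node_modules
.git
*.log
dist/
.env
```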
17. What happens if you run a container without specifying --name?
Docker generates a random two-word name (e.g., "quirky_tesla"). The container still gets a unique ID regardless. The auto-generated name is for human convenience in docker ps — you can use it in commands instead of the full ID. Using --name yourself makes scripts and logs more readable.
18. What does docker ps -a show?
docker ps shows running containers. docker ps -a shows ALL containers — running, stopped, and exited. Stopped containers still exist on disk with their data until you explicitly remove them with docker rm. This is how you recover a crashed container's logs or inspect what went wrong.
19. Why shouldn’t you install unnecessary packages inside a container?
Every package you install adds to the image size, increases the attack surface, and takes longer to build and pull. A container should do one job. Extra tools (curl, wget, vim) are convenient during dev but become security risks in production — they give an attacker more tools to work with if they break in.
20. What is Alpine Linux and why is it popular in Docker?
Alpine is a minimal Linux distro built for security and small footprint — the base image is about 5MB vs 100MB+ for Ubuntu. Popular in Docker because smaller images build faster, pull faster, and reduce the attack surface. Trade-off: it uses musl libc instead of glibc, which can cause compatibility issues with some software.
21. What is the Docker daemon and what role does it play?
The Docker daemon (dockerd) is the background service that actually creates and manages containers, images, networks, and volumes. The Docker CLI talks to the daemon via a REST API. The daemon does all the heavy lifting — you just issue commands and it handles the rest.
22. Why is the Docker client and Docker daemon separation useful?
The separation means you can run Docker from remote machines, CI systems, or scripts by pointing the client at a remote daemon. It also means the daemon can run as root (needed for kernel-level operations) while the client runs as a regular user. They communicate over a Unix socket or TCP.
23. What is the difference between a container’s “image layer” and “container layer”?
Image layers are read-only — they're shared across all containers using that image. The container layer is a thin, writable layer added on top specifically for that container. Any writes (new files, modified files) go into the container layer via copy-on-write. The image underneath is never modified.
24. What happens internally when you run docker build?
docker build reads the Dockerfile, sends your project folder (build context) to the daemon, then executes each instruction in order. Each instruction creates a new layer. Docker checks its layer cache first — if the layer hasn't changed, it reuses it. The final result is a new image tagged with your name.
25. What does Docker’s copy-on-write mechanism do?
Copy-on-write means containers share read-only image layers until they need to modify a file. When a container writes to a file from an image layer, Docker copies that file into the container's writable layer first — then modifies the copy. The original image layer stays unchanged, shared by all containers.
26. Why is docker build . slow when your project folder is huge?
docker build sends your entire project folder (the build context) to the Docker daemon before processing the Dockerfile. If your folder is huge (large node_modules, build artifacts, test datasets), that transfer alone takes seconds or minutes. A .dockerignore file filters out what doesn't need to be sent.
27. What is the purpose of multi-stage builds?
Multi-stage builds let you use multiple FROM stages in one Dockerfile. Build tools, compilers, and test frameworks run in early stages; only the final artifact gets copied into a clean, minimal final image. Result: production images that are tiny and contain zero build tooling — smaller, faster, more secure.
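A sketch for a hypothetical Go service — the full toolchain lives only in the build stage, and the final image carries just the binary:

```dockerfile
# Stage 1: build with the full Go toolchain
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /app .

# Stage 2: ship only the compiled binary on a minimal base
FROM alpine:3.20
COPY --from=build /app /app
ENTRYPOINT ["/app"]
```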
28. What is the difference between ENTRYPOINT exec form and shell form?
Shell form (ENTRYPOINT cmd arg) runs through /bin/sh -c — the shell interprets it, so signal handling is poor (PID 1 is the shell, not your app). Exec form (ENTRYPOINT ["cmd", "arg"]) runs the process directly as PID 1 — receives signals correctly for graceful shutdown. Always use exec form in production.
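The two forms side by side (in a real Dockerfile only the last ENTRYPOINT takes effect — this is a contrast, not a working file):

```dockerfile
# Shell form: PID 1 is /bin/sh, so your app may never see SIGTERM
ENTRYPOINT node server.js

# Exec form: node runs directly as PID 1 and receives signals itself
ENTRYPOINT ["node", "server.js"]
```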
29. Why do production Dockerfiles avoid using ADD?
ADD can accept remote URLs and auto-extracts tarballs — which sounds useful but adds implicit behavior and is a security risk (fetching from remote URLs during build). COPY is explicit — it only copies files from the local build context. Prefer COPY; use ADD only when you specifically need tarball extraction.
30. What is Docker Hub rate limiting?
Docker Hub limits unauthenticated pulls (100/6h) and free account pulls (200/6h). In CI pipelines with many parallel jobs, you can easily hit the limit and get 429 errors. Solutions: authenticate with a Docker Hub account, use a pull-through cache, or mirror images to a private registry.
31. What is Docker Compose and why is it useful?
Docker Compose defines and runs multi-container applications using a YAML file. Instead of manually running multiple docker run commands with all their flags, you declare all services, networks, and volumes in one docker-compose.yml and start everything with docker compose up. Great for local dev and simple deployments.
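A minimal two-service sketch (service names, ports, and the placeholder password are all illustrative):

```yaml
services:
  web:
    build: .
    ports:
      - "8080:80"
    depends_on:
      - db
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: example   # placeholder; inject real secrets at runtime
    volumes:
      - pgdata:/var/lib/postgresql/data
volumes:
  pgdata:
```

Start everything with docker compose up; the web service reaches the database at hostname db.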
32. What is the difference between docker-compose up and docker-compose up --build?
docker compose up starts existing containers (or creates them if they don't exist) using the current images. docker compose up --build forces Docker to rebuild images before starting — picking up Dockerfile changes. Without --build, changes to your Dockerfile or to code copied into the image won't be reflected in the running containers.
33. How do Compose networks isolate containers?
Compose creates a private virtual network for your project. Services on the same network can reach each other by service name as the hostname (e.g., the web service reaches the DB as "db"). Services on other Compose networks, or processes on the host, can't reach them by default — clean isolation out of the box.
34. Why is it a bad practice to store secrets inside images?
Images are shareable and often public (or accessible to anyone with registry access). Baking secrets (API keys, DB passwords) into an image means everyone who pulls it gets the secrets — forever, even after you "delete" them, because they're in the layer history. Use environment variables or secrets managers at runtime instead.
35. What is the concept of image digest?
A digest is a SHA256 hash of an image's content — it uniquely and immutably identifies an exact version of an image. Unlike tags (which can be moved), a digest never changes. Pinning by digest (image@sha256:abc123...) guarantees you always pull exactly the same image, even if someone updates the tag.
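In practice (the digest below is a placeholder, not a real hash):

```bash
# Show the digests of local images
docker images --digests nginx
# Pull by digest: immutable, unaffected by anyone moving the tag
docker pull nginx@sha256:<digest>
```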
36. Why is latest tag dangerous in production?
latest is just a tag — it points to whatever image was last pushed with that tag. It gives no guarantee of stability, version, or compatibility. In production, if you pull latest and the image changed, your deployment behavior changes silently. Always pin to a specific version tag or digest.
37. How does Docker’s overlay filesystem affect performance?
OverlayFS stacks read-only image layers under a writable container layer. File reads go through the layer stack — usually fast. Writes trigger copy-on-write: Docker copies the file from the image layer into the container layer, then modifies it. Frequent writes to many large files in a container can be slower than native disk I/O.
38. What does stateless container mean?
A stateless container stores no persistent data internally — all data goes to external volumes, databases, or caches. When the container restarts or is replaced, nothing is lost. Stateless containers are easy to scale (just add more copies), update (replace without migration), and recover (restart instantly).
39. Why should you avoid running multiple processes in one container?
One process per container keeps things focused and clean. Multiple processes in one container means you need a process supervisor (like supervisord), signals get complicated (PID 1 needs to handle them all), logs get mixed, and failure recovery is harder. If one process crashes, you can't restart just that part.
40. What is the difference between scaling at container vs node level?
Container scaling adds more container instances on the same node — uses more CPU/RAM on that host. Node scaling adds more physical or virtual machines to the cluster. Container scaling is fast (seconds); node scaling is slower (minutes). Orchestrators like Kubernetes do both automatically based on load.
41. What is the difference between a named volume and an anonymous volume?
Named volumes have an explicit name you give them — they persist after the container is removed and can be reused by name. Anonymous volumes are created without a name — Docker assigns a random ID, and they're harder to find and manage. Named volumes are always the right choice for data you want to keep.
42. What is a healthcheck in Docker?
A healthcheck is a command Docker runs periodically inside the container to verify it's working correctly. If it fails repeatedly, Docker marks the container as unhealthy. Orchestrators use health status to decide when a container is ready for traffic or needs to be restarted — far smarter than just checking if the process is running.
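A sketch in Dockerfile form, assuming the app exposes a /health endpoint (the endpoint and intervals are illustrative, and curl must be present in the image):

```dockerfile
# Probe every 30s; mark the container unhealthy after 3 consecutive failures
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD curl -f http://localhost:80/health || exit 1
```

Check the resulting status with docker ps (the STATUS column shows healthy/unhealthy) or docker inspect.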
43. Why do some Docker images use non-root users?
Running as root inside a container means if an attacker escapes the container (container breakout), they're root on the host — catastrophic. A non-root user limits the blast radius. The process can still read and write its data but can't install system packages, modify critical files, or escalate privileges easily.
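A minimal sketch on an Alpine-based image (user and app names are illustrative; addgroup/adduser flags are the BusyBox variants used by Alpine):

```dockerfile
FROM node:20-alpine
WORKDIR /app
COPY . .
# Create an unprivileged user and hand it ownership of the app files
RUN addgroup -S app && adduser -S app -G app \
    && chown -R app:app /app
# Everything after this line runs as the non-root user
USER app
CMD ["node", "server.js"]
```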
44. Explain the difference between docker logs and docker attach.
docker logs reads the container's captured stdout/stderr output — non-interactive, shows historical output, can be filtered by time. docker attach connects your terminal directly to the container's running process I/O — interactive, real-time, but detaching requires Ctrl-P then Ctrl-Q, or you'll stop the container. logs is safer for debugging.
45. Why does Docker cache layers but not RUN commands that modify external states?
Docker caches layers based on the instruction and its context at build time. RUN commands that download from the internet (apt-get, curl) are cached based on the instruction text — not the external content. So if an apt package updates, Docker still uses the cached layer. To force a fresh download, break the cache manually.
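The standard Debian/Ubuntu pattern — keep update and install in one RUN so a stale cached package index can never pair with a fresh install list (curl here is just an example package):

```dockerfile
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
```

When you really need everything fresh, docker build --no-cache rebuilds every layer from scratch.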
46. What is an image base layer?
The base layer is the foundation of every image — defined by the FROM instruction. It's the first layer, typically a minimal OS (Alpine, Debian, Ubuntu) or a language runtime (node, python, golang). Every other layer in your image builds on top of it. Choosing a good base image is the most impactful size decision.
47. Why is docker cp not preferred for production?
docker cp copies files between a running container and the host. It's a one-time manual operation — not automated, not version controlled, not part of the image build. In production, files should be in the image or in volumes from the start. Using docker cp to "fix" a running container creates snowflake servers and hides real problems.
48. How does Docker handle environment variables?
Environment variables are passed to containers via -e VAR=value or --env-file. Inside the container they appear as normal env vars that the app reads. They're great for config (database URLs, ports, feature flags) but not for sensitive secrets — they show up in docker inspect and process listings.
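For example (variable names, values, and the env file are illustrative):

```bash
# Single variables
docker run -e DATABASE_URL=postgres://db:5432/app -e PORT=3000 myapp
# Or a file of KEY=value lines
docker run --env-file ./prod.env myapp
# Caveat: the values are visible to anyone who can inspect the container
docker inspect --format '{{.Config.Env}}' <container>
```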
49. What is the difference between restarting and recreating a container?
Restarting a container (docker restart) stops and starts the same container — same container ID, same writable layer, same data. Recreating a container (docker rm + docker run) destroys the old container entirely and starts fresh from the image. Recreating picks up image changes; restarting does not.
50. Why do some images include an .env but avoid copying it?
Some images ship with a sample .env file as documentation (shows which variables are expected). But you never COPY .env into the image itself — that would bake secrets into the image. The real .env gets injected at runtime via --env-file, keeping secrets out of the image and the registry.