100% Free
🎯 3200+ Questions. One Goal: Your Success Sign In Sign Up

Top Docker Interview Questions

Curated Docker interview questions and answers across difficulty levels.

Last updated:

Docker Interview Questions & Answers

Skip to Questions

Welcome to our comprehensive collection of Docker interview questions and answers. This page contains expertly curated interview questions covering all aspects of Docker, from fundamental concepts to advanced topics. Whether you're preparing for an entry-level position or a senior role, you'll find questions tailored to your experience level.

Our Docker interview questions are designed to help you:

  • Understand core concepts and best practices in Docker
  • Prepare for technical interviews at all experience levels
  • Master both theoretical knowledge and practical application
  • Build confidence for your next Docker interview

Each question includes detailed answers and explanations to help you understand not just what the answer is, but why it's correct. We cover topics ranging from basic Docker concepts to advanced scenarios that you might encounter in senior-level interviews.

Use the filters below to find questions by difficulty level (Entry, Junior, Mid, Senior, Expert) or focus specifically on code challenges. Each question is carefully crafted to reflect real-world interview scenarios you'll encounter at top tech companies, startups, and MNCs.

Questions

155 questions
Q1:

What problem does Docker solve compared to traditional application deployments?

Entry

Answer

Docker eliminates environment mismatch problems by packaging apps with all dependencies into portable containers that behave consistently across machines.
Permalink
Q2:

How is a Docker container different from a virtual machine?

Entry

Answer

Containers share the host OS kernel while VMs run a full OS. Containers start faster, use less memory, and are more efficient, while VMs provide stronger isolation with higher overhead.
Permalink
Q3:

What is a Docker image?

Entry

Answer

A Docker image is a read-only template containing application code, runtime, dependencies, filesystem, and configuration needed to run a container.
Permalink
Q4:

What is the role of a Dockerfile?

Entry

Answer

A Dockerfile contains step-by-step instructions to build an image such as selecting a base image, installing packages, copying code, exposing ports, and defining entrypoints.
Permalink
Q5:

What does the FROM instruction do in a Dockerfile?

Entry

Answer

FROM sets the base image for your container, for example FROM node:20-alpine or FROM ubuntu:22.04.
Permalink
Q6:

Why do Docker images contain multiple layers?

Entry

Answer

Each Dockerfile instruction creates a layer. Layers improve build speed via caching, reuse, and incremental distribution.
Permalink
Q7:

What is the purpose of the ENTRYPOINT instruction?

Entry

Answer

ENTRYPOINT defines the main command a container runs automatically, giving it a predictable default behavior.
Permalink
Q8:

What does docker run -p 8080:80 mean?

Entry

Answer

It maps host port 8080 to container port 80, allowing external traffic from the host to reach the container.
Permalink
Q9:

What is the difference between CMD and ENTRYPOINT?

Entry

Answer

ENTRYPOINT defines the primary executable, while CMD provides default arguments. If both exist, CMD arguments are passed to ENTRYPOINT.
Permalink
Q10:

What is a container registry?

Entry

Answer

A container registry stores and distributes Docker images. Examples include Docker Hub, GitHub Container Registry, and AWS ECR.
Permalink
Q11:

What is the difference between docker stop and docker kill?

Entry

Answer

docker stop sends SIGTERM for graceful shutdown, while docker kill sends SIGKILL for immediate forced termination.
Permalink
Q12:

What does docker exec do?

Entry

Answer

docker exec runs a command inside a running container, such as docker exec -it myapp bash.
Permalink
Q13:

What is a bind mount in Docker?

Entry

Answer

A bind mount attaches a host folder into a container. Changes are reflected both ways and commonly used in development.
Permalink
Q14:

What is a Docker volume and why is it preferred over bind mounts in production?

Entry

Answer

A Docker volume is managed by Docker and provides independent, durable storage with better performance and isolation compared to bind mounts.
Permalink
Q15:

What is an image tag?

Entry

Answer

An image tag identifies the image version, such as nginx:1.25. Without a tag, Docker uses :latest.
Permalink
Q16:

What is the purpose of .dockerignore?

Entry

Answer

.dockerignore excludes files from the build context to speed up builds and reduce image size.
Permalink
Q17:

What happens if you run a container without specifying --name?

Entry

Answer

Docker assigns a random name automatically, such as friendly_moose.
Permalink
Q18:

What does docker ps -a show?

Entry

Answer

docker ps -a lists all containers including running, stopped, and exited ones, useful for debugging.
Permalink
Q19:

Why shouldn’t you install unnecessary packages inside a container?

Entry

Answer

Unnecessary packages increase image size, attack surface, and build time. Production images should be minimal.
Permalink
Q20:

What is Alpine Linux and why is it popular in Docker?

Entry

Answer

Alpine Linux is a lightweight distribution (~5MB). Alpine-based images significantly reduce final image size.
Permalink
Q21:

What is the Docker daemon and what role does it play?

Junior

Answer

The Docker daemon (dockerd) manages all Docker objects—containers, images, volumes, networks. It listens to the Docker API and executes client commands like building, running, or stopping containers.
Permalink
Q22:

Why is the Docker client and Docker daemon separation useful?

Junior

Answer

This separation allows remote container management, CLI running on a different machine, API-driven automation. Docker becomes a client–server architecture.
Permalink
Q23:

What is the difference between a container’s “image layer” and “container layer”?

Junior

Answer

Image layers are read-only and shared among containers. Container layer is a thin writable layer on top where runtime changes occur.
Permalink
Q24:

What happens internally when you run docker build?

Junior

Answer

Docker sends build context to daemon, executes each Dockerfile instruction as a new layer, caches layers intelligently, and outputs a final image ID.
Permalink
Q25:

What does Docker’s copy-on-write mechanism do?

Junior

Answer

It avoids duplicating data. If many containers use the same layer, Docker creates a new copy only when modification occurs—saving disk space.
Permalink
Q26:

Why is docker build . slow when your project folder is huge?

Junior

Answer

Docker sends entire build context to the daemon. Without a .dockerignore, large directories dramatically slow down builds.
Permalink
Q27:

What is the purpose of multi-stage builds?

Junior

Answer

They split build and runtime stages to create smaller production images, remove build tools, and speed up CI/CD pipelines.
Permalink
Q28:

What is the difference between ENTRYPOINT exec form and shell form?

Junior

Answer

Exec form uses no shell and passes signals properly. Shell form uses /bin/sh -c and makes signal forwarding harder.
Permalink
Q29:

Why do production Dockerfiles avoid using ADD?

Junior

Answer

ADD auto-extracts archives and supports remote URLs, causing unpredictable builds. COPY is preferred unless extraction is needed.
Permalink
Q30:

What is Docker Hub rate limiting?

Junior

Answer

Unauthenticated users have pull limits. Exceeding limits prevents image pulls. Solutions include login, mirrors, or private registry.
Permalink
Q31:

What is Docker Compose and why is it useful?

Junior

Answer

Compose defines multi-container apps via YAML, managing networks, volumes, dependencies, and startup order.
Permalink
Q32:

What is the difference between docker-compose up and docker-compose up --build?

Junior

Answer

up uses existing images. up --build forces image rebuild before starting services.
Permalink
Q33:

How do Compose networks isolate containers?

Junior

Answer

Each project gets a dedicated bridge network. Containers communicate via service names, keeping environments isolated.
Permalink
Q34:

Why is it a bad practice to store secrets inside images?

Junior

Answer

Images can be extracted or shared, exposing secrets permanently. Secrets cannot be revoked once baked into images.
Permalink
Q35:

What is the concept of image digest?

Junior

Answer

Digest uniquely identifies image content. Unlike tags, digests are immutable and ensure reproducible builds.
Permalink
Q36:

Why is latest tag dangerous in production?

Junior

Answer

latest is mutable; pulling it later may fetch a different version, causing inconsistent environments.
Permalink
Q37:

How does Docker’s overlay filesystem affect performance?

Junior

Answer

OverlayFS adds extra read/write layers. Heavy writes slow performance compared to native filesystems.
Permalink
Q38:

What does stateless container mean?

Junior

Answer

A stateless container does not store persistent data. Volumes or external services store data instead.
Permalink
Q39:

Why should you avoid running multiple processes in one container?

Junior

Answer

One process ensures clean logging, easier monitoring, simple restarts, and better scaling.
Permalink
Q40:

What is the difference between scaling at container vs node level?

Junior

Answer

Container-level scaling means more replicas on same node; node-level scaling distributes containers across nodes.
Permalink
Q41:

What is the difference between a named volume and an anonymous volume?

Junior

Answer

Named volumes are persistent and reusable; anonymous volumes are temporary and often lost on container removal.
Permalink
Q42:

What is a healthcheck in Docker?

Junior

Answer

A command that checks container health; orchestrators restart containers if unhealthy.
Permalink
Q43:

Why do some Docker images use non-root users?

Junior

Answer

Running as root is insecure. Non-root users reduce risk and prevent privilege escalation.
Permalink
Q44:

Explain the difference between docker logs and docker attach.

Junior

Answer

docker logs shows output; docker attach connects to live STDIN/STDOUT and may interfere with the process.
Permalink
Q45:

Why does Docker cache layers but not RUN commands that modify external states?

Junior

Answer

Docker caches based on file changes only. External states do not invalidate cache.
Permalink
Q46:

What is an image base layer?

Junior

Answer

The base layer (like ubuntu:22.04) is the foundation layer on which all other layers build.
Permalink
Q47:

Why is docker cp not preferred for production?

Junior

Answer

Copying files into containers breaks immutability and leads to unpredictable deployments.
Permalink
Q48:

How does Docker handle environment variables?

Junior

Answer

Variables passed with -e or Compose are injected at runtime and override image defaults without being stored in layers.
Permalink
Q49:

What is the difference between restarting and recreating a container?

Junior

Answer

Restarting keeps container instance; recreating destroys and creates a new instance with updated config.
Permalink
Q50:

Why do some images include an .env but avoid copying it?

Junior

Answer

.env provides build-time defaults; copying it exposes secrets and breaks environment separation.
Permalink
Q51:

How does Docker’s internal DNS resolve service names?

Junior

Answer

Docker assigns DNS records per network; services resolve each other by name.
Permalink
Q52:

Why is ordering of layers important in Dockerfiles?

Junior

Answer

Lower layers cannot be changed without invalidating upper layers; ordering helps maximize caching.
Permalink
Q53:

What is the purpose of the WORKDIR instruction?

Junior

Answer

It sets the working directory for subsequent instructions to avoid long paths.
Permalink
Q54:

Why does docker system prune free so much space?

Junior

Answer

It removes unused images, networks, volumes, and stopped containers that accumulate over time.
Permalink
Q55:

What happens when two containers expose the same host port?

Junior

Answer

Port conflict occurs; only the first container binds successfully while the second fails.
Permalink
Q56:

How does Docker internally leverage Linux namespaces to isolate containers?

Mid

Answer

Docker uses namespaces for PID, NET, IPC, UTS, and MNT. Each container sees its own isolated OS view.
Permalink
Q57:

How does cgroups limit container resources?

Mid

Answer

cgroups enforce limits on CPU, RAM, I/O, and PIDs. Exceeding limits causes throttling or OOM kills.
Permalink
Q58:

Why is OverlayFS used as Docker’s storage backend on Linux?

Mid

Answer

OverlayFS merges read-only image layers with a writable upper layer, reducing duplication and speeding up container creation.
Permalink
Q59:

How do orphaned volumes accumulate if not managed properly?

Mid

Answer

Volumes persist after container deletion, accumulating unused data and consuming disk space.
Permalink
Q60:

Why is docker exec not recommended for critical automation?

Mid

Answer

If a container restarts, exec commands break. Exec depends on runtime state and is nondeterministic.
Permalink
Q61:

How does Docker handle DNS resolution for containers on user-defined networks?

Mid

Answer

Docker embeds a DNS server inside each network; containers register by name for service discovery.
Permalink
Q62:

Explain how Docker checks container health through health status propagation.

Mid

Answer

Healthchecks run periodically and transition through starting, healthy, and unhealthy states used by orchestrators.
Permalink
Q63:

Why does Docker build cache break when COPY or ADD instructions change?

Mid

Answer

COPY/ADD track file checksums; any change invalidates following layers, causing rebuild.
Permalink
Q64:

What issues arise when storing logs inside container filesystem instead of stdout/stderr?

Mid

Answer

Logs fill the writable layer, degrade performance, and are lost when containers are deleted.
Permalink
Q65:

What is the significance of the container’s init process (PID 1)?

Mid

Answer

PID 1 does not forward signals properly; using tini or an init wrapper is recommended.
Permalink
Q66:

Why is it dangerous to use containers with host networking mode?

Mid

Answer

Host networking bypasses isolation and exposes host ports, increasing attack surface.
Permalink
Q67:

What is the effect of using docker run --privileged?

Mid

Answer

This grants full host permissions and device access, defeating container security.
Permalink
Q68:

Why do many companies prefer private container registries over Docker Hub?

Mid

Answer

Private registries provide access control, compliance, privacy, and no rate limits.
Permalink
Q69:

What performance impact occurs when containers run on Btrfs or ZFS storage drivers?

Mid

Answer

These drivers support snapshots but have slower random writes compared to overlay2.
Permalink
Q70:

How does Docker optimize repeated downloads using shared layers?

Mid

Answer

Layers with identical checksums are reused, saving storage and reducing pull times.
Permalink
Q71:

What’s the difference between a dangling image and an unused image?

Mid

Answer

Dangling images are untagged leftovers; unused images are tagged but not referenced by containers.
Permalink
Q72:

How does Docker ensure network isolation using iptables?

Mid

Answer

Docker configures NAT, forwarding, and bridge rules for container isolation.
Permalink
Q73:

Why do CI pipelines use Alpine but production avoids it sometimes?

Mid

Answer

Alpine uses musl libc, causing compatibility issues; production prefers Debian/Ubuntu.
Permalink
Q74:

How does Docker ensure each container gets its own hostname and domain name?

Mid

Answer

UTS namespace provides isolated hostnames for each container.
Permalink
Q75:

Why is it important to pin image versions in production?

Mid

Answer

Pinning ensures reproducible builds and stable environments.
Permalink
Q76:

How can a misconfigured healthcheck cause a container to restart repeatedly?

Mid

Answer

If healthchecks fail repeatedly, orchestrators keep restarting the container.
Permalink
Q77:

What happens if a container uses more memory than allowed by cgroup?

Mid

Answer

The kernel OOM killer terminates the container, logged as OOMKilled.
Permalink
Q78:

How does Docker Compose handle service dependencies using depends_on?

Mid

Answer

depends_on controls startup order but doesn’t wait for health; healthchecks are needed.
Permalink
Q79:

Why should build tools be removed from production images?

Mid

Answer

Build tools increase size and attack surface; multi-stage builds remove them.
Permalink
Q80:

How does Docker clean up unused networks and why do they accumulate?

Mid

Answer

Networks persist after containers are removed; docker network prune cleans them.
Permalink
Q81:

Why should environment variables never include multi-line secrets?

Mid

Answer

Env vars appear in inspect, process lists, and layer history; use secret managers.
Permalink
Q82:

How does Docker isolate container PIDs?

Mid

Answer

PID namespaces isolate process trees so containers cannot see each other’s processes.
Permalink
Q83:

What issue arises when running too many containers on one host?

Mid

Answer

Resource contention leads to CPU throttling, RAM pressure, IO saturation, and network slowness.
Permalink
Q84:

Why is it recommended to use non-root users inside images?

Mid

Answer

Root in a container is root on the host kernel; escaping container compromises the host.
Permalink
Q85:

What’s the difference between soft and hard resource limits in Docker?

Mid

Answer

Soft limits may be exceeded temporarily; hard limits cannot be exceeded.
Permalink
Q86:

How does Docker use union filesystems to support copy-on-write across multiple image layers?

Senior

Answer

Docker uses union FS (Overlay2) to merge read-only layers with a writable layer. Modifications occur only in the upper layer to preserve base layers.
Permalink
Q87:

Why does modifying files in lower layers trigger whiteout files in OverlayFS?

Senior

Answer

OverlayFS creates whiteout entries to hide files from lower layers without altering immutable layers.
Permalink
Q88:

How does Docker ensure that different containers do not exhaust host PIDs using PID cgroups?

Senior

Answer

PID cgroups apply limits on the number of processes so containers cannot consume all system PIDs.
Permalink
Q89:

What mechanisms map container UID/GID to host UID/GID?

Senior

Answer

User namespaces remap container root to unprivileged host users, improving isolation.
Permalink
Q90:

Why can running many heavy containers on the same overlay network create large ARP tables?

Senior

Answer

Bridge networks and veth interfaces scale ARP/MAC tables, causing lookup latency and overhead.
Permalink
Q91:

How does Docker prevent network isolation failures using iptables chains?

Senior

Answer

Docker configures NAT and DOCKER-USER chains to enforce container isolation.
Permalink
Q92:

Why can Docker DNS resolution slow down under high container counts?

Senior

Answer

Embedded DNS scales poorly with many services, causing latency without caching layers.
Permalink
Q93:

What happens when the Docker daemon crashes while containers run?

Senior

Answer

Containers continue running as normal processes but cannot be managed until dockerd restarts.
Permalink
Q94:

How does Docker daemon maintain internal state?

Senior

Answer

It stores metadata and image/layer information in /var/lib/docker.
Permalink
Q95:

Why might bind mounts degrade container I/O performance?

Senior

Answer

Bind mounts rely on host FS performance; volumes use optimized drivers.
Permalink
Q96:

How does Docker detect and garbage-collect orphaned build layers?

Senior

Answer

Unreferenced layers become dangling and are removed by docker system prune.
Permalink
Q97:

Why is disabling container swap recommended for latency-critical workloads?

Senior

Answer

Swapping introduces unpredictable latency and stalls microservices.
Permalink
Q98:

What is the role of Docker’s shim process?

Senior

Answer

Shim keeps containers alive when dockerd exits and handles STDIO pipes.
Permalink
Q99:

Why can log-driver misconfigurations crash hosts?

Senior

Answer

JSON logs fill writable layers, consuming disk and freezing hosts.
Permalink
Q100:

How do image manifests ensure cross-architecture builds?

Senior

Answer

Manifest lists map architectures; clients pull correct images automatically.
Permalink
Q101:

What causes layer invalidation storms during Docker builds?

Senior

Answer

Early layer changes force rebuild of all subsequent layers.
Permalink
Q102:

How does Docker securely copy images between registries?

Senior

Answer

TLS and SHA256 digests ensure confidentiality and integrity.
Permalink
Q103:

Why can Docker services fail DNS lookups after IP churn?

Senior

Answer

Stale DNS caches break lookups; apps need low TTLs.
Permalink
Q104:

How does Docker integrate with AppArmor or SELinux?

Senior

Answer

Security profiles restrict syscalls, capabilities, and filesystem access.
Permalink
Q105:

Why is using network host insecure even internally?

Senior

Answer

It exposes host ports and allows traffic sniffing or injection.
Permalink
Q106:

How does Docker sandbox capabilities using Linux capabilities API?

Senior

Answer

Docker drops powerful capabilities like SYS_ADMIN to limit root power.
Permalink
Q107:

What are split DNS zones in Docker Enterprise?

Senior

Answer

Different networks get different DNS zones to avoid name collisions.
Permalink
Q108:

How does Docker pause process freeze container execution?

Senior

Answer

Pause holds namespaces to checkpoint containers without stopping processes.
Permalink
Q109:

Why is mounting docker.sock dangerous?

Senior

Answer

Access to docker.sock gives full daemon control ? host root access.
Permalink
Q110:

Why does running many containers degrade overlay network performance?

Senior

Answer

VXLAN encapsulation overhead and endpoint scaling increase CPU usage and latency.
Permalink
Q111:

How do multi-stage builds solve dependency leakage?

Senior

Answer

They exclude build tools from final images and include only minimal artifacts.
Permalink
Q112:

Why do rootless Docker installations reduce performance?

Senior

Answer

Rootless mode uses user namespaces and slower unprivileged I/O.
Permalink
Q113:

How does Docker handle secrets differently from environment variables?

Senior

Answer

Secrets live in RAM-backed storage and never appear in layers or logs.
Permalink
Q114:

Why does Docker prefer iptables for networking?

Senior

Answer

iptables provides NAT, filtering, and forwarding that routing tables cannot.
Permalink
Q115:

What happens when overlay networks have overlapping subnets?

Senior

Answer

IP conflicts break routing and containers become unreachable.
Permalink
Q116:

Why does Docker use content-addressable storage for layers?

Senior

Answer

SHA256 layer hashes enable deduplication, integrity guarantees, and caching.
Permalink
Q117:

What is the difference between hard and soft quotas in cgroups v2?

Senior

Answer

Hard quotas strictly enforce limits; soft quotas allow temporary bursts.
Permalink
Q118:

Why are runtimes moving to eBPF-based networking?

Senior

Answer

eBPF avoids iptables bottlenecks and provides high-performance packet filtering.
Permalink
Q119:

How does Docker isolate IPC mechanisms?

Senior

Answer

IPC namespaces isolate shared memory and semaphore segments.
Permalink
Q120:

Why is building images directly on production servers discouraged?

Senior

Answer

Build contexts may leak secrets and introduce supply-chain risks.
Permalink
Q121:

How does Docker ensure layers pulled from registries are tamper-proof?

Senior

Answer

Layer digests are verified before extraction to detect tampering.
Permalink
Q122:

Why can a container’s time drift from the host clock?

Senior

Answer

Timezone mounts or custom configurations may cause drift from host time.
Permalink
Q123:

How do overlay networks maintain VXLAN mappings across nodes?

Senior

Answer

Metadata stores exchange MAC-to-IP mappings for VXLAN routing.
Permalink
Q124:

Why avoid running databases in Docker without tuning storage drivers?

Senior

Answer

Overlay2 causes write latency and fsync issues affecting DB durability.
Permalink
Q125:

How does Docker prevent container resurrection after deletion?

Senior

Answer

Docker deletes metadata so deleted container IDs cannot be reused.
Permalink
Q126:

How does runc actually create a container process from an OCI bundle?

Expert

Answer

runc reads the OCI spec, sets namespaces, configures cgroups, mounts rootfs using pivot_root, drops capabilities, and execve()s the entrypoint to create an isolated environment.
Permalink
Q127:

Why is container root not equivalent to host root when user namespaces are enabled?

Expert

Answer

User namespaces remap UID 0 inside container to an unprivileged UID on host, preventing host-level root access.
Permalink
Q128:

What are the security weaknesses of Docker’s default seccomp profile?

Expert

Answer

It blocks dangerous syscalls but still allows many exploitable ones; hardened profiles are needed for secure environments.
Permalink
Q129:

How does Docker avoid race conditions between runc and dockerd during container creation?

Expert

Answer

Docker inserts a shim process between runc and dockerd so containers continue even if dockerd restarts.
Permalink
Q130:

Why does overlay networking introduce additional latency compared to direct bridge networking?

Expert

Answer

VXLAN encapsulation adds overhead and packets may cross nodes, increasing RTT and CPU cost.
Permalink
Q131:

How does Docker’s overlay implementation differ from Kubernetes CNI plugins?

Expert

Answer

Swarm uses libnetwork with built-in control plane; Kubernetes uses pluggable CNIs with independent data/control planes.
Permalink
Q132:

What is an OCI image manifest and how does Docker validate it?

Expert

Answer

Manifest lists layers and digests; Docker verifies SHA256 digests before extraction to detect tampering.
Permalink
Q133:

What causes multi-arch images to pull the wrong architecture occasionally?

Expert

Answer

Faulty manifest lists or CI misconfiguration lead clients to select incorrect architecture entries.
Permalink
Q134:

Why do Docker layers become unshareable across images even if identical?

Expert

Answer

Layer digests depend on metadata like timestamps and file order; differing metadata prevents sharing.
Permalink
Q135:

How does buildx leverage BuildKit to execute builds in DAG form?

Expert

Answer

BuildKit builds a dependency graph, parallelizes stages, and caches keyed intermediate states.
Permalink
Q136:

Why do Docker push and pull operations feel slow even for small layer files?

Expert

Answer

Registry communication involves multiple API calls and digest checks causing high latency.
Permalink
Q137:

How does Docker prevent cross-repo layer caching attacks in registries?

Expert

Answer

Layer digests require repo-scoped authorization; knowing a digest is not enough to download.
Permalink
Q138:

Why can Docker logging drivers cause kernel buffer pressure?

Expert

Answer

High log throughput stresses buffers, causing IO throttling, CPU spikes, and dropped logs.
Permalink
Q139:

How are checkpoint and restore used for live migration?

Expert

Answer

CRIU saves process state, TCP sessions, and memory; Docker restores it on another host.
Permalink
Q140:

What conditions cause CRIU checkpointing to fail?

Expert

Answer

Uncheckpointable operations like ptrace, inotify, special FDs, or kernel mismatches cause failure.
Permalink
Q141:

What is the attack surface of Docker’s network namespace sandboxing?

Expert

Answer

Misconfigured capabilities like CAP_NET_ADMIN allow route manipulation or packet sniffing.
Permalink
Q142:

How does Docker implement deterministic CPU throttling across containers?

Expert

Answer

cgroups v2 applies weighted fair sharing using quotas and CPU weights.
Permalink
Q143:

How do registries deduplicate identical layers across millions of images?

Expert

Answer

Content-addressing stores each digest once and tracks references to avoid duplication.
Permalink
Q144:

Why does Docker fail to garbage-collect layers sometimes?

Expert

Answer

Running or stopped containers still reference layers until removed.
Permalink
Q145:

How do kernel security modules secure Docker collectively?

Expert

Answer

AppArmor/SELinux enforce MAC, Seccomp filters syscalls, and capabilities reduce privileges.
Permalink
Q146:

Why is host kernel version critical for Docker performance and security?

Expert

Answer

Kernel defines namespaces, cgroups, OverlayFS, eBPF, and seccomp features.
Permalink
Q147:

Why does running systemd inside Docker break container assumptions?

Expert

Answer

systemd expects full init control and multiple processes, conflicting with container isolation.
Permalink
Q148:

How do multi-tenant platforms prevent noisy-neighbor problems?

Expert

Answer

Strict CPU, memory, IO limits and cgroup throttling isolate resource usage.
Permalink
Q149:

How does Docker isolate high-resolution timers?

Expert

Answer

Time namespaces provide isolated clocks preventing timing attacks.
Permalink
Q150:

Why is Docker used with immutable infrastructure principles?

Expert

Answer

Containers are stateless and replaceable, minimizing configuration drift.
Permalink
Q151:

Why is image attestation important in enterprise pipelines?

Expert

Answer

Attestation proves who built the image and ensures supply-chain integrity.
Permalink
Q152:

How does Docker’s network sandbox interact with eBPF plugins like Cilium?

Expert

Answer

eBPF replaces iptables for fast packet filtering and direct routing.
Permalink
Q153:

Why did orchestrators shift from Docker runtime to containerd and CRI?

Expert

Answer

containerd provides slim, fast, Kubernetes-native runtime integration.
Permalink
Q154:

How does Docker optimize overlay networks without full mesh tunnels?

Expert

Answer

Swarm uses gossip plus VXLAN mapping to create tunnels only when needed.
Permalink
Q155:

What causes fsync storms inside containers?

Expert

Answer

OverlayFS merges layers, causing heavy IO waits and slow database transactions.
Permalink

Curated Sets for Docker

No curated sets yet. Group questions into collections from the admin panel to feature them here.

People Also Ask - Related Docker Questions

What problem does Docker solve compared to traditional application deployments?
How is a Docker container different from a virtual machine?
What is a Docker image?
What is the role of a Dockerfile?
What does the FROM instruction do in a Dockerfile?
Why do Docker images contain multiple layers?
Ready to level up? Start Practice