Docker Interview Questions and Answers

Introduction

Welcome to this comprehensive guide designed to equip you with the knowledge and confidence needed to excel in your next Docker interview! Whether you're a developer, DevOps engineer, or system administrator, mastering Docker is crucial in today's cloud-native landscape. This document covers a wide spectrum of Docker topics, from fundamental concepts and image management to advanced orchestration, security, and troubleshooting, including role-specific questions and practical challenges. Prepare to deepen your understanding and showcase your expertise, setting yourself up for success in any Docker-related role.

Docker Fundamentals and Core Concepts

What is Docker and why is it used?

Answer:

Docker is an open-source platform that automates the deployment, scaling, and management of applications using containerization. It's used to provide a consistent environment for applications, ensuring they run reliably across different computing environments, from development to production.

Explain the difference between a Docker Image and a Docker Container.

Answer:

A Docker Image is a lightweight, standalone, executable package that includes everything needed to run a piece of software, including the code, runtime, system tools, system libraries, and settings. A Docker Container is a runnable instance of a Docker Image. You can create, start, stop, move, or delete a container.

What is a Dockerfile and what is its purpose?

Answer:

A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image. It provides a way to automate the image creation process, ensuring reproducibility and version control for your application's environment.

How does Docker achieve isolation?

Answer:

Docker achieves isolation primarily through Linux kernel features like namespaces and control groups (cgroups). Namespaces provide isolated views of system resources (e.g., process IDs, network interfaces), while cgroups limit and monitor resource usage (CPU, memory, I/O) for containers.

What are Docker volumes and why are they important?

Answer:

Docker volumes are the preferred mechanism for persisting data generated by and used by Docker containers. They are important because containers are ephemeral; without volumes, data inside a container would be lost when the container is removed. Volumes allow data to outlive the container.

Explain the concept of Docker layers.

Answer:

Docker images are composed of multiple read-only layers, each representing a Dockerfile instruction. When you build an image, each command creates a new layer on top of the previous one. This layering allows for efficient storage, sharing, and caching, as common layers can be reused across multiple images.

What is Docker Hub?

Answer:

Docker Hub is a cloud-based registry service provided by Docker for finding and sharing container images. It acts as a central repository where users can push their custom images and pull official or community-contributed images. It also offers automated builds and webhooks.

How do you expose a port from a Docker container to the host machine?

Answer:

You expose a port using the -p or --publish flag when running a container. For example, docker run -p 8080:80 my_image maps port 80 inside the container to port 8080 on the host machine, allowing external access.

What is the purpose of the .dockerignore file?

Answer:

The .dockerignore file is similar to .gitignore and specifies files and directories that should be excluded when building a Docker image. Its purpose is to prevent unnecessary files (like source code, build artifacts, or sensitive data) from being copied into the image, reducing image size and build time.

Briefly explain the Docker daemon (dockerd).

Answer:

The Docker daemon (dockerd) is the background service that runs on the host machine and manages Docker objects like images, containers, networks, and volumes. It listens for Docker API requests and processes them, performing tasks like building images, running containers, and managing storage.

Dockerfile and Image Management

What is a Dockerfile and why is it used?

Answer:

A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image. It's used to automate the process of creating Docker images, ensuring consistency and reproducibility across different environments.

Explain the purpose of the FROM instruction in a Dockerfile.

Answer:

The FROM instruction initializes a new build stage and sets the base image for subsequent instructions. Every Dockerfile must start with FROM, specifying the parent image from which your image will be built, e.g., FROM ubuntu:22.04.

What is the difference between CMD and ENTRYPOINT in a Dockerfile?

Answer:

CMD provides default arguments for an executing container, which can be overridden by command-line arguments. ENTRYPOINT configures a container that will run as an executable, and its arguments are typically fixed, with CMD providing additional parameters to it.

How does the Docker build cache work and why is it important?

Answer:

Docker caches each layer during the build process. If an instruction and its context haven't changed since the last build, Docker reuses the cached layer, significantly speeding up subsequent builds. This is crucial for efficient development workflows.

What is the .dockerignore file and what is its purpose?

Answer:

The .dockerignore file lists files and directories that should be excluded when the build context is sent to the Docker daemon. This prevents unnecessary files from being included in the image, reducing image size and build time, similar to .gitignore.

Explain the concept of multi-stage builds in Dockerfiles.

Answer:

Multi-stage builds allow you to use multiple FROM statements in your Dockerfile, each starting a new build stage. This is used to separate build-time dependencies from runtime dependencies, resulting in smaller, more secure final images by only copying necessary artifacts from earlier stages.

How do you reduce the size of a Docker image?

Answer:

To reduce image size, use a minimal base image (e.g., Alpine), leverage multi-stage builds, clean up unnecessary files and caches after installation, consolidate RUN commands to minimize layers, and use .dockerignore to exclude irrelevant files from the build context.

What is a Docker image layer, and why are they important?

Answer:

A Docker image is composed of multiple read-only layers, each representing an instruction in the Dockerfile. Layers enable efficient storage and distribution through caching and sharing common layers between images, reducing disk space and download times.

When would you use ADD versus COPY in a Dockerfile?

Answer:

COPY is generally preferred as it only copies local files or directories into the image. ADD has additional functionality, such as automatically extracting tarballs from URLs or local paths, but this can lead to unexpected behavior or security risks if not carefully managed.

How do you tag a Docker image, and why is tagging important?

Answer:

You tag an image using docker build -t <image_name>:<tag> . or docker tag <source_image>:<source_tag> <target_image>:<target_tag>. Tagging is crucial for versioning images, identifying different builds (e.g., latest, dev, v1.0), and pushing them to registries.

What is the WORKDIR instruction used for?

Answer:

The WORKDIR instruction sets the working directory for any RUN, CMD, ENTRYPOINT, COPY, or ADD instructions that follow it in the Dockerfile. It helps organize the file system within the container and simplifies subsequent commands by providing a default path.

Container Orchestration (Docker Compose & Swarm)

What is Docker Compose and when would you use it?

Answer:

Docker Compose is a tool for defining and running multi-container Docker applications. You use a YAML file to configure your application's services, networks, and volumes, then use a single command (docker compose up) to start everything. It's ideal for local development environments and testing.

Explain the key components of a docker-compose.yml file.

Answer:

A docker-compose.yml file typically includes services (defining application components like web servers, databases), networks (for inter-service communication), and volumes (for persistent data storage). Each service specifies its image, ports, environment variables, and dependencies.

How do you scale services using Docker Compose?

Answer:

While Compose is primarily for single-host environments, you can scale services by using the --scale flag with docker compose up. For example, docker compose up --scale web=3 would start three instances of the 'web' service. For true distributed scaling, Docker Swarm or Kubernetes is used.

What is Docker Swarm and how does it differ from Docker Compose?

Answer:

Docker Swarm is Docker's native container orchestration solution for managing a cluster of Docker engines. Compose is for defining and running multi-container apps on a single host, while Swarm allows you to deploy and scale those applications across multiple hosts (nodes) in a fault-tolerant manner.

Describe the roles of 'manager' and 'worker' nodes in a Docker Swarm.

Answer:

Manager nodes handle cluster management tasks like maintaining the desired state, scheduling tasks, and service discovery. Worker nodes receive and execute tasks from manager nodes, running the actual containers. For high availability, a Swarm should have multiple manager nodes.

How do you initialize a Docker Swarm and add nodes to it?

Answer:

You initialize a Swarm on a manager node using docker swarm init. This command outputs a join token. To add worker nodes, you run docker swarm join --token <token> <manager-ip>:<port> on each worker. Managers can be added similarly with a different join token.

What is a 'service' in Docker Swarm context?

Answer:

In Docker Swarm, a 'service' is the definition of the tasks you want to execute on the Swarm. It defines which Docker image to use, how many replicas to run, which ports to expose, and other deployment configurations. Swarm ensures the desired number of service replicas are always running.

How does Docker Swarm handle service discovery and load balancing?

Answer:

Docker Swarm has built-in DNS-based service discovery, allowing services to find each other by name. It also provides internal load balancing (routing mesh) that distributes requests across all healthy replicas of a service, even if the request hits a node not running a replica.

Explain the concept of 'rolling updates' in Docker Swarm.

Answer:

Rolling updates allow you to update a service to a new version without downtime. Swarm updates replicas incrementally, replacing old containers with new ones one by one or in batches, ensuring that a sufficient number of old containers remain running until new ones are healthy.

When would you choose Docker Swarm over Kubernetes, or vice-versa?

Answer:

Choose Docker Swarm for simpler, native Docker orchestration, easier setup, and when you need less complexity. Choose Kubernetes for highly complex, large-scale deployments, advanced features like auto-scaling, self-healing, and a broader ecosystem, often at the cost of higher complexity and steeper learning curve.

Networking and Storage in Docker

Explain the default network drivers available in Docker and their primary use cases.

Answer:

Docker provides several default network drivers: bridge (default for standalone containers, isolated network), host (container shares host's network stack, no isolation), and none (container has no network interfaces). overlay is used for multi-host communication in Swarm, and macvlan assigns a MAC address to a container, making it appear as a physical device on the network.

What is the purpose of a user-defined bridge network in Docker, and how does it differ from the default bridge network?

Answer:

User-defined bridge networks provide better isolation, automatic DNS resolution between containers by name, and easier port mapping management compared to the default bridge network. Containers on a user-defined bridge can communicate with each other using their service names without explicit port mapping on the host.

How do you connect a running container to an existing user-defined network?

Answer:

You can connect a running container to an existing user-defined network using the docker network connect command. For example: docker network connect my_network my_container. This allows the container to communicate with other containers on that network.

Describe the different types of storage available in Docker and when you would use each.

Answer:

Docker offers volumes, bind mounts, and tmpfs mounts. Volumes are the preferred method for persistent data, managed by Docker, and ideal for databases. Bind mounts link a host path directly to a container path, useful for development or configuration files. Tmpfs mounts store data in the host's memory, suitable for non-persistent, sensitive data.

What are Docker volumes, and what are their advantages over bind mounts?

Answer:

Docker volumes are the recommended way to persist data generated by and used by Docker containers. They are fully managed by Docker, making them easier to back up, migrate, and manage. Volumes are also more performant than bind mounts, especially for I/O-intensive workloads, and work across different operating systems.

How do you create and use a named Docker volume?

Answer:

A named volume can be created using docker volume create my_data. To use it with a container, you specify it with the -v flag during container creation: docker run -d -v my_data:/app/data my_image. This mounts the my_data volume to /app/data inside the container.

Explain the concept of the 'copy-on-write' mechanism in Docker storage.

Answer:

The copy-on-write (CoW) mechanism is used by Docker's image layers. When a container starts, it gets a thin, writable layer on top of the immutable image layers. Any changes made by the container are written only to this top layer, leaving the underlying image layers untouched. This optimizes storage and allows multiple containers to share the same base image efficiently.

How can you inspect network details or volume information in Docker?

Answer:

To inspect network details, use docker network inspect <network_name_or_id>. This provides comprehensive information including connected containers, subnets, and gateways. For volume information, use docker volume inspect <volume_name>, which shows the mount point, driver, and other metadata.

When would you choose a host network driver over a bridge network driver?

Answer:

You would choose the host network driver when you need maximum network performance or direct access to host network services without port mapping. This is often used for performance-critical applications or when the container needs to bind to specific host ports directly, bypassing Docker's network stack.

What is the significance of the --mount flag compared to the -v flag for managing storage in Docker?

Answer:

The --mount flag is the newer, more explicit, and preferred syntax for managing storage (volumes, bind mounts, tmpfs mounts). It uses key-value pairs for clarity, making it easier to read and understand the mount type and options. The -v flag is a shorthand that can be ambiguous regarding whether it's a volume or bind mount based on the source path.

Scenario-Based and Troubleshooting Questions

Your Docker container is running but your application inside is not accessible. What are the first steps you would take to troubleshoot this?

Answer:

First, check docker logs <container_id> for application errors. Then, verify port mappings with docker ps to ensure the host port is correctly exposed. Finally, use docker exec -it <container_id> bash to enter the container and check if the application process is running and listening on the expected port (e.g., netstat -tulnp).

A Docker container keeps restarting immediately after starting. What could be the common causes and how would you investigate?

Answer:

Common causes include an error in the application's entrypoint script, a missing dependency, or an unhandled exception causing the process to exit. I would use docker logs <container_id> to see the output before the crash and docker inspect <container_id> to check the RestartCount and ExitCode.

You're trying to build a Docker image, but it fails during the RUN instruction with a 'command not found' error. How do you debug this?

Answer:

This usually means the command isn't available in the base image or wasn't installed correctly in a previous RUN step. I would add echo statements before the failing command to verify paths, or temporarily change the RUN command to sh -c 'set -x; <original_command>' to see command execution details. Alternatively, build up to the failing layer and then docker run that intermediate image to debug interactively.

Your Docker image size is excessively large. What strategies would you employ to reduce its size?

Answer:

I would use multi-stage builds to separate build-time dependencies from runtime artifacts. I'd also choose a smaller base image (e.g., Alpine), remove unnecessary files and caches, and combine RUN commands using && to minimize layers. Using .dockerignore to exclude irrelevant files is also crucial.

You need to share data between multiple Docker containers. What are your options and when would you choose each?

Answer:

Options include Docker volumes, bind mounts, and shared network storage. Docker volumes are preferred for persistent data and managing data lifecycle, especially for databases. Bind mounts are good for development, allowing host file changes to reflect instantly. Shared network storage (like NFS) is for distributed applications needing shared access across multiple hosts.

A Docker container is consuming too much CPU/memory. How would you identify the culprit and mitigate the issue?

Answer:

I'd use docker stats to monitor real-time resource usage. If a specific container is the issue, I'd use docker exec to enter it and use tools like top or htop to identify the process. Mitigation involves optimizing the application, setting resource limits (--cpus, --memory) during docker run, or scaling out the service.

You've updated your Docker image, but docker run still starts the old version. What's happening?

Answer:

This usually means the image tag you're using (e.g., myimage:latest) hasn't been updated locally. I would first run docker pull myimage:latest to ensure the latest image is downloaded. If the issue persists, verify the image ID with docker images to confirm you're pulling the correct one.

How would you ensure that your Docker containers automatically restart if the Docker daemon itself restarts or the host machine reboots?

Answer:

I would use a restart policy when running the container, such as --restart unless-stopped or --restart always. unless-stopped will restart the container unless it was explicitly stopped, while always will always restart it regardless of its previous state, even if manually stopped.

You're experiencing network connectivity issues between two Docker containers on the same host. What steps would you take to diagnose this?

Answer:

First, verify both containers are on the same Docker network using docker inspect <container_id>. Then, try to ping one container from the other using its container name or IP address. Check firewall rules on the host and within the containers, and ensure no port conflicts exist if they are exposing ports.

Your Docker container is running, but you can't write to a specific directory inside it. What could be the problem?

Answer:

This is often a permissions issue. I would docker exec into the container and check the ownership and permissions of the directory using ls -ld <directory>. The user running the application inside the container might not have write access. Adjusting permissions with chmod or chown in the Dockerfile or entrypoint script can resolve this.

Docker Security and Best Practices

What are the primary security concerns when using Docker containers?

Answer:

Key concerns include container escape, insecure images, misconfigured daemon, privilege escalation, denial of service, and sensitive data exposure. It's crucial to secure the host, images, containers, and network.

How can you minimize the attack surface of a Docker image?

Answer:

Use minimal base images (e.g., Alpine), remove unnecessary packages and dependencies, avoid installing development tools, and use multi-stage builds to separate build-time dependencies from runtime artifacts.

Why is it a bad practice to run containers as root, and what's the alternative?

Answer:

Running as root grants excessive privileges, increasing the risk of container escape or privilege escalation if compromised. The alternative is to create a dedicated non-root user inside the container and run processes as that user.

Explain the principle of least privilege in the context of Docker.

Answer:

It means granting only the necessary permissions for a container or process to function. This includes limiting capabilities, avoiding --privileged flag, restricting volume mounts, and running as a non-root user.

What are Docker Content Trust and Docker Notary, and how do they enhance security?

Answer:

Docker Content Trust (DCT) allows image publishers to sign their images and consumers to verify the integrity and authenticity of images. Notary is the underlying technology that provides cryptographically secure publishing and verification.

How can you manage sensitive information (e.g., API keys, passwords) securely in Docker containers?

Answer:

Avoid hardcoding secrets in Dockerfiles or committing them to version control. Use Docker Secrets (for Swarm) or Kubernetes Secrets (for Kubernetes), environment variables (with caution), or external secret management tools like HashiCorp Vault.

What is the purpose of Docker's default seccomp profile?

Answer:

The default seccomp (secure computing mode) profile restricts the system calls a container can make to the kernel. This significantly reduces the attack surface by preventing malicious or unnecessary syscalls.

How do you scan Docker images for vulnerabilities?

Answer:

Use vulnerability scanning tools like Clair, Trivy, Anchore Engine, or Docker Scout. These tools analyze image layers for known vulnerabilities in installed packages and dependencies, providing actionable reports.

What are some best practices for securing the Docker daemon?

Answer:

Restrict access to the Docker socket, enable TLS for remote access, configure appropriate logging, keep the daemon and Docker engine updated, and avoid exposing the daemon to untrusted networks.

Why should you regularly update your Docker images and the Docker engine?

Answer:

Regular updates ensure you have the latest security patches and bug fixes for both the base images and the Docker engine itself. This mitigates known vulnerabilities and improves overall system stability.

Advanced Docker Topics and Performance Optimization

Explain the concept of Docker Overlay Networks and when you would use them.

Answer:

Docker Overlay Networks enable communication between Docker containers running on different Docker daemon hosts. They are crucial for multi-host container orchestration, like in a Docker Swarm or Kubernetes cluster, allowing services to communicate seamlessly across nodes without complex routing configurations.

What is the purpose of Docker Content Trust (DCT) and how does it work?

Answer:

Docker Content Trust (DCT) provides cryptographic verification of image publishers and integrity. It ensures that images pulled from a registry are signed by trusted publishers, preventing the use of tampered or unauthorized images. It works by using Notary to sign and verify image manifests.

How can you limit the resources (CPU, memory) a Docker container can consume?

Answer:

Resource limits can be set using docker run flags. For CPU, use --cpus (e.g., --cpus='1.5') or --cpu-shares. For memory, use --memory (e.g., --memory='2g') and --memory-swap. These settings prevent a single container from monopolizing host resources.

Describe the difference between COPY and ADD in a Dockerfile.

Answer:

COPY copies local files or directories from the build context into the image. ADD has similar functionality but can also extract tar archives from the source and download files from URLs. Generally, COPY is preferred for clarity and security unless ADD's extra features are specifically needed.

What is a multi-stage build in Docker and what are its benefits?

Answer:

A multi-stage build uses multiple FROM instructions in a single Dockerfile, where each FROM can discard artifacts from previous stages. This significantly reduces the final image size by only copying necessary build artifacts (e.g., compiled binaries) into the final, smaller runtime image, improving security and deployment speed.

How do you optimize Docker image size and build speed?

Answer:

Optimize image size by using multi-stage builds, choosing smaller base images (e.g., Alpine), leveraging .dockerignore, and consolidating RUN commands. Optimize build speed by ordering Dockerfile instructions to maximize layer caching, using a .dockerignore file, and ensuring build context is minimal.

Explain Docker's storage drivers and their impact on performance.

Answer:

Docker uses storage drivers (e.g., OverlayFS, AUFS, Btrfs) to manage how layers are stored and combined. OverlayFS is generally recommended for its performance and simplicity, especially for read-heavy workloads. The choice of driver impacts container startup time, write performance, and overall disk I/O.

What is Docker Swarm Mode and how does it differ from Kubernetes?

Answer:

Docker Swarm Mode is Docker's native orchestration tool for managing a cluster of Docker engines. It's simpler to set up and use than Kubernetes, making it suitable for smaller deployments or those already heavily invested in the Docker ecosystem. Kubernetes is a more powerful, feature-rich, and complex orchestrator, widely adopted for large-scale, production-grade deployments.

How can you troubleshoot a Docker container that keeps restarting?

Answer:

First, check container logs using docker logs <container_id>. Then, inspect the container's state with docker inspect <container_id> to see exit codes and restart policies. You might also try running the container interactively (docker run -it ...) to observe its behavior directly or attach to it (docker attach).

Describe Docker's networking modes and their use cases.

Answer:

Docker offers several networking modes: bridge (default, isolated network for containers), host (container shares host's network stack), none (no network interface), and overlay (for multi-host communication). bridge is common for single-host apps, host for performance-critical apps needing direct port access, and overlay for distributed services.

Role-Specific Questions (Developer, DevOps, Administrator)

Developer: How do you ensure your Docker images are as small as possible?

Answer:

I use multi-stage builds to separate build-time dependencies from runtime dependencies. Additionally, I leverage smaller base images like Alpine, consolidate RUN commands, and remove unnecessary files or caches.

Developer: Explain the purpose of a .dockerignore file and provide an example of its use.

Answer:

A .dockerignore file specifies files and directories to exclude when building a Docker image, similar to .gitignore. This prevents unnecessary files from being added to the build context, speeding up builds and reducing image size. Example: *.log or node_modules/.

DevOps: Describe how you would implement a CI/CD pipeline for a Dockerized application.

Answer:

I would use a CI/CD tool (e.g., Jenkins, GitLab CI, GitHub Actions) to automate building the Docker image upon code commit, running tests, pushing the image to a registry, and then deploying it to a target environment (e.g., Kubernetes, Docker Swarm).

DevOps: How do you handle secrets (e.g., API keys, database passwords) in a Dockerized environment?

Answer:

For development, I might use environment variables or .env files. In production, I prefer Docker Secrets or Kubernetes Secrets for secure storage and injection. Vault or similar secret management tools can also be integrated for more advanced scenarios.

DevOps: What strategies do you use for rolling updates and rollbacks of Docker containers in production?

Answer:

I use orchestration tools like Docker Swarm or Kubernetes, which natively support rolling updates by gradually replacing old containers with new ones. For rollbacks, I can revert to a previous image tag or deployment configuration, leveraging the orchestration platform's capabilities.

Administrator: How do you monitor the health and performance of Docker containers and the Docker daemon?

Answer:

I use docker stats for quick checks. For comprehensive monitoring, I integrate with tools like Prometheus and Grafana to collect metrics (CPU, memory, network I/O) from cgroups and the Docker API, and set up alerts.

Administrator: Explain Docker networking modes and when you would use each.

Answer:

Common modes include bridge (default, isolated network for containers), host (container shares host's network stack), and none (no network interface). Bridge is for most applications, host for performance-critical apps needing direct port access, and none for specialized cases or debugging.

Administrator: What is Docker Swarm, and when would you choose it over Kubernetes?

Answer:

Docker Swarm is Docker's native orchestration tool for managing a cluster of Docker hosts. I'd choose Swarm for simpler, smaller-scale deployments or when I need a quick setup with minimal overhead, as it's easier to learn and manage than Kubernetes.

Administrator: How do you manage persistent data for Docker containers?

Answer:

I use Docker volumes for persistent data storage, as they are managed by Docker and are independent of the container's lifecycle. Bind mounts can also be used for development or when host file system access is required.

Administrator: Describe a scenario where you would use Docker Compose.

Answer:

I use Docker Compose to define and run multi-container Docker applications. For example, I'd use it to set up a local development environment consisting of a web application, a database, and a caching service, all defined in a single docker-compose.yml file.

Practical and Hands-on Challenges

You have a Dockerfile that builds an image, but the build process is very slow due to many layers. How would you optimize the Dockerfile to reduce build time and image size?

Answer:

To optimize, I'd reorder instructions to place frequently changing ones (like COPY application code) after less frequently changing ones (like FROM, RUN apt-get update). I'd also consolidate RUN commands using && to reduce the number of layers and remove unnecessary files (rm -rf /var/lib/apt/lists/*) in the same RUN command.

Describe how you would set up a multi-stage build for a Go application to create a small, production-ready Docker image.

Answer:

In the first stage, I'd use a Go builder image to compile the application. In the second stage, I'd use a minimal base image like scratch or alpine and only copy the compiled binary from the first stage. This significantly reduces the final image size by excluding build tools and dependencies.

You need to run a database container (e.g., PostgreSQL) and an application container that connects to it. How would you ensure they can communicate, and the database data persists across container restarts?

Answer:

I would use a Docker network (e.g., docker network create my-app-net) to connect both containers. For data persistence, I'd use a Docker volume (docker volume create pg-data) and mount it to the database container's data directory (-v pg-data:/var/lib/postgresql/data).

A Docker container is failing to start with an error message that flashes quickly. How would you debug this issue?

Answer:

I would use docker logs <container_id_or_name> to view the container's output. If it exits immediately, I'd add a tail -f /dev/null or sleep infinity command to the CMD or ENTRYPOINT in the Dockerfile (or override it with docker run) to keep the container running for inspection, then docker exec into it.

You have a docker-compose.yml file for a multi-service application. How would you scale a specific service (e.g., a web server) to run multiple instances?

Answer:

I would use the docker-compose up --scale web=3 command, where web is the service name and 3 is the desired number of instances. Docker Compose will then start three separate containers for the 'web' service, often with load balancing if a reverse proxy is in place.

Explain the difference between COPY and ADD in a Dockerfile and when you would use each.

Answer:

COPY copies local files or directories from the build context to the image. ADD has additional features: it can extract tar files and download files from URLs. Generally, COPY is preferred for clarity and predictability, using ADD only when its extra features are specifically needed.

How would you clean up unused Docker resources (images, containers, volumes, networks) to free up disk space?

Answer:

I would use docker system prune. This command removes all stopped containers, all dangling images, all dangling build cache, and optionally all unused volumes (-v) and networks. It's a comprehensive way to reclaim disk space.

You need to pass sensitive information (like API keys) to a running container without hardcoding them in the Dockerfile or committing them to version control. How would you do this securely?

Answer:

For single containers, I'd use environment variables via the -e flag with docker run. For Docker Compose or Swarm, I'd use Docker secrets. This allows injecting sensitive data at runtime without baking it into the image or exposing it in plain text.

A Docker container needs to access files on the host machine. How would you achieve this?

Answer:

I would use a bind mount. For example, docker run -v /host/path:/container/path my-image. This mounts a directory from the host filesystem directly into the container, allowing bidirectional access to files.

You've made changes to your application code. How do you update a running Docker container with these changes?

Answer:

You cannot directly update a running container's code. You must rebuild the Docker image with the new code (docker build), then stop the old container (docker stop), remove it (docker rm), and finally start a new container from the updated image (docker run). For orchestrated environments, this is handled by rolling updates.

Summary

Mastering Docker for interviews is a testament to your dedication and understanding of modern software development. By thoroughly preparing for the questions outlined in this document, you've not only equipped yourself to articulate your knowledge effectively but also deepened your practical understanding of containerization. This preparation is a critical step towards demonstrating your value to potential employers and securing your desired role.

Remember, the landscape of technology is ever-evolving. Continue to explore new Docker features, best practices, and related technologies like Kubernetes. Embrace continuous learning, contribute to projects, and stay curious. Your commitment to growth will ensure you remain a highly sought-after professional in the dynamic world of DevOps and cloud-native computing. Good luck on your journey!