15 Most Common Docker Interview Questions
Prepare for your DevOps or SRE interview with the 15 most frequently asked Docker questions in 2025. Complete with clear, concise answers covering Docker basics, architecture, networking, storage, security, orchestration, and real-world production scenarios that interviewers love to ask.
Introduction
Docker remains the cornerstone of modern DevOps and cloud-native development. Whether you're applying for junior DevOps, senior SRE, or platform engineering roles, strong Docker knowledge is non-negotiable. These 15 questions appear in almost every technical interview in 2025, often starting with secure container foundations like private subnet isolation.
1. What is Docker and how is it different from a virtual machine?
- Docker uses OS-level virtualization (containers) while VMs use hardware virtualization
- Containers share the host kernel; VMs include a full guest OS
- Docker images are typically MBs; VM images are GBs
- Containers start in milliseconds; VMs take minutes
- Containers are lightweight, portable, and more resource-efficient
- VMs provide stronger isolation but higher overhead
2. Explain Docker architecture and its main components
Docker uses a client-server architecture. The Docker client talks to the Docker daemon (dockerd) via a REST API. Key components: Docker CLI, Docker daemon, containerd (container runtime), runc (OCI runtime), Docker Hub/registry, images, containers, and networks. In modern versions, containerd handles the container lifecycle while dockerd manages higher-level features like networking and volumes.
3. What is a Dockerfile? What are the most important instructions?
| Instruction | Purpose | Best Practice |
|---|---|---|
| FROM | Base image | Use official, minimal images (alpine) |
| RUN | Execute commands | Chain with && and cleanup in same layer |
| COPY/ADD | Add files | Prefer COPY, use .dockerignore |
| CMD/ENTRYPOINT | Default command | Use exec form ["nginx", "-g", "daemon off;"] |
4. What are Docker volumes and why do we need them?
Volumes are the preferred mechanism for persisting data generated by containers. Unlike bind mounts, volumes are fully managed by Docker, stored in /var/lib/docker/volumes/, and offer better performance. They survive container deletion and can be shared between containers. Use cases: databases, logs, configuration files.
5. Explain different Docker network types
- bridge: Default isolated network
- host: Container uses host network stack (no isolation)
- none: No networking
- overlay: For multi-host networking (Swarm/Kubernetes)
- macvlan: Container gets its own MAC address
- Custom bridge networks: Best practice for container communication
6. How do you optimize Docker image size?
- Use minimal base images (alpine, distroless)
- Multi-stage builds to exclude build tools
- Combine RUN commands to reduce layers
- Use .dockerignore properly
- Remove cache, temp files, and packages in same layer
- Avoid installing unnecessary tools
7. What is the difference between CMD and ENTRYPOINT?
CMD provides default arguments that can be overridden. ENTRYPOINT configures the container's main process and cannot be overridden (only appended to). Best practice: use ENTRYPOINT for the main command and CMD for default flags.
8. How does Docker handle container security?
- User namespaces (run as non-root)
- Read-only filesystems
- Seccomp profiles (limit syscalls)
- AppArmor/SELinux profiles
- Content trust and image signing
- Regular scanning with Trivy or Clair
- Drop unnecessary capabilities (--cap-drop ALL)
9. What is Docker Compose and when would you use it?
Docker Compose defines and runs multi-container applications using YAML files. It is ideal for local development, testing, and staging environments. Version 3+ supports Swarm mode. The standalone docker-compose tool has been replaced by Compose v2, invoked as docker compose (no hyphen).
10. What happens when you run "docker run"?
- Pulls image if not present
- Creates a new container from the image
- Allocates filesystem and mount points
- Sets up networking (bridge by default)
- Starts the container process (ENTRYPOINT + CMD)
- Attaches STDIN/STDOUT if -it flag used
11. What is Docker Swarm and how does it compare to Kubernetes?
Docker Swarm is Docker's native clustering/orchestration solution. Simpler to set up than Kubernetes but lacks advanced features (CRDs, operators, better RBAC). Most companies have migrated to Kubernetes in production.
12. How do you debug a running container?
- docker logs <container>
- docker exec -it <container> /bin/sh
- docker inspect <container>
- docker stats <container>
- docker top <container>
- docker events for cluster-wide debugging
13. What are Docker content trust and image signing?
Content trust ensures images come from trusted publishers using cryptographic signatures. Enabled with DOCKER_CONTENT_TRUST=1. Prevents running tampered or malicious images in production.
14. Explain multi-stage Docker builds with example
Multi-stage builds use multiple FROM statements to separate build and runtime environments. Example: compile a Go binary in a golang:alpine stage, then copy only the binary into a scratch or distroless final image, drastically reducing size and attack surface.
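The build described above, as an added example that is not from the original article: a constructed two-stage Dockerfile for a Go binary, with a small Python check that reports what the final stage ships and flags the Dockerfile practices from questions 3 and 15. The helper names `parse_stages` and `review`, the paths, and the UID are assumptions made for illustration.

```python
import re
# Constructed sample input: the Go build described above, as a two-stage Dockerfile.
MULTI_STAGE = """\
FROM golang:alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

FROM scratch
COPY --from=build /out/app /app
USER 65534:65534
ENTRYPOINT ["/app"]
"""

def parse_stages(text):
    """Split a Dockerfile into stages. Backslash line continuations are not handled."""
    stages = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            m = re.match(r"(?:--platform=\S+\s+)?(\S+)(?:\s+as\s+(\S+))?", args, re.I)
            stages.append({"base": m.group(1), "name": m.group(2), "body": []})
        elif stages:
            stages[-1]["body"].append((instr.upper(), args.strip()))
    return stages

def review(text):
    """Report what the final (shipped) stage contains and which practices it misses."""
    stages = parse_stages(text)
    final, findings, copied_from, user = stages[-1], [], [], None
    if len(stages) == 1:
        findings.append("single stage: build tools ship in the runtime image")
    for instr, args in final["body"]:
        if instr == "COPY" and (m := re.match(r"--from=(\S+)", args)):
            copied_from.append(m.group(1))  # artifact pulled from an earlier stage
        elif instr == "ADD":
            findings.append("ADD used: prefer COPY")
        elif instr == "USER":
            user = args.split(":")[0]
        elif instr in ("CMD", "ENTRYPOINT") and not args.startswith("["):
            findings.append(f"{instr} in shell form: use exec form")
    if user in (None, "root", "0"):
        findings.append("final stage runs as root: add a non-root USER")
    return {"final_base": final["base"], "copied_from": copied_from, "findings": findings}

if __name__ == "__main__":
    print(review(MULTI_STAGE))
```

Only the instructions in the last stage reach the shipped image, so the Go toolchain and source tree from the `build` stage are left behind.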
15. Best practices for running Docker in production
- Never run as root (USER directive)
- Use official or verified images
- Scan images regularly
- Implement resource limits (--memory, --cpus)
- Use health checks (HEALTHCHECK instruction)
- Monitor with Prometheus + cAdvisor
- Use secrets management, often with observability integration
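One way to check the runtime settings from questions 8 and 15 on a host, as an added example that is not from the original article: a Python audit of `docker inspect` output. The JSON is constructed sample data, and the `audit` and `audit_all` names are hypothetical.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two containers.
INSPECT_JSON = """[
 {"Name": "/web", "Config": {"User": "10001", "Healthcheck": {"Test": ["CMD", "/app", "health"]}},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true, "CapDrop": ["ALL"], "CapAdd": null,
    "SecurityOpt": ["no-new-privileges"], "NetworkMode": "appnet", "Memory": 268435456, "NanoCpus": 500000000}},
 {"Name": "/legacy", "Config": {"User": ""},
  "HostConfig": {"Privileged": true, "ReadonlyRootfs": false, "CapDrop": null, "CapAdd": ["SYS_ADMIN"],
    "SecurityOpt": ["seccomp=unconfined"], "NetworkMode": "host", "Memory": 0, "NanoCpus": 0}}
]"""

def audit(container):
    """Return the hardening gaps for one `docker inspect` entry."""
    cfg, host = container.get("Config") or {}, container.get("HostConfig") or {}
    user = (cfg.get("User") or "").split(":")[0]          # empty User means root
    cap_drop = [c.upper() for c in host.get("CapDrop") or []]
    # Older engines record "seccomp:unconfined"; normalise to the "=" form.
    sec_opts = [o.replace(":", "=") for o in host.get("SecurityOpt") or []]
    health = (cfg.get("Healthcheck") or {}).get("Test") or ["NONE"]
    checks = [
        (user in ("", "0", "root"), "runs as root"),
        (bool(host.get("Privileged")), "privileged mode"),
        (not host.get("ReadonlyRootfs"), "writable root filesystem"),
        ("ALL" not in cap_drop, "capabilities not dropped (--cap-drop ALL)"),
        (any(o in ("seccomp=unconfined", "apparmor=unconfined") for o in sec_opts),
         "seccomp/AppArmor profile disabled"),
        (host.get("NetworkMode") == "host", "host network stack (no isolation)"),
        (not host.get("Memory"), "no memory limit"),
        (not (host.get("NanoCpus") or host.get("CpuQuota")), "no CPU limit"),
        (health == ["NONE"], "no health check"),
    ]
    return [msg for failed, msg in checks if failed]

def audit_all(inspect_json):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {c["Name"].lstrip("/"): audit(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit_all(INSPECT_JSON).items():
        print(name, findings or "ok")
```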
Conclusion
Mastering these 15 Docker concepts will make you stand out in any DevOps interview. Docker is the foundation of modern cloud-native development, and interviewers want to see deep understanding of not just syntax, but production-grade patterns, security, and performance optimization.
Frequently Asked Questions
Is Docker dead because of Kubernetes?
No. Kubernetes runs Docker containers (via containerd). Docker remains the standard for building and developing containerized applications.
Should containers run as root?
Never in production. Always define a non-root USER in Dockerfile and drop capabilities.
Docker Desktop vs Docker Engine?
Docker Desktop is for development (Mac/Windows). Docker Engine runs on Linux servers in production.
Can I use Docker without Swarm or Kubernetes?
Yes, for single-host applications. Most production workloads use orchestration.
What replaced Docker in Kubernetes?
containerd became the default runtime in Kubernetes 1.20+. Docker shim was deprecated.