You had better know this!
- Mark Kendall
- Oct 16
Here are 25 senior-level Docker interview questions with tight, real-world answers you can use to score them quickly (ballpark = partial credit; fumbling = fail).
25 Docker Interview Questions + Answers (Senior-Level)
1. What's the difference between an image and a container?
Answer:
An image is a read-only blueprint with instructions (filesystem + metadata). A container is a running instance of that image; it's mutable, has its own process space, and can be started/stopped/destroyed independently.
2. How does Docker isolate processes?
Answer:
Through Linux namespaces (PID, NET, IPC, MNT, UTS) for isolation and cgroups for resource limits (CPU, memory). Combined, they create lightweight virtualization.
3. What is a Docker layer and why is it important?
Answer:
Each instruction in a Dockerfile creates a layer. Layers are cached, shared, and only rebuilt when they change, improving build speed and image efficiency.
4. Explain the difference between ENTRYPOINT and CMD.
Answer:
ENTRYPOINT defines the main executable; CMD provides default arguments.
CMD is overridden by command-line arguments, but ENTRYPOINT runs every time unless replaced with --entrypoint.
5. How do you reduce Docker image size?
Answer:
Use minimal base images (e.g., alpine), combine RUN commands, clean caches, use .dockerignore, and prefer multistage builds to copy only compiled artifacts.
6. What happens internally when you run docker run?
Answer:
Docker pulls the image (if not local), creates a container filesystem, assigns a network namespace and IP, sets up volumes, then executes the container's command via the runtime (runc/containerd).
7. What's the role of docker-compose.yml?
Answer:
Defines multi-container applications (services, networks, volumes), allowing you to bring up an entire stack with docker-compose up.
8. How do you persist data between container restarts?
Answer:
Use volumes (managed by Docker) or bind mounts (host path). Volumes are better for portability and lifecycle control.
9. How would you inspect what's inside a running container?
Answer:
docker exec -it <container> /bin/bash for shell access,
docker logs, docker inspect, or docker top to view configuration, logs, and processes.
10. What's the difference between a bridge, host, and overlay network?
Answer:
bridge: default network for standalone containers on one host
host: removes network isolation; uses host's stack
overlay: spans multiple hosts; used by Swarm/Kubernetes for service networking
11. What's the difference between COPY and ADD?
Answer:
COPY just copies files.
ADD can also extract tar files and fetch remote URLs; discouraged unless you need that behavior.
12. How do you troubleshoot a container that won't start?
Answer:
Use docker logs <id>, docker inspect <id> for error details, check entrypoint/command syntax, environment variables, image versions, or dependency services.
13. What's the purpose of .dockerignore?
Answer:
Excludes unnecessary files (e.g., node_modules, .git) from build context to speed up builds and reduce image size.
14. What is the difference between docker stop and docker kill?
Answer:
stop sends SIGTERM (graceful), then SIGKILL after timeout.
kill sends SIGKILL immediately, with no cleanup.
15. What's a multistage build?
Answer:
Technique to build and package in separate stages (e.g., build code in one stage, copy binaries into a slim runtime image), minimizing final image size.
16. How do you share data between containers?
Answer:
By mounting the same volume into multiple containers, or through Docker networks for communication over TCP/HTTP.
17. How would you secure Docker in production?
Answer:
Run as non-root, use signed images, scan images for CVEs, enable user namespaces, limit capabilities (--cap-drop), and enforce read-only filesystems.
18. What's the difference between Docker and a virtual machine?
Answer:
Docker containers share the host OS kernel (lightweight), while VMs emulate hardware and run full guest OS instances (heavier).
19. How can you view the layers of an image?
Answer:
docker history <image> or docker inspect <image> to see the layer chain and commands used to build it.
20. What's the difference between docker build and docker create?
Answer:
build compiles an image from a Dockerfile.
create makes a stopped container from an image (without running it).
21. How do you pass environment variables into containers?
Answer:
Using -e VAR=value flags, --env-file, or in docker-compose.yml via environment: section.
22. How do you limit container resources?
Answer:
Flags like --memory, --cpus, --cpu-shares use cgroups to enforce CPU/memory quotas.
23. Explain image tagging and versioning.
Answer:
Images are tagged as repository:tag. latest is default but not fixed; use semantic versions (e.g., v1.2.3) for immutability.
24. How do you handle secrets in Docker?
Answer:
Avoid ENV or ARG in Dockerfiles. Use Docker Swarm secrets, AWS Secrets Manager, or mount secrets from external stores as volumes.
25. How do you integrate Docker into a CI/CD pipeline?
Answer:
Use docker build, docker push, and deploy via Compose, Swarm, or Kubernetes. Most pipelines (GitLab CI, Jenkins) run containerized builds for reproducibility.
Scoring Guide (C+ and Above)
A (90–100%): Confident, concise, and explains reasoning behind answers (namespaces, layers, etc.)
B (80–89%): Knows the right answer but misses some depth
C (70–79%): Knows usage but can't explain internals
Below C: Hesitant, confused, or relying on guesses; not senior level
