20+ Docker Interview Questions and Answers For Job Candidates

Software engineers need to be well prepared to answer Docker interview questions when applying for their next job. Why? Docker use has grown exponentially in recent years and was named the third most commonly used platform after Linux and Windows in a 2019 survey. 

Docker is a vast ecosystem with many tools, keywords, and subjects to know within it. To help you ace your time in front of the hiring manager, here are 20+ of the most common Docker-relation questions and answers to study for your next interview. 

Question: What is the difference between the Docker CLI and the Docker daemon?

The Docker CLI (command line interface) and the Docker daemon get confused often. The daemon is the program that does the heavy lifting, functioning as the Docker engine representing the servers. The daemon builds images and manages created containers.

The CLI is the Docker client that interacts with the daemon. The CLI receives commands and feeds them into the daemon. 

Question: What are the most important Docker CLI commands? 

The most important commands are the ones you use all the time, so list those you use on an everyday basis.

• ‘build’ – the command used to build a new image
• ‘create’ – used for creating new containers out of a built image
• ‘ps’ – used to list details about each running container
• ‘exec’ – runs a command inside of a running container 

Question: What are some considerations around running a database in a container? 

Remember, Docker containers are ephemeral in nature. When the container is removed, you lose the data inside of it forever.

If you’re going to run a database inside of a container, you need a data persistence strategy. This is usually done by mounting a volume in the container. The database can then store its data inside of this volume. If the container gets removed, the data will get persisted through the volume. We can then create a new container and mount the same volume to it to reuse that data. 

Question: What is the best way to create Docker images? 

Always create Docker images using a Dockerfile. Dockerfiles are text documents that specify a clear series of steps that the daemon should use to create an image. They are easy for other engineers to read and change.

Don’t create images by making a container, changing it by hand, then running ‘docker commit’. This may create an image, but it will be challenging for other engineers to reproduce the image.

Question: How can you debug a running container?

There are a few methods to use to debug a running container:

• Use the ‘docker exec’ command to start a shell in the container. You can then use this shell to run more commands in the context of the container and inspect its state.
• Use the ‘docker inspect’ command to take a look at the configuration of a running container. Then, inspect the commands and environment variables given to the container.
• Run the ‘docker logs’ command. This will print out logs from StdOut and StdErr. 

Question: Are Dockerfiles written with JSON or YAML syntax?

Trick question! Dockerfile’s container neither JSON nor YAML. That syntax only gets used in docker-compose files.

There is not a set name for the syntax used in a Dockerfile. You should say that Dockerfiles contain a series of Docker commands.

Question: Do containers get full access to their host operating system?

Docker containers are isolated from the host operating system by default. Containers can get access to the host operating system by setting the ‘privileged’ flag. When you create a container with the ‘privileged’ flag, it will have full access to the host operating system. 

Question: Why would you run a container with the ‘privileged’ flag?

There are few reasons to run a Docker container with the ‘privileged’ flag. The most common reason is that you want the container to be able to create containers on its own. 

Question: What is the difference between the ‘stop’ and ‘kill’ CLI commands? 

The ‘stop’ command sends the ‘SIGTERM’ signal to the primary process. Docker then waits for the process to exit. If the process does not exit, Docker will send the ‘SIGKILL’ signal ten seconds later.

The ‘kill’ command immediately sends a ‘SIGKILL’ signal to the primary process. 

Question: What is the difference between the ‘attach’ and ‘exec’ commands? 

Use the ‘exec’ command to run a command inside of a container. The command you run can start up a new process inside the container.

The ‘attach’ command interacts with streams for the primary process. In particular, it will interact with the STDOUT, STDERR, and STDIN streams. 

In summary: Use ‘exec’ when you want to run a new command in the container. Use the ‘attach’ command to interact with the primary process.

Question: What is the ‘diff’ command used for? 

The ‘diff’ command lists out all files that have changed inside of the container. This will only list changes made since you created the container.

Question: Are you required to use Docker Hub for all projects? 

No, Docker Hub is not required for all projects. We only use Docker Hub if we need to use images that are hosted there.

If we wanted to avoid using Docker Hub, we could build each image from scratch instead. 

Question: How do you constrain the resources a container can use? 

You can limit the resources a container uses by adding on some options to the ‘docker run’ command.

• Use the ‘-m’ flag to limit the amount of memory a container has access to.
• Use the ‘–cpus’ command to limit the amount of processing power a container has access to.
• Use the ‘–gpus’ command to make GPUs available to the container process.

Question: Are Docker containers and virtual machines the same thing?

No, Docker containers are not equivalent to virtual machines. A Docker container is a single process or group of processes that are sandboxed, limiting access to the host file system. A virtual machine, however, is managed by a hypervisor.

Question: Do all images you create with the Docker CLI automatically get published to a public registry like Docker Hub?

No, images that you build do not get pushed to a public registry automatically. Built images are available only on the machine they were built on. To make that image available elsewhere, you must manually push it to a public registry.

Question: What are the pros and cons of using Docker during application development?

Pros

• Engineers can specify the exact environment that our programs run in.
• Each program run on Docker can use different dependencies. For example, one process might need Python 2.X, while another needs Python 3.X.
• A precise amount of processing power and memory can be provided to each container. You can then ensure that the program runs as it would on a production machine with identical specs.
• Containers provide a consistent environment for testing. For example, you might be writing a program that edits each file in a certain directory. To test this, you can use a container that always starts up with the exact same files in a given folder. This saves time over creating these files by hand for each test run.
• Each container can have its own set of dependent containers. For example, two different web apps in different containers can get their own copies of a database.  There will be no contention between each web app and the database.

Cons

• Docker is another dependency in the software development lifecycle. Each engineer needs to maintain a copy of Docker on their machines. Engineers must make sure they have the same version of Docker as their colleagues. 
• Engineers have to understand Docker, which is not an easy feat since the Docker ecosystem is vast. Working with Docker introduces new ideas and new syntax for doing basic app development. An engineer will have to understand how to use Docker to work on a project efficiently.
• The ‘Docker For Mac’ and ‘Docker For Windows’ tools are not 100% stable.  These tools make it easy to start with Docker, but can sometimes crash. Teams may lose development time working with these tools.

Question: When building a new image, how can you tell the Docker CLI to ignore all the files in a directory?

Create a ‘.dockerignore’ file. This file follows the same rules as a ‘.gitignore’ file. In the  ‘.dockerignore’ file, you’ll list each file and folder that Docker should ignore when building a new image. 

Question: Why would you want Docker to ignore a directory when building an image? 

Docker should handle installing all relevant dependencies when building an image. If you give Docker a copy of the dependencies, they will be overwritten during the image build. By ignoring dependencies, it ensures that build times will be speedy. 

Question: What is the difference between the commands ‘create’, ‘start’, and ‘run’? 

• The ‘create’ command will make a new container out of an image, but not start it.
• The ‘start’ command will run the primary process in a container that is not currently running.
• The ‘run’ command is identical to running ‘create’ then ‘start’ in series. It will create a container out of an image, then run the primary process in it.

Question: What happens when the primary process of a container crashes? 

It depends upon the restart policy assigned to the container when it was built.

• A policy of ‘no’ means the container will stop after crashing. This is the default policy.
• The ‘on-failure’ policy will restart the primary process when it stops due to an error.
• An ‘always’ policy will cause the primary process to always restart. This is overridden if you stop the container by hand. The container will also restart when the Docker daemon gets restarted.
• A policy of ‘unless-stopped’ is the same as ‘always’. But, it will not restart when the Docker daemon gets restarted.

Question: How is a Docker image created?

There are two ways to create a Docker image.

1. You can create an image by using the ‘docker build’ command with a Dockerfile

2. Images are also created by running the ‘docker commit’ command on a container 

Question: What is a ‘layer’ in an image?

Docker images get built out of many layers. Each layer represents a set of changes to the file system.

When a Docker image is created, it starts off with an empty file system. As each step of a Dockerfile runs, another layer gets added to the image. 

Question: Can two running containers share the same layers from an image?

Yes!  When you create a container, Docker adds a new layer to the underlying image.  Any changes made to the container file system get written to this layer.

The layers belonging to the underlying image never change. Docker will share them among each container that is running based on that image.

Files in these original layers are only accessed through read operations. You can not write to them through the container. 

Question: Running a single container is easy using the Docker CLI. Managing many containers is more challenging. What term refers to the process of managing many containers? Also, what tools exist for managing many containers?

Managing more than one container is called an ‘orchestration’. 

There are two popular tools for container ‘orchestration’:

1. Docker Swarm, the official Docker solution.
2. Kubernetes, a popular open-source solution first introduced by Google.

Each of these tools creates containers and manage their lifecycles. They’re also used to handle networking connections between different containers. 

Question: Imagine you create an image that is 1GB in size. You then create five separate containers out of this image. In each image, you create a file that is 200MB in size. How much disk space does this entire operation use up?

Each container created out of an image uses a negligible amount of disk space. Making the set of five containers does not consume a significant amount of space. However, each of the 200MB files made in each container does consume 200MB.

This entire operation uses 1GB for the original image, then 5 * 200MB for each container, for a final total of 2GB.

Creating a container out of an image does not duplicate the underlying image’s layers. 

Question: What is the easiest way to monitor a running container?

The easiest way to monitor a container is by using the ‘docker ps’ command. This will print out the status of all running containers.

It is also easy to monitor a container by using the ‘docker attach’ command. This prints logs from a container, showing the STDOUT and STDERR streams of the primary process.

All past logs emitted over STDOUT and STDERR get printed by using the ‘docker logs’ command. This is useful for seeing what a container has done in the past.

Question: List some of the different commands that appear in a Dockerfile. What is the purpose of each command?

Dockerfiles contain many different commands.

• FROM – This command specifies the base image to use for the image we are creating.
• RUN – Used to execute a single command or series of commands in a container as it is being built.
• COPY – Copies a file or group of files from the host file system into the container.
• CMD – Specifies the default command to run when a container is first executed.
• WORKDIR – Sets the working directory for all later commands in the Dockerfile.  All later commands execute with this working directory as the current working directory.
• USER – All following commands execute with this user as the context.