Docker Interview Questions
Docker is one of the most common topics in DevOps, backend, and cloud-engineer interviews. These are the questions interviewers actually ask, with concise answers you can speak confidently.
17 questions with concise, interview-ready answers.
1. What is Docker, and how do containers differ from virtual machines?
Docker is a platform for building, packaging, and running applications inside containers — lightweight, isolated environments that bundle an application with its dependencies. Containers share the host operating system kernel and isolate processes using features like namespaces and cgroups, so they start in seconds and use few resources. Virtual machines, by contrast, each run a full guest operating system on top of a hypervisor, which makes them heavier and slower to boot. Containers give you consistency across environments with far less overhead than VMs.
2. What is the difference between an image and a container?
An image is a read-only template that contains the application code, runtime, libraries, and configuration needed to run a program. A container is a running instance of an image — when you start an image with docker run, Docker adds a writable layer on top and executes it as a live process. The relationship is similar to a class and its object: one image can produce many independent containers.
3. What is a Dockerfile?
A Dockerfile is a text file containing the step-by-step instructions Docker uses to build an image. Common instructions include FROM to set the base image, COPY or ADD to bring in files, RUN to execute build commands, WORKDIR to set the working directory, EXPOSE to document ports, and CMD or ENTRYPOINT to define what runs when the container starts. You build an image from it with docker build.
4. What are Docker image layers, and how does build caching work?
A Docker image is built as a stack of read-only layers, where each instruction in the Dockerfile that changes the filesystem — like RUN, COPY, or ADD — creates a new layer. Docker caches these layers, so on a rebuild it reuses any layer whose instruction and inputs have not changed and only rebuilds from the first change onward. To use the cache well, you put rarely changing steps such as installing dependencies before frequently changing steps like copying your source code, which speeds up builds significantly.
5. What is the difference between CMD and ENTRYPOINT?
Both define what runs when a container starts, but they behave differently. CMD sets default arguments that are easily overridden by anything you pass on the docker run command line. ENTRYPOINT sets the main executable that always runs, and arguments you pass on the command line are appended to it rather than replacing it. A common pattern is to use ENTRYPOINT for the fixed command and CMD to supply default arguments that can be overridden.
6. What is the difference between COPY and ADD in a Dockerfile?
COPY simply copies files and directories from the build context into the image, and it is the preferred choice for clarity. ADD does the same but has two extra features: it can automatically extract a local tar archive into the image, and it can fetch files from a remote URL. The general guidance is to use COPY by default and reach for ADD only when you specifically need tar extraction.
7. What is the difference between a volume and a bind mount?
Both let data persist beyond the lifetime of a container, but they store it differently. A named volume is managed by Docker in a dedicated area on the host, making it the preferred option for persistent application data because Docker handles its location and lifecycle. A bind mount maps a specific path on the host filesystem directly into the container, which is useful in development for sharing source code so changes appear instantly. Volumes are more portable and decoupled from the host directory structure, while bind mounts give you exact control over the host path.
8. Why do containers need volumes for persistent data?
A container has a writable layer, but anything written there is lost when the container is removed, and that layer is tied to a single container. Volumes solve this by storing data outside the container in a location Docker manages, so the data survives container restarts, recreation, and removal. Volumes also let multiple containers share the same data and make backups and migrations easier.
9. What is Docker Compose, and when would you use it?
Docker Compose is a tool for defining and running multi-container applications using a single YAML file, typically named compose.yaml or docker-compose.yml. In that file you describe each service, its image or build, ports, volumes, networks, and environment variables, then bring the whole stack up with docker compose up. It is ideal for local development and testing of applications that need several pieces working together, such as a web app, a database, and a cache.
10. How does networking work in Docker?
Docker provides several network drivers, and by default containers attach to a bridge network. On a user-defined bridge network, containers can reach each other by their container or service name through Docker's built-in DNS, which is why Compose services can talk to each other by name. Other common drivers include host, which shares the host network stack directly, and none, which disables networking. Custom networks also isolate groups of containers from one another.
11. What is the difference between EXPOSE and publishing a port?
EXPOSE in a Dockerfile is documentation — it declares which ports the container application listens on, but on its own it does not make the port reachable from the host. To actually map a container port to the host, you publish it at run time with the -p flag, for example -p 8080:80, which forwards host port 8080 to container port 80. So EXPOSE communicates intent, while -p creates the real port mapping.
12. What is a Docker registry, and what is Docker Hub?
A registry is a storage and distribution system for Docker images, where images are organized into repositories and tags. Docker Hub is the default public registry that Docker pulls from and is home to many official images. You push images to a registry with docker push and retrieve them with docker pull, and teams often run private registries such as Amazon ECR, Google Artifact Registry, or a self-hosted one for their own images.
13. What is a multi-stage build, and why is it useful?
A multi-stage build uses multiple FROM statements in a single Dockerfile, where each FROM begins a new build stage. You can compile or build your application in an early stage that has all the build tools, then copy only the finished artifacts into a later, minimal stage using COPY --from. The result is a small final image that contains just what is needed to run the application, without compilers, build dependencies, or intermediate files.
14. How can you reduce the size of a Docker image?
Start from a small base image such as an Alpine or slim variant, or even a distroless image where appropriate. Use multi-stage builds so build tools do not end up in the final image, combine related RUN commands and clean up package caches in the same layer, and add a .dockerignore file to keep unnecessary files out of the build context. Fewer and leaner layers mean smaller images that pull faster and have a smaller attack surface.
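The layer-ordering, ENTRYPOINT/CMD, multi-stage, and image-size points from questions 4, 5, 13, and 14 can be seen together in one Dockerfile. This is an added example, not part of the original page; the Go module layout (go.mod, go.sum, ./cmd/server), the binary name, and the --listen flag are assumptions.

```dockerfile
# Added example. Assumed project layout: go.mod, go.sum, ./cmd/server.

# Stage 1: build stage with the full Go toolchain.
FROM golang:1.22 AS build
WORKDIR /src

# Dependency manifests change rarely, so copy them first. The download layer
# below stays cached until go.mod or go.sum changes.
COPY go.mod go.sum ./
RUN go mod download

# Source code changes often, so copy it last. Only the layers from this point
# onward are rebuilt on a code change. A .dockerignore file keeps unneeded
# files out of the build context that this step copies.
COPY . .
RUN CGO_ENABLED=0 go build -o /out/server ./cmd/server

# Stage 2: minimal runtime image with no compiler, shell, or package manager.
FROM gcr.io/distroless/static-debian12

# Only the finished artifact crosses the stage boundary; the toolchain,
# source tree, and module cache stay behind in the build stage.
COPY --from=build /out/server /server

# Documentation only: the port is reachable from the host only when it is
# published at run time, for example with -p 8080:8080.
EXPOSE 8080

# ENTRYPOINT fixes the executable; CMD supplies default arguments that
# anything passed on the docker run command line replaces.
# --listen is a hypothetical flag of the assumed server binary.
ENTRYPOINT ["/server"]
CMD ["--listen=:8080"]
```

Running docker history on the built image lists only the final stage's layers, which is a quick check that no build tooling ended up in what you ship.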
15. What do docker ps and docker exec do?
docker ps lists currently running containers along with details like their ID, image, status, and published ports, and docker ps -a also shows stopped containers. docker exec runs a new command inside an already running container — for example, docker exec -it <container> sh opens an interactive shell so you can inspect or debug it from the inside. These are two of the most frequently used commands for day-to-day container troubleshooting.
16. What is the lifecycle of a container?
A container is created from an image, typically with docker run, which both creates and starts it, moving it into the running state. While running it can be paused, stopped, or restarted; stopping it leaves the container in an exited state where its writable layer still exists. Finally, docker rm removes a stopped container and discards that writable layer. Images themselves have a separate lifecycle — they are built or pulled, tagged, and removed with docker rmi — and an image persists independently of any containers created from it.
17. What is the difference between stopping and removing a container?
docker stop halts a running container by sending it a termination signal, but the container still exists in an exited state, so you can start it again with docker start and its writable data is preserved. docker rm deletes the container entirely, removing its writable layer and any data not stored in a volume. In short, stopping ends the process while keeping the container, whereas removing deletes the container for good.