Each test is 5 questions with varying difficulty.
AI Prep covers AI Agents, Generative AI, ML Fundamentals, NLP & LLMs and a lot more, with adaptive tests and daily challenges. Fully offline on Android. Free to try, one-time unlock for lifetime access.
Docker has cemented its position as a foundational technology in modern software development and operations. In 2026, containerisation is a baseline expectation for engineers across backend, DevOps, data engineering, and AI infrastructure roles. Docker enables consistent, reproducible environments from a developer's laptop to a production Kubernetes cluster, eliminating the 'works on my machine' problem that plagued pre-container deployments.
Docker interview questions span from practical command knowledge to deep architecture understanding. Junior candidates are expected to know Dockerfiles, image builds, container lifecycle, and Docker Compose for multi-service setups. Mid-level engineers must design multi-stage builds, optimise layer caching, manage volumes vs bind mounts, and understand networking drivers. Senior candidates are assessed on container security hardening, daemon architecture, rootless containers, and the containerd/runc execution stack.
This guide is essential for DevOps Engineers, Platform Engineers, AI Engineers packaging model serving containers, and any backend engineer deploying services in containerised environments.
Docker's significance in 2026 stems from its ability to standardize development environments, streamline deployment workflows, and enhance application portability. Companies like Netflix and Spotify leverage Docker for their microservices architectures, achieving faster iteration cycles and improved resource utilization. For instance, a typical enterprise can reduce server provisioning time from days to minutes and improve application startup times by 30-50% using Docker containers compared to traditional VMs. This translates to significant operational cost savings and accelerated time-to-market for new features. Docker is a high-signal interview topic because a strong understanding reveals a candidate's ability to build, deploy, and manage modern, scalable applications. It demonstrates proficiency in isolating dependencies, managing environments, and troubleshooting complex distributed systems. A weak answer often indicates a lack of practical experience with modern development paradigms or an inability to reason about infrastructure concerns. In 2026, Docker's relevance has only grown, particularly with the widespread adoption of Kubernetes and serverless architectures, where Docker images serve as the fundamental deployment unit. The focus has shifted from merely containerizing applications to optimizing container images for size and security, implementing robust container networking, and integrating Docker into sophisticated CI/CD and MLOps pipelines for AI/ML workloads.
The Docker architecture consists of the Docker Client, Docker Daemon (dockerd), and Docker Registry. The Docker Daemon is the core component, running on the host machine, listening for API requests from the Docker Client. It manages Docker objects like images, containers, networks, and volumes. The Daemon interacts with lower-level components like containerd and runc to manage container lifecycles. Containerd is a container runtime that manages the complete container lifecycle, from image transfer and storage to container execution and supervision. Runc is a lightweight, portable container runtime that actually creates and runs containers according to the OCI (Open Container Initiative) specification. Docker Registry (like Docker Hub) stores Docker images, allowing users to pull and push images.
The Docker Client sends commands to the Docker Daemon via REST API. The Daemon pulls images from the Docker Registry, builds images using Dockerfiles, and instructs containerd to manage container lifecycles. Containerd then uses runc to interact with the OS kernel's namespaces and cgroups to create and run isolated containers.
[Docker Client] (CLI/API)
↓
[Docker Daemon (dockerd)]
(Manages Images, Containers, Networks, Volumes)
↓
[Containerd] (Container Runtime)
(Manages Image Transfer, Storage, Execution)
↓
[Runc] (OCI Runtime)
(Creates & Runs Containers)
↓
[OS Kernel]
(Namespaces, Cgroups)
↓
[Isolated Docker Container(s)] ←→ [Docker Registry] (Image Storage)This pattern involves using multiple FROM statements in a Dockerfile. Each FROM instruction can use a different base image, and artifacts from earlier stages (e.g., build tools, compilers) can be copied into a leaner final image. This significantly reduces the final image size by discarding unnecessary build dependencies. Implemented by using `FROM <image> AS <stage_name>` and `COPY --from=<stage_name> ...`.
Trade-offs: Benefits: Smaller image size, improved security (less attack surface), faster deployments. Tradeoffs: Can make Dockerfiles slightly more complex to read and maintain, requires careful planning of build artifacts.
This pattern leverages Docker's layer caching mechanism to speed up image builds. By placing frequently changing instructions (like `COPY . .`) after less frequently changing ones (like `COPY requirements.txt .` and `RUN pip install`), Docker can reuse cached layers for the stable parts of the build. This is critical for CI/CD pipelines. Implemented by ordering Dockerfile instructions strategically.
Trade-offs: Benefits: Faster build times, especially for incremental changes. Tradeoffs: Requires careful ordering of Dockerfile instructions; incorrect ordering can negate caching benefits. May not be effective for highly volatile codebases.
A sidecar container runs alongside a main application container in the same pod (in Kubernetes context) or Docker Compose service. It extends or enhances the functionality of the main container, sharing its network namespace and often a volume. Common uses include logging agents, configuration reloader, or network proxies. Implemented by defining multiple containers within a single `docker-compose.yml` service or Kubernetes Pod manifest.
Trade-offs: Benefits: Decouples concerns, simplifies main application, reusability of sidecar components. Tradeoffs: Increases resource consumption (CPU/memory) per application, adds complexity to deployment and management, tight coupling between sidecar and main application.
This pattern involves defining a command within the Dockerfile or Docker Compose that Docker periodically executes to check if a containerized application is still healthy and responsive, not just running. If the health check fails, Docker can restart the container. Implemented using the `HEALTHCHECK` instruction in a Dockerfile (e.g., `HEALTHCHECK --interval=5s --timeout=3s CMD curl -f http://localhost/health || exit 1`) or `healthcheck` block in `docker-compose.yml`.
Trade-offs: Benefits: Improves application reliability, automates recovery from unresponsive states, prevents routing traffic to unhealthy instances. Tradeoffs: Adds overhead due to periodic checks, requires careful definition of health check logic to avoid false positives/negatives, can mask deeper issues if not properly monitored.
| Reliability | Docker ensures reliability through container isolation, allowing failures in one container to not directly impact others. Implementing `HEALTHCHECK` in Dockerfiles and using restart policies (`--restart always`) for containers ensures automatic recovery from transient failures. Orchestration tools like Kubernetes further enhance reliability by automatically rescheduling failed containers and maintaining desired states. |
| Scalability | Docker facilitates horizontal scalability by enabling easy replication of container instances. Services can be scaled up or down by simply increasing or decreasing the number of running containers. Docker Swarm and Kubernetes provide built-in mechanisms for managing these replicated services across a cluster, distributing load and ensuring high availability. Scaling involves configuring replica counts and resource limits. |
| Performance | Docker containers introduce minimal overhead compared to virtual machines, typically less than 1-2% CPU/memory. Performance bottlenecks often arise from large image sizes, inefficient Dockerfiles, or inadequate resource allocation. Optimizing image layers, using multi-stage builds, and choosing appropriate base images (e.g., Alpine variants) are crucial. Monitoring container resource usage (CPU, memory, I/O) helps identify and address performance issues. |
| Cost | Docker reduces infrastructure costs by enabling higher resource utilization per host compared to VMs. However, costs can increase with excessive image storage on registries, network egress for image pulls, and over-provisioning of host resources. Reducing image size, cleaning up unused images/volumes (`docker system prune`), and optimizing container resource limits directly impact cost efficiency. |
| Security | Docker security involves several layers: host OS hardening, using minimal base images, running containers as non-root users, setting strict resource limits, and implementing network segmentation. Image scanning tools (e.g., Trivy, Clair) are essential for identifying vulnerabilities. Docker Content Trust ensures image authenticity, and AppArmor/SELinux profiles can further restrict container capabilities. |
| Monitoring | Key metrics for Docker environments include container CPU utilization, memory usage, disk I/O, network I/O, and container restart counts. Tools like Prometheus with cAdvisor, Grafana, Datadog, or New Relic are commonly used to collect and visualize these metrics. Alert thresholds should be set for high resource usage, frequent restarts, or failed health checks to proactively address issues. |
A Docker image is a read-only template with instructions for creating a Docker container. It's a static blueprint. A Docker container is a runnable instance of an image, representing the live, executing environment of your application. You build an image, and then you run a container from that image.
VMs virtualize the hardware, each running a full guest OS, leading to higher resource consumption and slower startup. Containers virtualize the OS, sharing the host OS kernel but running isolated user spaces. This makes containers much lighter, faster to start, and more resource-efficient than VMs.
Docker Compose is a tool for defining and running multi-container Docker applications. You use a YAML file to configure your application's services, networks, and volumes. It's ideal for local development environments, testing, and small-scale deployments where you need to manage several interdependent containers as a single unit.
Docker volumes are the preferred mechanism for persisting data generated by and used by Docker containers. Unlike data stored in a container's writable layer, volumes exist independently of the container's lifecycle. This ensures that data is not lost when a container is removed or recreated, crucial for stateful applications.
Docker networking allows containers to communicate with each other and the outside world. Common drivers include `bridge` (default, isolated network for containers on a single host), `host` (container shares host's network stack), `overlay` (for multi-host communication in Swarm), and `macvlan` (assigns MAC/IP to container directly on physical network).
Best practices include using multi-stage builds to reduce image size, leveraging `.dockerignore` to exclude unnecessary files, ordering instructions to maximize layer caching, combining `RUN` commands with `&&` for cleanup, and using specific, immutable image tags instead of `latest`.
The Docker daemon is the background service running on the host machine that manages Docker objects like images, containers, networks, and volumes. It listens for API requests from the Docker client and performs the heavy lifting of building, running, and distributing containers.
Secure containers by running them as non-root users, using minimal base images (e.g., Alpine), implementing resource limits, scanning images for vulnerabilities with tools like Trivy, using Docker Content Trust, and configuring network segmentation to restrict communication.
`CMD` provides default arguments for an executing container. If `ENTRYPOINT` is defined, `CMD` specifies its default parameters. If no `ENTRYPOINT` is defined, `CMD` specifies the command to execute. `ENTRYPOINT` configures a container that will run as an executable, making it harder to override.
Docker Swarm is simpler to set up and manage, making it suitable for smaller deployments or teams already heavily invested in the Docker ecosystem. Kubernetes is more powerful, feature-rich, and the industry standard for large-scale, complex, and highly available production deployments, though it has a steeper learning curve.
A dangling image is an image layer that has no associated tags and is not used by any container. They consume disk space unnecessarily. You can clean them up using `docker image prune` or `docker system prune` to remove all dangling images and other unused Docker objects.
You can limit resources using `docker run` flags: `--cpus` to set CPU shares, `--memory` for RAM limits, and `--memory-swap` for swap space. In Docker Compose, these are configured under the `resources` section for each service. This prevents a single container from monopolizing host resources.
AI Prep covers AI Agents, Generative AI, ML Fundamentals, NLP & LLMs and a lot more, with adaptive tests and daily challenges. Fully offline on Android. Free to try, one-time unlock for lifetime access.