Master your Docker interview with this comprehensive guide covering everything from basics to advanced topics. Whether you’re a junior developer or a senior architect, these Docker containerization interview questions will help you succeed in DevOps interviews in 2026.
- 1. Docker Fundamentals & Architecture
- 2. Docker Images & Containers
- 3. Docker Compose
- 4. Docker Networking
- 5. Docker Storage & Volumes
- 6. Docker Security Best Practices
- 7. Docker Performance Optimization
- 8. CI/CD with Docker, GitHub & GitHub Actions
- 9. Docker Swarm vs Kubernetes
- 10. Advanced Docker Concepts
- Q37: What is Docker Content Trust and how do you implement it?
- Q38: Explain Docker BuildKit and its advanced features
- Q39: How do you implement container health checks?
- Q40: What are Docker init processes and why are they important?
- Q41: Explain Docker rootless mode and its benefits
- Q42: How do you implement Docker multi-stage builds for different languages?
- Q43: How do you debug containers that won't start?
- Q44: What are Docker contexts and how do you use them?
- Q45: How do you implement container restart policies and handle crashes?
- Conclusion and Interview Tips
- List services
- Scale service
- Update service (rolling update)
1. Docker Fundamentals & Architecture
Q1: What is Docker, and why is it important in 2026?
Answer: Docker is a containerization platform that packages applications and their dependencies into isolated containers. In 2026, Docker remains crucial because:
- Consistency: Ensures applications run identically across development, testing, and production environments
- Microservices Architecture: Essential for building and deploying microservices
- Resource Efficiency: Containers share the host OS kernel, using fewer resources than VMs
- DevOps Integration: Core component of modern CI/CD pipelines
- Cloud-Native Development: Foundation for Kubernetes and container orchestration
Interview Tip: Mention real-world benefits like faster deployment times and improved scalability.
Q2: Explain Docker architecture and its key components
Answer: Docker uses a client-server architecture with these components:
1. Docker Client: CLI tool that sends commands to Docker daemon
2. Docker Daemon (dockerd): Background service managing containers, images, networks, and volumes
3. Docker Registry: Stores Docker images (Docker Hub, private registries)
4. Docker Objects:
- Images: Read-only templates for creating containers
- Containers: Runnable instances of images
- Networks: Enable container communication
- Volumes: Persist data outside containers
Architecture Flow:
Client → Docker CLI → REST API → Docker Daemon → containerd → runc → Container
Follow-up Questions:
- What is containerd and runc?
- How does Docker differ from virtual machines?
Q3: What’s the difference between Docker and Virtual Machines?
Answer:
| Aspect | Docker Containers | Virtual Machines |
|---|---|---|
| OS | Share host kernel | Full OS per VM |
| Size | MBs | GBs |
| Startup | Seconds | Minutes |
| Performance | Near-native | Overhead from hypervisor |
| Isolation | Process-level | Hardware-level |
| Resource Usage | Lightweight | Heavy |
Practical Example: Running 10 microservices:
- Docker: ~2GB RAM, starts in 10 seconds
- VMs: ~20GB RAM, starts in 10+ minutes
Interview Tip: Emphasize that containers are ideal for microservices, while VMs are better for complete OS isolation.
Q4: What are Docker namespaces and cgroups?
Answer:
Namespaces provide isolation for containers:
- PID namespace: Process isolation
- NET namespace: Network isolation
- MNT namespace: Filesystem mount points
- UTS namespace: Hostname and domain name
- IPC namespace: Inter-process communication
- USER namespace: User and group ID isolation
Cgroups (Control Groups) limit resource usage:
- CPU allocation
- Memory limits
- Disk I/O
- Network bandwidth
Example:
# Limit container to 512MB RAM and 50% CPU
docker run -m 512m --cpus="0.5" nginx
Q5: Explain the Docker image layering system
Answer: Docker images use a Union File System with layers:
How it works:
- Each Dockerfile instruction creates a new layer
- Layers are read-only except the top container layer
- Layers are cached and reused across images
- Only changed layers are rebuilt
Example Dockerfile:
FROM node:18-alpine # Layer 1: Base image
WORKDIR /app # Layer 2: Set working directory
COPY package*.json ./ # Layer 3: Copy dependency files
RUN npm install # Layer 4: Install dependencies
COPY . . # Layer 5: Copy application code
CMD ["node", "server.js"] # Layer 6: Set command
Benefits:
- Efficient storage (shared layers)
- Faster builds (cached layers)
- Quick distribution (only changed layers transferred)
Interview Tip: Mention optimization strategies like ordering instructions from least to most frequently changed.
2. Docker Images & Containers
Q6: What’s the difference between an image and a container?
Answer:
Image:
- Read-only template
- Blueprint for containers
- Stored in registries
- Immutable
Container:
- Running instance of an image
- Has a writable layer
- Can be started, stopped, and deleted
- Ephemeral by default
Analogy: Image is like a class in OOP, container is like an object instance.
# Pull image (download template)
docker pull nginx:latest
# Run container (create instance)
docker run -d --name web nginx:latest
# Multiple containers from same image
docker run -d --name web1 nginx
docker run -d --name web2 nginx
Q7: How do you optimize Docker images for production?
Answer: Key optimization strategies:
1. Use Multi-Stage Builds:
# Build stage
FROM node:22 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build
# Production stage
FROM node:22-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
CMD ["node", "dist/server.js"]
2. Choose Minimal Base Images:
# Bad: 900MB
FROM ubuntu:latest
# Good: 150MB
FROM node:22
# Better: 40MB
FROM node:22-slim
# Best: 8MB
FROM node:22-alpine
3. Optimize Layer Caching:
# Copy dependencies first (changes less often)
COPY package*.json ./
RUN npm install
# Copy code last (changes frequently)
COPY . .
4. Use .dockerignore:
node_modules
.git
.env
*.log
coverage/
.DS_Store
5. Combine RUN Commands:
# Bad: 3 layers
RUN apt-get update
RUN apt-get install -y curl
RUN apt-get clean
# Good: 1 layer
RUN apt-get update && \
apt-get install -y curl && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
Result: Image size reduced from 1.2GB to 150MB, build time from 10min to 2min.
Q8: Explain Docker build cache and how to leverage it?
Answer: Docker caches each layer during builds to speed up subsequent builds.
Cache Invalidation Rules:
- If a layer changes, all subsequent layers are rebuilt
- Cache is based on instruction and file contents
-
COPYandADDuse file checksums
Best Practices:
# Order matters for cache efficiency
# 1. Base image (rarely changes)
FROM python:3.11-slim
# 2. System dependencies (rarely changes)
RUN apt-get update && apt-get install -y gcc
# 3. Application dependencies (changes occasionally)
COPY requirements.txt .
RUN pip install -r requirements.txt
# 4. Application code (changes frequently)
COPY . .
# 5. Runtime configuration
CMD ["python", "app.py"]
Force rebuild without cache:
docker build --no-cache -t myapp:latest .
View layer sizes:
docker history myapp:latest
Q9: How do you manage Docker images in a CI/CD pipeline?
Answer: Image management strategy:
1. Tagging Strategy:
# Semantic versioning
docker tag myapp:latest myapp:1.2.3
# Git commit SHA
docker tag myapp:latest myapp:${GIT_COMMIT_SHA}
# Environment-specific
docker tag myapp:latest myapp:production
docker tag myapp:latest myapp:staging
# Date-based
docker tag myapp:latest myapp:2026-01-06
2. Registry Management:
# Login to registry
docker login registry.example.com
# Push with multiple tags
docker push myapp:1.2.3
docker push myapp:latest
# Pull specific version
docker pull myapp:1.2.3
3. Image Scanning:
# Scan for vulnerabilities
docker scan myapp:latest
# Use Trivy
trivy image myapp:latest
4. Cleanup Strategy:
# Remove dangling images
docker image prune
# Remove unused images
docker image prune -a
# Remove images older than 7 days
docker image prune -a --filter "until=168h"
Q10: What are the different ways to create a Docker image?
Answer:
1. Dockerfile (Most Common):
FROM nginx:alpine
COPY index.html /usr/share/nginx/html/
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
docker build -t mynginx:1.0 .
2. Docker Commit (Not Recommended for Production):
# Run container and make changes
docker run -it ubuntu bash
apt-get update && apt-get install curl
# Commit changes to new image
docker commit container_id myubuntu:curl
3. Import from Tarball:
docker import backup.tar myimage:latest
4. Using BuildKit (Modern, Faster):
DOCKER_BUILDKIT=1 docker build -t myapp .
Interview Tip: Always recommend Dockerfile for reproducibility and version control.
3. Docker Compose
Q11: What is Docker Compose and when should you use it?
Answer: Docker Compose is a tool for defining and running multi-container applications using a YAML file.
Use Cases:
- Development environments with multiple services
- Microservices architecture
- Testing with dependencies (database, cache, queue)
- Local service orchestration
Example docker-compose.yml:
services:
web:
build: ./web
ports:
- "3000:3000"
environment:
- DATABASE_URL=postgres://db:5432/myapp
depends_on:
- db
- redis
volumes:
- ./web:/app
networks:
- app-network
db:
image: postgres:15-alpine
environment:
- POSTGRES_USER=user
- POSTGRES_PASSWORD=password
- POSTGRES_DB=myapp
volumes:
- postgres-data:/var/lib/postgresql/data
networks:
- app-network
redis:
image: redis:7-alpine
networks:
- app-network
volumes:
postgres-data:
networks:
app-network:
driver: bridge
Commands:
# Start all services
docker-compose up -d
# View logs
docker-compose logs -f web
# Scale service
docker-compose up -d --scale web=3
# Stop all services
docker-compose down
# Remove volumes too
docker-compose down -v
Q12: Explain Docker Compose networking and service discovery
Answer: Docker Compose automatically creates a network for your application.
Service Discovery:
services:
backend:
image: myapi:latest
frontend:
image: myweb:latest
environment:
# Services can reach each other by name
- API_URL=http://backend:8080
How it works:
- Compose creates a default network
- Services join this network automatically
- DNS resolution allows service-to-service communication by name
- Each service gets its own hostname
Custom Networks:
services:
web:
networks:
- frontend
- backend
api:
networks:
- backend
db:
networks:
- backend
networks:
frontend:
driver: bridge
backend:
driver: bridge
internal: true # No external access
Testing connectivity:
# Execute command in container
docker-compose exec web ping api
# Check network
docker network inspect myapp_backend
Q13: How do you handle environment-specific configurations in Docker Compose?
Answer: Multiple approaches:
1. Environment Files:
# docker-compose.yml
services:
web:
env_file:
- .env.common
- .env.production
# .env.production
NODE_ENV=production
DATABASE_URL=postgres://prod-db:5432/app
REDIS_URL=redis://prod-redis:6379
LOG_LEVEL=error
2. Multiple Compose Files:
# Base configuration
docker-compose.yml
# Development overrides
docker-compose.dev.yml
# Production overrides
docker-compose.prod.yml
# docker-compose.prod.yml
version: '3.8'
services:
web:
image: myapp:${VERSION}
restart: always
deploy:
replicas: 3
resources:
limits:
cpus: '0.5'
memory: 512M
Usage:
# Development
docker-compose -f docker-compose.yml -f docker-compose.dev.yml up
# Production
docker-compose -f docker-compose.yml -f docker-compose.prod.yml up
3. Variable Substitution:
services:
web:
image: myapp:${VERSION:-latest}
ports:
- "${WEB_PORT:-3000}:3000"
Q14: How do you debug issues in Docker Compose?
Answer: Debugging strategies:
1. View Logs:
# All services
docker-compose logs
# Specific service with follow
docker-compose logs -f web
# Last 100 lines
docker-compose logs --tail=100 web
# Timestamps
docker-compose logs -t web
2. Check Service Status:
# List running services
docker-compose ps
# Check resource usage
docker stats $(docker-compose ps -q)
3. Execute Commands:
# Interactive shell
docker-compose exec web sh
# Run command
docker-compose exec db psql -U user -d myapp
# Run as root
docker-compose exec --user root web bash
4. Inspect Configuration:
# View resolved compose file
docker-compose config
# Validate compose file
docker-compose config --quiet
5. Network Debugging:
# Test connectivity
docker-compose exec web ping db
# Check DNS resolution
docker-compose exec web nslookup db
# Inspect network
docker network inspect myapp_default
6. Volume Issues:
# List volumes
docker volume ls
# Inspect volume
docker volume inspect myapp_postgres-data
# Check permissions
docker-compose exec web ls -la /app
4. Docker Networking
Q15: Explain different Docker network drivers
Answer:
1. Bridge (Default):
- Default network for standalone containers
- Containers can communicate via IP or container name
- Provides network isolation
docker network create my-bridge-network
docker run -d --network my-bridge-network --name web nginx
docker run -d --network my-bridge-network --name api node:18
2. Host:
- Container uses host’s network stack
- No network isolation
- Better performance for high-throughput applications
docker run -d --network host nginx
# Container accessible at host's IP directly
3. None:
- No networking
- Complete isolation
- Useful for batch jobs
docker run -d --network none alpine sleep 3600
4. Overlay:
- Multi-host networking
- Used in Docker Swarm/Kubernetes
- Enables container communication across hosts
docker network create -d overlay my-overlay-network
5. Macvlan:
- Assigns MAC address to container
- Container appears as physical device
- Used for legacy applications
docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=eth0 macvlan-net
Q16: How do you expose container ports and what’s the difference between EXPOSE and publish?
Answer:
EXPOSE (Documentation only):
# Dockerfile
EXPOSE 8080
# Only documents intended port, doesn't actually publish
Publish Ports (Actual port mapping):
# Map container port 8080 to host port 3000
docker run -p 3000:8080 myapp
# Map to random host port
docker run -P myapp
# Bind to specific interface
docker run -p 127.0.0.1:3000:8080 myapp
# Multiple ports
docker run -p 3000:8080 -p 3001:8081 myapp
# UDP port
docker run -p 3000:8080/udp myapp
Port Mapping Scenarios:
# docker-compose.yml
services:
web:
ports:
# HOST:CONTAINER
- "3000:8080" # Public access
- "127.0.0.1:3001:8081" # Localhost only
- "3002" # Random host port
expose:
- "9090" # Only to other services
Check port mappings:
docker port container_name
Q17: How do containers communicate with each other?
Answer:
1. Same Bridge Network (by name):
docker network create mynetwork
docker run -d --name db --network mynetwork postgres
docker run -d --name app --network mynetwork myapp
# In app container
curl http://db:5432
2. Default Bridge (by IP only):
docker run -d --name db postgres
DB_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' db)
docker run -d --name app -e DATABASE_URL=$DB_IP myapp
3. Links (Legacy, not recommended):
docker run -d --name db postgres
docker run -d --name app --link db:database myapp
4. Docker Compose (Automatic DNS):
services:
api:
build: ./api
worker:
build: ./worker
environment:
- API_URL=http://api:3000
5. Host Network:
docker run --network host app1
docker run --network host app2
# Both can communicate via localhost
Best Practice Example:
services:
frontend:
networks:
- public
backend:
networks:
- public
- private
database:
networks:
- private
networks:
public:
private:
internal: true
Q18: How do you troubleshoot Docker network issues?
Answer:
1. Network Inspection:
# List networks
docker network ls
# Inspect network
docker network inspect bridge
# See which containers are connected
docker network inspect mynetwork --format '{{range .Containers}}{{.Name}} {{end}}'
2. Container Network Details:
# Get container IP
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name
# All network settings
docker inspect container_name | jq '.[0].NetworkSettings'
3. Connectivity Tests:
# Ping between containers
docker exec web ping api
# Test port connectivity
docker exec web nc -zv api 8080
# DNS resolution
docker exec web nslookup api
# Trace route
docker exec web traceroute api
# Check listening ports
docker exec web netstat -tlnp
4. Common Issues & Solutions:
Issue: Container can’t reach another container by name
# Solution: Ensure on same custom network
docker network connect mynetwork container1
docker network connect mynetwork container2
Issue: Can’t access exposed port
# Check port mapping
docker port container_name
# Verify process listening
docker exec container_name netstat -tlnp | grep 8080
# Check firewall
sudo iptables -L -n | grep 8080
Issue: DNS not working
# Check DNS settings
docker exec container_name cat /etc/resolv.conf
# Test Docker DNS
docker exec container_name nslookup google.com
5. Network Performance:
# Test bandwidth between containers
docker exec -it web iperf3 -s
docker exec -it api iperf3 -c web
5. Docker Storage & Volumes
Q19: Explain Docker volumes vs bind mounts vs tmpfs
Answer:
1. Volumes (Recommended):
- Managed by Docker
- Stored in Docker’s directory
- Persist data outside container lifecycle
- Can be shared between containers
# Create named volume
docker volume create mydata
# Use volume
docker run -v mydata:/app/data myapp
# Docker Compose
services:
db:
volumes:
- postgres-data:/var/lib/postgresql/data
volumes:
postgres-data:
2. Bind Mounts:
- Mount host directory into container
- Full host path required
- Useful for development
# Bind mount
docker run -v /home/user/code:/app myapp
# Docker Compose
services:
web:
volumes:
- ./src:/app/src:ro # Read-only
- ./logs:/app/logs # Read-write
3. tmpfs Mounts:
- Stored in host memory only
- Never written to disk
- Useful for sensitive data
# tmpfs mount
docker run --tmpfs /app/temp:rw,size=100m,mode=1777 myapp
Comparison:
| Feature | Volume | Bind Mount | tmpfs |
|---|---|---|---|
| Location | Docker managed | Host filesystem | Host memory |
| Persistence | Yes | Yes | No |
| Performance | Good | Good | Fastest |
| Portability | High | Low | High |
| Use Case | Production data | Development | Secrets/temp |
Q20: How do you backup and restore Docker volumes?
Answer:
Backup Volume:
# Method 1: Using tar
docker run --rm \
-v mydata:/data \
-v $(pwd):/backup \
alpine tar czf /backup/mydata-backup.tar.gz -C /data .
# Method 2: Using docker cp
docker create --name temp -v mydata:/data alpine
docker cp temp:/data ./backup
docker rm temp
Restore Volume:
# Create new volume
docker volume create mydata-restored
# Restore data
docker run --rm \
-v mydata-restored:/data \
-v $(pwd):/backup \
alpine tar xzf /backup/mydata-backup.tar.gz -C /data
# Verify
docker run --rm -v mydata-restored:/data alpine ls -la /data
Automated Backup Script:
#!/bin/bash
# backup-volumes.sh
VOLUMES=$(docker volume ls -q)
BACKUP_DIR="./backups/$(date +%Y%m%d)"
mkdir -p $BACKUP_DIR
for volume in $VOLUMES; do
echo "Backing up $volume..."
docker run --rm \
-v $volume:/data \
-v $BACKUP_DIR:/backup \
alpine tar czf /backup/${volume}.tar.gz -C /data .
done
echo "Backup complete!"
Docker Compose Backup:
# Backup all volumes defined in compose
docker-compose down
docker run --rm \
-v myapp_db-data:/data \
-v $(pwd)/backups:/backup \
alpine tar czf /backup/db-data.tar.gz -C /data .
docker-compose up -d
Q21: What are volume drivers and when would you use them?
Answer: Volume drivers enable storing volumes on remote hosts or cloud providers.
Built-in Driver (local):
docker volume create --driver local myvolume
Common Volume Drivers:
1. NFS (Network File System):
docker volume create --driver local \
--opt type=nfs \
--opt o=addr=192.168.1.100,rw \
--opt device=:/path/to/share \
nfs-volume
2. CIFS/SMB:
docker volume create --driver local \
--opt type=cifs \
--opt o=username=user,password=pass \
--opt device=//server/share \
smb-volume
3. Cloud Storage (AWS EBS):
docker volume create --driver rexray/ebs \
--opt size=10 \
aws-volume
Docker Compose with NFS:
services:
app:
volumes:
- nfs-data:/data
volumes:
nfs-data:
driver: local
driver_opts:
type: nfs
o: addr=192.168.1.100,rw
device: ":/mnt/data"
Use Cases:
- Multi-host deployments
- Shared storage across containers
- Cloud-native applications
- High availability setups
Q22: How do you manage storage permissions in Docker?
Answer:
Problem: Permission denied errors when containers access volumes
Solutions:
1. Match User IDs:
# Create user with specific UID
FROM node:18-alpine
RUN addgroup -g 1001 -S appgroup && \
adduser -u 1001 -S appuser -G appgroup
USER appuser
WORKDIR /app
# Run container as specific user
docker run --user 1001:1001 -v mydata:/app/data myapp
2. Change Volume Permissions:
# Using init container pattern
docker run --rm -v mydata:/data alpine chown -R 1001:1001 /data
3. Docker Compose:
services:
app:
user: "1001:1001"
volumes:
- app-data:/data
init:
image: alpine
volumes:
- app-data:/data
command: chown -R 1001:1001 /data
4. Bind Mount Permissions:
# Development: give everyone access (not for production)
chmod -R 777 ./data
# Better: match host user
docker run --user $(id -u):$(id -g) -v $(pwd):/app myapp
5. Named Volumes with Permissions:
FROM alpine
RUN mkdir -p /data && chown -R 1001:1001 /data
VOLUME /data
USER 1001
6. Docker Security Best Practices
Q23: What are the top Docker security best practices?
Answer:
1. Use Official and Minimal Base Images:
# Bad
FROM ubuntu:latest
# Good
FROM node:18-alpine
# Best - Distroless
FROM gcr.io/distroless/nodejs18-debian11
2. Run as Non-Root User:
FROM node:18-alpine
# Create non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# Set ownership
COPY --chown=appuser:appgroup . /app
USER appuser
WORKDIR /app
CMD ["node", "server.js"]
3. Scan Images for Vulnerabilities:
# Docker scan
docker scan myapp:latest
# Trivy
trivy image myapp:latest
# Snyk
snyk container test myapp:latest
4. Use Read-Only Filesystem:
docker run --read-only --tmpfs /tmp myapp
Docker Compose:
services:
web:
read_only: true
tmpfs:
- /tmp
- /var/run
5. Limit Container Resources:
docker run \
--memory="512m" \
--cpus="0.5" \
--pids-limit=100 \
myapp
6. Drop Unnecessary Capabilities:
docker run \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
myapp
7. Use Secrets Management:
# Docker secrets (Swarm)
echo "db_password" | docker secret create db_pass -
# Docker Compose
docker run --env-file .env.secret myapp
Q24: How do you scan Docker images for security vulnerabilities?
Answer:
1. Docker Native Scanning:
# Scan image
docker scan myapp:latest
# Scan with specific severity
docker scan --severity high myapp:latest
# JSON output
docker scan --json myapp:latest > scan-results.json
2. Trivy (Recommended):
# Install Trivy
brew install trivy # macOS
apt-get install trivy # Ubuntu
# Scan image
trivy image myapp:latest
# Only critical and high
trivy image --severity CRITICAL,HIGH myapp:latest
# Scan Dockerfile
trivy config Dockerfile
# CI/CD integration
trivy image --exit-code 1 --severity CRITICAL myapp:latest
3. Snyk:
# Install
npm install -g snyk
# Authenticate
snyk auth
# Scan image
snyk container test myapp:latest
# Monitor in Snyk dashboard
snyk container monitor myapp:latest
4. Clair:
# Run Clair server
docker run -d --name clair -p 6060:6060 quay.io/coreos/clair:latest
# Scan with clairctl
clairctl analyze myapp:latest
CI/CD Integration Example (GitHub Actions):
name: Security Scan
on: [push]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build image
run: docker build -t myapp:${{ github.sha }} .
- name: Run Trivy scan
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp:${{ github.sha }}
severity: 'CRITICAL,HIGH'
exit-code: '1'
5. Best Practices:
- Scan during CI/CD pipeline
- Block deployments on critical vulnerabilities
- Regular rescans of running containers
- Maintain inventory of base images
- Automate patching process
Q25: Explain Docker secrets and how to manage sensitive data
Answer:
Docker Swarm Secrets (Production):
# Create secret from file
docker secret create db_password ./password.txt
# Create secret from stdin
echo "mypassword" | docker secret create db_pass -
# List secrets
docker secret ls
# Use in service
docker service create \
--name webapp \
--secret db_pass \
myapp:latest
In Application:
// Secret available at /run/secrets/db_pass
const fs = require('fs');
const dbPassword = fs.readFileSync('/run/secrets/db_pass', 'utf8').trim();
Docker Compose Secrets:
version: '3.8'
services:
db:
image: postgres:15
secrets:
- db_password
environment:
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
secrets:
db_password:
file: ./secrets/db_password.txt
Environment Variables (Development Only):
# NOT recommended for production
docker run -e DATABASE_PASSWORD=secret myapp
# Better: Use env file
docker run --env-file .env.secret myapp
HashiCorp Vault Integration:
# Fetch secret from Vault
docker run \
-e VAULT_ADDR=https://vault.example.com \
-e VAULT_TOKEN=$VAULT_TOKEN \
myapp
Best Practices:
- Never commit secrets to Git
- Use different secrets per environment
- Rotate secrets regularly
- Use secret management tools (Vault, AWS Secrets Manager)
- Avoid environment variables for production secrets
Q26: How do you implement the principle of least privilege in Docker?
Answer:
1. Non-Root User:
FROM python:3.11-slim
# Create user with minimal permissions
RUN useradd -m -u 1000 appuser && \
mkdir /app && \
chown appuser:appuser /app
USER appuser
WORKDIR /app
COPY --chown=appuser:appuser requirements.txt .
RUN pip install --user -r requirements.txt
COPY --chown=appuser:appuser . .
CMD ["python", "app.py"]
2. Drop All Capabilities, Add Only Required:
services:
web:
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE # Only if binding to ports < 1024
- CHOWN # Only if changing file ownership
3. Read-Only Root Filesystem:
services:
app:
read_only: true
tmpfs:
- /tmp:mode=1777,size=128m
- /var/log:mode=0755,size=64m
4. Security Options:
docker run \
--security-opt=no-new-privileges:true \
--security-opt=seccomp=default \
myapp
5. AppArmor/SELinux Profiles:
# AppArmor
docker run --security-opt apparmor=docker-default myapp
# SELinux
docker run --security-opt label=type:container_runtime_t myapp
6. Network Isolation:
services:
frontend:
networks:
- public
backend:
networks:
- internal
database:
networks:
- internal
networks:
public:
internal:
internal: true # No external access
7. Docker Performance Optimization
Q27: How do you optimize Docker container performance?
Answer:
1. Resource Limits:
# Set memory and CPU limits
docker run \
--memory="1g" \
--memory-reservation="512m" \
--memory-swap="2g" \
--cpus="1.5" \
--cpu-shares=1024 \
myapp
Docker Compose:
services:
web:
deploy:
resources:
limits:
cpus: '1.5'
memory: 1G
reservations:
cpus: '0.5'
memory: 512M
2. Use BuildKit:
# syntax=docker/dockerfile:1.4
FROM node:18-alpine
WORKDIR /app
# BuildKit cache mounts
RUN --mount=type=cache,target=/root/.npm \
npm install -g pnpm
COPY package*.json ./
RUN --mount=type=cache,target=/root/.local/share/pnpm/store \
pnpm install --frozen-lockfile
COPY . .
RUN pnpm build
CMD ["node", "dist/server.js"]
Build with BuildKit:
DOCKER_BUILDKIT=1 docker build -t myapp .
3. Optimize Image Layers:
# Bad: Many layers
RUN apt-get update
RUN apt-get install -y curl
RUN apt-get install -y git
RUN apt-get clean
# Good: Single layer, smaller image
RUN apt-get update && \
apt-get install -y --no-install-recommends curl git && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
4. Use Multi-Stage Builds:
# Build stage
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -o server
# Runtime stage (10x smaller)
FROM alpine:3.18
COPY --from=builder /app/server /server
CMD ["/server"]
5. Enable Docker Daemon Optimization:
// /etc/docker/daemon.json
{
"storage-driver": "overlay2",
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 64000,
"Soft": 64000
}
}
}
6. Use Volume Mounts for I/O Performance:
# Better I/O than bind mounts
docker volume create fast-storage
docker run -v fast-storage:/data myapp
Q28: How do you monitor Docker container performance?
Answer:
1. Docker Stats:
# Real-time stats for all containers
docker stats
# Specific container
docker stats container_name
# No stream, single snapshot
docker stats --no-stream
# Format output
docker stats --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}"
2. Docker Events:
# Monitor container events
docker events
# Filter by container
docker events --filter container=myapp
# Filter by type
docker events --filter type=container
3. Prometheus + cAdvisor:
version: '3.8'
services:
cadvisor:
image: gcr.io/cadvisor/cadvisor:latest
ports:
- "8080:8080"
volumes:
- /:/rootfs:ro
- /var/run:/var/run:ro
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
prometheus:
image: prom/prometheus:latest
ports:
- "9090:9090"
volumes:
- ./prometheus.yml:/etc/prometheus/prometheus.yml
grafana:
image: grafana/grafana:latest
ports:
- "3000:3000"
4. Custom Metrics with PromQL:
# prometheus.yml
scrape_configs:
- job_name: 'cadvisor'
static_configs:
- targets: ['cadvisor:8080']
Example Queries:
# CPU usage
rate(container_cpu_usage_seconds_total[5m])
# Memory usage
container_memory_usage_bytes
# Network I/O
rate(container_network_receive_bytes_total[5m])
5. Application Performance Monitoring:
// Node.js with prom-client
const promClient = require('prom-client');
const register = new promClient.Registry();
const httpRequestDuration = new promClient.Histogram({
name: 'http_request_duration_ms',
help: 'Duration of HTTP requests in ms',
labelNames: ['method', 'route', 'status_code']
});
register.registerMetric(httpRequestDuration);
Q29: What causes Docker containers to run slowly and how do you fix it?
Answer:
Common Performance Issues:
1. Insufficient Resources:
# Problem: Container hitting memory limit
docker stats myapp
# Shows high memory usage, possible OOM kills
# Solution: Increase limits
docker update --memory="2g" --cpus="2" myapp
# Or in Compose
services:
app:
deploy:
resources:
limits:
memory: 2G
cpus: '2'
2. Disk I/O Bottleneck:
# Problem: Slow disk operations
docker run -v /slow/hdd:/data myapp
# Solution: Use volumes on faster storage
docker volume create --driver local \
--opt type=tmpfs \
--opt device=tmpfs \
fast-storage
docker run -v fast-storage:/data myapp
3. Logging Overhead:
# Problem: Large logs consuming resources
docker logs myapp | wc -l # Millions of lines
# Solution: Configure log rotation
docker run \
--log-opt max-size=10m \
--log-opt max-file=3 \
myapp
// /etc/docker/daemon.json
{
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
}
}
4. Network Latency:
# Problem: DNS resolution slow
docker exec myapp time nslookup google.com # Takes > 1s
# Solution: Use custom DNS
docker run --dns 8.8.8.8 --dns 1.1.1.1 myapp
5. Inefficient Image:
# Problem: Large base image
FROM ubuntu:latest # 78MB + dependencies
# Solution: Use alpine
FROM alpine:3.18 # 7MB base
# Or distroless
FROM gcr.io/distroless/base # Minimal
6. Too Many Processes:
# Problem: Multiple services in one container
CMD supervisord # Running nginx, php-fpm, redis
# Solution: One process per container
# Use docker-compose with separate services
Diagnosis Script:
#!/bin/bash
# diagnose.sh
CONTAINER=$1
echo "=== CPU Usage ==="
docker stats --no-stream $CONTAINER | awk '{print $3}'
echo "=== Memory Usage ==="
docker stats --no-stream $CONTAINER | awk '{print $4}'
echo "=== Disk I/O ==="
docker exec $CONTAINER iostat -x 1 5
echo "=== Network Latency ==="
docker exec $CONTAINER ping -c 5 8.8.8.8
echo "=== Process Count ==="
docker exec $CONTAINER ps aux | wc -l
echo "=== Log Size ==="
docker inspect --format='{{.LogPath}}' $CONTAINER | xargs ls -lh
8. CI/CD with Docker, GitHub & GitHub Actions
Q30: How do you integrate Docker with GitHub Actions?
Answer:
Complete GitHub Actions Workflow:
# .github/workflows/docker-ci-cd.yml
name: Docker CI/CD Pipeline
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
release:
types: [ published ]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-test:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,prefix={{branch}}-
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run tests in container
run: |
docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} npm test
- name: Security scan with Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
severity: 'CRITICAL,HIGH'
exit-code: '1'
deploy-staging:
needs: build-and-test
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/develop'
steps:
- name: Deploy to staging
run: |
# SSH to staging server and deploy
ssh ${{ secrets.STAGING_HOST }} "
docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:develop
docker-compose -f docker-compose.staging.yml up -d
"
deploy-production:
needs: build-and-test
runs-on: ubuntu-latest
if: github.event_name == 'release'
steps:
- name: Deploy to production
run: |
# Deploy to production with health checks
ssh ${{ secrets.PROD_HOST }} "
docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
docker-compose -f docker-compose.prod.yml up -d
./health-check.sh
"
Q31: How do you implement Docker layer caching in CI/CD?
Answer:
GitHub Actions with BuildKit Cache:
- name: Build with cache
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: myapp:latest
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
BUILDKIT_INLINE_CACHE=1
Docker Compose Cache:
# docker-compose.ci.yml
version: '3.8'
services:
app:
build:
context: .
cache_from:
- myapp:latest
- myapp:cache
image: myapp:${CI_COMMIT_SHA}
Optimized Dockerfile for Caching:
# syntax=docker/dockerfile:1.4
FROM node:18-alpine AS deps
WORKDIR /app
# Cache dependencies layer
COPY package*.json ./
RUN --mount=type=cache,target=/root/.npm \
npm ci --only=production
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN --mount=type=cache,target=/root/.npm \
npm ci
COPY . .
RUN --mount=type=cache,target=/app/.next/cache \
npm run build
FROM node:18-alpine AS runner
WORKDIR /app
ENV NODE_ENV production
COPY --from=deps /app/node_modules ./node_modules
COPY --from=builder /app/.next ./.next
COPY --from=builder /app/public ./public
COPY --from=builder /app/package.json ./package.json
CMD ["npm", "start"]
Multi-Registry Caching:
- name: Build with multi-registry cache
run: |
docker buildx build \
--cache-from type=registry,ref=myregistry/myapp:cache \
--cache-to type=registry,ref=myregistry/myapp:cache,mode=max \
--push \
-t myregistry/myapp:${{ github.sha }} \
.
Q32: How do you implement a complete Docker-based deployment pipeline?
Answer:
Multi-Environment Pipeline:
# .github/workflows/complete-pipeline.yml
name: Complete Docker Pipeline
on:
push:
branches: [ main, develop, feature/* ]
jobs:
lint-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Lint Dockerfile
uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
- name: Run unit tests
run: |
docker-compose -f docker-compose.test.yml up --build --abort-on-container-exit
docker-compose -f docker-compose.test.yml down
build-and-scan:
needs: lint-and-test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build image
uses: docker/build-push-action@v5
with:
context: .
load: true
tags: myapp:${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan for vulnerabilities
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy:latest image \
--severity HIGH,CRITICAL \
--exit-code 1 \
myapp:${{ github.sha }}
- name: Run integration tests
run: |
docker-compose -f docker-compose.integration.yml up -d
./wait-for-it.sh localhost:3000 -- npm run test:integration
docker-compose -f docker-compose.integration.yml down
push-to-registry:
needs: build-and-scan
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop'
steps:
- uses: actions/checkout@v4
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: |
myorg/myapp:${{ github.sha }}
myorg/myapp:latest
ghcr.io/${{ github.repository }}:${{ github.sha }}
ghcr.io/${{ github.repository }}:latest
deploy-staging:
needs: push-to-registry
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/develop'
environment:
name: staging
url: https://staging.example.com
steps:
- name: Deploy to staging
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.STAGING_HOST }}
username: ${{ secrets.STAGING_USER }}
key: ${{ secrets.STAGING_SSH_KEY }}
script: |
cd /opt/myapp
docker-compose pull
docker-compose up -d
docker system prune -f
deploy-production:
needs: push-to-registry
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
environment:
name: production
url: https://example.com
steps:
- name: Deploy to production
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.PROD_HOST }}
username: ${{ secrets.PROD_USER }}
key: ${{ secrets.PROD_SSH_KEY }}
script: |
cd /opt/myapp
docker-compose pull
docker-compose up -d --no-deps --build web
./health-check.sh
if [ $? -eq 0 ]; then
docker-compose up -d
else
docker-compose up -d --force-recreate
exit 1
fi
Health Check Script:
#!/bin/bash
# health-check.sh
MAX_RETRIES=30
RETRY_INTERVAL=2
HEALTH_URL="http://localhost:3000/health"
for i in $(seq 1 $MAX_RETRIES); do
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" $HEALTH_URL)
if [ $HTTP_CODE -eq 200 ]; then
echo "Health check passed!"
exit 0
fi
echo "Attempt $i/$MAX_RETRIES: Health check failed (HTTP $HTTP_CODE)"
sleep $RETRY_INTERVAL
done
echo "Health check failed after $MAX_RETRIES attempts"
exit 1
Q33: How do you implement blue-green deployment with Docker?
Answer:
Blue-Green Deployment Strategy:
# docker-compose.blue-green.yml
version: '3.8'
services:
nginx:
image: nginx:alpine
ports:
- "80:80"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
depends_on:
- blue
- green
blue:
image: myapp:${BLUE_VERSION}
environment:
- COLOR=blue
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
interval: 10s
timeout: 5s
retries: 3
green:
image: myapp:${GREEN_VERSION}
environment:
- COLOR=green
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
interval: 10s
timeout: 5s
retries: 3
Nginx Configuration:
# nginx.conf
upstream backend {
server blue:3000 weight=100;
server green:3000 weight=0;
}
server {
listen 80;
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
location /health {
access_log off;
return 200 "healthy\n";
}
}
Deployment Script:
#!/bin/bash
# blue-green-deploy.sh
NEW_VERSION=$1
CURRENT_COLOR=$(docker-compose exec nginx curl -s http://backend/color)
if [ "$CURRENT_COLOR" == "blue" ]; then
DEPLOY_TO="green"
WEIGHT_FROM=100
WEIGHT_TO=0
else
DEPLOY_TO="blue"
WEIGHT_FROM=0
WEIGHT_TO=100
fi
echo "Deploying to $DEPLOY_TO environment..."
# Update the target environment
export ${DEPLOY_TO^^}_VERSION=$NEW_VERSION
docker-compose up -d $DEPLOY_TO
# Wait for health check
echo "Waiting for $DEPLOY_TO to be healthy..."
for i in {1..30}; do
if docker-compose exec $DEPLOY_TO curl -f http://localhost:3000/health; then
echo "$DEPLOY_TO is healthy!"
break
fi
sleep 2
done
# Gradual traffic shift
echo "Shifting traffic to $DEPLOY_TO..."
for weight in 10 25 50 75 100; do
# Update nginx config with new weights
sed -i "s/server blue:.* weight=[0-9]\+/server blue:3000 weight=$((100-weight))/" nginx.conf
sed -i "s/server green:.* weight=[0-9]\+/server green:3000 weight=$weight/" nginx.conf
docker-compose exec nginx nginx -s reload
echo "Traffic: $weight% on $DEPLOY_TO"
sleep 30
done
echo "Deployment complete! All traffic on $DEPLOY_TO"
GitHub Actions Integration:
deploy-blue-green:
runs-on: ubuntu-latest
steps:
- name: Deploy with blue-green
run: |
ssh ${{ secrets.PROD_HOST }} '
cd /opt/myapp
./blue-green-deploy.sh ${{ github.sha }}
'
- name: Verify deployment
run: |
sleep 60
RESPONSE=$(curl -s https://example.com/health)
if [ "$RESPONSE" != "healthy" ]; then
echo "Deployment failed! Rolling back..."
ssh ${{ secrets.PROD_HOST }} './rollback.sh'
exit 1
fi
9. Docker Swarm vs Kubernetes
Q34: What are the key differences between Docker Swarm and Kubernetes?
Answer:
| Feature | Docker Swarm | Kubernetes |
|---|---|---|
| Complexity | Simple, easy to learn | Complex, steep learning curve |
| Setup | Built into Docker | Separate installation |
| Scalability | Good for small-medium clusters | Excellent for large clusters |
| Ecosystem | Limited | Extensive (Helm, operators, etc.) |
| Auto-scaling | Manual scaling | Horizontal Pod Autoscaler |
| Self-healing | Basic restart policies | Advanced health checks & recovery |
| Load Balancing | Built-in | Requires configuration |
| Community | Smaller | Massive, industry standard |
| Use Case | Simple deployments | Complex, enterprise-grade |
When to use Docker Swarm:
- Small to medium deployments
- Team familiar with Docker
- Quick setup required
- Simple microservices architecture
- Limited DevOps resources
When to use Kubernetes:
- Large-scale deployments
- Multi-cloud strategy
- Advanced orchestration needs
- Large DevOps team
- Industry-standard required
Q35: How do you set up a Docker Swarm cluster?
Answer:
Initialize Swarm:
# On manager node
docker swarm init --advertise-addr 192.168.1.100
# Get join token for workers
docker swarm join-token worker
# Get join token for managers
docker swarm join-token manager
Join Worker Nodes:
# On worker nodes
docker swarm join \
--token SWMTKN-1-xxxxx \
192.168.1.100:2377
Deploy Service:
# Create service
docker service create \
--name web \
--replicas 3 \
--publish 80:80 \
nginx:alpine
Kubernetes Deployment:
kubectl apply -f deployment.yaml
kubectl scale deployment web-deployment --replicas=5
kubectl set image deployment/web-deployment nginx=nginx:latest
Key Differences:
- Kubernetes uses Pods (can contain multiple containers)
- More granular control in K8s
- Swarm simpler for Docker users
- K8s has namespaces for isolation
- Better monitoring/logging in K8s ecosystem
Q36: Explain Kubernetes architecture and how it compares to Docker Swarm
Answer:
Kubernetes Architecture:
Control Plane Components:
- API Server: Central management point
- etcd: Distributed key-value store
- Scheduler: Assigns pods to nodes
- Controller Manager: Maintains desired state
- Cloud Controller Manager: Cloud provider integration
Node Components:
- kubelet: Node agent
- kube-proxy: Network proxy
- Container Runtime: Docker/containerd/CRI-O
Kubernetes Manifest:
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: web-deployment
spec:
replicas: 3
selector:
matchLabels:
app: web
template:
metadata:
labels:
app: web
spec:
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
---
apiVersion: v1
kind: Service
metadata:
name: web-service
spec:
selector:
app: web
ports:
- protocol: TCP
port: 80
targetPort: 80
type: LoadBalancer
Comparison:
Docker Swarm Service:
docker service create \
--name web \
--replicas 3 \
--publish 80:80 \
10. Advanced Docker Concepts
Q37: What is Docker Content Trust and how do you implement it?
Answer: Docker Content Trust (DCT) provides cryptographic signing and verification of Docker images.
Enable Content Trust:
# Enable globally
export DOCKER_CONTENT_TRUST=1
# Pull only signed images
docker pull nginx:alpine
# Disable for specific command
DOCKER_CONTENT_TRUST=0 docker pull untrusted-image
Sign and Push Images:
# Generate keys (first time)
docker trust key generate mykey
# Add signer
docker trust signer add --key mykey.pub alice myrepo/myimage
# Push signed image
export DOCKER_CONTENT_TRUST=1
docker push myrepo/myimage:latest
# Will prompt for passphrase
Inspect Signatures:
# View trust data
docker trust inspect myrepo/myimage:latest
# View signers
docker trust signer remove alice myrepo/myimage
GitHub Actions with Content Trust:
- name: Sign and push image
env:
DOCKER_CONTENT_TRUST: 1
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DCT_PASSPHRASE }}
run: |
docker push myrepo/myimage:${{ github.sha }}
Use Cases:
- Ensure image integrity
- Prevent unauthorized image deployment
- Regulatory compliance
- Supply chain security
Q38: Explain Docker BuildKit and its advanced features
Answer: BuildKit is the next-generation Docker build system with improved performance and new features.
Enable BuildKit:
# One-time
DOCKER_BUILDKIT=1 docker build .
# Permanently
export DOCKER_BUILDKIT=1
# Or in daemon.json
{
"features": {
"buildkit": true
}
}
Advanced Features:
1. Cache Mounts:
# syntax=docker/dockerfile:1.4
FROM node:18-alpine
WORKDIR /app
# Cache npm dependencies
RUN --mount=type=cache,target=/root/.npm \
npm install -g pnpm
COPY package*.json ./
# Cache pnpm store
RUN --mount=type=cache,target=/root/.local/share/pnpm/store \
pnpm install --frozen-lockfile
COPY . .
RUN pnpm build
CMD ["node", "dist/server.js"]
2. Secret Mounts:
# syntax=docker/dockerfile:1.4
FROM alpine
# Mount secret at build time (not stored in image)
RUN --mount=type=secret,id=github_token \
apk add git && \
git config --global url."https://$(cat /run/secrets/github_token)@github.com/".insteadOf "https://github.com/"
# Build with secret
docker build --secret id=github_token,src=$HOME/.github-token -t myapp .
3. SSH Mounts:
# syntax=docker/dockerfile:1.4
FROM alpine
RUN apk add git openssh-client
# Use SSH keys for private repos
RUN --mount=type=ssh \
git clone git@github.com:private/repo.git
# Build with SSH
docker build --ssh default -t myapp .
4. Multi-Platform Builds:
# Create builder
docker buildx create --name multiplatform --use
# Build for multiple architectures
docker buildx build \
--platform linux/amd64,linux/arm64,linux/arm/v7 \
--push \
-t myrepo/myapp:latest \
.
5. Build-time Network Control:
# syntax=docker/dockerfile:1.4
# Disable network during build
FROM alpine
RUN --network=none echo "No network access"
# Or enable only specific hosts
RUN --network=host curl https://api.example.com
6. Parallel Builds:
# syntax=docker/dockerfile:1.4
FROM alpine AS build1
RUN task1
FROM alpine AS build2
RUN task2
FROM alpine
COPY --from=build1 /output1 /
COPY --from=build2 /output2 /
BuildKit Benefits:
- Parallel build stage execution
- Incremental builds
- Build cache import/export
- Rootless builds
- Improved security
Q39: How do you implement container health checks?
Answer:
Dockerfile Health Check:
FROM node:18-alpine
WORKDIR /app
COPY . .
# Simple HTTP health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD node healthcheck.js
# Or using curl
HEALTHCHECK --interval=30s --timeout=3s \
CMD curl -f http://localhost:3000/health || exit 1
# Or custom script
HEALTHCHECK CMD /app/healthcheck.sh || exit 1
CMD ["node", "server.js"]
Health Check Script:
// healthcheck.js
const http = require('http');
const options = {
host: 'localhost',
port: 3000,
path: '/health',
timeout: 2000
};
const healthCheck = http.request(options, (res) => {
console.log(`STATUS: ${res.statusCode}`);
if (res.statusCode === 200) {
process.exit(0);
} else {
process.exit(1);
}
});
healthCheck.on('error', (err) => {
console.error('ERROR:', err);
process.exit(1);
});
healthCheck.end();
Docker Compose Health Checks:
version: '3.8'
services:
web:
image: myapp:latest
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
depends_on:
db:
condition: service_healthy
db:
image: postgres:15
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 10s
timeout: 5s
retries: 5
environment:
POSTGRES_PASSWORD: password
redis:
image: redis:7-alpine
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 5s
timeout: 3s
retries: 5
Advanced Health Check Endpoint:
// Express.js health check
app.get('/health', async (req, res) => {
const healthcheck = {
uptime: process.uptime(),
message: 'OK',
timestamp: Date.now(),
checks: {}
};
try {
// Check database
await db.ping();
healthcheck.checks.database = 'OK';
// Check Redis
await redis.ping();
healthcheck.checks.redis = 'OK';
// Check external API
const apiResponse = await fetch('https://api.example.com/health');
healthcheck.checks.externalAPI = apiResponse.ok ? 'OK' : 'DEGRADED';
res.status(200).json(healthcheck);
} catch (error) {
healthcheck.message = error.message;
res.status(503).json(healthcheck);
}
});
Kubernetes Liveness and Readiness:
apiVersion: v1
kind: Pod
metadata:
name: myapp
spec:
containers:
- name: app
image: myapp:latest
livenessProbe:
httpGet:
path: /health
port: 3000
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /ready
port: 3000
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
successThreshold: 1
failureThreshold: 3
Monitor Health Status:
# Check health status
docker ps
# Shows (healthy), (unhealthy), or (health: starting)
# View health check logs
docker inspect --format='{{json .State.Health}}' container_name | jq
# Watch health status
watch -n 1 'docker inspect --format="{{.State.Health.Status}}" container_name'
Q40: What are Docker init processes and why are they important?
Answer:
The Problem:
# Bad: Process runs as PID 1
FROM node:18-alpine
CMD ["node", "server.js"]
When a process runs as PID 1:
- It doesn’t handle signals properly (SIGTERM, SIGINT)
- Zombie processes aren’t reaped
- Graceful shutdown doesn’t work
Solutions:
1. Use tini or dumb-init:
FROM node:18-alpine
# Install tini
RUN apk add --no-cache tini
# Use tini as entrypoint
ENTRYPOINT ["/sbin/tini", "--"]
CMD ["node", "server.js"]
2. Use Docker’s –init flag:
docker run --init myapp:latest
Docker Compose:
services:
web:
image: myapp:latest
init: true
3. Proper Signal Handling in Application:
// server.js
const express = require('express');
const app = express();
const server = app.listen(3000, () => {
console.log('Server started on port 3000');
});
// Graceful shutdown
process.on('SIGTERM', () => {
console.log('SIGTERM signal received: closing HTTP server');
server.close(() => {
console.log('HTTP server closed');
// Close database connections
db.close(() => {
console.log('Database connection closed');
process.exit(0);
});
});
});
process.on('SIGINT', () => {
console.log('SIGINT signal received');
process.exit(0);
});
4. Use exec form of CMD:
# Bad: Shell form (creates unnecessary shell process)
CMD node server.js
# Good: Exec form
CMD ["node", "server.js"]
# Best: With init process
ENTRYPOINT ["/sbin/tini", "--"]
CMD ["node", "server.js"]
Testing Signal Handling:
# Start container
docker run -d --name test myapp
# Send SIGTERM
docker stop test
# Should see graceful shutdown logs
# Check exit code
docker inspect test --format='{{.State.ExitCode}}'
# Should be 0 for graceful shutdown
Q41: Explain Docker rootless mode and its benefits
Answer:
Rootless Docker allows running Docker daemon and containers without root privileges.
Installation:
# Install rootless Docker
curl -fsSL https://get.docker.com/rootless | sh
# Add to PATH
export PATH=$HOME/bin:$PATH
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
# Start daemon
systemctl --user start docker
# Enable on boot
systemctl --user enable docker
Benefits:
- Enhanced security (no root access needed)
- Mitigates container breakout risks
- Better for multi-tenant environments
- Compliance with security policies
- Isolation between users
Limitations:
- Can’t use privileged ports (< 1024) by default
- Some storage drivers not supported
- Performance overhead
- Limited cgroup support
Port Mapping Workaround:
# Use port > 1024
docker run -p 8080:80 nginx
# Or use sysctl (requires sudo once)
sudo sysctl net.ipv4.ip_unprivileged_port_start=80
Docker Compose with Rootless:
version: '3.8'
services:
web:
image: nginx:alpine
ports:
- "8080:80" # Use high port
user: "1000:1000"
Check if running rootless:
docker info | grep -i rootless
# Output: Rootless: true
Q42: How do you implement Docker multi-stage builds for different languages?
Answer:
Node.js Multi-Stage Build:
# syntax=docker/dockerfile:1.4
# Stage 1: Dependencies
FROM node:18-alpine AS deps
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
# Stage 2: Build
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# Stage 3: Production
FROM node:18-alpine AS runner
WORKDIR /app
ENV NODE_ENV production
RUN addgroup --system --gid 1001 nodejs && \
adduser --system --uid 1001 nodejs
COPY --from=deps --chown=nodejs:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
COPY --from=builder --chown=nodejs:nodejs /app/package.json ./
USER nodejs
EXPOSE 3000
CMD ["node", "dist/server.js"]
Python Multi-Stage Build:
# Stage 1: Builder
FROM python:3.11-slim AS builder
WORKDIR /app
# Install build dependencies
RUN apt-get update && \
apt-get install -y --no-install-recommends gcc
# Install Python dependencies
COPY requirements.txt .
RUN pip wheel --no-cache-dir --no-deps --wheel-dir /app/wheels -r requirements.txt
# Stage 2: Production
FROM python:3.11-slim
WORKDIR /app
# Copy only wheels
COPY --from=builder /app/wheels /wheels
COPY --from=builder /app/requirements.txt .
# Install dependencies
RUN pip install --no-cache /wheels/*
# Copy application
COPY . .
# Create non-root user
RUN useradd -m -u 1000 appuser && \
chown -R appuser:appuser /app
USER appuser
CMD ["python", "app.py"]
Go Multi-Stage Build:
# Stage 1: Build
FROM golang:1.21-alpine AS builder
WORKDIR /app
# Copy go mod files
COPY go.mod go.sum ./
RUN go mod download
# Copy source
COPY . .
# Build binary
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main .
# Stage 2: Production
FROM alpine:3.18
RUN apk --no-cache add ca-certificates
WORKDIR /root/
# Copy binary from builder
COPY --from=builder /app/main .
# Run as non-root
RUN adduser -D appuser
USER appuser
CMD ["./main"]
Java Multi-Stage Build:
# Stage 1: Build with Maven
FROM maven:3.9-eclipse-temurin-17 AS builder
WORKDIR /app
# Copy pom.xml and download dependencies
COPY pom.xml .
RUN mvn dependency:go-offline
# Copy source and build
COPY src ./src
RUN mvn package -DskipTests
# Stage 2: Runtime with JRE
FROM eclipse-temurin:17-jre-alpine
WORKDIR /app
# Copy jar from builder
COPY --from=builder /app/target/*.jar app.jar
# Create non-root user
RUN addgroup -S spring && adduser -S spring -G spring
USER spring
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]
React/Next.js Multi-Stage Build:
# Stage 1: Dependencies
FROM node:18-alpine AS deps
WORKDIR /app
COPY package*.json ./
RUN npm ci
# Stage 2: Builder
FROM node:18-alpine AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
RUN npm run build
# Stage 3: Production
FROM node:18-alpine AS runner
WORKDIR /app
ENV NODE_ENV production
RUN addgroup --system --gid 1001 nodejs && \
adduser --system --uid 1001 nextjs
# Copy built assets
COPY --from=builder /app/public ./public
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
USER nextjs
EXPOSE 3000
CMD ["node", "server.js"]
Size Comparison:
# Single-stage Go build
FROM golang:1.21
# Final size: ~800MB
# Multi-stage Go build
FROM golang:1.21 AS builder
FROM alpine:3.18
# Final size: ~15MB
Q43: How do you debug containers that won’t start?
Answer:
Common Debugging Techniques:
1. View Container Logs:
# View logs of stopped container
docker logs container_name
# Follow logs in real-time
docker logs -f container_name
# Last 100 lines
docker logs --tail 100 container_name
# With timestamps
docker logs -t container_name
2. Inspect Container:
# Full container details
docker inspect container_name
# Specific field
docker inspect --format='{{.State.ExitCode}}' container_name
docker inspect --format='{{.State.Error}}' container_name
# Network settings
docker inspect --format='{{json .NetworkSettings}}' container_name | jq
3. Override Entrypoint:
# Start with shell instead of normal command
docker run -it --entrypoint /bin/sh myapp
# Or bash
docker run -it --entrypoint /bin/bash myapp
# Docker Compose
docker-compose run --entrypoint /bin/sh web
4. Check for Missing Dependencies:
# Run and check what's missing
docker run -it myapp /bin/sh
> ls -la
> which node
> echo $PATH
> env
5. File Permission Issues:
# Add debugging
FROM node:18-alpine
WORKDIR /app
COPY . .
# Check permissions
RUN ls -la /app
RUN whoami
RUN id
CMD ["node", "server.js"]
6. Use docker events:
# Monitor Docker events in real-time
docker events
# Filter by container
docker events --filter container=myapp
# Save to file
docker events > events.log &
docker run myapp
# Check events.log
7. Health Check Debugging:
# See health check results
docker inspect --format='{{json .State.Health}}' container_name | jq
# Run health check manually
docker exec container_name curl -f http://localhost:3000/health
8. Common Issues and Solutions:
Issue: Port already in use
# Check what's using the port
sudo lsof -i :3000
# Change host port
docker run -p 3001:3000 myapp
Issue: Volume mount permission denied
# Check volume permissions
docker run -v mydata:/data alpine ls -la /data
# Fix permissions
docker run -v mydata:/data alpine chown -R 1000:1000 /data
Issue: Network connectivity
# Test DNS
docker run alpine nslookup google.com
# Test network
docker run --network host alpine ping 8.8.8.8
9. Build-time Debugging:
# Add debugging steps
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
# Debug: Show files
RUN ls -la
# Debug: Check npm
RUN npm --version
RUN npm install
# Debug: Show installed packages
RUN ls -la node_modules
COPY . .
# Debug: Show all files
RUN find . -type f
CMD ["node", "server.js"]
10. Use docker-compose logs:
# All services
docker-compose logs
# Specific service
docker-compose logs web
# Follow and timestamps
docker-compose logs -f -t web
Q44: What are Docker contexts and how do you use them?
Answer:
Docker contexts allow switching between different Docker environments easily.
List Contexts:
# Show available contexts
docker context ls
# Current context
docker context show
Create Context:
# For remote Docker host
docker context create remote-server \
--docker "host=ssh://user@remote-server"
# For Kubernetes
docker context create k8s-context \
--kubernetes config-file=~/.kube/config \
--default-stack-orchestrator=kubernetes
Switch Context:
# Use context
docker context use remote-server
# Run command
docker ps
# Now shows containers on remote-server
# Switch back to default
docker context use default
Practical Use Cases:
1. Multi-Environment Management:
# Create contexts for different environments
docker context create dev --docker "host=ssh://dev-server"
docker context create staging --docker "host=ssh://staging-server"
docker context create prod --docker "host=ssh://prod-server"
# Deploy to different environments
docker context use dev
docker-compose up -d
docker context use prod
docker-compose -f docker-compose.prod.yml up -d
2. Cloud Provider Integration:
# AWS ECS
docker context create ecs-context --ecs
docker context use ecs-context
docker compose up
# Azure ACI
docker context create aci-context --aci
docker context use aci-context
docker compose up
3. Local and Remote Development:
# Local development
docker context use default
docker-compose up
# Test on remote server
docker context use remote-dev
docker-compose up -d
4. SSH Configuration:
# ~/.ssh/config
Host docker-remote
HostName 192.168.1.100
User dockeruser
IdentityFile ~/.ssh/docker-key
# Create context using SSH config
docker context create remote --docker "host=ssh://docker-remote"
5. Context with Environment Variables:
# Use with environment variable
export DOCKER_CONTEXT=staging
docker ps
# Or per-command
DOCKER_CONTEXT=prod docker ps
6. Inspect Context:
# View context details
docker context inspect remote-server
# Export context
docker context export remote-server
# Creates remote-server.dockercontext file
# Import context
docker context import remote-server remote-server.dockercontext
Q45: How do you implement container restart policies and handle crashes?
Answer:
Restart Policies:
1. Docker Run:
# No restart (default)
docker run --restart=no myapp
# Always restart
docker run --restart=always myapp
# Restart unless stopped manually
docker run --restart=unless-stopped myapp
# Restart on failure (max 5 times)
docker run --restart=on-failure:5 myapp
2. Docker Compose:
version: '3.8'
services:
web:
image: myapp:latest
restart: unless-stopped
deploy:
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
worker:
image: worker:latest
restart: always
batch:
image: batch:latest
restart: "no"
3. Swarm Mode:
services:
web:
image: myapp:latest
deploy:
replicas: 3
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
window: 120s
update_config:
failure_action: rollback
monitor: 60s
Handle Application Crashes:
1. Implement Graceful Shutdown:
// Node.js example
const express = require('express');
const app = express();
const server = app.listen(3000);
let isShuttingDown = false;
// Health check endpoint
app.get('/health', (req, res) => {
if (isShuttingDown) {
res.status(503).send('Shutting down');
} else {
res.status(200).send('OK');
}
});
// Graceful shutdown
function gracefulShutdown(signal) {
console.log(`${signal} received, starting graceful shutdown`);
isShuttingDown = true;
// Stop accepting new requests
server.close(() => {
console.log('HTTP server closed');
// Close database connections
mongoose.connection.close(false, () => {
console.log('MongoDB connection closed');
process.exit(0);
});
});
// Force shutdown after 30s
setTimeout(() => {
console.error('Forced shutdown after timeout');
process.exit(1);
}, 30000);
}
process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
process.on('SIGINT', () => gracefulShutdown('SIGINT'));
2. Crash Recovery Script:
#!/bin/bash
# monitor.sh
CONTAINER_NAME="myapp"
MAX_RESTARTS=10
RESTART_COUNT=0
while true; do
if ! docker ps | grep -q $CONTAINER_NAME; then
echo "Container $CONTAINER_NAME is not running"
if [ $RESTART_COUNT -lt $MAX_RESTARTS ]; then
echo "Restarting container (attempt $((RESTART_COUNT+1)))"
docker start $CONTAINER_NAME
RESTART_COUNT=$((RESTART_COUNT+1))
# Send alert
curl -X POST https://alerts.example.com/webhook \
-d "Container $CONTAINER_NAME restarted"
else
echo "Max restart attempts reached, sending critical alert"
# Send critical alert
exit 1
fi
fi
sleep 10
done
3. Monitor and Alert:
# docker-compose.monitoring.yml
version: '3.8'
services:
app:
image: myapp:latest
restart: unless-stopped
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
labels:
- "com.example.alert=true"
monitor:
image: google/cadvisor:latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
alertmanager:
image: prom/alertmanager:latest
volumes:
- ./alertmanager.yml:/etc/alertmanager/alertmanager.yml
4. Use Process Managers:
FROM node:18-alpine
# Install PM2
RUN npm install -g pm2
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
# PM2 with cluster mode
CMD ["pm2-runtime", "start", "ecosystem.config.js"]
// ecosystem.config.js
module.exports = {
apps: [{
name: 'api',
script: './server.js',
instances: 'max',
exec_mode: 'cluster',
max_restarts: 10,
min_uptime: '10s',
max_memory_restart: '1G',
error_file: '/dev/null',
out_file: '/dev/null',
merge_logs: true,
autorestart: true
}]
};
Conclusion and Interview Tips
Final Tips for Docker Interviews in 2026:
1. Demonstrate Practical Experience:
- Share real-world scenarios you’ve encountered
- Explain trade-offs you’ve made
- Discuss how you’ve optimized Docker in production
2. Security First:
- Always mention security best practices
- Discuss image scanning and vulnerability management
- Explain least privilege principles
3. Performance Awareness:
- Know image optimization techniques
- Understand resource management
- Explain monitoring and debugging approaches
4. Cloud-Native Mindset:
- Understand orchestration (Swarm vs Kubernetes)
- Know CI/CD integration patterns
- Discuss multi-cloud strategies
5. Stay Updated:
- Follow Docker blog and release notes
- Know the latest features (BuildKit, rootless, etc.)
- Understand industry trends
Common Follow-up Questions Interviewers Ask:
- “Have you used this in production?”
- “What challenges did you face?”
- “How would you scale this?”
- “What’s your monitoring strategy?”
- “How do you handle secrets?”
Resources for Further Learning:
- Docker Official Documentation
- Docker Mastery Course
- Kubernetes Documentation
- DevOps blogs and communities
- GitHub Actions marketplace
Key Takeaways:
- Fundamentals Matter: Know Docker architecture inside-out
- Security is Critical: Always implement best practices
- Optimization is Key: Small images, fast builds
- Monitoring is Essential: Know your containers’ health
- CI/CD Integration: Automate everything
- Cloud-Native: Understand orchestration
- Troubleshooting Skills: Know how to debug
- Best Practices: Follow industry standards
Good luck with your Docker interviews in 2026! Remember to demonstrate not just knowledge, but understanding of when and why to use specific Docker features and patterns.
