Docker Interview Questions and Answers (2022)

They are executable packages(bundled with application code & dependencies, software packages, etc.) for the purpose of creating containers. Docker images can be deployed to any docker environment and the containers can be spun up there to run the application.

A container is a standard unit of software bundled with dependencies so that applications can be deployed fast and reliably b/w different computing platforms.

• Docker can be visualized as a big ship (docker) carrying huge boxes of products (containers).
• Docker container doesn’t require the installation of a separate operating system. Docker just relies or makes use of the kernel’s resources and its functionality to allocate them for the CPU and memory it relies on the kernel’s functionality and uses resource isolation for CPU and memory, and separate namespaces to isolate the application’s view of the OS (operating system).

• CMD command provides executable defaults for an executing container. In case the executable has to be omitted then the usage of ENTRYPOINT instruction along with the JSON array format has to be incorporated.
• ENTRYPOINT specifies that the instruction within it will always be run when the container starts. This command provides an option to configure the parameters and the executables. If the DockerFile does not have this command, then it would still get inherited from the base image mentioned in the FROM instruction. The most commonly used ENTRYPOINT is /bin/sh or /bin/bash for most of the base images.
• As part of good practices, every DockerFile should have at least one of these two commands.

The command gets detailed information about Docker installed on the host system. The information can be like what is the number of containers or images and in what state they are running and hardware specifications like total memory allocated, speed of the processor, kernel version, etc.

Yes, it is possible only while using certain docker-defined policies while using the docker run command. Following are the available policies:

1. Off: In this, the container won’t be restarted in case it's stopped or it fails.
2. On-failure: Here, the container restarts by itself only when it experiences failures not associated with the user.
3. Unless-stopped: Using this policy, ensures that a container can restart only when the command is executed to stop it by the user.
4. Always: Irrespective of the failure or stopping, the container always gets restarted in this type of policy.

These policies can be used as: docker run -dit — restart [restart-policy-value] [container_name]

• FROM: This is used to set the base image for upcoming instructions. A docker file is considered to be valid if it starts with the FROM instruction.
• LABEL: This is used for the image organization based on projects, modules, or licensing. It also helps in automation as we specify a key-value pair while defining a label that can be later accessed and handled programmatically.
• RUN: This command is used to execute instructions following it on the top of the current image in a new layer. Note that with each RUN command execution, we add layers on top of the image and then use that in subsequent steps.
• CMD: This command is used to provide default values of an executing container. In cases of multiple CMD commands the last instruction would be considered.

There is no clearly defined limit to the number of containers that can be run within docker. But it all depends on the limitations - more specifically hardware restrictions. The size of the app and the CPU resources available are 2 important factors influencing this limit. In case your application is not very big and you have abundant CPU resources, then we can run a huge number of containers.

A Virtual machine monitor, known as Hypervisor, is software to create and run virtual machines. It allows a single host computer to support more than one guest VMs. This is done by sharing resources like memory, processing, etc., thus reducing the memory, space, and maintenance requirements. There are two types of hypervisor:

• Type I: it is like a lightweight operating system that runs on the host's hardware.
• Type II: runs like software programs on an operating system.

You could grep and cut or awk the output of “docker inspect” but it requires complex shell scripting. A better option is to parse JSON from the Shell using JQ package

$ docker inspect| jq

No, any data that your application writes to disk get stored in container. The file system for the contain persists even after the container halts.

Ways to achieve this when developing your applications. One is to add logic to your application to store files on a cloud object storage system like Amazon S3. Another is to create volumes with a driver that supports writing files to an external storage system like NFS or Amazon S3.

Volume drivers allow you to abstract the underlying storage system from the application logic. For example, if your services use a volume with an NFS driver, you can update the services to use a different driver, as an example to store data in the cloud, without changing the application logic.

You cannot remove a paused container. The container has to be in the stopped state before it can be removed.

A Docker Image is a group of files and an amalgamation of parameters that allow the creation of instances that run in distinct containers as isolated processes. An image is basically built using the instructions for a complete and executable version of an application, which relies on the host OS kernel. The Docker run command can be used to create the instance called container which can be run using the Docker image. When the Docker user runs an image, it becomes one or multiple instances of that container.

The concept behind stateful applications is that they store their data onto the local file system. You need to decide to move the application to another machine, retrieving data becomes painful. I honestly would not prefer running stateful applications on Docker.

Yes. YAML is a superset of json so any JSON file should be valid Yaml.

We cannot change an already existing image directly. We first create a new container using the image, and then we make the required changes in the container. Thereafter, we transform the changes into a new layer. We then create a new image by stacking the new layer on top of the old image.

Everything starts with the Dockerfile. The Dockerfile is the source code of the Image. Once the Dockerfile is created, you build it to create the image of the container. The image is just the "compiled version" of the "source code" which is the Dockerfile.

Once you have the image of the container, you should redistribute it using the registry. The registry is like a git repository -- you can push and pull images.

Next, you can use the image to run containers. A running container is very similar, in many aspects, to a virtual machine (but without the hypervisor).

A Dockerfile is a simple text file that contains the commands a user could call to assemble an image whereas Docker Compose is a tool for defining and running multi-container Docker applications. Docker Compose define the services that make up your app in docker-compose.yml so they can be run together in an isolated environment. It get an app running in one command by just running docker-compose up.

Docker compose uses the Dockerfile if one add the build command to your project's docker-compose.yml. Your Docker workflow should be to build a suitable Dockerfile for each image you wish to create, then use compose to assemble the images using the build command.

It contains container, images, and Docker daemon. It offers a complete environment to execute and run your application.

When you have to manage large and dynamic environments, the docker command alone does not suffice. You will face many problems automating scaling and health checks for containers. In this case, software teams use container orchestration tools like Kubernetes. Such software enables another level of automation:

• Deploy or scale your containers easily, securely, and with high availability
• Provide a service (internally or externally) from a container group
• Move your containers from one host to another when there’s a host-specific problem
• Manage your configuration data—like environment variables—easily

Similar to a .gitignore file, we also have a Dockerignore files which allows you to mention a list of files and/or directories which you might want to ignore while building the image. This would definitely reduce the size of the image and also help to speed up the docker build process.

With standard virtualization using a hypervisor like vSphere, an operating system is necessary for each app. A host operating system is at the bottom of your infrastructure, and a hypervisor has to be installed on your host OS. Then on top of the hypervisor, you install operating systems for each of your applications.

With Docker, the Docker daemon sits between your host operating system and your Docker images, in place of a hypervisor. Docker images reuse parts of the host operating system—thus a separate OS is not necessary for each app—but your apps are still isolated like they would be with a standard hypervisor.

Docker stores logs at both daemon level and container level so that developers can debug issues once they occur

Logging at Daemon Level has four levels of logging namely Debug, Info, Errors and Fatal. Debug carries all daemon process proceedings. Info carries all other information including some errors during the daemon process. Errors include errors that happened during the daemon process. Fatal contains all the fatal errors that happened during the daemon process.

To monitor Docker in production, tools such as Docker stats and Docker events are available. Through these tools, one can get reports on important statistics. Once Docker stats are called with a container ID, it returns the container's CPU and memory usage. It is similar to the top command in Linux. On the other hand, Docker Events are commands to see a list of activities in process in Docker Daemon. Some of these events are attached, commit, rename, destroy, die and more. One also has the option to filter the events they are interested in.

This is done through the use of docker-compose. With Docker Compose, we can use a YAML file to configure the application's services. After this, with a single command, all the services can be created and started. To use Compose, follow the below steps:

• Define the app environment in the Dockerfile so that it can be replicated anywhere
• Define all the services of your application in the docker-compose.yml file.;
• Run docker-compose up to create and start the entire app.

We have to map ports in Docker for variety of reasons:

• We are out of IPv4 addresses
• Containers cannot have public IPv4 addresses
• They have private addresses
• Services have to be exposed port by port
• Ports have to be mapped to avoid conflicts

You might choose private Docker registries rather than Docker Hub or any cloud provider’s registry. This might take the form of deploying a Docker registry server, or perhaps a third-party on-premise registry server like Nexus.

When you want to connect these private registries, your registry should be secured with an SSL certificate in accordance with best practices.

You can also elect to use a private registry insecurely if you want to use self-signed SSL certificates—note, this should only be done for testing purposes. To do this, add your private test registry to an array as the value for the "insecure-registries" key in your daemon.json config file.

We can terminate a detached container using two ways. First, we can kill it using the docker kill command. Second, we can stop it using the docker stop command. The docker kill command stops the container immediately by using the SIGKILL signal. The docker stop command sends a SIGTERM signal, waits for 10 seconds to let the container stop and then sends the SIGKILL signal.

It’s a command used to remove all stopped containers, unused networks, build caches, and dangling images. Prune is one of the most useful commands in Docker. The syntax is: $ docker system prune

A namespace is one of the Linux features and an important concept of containers. Namespace adds a layer of isolation in containers. Docker provides various namespaces in order to stay portable and not affect the underlying host system. Few namespace types supported by Docker — PID, Mount, IPC, User, Network

There are two ways i.e. explicit and implicit. We can download image explicitly using command ‘docker pull’. Implicitly, when we execute ‘docker run’ then Docker daemon searches the image locally and if not found, it downloads the image.

Yes, you can run multiple processes inside Docker container however this approach is discouraged for most use cases.It is generally recommended that you separate areas of concern by using one service per container. For maximum efficiency and isolation, each container should address one specific area of concern. However, if you need to run multiple services within a single container, you can try using tools like Supervisor. Supervisor is a moderately heavy-weight approach that requires you to package supervisord and its configuration in your image (or base your image on one that includes supervisord), along with the different applications it manages. Then you start supervisord, which manages your processes for you.

You can use a combination of Rest API, socket.IO, and TCP to facilitate communication.

The best way to assign a database password to a container is using ENV variable.

A memory-swap flag is a modifier flag that allows a container to write excess memory requirements into a disk when it has used all the available RAM. It is set only when the --memory flag is set. Example, if memory = "400m" and memory-swap = "1g", then the container can use 400m of memory and swap of 600m (1g-400m).

We can integrate containers in your network using any one (or a combination) of the following.

• Start the container and let Docker allocate a public port for it. Thereafter, find that port number and plug it in your configuration.
• Pick a fixed port number in advance at the time of your configuration generation. After that, you can start your container by setting the port numbers manually.
• Use an overlay network and connect your containers with VLANs or tunnels etc.

Copy on write or COW is a mechanism to share and copy files to maximize efficiency. Each docker image is a set of read only layers with a thin read write layer at the top of the image stack. So for a file placed at the lower layer in the image stack, the layer (including the writable layer) lying above it, if it needs read access to it, it just uses the existing file. Whenever another layer needs to modify the file (when building the image or running the container), the file is copied into that layer and modified. This minimizes input/output flow and reduces the size of each of the subsequent layers.

This is a trick question. SIGKILL cannot be intercepted, and will terminate the container with brute force and outputs its container id on the console.

Virtualization is a method of logically dividing mainframes to allow multiple applications to run simultaneously.

However, this scenario changed when companies and open source communities were able to offer a method of handling privileged instructions. It allows multiple OS to run simultaneously on a single x86 based system.

It is achieved using 3rd party tools. First you need to deploy a key/value store such as Consul or Zookeeper. Then you need to add two extra flags to your Docker Engine which would enable you to create networks using the overlay driver.

The moment you create a network on one host with the overlay driver, it will appear automatically on all other hosts. Containers under same network are able to resolve and ping in same way as local.

The overlay network is based on VXLAN technology and store neighbor info in a key/value store.

The different states of the Docker container are:

• Created - a container that is created but not active.
• Restarting - a container that is in the process of getting restarted.
• Running - running container.
• Paused - container whose processes are paused.
• Exited - a container that ran and completed.
• Dead - a container that the daemon tried and failed to stop.

The Docker containers can be scaled to any level starting from a few hundred to even thousands or millions of containers. The only condition for this is that the containers need the memory and the OS at all times, and there should not be a constraint when the Docker is getting scaled.

‘docker run’ and ‘docker create’ both is used for container creation but the end result is different. ‘docker create’ creates the container in a ‘stopped’ state and it stores and output container ID for use later. ‘docker run’ creates and simultaneously execute the container.

Docker Architecture consists of a Docker Engine which is a client-server application with three major components:

• A server which is a type of long-running program called a daemon process (the docker command).
• A REST API which specifies interfaces that programs can use to talk to the daemon and instruct it what to do.
• A command line interface (CLI) client (the docker command).
• The CLI uses the Docker REST API to control or interact with the Docker daemon through scripting or direct CLI commands. Many other Docker applications use the underlying API and CLI.

Virtualization can be defined as a process by which we create a virtual, software-based version of anything such as servers, computer storage, applications, etc. It can be done with just a physical single hardware system. A software named Hypervisor comes in use to split a single system into various different sections. These split sections, in turn, work like a distinct, separate individual system.

Labels are the mechanism for applying metadata to Docker objects such as containers, images, local daemons, networks, volumes, and nodes.

Docker states and Docker Events are used to monitoring docker in the production environment.

You need make the following changes to your compose file before migrating your application to the production environment:

• Removing volume bindings, so the code stays inside the container and cannot be changed from outside the container.
• Binding to different ports on the host.
• Specify a restart policy
• Add extra services like log aggregator

Post Docker Engine 1.9 release, orphaned volumes i.e. volumes would be orphaned when the last container referencing them is destroyed, can be listed with “docker volume ls” and mounted to containers with -v.

Please note that Docker system does not take care of logging, monitoring, and taking backup of your volumes. It is the onus of developer to carry out these activities.

Docker Swarm is native gathering for docker which helps you to a group of Docker hosts into a single and virtual docker host. It offers the standard docker application program interface.

In terms of networking, a bridge network is a Link Layer device which forwards traffic between network segments. A bridge can be a hardware device or a software device running within a host machine’s kernel.

In terms of Docker, a bridge network uses a software bridge which allows containers connected to the same bridge network to communicate, while providing isolation from containers which are not connected to that bridge network. The Docker bridge driver automatically installs rules in the host machine so that containers on different bridge networks cannot communicate directly with each other.

The place where all Docker Images are stored is known as the Docker Registry. The Docker Hub is a public registry which is the default storage for these images. Another public registry is Docker Cloud. The Docker Hub is the most significant public storehouse of the image containers, consistently maintained by a large number of developers, along with many individual contributors.

While using docker service with multiple containers across different hosts, you come across the need to load balance the incoming traffic. Load balancing and HAProxy is basically used to balance the incoming traffic across different available(healthy) containers. If one container crashes, another container should automatically start running and the traffic should be re-routed to this new running container. Load balancing and HAProxy works around this concept.

In a Dockerfile, both CMD and ENTRYPOINT instructions define which command will be executed while running a container. For their cooperation, there are some rules, such as:

• The Dockerfile should specify at least one command from CMD or ENTRYPOINT
• While using the container as an executable, ENTRYPOINT needs to be defined
• When running the container with an alternative argument, CMD will be overridden

Docker registries provide locations for storing and downloading images. There are two types of registries

• Public registry
• Private registry Public registries include Docker Hub and Docker Cloud.

If the objects on the file system that Docker is about to produce are unchanged between builds, reusing a cache of a previous build on the host is a great time-saver. It makes building a new container really, really fast. None of those file structures have to be created and written to disk this time — the reference to them is sufficient to locate and reuse the previously built structures.

Docker containers are very easy to deploy in any cloud platform. It can get more applications running on the same hardware when compared to other technologies, it makes it easy for developers to quickly create, ready-to-run containerized applications and it makes managing and deploying applications much easier. You can even share containers with your applications.

A docker-compose stop will attempt to stop a specific Docker container by sending a SIGTERM message. Once this message is delivered, it waits for the default timeout period of 10 seconds and once the timeout period is crossed, it then sends out a SIGKILL message to the container – in order to kill it forcefully. If you are actually waiting for the timeout period, then it means that the containers are not shutting down on receiving SIGTERM signals/messages.

Containers provide an isolated environment for running the application. The entire user space is explicitly dedicated to the application. Any changes made inside the container is never reflected on the host or even other containers running on the same host. Containers are an abstraction of the application layer. Each container is a different application.

In Virtualization, hypervisors provide an entire virtual machine to the guest(including Kernal). Virtual machines are an abstraction of the hardware layer. Each VM is a physical machine.

The different stages of the docker container from the start of creating it to its end are called the docker container life cycle. The most important stages are:

• Created: This is the state where the container has just been created new but not started yet.
• Running: In this state, the container would be running with all its associated processes.
• Paused: This state happens when the running container has been paused.
• Stopped: This state happens when the running container has been stopped.
• Deleted: In this, the container is in a dead state.