🟢 Easy (Basics)
1. What is Docker and why use it?
Docker is a platform to build, ship, and run applications in lightweight containers that share the host kernel but run in their own namespaces. Benefits: portability (the same image runs anywhere the runtime does), consistency between dev and prod, faster delivery, and process-level isolation (weaker than a VM, since the kernel is shared).
2. Image vs Container?
Image = read-only blueprint made of stacked layers, addressed by a content digest. Container = a running (or stopped) instance of an image with a thin writable layer on top; anything written there is lost when the container is removed unless it lands in a volume.
3. What is a Dockerfile?
A declarative recipe to build an image using instructions like FROM, COPY, RUN, CMD, ENTRYPOINT.
4. Basic lifecycle commands?
docker build, docker pull, docker run, docker ps, docker stop, docker rm, docker rmi.
5. What is Docker Hub / Registry?
A registry stores and serves images (manifests plus layer blobs) over HTTP. Docker Hub is the default public registry; you can also host private registries (Harbor, the open-source registry image, or a cloud provider's registry) to control who can push and pull.
🟡 Medium (Hands-on)
6. COPY vs ADD?
COPY copies files from the build context (or, with --from, from another stage). ADD additionally fetches remote URLs (without extracting them) and auto-extracts local tar archives. Prefer COPY for clarity and predictability: the URL fetch in ADD is not verified by checksum and the implicit tar extraction is easy to trigger by accident. If you need a remote file, use RUN with curl/wget and verify its hash.
7. CMD vs ENTRYPOINT?
ENTRYPOINT defines the executable; CMD provides default arguments. Combine them for flexible overrides: ENTRYPOINT ["app"] + CMD ["--flag"] runs app --flag by default, and docker run img --other replaces only CMD. Use the exec (JSON array) form so the process is PID 1 and receives signals directly; the shell form wraps it in /bin/sh -c. ENTRYPOINT itself can be overridden with docker run --entrypoint.
8. What are Docker volumes?
Persistent data storage that outlives the container's writable layer. Types: named volumes (managed by Docker under its data root), bind mounts (an arbitrary host path), and tmpfs (in-memory, never written to disk, useful for secrets and scratch data). Volumes decouple data from the container lifecycle.
9. Container networking modes?
bridge (default; private network with NAT to the host), host (shares the host's network namespace, so no network isolation and no port mapping), none (no network at all), overlay (multi-host network used by Swarm), macvlan (container gets its own MAC address and appears as a separate device on the physical L2 segment). Kubernetes does not use Docker's network drivers; it relies on CNI plugins instead.
10. Multi-stage builds?
Use multiple FROM stages to compile in one stage and copy only the artifacts (COPY --from=build) into a minimal runtime stage. The result is a smaller, safer image: compilers, package managers, and build-time dependencies never reach production, which shrinks the attack surface and the CVE list.
🔴 Hard (Advanced / Real-World)
11. How do Docker image layers and cache work?
Each instruction creates a layer (RUN, COPY, and ADD add filesystem layers; metadata instructions add empty ones). A layer is reused from cache when the instruction string is unchanged and, for COPY/ADD, the checksums of the copied files match; once one layer misses, every later layer is rebuilt. Put frequently changing steps later; group related RUN commands into one instruction; use --mount=type=cache in BuildKit for package-manager caches so they speed up builds without landing in any layer.
12. Security best practices?
- Use minimal base images (e.g., distroless, or alpine where its musl-based libc is acceptable).
- Run as non-root (set USER to a dedicated, unprivileged UID).
- Don't bake secrets into images (no ENV/ARG passwords, no copied key files); use a secrets store or BuildKit secret mounts.
- Regularly scan images (e.g., Trivy, Grype) and rebuild when the base image is patched.
- Pin versions and digests, and verify signatures (cosign / Notation from the Notary Project).
- Harden at run time: --cap-drop=ALL plus only the capabilities needed, --read-only root filesystem, --security-opt no-new-privileges, and never --privileged.
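The following Dockerfile is an added example (not code from the original page or from any project it mentions) that puts the points from questions 7, 10, 11, and 12 together: a multi-stage build for a Go service, BuildKit cache mounts, a distroless runtime stage, a non-root user, and the ENTRYPOINT/CMD split. The module layout (./cmd/app, go.mod, go.sum) and the listening port are assumptions. Base images are pinned by tag here so the example builds as written; for production, append @sha256:<digest> to each FROM line after resolving the digest with docker buildx imagetools inspect.

```dockerfile
# syntax=docker/dockerfile:1

# ---- build stage: owns the toolchain, is never shipped ----
# Assumed: a Go module at the build context root with ./cmd/app as the main package.
FROM golang:1.22-bookworm AS build
WORKDIR /src

# Dependency manifests first: this layer stays cached until go.mod/go.sum change,
# not on every source edit.
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod go mod download

# Source changes most often, so it is copied last in the build stage.
COPY . .

# Cache mounts persist the module and compiler caches across builds
# without writing them into any image layer.
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# ---- runtime stage: no shell, no package manager, no toolchain ----
FROM gcr.io/distroless/static-debian12:nonroot

# Only the compiled artifact crosses the stage boundary; 65532 is the
# distroless "nonroot" UID/GID, so the binary is owned by the user that runs it.
COPY --from=build --chown=65532:65532 /out/app /app

# The :nonroot tag already defaults to UID 65532; stating USER makes the intent
# explicit and survives a later change of base image.
USER 65532:65532

# Assumed port for the example service.
EXPOSE 8080

# ENTRYPOINT fixes the executable; CMD supplies overridable default arguments:
#   docker run img                  ->  /app --listen :8080
#   docker run img --listen :9090   ->  /app --listen :9090
ENTRYPOINT ["/app"]
CMD ["--listen", ":8080"]
```

Build it with docker build -t app:1.4.2 . (BuildKit is the default builder in current Docker releases). The runtime image contains only the static binary, CA certificates, and a passwd entry for the nonroot user, so there is no shell for docker exec and no package manager for a scanner to flag; debugging is done from a separate tooling image instead.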
13. Resource limits & isolation?
Configured via cgroups (limits) and namespaces (isolation). Use --cpus, --memory, --pids-limit to cap CPU time, RAM, and process count (the last one blocks fork bombs); namespaces provide PID, NET, IPC, MNT, UTS, and USER isolation. The USER namespace is the one that maps container root to an unprivileged host UID; enable it (or use rootless mode) on hosts that run untrusted images.
14. How do you pass secrets to containers?
Prefer runtime secret providers (Vault, AWS/GCP/Azure secret managers) or orchestrator secrets (Swarm or Kubernetes secrets mounted as files) over environment variables, which leak through docker inspect, /proc, and crash dumps. With BuildKit, use --secret for build-time credentials: the secret is mounted into a single RUN step under /run/secrets/<id> and is never written to a layer. Never pass secrets via ARG or ENV; both are visible in docker history.
15. .dockerignore purpose?
Excludes files from the build context, which shrinks the upload to the builder, reduces image size, improves cache hits, and prevents accidental COPY of sensitive files (e.g., .git, node_modules, .env, *.pem). Without it, COPY . . copies everything in the directory, secrets included.
16. Healthchecks?
Define with HEALTHCHECK in the Dockerfile or --health-cmd at run time; Docker then marks the container healthy, unhealthy, or starting, which Swarm and Compose use to decide on restarts and dependency ordering. Note that Kubernetes ignores Docker HEALTHCHECK and uses its own liveness/readiness probes.
17. Compose vs Swarm vs Kubernetes?
Compose: multi-container apps on a single host, mainly for local dev and CI; Swarm: simple built-in clustering and orchestration; Kubernetes: full-featured orchestration at scale (scheduling, autoscaling, RBAC, network policy).
18. Debugging/troubleshooting toolkit?
docker logs, docker exec -it, docker inspect, docker events, network checks (docker network ls/inspect), and minimal debug images (e.g., busybox) for containers that ship without a shell.
19. Reproducible & small images tips?
Pin versions and digests; clean the apt/apk cache in the same RUN that installs packages (rm -rf /var/lib/apt/lists/*) so it never lands in a layer; use multi-stage builds; remove build dependencies from the runtime stage; merge related RUN steps into one layer; prefer COPY --chown to set ownership at copy time instead of a separate RUN chown, which would duplicate the files in a new layer.
20. CI/CD with Docker best practices?
- Build once, tag immutably (app:1.4.2 plus the git SHA), push to the registry, and record the resulting digest.
- Scan images in the pipeline; fail the build on high/critical CVEs.
- Use BuildKit (the default builder in current Docker; DOCKER_BUILDKIT=1 on older releases) and buildx for multi-arch builds.
- Promote the same image across environments by retagging the digest (dev → qa → prod); never rebuild per environment.
21. Layer ordering for caching?
Place volatile steps (source copy, and dependency installs whose lockfile changes) later. Copy the lockfile/manifest (package-lock.json, go.sum, requirements.txt) before the rest of the source and install dependencies from it, so the install layer is reused until the lockfile itself changes.
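This second Dockerfile is an added example (not from the original page or any project it describes) covering questions 14, 16, 19, and 21 together: a BuildKit secret mounted for a single pip install, a HEALTHCHECK, apt cache hygiene with a non-root user created before COPY --chown, and the lockfile-before-source layer order. The Python package name (myapp), the /healthz endpoint, port 8000, and the private index URL format are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
FROM python:3.12-slim-bookworm

# Install only what the runtime needs (curl is used by the HEALTHCHECK below) and
# remove the apt lists in the same RUN so they never end up in a layer.
RUN apt-get update \
    && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*

# Create an unprivileged user up front so later COPY --chown can target its UID.
RUN useradd --create-home --uid 10001 --shell /usr/sbin/nologin app
WORKDIR /app

# Dependency manifest first: this layer is cached until requirements.txt changes.
COPY --chown=10001:10001 requirements.txt ./

# The BuildKit secret exists only for this RUN, as a file under /run/secrets/.
# Nothing from it is written to a layer or shown by `docker history`.
# Assumed: the secret file holds a private index URL that embeds a token,
# e.g. https://TOKEN@pypi.example.internal/simple
RUN --mount=type=secret,id=pip_index \
    PIP_INDEX_URL="$(cat /run/secrets/pip_index)" \
    pip install --no-cache-dir -r requirements.txt

# Application source last: it changes most often.
COPY --chown=10001:10001 . .

USER 10001:10001
EXPOSE 8000

# Docker reports healthy/unhealthy from this probe; --start-period gives the app
# time to boot before failures count. Assumed endpoint: GET /healthz.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
    CMD curl -fsS http://127.0.0.1:8000/healthz || exit 1

# Assumed entry point of the application package.
ENTRYPOINT ["python", "-m", "myapp"]
```

Build with docker build --secret id=pip_index,src=./.pip_index_url -t myapp:1.4.2 . and keep .pip_index_url listed in .dockerignore so it is never copied by COPY . . either. After docker run, docker ps shows the health state in the STATUS column and docker inspect exposes the last probe output under State.Health.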
22. Bind mounts vs named volumes?
Bind mounts map host paths into the container (convenient for dev, but host-dependent, and a writable bind mount of a sensitive path such as the Docker socket hands the container control of the host). Named volumes are managed by Docker (portable, initialized from image contents on first use, safer defaults for prod data).
23. Private registries & auth?
Use docker login with short-lived tokens, a credential helper (so tokens are stored in the OS keychain rather than in plain text in ~/.docker/config.json), or orchestrator pull secrets; restrict push/pull by namespace or repository; enable image signing and verify signatures on pull.
24. Immutable vs latest tag problems?
Avoid the mutable latest tag in prod: it can point at a different image tomorrow, so two nodes may run different code and rollbacks become guesswork. Use immutable digests (image@sha256:…) or versioned tags that are never re-pushed, to ensure deterministic deploys.
25. When to use rootless Docker?
To reduce privilege on shared hosts and CI runners: the daemon and containers run as an unprivileged user, so a container breakout yields that user, not root. Trade-offs: some networking and storage features differ (no privileged ports below 1024 without extra setup, slower networking via slirp4netns, limited storage drivers), but it is a good hardening measure wherever those limits are acceptable.