Prev Next

API / Docker Interview questions contd.

1. Explain the different types of Docker Networks.

Docker provides several network drivers to handle container communication:

  • Bridge (Default): Used for containers running on the same Docker host. It provides a private internal network.
  • Host: Removes network isolation. The container shares the host's networking stack directly (e.g., a container on port 80 uses the host's port 80).
  • Overlay: Enables communication between containers running on different physical Docker hosts (essential for Docker Swarm).
  • Macvlan: Assigns a MAC address to a container, making it appear as a physical device on your network.
  • None: Disables all networking for the container.

2. Explain the Docker Architecture.

Docker uses a client-server architecture. The Docker Client talks to the Docker Daemon (dockerd), which does the heavy lifting of building, running, and distributing your Docker containers. They communicate via a REST API, over UNIX sockets, or a network interface.

3. What are Docker Namespaces?

Namespaces provide a layer of isolation for containers. When you run a container, Docker creates a set of namespaces for that container, ensuring that it cannot see or affect processes, network interfaces, or file systems outside of its designated environment. Key namespaces include:

  • pid: Process isolation.
  • net: Managing network interfaces.
  • ipc: Managing access to IPC resources.
  • mnt: Managing filesystem mount points.
  • uts: Isolating kernel and version identifiers.

4. What is the purpose of the 'EXPOSE' instruction in a Dockerfile?

The EXPOSE instruction informs Docker that the container listens on the specified network ports at runtime. However, it does not actually publish the port. It functions as a type of documentation between the person who builds the image and the person who runs the container. To actually map the port, you must use the -p flag during docker run.

5. Explain the difference between COPY and ADD instructions.

Both instructions serve the purpose of adding files to an image, but they have different capabilities:

  • COPY: Supports basic copying of local files from the build context into the container.
  • ADD: Has additional features, such as the ability to extract local tar files automatically into the container and the ability to download files from remote URLs.

Generally, COPY is preferred for its transparency and simplicity.

6. What is a Multi-stage build and why is it useful?

Multi-stage builds allow you to use multiple FROM statements in a single Dockerfile. Each FROM instruction begins a new stage of the build. You can selectively copy artifacts from one stage to another, leaving behind everything you donÂ’t want in the final image.

Benefit: It significantly reduces the size of the final production image by excluding build-time dependencies (like compilers or build tools).

7. How do you share data between containers?

The most common way to share data is by using Docker Volumes. Volumes are stored in a part of the host filesystem which is managed by Docker. You can mount the same volume into multiple containers simultaneously, allowing them to read and write to the same persistent storage.

8. What is the Docker Registry?

A Docker Registry is a storage and distribution system for named Docker images. The same image might have multiple different versions, identified by their tags. Docker Hub is the default public registry, but organizations often host private registries (like Amazon ECR or Google Container Registry) for security and speed.

9. What is the difference between 'docker run' and 'docker create'?

docker create creates a new container from a specified image but does not start it. It prepares the container's file system and settings. docker run is a combination of docker create and docker start; it creates the container and immediately executes the entrypoint process.

10. What is "Dangling" image in Docker?

A dangling image is an image that is no longer tagged and is not referenced by any container. They usually occur when you build a new version of an image with the same tag as an existing image. The old image becomes "untagged." You can clean these up using the docker image prune command.

11. What is the difference between a Volume and a Bind Mount?

While both are used for data persistence, they differ in how they are managed:

Feature Volume Bind Mount
Management Managed by Docker (stored in /var/lib/docker/volumes). Managed by the Host OS (can be anywhere).
Portability High; easy to back up or migrate. Low; depends on the host's specific directory structure.
Performance High on both Linux and Windows. Can have overhead on non-Linux hosts.

12. How does Docker's Layer Caching work during a build?

When building an image, Docker executes instructions in a Dockerfile top-to-bottom. Each instruction creates a new layer. Docker "caches" these layers. If you change a line in the Dockerfile, Docker will reuse the cached layers for all previous lines but will rebuild the changed line and all subsequent lines. This is why it is a best practice to put frequently changing instructions (like COPY . .) at the end of the Dockerfile.

13. What are 'cgroups' and what is their role in Docker?

Control Groups (cgroups) are a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network) of a collection of processes. Docker uses cgroups to ensure that one container doesn't consume all the host's resources, which prevents "noisy neighbor" issues.

14. What is the difference between CMD and ENTRYPOINT?

Both define the command that runs when a container starts, but they behave differently:

  • ENTRYPOINT: Sets the main executable for the container. It is not easily overridden by command-line arguments.
  • CMD: Provides default arguments for the ENTRYPOINT or sets a default command. It can be easily overridden by passing arguments to docker run.

Example: If ENTRYPOINT is ["ls"] and CMD is ["-l"], the container runs ls -l. If you run docker run image -a, it executes ls -a.

15. How do you secure a Docker environment?

Key security best practices include:

  • Run as Non-Root: Use the USER instruction in the Dockerfile to avoid running processes with root privileges.
  • Use Official Images: Only pull images from trusted sources or verified publishers.
  • Scan for Vulnerabilities: Use tools like docker scan or Snyk to find security holes in your layers.
  • Limit Resources: Use flags like --memory and --cpus to prevent DoS attacks via resource exhaustion.
  • Docker Content Trust (DCT): Enable DCT to ensure you only run signed and verified images.

16. What is the purpose of 'docker-compose'?

Docker Compose is a tool for defining and running multi-container Docker applications. It uses a YAML file to configure your application's services. With a single command (docker-compose up), you can create and start all the services from your configuration, including networks and volumes.

17. How do you troubleshoot a container that keeps crashing?

The standard workflow for debugging a failing container is:

  1. Check Logs: docker logs [container_id] to see stdout/stderr.
  2. Inspect State: docker inspect [container_id] to check exit codes and health status.
  3. Interactive Shell: If the container stays up long enough, use docker exec -it [container_id] /bin/sh.
  4. Check Events: docker events to see real-time daemon activity.

18. What are Docker Secrets?

Docker Secrets (primarily used in Swarm mode) allow you to securely store sensitive data like passwords, SSH private keys, and SSL certificates. Unlike environment variables, secrets are encrypted during transit and at rest, and are only accessible to the specific services granted permission to see them.

19. Explain 'Docker Content Trust' (DCT).

Docker Content Trust (DCT) allows developers to sign their images before pushing them to a registry. When DCT is enabled (export DOCKER_CONTENT_TRUST=1), the Docker client will only pull or run images that have a valid digital signature. This prevents users from accidentally running tampered or malicious images.

«
»
Vault interview questions

Comments & Discussions