Production-tested. Partner links.
🛸 Proton VPN – Encrypted tunnel
🔐 Proton Pass – Zero-knowledge vault
🦑 GitKraken Pro – Visual Git client
🐧 Linux Foundation – Code: DEVOPSPINK
10 Docker Interview Questions & Answers for DevOps & Cloud Engineers
By Tatiana Mikhaleva · Developer Advocate · Docker Captain · IBM Champion
Prepping for a Cloud or DevOps Engineer interview in 2025? Then you already know Docker is going to show up. It always does. Every single time.
So here are 10 questions you’ll probably get asked, plus how to answer each one without sweating through your shirt. Let’s get you ready, queen. 💪
First, A Quick Refresher: What Is Docker?
Docker is a platform that runs your apps inside isolated little boxes called containers.
The magic part? A container behaves the same no matter where it runs. Your laptop, a test server, production, doesn’t matter. None of that “but it worked on my machine” drama. 😅
And in actual DevOps work, you’ll find it pretty much everywhere: app development, testing, CI/CD pipelines, cloud deployments. The whole pipeline, really.
Question 1: What’s the difference between an image and a container? And what happens if you delete the image?
Okay so think of a Docker image as a frozen recipe for your app. It packs everything the app needs to run, code, libraries, environment settings, all of it.
A container is what shows up when Docker actually cooks that recipe. The recipe becomes a real dish, sizzling on the stove. 🍳
The image stays read-only and you can reuse it as many times as you want. The container, on the other hand, gets its own writable layer and runs as an isolated process. Here’s the fun bit interviewers love: delete the image while the container is already running, and the container just… keeps going. It doesn’t care, because the image already lives in memory.
But stop that container and try to start it back up? Now Docker goes looking for the image, can’t find it, and the restart fails. Womp.
🚀 Pro Tip:
Tag your images properly (my-app:latest, my-app:v1.2) and regularly prune unused ones — but avoid deleting images used by running containers.
Question 2: What actually happens when you run docker run?
When I run docker run, the first thing Docker does is check whether the image is sitting on my machine already.
Nope? Then it pulls the image down from a registry like Docker Hub. After that it spins up a container, which is basically an isolated process with its very own filesystem, networking, and slice of resources.
The isolation itself comes from Linux namespaces and cgroups. That’s the secret sauce.
Then, last step, it fires off whatever default command the image was built to run.
📌 Example:
Running docker run nginx pulls the nginx image (if it’s not local), creates a container, and starts the Nginx server inside that isolated environment.
🚀 Pro Tip:
Use --rm with docker run to automatically clean up the container after it exits — so your system doesn’t get cluttered with stopped containers.
Question 3: COPY vs ADD — what’s the difference, and when would you use each?
Both COPY and ADD move files into your image. So far, twins.
COPYsimply copies files and folders — no surprises.ADDdoes more: it can unpack compressed files like.tar.gzand download files from URLs.
That “extra” behavior from ADD is exactly why I keep my distance. It does things you didn’t always ask for, which makes Dockerfiles harder to read. I reach for COPY by default, and only bring in ADD when I genuinely need one of those tricks.
📌 Example:
# PreferredCOPY ./app /app
# Only if needed (auto-extracts)ADD archive.tar.gz /app/🚀 Pro Tip:
Simplicity is security — prefer COPY unless you have a very good reason.
Question 4: What’s a multi-stage build, and when would you use it?
A multi-stage build just means you’ve got more than one FROM in your Dockerfile. Sounds fancy. It’s not, I promise.
- The first stage does heavy work — installing dependencies, building code.
- The final stage copies only the necessary artifacts into a clean, minimal base image.
The payoff is a lean image. All those build tools and temp files that production never needed? Gone. Left behind in the first stage where they belong.
📌 Example:
# Stage 1 — buildFROM node:20 AS builderWORKDIR /appCOPY package*.json ./RUN npm ciCOPY . .RUN npm run build
# Stage 2 — productionFROM node:20-slimWORKDIR /appCOPY --from=builder /app/dist ./distCOPY --from=builder /app/node_modules ./node_modulesCOPY --from=builder /app/package.json ./CMD ["node", "dist/index.js"]🚀 Pro Tip:
Smaller images = faster deployments + fewer vulnerabilities.
Question 5: CMD vs ENTRYPOINT — how do they work together?
ENTRYPOINT is the thing that runs. Your main executable. The star of the show.
CMD hands it the default arguments.
Now the part people trip on. When you call docker run and pass your own arguments, those override CMD. ENTRYPOINT stays put.
Put them together and you’ve got a sensible default that you can still bend at runtime. Best of both, honestly.
📌 Example:
FROM nginx:1.28.0-alpine-slim
ENTRYPOINT ["nginx"]CMD ["-g", "daemon off;"]🚀 Pro Tip:
Want full control at runtime? Use only CMD — and leave out ENTRYPOINT.
Question 6: Volumes vs Bind Mounts — which would you use in production, and why?
For production, I go with Docker-managed volumes every time. They stay tucked away from the host OS, they’re easy to back up, and they hold up nicely over the long haul.
Bind mounts lean on specific host paths. That makes them brittle, and very tied to one machine’s setup. They shine for local dev, though. Just keep them out of production, sis.
📌 Example:
services: db: image: postgres volumes: - pg-data:/var/lib/postgresql/data
volumes: pg-data:🚀 Pro Tip:
Volumes are portable, reliable, and more future-proof across hosts and clusters.
Question 7: How does networking between containers work?
Out of the box, Docker drops your containers onto a bridge network and hands each one a private IP.
Catch is, on that default network they can only find each other by IP. Not great. The fix is a user-defined bridge network.
On a user-defined bridge, containers can talk to each other by name. Suddenly service discovery just works, and your life gets so much easier. 💕
📌 Example:
services: app: image: my-app environment: DB_HOST: db DB_USER: appuser DB_PASSWORD: secret networks: - app-net
db: image: postgres environment: POSTGRES_DB: mydb POSTGRES_USER: appuser POSTGRES_PASSWORD: secret networks: - app-net
networks: app-net:🚀 Pro Tip:
Always use user-defined networks — the default bridge network doesn’t support automatic name-based discovery and can lead to frustrating connection issues.
Question 8: How do you reduce Docker image size, and why should you care?
Smaller images build faster, deploy faster, and give attackers way less to chew on. Win, win, win.
- I start with a minimal base image — like
alpine:3.21.3,python:3.12-slim-bookworm, ornode:20.13.1-alpine. - I combine RUN instructions to reduce layers, and clean up any temp files or caches.
- I always use a
.dockerignorefile to exclude things like.git,node_modules, and test data.
And when a build gets gnarly, multi-stage is my go-to. It keeps the build tools out of the final runtime, which is exactly where the bloat usually hides.
📌 Example:
A Node.js app image can shrink from 1.2 GB to under 200 MB by switching to node:20.13.1-alpine and cleaning up properly.
🚀 Pro Tip:
Smaller images = faster pipelines, quicker deploys, and fewer security issues.
Question 9: What is BuildKit, and why use it?
BuildKit is Docker’s modern build engine, and it’s a serious step up for performance, security, and flexibility.
It runs independent build steps in parallel, caches way more cleverly, and handles secrets safely while building. It’ll also do multi-platform builds and manage storage efficiently. Lots packed in there.
Good news for most of us: on recent Docker versions BuildKit is already on by default, so there’s nothing to set up. Stuck on something older? You can still switch it on with DOCKER_BUILDKIT=1, or by tweaking the Docker daemon config.
📌 Example:
With BuildKit, multi-stage builds can run steps in parallel, reducing build times significantly.
🚀 Pro Tip:
Lean on BuildKit for builds that are faster, safer, and a whole lot more efficient.
Question 10: How do you handle sensitive data (like secrets) in Docker?
Hardcoding secrets into Dockerfiles or images? Never. Not once. Don’t do it, darling.
For local runs I pass secrets in as environment variables, either inline or through a .env file. And if I use a .env file, it goes straight into .dockerignore so it never sneaks into the image by accident.
In production it’s a different game. I lean on proper secret managers, HashiCorp Vault, AWS Secrets Manager, or Kubernetes Secrets, and let them inject the secrets at runtime.
The rule is simple. Secrets live outside the image, never baked inside it.
📌 Example:
Pass database passwords using environment variables in staging, and HashiCorp Vault in production.
🚀 Pro Tip:
Good secret management = safer deployments and easier key rotations.
Thanks for reading! Be sure to watch the video version for extra insights and helpful visuals.
Related Posts
- 1How to Secure AI Agents in Production: IBM's Six-Phase FrameworkDevOps & Cloud · Teams secure AI agents like normal software, and production breaks. Here's IBM and Anthropic's six-phase framework for securing them, phase by phase.
- 2Your AI Agent Doesn't Need a Better Prompt. It Needs a CeilingDevOps & Cloud · A prompt is not a security control. It's a wish. The Vault → Sentinel → MCP → ADLC → watsonx Orchestrate stack that gives AI agents a hard ceiling — and why IBM consolidating HashiCorp made the whole thing boring, in the best possible way.
- 3CNCF Q1 2026 Report — Why Feature Flagging Is the Hidden Gateway to Cloud Native MaturityDevOps & Cloud · CNCF Q1 2026 cloud native report analysis. Why feature flagging is the bridge from mainstream to advanced engineering practice, with exclusive commentary from the report's author.
- 4AI SRE Joined My On-Call — A Beginner-Friendly Walkthrough of RootlyDevOps & Cloud · What an AI SRE actually does on call. A hands-on walkthrough of Rootly — how it observes, advises, and (when you let it) acts. With a real look at the four-level trust model.
Random Posts
- 1Git Branches - How to Not Break Prod and Stay AliveDevOps & Cloud · Learn Git branches the modern way. A clear 2025 guide to branching, merging, rebasing, and collaborating—without breaking production.
- 2How AI Learns — and Where It's Actually UsedAI & MLOps · How AI learns (supervised, unsupervised, reinforcement) — explained simply, with real-life examples you'll actually relate to.
- 3AWS AI/ML - The Ultimate Guide for IT GirlsAI & MLOps · Unlock AWS AI/ML! Discover how Amazon's AI tools like SageMaker, Lex, and Polly automate tasks, enhance CX, and drive innovation—no coding needed!
- 4AI for Beginners - How It Works, Learns, and Makes DecisionsAI & MLOps · Simple guide to AI and machine learning for beginners. Learn how it works with clear explanations and easy-to-understand examples.