Docker is easy to use and easy to misuse. These questions check whether a candidate understands images, layers and isolation — not just docker run.
Hiring a Docker developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.
Junior Docker interview questions
0–2 years
Core concepts.
What is the difference between an image and a container?
An image is an immutable, layered template; a container is a running (or stopped) instance of one with a writable layer on top.
Uses the terms interchangeably.
What is the difference between a container and a virtual machine?
Containers share the host kernel and isolate at the process level, so they are lighter and faster; VMs virtualise hardware and run full guest OSes.
Thinks containers each run a full OS.
What does a Dockerfile do?
It declares, step by step, how to build an image — base image, dependencies, files and the run command.
Confuses a Dockerfile with docker-compose.
What is the difference between CMD and ENTRYPOINT?
ENTRYPOINT sets the executable; CMD provides default arguments that can be overridden at run time. Together they define what runs.
Can’t explain how they combine.
What is the difference between COPY and ADD?
Both copy files; ADD also handles URLs and auto-extracts archives, so COPY is preferred unless you need those features.
Uses ADD everywhere without knowing why COPY is recommended.
How do you persist data beyond a container’s life?
Named volumes or bind mounts; the container’s writable layer is ephemeral and lost on removal.
Writes important data to the container filesystem and loses it.
What does docker-compose solve?
Defining and running multi-container apps declaratively, with networking and dependencies, in one file.
Starts each container by hand with long run commands.
How do containers on the same host communicate?
Over a Docker network by service/container name via the embedded DNS; exposed ports handle external access.
Hardcodes IP addresses between containers.
Mid-level Docker interview questions
2–5 years
Images, layers and builds.
How does image layering and caching work?
Each instruction creates a cached layer; ordering matters, so put rarely-changing steps (dependency install) before frequently-changing ones (source copy) to reuse cache.
Copies source before installing deps, busting the cache every build.
What is a multi-stage build and why use it?
Building artefacts in one stage and copying only what’s needed into a slim final image, dramatically reducing size and attack surface.
Ships the whole build toolchain in the runtime image.
How do you reduce image size?
Slim/alpine or distroless bases, multi-stage builds, combining layers, a .dockerignore, and removing build caches.
Produces multi-gigabyte images and shrugs.
How do you handle secrets in Docker?
Injected at runtime via env or a secrets mechanism, never baked into image layers where they persist in history.
Bakes credentials into the Dockerfile.
What is the difference between a volume and a bind mount?
A bind mount maps a host path directly; a named volume is Docker-managed and more portable, preferred for production data.
Uses bind mounts to host paths in production.
How do health checks work?
A HEALTHCHECK lets Docker/orchestrators know if a container is actually serving, not just running, enabling restarts and routing decisions.
Treats “process is up” as “service is healthy.”
Why run a container as a non-root user?
To limit blast radius if the container is compromised; running as root is a common, avoidable risk.
Runs everything as root by default.
What does .dockerignore do?
Excludes files from the build context, speeding builds and preventing secrets or bulky files from leaking into the image.
Sends the whole repo, including node_modules and .git, into the build.
Senior Docker interview questions
5+ years
Production and security.
How do you make container builds reproducible?
Pin base image digests and dependency versions, avoid pulling “latest,” and keep builds hermetic so the same input yields the same image.
Depends on :latest and unpinned installs.
How do you secure container images?
Minimal base images, non-root users, scanning for CVEs, pinned versions, signed images and dropped Linux capabilities.
No scanning, root user, latest tags.
How does container resource isolation work?
cgroups limit CPU/memory and namespaces isolate processes, network and filesystem; setting limits prevents noisy-neighbour issues.
Runs containers with no resource limits.
How do you debug a container that won’t start?
Inspect logs, run it with an interactive shell or overridden entrypoint, check exit codes, health checks and mounted config.
Only knows to rebuild and hope.
How do you handle logging from containers?
Write logs to stdout/stderr and let the platform collect them, rather than to files inside the container.
Writes logs to files inside the ephemeral container.
What are the tradeoffs of running databases in containers?
Fine for dev and stateless workloads; in production you need a careful volume, backup and orchestration strategy, and many teams use managed data services.
Thinks stateful data in containers is free of caveats.
How do you keep images small and fast in CI?
Layer caching across builds, multi-stage builds, cache mounts, and only rebuilding what changed.
Rebuilds everything from scratch each pipeline run.
What is the difference between an image registry’s tag and digest?
A tag is mutable and can be repointed; a digest is a content hash that pins an exact image, which is what you want for reproducible deploys.
Deploys by mutable tag and is surprised when it changes.
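Added example (not part of the original page): a small Python check for the build red flags the answers above name, namely mutable or unpinned base tags, ADD where COPY would do, credentials in ENV/ARG, and a final stage left as root. The sample Dockerfiles, the registry.example image names and the digest are constructed for illustration.

```python
import re

DIGEST = "sha256:" + "a" * 64  # constructed placeholder, not a real image digest

# Constructed sample Dockerfiles (not from the page); image names are hypothetical.
WEAK = """FROM registry.example/base:latest
ADD . /app
ENV API_TOKEN=constructed-value
CMD ["/app/server"]
"""
HARDENED = f"""FROM registry.example/build:1.2@{DIGEST} AS build
COPY . /src
FROM registry.example/runtime:1.2@{DIGEST}
COPY --from=build /src/server /app/server
USER 65532
CMD ["/app/server"]
"""

SECRET_KEY = re.compile(r"PASSWORD|SECRET|TOKEN|API_?KEY", re.I)
PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")

def lint(dockerfile):
    """Return sorted finding codes for the red flags named in the answers above."""
    findings, stages, user = set(), set(), None
    text = re.sub(r"\\\n", " ", dockerfile)  # join backslash line continuations
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), parts[1]
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]
            user = None  # conservative: assume each new stage starts as root
            if tokens[0] != "scratch" and tokens[0] not in stages and not PINNED.search(tokens[0]):
                findings.add("unpinned-base")  # a tag alone can be repointed
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])  # later "FROM <stage>" is not a registry pull
        elif instr == "ADD":
            findings.add("add-instead-of-copy")
        elif instr in ("ENV", "ARG") and SECRET_KEY.search(re.split(r"[=\s]", arg)[0]):
            findings.add("secret-in-layer")  # value persists in image history
        elif instr == "USER":
            user = arg.split(":")[0].strip()
    if user in (None, "root", "0"):
        findings.add("runs-as-root")  # judged on the final stage only
    return sorted(findings)

if __name__ == "__main__":
    print(lint(WEAK), lint(HARDENED))
```

The root check is deliberately conservative: a base image may already set a non-root USER, which a text-only check of the Dockerfile cannot see.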