---
title: "Docker Interview Questions (2026): By Level, With Model Answers"
url: https://weworkworldwide.com/docker-interview-questions/
description: "Docker interview questions for junior, mid and senior engineers — images, layers, networking and multi-stage builds — with model answers and the red flags to listen for."
date: 2026-07-04T15:29:03+00:00
source: https://weworkworldwide.com/llms.txt
---

# Docker Interview Questions (2026): By Level, With Model Answers

How to use this

Docker is easy to use and easy to misuse. These questions check whether a candidate understands images, layers and isolation — not just `docker run`.

Hiring a Docker developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.

## Junior Docker interview questions

0–2 years

Core concepts.

### What is the difference between an image and a container?

What a strong answer covers

An image is an immutable, layered template; a container is a running (or stopped) instance of one with a writable layer on top.

Red flag

Uses the terms interchangeably.

### What is the difference between a container and a virtual machine?

What a strong answer covers

Containers share the host kernel and isolate at the process level, so they are lighter and faster; VMs virtualise hardware and run full guest OSes.

Red flag

Thinks containers each run a full OS.

### What does a Dockerfile do?

What a strong answer covers

It declares, step by step, how to build an image — base image, dependencies, files and the run command.

Red flag

Confuses a Dockerfile with docker-compose.

### What is the difference between `CMD` and `ENTRYPOINT`?

What a strong answer covers

ENTRYPOINT sets the executable; CMD provides default arguments that can be overridden at run time. Together they define what runs.

Red flag

Can’t explain how they combine.

### What is the difference between `COPY` and `ADD`?

What a strong answer covers

Both copy files; ADD also handles URLs and auto-extracts archives, so COPY is preferred unless you need those features.

Red flag

Uses ADD everywhere without knowing why COPY is recommended.

### How do you persist data beyond a container’s life?

What a strong answer covers

Named volumes or bind mounts; the container’s writable layer is ephemeral and lost on removal.

Red flag

Writes important data to the container filesystem and loses it.

### What does `docker-compose` solve?

What a strong answer covers

Defining and running multi-container apps declaratively, with networking and dependencies, in one file.

Red flag

Starts each container by hand with long run commands.

### How do containers on the same host communicate?

What a strong answer covers

Over a Docker network by service/container name via the embedded DNS; exposed ports handle external access.

Red flag

Hardcodes IP addresses between containers.

## Mid-level Docker interview questions

2–5 years

Images, layers and builds.

### How does image layering and caching work?

What a strong answer covers

Each instruction creates a cached layer; ordering matters, so put rarely-changing steps (dependency install) before frequently-changing ones (source copy) to reuse cache.

Red flag

Copies source before installing deps, busting the cache every build.

### What is a multi-stage build and why use it?

What a strong answer covers

Building artefacts in one stage and copying only what’s needed into a slim final image, dramatically reducing size and attack surface.

Red flag

Ships the whole build toolchain in the runtime image.

### How do you reduce image size?

What a strong answer covers

Slim/alpine or distroless bases, multi-stage builds, combining layers, a `.dockerignore`, and removing build caches.

Red flag

Produces multi-gigabyte images and shrugs.

### How do you handle secrets in Docker?

What a strong answer covers

Injected at runtime via env or a secrets mechanism, never baked into image layers where they persist in history.

Red flag

Bakes credentials into the Dockerfile.

### What is the difference between a volume and a bind mount?

What a strong answer covers

A bind mount maps a host path directly; a named volume is Docker-managed and more portable, preferred for production data.

Red flag

Uses bind mounts to host paths in production.

### How do health checks work?

What a strong answer covers

A `HEALTHCHECK` lets Docker/orchestrators know if a container is actually serving, not just running, enabling restarts and routing decisions.

Red flag

Treats “process is up” as “service is healthy.”

### Why run a container as a non-root user?

What a strong answer covers

To limit blast radius if the container is compromised; running as root is a common, avoidable risk.

Red flag

Runs everything as root by default.

### What does `.dockerignore` do?

What a strong answer covers

Excludes files from the build context, speeding builds and preventing secrets or bulky files from leaking into the image.

Red flag

Sends the whole repo, including `node_modules` and `.git`, into the build.

## Senior Docker interview questions

5+ years

Production and security.

### How do you make container builds reproducible?

What a strong answer covers

Pin base image digests and dependency versions, avoid pulling “latest,” and keep builds hermetic so the same input yields the same image.

Red flag

Depends on `:latest` and unpinned installs.

### How do you secure container images?

What a strong answer covers

Minimal base images, non-root users, scanning for CVEs, pinned versions, signed images and dropped Linux capabilities.

Red flag

No scanning, root user, latest tags.

### How does container resource isolation work?

What a strong answer covers

cgroups limit CPU/memory and namespaces isolate processes, network and filesystem; setting limits prevents noisy-neighbour issues.

Red flag

Runs containers with no resource limits.

### How do you debug a container that won’t start?

What a strong answer covers

Inspect logs, run it with an interactive shell or overridden entrypoint, check exit codes, health checks and mounted config.

Red flag

Only knows to rebuild and hope.

### How do you handle logging from containers?

What a strong answer covers

Write logs to stdout/stderr and let the platform collect them, rather than to files inside the container.

Red flag

Writes logs to files inside the ephemeral container.

### What are the tradeoffs of running databases in containers?

What a strong answer covers

Fine for dev and stateless workloads; in production you need careful volume, backup and orchestration strategy, and many teams use managed data services.

Red flag

Thinks stateful data in containers is free of caveats.

### How do you keep images small and fast in CI?

What a strong answer covers

Layer caching across builds, multi-stage builds, cache mounts, and only rebuilding what changed.

Red flag

Rebuilds everything from scratch each pipeline run.

### What is the difference between an image registry’s tag and digest?

What a strong answer covers

A tag is mutable and can be repointed; a digest is a content hash that pins an exact image, which is what you want for reproducible deploys.

Red flag

Deploys by mutable tag and is surprised when it changes.

**Skip the screening entirely.**We vet Docker engineers so you don’t have to — embed one in your team, or have us build it.

[Hire Docker developers](https://weworkworldwide.com/hire-remote-devops-developers/)[Compare us](https://weworkworldwide.com/compare/)

Build and score a full interview with our free [interview scorecard tool](https://weworkworldwide.com/developer-interview-scorecard/), browse the [full question hub](https://weworkworldwide.com/interview-questions/), or see [how we interview engineers](https://weworkworldwide.com/how-we-interview-engineers/).
