Docker Interview Questions (2026): By Level, With Model Answers

How to use this

Docker is easy to use and easy to misuse. These questions check whether a candidate understands images, layers and isolation — not just docker run.

Hiring a Docker developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.

Junior Docker interview questions

0–2 years

Core concepts.

What is the difference between an image and a container?

What a strong answer covers

An image is an immutable, layered template; a container is a running (or stopped) instance of one with a writable layer on top.

Red flag

Uses the terms interchangeably.

What is the difference between a container and a virtual machine?

What a strong answer covers

Containers share the host kernel and isolate at the process level, so they are lighter and faster; VMs virtualise hardware and run full guest OSes.

Red flag

Thinks containers each run a full OS.

What does a Dockerfile do?

What a strong answer covers

It declares, step by step, how to build an image — base image, dependencies, files and the run command.

Red flag

Confuses a Dockerfile with docker-compose.

What is the difference between CMD and ENTRYPOINT?

What a strong answer covers

ENTRYPOINT sets the executable; CMD provides default arguments that can be overridden at run time. Together they define what runs.

Red flag

Can’t explain how they combine.

What is the difference between COPY and ADD?

What a strong answer covers

Both copy files; ADD also handles URLs and auto-extracts archives, so COPY is preferred unless you need those features.

Red flag

Uses ADD everywhere without knowing why COPY is recommended.

How do you persist data beyond a container’s life?

What a strong answer covers

Named volumes or bind mounts; the container’s writable layer is ephemeral and lost on removal.

Red flag

Writes important data to the container filesystem and loses it.

What does docker-compose solve?

What a strong answer covers

Defining and running multi-container apps declaratively, with networking and dependencies, in one file.

Red flag

Starts each container by hand with long run commands.

How do containers on the same host communicate?

What a strong answer covers

Over a Docker network by service/container name via the embedded DNS; exposed ports handle external access.

Red flag

Hardcodes IP addresses between containers.

Mid-level Docker interview questions

2–5 years

Images, layers and builds.

How does image layering and caching work?

What a strong answer covers

Each instruction creates a cached layer; ordering matters, so put rarely-changing steps (dependency install) before frequently-changing ones (source copy) to reuse cache.

Red flag

Copies source before installing deps, busting the cache every build.

What is a multi-stage build and why use it?

What a strong answer covers

Building artefacts in one stage and copying only what’s needed into a slim final image, dramatically reducing size and attack surface.

Red flag

Ships the whole build toolchain in the runtime image.

How do you reduce image size?

What a strong answer covers

Slim/alpine or distroless bases, multi-stage builds, combining layers, a .dockerignore, and removing build caches.

Red flag

Produces multi-gigabyte images and shrugs.

How do you handle secrets in Docker?

What a strong answer covers

Injected at runtime via env or a secrets mechanism, never baked into image layers where they persist in history.

Red flag

Bakes credentials into the Dockerfile.

What is the difference between a volume and a bind mount?

What a strong answer covers

A bind mount maps a host path directly; a named volume is Docker-managed and more portable, preferred for production data.

Red flag

Uses bind mounts to host paths in production.

How do health checks work?

What a strong answer covers

A HEALTHCHECK lets Docker/orchestrators know if a container is actually serving, not just running, enabling restarts and routing decisions.

Red flag

Treats “process is up” as “service is healthy.”

Why run a container as a non-root user?

What a strong answer covers

To limit blast radius if the container is compromised; running as root is a common, avoidable risk.

Red flag

Runs everything as root by default.

What does .dockerignore do?

What a strong answer covers

Excludes files from the build context, speeding builds and preventing secrets or bulky files from leaking into the image.

Red flag

Sends the whole repo, including node_modules and .git, into the build.

Senior Docker interview questions

5+ years

Production and security.

How do you make container builds reproducible?

What a strong answer covers

Pin base image digests and dependency versions, avoid pulling “latest,” and keep builds hermetic so the same input yields the same image.

Red flag

Depends on :latest and unpinned installs.

How do you secure container images?

What a strong answer covers

Minimal base images, non-root users, scanning for CVEs, pinned versions, signed images and dropped Linux capabilities.

Red flag

No scanning, root user, latest tags.

How does container resource isolation work?

What a strong answer covers

cgroups limit CPU/memory and namespaces isolate processes, network and filesystem; setting limits prevents noisy-neighbour issues.

Red flag

Runs containers with no resource limits.

How do you debug a container that won’t start?

What a strong answer covers

Inspect logs, run it with an interactive shell or overridden entrypoint, check exit codes, health checks and mounted config.

Red flag

Only knows to rebuild and hope.

How do you handle logging from containers?

What a strong answer covers

Write logs to stdout/stderr and let the platform collect them, rather than to files inside the container.

Red flag

Writes logs to files inside the ephemeral container.

What are the tradeoffs of running databases in containers?

What a strong answer covers

Fine for dev and stateless workloads; in production you need careful volume, backup and orchestration strategy, and many teams use managed data services.

Red flag

Thinks stateful data in containers is free of caveats.

How do you keep images small and fast in CI?

What a strong answer covers

Layer caching across builds, multi-stage builds, cache mounts, and only rebuilding what changed.

Red flag

Rebuilds everything from scratch each pipeline run.

What is the difference between an image registry’s tag and digest?

What a strong answer covers

A tag is mutable and can be repointed; a digest is a content hash that pins an exact image, which is what you want for reproducible deploys.

Red flag

Deploys by mutable tag and is surprised when it changes.

Skip the screening entirely.We vet Docker engineers so you don’t have to — embed one in your team, or have us build it.

Hire Docker developersCompare us

Build and score a full interview with our free interview scorecard tool, browse the full question hub, or see how we interview engineers.

Share