Docker Interview Questions 2026: Images, Networking and Production

# Image: static, stored
docker pull nginx:alpine          # download image
docker images                     # list images
docker image inspect nginx:alpine # see image details

# Container: running, dynamic
docker run nginx:alpine           # create + start container from image
docker ps                         # list running containers
docker ps -a                      # include stopped containers

# bridge (default) — containers on same bridge can communicate by name
docker network create mynet
docker run --network mynet --name api myapp
docker run --network mynet --name db postgres
# api can reach db at hostname "db"

# host — container uses host's network directly (no port mapping needed)
docker run --network host nginx  # exposes port 80 directly

# none — no network (isolated)
docker run --network none myapp

# container — share network stack with another container
docker run --network container:myapp nginx

# ENTRYPOINT — command that always runs, cannot be overridden
ENTRYPOINT ["python", "app.py"]
# docker run myimage --port 8080  → python app.py --port 8080 (args appended)

# CMD — default command, can be overridden at runtime
CMD ["gunicorn", "app:app"]
# docker run myimage bash  → runs bash instead of gunicorn

# Combined (best practice):
ENTRYPOINT ["python"]
CMD ["app.py"]              # default: python app.py
# docker run myimage manage.py migrate  → python manage.py migrate (override CMD)

# Shell vs Exec form
CMD gunicorn app:app        # shell form (runs in /bin/sh -c)
CMD ["gunicorn", "app:app"] # exec form (preferred — faster, proper signal handling)

# Named volume — managed by Docker, persists across container restarts
docker volume create mydata
docker run -v mydata:/var/lib/postgresql/data postgres

# Bind mount — maps host path to container path (dev workflow)
docker run -v $(pwd):/app node npm start
# Changes on host immediately visible in container

# tmpfs mount — in-memory, not persisted
docker run --tmpfs /tmp:size=100m myapp

# Read-only mount
docker run -v /config:/etc/myapp:ro myapp

# When to use:
# Named volumes: database data, persistent app state
# Bind mounts: development (hot reload), config files
# tmpfs: sensitive temp data that should never persist

# WRONG: copy everything first (invalidates cache on any file change)
COPY . .
RUN pip install -r requirements.txt  # reinstalls every time ANY file changes!

# CORRECT: copy dependencies first (cached unless requirements change)
COPY requirements.txt .
RUN pip install -r requirements.txt  # cached until requirements.txt changes
COPY . .

# Tips:
# - Instructions that change frequently should be at the bottom
# - Combine RUN commands to reduce layers
# - Use .dockerignore to exclude unnecessary files

HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3   CMD curl -f http://localhost:8000/health || exit 1

# States:
# starting  — within start-period
# healthy   — health check passes
# unhealthy — health check fails retries times

# In compose.yaml
services:
  api:
    image: myapp
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
    depends_on:
      db:
        condition: service_healthy  # wait for DB to be healthy

# BuildKit — next-gen Docker build (enabled by default in recent Docker)
# Features:
# - Parallel build stages (multi-stage builds are faster)
# - Better cache management
# - Secret mounting (never in image layers)
# - SSH forwarding in builds

# Mount secrets without baking into image
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

# Build with secret
docker build --secret id=mysecret,src=$HOME/.ssh/id_rsa .

# Cache mounts (persist between builds)
RUN --mount=type=cache,target=/root/.cache/pip pip install -r requirements.txt

# docker run — creates a NEW container from an image
docker run myapp python manage.py migrate

# docker exec — runs command in an EXISTING running container
docker exec myapp-container python manage.py migrate

# Common usage
docker exec -it myapp bash     # interactive shell in running container
docker exec mydb psql -U postgres  # run command in DB container

# docker attach — attach to running container's main process
docker attach myapp-container  # see stdout of running process

# 1. Use minimal base images
FROM python:3.12-slim   # vs python:3.12 (300MB smaller!)
# Or: FROM gcr.io/distroless/python3  # even smaller

# 2. Multi-stage builds (common pattern)
FROM python:3.12 AS builder
RUN pip install -r requirements.txt

FROM python:3.12-slim
COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages

# 3. Combine RUN commands
RUN apt-get update     && apt-get install -y --no-install-recommends curl     && rm -rf /var/lib/apt/lists/*

# 4. .dockerignore file
# .git
# __pycache__
# *.pyc
# node_modules
# .env

# COPY — simple, predictable, preferred
COPY src/ /app/src/
COPY requirements.txt .

# ADD — additional features (usually avoid in favor of COPY)
# - Can extract tar files automatically
# - Can download URLs (don't use! no caching, security risk)
ADD https://example.com/file.tar.gz /app/  # BAD: no caching!
ADD archive.tar.gz /app/                    # Extracts to /app/

# Rule: always prefer COPY unless you specifically need ADD's tar extraction