Q1: How do Docker image layers actually work?
Each Dockerfile instruction creates a read-only layer. Layers are cached and reused across images when their content is unchanged. A running container adds a thin writable layer on top. Layer reuse is why build ordering matters for performance.
Q2: Why should frequently changing instructions come later in a Dockerfile?
Because the Docker build cache is layer-based: if an early layer changes, every later layer is rebuilt. Put stable steps (OS packages, base dependencies) first and the fast-changing code COPY later. This maximizes cache reuse and speeds up builds.
Q3: What is a multi-stage build and why is it important?
Multi-stage builds use multiple FROM blocks to separate the build and runtime environments. You compile in a builder stage and copy only the final artifacts into the runtime stage. This reduces image size and keeps compilers and build tools out of the production image, which improves security and startup speed.
Q4: Distroless images: when and why use them?
Distroless images contain only the application runtime and its required libraries, with no shell or package manager. They reduce attack surface and size. Best for production microservices. Downside: harder to debug interactively, since there is no shell to exec into.
Q5: Container vs VM: what is the kernel difference at a technical level?
Containers share the host kernel, isolated by namespaces and cgroups. VMs run separate guest kernels on a hypervisor. Containers are lighter and faster but less isolated: a kernel bug affects every container on the host.
Q6: What are namespaces in containers?
Namespaces isolate what a process can see: PID, network, mount, user, IPC, UTS. Each container sees its own isolated environment. That's how process and network separation is achieved. It's a Linux kernel feature.
Q7: What are cgroups?
Control groups limit and measure resource usage such as CPU and memory. Docker uses cgroups to enforce container limits. Without limits, one container can starve the host. Kubernetes resource limits map to cgroups.
Q8: Why is running containers as root dangerous?
Root inside the container is root in the host's user namespace context (unless user namespaces are enabled). A container escape bug then becomes host root. Always set a non-root USER in the Dockerfile. Drop capabilities when possible.
Q9: Difference between CMD and ENTRYPOINT?
ENTRYPOINT defines the main executable. CMD provides its default arguments. If both are present, CMD is appended to ENTRYPOINT. ENTRYPOINT is harder to override at run time; CMD is easier.
Q10: Why use exec form instead of shell form in CMD?
Exec form (["app"]) runs the process directly, so it receives signals correctly. Shell form runs under /bin/sh -c, and the shell can swallow signals meant for the app. Exec form is required for graceful shutdown in containers.
Q11: Why do containers sometimes exit immediately?
The main process exited. Container lifecycle = main PID lifecycle. If the app runs in the background and the startup script ends, the container stops. Fix by running the app as a foreground process.
Q12: Docker COPY vs ADD: what is the difference?
COPY only copies files. ADD can also extract local archives and fetch URLs. That extra behavior makes ADD less predictable, so it is often discouraged. Prefer COPY unless extraction is needed.
Q13: How do you reduce Docker image size in real projects?
Use slim base images. Use multi-stage builds. Remove package caches. Combine RUN steps. Avoid installing unnecessary tools. Use distroless where possible.
Q14: Why avoid the 'latest' tag in production images?
latest is mutable and therefore not reproducible. Deploys become non-deterministic. Always use versioned or SHA tags. Rollback is only possible with fixed tags.
Q15: How does Docker networking work by default?
A default bridge network with NAT. Containers get private IPs. Port mapping exposes ports on the host. Not recommended for multi-host production; orchestration networking is used instead.
Q16: Host network mode: when is it used?
The container shares the host's network namespace. No port mapping is needed. Lower latency. Used for monitoring agents or high-performance networking. Reduces isolation.
Q17: What is the Docker overlay filesystem (overlay2)?
OverlayFS merges image layers efficiently: lower layers are read-only, the upper layer is writable. It reduces storage duplication. overlay2 is the default storage driver in modern Linux Docker.
Q18: How do you debug a container startup failure?
Check docker logs. Inspect the entrypoint and command. Run the container interactively, overriding the entrypoint. Verify env vars and mounts. Most failures are config or path errors.
Q19: Docker build is slow in CI: what are the optimization steps?
Enable layer caching in CI. Use a remote cache or BuildKit. Reorder the Dockerfile for cache hits. Avoid reinstalling dependencies on each build.
Q20: Biggest Docker mistake seen in production?
Fat images + root user + latest tag + no scanning. That combination is extremely common, and dangerous. Production images must be minimal, versioned, scanned, and non-root.