50 questions / 10 random questions
Random questions, instant feedback, and review for missed questions.
For a Node.js app, you want dependencies to be cached in the image while keeping rebuilds fast when source files change. What should the Dockerfile copy first?
Answer: package.json and the lock file
Copying dependency manifests first lets the dependency installation layer be cached. Source-only changes are less likely to force dependency installation again.
In a development environment, you want source changes on the host to appear immediately inside the container. What is the most natural approach?
Answer: Bind-mount the source directory
A bind mount exposes host files directly to the container, which is common for local development.
In a development Compose file, you want to access an app listening on port 3000 from host port 3000. Which setting is appropriate?
Answer: ports: ["3000:3000"]
ports publishes container ports on the host. 3000:3000 maps host port 3000 to container port 3000.
An app inside a container cannot reach a database on the host by connecting to localhost. What is the best explanation?
Answer: localhost inside the container refers to the container itself
Containers have their own network namespace, so localhost inside the container means the container itself, not the host.
You want development and production to differ only in startup command and mounts. What Compose approach is appropriate?
Answer: Layer a development override file on top of the base Compose file
Compose can merge multiple files. Keeping shared definitions in a base file and overriding development-only commands or mounts is maintainable.
You want to reuse a dependency cache across builds without including it in the final image. Which BuildKit feature is appropriate?
Answer: RUN --mount=type=cache
BuildKit cache mounts can reuse package-manager caches across builds without directly baking them into image layers.
In a hot-reload development container, you want source files from the host but dependencies from inside the container. What setup is common?
Answer: Bind-mount source files and isolate the dependency directory with a named volume
A common pattern is to bind-mount source files while keeping OS-sensitive dependency directories such as node_modules in a named volume managed by the container.
When sharing a Dockerfile across a development team, which style should be avoided for stable OS package installation?
Answer: Putting apt-get upgrade -y in a normal application image build
Application images should install only required packages. Broad upgrades make builds less predictable and blur responsibility with base image maintenance.
You want environment-specific app settings while keeping the image common. What is appropriate?
Answer: Pass them at runtime as environment variables or external configuration
Keeping configuration outside the image and injecting it at runtime through environment variables, files, or secret management makes one image usable across environments.
For local development, you want to start multiple services together and let them communicate by service name. What fits best?
Answer: Docker Compose
Compose defines services, networks, volumes, and environment variables in a file and starts multiple containers together.
You want to list images stored locally. Which command should you use?
Answer: docker image ls
docker image ls lists local images and shows tags, image IDs, sizes, and related information.
You want to start a container in the background and automatically remove it when it stops. Which option combination is appropriate?
Answer: docker run -d --rm ...
-d runs detached, and --rm removes the container after it exits. This is useful for temporary test containers.
You want to list containers including stopped ones. Which command is appropriate?
Answer: docker ps -a
docker ps lists running containers; adding -a includes stopped containers.
You want to follow stdout logs from a running container. Which command should you use?
Answer: docker logs -f <container>
docker logs -f follows container logs. It works well when the application writes logs to stdout/stderr.
You want to open a temporary shell inside a running container for investigation. Which command is appropriate?
Answer: docker exec -it <container> sh
docker exec runs an additional command in a running container. -it enables interactive shell use.
You want to build an image named myapp:dev from a Dockerfile. Which command is appropriate?
Answer: docker build -t myapp:dev .
docker build -t name:tag context builds an image from a Dockerfile and assigns a tag.
You want to clean up stopped containers, unused networks, dangling images, and build cache. Which command is a suitable candidate?
Answer: docker system prune
docker system prune cleans unused resources. Review what will be removed so needed volumes or images are not deleted.
You want to start services defined in a Compose file in the background. Which command is appropriate?
Answer: docker compose up -d
docker compose up -d creates and starts Compose services in detached mode.
You want detailed JSON metadata for a container or image. Which command should you use?
Answer: docker inspect
docker inspect shows detailed JSON metadata such as IP addresses, mounts, environment variables, and settings.
You want to copy a configuration file from a container to the host. Which command is appropriate?
Answer: docker cp <container>:/path/file ./file
docker cp copies files between host and container, which is useful for retrieving configuration during investigation.
Which design best keeps a production image small and avoids including build tools?
Answer: Use a multi-stage build and copy only artifacts into the final stage
Multi-stage builds separate build and runtime stages, allowing the final image to contain only required artifacts.
Why should container images usually avoid packing too many independent long-running processes into one container?
Answer: It makes monitoring, restart, scaling, and log separation harder
Containers are easier to operate when responsibilities are focused. Too many responsibilities make failure isolation and scaling boundaries unclear.
You want production to reuse the exact intended image. Which tagging approach is safer?
Answer: Use version tags or image digests for deployment
The latest tag is mutable and can point to different content over time, so relying on it alone is less safe. Version tags or digests improve traceability.
What is the main purpose of maintaining .dockerignore before using COPY . . in a Dockerfile?
Answer: To exclude unnecessary or sensitive files from the build context
.dockerignore reduces files sent to the build context and helps prevent secrets or large unnecessary files from being included.
Why should database data usually not be stored only in a container writable layer?
Answer: Data can be lost when the container is removed or recreated
A container writable layer is tied to the container lifecycle. Database data should be persisted with volumes or external database services.
In a web app image, what does EXPOSE 8080 mean?
Answer: It documents as metadata that the container intends to listen on port 8080
EXPOSE is metadata about intended listening ports. Host publishing still requires docker run -p or Compose ports.
You tried to change production runtime settings using only Dockerfile ARG and it failed. What is the likely reason?
Answer: ARG is mainly a build-time variable; runtime settings use ENV or external injection
ARG is primarily used during build. Values that change at runtime should be passed through environment variables, configuration files, or secret management.
What is the benefit of copying frequently changed files later in a Dockerfile?
Answer: Stable earlier layer cache is easier to reuse
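The Dockerfile build cache is evaluated in instruction order, and a change at one instruction invalidates the cache for the instructions after it. Placing stable dependency steps earlier and frequently changed source copies later improves efficiency.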
Why is writing app logs to stdout often preferred over writing only to files inside production containers?
Answer: Container runtimes and logging platforms can collect them more easily
Writing container logs to stdout/stderr makes integration with Docker and cloud log collectors easier.
Which design helps avoid leaving build-time secrets in an image?
Answer: Use mechanisms such as BuildKit secret mounts that avoid persisting secrets in layers
Secrets handled with Dockerfile ENV or COPY can remain in layer history. BuildKit secret mounts reduce exposure.
In standalone Docker, you want a container to restart automatically after a failure. Which setting is appropriate?
Answer: A restart policy such as --restart=unless-stopped
A restart policy tells the Docker daemon how to handle container exits. It serves a different purpose from --rm.
You want to view container CPU and memory usage in real time. Which command is appropriate?
Answer: docker stats
docker stats displays CPU, memory, network, and block I/O usage per container.
For production operations, what should an image provide to make container health easier to assess?
Answer: HEALTHCHECK or an easy-to-monitor health endpoint
Health checks help determine not only whether a process exists, but whether the application can respond correctly.
You want to inspect a running container's configuration, mounts, and networks. Which command is a good first choice?
Answer: docker inspect <container>
docker inspect returns detailed container information as JSON, making it useful for checking mounts, networks, and environment variables.
The host disk is running low and you want a breakdown of Docker disk usage. Which command should you use?
Answer: docker system df
docker system df shows disk usage summaries for images, containers, volumes, and build cache.
For production-like testing, you want to set a container memory limit in standalone Docker. Which option is representative?
Answer: docker run --memory 512m ...
--memory is a common option for limiting container memory usage.
Why is manually fixing a production container by entering it usually not a good root-cause fix?
Answer: The change is not reproducible and can be lost on recreation or redeploy
Containers are expected to be recreated. Fixes should be reflected in Dockerfiles, configuration, or deployment definitions so they are reproducible.
You want to view logs across services managed by Compose. Which command is appropriate?
Answer: docker compose logs
docker compose logs displays logs for services in a Compose project. -f follows them.
You need to transfer an image to another environment as a file, without using a registry. Which pair is appropriate?
Answer: docker save and docker load
docker save stores an image as a tar archive, and docker load loads it back while preserving tags and layers.
Before deleting unused Docker resources in operations, what deserves special attention?
Answer: Whether named volumes contain required persistent data
Volumes may contain important data such as databases or uploaded files. Confirm purpose and backups before deletion.
Which Dockerfile instruction is commonly used to avoid running the app as root?
Answer: USER
USER sets the user for later instructions and runtime processes. Running as non-root is a basic privilege reduction measure.
You need a private key during build to access a private repository, but you do not want it left in the image. What is appropriate?
Answer: Use BuildKit SSH mounts or secret mounts
BuildKit SSH and secret mounts expose secrets only during build and reduce the risk of leaving them in layers.
To reduce image vulnerability risk, what should you consider when choosing a base image?
Answer: Use a minimal, maintained, trusted base image
A small, maintained, trusted base helps reduce unnecessary packages and known vulnerabilities.
What is the main risk of mounting the host Docker socket /var/run/docker.sock into a container?
Answer: The container may gain powerful control over Docker on the host
The Docker socket controls the host Docker daemon. Mounting it can provide near host-level power and must be handled carefully.
What is the purpose of avoiding unnecessary Linux capabilities in a container?
Answer: To reduce privileges available if the container is compromised
Capabilities split root privileges into smaller units. Dropping unnecessary ones can limit damage after compromise.
You want to reduce the risk of filesystem tampering inside a container. Which runtime setting is a candidate?
Answer: --read-only
--read-only makes the container root filesystem read-only. Required writable paths should be explicitly provided with tmpfs or volumes.
When handling Docker images in CI, which step should be added for vulnerability checking?
Answer: Run image scanning and gate releases based on severity
Image scanning in CI helps detect known vulnerabilities in base images and dependencies before release.
Which approach should be avoided when passing secrets to containers?
Answer: Writing secrets directly into the Dockerfile
Secrets in Dockerfiles can leak through image history or registries. Runtime secret management is the usual approach.
Why should --privileged not be casually used for production containers?
Answer: It grants powerful near-host privileges and weakens isolation
--privileged grants many permissions and device access. Prefer allowing only required capabilities or devices.
Which option is known for running Docker Engine without root privileges to reduce impact if the daemon is compromised?
Answer: Rootless mode
Rootless mode runs the Docker daemon and containers as a non-root user. It has limitations and should be evaluated against requirements.