Docker-advanced notes for developers

Master Docker-advanced with a curated set of 1 developer notes — core concepts, patterns, and interview prep. Maintained by the DevRecall team.

Docker Interview Questions

  • Container vs VM? VM: full OS, hypervisor, heavy (GBs), slow start. Container: shares host OS kernel, isolated process (cgroups + namespaces), lightweight (MBs), starts in ms. VMs for stronger isolation; containers for density and speed

  • How does layer caching work? Each Dockerfile instruction creates a layer. If a layer's instruction and all previous layers are unchanged, Docker reuses the cached layer. A COPY whose files changed invalidates that layer and all subsequent layers, so order instructions accordingly: install deps first (changes rarely), copy source last (changes often)

  • Multi-stage builds? Multiple FROM statements in one Dockerfile. Build stages can copy artifacts from earlier stages. Final image only contains runtime artifacts — no build tools, source code, or dev dependencies. Dramatically reduces image size

  • Volumes vs bind mounts? Bind mount: maps host path to container path — good for dev (live code changes). Volume: managed by Docker, stored in Docker's data directory — for persistent data in production (DB files, uploads)

  • ENTRYPOINT vs CMD? ENTRYPOINT: always runs, defines the executable. CMD: default arguments, overridden by docker run args. Combine: ENTRYPOINT ["node"] CMD ["server.js"] — run args replace CMD. Use ENTRYPOINT for fixed executable, CMD for default args

  • Container networking modes? bridge (default): isolated network, containers talk by name in Compose. host: share host network stack (no isolation). none: no networking. overlay: multi-host (Swarm). In Compose, services resolve by service name

  • Security best practices? Run as non-root user (USER node). Use minimal base image (distroless, alpine). Scan with docker scout or trivy. Never store secrets in image layers. Read-only filesystem (--read-only). Limit capabilities (--cap-drop ALL)
