Test yourself
Docker in depth
Final exam · 82 questions · answers explained as you pick
Image management
12 questions
01An image is best described as…
Incorrect — that is a container; an image is the template it runs from.
Correct — layers are content-addressed and shared; the config records entrypoint, env, and ports.
Incorrect — images are layered and content-addressed, not one flat blob.
Incorrect — no guest OS or kernel is involved — it is a layered filesystem plus metadata.
02Which Dockerfile instruction does NOT create a filesystem layer?
Incorrect — RUN executes a command and bakes the result into a layer.
Incorrect — COPY adds files, producing a layer.
Correct — ENV only changes metadata (the config), adding a zero-byte layer — no filesystem change.
Incorrect — ADD writes files into the image, producing a layer.
03An image built to 900 MB even though a big archive is "removed" in a later RUN. Why?
Correct — download-use-delete must happen in ONE RUN so the file never becomes its own layer.
Incorrect — the storage driver does not duplicate files like that.
Incorrect — the registry stores what you push; it adds nothing.
Incorrect — CMD is metadata and copies nothing.
04To fix "every build reinstalls all dependencies," you…
Incorrect — that disables caching entirely — the opposite of the goal.
Incorrect — base size has nothing to do with dependency-install caching.
Correct — deps then reinstall only when the manifest changes; a code edit reuses the cached install.
Incorrect — running it twice just wastes time; ordering is the fix.
05docker diff on a running container shows…
Incorrect — that is not what diff does; it inspects one container’s changes.
Correct — A/C/D entries reflect copy-on-write changes since it started.
Incorrect — shared layers are read-only and unchanged; diff shows the writable delta.
Incorrect — diff is filesystem-only.
06Copy-on-write means the first write to a file that lives in a lower layer…
Correct — which is why containers start instantly and why big-file writes are costly on the overlay.
Incorrect — lower layers are read-only and never modified.
Incorrect — the write succeeds — into the writable layer.
Incorrect — no volume is needed; CoW handles it (just slowly for big files).
07Multi-stage builds primarily reduce…
Incorrect — they can add build time; the win is elsewhere.
Correct — only the artifact is copied into a clean final stage.
Incorrect — smaller images help storage, but the point is surface and size in production.
Incorrect — there is no meaningful layer-count limit being addressed.
08In a Dockerfile with stages, COPY --from=build /out/server /server does what?
Incorrect — it does not rebuild; it copies from an already-built stage.
Incorrect — that is a plain COPY; --from pulls from another stage or image.
Correct — this is how only the finished binary reaches the small final image.
Incorrect — that is docker push; COPY moves files.
09A tag differs from a digest in that a tag…
Correct — a digest (sha256) is the content itself and is immutable.
Incorrect — that describes a digest, not a tag.
Incorrect — tags are the usual way to run images.
Incorrect — tags work everywhere, public or private.
10Two nodes "running 1.4.2" behave differently. The most likely cause is…
Incorrect — possible but unlikely to change app behavior like this.
Correct — a mutable tag can point at different bytes over time; pin by digest to prevent it.
Incorrect — that does not change the image bytes.
Incorrect — corruption would fail the pull, not silently serve different code.
11docker save / docker load is used to…
Incorrect — that is not what save does; it archives an image.
Correct — useful for air-gapped transfer; load reads it back on the far side.
Incorrect — unrelated to save/load.
Incorrect — signing is cosign/notation, not save/load.
12On a CI host low on disk, the safest reclaim is…
Correct — removes untagged layers and cache without deleting base images your next build needs.
Incorrect — aggressive — removes all unused images, including bases and cache your builds rely on.
Incorrect — corrupts Docker state; use the prune commands.
Incorrect — that destroys persistent data and does not target the image bloat.
12 questions · explanations appear as you answer
The Docker engine
14 questions
01Which component actually creates the container process (namespaces, cgroups)?
Incorrect — it serves the API and manages images/networks/volumes, then delegates down.
Incorrect — it manages lifecycle but hands low-level creation to runc via a shim.
Correct — the OCI runtime that makes the Linux calls, then exits; the shim stays as parent.
Incorrect — the CLI only sends API requests.
02Why do running containers survive a Docker daemon restart?
Incorrect — they keep running, not pause.
Correct — with live-restore they keep running while dockerd is down, then reconnect.
Incorrect — restart does stop it; containers survive regardless via the shim.
Incorrect — no orchestrator is present on a plain host.
03Kubernetes talks to containerd directly (dropping the Docker shim) because…
Correct — the same runtime, minus the Docker daemon in front of it.
Incorrect — Docker uses containerd underneath — it is the same one.
Incorrect — OCI images run fine; only the dockershim was removed.
Incorrect — runc remains the default low-level runtime.
04Engine-wide settings (data-root, default log driver) live in…
Incorrect — those are per-container; engine defaults live elsewhere.
Correct — the single source of truth for daemon-wide configuration.
Incorrect — a Dockerfile configures an image, not the daemon.
Incorrect — that holds CLI/registry auth, not daemon settings.
05A busy host goes down with a full disk. The classic Docker cause is…
Incorrect — networks consume little disk.
Incorrect — rare, and not the usual disk-full culprit.
Correct — json-file does not rotate unless you set max-size/max-file.
Incorrect — a Swarm networking feature, unrelated to disk.
06To cap container logs, set in daemon.json (or per container)…
Correct — bounds each log file and how many rotations are kept.
Incorrect — that only moves where Docker stores data.
Incorrect — image size does not bound log growth.
Incorrect — that limits RAM, not log files.
07A single misplaced comma in daemon.json causes…
Incorrect — invalid JSON stops the daemon from starting.
Correct — the daemon serves the CLI — validate with dockerd --validate and keep a backup.
Incorrect — container data is unaffected by a config parse error.
Incorrect — a parse error deletes nothing.
08A container is a Linux process isolated by two kernel mechanisms:…
Correct — namespaces give the private view; cgroups cap resources.
Incorrect — that is a VM; containers share the host kernel.
Incorrect — those add hardening but are not the base isolation primitives.
Incorrect — networking tools, not the isolation mechanisms.
09In its own PID namespace, a container’s main process is…
Incorrect — PID 0 is not a userspace process.
Correct — the namespace hides host processes and remaps the tree.
Incorrect — the host sees a different PID; inside it is 1.
Incorrect — PIDs are stable within the namespace.
10--network=container:web on a second container is used for…
Incorrect — it is valid and commonly used.
Incorrect — it does the opposite — it shares one.
Correct — the same idea as a Kubernetes pod’s shared network.
Incorrect — that is -p; this shares a namespace.
11A container keeps dying with exit code 137, State.OOMKilled true. That means…
Correct — 137 = 128 + SIGKILL(9); raise the limit or fix the leak.
Incorrect — OOMKilled is memory, not network.
Incorrect — a missing image fails before the container runs.
Incorrect — that is a different failure; OOMKilled is memory.
12--pids-limit is a cheap defence against…
Incorrect — that is --memory; pids-limit caps process count.
Correct — it caps how many processes the container may create.
Incorrect — that is --cpus.
Incorrect — unrelated to process count.
13The json-file log driver’s dangerous default is that it…
Incorrect — it writes locally, not remotely.
Correct — cap it in daemon.json or per container to avoid a disk-full outage.
Incorrect — it keeps them — that is the problem when unbounded.
Incorrect — no encryption is involved.
14With a remote log driver (fluentd, syslog, gelf), docker logs…
Correct — docker logs works with file/journald drivers; remote drivers ship elsewhere.
Incorrect — it does not; the stream went off-box.
Incorrect — it shows nothing from a remote driver.
Incorrect — docker logs is local to one daemon regardless.
14 questions · explanations appear as you answer
Storage & volumes
12 questions
01Where should a database keep its data, and why?
Incorrect — it pays copy-on-write per change and is deleted with the container.
Correct — volumes write to the backing store and persist independently.
Incorrect — tmpfs is memory-backed and vanishes on stop — not durable.
Incorrect — images are read-only templates; runtime data does not belong in them.
02The three mount types are volumes, bind mounts, and…
Incorrect — not a Docker mount type.
Incorrect — overlay is the storage driver, not a mount type you attach.
Correct — volumes (managed), bind mounts (host path), tmpfs (RAM).
Incorrect — NFS is one volume driver, not a distinct mount type.
03With -v (not --mount), a bind source path that does not exist is…
Correct — a typo then hands the container an empty folder; --mount errors instead.
Incorrect — that is --mount’s behavior; -v creates it.
Incorrect — a directory, not a file.
Incorrect — it mounts — an empty dir, which is the trap.
04Why prefer --mount over -v for anything important?
Incorrect — performance is identical; the difference is clarity and safety.
Correct — -v silently creates missing dirs; --mount fails loudly.
Incorrect — both work with any image.
Incorrect — neither encrypts; that is unrelated.
05To back up a named volume, you typically…
Incorrect — commit captures the image layer, not the volume.
Incorrect — fragile and unsafe; use a helper container.
Correct — the standard pattern: mount both, tar the volume into the host directory.
Incorrect — save is for images, not volumes.
06Bind-mounting a whole Node project breaks on missing modules. The clean fix is…
Incorrect — defeats the point of a live bind mount.
Correct — the volume masks that subpath, keeping the container’s installed dependencies.
Incorrect — then nothing has the deps at all.
Incorrect — tmpfs would lose your source on stop.
07A tmpfs mount is the right choice for…
Correct — memory-backed and gone on stop — nothing to recover from disk.
Incorrect — that must persist; tmpfs vanishes on stop.
Incorrect — that is a bind mount.
Incorrect — tmpfs is ephemeral, the opposite of a backup.
08The modern default storage driver is…
Incorrect — legacy; overlay2 replaced it on current kernels.
Correct — a union filesystem stacking lower (image) and upper (writable) dirs.
Incorrect — older and largely retired.
Incorrect — available in special cases, not the default.
09In overlay2, the container’s writable layer is the…
Correct — reads fall through to lowerdir; writes copy up into upperdir.
Incorrect — lowerdir is the read-only image layers.
Incorrect — workdir is overlay’s scratch area, not where writes land.
Incorrect — the writable layer is part of the overlay, not a volume.
10Writes to a large file inside a container are slow because…
Incorrect — this is a filesystem, not network, effect.
Incorrect — unrelated unless you configured tmpfs.
Correct — volumes bypass the union/CoW machinery for direct writes.
Incorrect — overlay2 does not compress writes.
11overlay2 needs a backing filesystem that supports…
Incorrect — not a requirement.
Correct — without d_type, overlay2 misbehaves; docker info shows "Supports d_type".
Incorrect — not required by overlay2.
Incorrect — irrelevant to the driver.
12To move Docker’s storage to a dedicated disk, set in daemon.json…
Correct — relocates images/containers/volumes off the root partition.
Incorrect — not how you relocate Docker’s store.
Incorrect — that configures logging, not the data directory.
Incorrect — that limits per-container size; it does not relocate the store.
12 questions · explanations appear as you answer
Networking
14 questions
01Two containers on the DEFAULT bridge cannot resolve each other by name because…
Incorrect — DNS works — on user-defined networks.
Correct — create a user-defined bridge (or use Compose) and names resolve.
Incorrect — publishing is for host access; same-network containers talk directly.
Incorrect — volumes share files, not connectivity.
02The embedded Docker DNS server inside a container listens on…
Incorrect — that is a public resolver, not Docker’s embedded DNS.
Incorrect — that is the cloud metadata endpoint.
Correct — Docker’s embedded DNS on user-defined networks.
Incorrect — DNS is the special 127.0.0.11 address.
03host networking (--network host) means the container…
Correct — it can bind any host port and see host traffic; reserve for cases that need it.
Incorrect — that is --network none.
Incorrect — overlay is a multi-host Swarm driver, not host mode.
Incorrect — the opposite — it shares the host stack.
04A published port with a bare -p 8080:80 binds on…
Incorrect — that requires -p 127.0.0.1:8080:80 explicitly.
Correct — bind 127.0.0.1 or firewall it to avoid exposing "local" ports.
Incorrect — that is -P (capital).
Incorrect — publishing maps to the host, not just the container.
05To expose a debug port to the host only (not the internet), use…
Incorrect — that binds 0.0.0.0 — reachable from outside on a cloud box.
Incorrect — that removes isolation entirely, exposing more.
Correct — binds the loopback so only the host itself can reach it.
Incorrect — publishes to a random 0.0.0.0 port — still public.
06To isolate tiers so the DB is unreachable except from web, you…
Correct — a container reaches only networks it is attached to; the DB, absent from frontend, is unreachable there.
Incorrect — that limits host access, not container-to-container reach.
Incorrect — removes isolation — wrong direction.
Incorrect — EXPOSE/ports do not gate cross-container reachability; networks do.
07A container can be reached by name after it is recreated with a new IP because…
Incorrect — they do change on recreate; that is the point of DNS.
Correct — so you connect by name, never a hardcoded IP.
Incorrect — IPs are not pinned by default.
Incorrect — resolution is via Docker’s embedded DNS, not the host hosts file.
08macvlan is the driver to use when a container must…
Correct — powerful, but needs promiscuous mode and is often blocked on cloud networks.
Incorrect — that is overlay.
Incorrect — that is none.
Incorrect — that is host mode.
09A published port maps fine but curl localhost:8080 is refused. The sneaky cause is…
Incorrect — it would not start, not just refuse connections.
Incorrect — unrelated to a host port refusal.
Correct — it must bind 0.0.0.0; ss -tlnp inside reveals the localhost bind.
Incorrect — that is about bind permission, not this refusal.
10The fastest way to test connectivity from inside a minimal (no-tools) container is…
Incorrect — slow and pollutes the image; there is a cleaner way.
Correct — gives nslookup/curl/ss without touching the target image.
Incorrect — the daemon log will not tell you app reachability.
Incorrect — unhelpful for a connectivity test.
11When debugging "web can't reach db," the first thing to confirm is…
Correct — the most common cause — they are on different networks so the name never resolves.
Incorrect — irrelevant to name resolution/reachability.
Incorrect — size does not affect connectivity.
Incorrect — internal traffic does not need host internet.
12ss -tlnp inside a container is used to check…
Incorrect — that is nslookup/dig.
Correct — reveals a 127.0.0.1 bind that makes a mapped port unreachable.
Incorrect — that is docker history.
Incorrect — that is docker inspect.
13EXPOSE in a Dockerfile does what?
Incorrect — that is -p / -P at run time; EXPOSE publishes nothing.
Incorrect — it touches no firewall.
Correct — -P can auto-publish EXPOSEd ports, but EXPOSE itself is documentation.
Incorrect — it blocks nothing.
14The legacy --link flag is deprecated mainly because user-defined networks…
Correct — --link was point-to-point, brittle, and injected the linked container’s config.
Incorrect — the issue is correctness and leakage, not raw speed.
Incorrect — both work with any image.
Incorrect — neither encrypts by default; that is a mesh/mTLS concern.
14 questions · explanations appear as you answer
Orchestration with Swarm
12 questions
01Why must a swarm run an odd number of managers?
Incorrect — it is about consensus, not load.
Correct — an even count buys nothing, and two managers is worse than one.
Incorrect — workers are unaffected by manager count.
Incorrect — the mesh is a data-plane feature, independent of quorum.
02If a swarm loses its manager majority, the cluster…
Incorrect — nothing is deleted.
Incorrect — it cannot schedule without quorum.
Correct — you must restore quorum before changes take effect.
Incorrect — promotion is a manual/administrative action.
03To take a node down for maintenance without dropping its workloads, you…
Correct — draining reschedules its tasks elsewhere and stops new placement.
Incorrect — that kills workloads instead of relocating them.
Incorrect — not how swarm evacuation works.
Incorrect — that removes the workload entirely.
04A Swarm service is…
Incorrect — that is docker run; a service is cluster-wide desired state.
Correct — the swarm reconciles reality to the declared replicas.
Incorrect — networks are separate objects.
Incorrect — volumes are separate objects.
05Global mode (--mode global) is for…
Correct — it grows automatically as nodes join.
Incorrect — that is replicated mode.
Incorrect — global runs on all eligible nodes, not just managers.
Incorrect — that is replicated with replicas=1.
06A rolling update that reverts automatically on failure uses…
Incorrect — that restarts tasks; it does not roll back an update.
Correct — a failed task aborts and reverts the whole update.
Incorrect — force re-runs the update; it does not add rollback.
Incorrect — that deletes the service.
07docker stack deploy ignores the build: key because…
Incorrect — it is by design.
Incorrect — the swarm does not build at all.
Correct — build+push first, then deploy.
Incorrect — they can; the swarm just ignores it.
08To pin a service to specific nodes (e.g. SSD hosts), you use…
Correct — label the nodes, then constrain the service to matching labels.
Incorrect — unrelated to scheduling placement.
Incorrect — that changes networking, not placement.
Incorrect — a security flag, not a placement mechanism.
09An overlay network lets services on different nodes talk by…
Incorrect — the overlay handles cross-node traffic transparently.
Correct — a container on node-1 reaches one on node-2 as if on one LAN.
Incorrect — volumes share files, not network reach.
Incorrect — bridge is single-host; overlay spans nodes.
10The routing mesh means a published service port is reachable…
Correct — so an external LB can target all nodes without tracking replicas.
Incorrect — that is host-mode publishing, not the mesh.
Incorrect — any node answers on the published port.
Incorrect — the mesh handles external published ports too.
11A Docker secret is delivered to a service as…
Incorrect — secrets are deliberately NOT env vars — that is the leak they avoid.
Correct — encrypted in Raft at rest, never on disk, absent from docker inspect.
Incorrect — secrets are not baked into images.
Incorrect — secrets are encrypted, not public.
12To rotate a Swarm secret with no downtime, you…
Incorrect — secrets are immutable; they cannot be edited.
Incorrect — unnecessary and disruptive.
Correct — tasks pick up the new file as they are replaced; then remove the old secret.
Incorrect — that reintroduces the leak secrets exist to prevent.
12 questions · explanations appear as you answer
Practical recipes
10 questions
01In a Compose stack, where should a database keep its data?
Incorrect — deleted with the container and slow (copy-on-write).
Correct — survives recreate and bypasses overlay CoW — the only durable choice.
Incorrect — env vars hold small config, not a database’s files.
Incorrect — images are read-only; runtime data does not belong in them.
02The official DB images read a password from a file when you use…
Correct — keeps the value out of inspect, logs, and the process environment.
Incorrect — not how the official images take credentials, and it would leak in ps.
Incorrect — that bakes it into the image — the opposite of secret.
Incorrect — labels are metadata, not credential inputs.
03depends_on with condition: service_healthy makes a service wait for…
Incorrect — the opposite — it waits for readiness.
Incorrect — that is plain depends_on; the condition waits for the healthcheck.
Correct — eliminates the "app booted before the DB was ready" race.
Incorrect — no human step is involved.
04Why prefer python:3.12-slim over python:3.12-alpine for most apps?
Incorrect — Alpine is small, but that is not the issue for Python.
Correct — slim (Debian/glibc) uses prebuilt manylinux wheels — faster builds, fewer bugs.
Incorrect — user is set by your Dockerfile, not the base flavor.
Incorrect — it can; the friction is native wheels.
05An unauthenticated Redis published on 0.0.0.0 is dangerous because…
Correct — a classic mass-exploited misconfig; require a password and do not publish it.
Incorrect — the risk is exposure, not CPU.
Incorrect — Redis can persist (RDB/AOF); the issue is open access.
Incorrect — exposure, not blocking, is the problem.
06In the NGINX reverse-proxy recipe, the backend app service should…
Incorrect — then it is directly reachable, defeating the proxy.
Incorrect — removes isolation; unnecessary.
Correct — only NGINX gets a host port; it proxies to the app by service name.
Incorrect — it should share the stack’s user-defined network for name resolution.
07Scripts placed in /docker-entrypoint-initdb.d of an official DB image run…
Incorrect — they run once, on an empty data directory — not every start.
Correct — first-run bootstrap for users/schema/seed — not migrations.
Incorrect — it is a real, supported hook.
Incorrect — it works with plain docker run and Compose.
08Your application should connect to MySQL/Postgres as…
Correct — so a leaked app credential cannot administer the whole server.
Incorrect — a single injection then owns every database.
Incorrect — unauthenticated databases are breached routinely.
Incorrect — blast radius and auditing both suffer; scope per app.
09For a live-reload Node dev container, you bind-mount the source and…
Incorrect — host-arch modules often break on the Linux image.
Correct — keeps the container’s installed dependencies while source stays live.
Incorrect — defeats the purpose of the bind mount.
Incorrect — unrelated to the node_modules shadowing issue.
10In the WordPress + MySQL stack, the WordPress container reaches the DB at host…
Incorrect — that is WordPress’s own container, not the DB.
Incorrect — IPs change; use the name.
Correct — services reach each other by name on the stack network.
Incorrect — internal traffic stays on the Compose network, by name.
10 questions · explanations appear as you answer
Production & CI
8 questions
01The two non-negotiable container security habits are…
Correct — root+kernel bug = host compromise; a secret in any layer is leaked to all who can pull.
Incorrect — both are exactly what to avoid.
Incorrect — those help; disabling them is backwards.
Incorrect — that maximizes exposure — the opposite of a good habit.
02The exec form CMD ["node","server.js"] (vs a bare string) matters because…
Incorrect — readability aside, the real reason is signals.
Correct — the shell form wraps it in /bin/sh, which swallows SIGTERM so stop hangs then kills.
Incorrect — form does not affect size.
Incorrect — the string form is allowed; it just handles signals worse.
03Bind-mounting /var/run/docker.sock into a CI job is risky because…
Incorrect — it is usually faster — the problem is security, not speed.
Incorrect — it can build; that is why people use it.
Correct — prefer isolated DinD or a daemonless builder (BuildKit, Kaniko).
Incorrect — caching is unaffected; exposure is the issue.
04In a container pipeline, the scan stage should…
Correct — a scanner that blocks every merge gets disabled; gate on what is actionable.
Incorrect — that floods developers and gets the gate turned off.
Incorrect — the point is to catch issues before merge.
Incorrect — tests and vulnerability scans check different things.
05Tagging a CI image by commit SHA (not a floating name) gives you…
Incorrect — the tag does not change size.
Correct — each image ties to the exact commit that built it — good for rollback and audit.
Incorrect — the tag name does not affect build speed.
Incorrect — signing is a separate cosign step.
06A daemonless image builder (BuildKit/buildx or Kaniko) is preferred in CI because…
Correct — no root-equivalent socket or dind privilege needed.
Incorrect — it produces standard OCI images.
Incorrect — BuildKit has strong caching.
Incorrect — these run on Linux CI runners.
07Signing an image in CI (e.g. Cosign) exists so that…
Incorrect — signing does not compress.
Incorrect — signing adds a step; speed is not the point.
Correct — a Kubernetes policy can reject anything unsigned or signed by the wrong identity.
Incorrect — unrelated to cost.
08Registry credentials in a pipeline should be…
Incorrect — that leaks them to anyone who reads the repo.
Correct — kept out of the repo and out of logs.
Incorrect — never log credentials.
Incorrect — that commits the secret into version control.
8 questions · explanations appear as you answer