Docker Ops¶
91 cards — 🟢 19 easy | 🟡 38 medium | 🔴 19 hard
🟢 Easy (19)¶
1. A registry contains one or more _ which in turn contain one or more _
Show answer
A registry contains one or more repositories which in turn contain one or more images.Analogy: registry = library, repository = bookshelf (one per project), image = specific edition of a book (tagged by version).
Example: Docker Hub (registry) > library/nginx (repository) > nginx:1.25, nginx:1.24, nginx:alpine (images/tags).
Remember: a repository groups all versions of one image. A registry hosts many repositories.
2. How to check which architectures a certain container image supports?
Show answer
`docker manifest inspectExample: docker manifest inspect nginx:latest shows a manifest list with entries for linux/amd64, linux/arm64, linux/arm/v7, etc.
Under the hood: multi-arch images use a manifest list (also called an OCI image index) that maps each platform to a platform-specific image manifest.
Remember: crane (from go-containerregistry) is a faster alternative: crane manifest nginx:latest | jq '.manifests[].platform'
3. How to list the layers of an image?
Show answer
In case of Docker, you can use `docker image inspectExample: docker history nginx:latest --no-trunc shows the full Dockerfile instruction that created each layer.
Remember: dive is a third-party tool that lets you interactively browse layers and see exactly what files each layer adds or removes.
4. What forms of self-healing options available for Docker containers?
Show answer
Restart Policies. It allows you to automatically restart containers after certain events.Example: docker run --restart=always nginx restarts the container on crash, daemon restart, or host reboot. Other policies: no (default), on-failure[:max-retries], unless-stopped.
Remember: restart policies provide basic self-healing. For production, Kubernetes provides richer self-healing: liveness probes, readiness probes, and deployment controllers that recreate failed pods.
5. True or False? Once created, it's impossible to remove a tag for a certain image
Show answer
False. You can run `podman rmi IMAGE:TAG`.Under the hood: removing a tag removes only the pointer. Underlying layers remain until garbage collected.
6. True or False? In multi-stage builds, artifacts can be copied between stages
Show answer
True. In multi-stage builds, `COPY --from=builder /app/binary /app/binary` copies artifacts between stages. This lets you compile in a full SDK image but ship only the binary in a minimal runtime image (e.g., distroless or alpine), dramatically reducing final image size and attack surface.7. How to view the instructions that were used to build image?
Show answer
`docker image historyUnder the hood: docker history shows each layer's command and size. Helps identify bloated RUN instructions.
8. True or False? A single container image can have multiple tags
Show answer
True. When listing images, you might be able to see two images with the same ID but different tags.Example: tag same image as v1.2.3, v1.2, v1, latest — all pointing to one digest. Standard versioning strategy.
9. What is "Docker Hub"?
Show answer
Docker Hub is a public registry for storing and sharing Docker images. It hosts official images (nginx, postgres, ubuntu) maintained by Docker and verified publishers. Free accounts get one private repo; paid plans add more. Alternatives include Quay.io, GitHub Container Registry (ghcr.io), and self-hosted registries.10. How to see changes done to a given image over time?
Show answer
`docker historyGotcha: squashed images or images built with BuildKit may show truncated history.
11. What does docker system prune -a do?
Show answer
Deletes all unused images, containers, and data.Under the hood: removes stopped containers, unused networks, dangling images, and build cache. Add -a for ALL unused images, --volumes for volumes.
Gotcha: prune is permanent. In production, schedule carefully — it can remove images that stopped containers need for restart.
12. How do you tag a Docker image and what are tagging best practices?
Show answer
`podman tag IMAGE:TAG` or `docker tag SOURCE_IMAGE:TAG TARGET_IMAGE:TAG`.Example: `docker tag myapp:latest myregistry.com/myapp:v1.2.3`.
Best practice: use semantic versioning (v1.2.3) rather than 'latest', which is mutable and makes rollbacks ambiguous. Also tag with the git SHA for traceability.
13. How to push an image to a registry?
Show answer
`podman push IMAGE`You can specify a specific registry: `podman push IMAGE REGISTRY_ADDRESS`
Under the hood: push uploads only new layers. Content-addressable storage deduplicates — shared layers never re-uploaded.
14. True or False? Multiple tags can reference the same image
Show answer
True. Multiple tags can point to the same Docker image (same digest). For example, 'latest', 'v1.2', and 'stable' can all reference the same image layers.15. Which operations OCI based containers must support?
Show answer
OCI containers must support five operations: Create, Kill, Delete, Start, and Query State. Mnemonic: CKDSQ — 'Containers Keep Delivering Software Quickly.' These operations define the minimum interface any OCI-compliant runtime (runc, crun, kata) must implement.16. How the centralized location, where images are stored, is called?
Show answer
A Registry. Docker Hub is the default public registry. You can run a private registry with `docker run -d -p 5000:5000 registry:2`. Images are pushed/pulled by their registry path.17. How the Docker client communicates with the daemon?
Show answer
Via the local socket at `/var/run/docker.sock`Gotcha: docker.sock = full root on the host. Mounting it into containers is equivalent to giving them root access.
18. How to find out which files were added to the container image filesystem?
Show answer
`podman diff IMAGE_NAME` shows filesystem changes: A=added, C=changed, D=deleted files in the container's writable layer versus the base image. This is useful for debugging unexpected file modifications or verifying that a container only changed what you intended. Works on both running and stopped containers.19. True or False? A single image can support multiple architectures (Linux x64, Windows x64, ...)
Show answer
True. Docker supports multi-architecture images via manifest lists. A single image tag can resolve to different platform-specific images (linux/amd64, linux/arm64, windows/amd64).🟡 Medium (38)¶
1. How multi-architecture images work? Explain by describing what happens when an image is pulled
Show answer
1. A client makes a call to the registry to use a specific image (using an image name and optionally a tag)2. A manifest list is parsed (assuming it exists) to check if the architecture of the client is supported and available as a manifest
3. If it is supported (a manifest for the architecture is available) the relevant manifest is parsed to obtain the IDs of the layers
4. Each layer is then pulled using the obtained IDs from the previous step
2. How do you tag and version Docker images?
Show answer
Tagging and versioning Docker images help identify and manage different versions of an image. The basic syntax for tagging is repository:tag. Here's how you can tag and version a Docker image:```\n# Tagging an image with a specific version\ndocker tag image_name:latest image_name:1.0\n# Pushing the tagged image to a registry (optional)\ndocker push image_name:1.0\n```
`image_name` is the name of your Docker image.
`latest` is the default tag, but it's a good practice to use version tags like 1.0.
3. Describe in detail what happens when you run podman/docker run hello-world?
Show answer
Docker/Podman CLI passes your request to Docker daemon.Docker/Podman daemon downloads the image from Docker Hub
Docker/Podman daemon creates a new container by using the image it downloaded
Docker/Podman daemon redirects output from container to Docker CLI which redirects it to the standard output
4. How to configure registries with the containers engine you are using?
Show answer
For podman, registries can be configured in `/etc/containers/registries.conf` this way:```\n[registries.search]\nregistries = ["quay.io"]\n```
For Docker, registries are configured in /etc/docker/daemon.json or ~/.docker/config.json.
Gotcha: Docker defaults to docker.io. Podman defaults to searching multiple registries. Misconfigured search order can pull the wrong image from the wrong registry.
Example: docker login ghcr.io stores credentials in ~/.docker/config.json for GitHub Container Registry.
5. You and your team work on the same project, but different versions of it. For each version, the team creates a new, separate image. What would you suggest the team to change in such case?
Show answer
Use tags. You can distinguish between different releases of a project using image tags. There is no need to create an entire separate image for version/release of a project.6. What is the digest of an image? What problem does it solves?
Show answer
Tags are mutable. This is mean that we can have two different images with the same name and the same tag. It can be very confusing to see two images with the same name and the same tag in your environment. How would you know if they are truly the same or are they different?This is where "digests` come handy. A digest is a content-addressable identifier. It isn't mutable as tags. Its value is predictable and this is how you can tell if two images are the same content wise and not merely by looking at the name and the tag of the images.
7. What is a distribution hash in regards to layers?
Show answer
- Layers are compressed when pushed or pulled- distribution hash is the hash of the compressed layer
- the distribution hash used when pulling or pushing images for verification (making sure no one tempered with image or layers)
- It's also used for avoiding ID collisions (a case where two images have exactly the same generated ID)
8. What is a dangling image?
Show answer
It's an image without tags attached to it.One way to reach this situation is by building an image with exact same name and tag as another already existing image. It can be still referenced by using its full SHA.
9. How do you initialize a Docker Swarm?
Show answer
To initialize a Docker Swarm and make the current node a manager:```docker swarm init --advertise-addr
This command generates a join token that other nodes can use to join the swarm.
To join a worker or manager node to the swarm:
```docker swarm join --token
10. What is a container registry and how is it used?
Show answer
- A registry is a service which stores container images and allows users to pull specified images to run containers.- There are public registries (everyone can access them) and private (accessed only internally in the organization or specific network)
11. How to find out which registry do you use by default from your environment?
Show answer
Depends on the containers technology you are using. For example, in case of Docker, it can be done with `docker info````\n> docker info\nRegistry: https://index.docker.io/v1\n```
12. There is a running container that has a certain issue. You would like to share an image of that container with your team members, with certain environment variables set for debugging purposes. How would you do it?
Show answer
`podman commit` can be a good choice for that. You can create a new image of the running container (with the issue) and share that new image with your team members.What you probably want to avoid using:
- Using something as `podman save/load` as it applies on an image, not a running container (so you'll share the image but the issue might not be reproduced when your team members run a container using it)
- Modifying Containerfile/Dockerfile as you don't really want to add environment variables meant for debugging to the source from which you usually build images
13. What is shim in regards to Docker?
Show answer
shim is the process that becomes the container's parent when runc process exists. It's responsible for:- Reporting exit code back to the Docker daemon
- Making sure the container doesn't terminate if the daemon is being restarted. It does so by keeping the stdout and stdin open
14. What is Docker Hub and how is it used in container workflows?
Show answer
Docker Hub is a cloud registry for Docker images. It allows you to push images to share them and pull images (like "nginx" or "ubuntu") for use. It contains official images and user-contributed repositories.15. What is Docker Swarm, and how does it facilitate orchestration?
Show answer
Docker Swarm is a native clustering and orchestration solution for Docker. It allows you to create and manage a swarm of Docker nodes, turning them into a single, virtual Docker host. Swarm provides built-in orchestration features for deploying, scaling, and managing containerized applications across a cluster of machines.**Swarm facilitates orchestration by:**
* Service Management: Defining and deploying services across the swarm.
* Scaling: Scaling services up or down based on demand.
* Load Balancing: Distributing traffic to services among available nodes.
* Rolling Updates: Performing rolling updates to services with minimal downtime.
* Secrets and Configs: Managing sensitive information and configurations securely.
16. True or False? Running a dozen of containers will result in having a dozen of runc processes
Show answer
False. Once a container is created, the parent runc process exists.Under the hood: runc creates namespaces/cgroups, starts the process, then exits. The shim becomes container's parent.
17. What are some best practices in regards to Container Images?
Show answer
- Use tags. Using `latest` is quite common (which can mean latest build or latest release)- tag like `3.1` can be used to reference the latest release/tag of the image like `3.1.6`
- Don't use `commit` for creating new official images as they include the overhead of logs and processes and usually end up with bigger images
- For sharing the image, use a registry (either a public or a private one, depends on your needs)
18. What components are part of the Docker engine?
Show answer
The Docker engine has three core components: the Docker daemon (dockerd) handles high-level tasks like image management and networking; containerd manages container lifecycle (start, stop, pause); and runc is the low-level OCI runtime that actually creates and runs containers using Linux namespaces and cgroups.19. Explain the concept of Docker Swarm stacks.
Show answer
To perform rolling updates in Docker Swarm, use the docker service update command with the --update-delay option:```docker service update --image new_image:tag --update-delay 10s my_service```
This example updates the my_service service to use the new image with a 10-second delay between updating each container. This ensures a controlled and gradual rollout of the new version, minimizing downtime.
Rolling updates help maintain service availability while introducing changes to the running containers.
20. You would like to share an image with another developer, but without using a registry. How would you do it?
Show answer
Use `podman save -o image.tar IMAGE` to export, transfer with rsync/scp, then `podman load -i image.tar` on the remote host. This is useful for air-gapped environments without registry access.Gotcha: the tarball includes all layers, so large images produce large files — consider compressing with gzip.
21. What are image tags? Why is it recommended to use tags when supporting multiple releases/versions of a project?
Show answer
Image tags are used to distinguish between multiple versions of the same software or project. Let's say you developed a project called "FluffyUnicorn" and the current release is `1.0`. You are about to release `1.1` but you still want to keep `1.0` as stable release for anyone who is interested in it. What would you do? If your answer is create another, separate new image, then you probably want to rethink the idea and just create a new image tag for the new release.In addition, it's important to note that container registries support tags. So when pulling an image, you can specify a specific tag of that image.
22. Do you perform any checks or testing on your Containerfiles/Dockerfiles?
Show answer
Use [hadolint](https://github.com/hadolint/hadolint), a Dockerfile linter based on best practices. Run it with `hadolint Dockerfile` or integrate into CI. It checks for issues like missing version pinning in apt-get install, running as root, and using COPY instead of ADD. Also consider `docker scout` for vulnerability scanning of built images.23. Which components/layers compose the Docker technology?
Show answer
1. Runtime - responsible for starting and stopping containers2. Daemon - implements the Docker API and takes care of managing images (including builds), authentication, security, networking, etc.
3. Orchestrator
24. How do you keep Docker images small?
Show answer
Use smaller base images, minimize layers, clean package caches, and copy only what's required. Multi-stage builds help keep production images clean.25. What podman commit does?. When will you use it?
Show answer
Creates a new image from a running container. Users can apply extra changes to be saved in the new image version.Most of the time the user case for using `podman commit` would be to apply changes allowing to better debug the container. Not so much for creating a new image since commit adds additional overhead of potential logs and processes, not required for running the application in the container. This eventually makes images created by `podman commit` bigger due to the additional data stored there.
26. What are some best practices you following in regards to using containers in production?
Show answer
Images:* Use images from official repositories
* Include only the packages you are going to use. Nothing else.
* Specify a tag in FROM instruction. Not using a tag means you'll always pull the latest, which changes over time and might result in unexpected result.
* Do not use environment variables to share secrets
* Keep images small! - you want them only to include what is required for the application to run successfully. Nothing else.
Components:
* Secured connection between components (e.g. client and server)
27. What are the pros and cons of squashing images?
Show answer
Pros:* Smaller image
* Reducing number of layers (especially if the image has lot of layers)
Cons:
* No sharing of the image layers
* Push and pull can take more time (because no matching layers found on target)
28. What is the low-level runtime?
Show answer
- The low level runtime is called runc- It manages every container running on Docker host
- Its purpose is to interact with the underlying OS to start and stop containers
- Its reference implementation is of the OCI (Open Containers Initiative) container-runtime-spec
- It's a small CLI wrapper for libcontainer
29. What is Docker Hub, and how is it used?
Show answer
Docker Hub is a cloud-based registry service provided by Docker that allows users to store and share Docker images. It serves as a central repository for Docker images, and users can pull images from Docker Hub to their local systems. Docker Hub provides both public and private repositories. Public repositories are accessible to anyone, while private repositories require authentication to access. Users can also push their own Docker images to Docker Hub, making them available to the Docker community. It is a convenient platform for collaborating, distributing, and versioning Docker images.30. True or False? The docker daemon (dockerd) performs lower-level tasks compared to containerd
Show answer
False. The Docker daemon (dockerd) performs higher-level tasks like image management, networking, and volume orchestration. containerd handles the lower-level container lifecycle (start, stop, pause, delete). Below containerd, runc does the actual Linux kernel work (namespaces, cgroups). The hierarchy is: dockerd -> containerd -> runc.31. What are some of the best practices regarding Containerfiles/Dockerfiles that you are following?
Show answer
* Include only the packages you are going to use. Nothing else.* Specify a tag in FROM instruction. Not using a tag means you'll always pull the latest, which changes over time and might result in unexpected result.
* Do not use environment variables to share secrets
* Use images from official repositories
* Keep images small! - you want them only to include what is required for the application to run successfully. Nothing else.
* If are using the apt package manager, you might want to use 'no-install-recommends' with `apt-get install` to install only main dependencies (instead of suggested, recommended packages)
32. How do you remove old, non running, containers?
Show answer
1. To remove one or more Docker images use the docker container rm command followed by the ID of the containers you want to remove.2. The docker system prune command will remove all stopped containers, all dangling images, and all unused networks
3. docker rm $(docker ps -a -q) - This command will delete all stopped containers. The command docker ps -a -q will return all existing container IDs and pass them to the rm command which will delete them. Any running containers will not be deleted.
33. What is the purpose of Docker services in Swarm mode?
Show answer
Docker services in Swarm mode are the primary abstraction for deploying and managing containers. A service defines the desired state for a group of tasks (containers) and ensures that the specified number of replicas are running across the swarm.**Key aspects of Docker services:**
* Replicas: The number of identical containers running the service.
* Load Balancing: Services distribute incoming traffic across all running containers.
* Desired State: The service maintains the desired number of replicas, auto-healing if necessary.
* Scaling: Services can be scaled up or down dynamically.
34. What .dockerignore is used for?
Show answer
By default, Docker uses everything (all the files and directories) in the directory you use as build context.`.dockerignore` used for excluding files and directories from the build context
35. How can you scale services in Docker Swarm?
Show answer
To scale a service in Docker Swarm, use the docker service scale command:```docker service scale my_service=5```
This command scales the service named my_service to have five replicas. Docker Swarm will automatically distribute the replicas across available worker nodes.
36. How can you remove intermediate images in the Docker build process?
Show answer
Docker automatically creates intermediate images during the build process, and these images can accumulate, consuming disk space. To remove intermediate images, you can use the docker image prune command:```\n# Remove all dangling (untagged) images and unused build cache\ndocker image prune\n# Remove all unused images, not just dangling ones\ndocker image prune -a\n```
The -a option in the second command removes all unused images, including those with tags.
37. What restart policies are you familiar with?
Show answer
* always: restart the container when it's stopped (not with `docker container stop`)* unless-stopped: restart the container unless it was in stopped status
* no: don't restart the container at any point (default policy)
* on-failure: restart the container when it exists due to an error (= exit code different than zero)
38. What is the OCI (Open Container Initiative) and what standards does it define?
Show answer
OCI (Open Container Initiative) is an open governance established in 2015 to standardize container creation - mostly image format and runtime. At that time there were a number of parties involved and the most prominent one was Docker.Specifications published by OCI:
- [image-spec](https://github.com/opencontainers/image-spec)
- [runtime-spec](https://github.com/opencontainers/runtime-spec)
🔴 Hard (19)¶
1. What is the role of cache in image builds?
Show answer
When you build an image for the first time, the different layers are being cached. So, while the first build of the image might take time, any other build of the same image (given that Containerfile/Dockerfile didn't change or the content used by the instructions) will be instant thanks to the caching mechanism used.In little bit more details, it works this way:
1. The first instruction (FROM) will check if base image already exists on the host before pulling it
2.
2. Describe in detail what happens when you run a container
Show answer
1. The Docker client converts the run command into an API payload2. It then POST the payload to the API endpoint exposed by the Docker daemon
3. When the daemon receives the command to create a new container, it makes a call to containerd via gRPC
4. containerd converts the required image into an OCI bundle and tells runc to use that bundle for creating the container
5. runc interfaces with the OS kernel to pull together the different constructs (namespace, cgroups, etc.) used for creating the container
6. Container process is started as a child-process of runc
7. Once it starts, runc exists
3. Describe in detail what happens when you run docker pull image:tag?
Show answer
Docker CLI passes your request to Docker daemon. Dockerd Logs shows the processdocker.io/library/busybox:latest resolved to a manifestList object with 9 entries; looking for a unknown/amd64 match
found match for linux/amd64 with media type application/vnd.docker.distribution.manifest.v2+json, digest sha256:400ee2ed939df769d4681023810d2e4fb9479b8401d97003c710d0e20f7c49c6
4. What happens when you run docker container run ubuntu?
Show answer
1. Docker client posts the command to the API server running as part of the Docker daemon2. Docker daemon checks if a local image exists
1. If it exists, it will use it
2. If doesn't exists, it will go to the remote registry (Docker Hub by default) and pull the image locally
3. containerd and runc are instructed (by the daemon) to create and start the container
5. How do you optimize Docker images for size?
Show answer
Optimizing Docker images for size is crucial for efficient image distribution and faster deployment. Here are some strategies:* Use Minimal Base Images:
Choose lightweight base images, such as Alpine Linux, to minimize the size of the initial image layer.
* Reduce the Number of Layers:
Minimize the number of layers in the Dockerfile to reduce image complexity and improve caching.
* Combine RUN Commands:
Combine multiple RUN commands into a single command to reduce the number of layers.
6. What is the significance of the Docker daemon?
Show answer
The Docker daemon (dockerd) is a background process responsible for managing Docker objects on the host system. It serves as the central component of the Docker architecture and performs key functions, including:* Image and Container Management: The daemon manages Docker images, containers, networks, and volumes.
7. Explain Multi-stage builds
Show answer
Multi-stages builds allow you to produce smaller container images by splitting the build process into multiple stages.As an example, imagine you have one Containerfile/Dockerfile where you first build the application and then run it. The whole build process of the application might be using packages and libraries you don't really need for running the application later. Moreover, the build process might produce different artifacts which not all are needed for running the application.
8. How do you uninstall Docker from a system?
Show answer
The process of uninstalling Docker varies depending on the operating system. Here are instructions for some common platforms:**Linux (Ubuntu/Debian):**
* sudo apt-get purge docker-ce docker-ce-cli containerd.io
**Linux (CentOS/RHEL):**
* sudo yum remove docker-ce docker-ce-cli containerd.io
**Mac:**
Use the Docker Desktop application to stop Docker.
* Remove the Docker application from the "Applications" folder.
**Windows:**
* Use the "Add or Remove Programs" feature to uninstall Docker Desktop.
9. Explain the architecture of Docker.
Show answer
Docker follows a client-server architecture. The key components include:* Docker Daemon: This is a background process that manages Docker objects like images, containers, networks, and volumes on the host system.
* Docker Client: It is the primary interface through which users interact with Docker. Users issue commands to the Docker client, and the client communicates with the Docker daemon to execute those commands.
* Docker Registry: It is a repository for Docker images. Docker Hub is the default public registry, but private registries can also be used.
* Docker Objects: These include images, containers, networks, and volumes. Images are the blueprints for containers, and containers are the running instances of those images.
10. True or False? Killing the Docker daemon will kill all the running containers
Show answer
False. While this was true at some point, today the container runtime isn't part of the daemon (it's part of containerd and runc) so stopping or killing the daemon will not affect running containers.11. What is a multi-stage Docker build and why would you use it?
Show answer
Multi-stage builds allow you to use multiple FROM statements in a Dockerfile,creating separate build stages. Only the final stage becomes the output image.
Benefits:
- Smaller final images (no build tools, source code)
- Improved security (fewer components to attack)
- Cleaner Dockerfiles (no complex cleanup commands)
- Faster deployments (smaller images to transfer)
Example:
```dockerfile\n# Build stage\nFROM golang:1.21 AS builder\nWORKDIR /app\nCOPY . .\nRUN go build -o myapp\n\n# Final stage\nFROM alpine:3.19\nCOPY --from=builder /app/myapp /usr/local/bin/\nCMD ["myapp"]\n```
Result: Final image only contains Alpine + binary, not the Go compiler
and all source code.
Common pattern: Build in full SDK image, run in minimal runtime image.
12. Explain the concept of Docker context.
Show answer
Docker context is a feature introduced to simplify the management of Docker environments. A Docker context represents a point of interaction with a Docker daemon, which can be local or remote. It includes information about the Docker host, authentication details, and other settings.**Key aspects of Docker context:**
* Switching Contexts: Users can switch between different Docker contexts using the docker context use command.
13. What is Docker Machine, and how is it used?
Show answer
Docker Machine is a tool for creating and managing Docker hosts (virtual machines) on local or remote systems. It simplifies the process of setting up Docker on different platforms, allowing users to create and manage Docker-enabled machines with minimal effort.**Key features and usage of Docker Machine:**
* Provisioning: Docker Machine can create Docker hosts on various platforms, including local VirtualBox, AWS, Azure, and others.
* Management: Docker Machine provides commands for starting, stopping, and managing Docker hosts.
14. What is the purpose of Docker plugins?
Show answer
Docker plugins extend Docker's functionality by providing additional features, functionalities, or integrations. Plugins allow users to customize and enhance Docker according to specific requirements.**Key aspects of Docker plugins:**
* Storage Plugins: Extend Docker's storage capabilities, allowing integration with various storage solutions.
* Network Plugins: Enhance Docker's networking features, enabling integration with different network infrastructures.
15. What is multi-stage Docker builds, and when would you use them?
Show answer
Multi-stage builds in Docker allow you to use multiple FROM statements in a single Dockerfile, creating a series of intermediate images. Each stage is used for a specific purpose, such as building dependencies or compiling code, and the final stage produces the optimized runtime image.16. What ways are there to reduce container images size?
Show answer
* Reduce number of instructions - in some case you may be able to join layers by installing multiple packages with one instructions for example or using `&&` to concatenate RUN instructions* Using smaller images - in some cases you might be using images that contain more than what is needed for your application to run. It is good to get overview of some images and see whether you can use smaller images that you are usually using.
* Cleanup after running commands - some commands, like packages installation, create some metadata or cache that you might not need for running the application. It's important to clean up after such commands to reduce the image size
* For Docker images, you can use multi-stage builds
17. Explain the significance of the "docker inspect" command.
Show answer
The docker inspect command is used to obtain detailed information about Docker objects, including containers, images, volumes, networks, and more. It provides a JSON-formatted output containing extensive details about the specified object.**Key uses and significance of docker inspect:**
* Container Details: View container configurations, networking information, mounted volumes, and more.
* Image Details: Retrieve information about image layers, labels, and other metadata.
18. What is the high-level runtime?
Show answer
- The high level runtime is called containerd- It was developed by Docker Inc and at some point donated to CNCF
- It manages the whole lifecycle of a container - start, stop, remove and pause
- It take care of setting up network interfaces, volume, pushing and pulling images, ...
- It manages the lower level runtime (runc) instances
- It's used both by Docker and Kubernetes as a container runtime
- It sits between Docker daemon and runc at the OCI layer
Note: running `ps -ef | grep -i containerd` on a system with Docker installed and running, you should see a process of containerd
19. Describe the architecture of Docker Swarm.
Show answer
Docker Swarm follows a decentralized and agent-based architecture. Key components include:**Manager Nodes:**
* Control the swarm and orchestrate deployments.
* Maintain the desired state of services.
* Serve as the entry point for CLI and API commands.
**Worker Nodes:**
* Execute containerized tasks and services.
* Receive workloads from manager nodes.
**Tokens:**
* Used for node join operations.
* Managers and workers join the swarm using tokens.
**Raft Consensus Algorithm:**