Container Technology Quiz
This quiz tests your understanding of container technology fundamentals, how they work, and their relationship with Kubernetes.
Multiple Choice Questions
- Which of the following is NOT a key characteristic of containers?
- A) Portability
- B) Lightweight
- C) Complete hardware virtualization
- D) Isolated execution environment
Show Answer
Answer: C) Complete hardware virtualization
Explanation: Containers share the host OS kernel and do not virtualize hardware. Complete hardware virtualization is a characteristic of virtual machines (VMs). Containers provide portability, lightweight operation, and isolated execution environments, but they depend on the host OS kernel to operate.
- What is the main difference between containers and virtual machines?
- A) Containers require their own independent OS each
- B) Virtual machines have faster startup times than containers
- C) Containers share the host OS kernel
- D) Virtual machines use fewer resources than containers
Show Answer
Answer: C) Containers share the host OS kernel
Explanation: Containers operate by sharing the host OS kernel, while virtual machines each include a complete OS. As a result, containers are lighter, faster to start, and more resource-efficient than virtual machines.
- Which of the following is NOT an OCI (Open Container Initiative) compatible low-level container runtime?
- A) runc
- B) crun
- C) containerd
- D) gVisor
Show Answer
Answer: C) containerd
Explanation: containerd is a high-level container runtime that provides features such as image transfer, storage, and container execution management. runc, crun, and gVisor are all OCI-compatible low-level container runtimes responsible for actual container creation and execution.
- Which statement is correct about container image layers?
- A) Each layer can be independently modified
- B) Layers are always merged and stored as a single file
- C) Layers represent changes to the previous layer
- D) Every container has its own unique set of layers
Show Answer
Answer: C) Layers represent changes to the previous layer
Explanation: Container images consist of multiple layers, with each layer representing changes to the previous layer. This layered approach makes image sharing and caching efficient, saving storage space and improving image download speeds. Layers are read-only, and when a container runs, a writable layer is added on top.
- What is the main purpose of using multi-stage builds in Dockerfiles?
- A) Improving build speed
- B) Reducing final image size
- C) Reducing security vulnerabilities
- D) Supporting multiple operating systems
Show Answer
Answer: B) Reducing final image size
Explanation: The main purpose of multi-stage builds is to reduce the final image size. The build stage includes all necessary tools for source code compilation, dependency installation, etc., while the run stage brings only the build artifacts to create a small image with minimal runtime environment. This excludes build tools and intermediate files from the final image.
- What is Docker's default network driver?
- A) host
- B) bridge
- C) overlay
- D) macvlan
Show Answer
Answer: B) bridge
Explanation: bridge is Docker's default network driver, enabling communication between containers running on the same host. This driver creates a virtual bridge within the host to connect containers. The host driver directly uses the host network, overlay is for multi-host communication, and macvlan assigns MAC addresses to containers to make them appear as physical network devices.
- For persistent data storage in containers, which method uses an area of the host file system managed by Docker?
- A) Ephemeral storage
- B) Volume
- C) Bind mount
- D) tmpfs mount
Show Answer
Answer: B) Volume
Explanation: Volumes are an area of the host file system managed by Docker, which is the most suitable method for persistent data storage in containers. Ephemeral storage is the container's internal file system where data is lost when the container is deleted. Bind mounts mount a specific host path into the container, and tmpfs mounts store data only in memory.
- Which is NOT a method for enhancing container security?
- A) Running containers as non-root users
- B) Granting only necessary Linux capabilities
- C) Granting administrator privileges to all containers
- D) Using read-only file systems
Show Answer
Answer: C) Granting administrator privileges to all containers
Explanation: Granting administrator privileges to all containers is an action that weakens security. To enhance container security, you should follow the principle of least privilege. Running containers as non-root users, granting only necessary Linux capabilities, and mounting file systems as read-only when possible are good security practices.
- Which AWS service provides a serverless container execution environment?
- A) Amazon EC2
- B) Amazon ECS
- C) Amazon Fargate
- D) Amazon ECR
Show Answer
Answer: C) Amazon Fargate
Explanation: Amazon Fargate is AWS's serverless container execution environment, allowing you to run containers without managing servers. Amazon EC2 is a virtual server service, Amazon ECS is a container orchestration service, and Amazon ECR is a container image registry service.
- Which is NOT a main function of container orchestration tools?
- A) Automatic deployment and rollback
- B) Service discovery and load balancing
- C) Container image building
- D) Auto scaling
Show Answer
Answer: C) Container image building
Explanation: Container image building is typically the role of CI/CD pipelines or container build tools like Docker. The main functions of container orchestration tools (Kubernetes, Docker Swarm, etc.) are automatic deployment and rollback, service discovery and load balancing, auto scaling, self-healing, configuration management, and storage orchestration.
- Which state can a container NOT be in while not running?
- A) Created
- B) Exited
- C) Building
- D) Paused
Show Answer
Answer: C) Building
Explanation: Container lifecycle states include Created (created), Running (running), Paused (paused), Restarting (restarting), Exited (exited), and Dead (dead). Building is a state of the image build process and is not a container state. Containers are created after images are built.
- Which container restart policy restarts the container when the Docker daemon starts but does not restart if the container was manually stopped?
- A) no
- B) on-failure
- C) always
- D) unless-stopped
Show Answer
Answer: D) unless-stopped
Explanation: The unless-stopped restart policy always restarts the container unless it was explicitly stopped. The container starts automatically even when the Docker daemon restarts, but if the user manually stopped it with the docker stop command, the container will not start after daemon restart. always restarts regardless of manual stop status.
- Which Docker command checks the file system changes between a container and its original image?
- A) docker inspect
- B) docker diff
- C) docker logs
- D) docker history
Show Answer
Answer: B) docker diff
Explanation: The docker diff command shows the changes between the container's file system and the original image. In the output, A represents Added files, C represents Changed files, and D represents Deleted files. This command is useful for debugging what files were modified while the container was running.
Short Answer Questions
- What is the unique identifier based on the contents of a container image, expressed as a SHA256 hash?
Show Answer
Answer: Digest
Explanation: A digest is the SHA256 hash of the container image contents, serving as a unique identifier for the image. Unlike tags, if the image contents change, the digest also changes, so it is used to accurately reference a specific image version. Example: nginx@sha256:2834dc507516af02784808c5f48b7cbe38b8ed5d0f4837f16e78d00deb7e7767
- What is the Dockerfile directive that specifies the command to run when a container starts?
Show Answer
Answer: CMD
Explanation: The CMD directive specifies the default command to run when a container starts. For example, CMD ["node", "server.js"] runs the node server.js command when the container starts. CMD can be overridden by providing arguments to the docker run command.
- What is the name of the virtual network interface Docker creates for communication between containers?
Show Answer
Answer: docker0
Explanation: docker0 is the virtual bridge network interface that Docker creates by default. This bridge enables communication between containers running on the same host and mediates communication between containers and external networks.
- What is the Linux security feature that restricts the system calls that a process running inside a container can use?
Show Answer
Answer: seccomp (Secure Computing Mode)
Explanation: seccomp is a Linux kernel security feature that restricts the system calls a process can use. Container runtimes like Docker use seccomp profiles to restrict the system calls containers can perform, thereby enhancing security.
- What is the name of the AWS service that stores and manages container images?
Show Answer
Answer: Amazon ECR (Elastic Container Registry)
Explanation: Amazon ECR (Elastic Container Registry) is AWS's managed container image registry service. It provides features such as image vulnerability scanning, IAM integration, and image lifecycle management, and integrates seamlessly with other AWS services.
- What Docker command allows running additional commands inside a running container?
Show Answer
Answer: docker exec
Explanation: The docker exec command allows running additional commands inside a running container. For example, docker exec -it <container> bash connects to an interactive shell inside the container, or docker exec <container> ls /app lists files inside the container. This command is very useful for container debugging.
- What Docker command monitors real-time container events (start, stop, restart, etc.) as a stream?
Show Answer
Answer: docker events
Explanation: The docker events command shows real-time events from the Docker daemon as a stream. You can monitor events such as container start, stop, restart, image pull, network connect/disconnect, etc. The --filter option allows filtering by specific container or event type, which is useful for debugging and monitoring.
Hands-on Questions
- Write a Dockerfile that meets the following requirements:
- Use Node.js 14 Alpine image
- Set working directory to /app
- Copy package.json and package-lock.json files first
- Install dependencies
- Copy remaining files
- Expose port 3000
- Run "node server.js" command when container starts
Show Answer
Answer:
FROM node:14-alpine
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD ["node", "server.js"]Explanation: This Dockerfile shows a basic configuration for Node.js applications. By copying dependency files (package*.json) first and installing them before copying the remaining files, it optimizes Docker's layer caching. This way, even if source code changes, the npm install step can be reused if dependencies haven't changed.
- Analyze the following Docker command and explain its purpose:bash
docker run -d --name my-app -p 8080:80 -v data:/app/data --restart always nginx:latest
Show Answer
Answer: This command is used for the following purposes: - -d: Run the container in background (detached mode) - --name my-app: Set the container name to "my-app" - -p 8080:80: Map host port 8080 to container port 80 - -v data:/app/data: Mount a volume named "data" to the /app/data path in the container - --restart always: Always automatically restart when container exits - nginx:latest: Use the latest version of nginx image
This command runs the nginx web server in the background, makes it accessible through host port 8080, sets up a volume for persistent data storage, and configures automatic restart when the container exits.
- Write an optimized Dockerfile for a React application using multi-stage builds.
Show Answer
Answer:
# Build stage
FROM node:14 AS build
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build
# Run stage
FROM nginx:alpine
# Copy build artifacts to nginx's service directory
COPY --from=build /app/build /usr/share/nginx/html
# Use default nginx configuration
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]Explanation: This multi-stage Dockerfile consists of two stages:
- Build stage: Uses Node.js image to build the React application.
- Run stage: Uses lightweight nginx image to serve the built static files.
The advantage of this approach is that the final image does not include Node.js runtime, npm packages, source code, etc., significantly reducing image size. The final image contains only built static files and nginx, making it smaller and more secure.
- Write a Dockerfile that includes container health checks. Configure it to check the HTTP endpoint /health every 30 seconds, treat as failed if no response within 3 seconds, and mark as unhealthy after 3 failures.
Show Answer
Answer:
FROM nginx:alpine
# Copy application (example)
COPY ./html /usr/share/nginx/html
# Health check configuration
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
CMD wget --quiet --tries=1 --spider http://localhost/health || exit 1
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]Explanation: Meaning of each HEALTHCHECK directive option:
--interval=30s: Perform health check every 30 seconds--timeout=3s: Health check command must complete within 3 seconds--start-period=10s: Ignore health check failures for 10 seconds after container start (initialization time)--retries=3: Mark container as unhealthy after 3 consecutive failuresCMD: Health check command to execute. Uses wget to check /health endpoint
Health checks are used by container orchestration tools to determine container status for automatic recovery or traffic routing decisions.
- Write Docker commands to check the environment variables, network settings, and process list of a running container for debugging purposes.
Show Answer
Answer:
# 1. Check environment variables
docker exec <container-id> env
# Or use inspect
docker inspect <container-id> --format='{{range .Config.Env}}{{println .}}{{end}}'
# 2. Check network settings
docker exec <container-id> ip addr
docker exec <container-id> netstat -tuln
# or
docker exec <container-id> ss -tuln
# Check IP address only
docker inspect <container-id> --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
# 3. Check process list
docker exec <container-id> ps aux
# or
docker top <container-id>
# 4. Additional useful debugging commands
# Container detailed information
docker inspect <container-id>
# Container logs
docker logs <container-id>
# File system changes
docker diff <container-id>
# Real-time resource usage
docker stats <container-id>Explanation: When debugging containers, combine these commands to diagnose issues:
docker execruns commands in a running containerdocker inspectchecks detailed container metadatadocker topviews container processes from the host perspectivedocker diffchecks files changed compared to the image Using these tools effectively helps understand container internal state and resolve issues.
Advanced Questions
- Compare the roles of namespaces and cgroups, the core components of container technology, and explain how each contributes to container isolation.
Show Answer
Answer:
Namespaces: - Role: Isolates process groups so that each group can see system resources independently. - Isolation type: Provides visibility isolation. - Main namespaces: - PID namespace: Process ID isolation - Network namespace: Network stack isolation - Mount namespace: File system mount point isolation - UTS namespace: Hostname and domain name isolation - IPC namespace: Inter-process communication resource isolation - User namespace: User and group ID isolation
cgroups (Control Groups): - Role: Limits and isolates the resource usage of process groups. - Isolation type: Provides resource limitation. - Main functions: - CPU time limiting - Memory usage limiting - Block I/O bandwidth limiting - Network bandwidth limiting - Device access control
Contribution to container isolation:
Namespaces and cgroups play complementary roles:
- Namespaces allow containers to have their own independent environments (process trees, network interfaces, mount points, etc.), providing logical isolation. This gives each container its own unique view of the system.
- cgroups limit the system resources (CPU, memory, disk I/O, etc.) that containers can use, providing physical resource isolation. This prevents one container from using excessive resources and affecting other containers or the host system.
These two technologies work together to allow containers to run in isolated environments with limited resource usage. This isolation is lighter than virtual machines but provides sufficient isolation for security and resource management.
- Explain how the container image layering system works and how the Copy-on-Write (CoW) strategy contributes to container efficiency.
Show Answer
Answer:
Container Image Layering System:
Container images consist of a stack of multiple layers. Each layer represents file system changes, and each Dockerfile command (FROM, RUN, COPY, etc.) creates a new layer. These layers are read-only and stack hierarchically to form the final image.
Key features of the layering system:
- Incremental builds: Only changed layers are regenerated during image builds
- Layer sharing: Multiple images share the same base layers
- Caching: Already downloaded layers are reused
Copy-on-Write (CoW) Strategy:
Copy-on-Write is an optimization strategy that delays copy operations until data is actually modified. In the container context:
- Container start: When a container starts, a thin writable layer is added on top of existing image layers.
- Read operations: When reading a file, the system searches layers from top to bottom and uses the first version of the file found.
- Write operations: When modifying a file, the file is first copied to the writable layer then modified (Copy-on-Write). The original file remains unchanged.
- Delete operations: When deleting a file, the file is not actually deleted; instead, a "whiteout" file is created in the writable layer to make it appear deleted.
Contribution to efficiency:
Storage efficiency:
- Multiple containers using the same base image share image layers, saving disk space.
- Each container only needs to store its own changed data.
Faster startup time:
- When starting a new container, only the writable layer needs to be created, not copying the entire file system.
- This significantly reduces container startup time.
Memory efficiency:
- When the same file is used by multiple containers, page cache can be shared.
Network efficiency:
- Already existing layers don't need to be downloaded again during image download.
Thanks to these efficiencies, containers can start lighter and faster than virtual machines, and more containers can run on the same host.
- Explain the entire container lifecycle and describe the container behavior and state transition methods in each state (Created, Running, Paused, Restarting, Exited, Dead).
Show Answer
Answer:
Container Lifecycle States:
Created
- Container has been created but not yet started
- Created with the
docker createcommand - Process not running, minimal resource allocation
- Transition:
docker start→ Running
Running
- Container's main process is running
- Entered via
docker runordocker start - Actively using resources like CPU, memory
- Transitions:
docker pause→ Pauseddocker stop→ Exiteddocker kill→ Exiteddocker restart→ Restarting → Running- On process termination → Exited
Paused
- All processes paused with SIGSTOP
- Entered via
docker pausecommand - Memory maintained but no CPU usage
- Transition:
docker unpause→ Running
Restarting
- Temporary state while container is restarting
- Occurs via
docker restartor restart policy - Transition: Automatically transitions to Running or Exited
Exited
- Main process has terminated
- Exit code preserved
- File system changes maintained
- Transitions:
docker start→ Runningdocker rm→ Deleted
Dead
- Abnormal state where container removal attempt failed
- Resource cleanup not completed
- Generally requires manual intervention
- Attempt force removal with
docker rm -f
State check and management commands:
# Check state
docker ps -a # List all containers
docker inspect <id> | jq '.[0].State' # Detailed state
# State transitions
docker create nginx # → Created
docker start <id> # → Running
docker pause <id> # → Paused
docker unpause <id> # → Running
docker stop <id> # → Exited
docker restart <id> # → Running
docker rm <id> # DeleteRestart policies and lifecycle:
no: No automatic restarton-failure[:max]: Restart on abnormal exit, can specify max countalways: Always restart (including daemon restart)unless-stopped: Always restart until manually stopped
Understanding the container lifecycle helps ensure application availability and establish appropriate recovery strategies when issues occur.
Return to Learning Materials | Next Quiz: Kubernetes Introduction