DOCKER

• How will you run multiple Docker containers in one single host?
Answer: Docker Compose is the best way to run multiple containers as a single
service by defining them in a docker-compose.yml file.
• How do you manage sensitive security data like passwords in Docker?
Answer: Docker Secrets and Docker environment variables can be used to manage sensitive data. The docker secret command is specifically designed for Docker Swarm, so if you choose to use it, make sure your Docker environment is initialized as a Swarm, either by running docker swarm init for a single-node Swarm or by joining an existing Swarm with docker swarm join. Use the docker secret create command to create a secret. For example:
echo "my_secret_value" | docker secret create my_secret -
The echo command here generates the secret value, which is piped into the docker secret create command; the trailing - tells it to read the secret from standard input. You can use the docker secret ls command to view a list of your Docker secrets.
If you are not interested in using Swarm mode and want to work with standalone containers, you can use environment variables or volumes to pass sensitive information to your containers. For example, you can use an environment variable like this:
docker run --name my_container -e MY_SECRET=my_secret_value my_image
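As an added example that is not part of the original page, the following docker-compose.yml wires the secrets approach from the answer above into a service (the service name, image name and secret file name are assumptions). With docker stack deploy the file becomes a Swarm secret; with docker compose up it is simply mounted from the local file, so the same configuration serves both modes.

```yaml
# Added example (assumed names): a Compose file that delivers a secret to a
# service as a file instead of as an environment variable value.
# Swarm:      docker stack deploy -c docker-compose.yml mystack
# Standalone: docker compose up
version: "3.8"

services:
  app:
    image: my_image                  # assumed image name
    secrets:
      - my_secret                    # readable in-container at /run/secrets/my_secret
    environment:
      # Hand the application the path to the secret file rather than the
      # value itself: a value passed with -e or `environment:` is visible in
      # `docker inspect` output and in the container's process environment.
      MY_SECRET_FILE: /run/secrets/my_secret

secrets:
  my_secret:
    file: ./my_secret.txt            # assumed local file holding the value;
    # for a secret created beforehand with `docker secret create my_secret -`,
    # use `external: true` here instead of `file:` (Swarm mode only).
```

Keep ./my_secret.txt out of version control and out of the image build context; it is read by the Docker CLI at deploy time, not baked into the image.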
• How do you handle persistent storage in Docker?
Answer: Docker Volumes and Docker Bind Mounts are used to handle persistent
storage in Docker. Bind mounts link a directory or file on the host machine directly to
a directory in the container.
• How will you scale Docker containers based on traffic to your application?
Answer: Docker Swarm or Kubernetes can be used to auto-scale Docker Containers
based on traffic load.
• When will the RUN and CMD instructions be executed?
Answer: The RUN instruction is executed while building the Docker image. The CMD instruction is executed when the container is started.
• What's the difference between the COPY and ADD instructions?
Answer: With the COPY instruction we can copy local files and folders from the Docker build context into the Docker image; they are copied while the image is being built. The ADD instruction works similarly to COPY, but the difference is that it can also download files from remote locations on the Internet while creating a Docker image.
• What's the difference between the CMD and ENTRYPOINT instructions?
Answer: The CMD instruction is used to start the process or application inside the container. The ENTRYPOINT instruction works similarly to CMD and is also executed when a container is created. The CMD instruction can be overridden when creating a container, whereas the ENTRYPOINT instruction cannot. When both ENTRYPOINT and CMD are specified in a Dockerfile, the CMD instruction provides default arguments to the command specified in ENTRYPOINT.
• Crafting a CI/CD pipeline for a sensitive app – How do you ensure security at each stage?
Answer: Source Code Repository: Implement strict access controls to your source
code repository. Use role-based access control (RBAC) to ensure that only authorized
individuals have the necessary permissions.
Build Stage: Regularly update dependencies and software components to patch
known vulnerabilities. Use automated tools to scan dependencies for known
vulnerabilities. Consider using tools like OWASP Dependency-Check. Dependency-
Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly
disclosed vulnerabilities contained within a project’s dependencies.
Static Code Analysis: Integrate static code analysis tools into your CI/CD pipeline to
identify and address security issues in the codebase.
Unit Testing: Include security-focused unit tests in your test suite to cover common
security scenarios.
Containerisation: Scan container images for vulnerabilities before deploying them.
Tools like Clair, Trivy, or Anchore can help in identifying vulnerabilities in Docker
images. Implement runtime security controls for your containers using tools like
Docker Bench for Security or Kubernetes Pod Security Policies.
Integration Testing: Ensure that test data used in integration tests does not expose
sensitive information.
Deployment Stage: Use IaC tools like Terraform or Ansible to define and deploy
infrastructure. Version control IaC files and apply security best practices for
infrastructure configuration. Consider using immutable infrastructure practices to
reduce the attack surface and enhance security.
Dynamic Application Security Testing (DAST): Integrate DAST tools into your
CI/CD pipeline to scan the running application for vulnerabilities. Conduct regular
penetration testing to identify and address security weaknesses.
Monitoring and Logging: Implement real-time monitoring to detect and respond to
security incidents promptly.
Secrets Management: Use secure vaults for storing and managing secrets. Avoid
hardcoding secrets in configuration files or scripts. Regularly rotate sensitive
credentials and update them in the CI/CD pipeline.
• Escalating AWS costs concern the team – How to optimize without compromising efficiency?
Answer: Harness AWS Cost Explorer for in-depth cost analysis, AWS Budgets for
vigilant monitoring, and auto-scaling for resource alignment. Utilize Reserved
Instances or Savings Plans for cost predictability, regularly reviewing and adapting
configurations based on usage patterns.