40+
MCQs Covered
6
Domains Covered
55
Exam Questions
2026
Updated For
The Docker Certified Associate (DCA) validates your ability to work with Docker containerization in enterprise environments. Docker revolutionized software development by enabling developers to package applications into lightweight, portable containers that run consistently across any environment. The DCA covers container fundamentals, image creation, networking, storage, orchestration with Docker Swarm, and enterprise security. Whether you’re a DevOps engineer, cloud engineer, SRE, or developer — Docker skills are essential for modern cloud-native development, and DCA proves you have them.
Question 01
What is a Docker container?
AA virtual machine with its own kernel and operating system
BA lightweight, standalone, executable package that includes everything needed to run an application — code, runtime, libraries, and settings ✅
CA configuration management tool like Ansible
DA cloud service for hosting websites
💡 Explanation: A Docker container is a runnable instance of an image. Containers are isolated, lightweight, and share the host OS kernel — unlike VMs, which each have their own OS. Containers package the application code, runtime, system tools, libraries, and settings into a single unit that runs identically on any Docker-compatible host. This “build once, run anywhere” approach solved the “it works on my machine” problem.
Question 02
What is the key difference between a Docker container and a virtual machine (VM)?
AContainers share the host OS kernel and are more lightweight; VMs run a full guest OS with their own kernel ✅
BVMs are faster than containers
CContainers require a hypervisor
DThere is no difference
💡 Explanation: Containers share the host OS kernel and use namespaces/cgroups for isolation — they start in seconds and use minimal resources. VMs run a complete guest OS with its own kernel on a hypervisor — they provide stronger isolation but consume more resources and take minutes to start. Containers are typically 10-100x smaller than VMs. Most modern applications use containers for microservices architecture.
Question 03
Which command runs a new Docker container from the nginx image in detached mode (background) and maps port 80 on the host to port 80 in the container?
A
docker run -d -p 80:80 nginx ✅B
docker start -p 80:80 nginxC
docker create -d -p 80:80 nginxD
docker exec -d -p 80:80 nginx💡 Explanation:
docker run creates and starts a new container. The -d flag runs it in detached (background) mode. -p 80:80 maps host port 80 to container port 80 (host:container). docker start restarts an existing stopped container. docker create creates but doesn’t start. docker exec runs a command inside a running container. Knowing these commands and flags is essential for the DCA.Question 04
What happens to data stored inside a Docker container when the container is deleted?
AThe data is lost — containers are ephemeral by default ✅
BThe data is automatically backed up
CThe data persists in the image
DThe data is saved to the host automatically
💡 Explanation: Containers are ephemeral — when deleted, all data in the writable container layer is lost. To persist data, use Docker volumes (
docker volume create) or bind mounts. Volumes are stored in /var/lib/docker/volumes/ and are managed by Docker. Bind mounts map a host directory into the container. For databases and stateful applications, volumes are essential. This is a fundamental Docker concept.2
Image Creation & Management
Dockerfile, Build, Registry
Question 05
Which file contains the instructions for building a Docker image, specifying the base image, commands, environment variables, and exposed ports?
A
Dockerfile ✅B
docker-compose.ymlC
.dockerignoreD
config.json💡 Explanation: A Dockerfile is a text file with instructions to build a Docker image. Key instructions:
FROM (base image), RUN (execute commands during build), COPY/ADD (add files), WORKDIR (set working directory), EXPOSE (document ports), ENV (set environment variables), CMD/ENTRYPOINT (default command). docker-compose.yml defines multi-container applications. .dockerignore excludes files from the build context.Question 06
What is the difference between CMD and ENTRYPOINT in a Dockerfile?
ACMD provides default arguments that can be overridden at runtime; ENTRYPOINT defines the main executable that always runs ✅
BThey are identical in function
CCMD runs during build; ENTRYPOINT runs at startup
DENTRYPOINT can be overridden; CMD cannot
💡 Explanation:
CMD sets the default command and arguments — it can be overridden by passing arguments to docker run. ENTRYPOINT configures the container as an executable — it always runs and cannot be easily overridden (use --entrypoint flag). Best practice: use ENTRYPOINT for the main command and CMD for default arguments. Example: ENTRYPOINT ["python"] + CMD ["app.py"] — users can override app.py but python always runs.Question 07
What is a multi-stage build in Docker and why is it used?
AUsing multiple FROM statements in a Dockerfile to create smaller, more secure production images by separating build and runtime stages ✅
BBuilding multiple containers simultaneously
CRunning docker build on multiple machines
DCaching layers for faster builds
💡 Explanation: Multi-stage builds use multiple
FROM statements. Stage 1 compiles/builds the application (large image with build tools). Stage 2 copies only the compiled artifact into a minimal runtime image (small, secure). Example: build a Go app in a Go image, then copy the binary to an Alpine image. This reduces the final image size from hundreds of MB to a few MB — critical for production security and deployment speed.3
Networking & Storage
Networks, Volumes, Bind Mounts
Question 08
Which Docker network driver is used by default when no network is specified, providing automatic DNS resolution between containers on the same network?
Abridge ✅
Bhost
Coverlay
Dnone
💡 Explanation: Docker network drivers: bridge (default) — isolated network on a single host, containers communicate via container names (DNS). host — container shares the host’s network stack directly (no isolation). overlay — spans multiple Docker hosts for Swarm services. none — no networking. macvlan — assigns a MAC address, making containers appear as physical devices. User-defined bridge networks provide automatic DNS resolution by container name.
Question 09
Which Docker storage mechanism is the RECOMMENDED approach for persisting data generated by containers?
ADocker volumes ✅
BBind mounts
Ctmpfs mounts
DContainer writable layer
💡 Explanation: Docker volumes are the recommended way to persist data. They are managed by Docker, stored in
/var/lib/docker/volumes/, work on both Linux and Windows, and can be shared between containers. Bind mounts map a specific host path but depend on the host’s file structure. tmpfs mounts are in-memory only (no persistence). The container’s writable layer is deleted when the container is removed. Volumes also support volume drivers for remote storage.Question 10
Which tool allows you to define and run multi-container Docker applications using a YAML file?
ADocker Compose ✅
BDocker Swarm
CDockerfile
DDocker Hub
💡 Explanation: Docker Compose uses a
docker-compose.yml (or compose.yaml) file to define multi-container applications — specifying services, networks, volumes, environment variables, and dependencies. Run with docker compose up -d. Ideal for development environments and simple deployments. Docker Swarm is for production orchestration across multiple hosts. Dockerfile builds a single image. Docker Hub is the public image registry.4
Orchestration & Security
Swarm, Security, Enterprise
Question 11
Which command initializes a Docker Swarm cluster on the current node, making it a manager node?
A
docker swarm init ✅B
docker swarm joinC
docker cluster createD
docker node init💡 Explanation:
docker swarm init initializes a new Swarm cluster and makes the current node a manager. It generates join tokens for adding worker and manager nodes. docker swarm join --token adds nodes to the cluster. Key Swarm concepts: manager nodes (orchestrate), worker nodes (run tasks), services (desired state), tasks (individual containers), and replicas (service instances). Docker Swarm is Docker’s native orchestration.Question 12
In Docker Swarm, what is the recommended way to securely pass sensitive data like database passwords to services?
AEnvironment variables in docker-compose.yml
BDocker Secrets ✅
CHardcode credentials in the Dockerfile
DPass credentials as command-line arguments
💡 Explanation: Docker Secrets securely stores sensitive data (passwords, TLS certificates, API keys) and makes it available only to authorized Swarm services. Secrets are encrypted at rest and in transit, mounted as files inside containers at
/run/secrets/. Environment variables are visible in docker inspect — not secure. Never hardcode credentials in Dockerfiles or images. Docker Secrets require Swarm mode to be enabled.Question 13
What is Docker Content Trust (DCT) and why is it important?
AA security feature that uses digital signatures to verify the integrity and publisher of Docker images ✅
BA backup mechanism for Docker images
CA license agreement for Docker Enterprise
DA container health check feature
💡 Explanation: Docker Content Trust (DCT) uses Notary to sign and verify images. When enabled (
export DOCKER_CONTENT_TRUST=1), Docker only pulls signed images — preventing tampered or malicious images from being deployed. Publishers sign images with their private key; consumers verify with the public key. DCT ensures image provenance and integrity — critical for enterprise security and supply chain protection.Question 14
Which Linux kernel features does Docker use to provide container isolation?
ANamespaces (process isolation) and cgroups (resource limits) ✅
BHypervisor and virtual hardware
CSELinux only
DFirewalls and VPNs
💡 Explanation: Docker uses two key Linux kernel features: Namespaces provide process isolation — each container gets its own PID, network, mount, UTS, and IPC namespace, so containers can’t see each other’s processes. Cgroups (control groups) limit and account for resource usage — CPU, memory, disk I/O, and network. Together, these provide lightweight isolation without the overhead of full virtualization. Additional security layers include AppArmor, SELinux, and seccomp profiles.
🏗️ Docker Architecture
🖥️
Docker Client
CLI commands (docker run)
Talks to Docker daemon
REST API interface
Talks to Docker daemon
REST API interface
⚙️
Docker Daemon
dockerd — builds, runs,
manages containers
Listens for API requests
manages containers
Listens for API requests
📦
Docker Registry
Docker Hub (public)
Private registries
Stores & distributes images
Private registries
Stores & distributes images
⌨️ Essential Docker Commands
docker run
Create & start
a container
a container
docker build
Build image
from Dockerfile
from Dockerfile
docker ps
List running
containers
containers
docker exec
Run command in
running container
running container
docker pull
Download image
from registry
from registry
docker push
Upload image
to registry
to registry
docker logs
View container
output logs
output logs
docker stop
Stop a running
container
container
⚖️ Container vs Virtual Machine
🐳 Containers
✦ Share host OS kernel
✦ Start in seconds
✦ MBs in size (lightweight)
✦ Process-level isolation
✦ Best for microservices
✦ Start in seconds
✦ MBs in size (lightweight)
✦ Process-level isolation
✦ Best for microservices
🖥️ Virtual Machines
✦ Full guest OS + kernel
✦ Start in minutes
✦ GBs in size (heavy)
✦ Hardware-level isolation
✦ Best for full OS workloads
✦ Start in minutes
✦ GBs in size (heavy)
✦ Hardware-level isolation
✦ Best for full OS workloads
📝 Key Dockerfile Instructions
FROM
Base image for the build
RUN
Execute commands at build
COPY / ADD
Add files to the image
CMD
Default command (overridable)
ENTRYPOINT
Main executable (fixed)
EXPOSE
Document container ports
💡 Docker DCA Exam Tips
1
Master Docker Commands — Hands-On Required
The DCA tests practical knowledge. Know docker run, build, exec, logs, inspect, network, volume, and compose commands with all key flags. Install Docker locally and practice building images, creating networks, mounting volumes, and running multi-container apps. The exam includes multiple-choice questions about command output and behavior.
2
Know Docker Swarm Deeply
Docker Swarm makes up a large portion of the DCA exam. Know: swarm init/join, services vs tasks, replicated vs global services, rolling updates, secrets, configs, overlay networks, and the difference between manager and worker nodes. Also know how to promote/demote nodes and drain nodes for maintenance.
3
Understand Dockerfile Best Practices
Know: multi-stage builds (smaller images), layer caching (order instructions wisely), CMD vs ENTRYPOINT, COPY vs ADD, non-root users for security, .dockerignore files, and minimizing layer count. Several questions will show a Dockerfile and ask you to identify issues or predict the build result.
🎯 Keep Practicing — More MCQs Available!
We update our question bank regularly to match the latest Docker exam objectives
Leave a Comment