Docker vs Virtual Machines MCQ 60 Tests With Answers (2026)

Docker vs Virtual Machines MCQ practice questions are essential for preparing for competitive exams, cloud certifications, and technical infrastructure engineering interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions comparing the two dominant server virtualization strategies: Docker containerization and traditional Virtual Machines.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (foundational compute differences, hypervisor types, and storage footprints), Concepts (namespaces, cgroups, storage drivers, default networking, and system patching), and Advanced (scenario-based container escapes, microVM runtimes, performance isolation, and high-throughput networking limits). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate certification environments. The interactive engine tracks your progress and identifies knowledge gaps across Docker layers, VM hard disks, and OS kernels.
Contents
- 1. Basics (20 Questions): Architecture · hypervisors · startup times · storage · resource allocation
- 2. Concepts (20 Questions): Namespaces · cgroups · storage drivers · networking · orchestration
- 3. Advanced (20 Questions): Container escapes · microVMs · kernel interactions · security · performance tuning
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Docker vs Virtual Machines — Basics
1. What is the fundamental architectural difference between a Virtual Machine and a Docker container?
Answer C: Virtual machines virtualize the hardware to run multiple OS instances, while containers virtualize the OS to run multiple applications on a single kernel.
Virtual machines use a hypervisor to virtualize physical hardware, allowing multiple complete operating systems, each with its own kernel, to run independently on the same host. Containers virtualize at the operating-system layer: many applications share the host's single kernel and are separated by kernel features (namespaces, cgroups) rather than by virtual hardware. This one difference drives every other distinction on this page: startup time, resource usage, portability, and isolation strength.
2. Which software layer is responsible for creating and managing Virtual Machines?
Answer B: The Hypervisor
A hypervisor is the virtualization software that abstracts physical hardware resources (CPU, RAM, storage, networking) and allocates them to individual virtual machines. Type 1 hypervisors (such as ESXi) run directly on bare metal; Type 2 hypervisors (such as VirtualBox) run as applications on top of a host OS.
3. What is the primary software component responsible for running and managing Docker containers on a host?
Answer A: The Docker Engine
The Docker Engine is the core runtime that manages the complete container lifecycle: pulling images, creating containers, running processes, and managing storage and networking. In current releases it is the dockerd daemon, which delegates container execution to containerd and runc. It leverages OS-level technologies (namespaces, cgroups) but exposes them through a simple REST API and command-line interface. The daemon runs as root, and its API socket (/var/run/docker.sock) grants root-equivalent control of the host, so access to it must be restricted as tightly as root access itself.
4. When comparing startup times, which statement is generally true?
Answer C: Containers start in milliseconds because they do not need to boot a full OS, whereas VMs take minutes to boot a guest OS.
Containers typically start in milliseconds: they simply spawn a process on the host's already-running kernel. VMs must boot a complete operating system (firmware, kernel initialization, init/systemd startup, driver loading), which takes seconds to minutes depending on the guest OS. This difference is what makes containers well suited to rapid scaling and CI/CD pipelines.
5. How does the storage footprint of a typical Docker image compare to a Virtual Machine image?
Answer A: Docker images are usually measured in megabytes, while VM images are typically measured in gigabytes.
A Docker image (for example a Node.js application) might be 50–500 MB, containing only the application, its libraries, and required dependencies on top of a minimal base layer. A VM image must carry a complete OS installation (roughly 2–10 GB for Linux, 20–40+ GB for Windows). Docker's layering also lets images share common base layers on disk and in registries, which further reduces redundant storage.
6. Which scenario is generally better suited for a traditional Virtual Machine rather than a Docker container?
Answer C: Running a legacy monolithic application that strictly requires a specific, outdated Windows kernel.
VMs excel at running applications that need a different operating system or kernel than the host. A legacy Windows Server 2008 application cannot run in a Linux container, because a container has no kernel of its own and borrows the host's. VMs provide full OS flexibility; containers are constrained to the host's kernel. Conversely, microservices, CI/CD, and rapid scaling favor containers.
7. In a Docker architecture, what represents the host operating system?
Answer B: The underlying operating system running directly on the physical server or VM providing the kernel.
The host OS is the operating system installed directly on the physical server or VM on which Docker runs. It provides the one kernel that all containers share. Containers do not include their own kernel; their processes issue system calls directly to the host kernel, so a container can only run on a host with a compatible kernel type. Linux containers require a Linux kernel: on Windows and macOS, Docker Desktop supplies one by running a lightweight Linux VM underneath, and Windows containers likewise require a Windows host kernel.
8. What does "Guest OS" refer to in the context of Virtual Machines?
Answer C: The complete, independent operating system installed inside the virtual machine.
The Guest OS is the complete operating system (Windows, Ubuntu, CentOS, etc.) installed inside each VM. It runs independently with its own kernel, drivers, services, and system libraries. The hypervisor isolates each guest OS from the others and presents it with virtual hardware, so the guest runs as if it owned the machine. Most hypervisors do advertise their presence to the guest (for example through the CPUID hypervisor bit and paravirtualized device drivers), so guests are typically able to tell they are virtualized even though they cannot reach outside the VM.
9. Why are Docker containers considered more portable than Virtual Machines?
Answer A: Containers package the application code and its specific dependencies together, ensuring it runs consistently regardless of the host's Linux distribution.
Containers bundle the application with all its dependencies (libraries, configuration, runtime) into a single image. A Docker image built on an Ubuntu base runs the same on a Debian, CentOS, or other Linux host because it carries its own userland; the only thing it borrows from the host is the kernel. That is also the caveat: images that depend on particular kernel versions, modules, or syscalls can still break across hosts. VMs require the entire guest OS image to be compatible with the target hypervisor and its virtual hardware, introducing environment variability. Containers achieve "build once, run anywhere" portability through this dependency bundling.
10. What is a "Hypervisor" primarily responsible for?
Answer B: Abstracting and partitioning physical hardware resources (CPU, RAM, Disk) to allocate them to isolated virtual machines.
A hypervisor is virtualization software that sits between the physical hardware and the VMs. It intercepts privileged hardware access (sensitive CPU instructions, memory mappings, I/O operations) and arbitrates it among VMs. Each VM sees what appears to be exclusive hardware; the hypervisor enforces isolation by controlling how physical resources are mapped and scheduled.
11. Which of the following best describes the isolation level of a Virtual Machine?
Answer C: Hardware-level isolation
VMs achieve hardware-level isolation: the hypervisor controls CPU execution modes, memory mappings (via nested/extended page tables), and I/O, giving each VM a separate virtual hardware context. A compromise inside one VM cannot reach another without exploiting the hypervisor itself or a hardware side channel on shared cores. This is the strongest commonly available isolation model, at some performance cost.
12. Which of the following best describes the isolation level of a Docker container?
Answer C: OS-level (Process) isolation
Containers achieve OS-level isolation using Linux namespaces (PID, mount, network, IPC, UTS, and optionally user) together with cgroups. Each container has its own PID namespace (the container's main process is PID 1 there), network namespace (its own interfaces and routing table), and mount namespace (its own filesystem view). Processes inside a container cannot see or signal processes outside their namespaces, but all of them share the same kernel, so the kernel's attack surface is shared too.
13. If you need to run applications requiring three completely different operating system kernels on a single physical server, which technology must you use?
Answer B: Virtual Machines
Containers share the host kernel, so all containers on a host must be compatible with that one kernel. If you need a Windows 10 kernel, a Windows Server 2008 kernel, and a Linux kernel simultaneously, you must use VMs. Each VM can have its own distinct kernel independent of the host or other VMs.
14. What happens to the computing resources (RAM/CPU) allocated to a running Virtual Machine?
Answer C: They are dedicated and blocked off by the hypervisor, regardless of whether the VM is actively using them.
When you assign 4 vCPUs and 8 GB RAM to a VM, the hypervisor presents those resources as the VM's own hardware, and the guest OS manages them as if they were dedicated, whether or not it is busy. This gives predictable performance (the VM always sees the resources it was promised) but lower host utilization than containers, which draw from a shared pool. In practice hypervisors such as ESXi and KVM can overcommit: vCPUs are time-sliced onto physical cores and memory can be reclaimed through ballooning or swapping, so the "dedicated" guarantee only holds as long as the host is not oversubscribed.
15. How does Docker handle resource allocation (RAM/CPU) by default?
Answer A: Containers share the host's available resources dynamically, utilizing only what they currently need unless strict limits are applied.
By default a container has no resource limits: it draws CPU and memory from the host's shared pool, using only what it needs and yielding it when idle. This "burstable" model enables high density, but it also means one runaway or malicious container can starve the host and its neighbours. Hard limits are set with `--memory`, `--cpus`, and `--pids-limit`, which Docker enforces through cgroups; production deployments should set them.
16. Which technology is designed specifically to champion the "microservices" architectural pattern?
Answer C: Docker Containers
Docker containers are the technological foundation of microservices architecture. Their lightweight nature, rapid startup, minimal resource overhead, and easy orchestration enable teams to decompose monolithic applications into dozens or hundreds of small, independently deployable services. Containers make microservices economically viable.
17. What is a "Docker Image"?
Answer B: A read-only, layered template containing the application source code, libraries, and dependencies needed to create a container.
A Docker image is an immutable, layered snapshot of a container's filesystem plus metadata (environment variables, exposed ports, entry point). Images are composed of stacked read-only layers; each filesystem-changing Dockerfile instruction (RUN, COPY, ADD) adds one, while metadata-only instructions add none. Containers are running instances of images with a thin writable layer on top. Images are stored in registries (such as Docker Hub); containers run on Docker hosts.
18. What is a "Virtual Machine Image" (e.g., an OVA or VHD file)?
Answer D: A massive file representing a complete snapshot of a bootable operating system, installed applications, and a virtualized file system.
A VM image (OVA, VHD, VMDK, QCOW2, etc.) is a complete, portable snapshot of everything inside a VM: the OS kernel, system libraries, installed software, configuration files, and data. It is a portable clone of a fully configured server, typically gigabytes in size, that can be imported into any compatible hypervisor.
19. When an application inside a Docker container makes a system call, where is that call processed?
Answer C: It is passed directly to the host operating system's shared kernel.
Containers do not intercept or translate system calls. When containerized code calls `read()`, `write()`, `fork()`, or any other syscall, the host kernel services it directly; the process's namespaces and cgroups only shape what the call can see and consume. Docker adds two filters at this boundary: a default seccomp profile that refuses a set of dangerous syscalls (they fail with EPERM) and a reduced Linux capability set. The code handling every permitted call, however, is still the shared host kernel. This direct syscall path is why containers are so efficient compared to VMs.
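The filtering mentioned above uses the kernel's seccomp-BPF facility, the same mechanism behind Docker's default profile. The following is an added example, not code from the original page or from the Docker project: it installs a minimal filter from Python via ctypes that refuses only `unshare(2)` (chosen because `unshare(0)` is a documented no-op, so its success before the filter and EPERM after it prove the filter alone is responsible), then issues the syscall again. The constants are taken from the Linux UAPI headers; Linux on x86_64 or aarch64 is assumed.

```python
"""Install a tiny seccomp-BPF filter and watch the host kernel refuse a syscall.

Added example, not from the original page or Docker. Docker's default profile
is installed through the same prctl(PR_SET_SECCOMP) call with a longer deny
list; here the list is just unshare(2). Linux only.
"""
import ctypes
import errno
import platform
import struct
import sys

PR_SET_SECCOMP, PR_SET_NO_NEW_PRIVS = 22, 38
SECCOMP_MODE_FILTER = 2
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7FFF0000

# classic BPF opcodes (linux/filter.h)
BPF_LD, BPF_W, BPF_ABS = 0x00, 0x00, 0x20
BPF_JMP, BPF_JEQ, BPF_K = 0x05, 0x10, 0x00
BPF_RET = 0x06
OFF_NR, OFF_ARCH = 0, 4  # field offsets in struct seccomp_data

# (AUDIT_ARCH_*, __NR_unshare) per machine: a filter must pin the ABI it checks,
# otherwise a 32-bit syscall on x86_64 could sneak past the number comparison.
_ARCH = {"x86_64": (0xC000003E, 272), "aarch64": (0xC00000B7, 97)}


class SockFprog(ctypes.Structure):
    """struct sock_fprog { unsigned short len; struct sock_filter *filter; }"""
    _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]


def _stmt(code, k):            # struct sock_filter: u16 code, u8 jt, u8 jf, u32 k
    return struct.pack("HBBI", code, 0, 0, k)


def _jump(code, k, jt, jf):
    return struct.pack("HBBI", code, jt, jf, k)


def build_deny_filter(arch: int, nr: int) -> bytes:
    """BPF: kill on a foreign ABI, EPERM for syscall `nr`, allow everything else."""
    return b"".join([
        _stmt(BPF_LD | BPF_W | BPF_ABS, OFF_ARCH),
        _jump(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0),   # arch ok -> skip the kill
        _stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        _stmt(BPF_LD | BPF_W | BPF_ABS, OFF_NR),
        _jump(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1),     # match -> fall into ERRNO
        _stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | errno.EPERM),
        _stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    ])


def seccomp_demo():
    """Return (rc of unshare(0) before the filter, errno of unshare(0) after it)."""
    if not sys.platform.startswith("linux") or platform.machine() not in _ARCH:
        raise OSError("needs Linux on x86_64 or aarch64")
    arch, nr_unshare = _ARCH[platform.machine()]
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    libc.prctl.restype = ctypes.c_int

    before = libc.syscall(nr_unshare, 0)      # unshare(0) is a no-op and succeeds

    code = build_deny_filter(arch, nr_unshare)
    buf = ctypes.create_string_buffer(code, len(code))
    prog = SockFprog(len(code) // 8, ctypes.cast(buf, ctypes.c_void_p))
    # NO_NEW_PRIVS is what lets an unprivileged process install a filter (runc sets it too).
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.byref(prog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")

    after_rc = libc.syscall(nr_unshare, 0)    # same call, now answered by the filter
    after_errno = ctypes.get_errno() if after_rc == -1 else 0
    return before, after_errno


if __name__ == "__main__":
    print(seccomp_demo())   # (0, 1): 1 is EPERM
```

The filter is inherited by every child the process spawns and cannot be removed, which is exactly the property Docker relies on: once runc has installed the profile and exec'd the container's entrypoint, nothing inside can widen the syscall set again.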
20. Which of the following represents a common Type 1 (Bare-Metal) Hypervisor used for deploying VMs?
Answer A: VMware ESXi
VMware ESXi is a Type 1 hypervisor: it runs directly on physical hardware without a general-purpose host OS. Docker Desktop is a container tooling bundle (not a hypervisor). VirtualBox is a Type 2 hypervisor (it runs on top of an OS). Kubernetes is an orchestration platform. Type 1 hypervisors (ESXi, Hyper-V, and KVM, which turns the Linux kernel itself into the hypervisor) are preferred for production VMs because they minimize host-OS overhead.
Docker vs Virtual Machines — Concepts
1. How does Docker achieve process, network, and mount isolation between containers on the same Linux host?
Answer B: By leveraging Linux Kernel Namespaces.
Linux namespaces are kernel features that partition global system resources into isolated views. PID namespaces give each container its own process tree: the container's main process sees itself as PID 1 and cannot see host processes, although it still appears on the host under an ordinary host PID. Network namespaces isolate interfaces, routes, and firewall rules; mount namespaces isolate filesystem views (including /proc, /sys, and /dev). User, UTS, IPC, cgroup, and time namespaces complete the set. Namespaces are the technical foundation of container isolation.
2. Which underlying Linux kernel feature does Docker use to limit and monitor the amount of CPU, memory, and disk I/O a container can consume?
Answer A: Control Groups (cgroups)
Control Groups (cgroups) are the kernel mechanism that enforces resource limits and quotas. You can restrict a container to 2 CPUs, 512 MB RAM, or 100 MB/s disk I/O using cgroups; with cgroups v2 these limits appear as files such as cpu.max, memory.max, and pids.max under /sys/fs/cgroup. Cgroups also report usage and events (for example OOM kills) in real time. Namespaces provide isolation; cgroups provide resource enforcement; both are essential for container management.
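The `--memory`, `--cpus`, and `--pids-limit` flags from the Basics section end up as cgroup v2 control files, and the quickest way to confirm that a running container is actually bounded is to read those files from inside it. The following is an added example, not code from the original page or from Docker: it parses cpu.max, memory.max, pids.max, and memory.events, flags anything left unlimited, and shows the mapping from Docker flags to file contents. The sample cgroup directory it builds in a temp dir is constructed; the file formats are those documented for cgroup v2, and the 100 ms CPU period Docker uses is an assumption based on its default.

```python
"""Audit the cgroup v2 limits behind docker run --cpus / --memory / --pids-limit.

Added example, not from the original page or Docker. Reads the control files a
container sees under /sys/fs/cgroup and reports what is unbounded. The sample
directory is constructed; its contents are assumptions about what dockerd writes.
"""
import os
import tempfile
from typing import Optional

CGROUP_V2_ROOT = "/sys/fs/cgroup"  # cgroup v2 mount point inside a container


def parse_cpu_max(text: str) -> Optional[float]:
    """'150000 100000' -> 1.5 CPUs; 'max 100000' -> None (unlimited)."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_memory_max(text: str) -> Optional[int]:
    """'536870912' -> bytes; 'max' -> None (unlimited)."""
    text = text.strip()
    return None if text == "max" else int(text)


def parse_pids_max(text: str) -> Optional[int]:
    text = text.strip()
    return None if text == "max" else int(text)


def parse_memory_events(text: str) -> dict:
    """'low 0\\nhigh 3\\noom 1\\noom_kill 1\\n' -> {'low': 0, 'high': 3, ...}."""
    events = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if value.strip().isdigit():
            events[key] = int(value)
    return events


def _read(path: str) -> Optional[str]:
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return None


def audit_cgroup(cgroup_dir: str = CGROUP_V2_ROOT) -> dict:
    """Report effective limits for one cgroup and list the ones left unbounded."""
    cpu = _read(os.path.join(cgroup_dir, "cpu.max"))
    mem = _read(os.path.join(cgroup_dir, "memory.max"))
    pids = _read(os.path.join(cgroup_dir, "pids.max"))
    events = _read(os.path.join(cgroup_dir, "memory.events")) or ""
    report = {
        "cpus": parse_cpu_max(cpu) if cpu else None,
        "memory_bytes": parse_memory_max(mem) if mem else None,
        "pids": parse_pids_max(pids) if pids else None,
        "oom_kills": parse_memory_events(events).get("oom_kill", 0),
    }
    report["unbounded"] = [k for k in ("cpus", "memory_bytes", "pids") if report[k] is None]
    return report


def docker_flags_to_files(cpus: float, memory_bytes: int, pids: int) -> dict:
    """What --cpus/--memory/--pids-limit become on disk (assumed 100 ms CPU period)."""
    return {
        "cpu.max": f"{int(cpus * 100000)} 100000",
        "memory.max": str(memory_bytes),
        "pids.max": str(pids),
    }


def make_sample_cgroup(limited: bool = True) -> str:
    """Constructed sample: a container started with, or without, limits."""
    d = tempfile.mkdtemp(prefix="cg-sample-")
    files = (docker_flags_to_files(1.5, 512 * 1024 * 1024, 256) if limited
             else {"cpu.max": "max 100000", "memory.max": "max", "pids.max": "max"})
    files["memory.events"] = "low 0\nhigh 3\nmax 2\noom 1\noom_kill 1"
    for name, content in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(content + "\n")
    return d


if __name__ == "__main__":
    print(audit_cgroup(make_sample_cgroup(limited=True)))    # unbounded: []
    print(audit_cgroup(make_sample_cgroup(limited=False)))   # unbounded: all three
```

Run `audit_cgroup()` with no argument inside a container to check the real files; an `oom_kills` count above zero together with an unbounded `pids` entry is the classic sign of a container that was given a memory limit but can still fork-bomb the host's process table.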
3. What distinguishes a Type 1 Hypervisor from a Type 2 Hypervisor?
Answer B: Type 1 runs directly on the bare-metal hardware; Type 2 runs as an application on top of a host operating system.
Type 1 (bare-metal) hypervisors like ESXi, Hyper-V, and KVM boot directly on physical hardware and manage VMs without a separate host OS. Type 2 hypervisors like VirtualBox, VMware Fusion, and Parallels run as applications on a host OS (Windows, macOS, Linux). Type 1 is the data-center choice; Type 2 is for desktops and development.
4. In a traditional VM architecture, what is a "Virtual Switch" (vSwitch) used for?
Answer A: Routing traffic between the host's physical network adapter and the virtual network adapters of the VMs.
A vSwitch is a software layer-2 switch managed by the hypervisor. It forwards frames between the host's physical NIC (the uplink) and the virtual NICs assigned to VMs, much as a physical switch does; routing between subnets is still done by a router or the host. Desktop hypervisors typically offer a "Bridged" mode (VMs appear directly on the physical LAN) and a "NAT" mode (VMs share the host's IP address). Network policies, VLAN tagging, and port mirroring can be configured on a vSwitch.
5. How do Docker containers fundamentally manage persistent data storage?
Answer B: Data is strictly written to the container's writable layer and is lost permanently when the container is deleted, unless external Volumes or Bind Mounts are used.
By default, container data is ephemeral: the writable layer is deleted with the container. To persist data, you use Docker Volumes (managed by Docker, stored under /var/lib/docker/volumes/) or Bind Mounts (host filesystem directories mounted into the container). Without these, data is lost on container deletion. Bind mounts hand the container direct access to host paths, so mounting sensitive locations such as /var/run/docker.sock or / effectively removes the isolation boundary; prefer named volumes, and mount read-only (`:ro`) wherever the workload allows.
6. What file system technology enables Docker to build lightweight, rapidly deployable images by stacking read-only layers?
Answer C: Union File Systems (e.g., OverlayFS)
Union filesystems (OverlayFS through today's default overlay2 driver; AUFS was used by early Docker and is deprecated) allow multiple read-only layers to be stacked and presented as a single filesystem. Each filesystem-changing Dockerfile instruction creates a layer; at runtime, all layers are merged into one view and the container gets a thin writable layer on top (copy-on-write: a modified file is copied up into that layer first). This enables sharing of base layers between images and containers and rapid image distribution.
7. From a security standpoint, what is the primary risk associated with Docker containers sharing the host kernel?
Answer A: A kernel panic or severe vulnerability exploited in one container can potentially compromise the host and all other containers running on it.
Container isolation relies entirely on the security of the shared kernel. A kernel vulnerability reachable from inside a container (examples used in public container-escape demonstrations include the netfilter bug CVE-2021-22555 and Dirty Pipe, CVE-2022-0847) can escalate to root on the host, compromising every other container and the host itself; a kernel panic triggered from one container likewise takes the whole host down. This is why prompt kernel patching, a restrictive seccomp profile, dropped capabilities, and non-root container users matter so much in container environments. VMs limit this risk: a guest kernel exploit yields control of that guest only, and reaching the hypervisor or other guests requires a separate hypervisor vulnerability.
8. If high-density scaling (packing the absolute maximum number of isolated applications onto a single server) is the primary goal, which technology is superior?
Answer D: Docker Containers
A single server might run a handful to a few dozen VMs, each paying for its own guest kernel and OS memory, but hundreds or thousands of lightweight containers: a container's overhead is little more than the application process itself plus namespace and cgroup bookkeeping. A microservices architecture built on containers achieves many times (commonly cited as 10–100x) higher application density than VMs on identical hardware, at the price of weaker isolation between tenants.
9. Which networking mode is the default for Docker containers, creating an internal private network on the host and using NAT to access the external internet?
Answer B: Bridge Network Mode
Bridge mode is the default: Docker creates a bridge interface (docker0) on the host, and each container is attached to it through a veth pair with a private address (for example 172.17.0.2). Outbound traffic is source-NATed (MASQUERADE) to the host's address via iptables. Inbound access exists only for ports published with `-p`: `-p 8080:80` installs a DNAT rule in the DOCKER chain forwarding host port 8080 to the container's port 80. Two practitioner caveats: a published port binds to all host interfaces (0.0.0.0) unless you pin an address such as `-p 127.0.0.1:8080:80`, and Docker writes its rules directly into iptables ahead of host firewall front ends like ufw, so those tools do not govern published ports. Host mode bypasses the bridge and shares the host's network namespace; overlay mode provides multi-host networking.
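Because the published-port rules live in iptables rather than in any Docker-specific view, the NAT table is the authoritative place to audit what a Docker host exposes. The following is an added example, not code from the original page or from Docker: it parses the DNAT rules in the DOCKER chain into (host address, host port) to (container, port) records and flags every mapping that is reachable from all interfaces. The sample rules are constructed to follow the shape of `iptables -t nat -S DOCKER` output; that shape, and the `iptables` invocation in the live helper, are assumptions.

```python
"""List the container ports Docker has published, from iptables NAT rules.

Added example, not from the original page or Docker. Docker implements
-p HOST:CONTAINER as DNAT rules in the DOCKER chain of the nat table; the
sample below is constructed in that shape and is not captured output.
"""
import re
import subprocess
from typing import List

_RULE = re.compile(
    r"^-A DOCKER"
    r"(?:\s+-d\s+(?P<dst>\S+))?"             # present only when bound to one address
    r"\s+!\s+-i\s+(?P<bridge>\S+)"           # traffic not already from the bridge
    r"\s+-p\s+(?P<proto>tcp|udp)"
    r"(?:\s+-m\s+(?:tcp|udp))?"
    r"\s+--dport\s+(?P<hport>\d+)"
    r"\s+-j\s+DNAT\s+--to-destination\s+(?P<cip>[\d.]+):(?P<cport>\d+)"
)


def parse_published_ports(rules_text: str) -> List[dict]:
    """Turn DNAT rules into (host address, host port) -> (container, port) records."""
    published = []
    for line in rules_text.splitlines():
        m = _RULE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst") or "0.0.0.0/0"
        published.append({
            "proto": m.group("proto"),
            "host_addr": dst,
            "host_port": int(m.group("hport")),
            "container": f"{m.group('cip')}:{m.group('cport')}",
            "bridge": m.group("bridge"),
            # Anything not pinned to loopback answers on every host interface.
            "world_reachable": not dst.startswith("127."),
        })
    return published


def world_reachable(rules_text: str) -> List[str]:
    """Review-friendly list: 'tcp/8080 -> 172.17.0.2:80'."""
    return [f"{p['proto']}/{p['host_port']} -> {p['container']}"
            for p in parse_published_ports(rules_text) if p["world_reachable"]]


def live_rules() -> str:
    """Read the real chain on a Docker host (needs root; assumed iptables on PATH)."""
    return subprocess.run(["iptables", "-t", "nat", "-S", "DOCKER"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample: three published ports, one of them pinned to loopback.
SAMPLE_RULES = """\
-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.4:53
"""

if __name__ == "__main__":
    for entry in world_reachable(SAMPLE_RULES):
        print("exposed:", entry)
```

The database on 5432 is the correctly configured one: it was started with `-p 127.0.0.1:5432:5432` and so carries a `-d 127.0.0.1/32` match. The two entries the script prints are what an external port scan of this host would find, regardless of any ufw policy.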
10. How does process visibility differ for a system administrator accessing the underlying host machine?
Answer A: The admin cannot see processes running inside VMs, but can view processes running inside containers using standard commands like `top` or `ps`.
Processes inside a VM are scheduled by the guest kernel within the VM's own memory; from the host, the whole VM appears as a single process (for example one qemu-kvm process under KVM), and the guest's processes are invisible without guest-introspection tooling. Container processes run natively on the host kernel, so `ps aux` on the host lists every container process, under host PIDs that differ from the PIDs seen inside the container. This makes container debugging and host-side monitoring easier, but it also means anyone with host access can inspect, signal, or read the memory of container processes.
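Seeing container processes from the host raises the follow-up question a responder or forensic analyst faces immediately: which container does this host PID belong to, and is this process containerized at all? The kernel answers both through the namespace and cgroup view described in question 1 and the host-side visibility described here. The following is an added example, not code from the original page or from Docker: it extracts the container ID from /proc/<pid>/cgroup (both cgroup v1 and v2 path styles) and reads the filesystem type mounted at / from /proc/<pid>/mountinfo, where an overlay root is the usual sign of a container. The sample file contents are constructed to mimic those files and are assumptions, not captured data.

```python
"""Identify which container (if any) a Linux process belongs to.

Added example, not from the original page or Docker. Parses the text formats
of /proc/<pid>/cgroup and /proc/<pid>/mountinfo; the samples below are
constructed to mimic those files.
"""
import re
from typing import Optional

# Docker and containerd name cgroups after the full 64-hex container ID.
_CONTAINER_ID = re.compile(r"(?<![0-9a-f])([0-9a-f]{64})(?![0-9a-f])")


def container_id_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Return the container ID embedded in a /proc/<pid>/cgroup dump, if any.

    cgroup v1 lines look like '12:memory:/docker/<id>', cgroup v2 like
    '0::/system.slice/docker-<id>.scope'; both carry the 64-hex ID in the path.
    """
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)          # hierarchy-id : controllers : path
        if len(parts) != 3:
            continue
        match = _CONTAINER_ID.search(parts[2])
        if match:
            return match.group(1)
    return None


def root_fs_type(mountinfo_text: str) -> Optional[str]:
    """Return the filesystem type mounted at '/' according to mountinfo.

    Fields: id parent maj:min root mount_point opts [optional...] - fstype source superopts
    The ' - ' separator marks where the variable-length optional fields end.
    """
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        pre, post = line.split(" - ", 1)
        pre_fields, post_fields = pre.split(), post.split()
        if len(pre_fields) >= 5 and pre_fields[4] == "/" and post_fields:
            return post_fields[0]
    return None


def container_indicators(cgroup_text: str, mountinfo_text: str) -> dict:
    """Combine both signals into a verdict a responder can act on."""
    cid = container_id_from_cgroup(cgroup_text)
    fstype = root_fs_type(mountinfo_text)
    return {
        "container_id": cid,
        "root_fs": fstype,
        "likely_container": cid is not None or fstype == "overlay",
    }


def inspect_pid(pid: int) -> dict:
    """Live version: read the real /proc files of a host PID (Linux, needs access to that PID)."""
    with open(f"/proc/{pid}/cgroup") as f:
        cgroup_text = f.read()
    with open(f"/proc/{pid}/mountinfo") as f:
        mountinfo_text = f.read()
    return container_indicators(cgroup_text, mountinfo_text)


# Constructed samples (assumed file contents, not captured data).
SAMPLE_ID = "3f2a" * 16  # 64 hex characters
SAMPLE_CGROUP_V2 = f"0::/system.slice/docker-{SAMPLE_ID}.scope\n"
SAMPLE_CGROUP_V1 = f"12:memory:/docker/{SAMPLE_ID}\n11:pids:/docker/{SAMPLE_ID}\n"
SAMPLE_MOUNTINFO_CONTAINER = (
    "1 0 0:45 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/A:"
    "/var/lib/docker/overlay2/l/B,upperdir=/var/lib/docker/overlay2/x/diff\n"
    "2 1 0:46 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
)
SAMPLE_CGROUP_HOST = "0::/init.scope\n"
SAMPLE_MOUNTINFO_HOST = "25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"

if __name__ == "__main__":
    print(container_indicators(SAMPLE_CGROUP_V2, SAMPLE_MOUNTINFO_CONTAINER))
    print(container_indicators(SAMPLE_CGROUP_HOST, SAMPLE_MOUNTINFO_HOST))
```

On a host, `inspect_pid(n)` for a PID found with `ps aux` returns the ID you can feed to `docker inspect`; run against PID 1 from inside a container it tells a payload it has landed in one. Kubernetes nodes running containerd put the ID in a `cri-containerd-<id>.scope` path, which the same regex picks up.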
11. What is the fundamental role of `containerd` in modern Docker architectures?
Answer B: It is an industry-standard core container runtime responsible for managing the complete container lifecycle (image transfer, execution, and storage) beneath the Docker engine.
containerd sits between the Docker daemon (dockerd) and the low-level OCI runtime. dockerd delegates container management to containerd, which handles image pulling, snapshot and filesystem setup, and hands each container to an OCI runtime (runc by default) for execution. Kubernetes talks to containerd directly through the CRI, without the Docker daemon, since the dockershim was removed in Kubernetes 1.24. This separation lets the runtime layer evolve independently of the Docker daemon.
12. When an application runs inside a VM, what must happen to hardware instructions generated by the Guest OS?
Correct (B): They must be trapped and translated by the hypervisor before being passed to the physical CPU, introducing computational overhead.
VMs are not true "pass-through" execution. Privileged instructions (changing memory mappings, enabling interrupts, etc.) from the guest are trapped by the hypervisor and translated to equivalent operations. Each such interception is called a "VM exit." Modern CPUs provide hardware-assisted virtualization (like Intel VT-x) that accelerates this, but overhead still exists.
13. Why is running Docker inside a Virtual Machine a highly common architectural pattern in enterprise environments?
Correct (B): It provides the rapid deployment benefits of containers while leveraging the strong, hardware-level security boundaries and mature management tools of VMs.
A common production architecture is "Containers in VMs": run Docker on Linux VMs managed by a hypervisor (ESXi, Hyper-V, etc.). This combines container agility (inner layer) with VM isolation and compliance benefits (outer layer). If a container escapes, it's confined to the VM. If a kernel exploit hits the host, the VM boundary provides defense-in-depth.
14. In a microservices architecture, why are containers preferred over virtual machines for continuous integration/continuous deployment (CI/CD) pipelines?
Correct (A): Containers are ephemeral and can be built, spun up, tested, and destroyed in seconds, whereas deploying full VMs for every minor code test is vastly too slow and resource-heavy.
CI/CD pipelines need rapid iteration: build → test → deploy → destroy. Containers excel here: Docker images are built in seconds, spun up in milliseconds, run integration tests, then are discarded. VMs take minutes to boot and consume significant resources, making per-commit VM deployment economically infeasible. Containers enable test parallelization.
15. What is an "Init Process" (PID 1) in the context of virtual machines vs. containers?
Correct (A): A VM boots a full init system (like systemd) to start multiple background services, whereas a container typically runs the application executable directly as PID 1 without background OS services.
A VM boots systemd or init, which spawns background services (sshd, syslog, cron, etc.)—a full OS environment. A container's PID 1 is usually the application (e.g., `java -jar app.jar`). If the application exits, the container stops. This design principle—one process per container—aligns with the Unix philosophy and microservices patterns.
16. Which feature allows a Virtual Machine to be moved from one physical host to another without disrupting the running application?
Correct (B): Live Migration (e.g., vMotion)
Live migration (vMotion, KVM live migration) pauses a running VM, copies its memory to a target host, and resumes it there—downtime is sub-second. Containers don't support true live migration because they're process-based, not OS-based. Orchestrators like Kubernetes instead recreate containers on new hosts (rolling updates, minimal disruption).
17. How does OS patching differ between VMs and immutable Docker containers?
Correct (A): VMs are typically patched in-place while running, whereas vulnerable containers are destroyed and replaced entirely with a newly built, patched image.
VMs are mutable: you SSH in and run `apt update && apt upgrade`. Containers follow an immutable paradigm: rebuild the image with updated packages, push the new image, and orchestrate replacement of old containers. This "immutable infrastructure" approach improves reliability and auditability over in-place patching.
18. Which configuration file is used to programmatically define the exact layers, dependencies, and environment variables needed to construct a Docker image?
Correct (C): A Dockerfile
A Dockerfile is a text file containing instructions (FROM, RUN, COPY, EXPOSE, CMD) that Docker uses to build images layer-by-layer. Each instruction creates a layer; `docker build` executes them sequentially. Dockerfiles enable version control, reproducible builds, and Infrastructure-as-Code for containerized applications.
19. What is the primary function of "Docker Compose"?
Correct (B): It is a tool for defining and running multi-container Docker applications using a single YAML file to configure application services.
Docker Compose is a multi-container orchestrator for single hosts. A `docker-compose.yml` file defines services (web, database, cache, etc.), their images, ports, volumes, environment variables, and dependencies. `docker-compose up` launches the entire stack. It's ideal for local development and CI environments; Kubernetes handles production multi-host orchestration.
20. If a legacy application strictly requires a specific, older version of the Windows Kernel (e.g., Windows Server 2008), which deployment method is mandatory?
Correct (C): A Virtual Machine
Docker containers run on the host kernel; you cannot choose a different kernel. If the application requires Windows Server 2008 kernel features (like specific APIs or driver compatibility), you must use a VM with a Windows Server 2008 guest OS. The containers' kernel-sharing model rules this flexibility out.
Docker vs Virtual Machines — Advanced
1. In the context of container security, what is a "Container Escape" vulnerability?
Correct (B): An attack where a malicious user breaks out of the container's isolated namespaces to gain root access to the underlying host operating system.
A container escape is a security breach where an attacker exploits a kernel vulnerability or misconfiguration to break out of the container's namespace isolation and gain access to the host. Well-known examples include the Dirty COW kernel bug and several runc breakouts, including race conditions in runc. An escaped container can compromise all sibling containers and the host itself.
2. Which hardware-assisted virtualization technology is critical for running modern Type 1 hypervisors efficiently on Intel processors?
Correct (C): Intel Virtualization Technology (Intel VT-x)
Intel VT-x (AMD-V, also called SVM, on AMD processors) provides hardware-level virtualization support: CPU modes (VMX root/non-root), extended page tables, and direct I/O access. Without hardware assistance, hypervisors must emulate privileged instructions in software (binary translation), which is slow. Modern hypervisors require hardware virtualization extensions.
3. How does the low-level OCI (Open Container Initiative) runtime `runc` interact with the Linux kernel?
Correct (B): It spawns and runs containers strictly according to the OCI specification by interfacing directly with kernel namespaces and cgroups, independent of the higher-level Docker daemon.
`runc` is the OCI-compliant low-level container runtime. It reads an OCI runtime specification (a JSON file describing namespaces, cgroups, and mount points), then calls kernel APIs (clone(), unshare(), setns()) to create isolated processes. Docker and Kubernetes use runc (via containerd) to actually execute containers. runc is the bridge between high-level container orchestrators and the kernel.
4. What is the performance impact of Network Address Translation (NAT) overhead in standard Docker bridge networks compared to VM hypervisor vSwitches?
Correct (A): Docker bridge networks utilizing iptables NAT can introduce noticeable CPU overhead and latency in high-throughput microservice environments, whereas VM vSwitches often utilize SR-IOV for direct hardware access.
iptables-based NAT in Docker (DNAT/SNAT) adds CPU overhead per packet. vSwitches can offload to SR-IOV NICs, bypassing the host kernel for VM traffic. In high-throughput scenarios (>10 Gbps), Docker bridge networking is slower than VM vSwitches. Overlay networking, host networking, or socket-based approaches reduce this gap.
5. Which technology attempts to blend the hardware-level security of a Virtual Machine with the speed and lightweight footprint of a container?
Correct (A): Kata Containers (or Firecracker microVMs)
Kata Containers and Firecracker run application containers inside minimal, purpose-built VMs instead of relying on kernel namespace isolation. Each container gets its own lightweight VM (boots in milliseconds, uses minimal RAM). This provides VM-level security isolation while maintaining container speed. Popular with untrusted workload isolation (e.g., AWS Lambda).
6. When tuning high-performance databases, why might an architect choose a bare-metal server or heavily optimized VM over a standard Docker container utilizing a bind mount?
Correct (C): Storage I/O abstraction layers, UnionFS overhead, and host kernel caching conflicts can introduce unpredictable latencies compared to direct block storage access in VMs or bare metal.
Containerized databases face latency issues: UnionFS layers add overhead, bind mount caching interactions with host page cache can cause unexpected stalls, and iptables NAT adds latency to network I/O. Bare metal or VM with direct storage access (no layering) offers predictable, low-latency I/O—critical for databases. High-performance applications often use VMs or bare metal.
7. What is the fundamental difference between how Docker Desktop runs on Windows versus native Linux?
Correct (A): On Windows, Docker utilizes a lightweight utility VM (often via WSL 2 or Hyper-V) to host the necessary Linux kernel, whereas on native Linux, it utilizes the host kernel directly.
Docker requires a Linux kernel (for namespaces, cgroups). On Linux, it uses the native kernel. On Windows 10/11, Docker Desktop runs a lightweight Linux VM (WSL 2 or Hyper-V) and communicates with it. On macOS, Docker also runs a hidden Linux VM. This explains why Docker on Windows is slightly slower than native Linux.
8. In an enterprise Kubernetes cluster, what replaces Docker as the orchestrator to manage thousands of containers across hundreds of VMs?
Correct (B): The Kubelet and the Kubernetes Control Plane
Kubernetes is a container orchestrator that manages containers across multiple host nodes. The Kubelet (node agent) communicates with the Control Plane (API server, scheduler, controller manager). Kubernetes abstracts away individual hosts, scheduling containers/pods based on resource requests, tolerations, and affinity rules. Docker is a runtime; Kubernetes is the orchestrator above it.
9. What specific vulnerability does running a Docker container in "Privileged Mode" introduce?
Correct (C): It disables namespace and cgroup restrictions, granting the container near-total root capabilities over the host system, making container escape trivial.
Privileged mode (`--privileged`) removes namespace and cgroup restrictions, giving the container access to host device nodes, full CPU/memory/network capabilities, and the ability to mount the host filesystem. A privileged container can easily gain host root access; it is essentially unrestricted access. Use it only for legitimate low-level tasks (like container runtimes themselves).
10. How does "Memory Overcommitment" differ fundamentally between a Hypervisor managing VMs and a host managing Docker containers?
Correct (A): Hypervisors utilize complex ballooning and page-sharing drivers to overcommit memory safely, whereas Docker relies entirely on the Linux kernel's OOM (Out Of Memory) killer to terminate greedy container processes if the host exhausts its RAM.
Hypervisors implement memory ballooning: a balloon driver in each guest inflates and deflates on the hypervisor's request to elastically rebalance memory between VMs. Containers rely on the kernel OOM killer: when memory is exhausted, the OOM killer selects and terminates the most memory-hungry process. Hypervisors are more graceful; the container approach is harsher but simpler.
11. What is "Nested Virtualization" and why is it a complex challenge in cloud environments?
Correct (B): The ability to run a hypervisor (and VMs) inside another virtual machine, which requires the underlying host hypervisor to expose hardware virtualization extensions (like VT-x) to the guest VM.
Nested virtualization (e.g., running KVM VMs inside Hyper-V VMs) requires the host hypervisor to expose CPU virtualization flags to the guest. Most cloud providers disable this for performance and security reasons. However, modern processors and cloud platforms are improving support. Deeply nested architectures suffer severe performance degradation.
12. Which Linux kernel security module is commonly integrated with Docker to enforce mandatory access control (MAC) policies, restricting the system calls a container can make?
Correct (D): AppArmor or SELinux
AppArmor and SELinux are Linux MAC modules that define which resources a process may access and which privileged operations it may perform. Docker can enforce AppArmor profiles per container, restricting privileged operations (mount, ptrace, etc.). Seccomp (also used by Docker) achieves similar goals by filtering syscalls. Together, they reduce the kernel attack surface containers expose.
13. In a scenario where strict regulatory compliance mandates complete logical separation of tenant data at the hardware level, which deployment model is strictly required?
Correct (C): Deploying distinct Virtual Machines on isolated, dedicated bare-metal hosts (Type 1 Hypervisor) for each tenant.
Regulatory frameworks like HIPAA, PCI-DSS, and others mandate physical/hardware isolation for multi-tenant environments. Containers share the kernel, so namespace isolation is perceived as insufficient. VMs on isolated bare-metal hosts provide hardware-level segregation and audit trails separating each tenant completely. More expensive but legally necessary.
14. What role does "Seccomp" (Secure Computing Mode) play in container security?
Correct (B): It filters and restricts the specific Linux system calls a containerized process is permitted to execute, minimizing the kernel attack surface.
Seccomp (secure computing mode) is a Linux kernel feature that restricts which syscalls a process can call. A container can run with a seccomp profile that allows only the necessary syscalls (e.g., read, write, mmap) and blocks everything else (e.g., ptrace, mount, reboot). This dramatically reduces the kernel attack surface a container can exploit.
15. How do lightweight microVMs (like AWS Firecracker) attempt to solve the density vs. security dilemma of traditional VMs and containers?
Correct (C): They utilize a minimalist, heavily stripped-down hypervisor and incredibly thin guest kernels to boot in milliseconds while maintaining rigid hardware-level isolation.
Firecracker is a KVM-based microVM hypervisor specifically designed for serverless. It boots a minimal Linux kernel in ~125ms and consumes ~5MB RAM per VM. This bridges containers (fast, dense) and VMs (secure). Each Lambda invocation gets its own microVM, providing isolation at container density.
16. What is the fundamental mechanism behind Docker's "Copy-on-Write" (CoW) strategy?
Correct (A): When a container attempts to modify an existing file from a read-only image layer, the file is copied up to the container's writable layer before the modification occurs, preserving the underlying image.
CoW is an optimization technique used by UnionFS. Image layers are read-only and shared across containers. When a container first writes to a file that lives in an image layer, that file is copied up into the container's writable layer and the change is applied there; the image layer itself is never touched. This reduces disk I/O and storage space: multiple containers can safely modify the same "file", each getting its own copy in its writable layer.
17. Why might a highly optimized VM experience "VM Exit" overhead, and why is this irrelevant to Docker containers?
Correct (B): VM Exits occur when the hypervisor must intervene to handle privileged instructions or hardware interrupts generated by the Guest OS, causing a context switch. Containers share the host kernel, executing system calls directly without hypervisor intervention.
A VM Exit is when the hypervisor must intercept and handle a privileged instruction issued by guest OS code. Examples: memory mapped I/O, I/O port access, MSR writes. Each exit involves a context switch (guest→hypervisor→guest), adding latency. Containers avoid this: syscalls are handled directly by the host kernel in the container's privilege level.
18. Which networking concept allows a Docker container to appear as a physical device on the host's actual network, possessing its own MAC address and bypassing NAT?
Correct (D): Macvlan Networking
Macvlan allows a container to have its own virtual MAC address on the host's physical network. The container appears as a separate physical device to the switch, receiving its own DHCP lease and IP. No NAT is involved. Useful for legacy applications expecting direct network presence, but incompatible with containers needing inter-container communication.
19. In the context of VM storage, what is "Thin Provisioning," and why does it necessitate careful host monitoring?
Correct (C): Creating a virtual disk that only consumes host storage space as data is actually written, risking a host storage outage if multiple VMs suddenly expand and overcommit the physical hardware.
Thin provisioning allocates disk space on demand: a 100GB thin-provisioned VM disk initially consumes 0 bytes; as data is written, the file grows up to 100GB. If the growth of multiple VMs is not monitored, the shared storage pool can become exhausted, causing VMs to crash. Monitoring and enforcement of quotas are critical. Thick provisioning pre-allocates space, avoiding this risk but wasting storage.
20. What is "Rootless Docker" and what specific security vulnerability does it primarily address?
Correct (B): It allows the Docker daemon and containers to run entirely within an unprivileged user namespace, mitigating the risk of an attacker gaining host root access if they manage a container escape.
Rootless Docker runs the Docker daemon and containers under an unprivileged user account, using user namespaces to map container root (UID 0) to a non-root host UID. If a container escapes, the attacker gains an unprivileged user shell, not host root. This dramatically reduces the blast radius of container escapes. Trade-off: some features (device access, privileged network ports) require workarounds.
Conclusion: Making the Right Choice
Neither Docker nor Virtual Machines is universally "better" — they solve different problems and are often used together. Docker (containers) excels at rapid iteration, microservices, DevOps workflows, and cloud-native architecture. Virtual Machines excel at strong isolation, legacy system support, running diverse operating systems, and regulatory compliance scenarios.
The decision framework: Choose containers for modern, cloud-native applications with frequent deployments. Choose VMs for legacy systems, deeply isolated multi-tenant infrastructure, or when different operating systems are required. In practice, most production environments use both: VMs form the infrastructure foundation, while containers run the applications inside them.
Master these 60 MCQs, deeply understand the architectural differences, and you'll have the knowledge to design scalable, secure, and cost-effective infrastructure solutions. Good luck on your cloud journey! 🚀
📌 Key Takeaways — Docker vs Virtual Machines
- Architecture: Containers (OS-level virtualization) vs VMs (hardware virtualization).
- Kernel sharing: Containers share the host kernel; VMs each run a complete guest OS.
- Startup time: Containers start in milliseconds; VMs take minutes to boot.
- Resource overhead: Containers: 1-2% overhead; VMs: 20-50% overhead (dedicated OS + hypervisor).
- Isolation levels: Containers use namespaces (process, network, filesystem); VMs use hardware isolation.
- Security trade-offs: Containers: kernel vulnerabilities affect all containers; VMs: strong multi-tenant isolation.
- Hypervisors: Type 1 (bare-metal: ESXi) vs Type 2 (hosted: VirtualBox, Hyper-V).
- Use cases: Containers for microservices/DevOps; VMs for legacy systems and strong isolation.
- Docker components: Image (blueprint), Container (running instance), Registry (storage), Engine (runtime).
- Container escapes: Rare but critical; kernel exploits allow attacker access to host and sibling containers.
Quick Review & Summary
Use this table to quickly compare key characteristics before or after attempting the questions above.
| Characteristic | Docker Container | Virtual Machine |
|---|---|---|
| Virtualization Level | OS-level (shares kernel) | Hardware-level (separate OS) |
| Startup Time | Milliseconds | Minutes |
| Memory Overhead | 5-50 MB per container | 512 MB - 4 GB+ per VM |
| Isolation Level | Process/namespace isolation | Hardware-level isolation |
| Path to Host OS Compromise | Kernel exploit (shared kernel) | Hypervisor exploit required |
| Density (per host) | Hundreds to thousands | Tens to hundreds |
| OS Diversity | Requires same kernel | Any compatible OS |
Frequently Asked Questions
Q. What is the difference between Docker and a Virtual Machine?
Q. What do these Docker vs VM MCQs cover?
Q. Are these MCQs suitable for cloud certification exam preparation (AWS, Azure, GCP)?
Q. What is the primary advantage of Containers over Virtual Machines?
Q. What is the primary advantage of Virtual Machines over Containers?
Q. What are Linux namespaces and cgroups?
Q. What is a Docker image, and how does it differ from a running container?
Q. What is the difference between a Type 1 and Type 2 Hypervisor?
Q. What does "container escape" mean, and why is it a critical security concern?
Q. What is "Rootless Docker," and why is it important for security?
Q. What is Kubernetes, and how does it relate to Docker?