An application can pass tests locally and still fail after deployment because the runtime environment changed: different OS packages, missing libraries, incompatible dependency versions, or different startup configuration.
Docker reduces this class of problem by packaging the application with its runtime, libraries, and system dependencies into a container image. Runtime configuration, secrets, networking, and storage are still supplied by the environment that runs the container.
For interviews, focus on what Docker does and does not own: container isolation, image contents, build structure, container networking, and the boundary between containers and orchestration.
Across the technology deep dives, keep the boundary clear: Docker packages and runs containers on a host, Kubernetes orchestrates containers across hosts, and Prometheus observes the running system through metrics.
The diagram shows how a command flows from the Docker client to the daemon, how the daemon pulls images from a registry and delegates execution to the container runtime, and how a running container layers a writable filesystem on top of read-only image layers.