1. What is the docker command to find the current logging driver for a running container?
A. docker stats
B. docker info
C. docker config
D. docker inspect
2. When an application being managed by UCP fails, you would like a summary of all requests made to the UCP API in the hours leading up to the failure.
What must be configured correctly beforehand for this to be possible?
A. UCP audit logs must be set to the metadata or request level.
B. UCP logging levels must be set to the info or debug level.
C. All engines in the cluster must have their log driver set to the metadata or request level.
D. Set the logging level in the config object for the ucp-kube-api-server container to warning or higher.
Audit logs capture all HTTP actions (GET, PUT, POST, PATCH, DELETE) invoked against the UCP API, Swarm API and Kubernetes API endpoints (except those on the ignored list) and send them to Docker Engine via stdout. Audit logging is a UCP component that integrates with the Swarm, Kubernetes, and UCP APIs.
Logging Levels
None, Metadata, Request.
Benefits
Historical Troubleshooting - Audit logs are helpful in determining a sequence of past events that explain why an issue occurred.
Security Analysis and Auditing - Security is one of the primary uses for audit logs. A full record of all user interactions with the container infrastructure gives your security team full visibility into questionable or attempted unauthorized accesses.
Chargeback - You can use audit logs and information about the resources to generate chargeback information.
Alerting - If there is a watch on an event stream or a notification created by the event, alerting features can be built on top of event tools that generate alerts for ops teams (PagerDuty, OpsGenie, Slack, or custom solutions).
3. Is this a type of Linux kernel namespace that provides container isolation?
Solution: Network
Yes
Solution: Storage
No
Solution: Authentication
No
Namespaces provide the first and most straightforward form of isolation: processes running within a container cannot see, and even less affect, processes running in another container, or in the host system.
Each container also gets its own network stack, meaning that a container doesn’t get privileged access to the sockets or interfaces of another container. Of course, if the host system is set up accordingly, containers can interact with each other through their respective network interfaces — just like they can interact with external hosts. When you specify public ports for your containers or use links then IP traffic is allowed between containers. They can ping each other, send/receive UDP packets, and establish TCP connections, but that can be restricted if necessary. From a network architecture point of view, all containers on a given Docker host are sitting on bridge interfaces. This means that they are just like physical machines connected through a common Ethernet switch; no more, no less.
4. The Kubernetes yaml shown below describes a networkPolicy.
apiVersion: networking.k8s.io/v1
Will the networkPolicy BLOCK this traffic?
Solution: a request issued from a pod bearing the tier: backend label, to a pod bearing the tier: frontend label.
No
Solution: a request issued from a pod lacking the tier: api label, to a pod bearing the tier: backend label
Yes
5. Does this command display all the pods in the cluster that are labeled as "env: development"?
Solution: "kubectl get pods --all-namespaces -l env=development"
Yes
Solution: "kubectl get pods -l env=development"
No
Solution: "kubectl get pods --all-namespaces -label env=development"
No
6. Will this command display a list of volumes for a specific container?
Solution: "docker volume logs nginx --containers"
No
Solution: "docker volume inspect nginx"
No
Solution: "docker container logs nginx --volumes"
No
Solution: "docker container inspect nginx"
Yes
7. A host machine has four CPUs available and two running containers. The sysadmin would like to assign two CPUs to each container.
Which of the following commands achieves this?
A. Set the "--cpuset-cpus" flag to "1,3" on one container and "2,4" on the other container.
B. Set the "--cpuset-cpus" flag to ".5" on both containers.
C. Set the "--cpuset-cpus" flag of the "dockerd" process to the value "even-spread".
D. Set the "--cpu-quota" flag to "1,3" on one container and "2,4" on the other container.
--cpus=<value>
Specify how much of the available CPU resources a container can use. For instance, if the host machine has two CPUs and you set --cpus="1.5", the container is guaranteed at most one and a half of the CPUs.
--cpuset-cpus
Limit the specific CPUs or cores a container can use. A comma-separated list or hyphen-separated range of CPUs a container can use, if you have more than one CPU. The first CPU is numbered 0. A valid value might be 0-3 (to use the first, second, third, and fourth CPU) or 1,3 (to use the second and fourth CPU).
If you have 1 CPU, each of the following commands guarantees the container at most 50% of the CPU every second.
docker run -it --cpus=".5" ubuntu /bin/bash
This is equivalent to manually specifying --cpu-period and --cpu-quota:
docker run -it --cpu-period=100000 --cpu-quota=50000 ubuntu /bin/bash
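Added example (not from the Docker docs): helpers that expand --cpuset-cpus values the way the docs describe (first CPU is 0), check that each container's set exists on a host with a given CPU count and does not overlap another container's set, and convert a --cpus value into the equivalent --cpu-period/--cpu-quota pair. The host CPU count is an input; no Docker daemon is contacted.

```python
"""Added example: cpuset validation and --cpus to CFS quota conversion.

Models the semantics quoted from the Docker docs above; it does not talk
to a Docker daemon.  The host CPU count is supplied by the caller.
"""
from typing import Dict, List, Set, Tuple


def parse_cpuset(spec: str) -> Set[int]:
    """Expand a --cpuset-cpus value such as "0-3" or "1,3" into CPU numbers.

    CPUs are numbered from 0, so "1,3" means the second and fourth CPU.
    """
    cpus: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError(f"empty element in cpuset {spec!r}")
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"descending range {part!r} in cpuset {spec!r}")
            cpus.update(range(lo, hi + 1))
        else:
            cpus.add(int(part))
    return cpus


def check_cpuset(spec: str, host_cpus: int) -> Set[int]:
    """Parse and reject CPU numbers the host does not have (valid: 0..host_cpus-1)."""
    cpus = parse_cpuset(spec)
    bad = sorted(c for c in cpus if c < 0 or c >= host_cpus)
    if bad:
        raise ValueError(
            f"cpuset {spec!r} names CPUs {bad}, but the host has CPUs 0-{host_cpus - 1}"
        )
    return cpus


def plan_disjoint(specs: List[str], host_cpus: int) -> Dict[str, Set[int]]:
    """Validate one cpuset per container and confirm no CPU is pinned twice.

    Returns a mapping from each cpuset string to the CPUs it pins.
    """
    plan: Dict[str, Set[int]] = {}
    seen: Set[int] = set()
    for spec in specs:
        cpus = check_cpuset(spec, host_cpus)
        overlap = cpus & seen
        if overlap:
            raise ValueError(
                f"cpuset {spec!r} overlaps an earlier container on CPUs {sorted(overlap)}"
            )
        seen |= cpus
        plan[spec] = cpus
    return plan


def cpus_to_cfs(cpus: float, period_us: int = 100_000) -> Tuple[int, int]:
    """Translate --cpus=<value> into the (--cpu-period, --cpu-quota) pair.

    With the default 100000 microsecond period, --cpus=".5" is --cpu-quota=50000.
    """
    if cpus <= 0:
        raise ValueError("--cpus must be positive")
    return period_us, int(round(cpus * period_us))


if __name__ == "__main__":
    # Four-CPU host, two CPUs per container: CPUs 0,1 and 2,3 are disjoint and valid.
    print(plan_disjoint(["0,1", "2,3"], host_cpus=4))
    print(cpus_to_cfs(0.5))   # (100000, 50000)
    try:
        plan_disjoint(["1,3", "2,4"], host_cpus=4)
    except ValueError as err:
        print("rejected:", err)  # CPU 4 does not exist on a four-CPU host
```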
8. The Kubernetes yaml shown below describes a clusterIP service.
apiVersion: v1
Is this a correct statement about how this service routes requests?
Solution: Traffic sent to the IP of this service on port 8080 will be routed to port 80 in a random pod with the label app: nginx.
Yes
Solution: Traffic sent to the IP of any pod with the label app: nginx on port 8080 will be forwarded to port 80 in that pod.
No
9. A container named "analytics" that stores results in a volume called "data" was created.
docker run -d --name=analytics -v data:/data app1
How are the results accessed in "data" with another container called "app2"?
A. docker run -d --name=reports --volume=data app2
B. docker run -d --name=reports --volumes-from=analytics app2
C. docker run -d --name=reports --volume=app1 app2
D. docker run -d --name=reports --mount=app1 app2
Mount volumes from container (--volumes-from)
10. A user is having problems running Docker. Which of the following will start Docker in debug mode?
A. Set the debug key to true in the "daemon.json" file.
B. Start the "dockerd" process manually with the "--logging" flag set to debug.
C. Set the logging key to debug in the "daemon.json" file.
D. Start the "dockerd" process manually with the "--raw-logs" flag set to debug.
11. Will this action upgrade Docker Engine CE to Docker Engine EE?
Solution: Uninstall "docker-ce" package before installing "docker-ee" package.
Yes
Solution: Delete "/var/lib/docker" directory.
No
Solution: Manually download the "docker-ee" package.
Yes
The Docker EE package is called docker-ee. Older versions were called docker or docker-engine.
Uninstall all older versions and associated dependencies. The contents of /var/lib/docker/ are preserved, including images, containers, volumes, and networks. If you are upgrading from Docker CE to Docker EE, remove the Docker CE package as well.
12. Which of the following commands automatically create a volume when a container is started?
A. docker container run --name nginxtest --volume=/app nginx
B. docker container run --name nginxtest -v /app:mount nginx
C. docker container run --name nginxtest --volume myvol:/app:new nginx
D. docker container run --name nginxtest -v myvol:/app nginx
Start a container with a volume
If you start a container with a volume that does not yet exist, Docker creates the volume for you.
13. Following the principle of least privilege, which of the following methods can be used to securely grant access to the specific user to communicate to a Docker engine? (Choose two.)
A. Utilize the "--host 0.0.0.0:2375" option to the Docker daemon to listen on port 2375 over TCP on all interfaces.
B. Utilize openssl to create TLS client and server certificates, configuring the Docker engine to use with mutual TLS over TCP.
C. Utilize the "--host 127.0.0.1:2375" option to the Docker daemon to listen on port 2375 over TCP on localhost.
D. Give the user root access to the server to allow them to run Docker commands as root.
E. Add the user to the "docker" group on the server or specify the group with the "--group" Docker daemon option.
14. What is the purpose of a client bundle in the Universal Control Plane?
A. Authenticate a user using client certificates to the Universal Control Plane.
B. Provide a new user instructions for how to login to the Universal Control Plane.
C. Provide a user with a Docker client binary compatible with the Universal Control Plane.
D. Group multiple users in a team in the Universal Control Plane.
Get Familiar with Docker Enterprise Edition Client Bundles
A client bundle is a group of certificates downloadable directly from the Docker Universal Control Plane (UCP) user interface within the admin section for “My Profile”. This allows you to authorize a remote Docker engine to a specific user account managed in Docker EE, absorbing all associated RBAC controls in the process. You can now execute docker swarm commands from your remote machine that take effect on the remote cluster.
Docker UCP secures your cluster with role-based access control, so that only authorized users can perform changes to the cluster.
Once you’ve downloaded a client certificate bundle, you can use it to authenticate your requests.
15. You want to mount external storage to a particular filesystem path in a container in a Kubernetes pod. What is the correct set of objects to use for this?
A. A volume in the pod specification, populated with a persistentVolumeClaim bound to a persistentVolume defined by a storageClass.
B. A storageClass in the pod specification, populated with a volume which is bound to a provisioner defined by a persistentVolume.
C. A volume in the pod specification, populated with a storageClass which is bound to a provisioner defined by a persistentVolume.
D. A persistentVolume in the pod specification, populated with a persistentVolumeClaim which is bound to a volume defined by a storageClass.
Configure a Pod to Use a PersistentVolume for Storage
apiVersion: v1
apiVersion: v1
apiVersion: v1
apiVersion: storage.k8s.io/v1
apiVersion: v1
16. Which of the following is true about using the "-P" option when creating a new container?
A. Docker binds each exposed container port to a random port on all the host's interface.
B. Docker gives extended privileges to the container.
C. Docker binds each exposed container port to a random port on a specified host's interface.
D. Docker binds each exposed container port with the same port on the host.
17. What is used by the kernel to isolate resources when running Docker containers?
A. Namespaces
B. Overlay networks
C. Volumes
D. Control groups (also known as cgroups)
18. Does this describe the role of Control Groups (cgroups) when used with a Docker container?
Solution: role-based access control to clustered resources.
No
Solution: accounting and limiting of resources.
Yes
Solution: user authorization to the Docker API.
No
Control Groups are another key component of Linux Containers. They implement resource accounting and limiting. They provide many useful metrics, but they also help ensure that each container gets its fair share of memory, CPU, disk I/O; and, more importantly, that a single container cannot bring the system down by exhausting one of those resources.
19. What is one way of directly transferring a Docker Image from one Docker host in another?
A. "docker push" the image to the IP address of the target host.
B. "docker commit" to save the image outside of the Docker filesystem. Then transfer the file over to the target host and "docker start" to start the container again.
C. There is no way of directly transferring Docker images between hosts. A Docker Registry must be used as an intermediary.
D. "docker save" the image to save it as TAR file and copy it over to the target host. Then use "docker load" to un-TAR the image back as a Docker image.
20. How do you configure Docker engine to use a registry that is not configured with TLS certificates from a trusted CA?
A. Set IGNORE_TLS in the "daemon.json" configuration file.
B. Set and export the IGNORE_TLS environment variable on the command line.
C. Set INSECURE_REGISTRY in the "/etc/docker/default" configuration file.
D. Pass the "--insecure-registry" flag to the daemon at runtime.
21. Which of the following are types of namespaces used by Docker to provide isolation? (Choose two.)
A. Host
B. Network
C. Process ID
D. Authentication
E. Storage
22. Which of the following commands will create a Swarm service which only listens on port 53 using the UDP protocol?
A. docker service create --name dns-cache -p 53:53/udp dns-cache
B. docker service create --name dns-cache -p 53:53 --service udp dns-cache
C. docker service create --name dns-cache -p 53:53 --constraint networking.protocol.udp=true dns-cache
D. docker service create --name dns-cache -p 53:53 --udp dns-cache
Publish service ports externally to the swarm (-p, --publish)
--publish 8080:80/tcp
--publish published=8080,target=80,protocol=tcp
23. Which of the following is true about overlay networks?
A. Overlay networks are created only on the manager node that you created the overlay networking on.
B. Overlay networks are created on all cluster nodes when you create the overlay network.
C. Overlay networks are first created on the manager nodes. Then they are created on the worker nodes once a task is scheduled on the specific worker node.
D. Overlay networks are only created on the manager nodes.
On manager, create a new overlay network.
You don’t need to create the overlay network on the other nodes, because it will be automatically created when one of those nodes starts running a service task which requires it.
26. What is the recommended way to configure the daemon flags and environment variables for your Docker daemon in a platform independent way?
A. Set the configuration options using the ENV variable.
B. Set the configuration options in "/etc/docker/daemon.json".
C. Set the configuration DOCKER_OPTS in "/etc/default/docker".
D. Using "docker config" to set the configuration options.
27. A company's security policy specifies that development and production containers must run on separate nodes in a given Swarm cluster.
Can this be used to schedule containers to meet the security policy requirements?
Solution: label constraints
Solution: node taints
No
Solution: resource reservation
No
Use placement constraints to control the nodes a service can be assigned to.
28. In the context of a Swarm mode cluster, does this describe a node?
Solution: an instance of the Docker engine participating in the Swarm.
Yes
Solution: a virtual machine participating in the swarm.
No
Solution: a physical machine participating in the swarm.
No
30. You created a new service named "http" and discover it is not registering as healthy. Will this command enable you to view the list of historical tasks for this service?
Solution: "docker inspect http"
No
Solution: "docker service ps http"
Yes
Solution: "docker service inspect http"
No
In addition to running tasks, the output also shows the task history.
31. Will this sequence of steps completely delete an image from disk in the Docker Trusted Registry?
Solution: Delete the image and run garbage collection on the Docker Trusted Registry.
Yes
Solution: Delete the image and delete the image repository from Docker Trusted Registry.
About garbage collection
In the context of the Docker registry, garbage collection is the process of removing blobs from the filesystem when they are no longer referenced by a manifest.
Garbage collection in practice
Filesystem layers are stored by their content address in the Registry. This has many advantages, one of which is that data is stored once and referred to by manifests.
Layers are therefore shared amongst manifests; each manifest maintains a reference to the layer. As long as a layer is referenced by one manifest, it cannot be garbage collected.
Manifests and layers can be deleted with the registry API. This API removes references to the target and makes them eligible for garbage collection. It also makes them unable to be read via the API.
If a layer is deleted, it is removed from the filesystem when garbage collection is run. If a manifest is deleted the layers to which it refers are removed from the filesystem if no other manifests refers to them.
More details about garbage collection
Garbage collection runs in two phases. First, in the "mark" phase, the process scans all the manifests in the registry. From these manifests, it constructs a set of content address digests. This set is the "mark set" and denotes the set of blobs to not delete. Secondly, in the "sweep" phase, the process scans all the blobs and if a blob’s content address digest is not in the mark set, the process deletes it.
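Added example (not Docker's or DTR's code): a small model of the mark-and-sweep process described above. Blobs are stored once by content address and shared between manifests; deleting a manifest only drops its references, and the disk space is reclaimed only when garbage collection finds a blob that no remaining manifest marks.

```python
"""Added example: registry mark-and-sweep garbage collection in miniature.

The layer contents and image names below are constructed sample data; the
logic follows the two-phase description quoted from the registry docs.
"""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Dict, List, Set


def digest(data: bytes) -> str:
    """Content address of a blob, in the registry's sha256:<hex> form."""
    return "sha256:" + sha256(data).hexdigest()


@dataclass
class Registry:
    # content address -> blob bytes (stands in for the registry filesystem)
    blobs: Dict[str, bytes] = field(default_factory=dict)
    # repo:tag -> digests of the layers the manifest references
    manifests: Dict[str, List[str]] = field(default_factory=dict)

    def push(self, ref: str, layers: List[bytes]) -> None:
        """Store each layer once by content address and record the manifest."""
        digests = []
        for layer in layers:
            d = digest(layer)
            self.blobs.setdefault(d, layer)  # a shared layer is stored only once
            digests.append(d)
        self.manifests[ref] = digests

    def delete_manifest(self, ref: str) -> None:
        """The API delete: removes the reference, leaves the blobs on disk."""
        del self.manifests[ref]

    def mark(self) -> Set[str]:
        """Mark phase: collect every digest still referenced by some manifest."""
        return {d for layers in self.manifests.values() for d in layers}

    def sweep(self, mark_set: Set[str]) -> List[str]:
        """Sweep phase: delete every blob whose digest is not in the mark set."""
        swept = [d for d in self.blobs if d not in mark_set]
        for d in swept:
            del self.blobs[d]
        return swept

    def garbage_collect(self) -> List[str]:
        return self.sweep(self.mark())


def demo() -> dict:
    """Two image tags sharing a base layer; delete one tag, then collect."""
    reg = Registry()
    base = b"constructed base layer"
    reg.push("app:1.0", [base, b"constructed app 1.0 layer"])
    reg.push("app:1.1", [base, b"constructed app 1.1 layer"])
    blobs_before = len(reg.blobs)              # 3: the shared base plus two app layers

    reg.delete_manifest("app:1.0")
    blobs_after_delete = len(reg.blobs)        # still 3: deletion drops only the reference

    swept = reg.garbage_collect()              # only the layer unique to 1.0 is removed
    return {
        "blobs_before": blobs_before,
        "blobs_after_delete": blobs_after_delete,
        "swept": swept,
        "base_survives": digest(base) in reg.blobs,
        "blobs_after_gc": len(reg.blobs),
    }


if __name__ == "__main__":
    print(demo())
```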
32. Seven managers are in a swarm cluster.
Is this how they should be distributed across three datacenters or availability zones?
Solution: 5-1-1
No
Solution: 3-3-1
No
Solution: 3-2-2
Yes
33. You configure a local Docker engine to enforce content trust by setting the environment variable DOCKER_CONTENT_TRUST=1.
If myorg/myimage:1.0 is unsigned, does Docker block this command?
Solution: docker image import <tarball> myorg/myimage:1.0
No
Solution: docker service create myorg/myimage:1.0
No
Client Enforcement with Docker Content Trust
34. During development of an application meant to be orchestrated by Kubernetes, you want to mount the /data directory on your laptop into a container.
Will this strategy successfully accomplish this?
Solution: Add a volume to the pod that sets hostPath.path: /data, and then mount this volume into the pod's containers as desired.
Yes
Solution: Create a PersistentVolume with storageClass: "" and hostPath: /data, and a persistentVolumeClaim requesting this PV. Then use that PVC to populate a volume in a pod.
Yes
Configure a Pod to Use a PersistentVolume for Storage
35. Two development teams in your organization use Kubernetes and want to deploy their applications while ensuring that Kubernetes-specific resources, such as secrets, are grouped together for each application.
Is this a way to accomplish this?
Solution: Create one namespace for each application and add all the resources to it.
Solution: Add all the resources to the default namespace.
Solution: Create one pod and add all the resources needed for each application.
36. Will this command mount the host's "/data" directory to the ubuntu container in read-only mode?
Solution: "docker run -v /data:/mydata --mode readonly ubuntu"
No
Solution: "docker run --add-volume /data /mydata -read-only ubuntu"
No
Solution: "docker run --volume /data:/mydata:ro ubuntu"
Yes
docker run -d \
docker run -d \
37. What is the purpose of Docker Content Trust?
A. Signing and verification of image tags.
B. Enabling mutual TLS between the Docker client and server.
C. Docker registry TLS verification and encryption.
D. Indicating an image on Docker Hub is an official image.
Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.
Through DCT, image publishers can sign their images and image consumers can ensure that the images they pull are signed.
38. In Docker Trusted Registry, how would a user prevent an image, for example "nginx:latest" from being overwritten by another user with push access to the repository?
A. Tag the image with "nginx:immutable".
B. Remove push access from all other users.
C. Use the DTR web UI to make the tag immutable.
D. Keep a backup copy of the image on another repository.
40. A user's attempts to set the system time from inside a Docker container are unsuccessful. Could this be blocking this operation?
Solution: inter-process communication
No
Solution: Linux capabilities
Yes
41. The following health check exists in a Dockerfile:
"HEALTHCHECK CMD curl --fail http://localhost/health || exit 1"
Which of the following describes its purpose?
A. Defines the action taken when container health fails, which in this case will kill the container with exit status 1.
B. Defines the health check endpoint on the localhost interface for external monitoring tools to monitor the health of the docker engine.
C. Defines the health check endpoint on the localhost interface for containers to monitor the health of the docker engine.
D. Defines the health check for the containerized application so that the application health can be monitored by the Docker engine.
The HEALTHCHECK instruction has two forms:
HEALTHCHECK [OPTIONS] CMD command (check container health by running a command inside the container)
HEALTHCHECK NONE (disable any healthcheck inherited from the base image)
The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working. This can detect cases such as a web server that is stuck in an infinite loop and unable to handle new connections, even though the server process is still running.
The command’s exit status indicates the health status of the container. The possible values are:
- 0: success - the container is healthy and ready for use
- 1: unhealthy - the container is not working correctly
- 2: reserved - do not use this exit code
42. After creating a new service named "http", you notice that the new service is not registering as healthy. How do you view the list of historical tasks for that service by using the command line?
A. "docker inspect http"
B. "docker service inspect http"
C. "docker service ps http"
D. "docker ps http"
43. You are troubleshooting a Kubernetes deployment called api, and want to see the events table for this object. Does this command display it?
Solution: kubectl logs deployment api
No
Solution: kubectl events deployment api
No
Solution: kubectl describe deployment api
Yes
45. Which of the following modes can be used for service discovery of a Docker swarm service (Pick two correct answers)?
A. Virtual IP (VIP) with --endpoint-mode vip
B. Overlay with --endpoint-mode overlay
C. DNS Round-Robin with --endpoint-mode dnsrr
D. Ingress with --endpoint-mode ingress
E. Network Address Translation (NAT) with --endpoint-mode nat
Service discovery is the mechanism Docker uses to route a request from your service’s external clients to an individual swarm node, without the client needing to know how many nodes are participating in the service or their IP addresses or ports.
Service discovery can work in two different ways: internal connection-based load-balancing at Layers 3 and 4 using the embedded DNS and a virtual IP (VIP), or external and customized request-based load-balancing at Layer 7 using DNS round robin (DNSRR). You can configure this per service.
Bypass the routing mesh for a swarm service
Services using the routing mesh are running in virtual IP (VIP) mode. To bypass the routing mesh, you can start a service using DNS Round Robin (DNSRR) mode, by setting the --endpoint-mode flag to dnsrr.
47. The output of which command can be used to find the architecture and operating system an image is compatible with?
A. docker image inspect --filter {{.Architecture}} {{.OS}} <image-id>
B. docker image ls <image-id>
C. docker image inspect --format {{.Architecture}} {{.OS}} <image-id>
D. docker image info <image-id>
49. How do you change the default logging driver for the docker daemon in Linux?
A. Set the value of log-driver to the name of the logging driver in the daemon.json in /etc/docker.
B. Use the --log-driver flag when you run a container.
C. At the command line, type: docker log driver set <driver name>.
D. Install a logging agent on the Linux host.
52. A Kubernetes node is allocated a /26 CIDR block (64 unique IPs) for its address space.
If every pod on this node has exactly two containers in it, how many pods can this address space support on this node?
A. 32
B. 64
C. 32 in every Kubernetes namespace
D. 64 for every service routing to pods on this node
53. A docker service "web" is running with a scale factor of 1 (replicas = 1).
Bob intends to use the command "docker service update --replicas=3 web".
Alice intends to use the command "docker service scale web=3".
How do the outcomes of these two commands differ?
A. Bob's command results in an error. Alice's command updates the number of replicas of the "web" service to 3.
B. Bob's command only updates the service definition, but no new replicas are started. Alice's command results in the actual scaling up of the "web" service.
C. Bob's command updates the number of replicas of the "web" service to 3. Alice's command results in an error.
D. Both Bob's and Alice's commands result in exactly the same outcome, which is 3 instances of the "web" service.
54. Which set of commands can identify the published port(s) for a container?
A. "docker port inspect", "docker container inspect"
B. "docker container inspect", "docker port"
C. "docker info", "docker network inspect"
D. "docker network inspect", "docker port"
56. You want to create a container that is reachable from its host's network. Does this action accomplish this?
Solution: Use either EXPOSE or --publish to access the containers on the bridge network.
Yes
Solution: Use --link to access the container on the bridge network.
No
Solution: Use network attach to access the containers on the bridge network.
No
57. Will this command list all nodes in a swarm cluster from the command line?
Solution: "docker swarm nodes"
No
Solution: "docker ls -a"
No
Solution: "docker node ls"
Yes
60. Is this an advantage of multi-stage builds?
Solution: better caching when building Docker images.
No
Solution: optimizes images by copying artifacts selectively from previous stages.
Yes
There are several advantages for them:
- Separate build-time dependencies from runtime dependencies
- Reduce overall image size by shipping only what your app needs to run
61. An application image runs in multiple environments, with each environment using different certificates and ports.
Is this a way to provision configuration to containers at runtime?
Solution: Provision a Docker config object for each environment.
Yes
Store configuration data using Docker Configs
Docker swarm service configs allow you to store non-sensitive information, such as configuration files, outside a service’s image or running containers. This allows you to keep your images as generic as possible, without the need to bind-mount configuration files into the containers or use environment variables.
64. Will this command ensure that overlay traffic between service tasks is encrypted?
Solution: docker service create --network --secure
No
Solution: docker service create --network --encrypted
No
Solution: docker network create -d overlay --secure
No
Solution: docker network create -d overlay -o encrypted=true <network-name>
Yes
Encrypt traffic on an overlay network
To encrypt application data as well, add --opt encrypted when creating the overlay network.
65. If installing Docker using devicemapper for storage with the intent to run production workloads, how should devicemapper be configured?
A. direct-lvm
B. loop-lvm
C. overlay-lvm
D. aufs-lvm
Use the Device Mapper storage driver
66. You want to provide a configuration file to a container at runtime. Does this set of Kubernetes tools and steps accomplish this?
Solution: Mount the configuration file directly into the appropriate pod and container using the .spec.containers.configMounts key.
No
Solution: Turn the configuration file into a configMap object, use it to populate a volume associated with the pod, and mount that file from the volume to the appropriate container and path.
Yes
Solution: Turn the configuration file into a configMap object and mount it directly into the appropriate pod and container using the .spec.containers.configMounts key.
No
Configure a Pod to Use a ConfigMap
67. You have deployed a service to swarm. Which command uses the Docker CLI to set the number of tasks of the services to 5? (Choose two.)
A. docker service update --replicas=5 <service-id>
B. docker replica update <service-id>=5
C. docker update service <service-id>=5
D. docker service replicas <service-id>=5
E. docker service scale <service-id>=5
68. Which command interactively monitors all container activity in the Docker engine?
A. docker system logs
B. docker system events
C. docker container events
D. docker container logs
73. Which of the following commands is used to display system-wide Docker configuration on a host?
A. docker info
B. docker status
C. docker inspect
D. docker system
74. Will this configuration achieve fault tolerance for managers in a swarm?
Solution: only two managers, one active and one passive.
No
Solution: an odd number of manager nodes, totaling more than two.
Yes
Add manager nodes for fault tolerance
75. Your organization has a centralized logging solution, such as Splunk.
Will this configure a Docker container to export container logs to the logging solution?
Solution: docker logs <container-id>
No
Solution: Set the log-driver and log-opt keys to values for the logging solution (Splunk) in the daemon.json file.
Yes
Solution: docker system events --filter splunk.
No
77. Are these conditions sufficient for Kubernetes to dynamically provision a persistentVolume, assuming there are no limitations on the amount and type of available external storage?
Solution: A default storageClass is specified, and subsequently a persistentVolumeClaim is created.
Yes
Solution: A default provisioner is specified, and subsequently a persistentVolumeClaim is created.
No
78. Which of the following is required to install Docker EE from a package repository?
A. Repository URL obtained from Docker Store
B. License key obtained from Docker Store
C. Repository URL obtained from Docker Hub
D. License key obtained from Docker Hub
79. You have created a Docker bridge network on a host with three containers attached. How do you make these containers accessible outside of the host?
A. Use network attach to access the containers on the bridge network.
B. Use either EXPOSE or --publish to access the containers on the bridge network.
C. Use network connect to access the containers on the bridge network.
D. Use --link to access the containers on the bridge network.
80. You have just executed "docker swarm leave" on a node. What command can be run on the same node to confirm it has left the cluster?
A. docker node ls
B. docker system info
C. docker system status
When you run this command on a worker, that worker leaves the swarm.
You can use the --force option on a manager to remove it from the swarm. However, this does not reconfigure the swarm to ensure that there are enough managers to maintain a quorum in the swarm. The safe way to remove a manager from a swarm is to demote it to a worker and then direct it to leave the quorum without using --force. Only use --force in situations where the swarm will no longer be used after the manager leaves, such as in a single-node swarm.
81. Which of the following namespaces is disabled by default and must be enabled at Docker engine runtime in order to be used?
A. user
B. pid
C. net
D. mnt
Isolate containers with a user namespace
82. You are pulling images from a Docker Trusted Registry installation configured to use self-signed certificates, and this error appears:
x509: certificate signed by unknown authority.
You already downloaded the Docker Trusted Registry certificate authority certificate from https://dtr.example.com/ca.
How do you trust it? (Select two.)
A. Place the certificate in "/etc/docker/dtr/dtr.example.com.crt" and restart the Docker daemon on all cluster nodes.
B. Place the certificate in your OS certificate path, trust the certificate system-wide, and restart the Docker daemon across all cluster nodes.
C. Pass "--trust-certificate ca.crt" to the Docker client.
D. Pass --insecure-registry to the Docker client.
E. Place the certificate in "/etc/docker/certs.d/dtr.example.com/ca.crt" on all cluster nodes.
86. Is this a function of UCP?
Solution: scans images to detect any security vulnerability.
No
Solution: image role-based access control.
Yes
Solution: enforces the deployment of signed images to the cluster.
No
Container Security 101 — Scanning images for Vulnerabilities
88. Which of the following is NOT backed up when performing a Docker Trusted Registry backup operation?
A. Access control to repos and images
B. Repository metadata
C. Image blobs
D. DTR configurations
89. Which flag for a service would allow a container to consume more than 2 GB of memory only when there is no memory contention but would also prevent a container from consuming more than 4GB of memory, in any case?
A. --limit-memory 2GB --reserve-memory 4GB
B. --limit-memory 4GB --reserve-memory 2GB
C. --memory-swap 2GB --limit-memory 4GB
D. --memory-swap 4GB --limit-memory 2GB
Limit a container’s access to memory
Docker can enforce hard memory limits, which allow the container to use no more than a given amount of user or system memory, or soft limits, which allow the container to use as much memory as it needs unless certain conditions are met, such as when the kernel detects low memory or contention on the host machine.
-m or --memory: The maximum amount of memory the container can use.
--memory-reservation: Allows you to specify a soft limit smaller than --memory which is activated when Docker detects contention or low memory on the host machine.
Specify memory requirements and constraints for a service (--reserve-memory and --limit-memory)
96. Which one of the following commands will result in the volume being removed automatically once the container has exited?
A. "docker run --del -v /foo busybox"
B. "docker run --read-only -v /foo busybox"
C. "docker run --rm -v /foo busybox"
D. "docker run --remove -v /foo busybox"
97. Which "docker run" flag lifts cgroup limitations?
A. "docker run --isolation"
B. "docker run --cap-drop"
C. "docker run --privileged"
D. "docker run --cpu-period"
Runtime privilege and Linux capabilities
The --privileged flag gives all capabilities to the container. In addition to --privileged, the operator can have fine-grained control over the capabilities using --cap-add and --cap-drop.
98. You are running only Kubernetes workloads on a worker node that requires maintenance, such as installing patches or an OS upgrade.
Which command must be run on the node to gracefully terminate all pods on the node, while marking the node as unschedulable?
A. docker node update --availability drain <node name>
B. docker swarm leave
C. kubectl drain <node name>
D. kubectl cordon <node name>
Marking a node as unschedulable prevents the scheduler from placing new pods onto that Node but does not affect existing Pods on the Node.
To mark a Node unschedulable, run:
kubectl cordon $NODENAME
102. The following Docker Compose file is deployed as a stack:
version: "3.1"
Is this statement correct about this health check definition?
Solution: Health checks test for app health ten seconds apart. If the test fails, the container will be restarted three times before it gets rescheduled.
No
Solution: Health checks test for app health ten seconds apart. Three failed health checks transition the container into "unhealthy" status.
Yes
103. Two pods bear the same label, app: dev.
Will a label selector matching app: dev match both of these pods?
A. Yes, as long as all the containers in those pods are passing their livenessProbes and readinessProbes.
B. Yes, if both pods were pre-existing when the label selector was declared.
C. Yes, if the pods are in the same Kubernetes namespace as the object bearing the label selector.
D. Yes, if the pods are in the same Kubernetes namespace as the object bearing the label selector and both pods were pre-existing when the label selector was declared.
106. When using the Docker client to push an image to a registry, what environment variable is used to instruct the client to perform signing of the image?
A. DOCKER_CONTENT_TRUST=1
B. DOCKER_IMAGE_SIGN=1
C. DOCKER_PUSH_SIGN=1
D. NOTARY_ENABLE=1
107. Which statement is correct about cluster management in Docker Enterprise Edition 3.x?
A. Clusters can contain Windows 10 and Windows Server 2016 only.
B. Clusters can contain Linux, Windows Server 2016 and 2019, and Linux on IBM z Systems.
C. Clusters can contain Linux only.
D. Clusters can contain Linux and Windows Server 2008 R2 only.
108. Which of the following statements is true about secrets?
A. Secrets can be created from any node in the cluster.
B. Secrets can be modified after they are created.
C. Secrets are stored unencrypted on manager nodes.
D. Secrets can be created using standard input (STDIN) and a file.
Manage sensitive data with Docker secrets
109. Will this Linux kernel facility limit a Docker container's access to host resources, such as CPU or memory?
Solution: seccomp
No
Solution: cgroups
Yes
Solution: namespaces
No
114. What is the docker command to set up a swarm?
A. docker swarm init
B. docker swarm create
C. docker init swarm
D. docker create swarm
116. A service "wordpress" is running using a password string to connect to a non-Dockerized database service. The password string is passed into the "wordpress" service as a Docker secret. Per security policy, the password on the database was changed. Identify the correct sequence of steps to rotate the secret from the old password to the new password.
A. Create a new docker secret with the new password. Trigger a rolling secret update by using the "docker secret update" command.
B. Trigger an update to the service by using docker service update --secret=<new password>.
C. Create a new docker secret with the new password. Remove the existing service using "docker service rm". Start a new service with the new secret using --secret=<new password>.
D. Create a new docker secret with a new password. Trigger a rolling update of the "wordpress" service, by using "--secret-rm" & "--secret-add" to remove the old secret and add the updated secret.
Use the --secret-add or --secret-rm options to add or remove a service's secrets.
119. From a DevOps process standpoint, it is best practice to keep changes to an application in version control. Which of the following will allow changes to a docker image to be stored in a version control system?
A. docker commit
B. docker save
C. A docker-compose.yml file
D. A dockerfile
121. What is the difference between a resource limit and a resource reservation when scheduling services?
A. A resource limit and a resource reservation can be used interchangeably.
B. A resource limit is a soft limit for your service, while a reservation is a hard limit and the docker engine will do its best to keep your service at the limit.
C. A resource limit is used to find a host with adequate resources for scheduling a hard limit for your service, while a reservation is a hard limit for your service.
D. A resource limit is a hard limit for your service, while a reservation is used to find a host with adequate resources for scheduling.
Specify memory requirements and constraints for a service (--reserve-memory and --limit-memory)
If your service needs a minimum amount of memory in order to run correctly, you can use --reserve-memory to specify that the service should only be scheduled on a node with this much memory available to reserve. After a task is scheduled and running, --reserve-memory does not enforce a memory limit. Use --limit-memory to ensure that a task uses no more than a given amount of memory on a node.
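Questions 89 and 121 both turn on the same distinction: --reserve-memory is a scheduling figure, --limit-memory is the cgroup hard cap. Both values are visible in `docker service inspect` output under Spec.TaskTemplate.Resources as Reservations.MemoryBytes and Limits.MemoryBytes. The following is an added example, not code from the page or from Docker's documentation: a small Python audit that parses inspect output of that shape (a constructed sample is embedded inline) and flags services with no limit (a runaway task can exhaust the node), a limit but no reservation (the scheduler cannot account for the task when placing it), or a reservation larger than the limit (the task is promised more than it may use). The check_flags helper applies the same verdicts to a --reserve-memory / --limit-memory pair before the command is run; the size parser mirrors Docker's 1024-based reading of suffixes such as 2GB or 512m.

```python
import json

# Constructed sample shaped like `docker service inspect` output; only the
# fields this audit reads are present (real output carries many more keys).
SAMPLE_INSPECT = json.dumps([
    {"Spec": {"Name": "api", "TaskTemplate": {"Resources": {
        "Limits": {"MemoryBytes": 4 * 1024 ** 3},           # --limit-memory 4GB
        "Reservations": {"MemoryBytes": 2 * 1024 ** 3}}}}},  # --reserve-memory 2GB
    {"Spec": {"Name": "worker", "TaskTemplate": {"Resources": {
        "Limits": {"MemoryBytes": 1 * 1024 ** 3},
        "Reservations": {"MemoryBytes": 2 * 1024 ** 3}}}}},
    {"Spec": {"Name": "cache", "TaskTemplate": {"Resources": {
        "Limits": {"MemoryBytes": 512 * 1024 ** 2}}}}},
    {"Spec": {"Name": "legacy", "TaskTemplate": {"Resources": {}}}},
])

# Docker reads k/m/g and kb/mb/gb alike as 1024-based multipliers.
UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """Convert a size as typed on the CLI ('2GB', '512m', '1024') into bytes."""
    s = text.strip().lower()
    if len(s) > 1 and s.endswith("b") and s[-2] in UNITS:
        s = s[:-1]                      # '2gb' -> '2g'
    if s[-1] in UNITS:
        number, multiplier = s[:-1], UNITS[s[-1]]
    else:
        number, multiplier = s, 1       # bare number of bytes
    return int(float(number) * multiplier)


def classify(reservation, limit):
    """Verdict for one (reservation, limit) pair in bytes; None means unset.

    no-limit                  nothing caps the task; it can consume the whole node
    no-reservation            the scheduler has no figure to account for at placement
    reservation-exceeds-limit the task is guaranteed more than it is allowed to use
    """
    if limit is None:
        return "no-limit"
    if reservation is None:
        return "no-reservation"
    if reservation > limit:
        return "reservation-exceeds-limit"
    return "ok"


def check_flags(reserve_memory, limit_memory):
    """Check a --reserve-memory / --limit-memory pair before running the command.
    Pass None for a flag that is not being given."""
    reservation = parse_size(reserve_memory) if reserve_memory else None
    limit = parse_size(limit_memory) if limit_memory else None
    return classify(reservation, limit)


def audit_services(inspect_json):
    """Map each service name in `docker service inspect` output to its verdict."""
    verdicts = {}
    for service in json.loads(inspect_json):
        spec = service["Spec"]
        resources = spec.get("TaskTemplate", {}).get("Resources") or {}
        limit = (resources.get("Limits") or {}).get("MemoryBytes")
        reservation = (resources.get("Reservations") or {}).get("MemoryBytes")
        verdicts[spec["Name"]] = classify(reservation, limit)
    return verdicts


if __name__ == "__main__":
    import sys
    # Option B from question 89: 2 GB guaranteed at scheduling, hard cap at 4 GB.
    print("flags --reserve-memory 2GB --limit-memory 4GB:", check_flags("2GB", "4GB"))
    # Real inspect output can be piped in; otherwise the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, verdict in audit_services(data).items():
        print(f"{name:8s} {verdict}")
```

Against a live swarm the same function works on real output, for example `docker service inspect $(docker service ls -q) | python3 audit.py`, because it only reads the JSON array shape that command emits.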
124. Which statement is true?
A. CMD shell format uses this form ["param", "param", "param"].
B. ENTRYPOINT cannot be used in conjunction with CMD.
C. CMD is used to run the software in the image along with any arguments.
D. ENTRYPOINT cannot be overridden in the "docker container run" command.
125. One of several containers in a pod is marked as unhealthy after failing its livenessProbe many times. Is this the action taken by the orchestrator to fix the unhealthy container?
Solution: Kubernetes automatically triggers a user-defined script to attempt to fix the unhealthy container.
No
Solution: The unhealthy container is restarted.
Yes
Solution: The controller managing the pod is autoscaled back to delete the unhealthy pod and alleviate load.
No
127. Which of the following commands starts a Redis container and configures it to always restart unless it is explicitly stopped or Docker is restarted?
A. "docker run -d --restart-policy unless-stopped redis"
B. "docker run -d --restart omit-stopped redis"
C. "docker run -d --restart unless-stopped redis"
D. "docker run -d --failure omit-stopped redis"
on-failure[:max-retries]
Restart only if the container exits with a non-zero exit status.
unless-stopped
Restart the container unless it is explicitly stopped or Docker itself is stopped or restarted.
always
Always restart the container regardless of the exit status. When you specify always, the Docker daemon will try to restart the container indefinitely. The container will also always start on daemon startup, regardless of the current state of the container.
130. Which statement is true about DTR garbage collection?
A. Garbage collection removes unreferenced image layers from DTR's backend storage.
B. Garbage collection removes exited containers from cluster nodes.
C. Garbage collection removes DTR images that are older than a configurable number of days.
D. Garbage collection removes unused volumes from cluster nodes.
133. What is the difference between the ADD and COPY dockerfile instructions? (Choose two.)
A. ADD supports compression format handling while COPY does not.
B. COPY supports regular expression handling while ADD does not.
C. COPY supports compression format handling while ADD does not.
D. ADD supports remote URL handling while COPY does not.
E. ADD supports regular expression handling while COPY does not.
135. Some Docker images take time to build through a Continuous Integration environment. You want to speed up builds and take advantage of build caching.
Where should the most frequently changed part of a Docker image be placed in a Dockerfile?
A. At the bottom of the Dockerfile.
B. After the FROM directive.
C. At the top of the Dockerfile.
D. In the ENTRYPOINT directive.
137. What service mode is used to deploy a single task of a service to each node?
A. replicated
B. spread
C. universal
D. distributed
E. global
140. A server is running low on disk space. What command can be used to check the disk usage of images, containers, and volumes for Docker engine?
A. "docker system df"
B. "docker system prune"
C. "docker system free"
D. "docker system ps"
145. What behavior is expected when a service is created with the following command:
"docker service create --publish 8080:80 nginx"
A. All nodes in the cluster will listen on port 8080 and forward to port 80 in the container.
B. Only a single node in the cluster will listen on port 8080 and forward to port 80 in the container.
C. All nodes in the cluster will listen on port 80 and forward to port 8080 in the container.
D. Only a single node in the cluster will listen on port 80 and forward to port 8080 in the container.
146. Which of the following constitutes a production-ready devicemapper configuration for the Docker engine?
A. Create a volume group in devicemapper and utilize the "--dm.thinpooldev" Docker daemon option, specifying the volume group.
B. Format a partition with xfs and mount it at "/var/lib/docker".
C. Utilize the "--storage-opt dm.directlvm_device" Docker daemon option, specifying a block device.
D. Nothing, devicemapper comes ready for production usage out of the box.
Configure direct-lvm mode for production
152. Which networking drivers allow you to enable multi-host network connectivity between containers?
A. macvlan, ipvlan, and overlay
B. bridge, user-defined, host
C. bridge, macvlan, ipvlan, overlay
D. host, macvlan, overlay, user-defined
154. Which of these swarm manager configurations will cause the cluster to be in a lost quorum state?
A. 4 managers of which 2 are healthy.
B. 1 manager of which 1 is healthy.
C. 3 managers of which 2 are healthy.
D. 5 managers of which 3 are healthy.
155. You add a new user to the engineering organization in DTR.
Will this action grant them read/write access to the engineering/api repository?
Solution: Add the user directly to the list of users with read/write access under the repository's Permissions tab.
Yes
Solution: Add them to a team in the engineering organization that has read/write access to the engineering/api repository.
Yes
156. You set up an automatic pruning policy on a DTR repository to prune all images using Apache licenses. What effect does this have on images in this repository?
A. Matching images are untagged once they are older than the pruning threshold set in the repository's Settings tab.
B. Matching images are untagged during the next prune job.
C. Matching images are deleted during the next prune Job.
D. Matching images are untagged during the next prune job, and subsequently deleted once they are older than the pruning threshold set in the repository's Settings tab.
163. A persistentVolumeClaim (PVC) is created with the specification storageClass: "", and size requirements that cannot be satisfied by any existing persistentVolume.
Is this an action Kubernetes takes in this situation?
Solution: The PVC remains unbound until a persistentVolume that matches all requirements of the PVC becomes available.
Yes
164. Can this set of commands identify the published port(s) for a container?
Solution: "docker container inspect", "docker port"
Yes
166. Is this a supported user authentication method for Universal Control Plane?
Solution: PAM
No
Docker UCP has its own built-in authentication mechanism and integrates with LDAP services. It also has role-based access control (RBAC), so that you can control who can access and make changes to your cluster and applications.
169. Will a DTR security scan detect this?
Solution: licenses for known third party binary components.
No
170. Is this statement correct?
Solution: A Dockerfile provides instructions for building a Docker image.
Yes