Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 5
Your results are here!! for" Docker Certified Associate Practice Set 5 "
0 of 73 questions answered correctly
Your time: 00:00:03
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
80.04%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
Answered
Review
1. Question
When doing operations with a remote Docker registry, what Docker feature allows you to enforce client-side signing and verification of image
tags?
Docker Certificate Checker
Docker Content Trust
It is not possible to enforce client-side signing and verification of image tags.
Docker Signing Authority
Unattempted
Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These
signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.
https://docs.docker.com/engine/security/trust/content_trust/#about-docker-content-trust-dct
2. Question
Which of the following could not represent a subject in the RBAC model?
user
root
team
organization
Unattempted
Subjects
A subject represents a user, team, or organization. A subject is granted a role for a collection of resources. These groups of users are the
same across UCP and DTR making RBAC management across the entire software pipeline uniform.
User – A single user or system account that an authentication backend (AD/LDAP) has validated.
Team – A group of users that share a set of permissions defined in the team itself. A team exists only as part of an organization, and all team
members are members of the organization. A team can exist in one organization only. Assign users to one or more teams and one or more
organizations.
Organization – The largest organizational unit in Docker Enterprise. Organizations group together teams to provide broader scope to apply
access policy against.
https://success.docker.com/article/security-best-practices#dtrsecurity
3. Question
It’s possible to set a secure certificate that is valid for multiple URLs. True or False?
FALSE
TRUE
Unattempted
Using external certificates is recommended when integrating with a corporate environment. Using external, officially-signed certificates
simplifies having to distribute internal Certificate Authority (CA) certificates. One best practice is to use the Certificate Authority for your
organization. Reduce the number of certificates by adding multiple Subject Alternative Names (SANs) to a single certificate. This allows the
certificate to be valid for multiple URLs. For example, you can set up a certificate for ucp.example.com, dtr.example.com, and all the
underlying hostnames and IP addresses. One certificate/key pair makes deploying certs easier.
https://success.docker.com/article/security-best-practices#dtrsecurity
4. Question
You can have a hybrid composition of users backed by an LDAP/AD group plus users set-up manually. True or False?
TRUE
FALSE
Unattempted
Subjects are individual users or teams within an organization. Teams are typically backed by an LDAP/AD group or search filter. It is also
possible to add users manually. But it is not possible to have a hybrid composition of users. In other words, the list of users within a team
should be derived from a directory server (e.g. AD) or should be added manually, not both.
https://success.docker.com/article/docker-enterprise-best-practices
5. Question
Where can you configure the option to integrate Docker with LDAP?
Docker Machine
Docker Trusted Registry
Universal Control Plane
Docker Compose
Unattempted
Docker UCP integrates with LDAP directory services, so that you can manage users and groups from your organization’s directory and it will
automatically propagate that information to UCP and DTR.
https://github.com/docker/docker.github.io
6. Question
What Docker feature allows you to restrict the syscalls available to a given process?
Seccomp
Cgroups
UnionFS
mnt
Unattempted
Seccomp (short for Secure Computing Mode) is a security feature of the Linux kernel, used to restrict the syscalls available to a given
process. This facility has been in the kernel in various forms since 2.6.12 and has been available in Docker Engine since 1.10. The current
implementation in Docker Engine provides a default set of restricted syscalls and also allows syscalls to be filtered via either a whitelist or a
blacklist on a per-container basis (i.e. different filters can be applied to different containers running in the same Engine). Seccomp profiles are
applied at container creation time and cannot be altered for running containers.
https://success.docker.com/article/security-best-practices
7. Question
A team of developers needs root access to a node. What’s the proper way to handle the situation?
Give root access only to users from an existing LDAP/AD infrastructure
Give root access only for a short period of time
Use RBAC Labels to give access to objects like images and running containers
None of the answers is correct
Unattempted
Limit Root Access to Node
Docker Enterprise uses a completely separate authentication backend from the host, providing a clear separation of duties. Docker Enterprise
can leverage an existing LDAP/AD infrastructure for authentication. It even utilizes RBAC Labels to control access to objects like images and
running containers, meaning teams of users can be given full access to running containers. With this access, users can watch the logs and
execute a shell inside the running container without needing to ever log into the host. Limiting the number of users that have access to the
host reduces the attack surface.
https://success.docker.com/article/security-best-practices
8. Question
You can configure DTR to use your own TLS certificates, so that it is automatically trusted by your users’s browser and client tools?
TRUE
FALSE
Unattempted
UCP services include a component called ucp-auth-api, which is the centralized service for identity and authentication used by UCP and DTR.
All UCP services are exposed using HTTPS, to ensure all communications between clients and UCP are encrypted.
By default, this is done using self-signed TLS certificates that are not trusted by client tools like web browsers. So when you try to access
UCP, your browser warns that it doesn’t trust UCP or that UCP has an invalid certificate. The same happens with other client tools.
You can configure UCP to use your own TLS certificates, so that it is automatically trusted by your browser and client tools.
https://github.com/docker/docker.github.io
9. Question
What Docker EE feature allows a user to always go back to the specific tag and trust it has not changed.
Image Mirroring
Image Immutability
Image Promotion Policy
There no feature like this.
Unattempted
Image Immutability
As of DTR 2.3.0, there is an option to set a repository to Immutable. Setting a repository to Immutable means the tags can not be
overwritten. This is a great feature for ensure the base images do not change over time. This next example is of the Alpine base image.
Ideally CI would update the base image and push to DTR with a specific tag. Being Immutable simply guarantees that an authorized user can
always go back to the specific tag and trust it has not changed. An Image Promotion Policy can extend on this.
https://success.docker.com/article/security-best-practices
10. Question
Which of the following commands can be used to reduce the surface of attack from a container?
--cap-add=ALL
--cap-add
None of the answers is correct.
--cap-drop
Unattempted
Linux capabilities are an even more granular way of reducing surface area. Docker Engine has a default list of capabilities that are kept for
newly-created containers, and by using the –cap-drop option for docker run, users can exclude additional capabilities from being used by
processes inside the container on a capability-by-capability basis. All privileges can be dropped with the –user option.
Likewise, capabilities that are, by default, not granted to new containers can be added with the –cap-add option. This is discouraged unless
absolutely necessary, and using –cap-add=ALL is highly discouraged.
Limiting the capabilities of a container reduces the attack surface.
https://success.docker.com/article/security-best-practices
https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
11. Question
What security needs does mutual Transport Layer Security (MTLS) satisfy in a swarm? (select all that apply)
auditing
encrypt communication within the cluster
authentication
authorization
Unattempted
The swarm mode public key infrastructure (PKI) system built into Docker makes it simple to securely deploy a container orchestration
system. The nodes in a swarm use mutual Transport Layer Security (TLS) to authenticate, authorize, and encrypt the communications with
other nodes in the swarm.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/
12. Question
To get UCP traffic secured in Docker Swarm mode you need to generate certs externally or set up any CAs manually. True or False?
FALSE
TRUE
Unattempted
Control Plane Security
Docker Swarm comes with integrated PKI. All managers and nodes in the Swarm have a cryptographically signed identity in the form of
a signed certificate. All manager-to-manager and manager-to-node control communication is secured out of the box with TLS. There is no
need to generate certs externally or set up any CAs manually to get end-to-end control plane traffic secured in Docker Swarm mode.
Certificates are periodically and automatically rotated.
https://success.docker.com/article/networking#dockernetworksecurityandencryption
13. Question
Which of the following is not a valid role in UCP?
None
Restricted Control
View Only
Executor
Unattempted
The default roles in UCP are None, View Only, Restricted Control, Scheduler, and Full Control.
Each of these roles have a set of operations that define the permissions associated with the role. Additional custom roles can be defined by
combining a unique set of permissions. Custom roles can be leveraged to accommodate fine-grained access control as required for certain
organizations and security controls.
https://success.docker.com/article/docker-enterprise-best-practices
https://success.docker.com/article/security-best-practices
14. Question
Which of the following should be stored in a Secret file instead of Dockerfile or application’s source code? (select all that apply)
Generic strings or binary content (up to 500 kb in size)
Application metadata
Other important data such as the name of a database or internal server
Tags
Usernames and passwords
Unattempted
Secrets
A Docker secret is a blob of sensitive data that should not be transmitted over a network, such as:
· Usernames and passwords
· TLS certificates and keys
· SSH keys
· Other important data such as the name of a database or internal server
· Generic strings or binary content (up to 500 kb in size)
https://success.docker.com/article/security-best-practices
15. Question
A service ‘wordpress’ is running using a password string to connect to a non-dockerized database service. The password string is passed into
the ‘wordpress’ service as a docker secret. Per security policy, the password on the database was changed. Identify the correct sequence of
steps to rotate the secret from the old password to the new password.
Create a new docker secret with the new password. Trigger a rolling update of the "wordpress" service, by using "-- secret-rm" & "--secret-
add" to remove the old secret and add the updated secret.
Trigger an update to the service by using 'docker service update --secret='
Create a new docker secret with the new password. Remove the existing service using 'docker service rm'. Start a new service with the
new secret using "--secret="
Create a new docker secret with the new password. Trigger a rolling secret update by using the 'docker secret update' command.
Unattempted
Secret:
In terms of Docker Swarm services, a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data
that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code.
https://docs.docker.com/engine/swarm/secrets/#about-secrets
Note: After you create a secret, you cannot update it. You can only remove and re-create it, and you cannot remove a secret that a service is
using.
https://docs.docker.com/engine/swarm/secrets/#advanced-example-use-secrets-with-a-wordpress-service
Add or remove secrets
Use the –secret-add or –secret-rm options add or remove a service’s secrets.
For example:
docker service update \
–secret-rm mysql_password \
–secret-add source=mysql_password_v2,target=wp_db_password,mode=0400 \
wordpress
This triggers a rolling restart of the WordPress service and the new secret is used.
The following example adds a secret named ssh-2 and removes ssh-1:
$ docker service update \
–secret-add source=ssh-2,target=ssh-2 \
–secret-rm ssh-1 \
Myservice
https://docs.docker.com/engine/reference/commandline/service_update/#add-or-remove-secrets
16. Question
Which of the following cases requires you to change the docker image layer entirely?
Command under CMD layer creates permission conflicts.
All of the above
File under ADD layer has bad Hex objects.
Components of base image have critical vulnerabilities.
Unattempted
If the vulnerability is in a base layer (such as an operating system) you might not be able to correct the issue in the image, since when one
base layer needs to be rebuilt, all subsequent layers also need to be rebuilt.
In this case, you might switch to a different version of the base layer, or you might find an equivalent, less vulnerable base layer. You might
also decide that the vulnerability or exposure is acceptable.
https://github.com/docker/docker.github.io
17. Question
You want to enable The Docker Security Scan process. But you are unable to do so. What could be the reason?
All answers are valid.
You are using Docker Community Edition.
You do not have the authority to download the security scanning licence for DTR.
Security Scanning in not enabled in DTR.
Unattempted
Image scan is a feature of Docker trusted Repository DTR, which is part of Docker Entreprise Edition.
To use the image scanning feature, make sure that you or your organization has purchased a DTR license that includes Docker Security
Scanning, and that your Docker ID can access and download this license from the Docker Hub.
After you get the license, you’ll need to Enable DTR security scanning.
https://github.com/docker/docker.github.io
18. Question
What is the purpose of Docker Content Trust?
Docker registry TLS verification and encryption
Enabling mutual TLS between the Docker client and server
Indicating an image on Docker Hub is an official image
Signing and verification of image tags
Unattempted
When communicating over an untrusted medium such as the internet, it is critical to ensure the integrity and the publisher of all the data a
system operates on. You use the Docker Engine to push and pull images (data) to a public or private registry. Content trust gives you the
ability to verify both the integrity and the publisher of all the data received from a registry over any channel.
Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These
signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.
https://docs.docker.com/engine/security/trust/content_trust/#about-docker-content-trust-dct
19. Question
When using the RBAC model, you want to control access to swarm resources by using collections. Which of the following will enable you to
do that?
Docker labels
None of the above.
Docker configs
Docker secrets
Unattempted
Collections
Docker Enterprise enables controlling access to swarm resources by using collections. A collection is a grouping of swarm cluster resources
that you access by specifying a directory-like path. Before grants can be implemented, collections need to be designed to group resources in
a way that makes sense for an organization.
The following example shows the potential access policy of an organization. Consider an organization with two application teams, Mobile and
Payments, that share cluster hardware resources, but still need to segregate access to the applications. Collections should be designed to
map to the organizational structure desired, in this case the two application teams.
Collections are implemented in UCP through the use of Docker labels. All resources within a given collection are labeled with the collection,
/production/mobile for instance.
https://success.docker.com/article/security-best-practices
20. Question
Are scan results of Docker security available in both UCP and DTR?
TRUE
FALSE
Unattempted
Docker Trusted Registry can scan images in your repositories to verify that they are free from known security vulnerabilities or exposures,
using Docker Security Scanning.
Docker Security Scanning is available as an add-on to Docker Trusted Registry, and an administrator configures it for your DTR instance.
https://github.com/docker/docker.github.io
21. Question
What is the purpose of client bundles in the Universal Control Plane?
Authenticate a user using client certificates to the Universal Control Plane
Provide a new user instructions for how to login to the Universal Control Plane
Group multiple users in a team in the Universal Control Plane
Provide a user with a Docker client binary compatible with the Universal Control Plane
Unattempted
A client bundle contains a private and public key pair that authorizes your requests in UCP.
Using client certificate bundle on your local computer, you can use it to authenticate your requests.
What is a client bundle?
A client bundle is a group of certificates downloadable directly from the Docker Universal Control Plane (UCP) user interface within the admin
section for “My Profile”.
This allows you to authorize a remote Docker engine to a specific user account managed in Docker EE, absorbing all associated RBAC
controls in the process. You can now execute docker swarm commands from your remote machine that take effect on the remote cluster.
https://www.docker.com/blog/get-familiar-docker-enterprise-edition-client-bundles/
22. Question
Which of the following commands can you use to enable autolock on an existing swarm cluster?
docker swarm --set-autolock=true
docker swarm autolock
docker swarm update --autolock-swarm=true
docker swarm update --autolock=true
Unattempted
Docker 1.13 introduces the ability to protect the mutual TLS encryption key and the key used to encrypt and decrypt secrets, by allowing you
to take ownership of these keys and to require manual unlocking of your managers. This feature is called autolock.
When Docker restarts, you must unlock the swarm first, using a key encryption key generated by Docker when the swarm was locked. You
can rotate this key encryption key at any time.
To enable autolock on an existing swarm, set the autolock flag to true.
docker swarm update –autolock=true
https://docs.docker.com/engine/swarm/swarm_manager_locking/#enable-or-disable-autolock-on-an-existing-swarm
23. Question
What happens if you create a Dockerfile and you don’t specify a USER directive?
None of the answers is correct.
By default, the user inside the container created from this Dockerfile is root.
Docker daemon will create a user with the minimum privileadge required to run the container
You will get an error at build time.
Unattempted
Container UID Management
By default the user inside the container is root. Using a defense in depth model, it is recommended that not all containers run as root. An
easy way to mitigate this is to use the –user declaration at run time. The container runs as the specified user, essentially removing root
access.
Developers should use root as little as possible inside the container. Developers should create their app containers with the USER declaration
in their Dockerfiles.
https://success.docker.com/article/security-best-practices
https://docs.docker.com/engine/reference/builder/#user
24. Question
Which of the following is not valid team permission in Docker Trusted Registry?
Read & Write
Manager
Admin
Read only
Unattempted
Team’s permissions
Permissions are cumulative. For example, if you have Write permissions, you automatically have Read permissions:
· Read access allows users to view, search, and pull a private repository in the same way as they can a public repository.
· Write access allows users to push to repositories on Docker Hub.
· Admin access allows users to modify the repositories “Description”, “Collaborators” rights, “Public/Private” visibility, and “Delete”.
https://docs.docker.com/docker-hub/orgs/#permissions-reference
25. Question
Which of the following options can you use for publishing and managing trusted collections of content?
DISA
Notary tool
docker secure command
docker trust command
Unattempted
As of Docker Engine 18.06 there is a docker trust command that will streamline the image signing process. The old is Notary. Notary is a tool
for publishing and managing trusted collections of content. Publishers can digitally sign collections and consumers can verify integrity and
origin of content. This ability is built on a straightforward key management and signing interface to create signed collections and configure
trusted publishers.
https://success.docker.com/article/security-best-practices
26. Question
What is the default period after which a node certificate expires in UCP?
None of the answers is correct
1 year
90 days
24 hours
Unattempted
Node Certificate Expiration
Universal Control Plane’s management plane uses a private CA and certificates for all internal communication. The client certificates
are automatically rotated on a schedule, providing a strong method for reducing the effect of a compromised node. There is an option to
reduce the default time interval of 90 days to a shorter interval, however shorter intervals do add stress to the UCP cluster. To adjust the
certificate rotation schedule, go to Admin -> Admin Settings -> Swarm and scroll down.
https://success.docker.com/article/security-best-practices
27. Question
Which of the following is not a valid entity in the grant permission model in UCP?
subject
resource sets
role
certificates
Unattempted
You can create by combining subject + role + resource set.
A grant defines who has how much access to what resources. Each grant is a 1:1:1 mapping of subject, role, and resource set.
For example, you can grant the “Prod Team” “Restricted Control” over services in the “/Production” collection.
https://github.com/docker/docker.github.io
28. Question
You need control of a sound device on the host server from a container. What command should you use?
docker run --device=/dev/snd:/dev/snd
None of the answers is correct.
docker run --privileged
docker run --cap-add=/dev/snd
Unattempted
By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by
default a container is not allowed to access any devices, but a “privileged” container is given access to all devices (see the documentation on
cgroups devices).
When the operator executes docker run –privileged, Docker will enable access to all devices on the host as well as set some configuration in
AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.
Additional information about running with –privileged is available on the Docker Blog.
If you want to limit access to a specific device or devices you can use the –device flag. It allows you to specify one or more devices that will
be accessible within the container.
$ docker run –device=/dev/snd:/dev/snd …
Following the least privileged principle, you should use –device instead of –priviledged.
https://docs.docker.com/engine/reference/run/#/runtime-privilege-and-linux-capabilities
Docker Engine has a default list of capabilities for all newly created containers.
29. Question
The core component of UCP that is a globally-scheduled service is called?
ha-agent
ucp-manager
ucp-agent
ucp-daemon
Unattempted
When you deploy UCP, it starts running a globally scheduled service called ucp-agent. This service monitors the node where it’s running and
starts and stops UCP services, based on whether the node is a manager or a worker node.
https://github.com/docker/docker.github.io
30. Question
Which flags of docker swarm update command enable and/or disable autolock on an existing swarm? (select two)
--autolock=disable
--autolock=true
--autolock=enable
--autolock=false
Unattempted
Docker 1.13 introduces the ability to protect the mutual TLS encryption key and the key used to encrypt and decrypt secrets, by allowing you
to take ownership of these keys and to require manual unlocking of your managers. This feature is called autolock.
When Docker restarts, you must unlock the swarm first, using a key encryption key generated by Docker when the swarm was locked. You
can rotate this key encryption key at any time.
To enable autolock on an existing swarm, set the autolock flag to true.
docker swarm update –autolock=true
https://docs.docker.com/engine/swarm/swarm_manager_locking/#enable-or-disable-autolock-on-an-existing-swarm
31. Question
Which of the following statements is true about secrets?
Secrets can be modified after they are created
Secrets can be created using standard input (STDIN) and a file
Secrets are stored unencrypted on manager nodes
Secrets can be created from any node in the cluster
Unattempted
Secret:
In terms of Docker Swarm services, a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data
that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code.
https://docs.docker.com/engine/swarm/secrets/#about-secrets
The command to create a secret from a file or standard input (STDIN) as content is:
docker secret create [OPTIONS] SECRET [file|-]
Since this is a cluster management command, it must be executed on a swarm manager node.
https://docs.docker.com/engine/reference/commandline/secret_create/
Note: After you create a secret, you cannot update it. You can only remove and re-create it, and you cannot remove a secret that a service is
using.
https://docs.docker.com/engine/swarm/secrets/#advanced-example-use-secrets-with-a-wordpress-service
Secrets are encrypted during transit and at rest in a Docker swarm (The secret is stored in the Raft log, which is encrypted)
32. Question
When initializing a swarm, what command can you use to specify your own externally-generated root Certificate Authority?
docker int swarm --external-cert
docker int swarm --external-ca
docker swarm init --external-ca
docker swarm init --external-cert
Unattempted
When you create a swarm by running docker swarm init, Docker designates itself as a manager node. By default, the manager node
generates a new root Certificate Authority (CA) along with a key pair, which are used to secure communications with other nodes that join
the swarm.
If you prefer, you can specify your own externally-generated root CA, using the –external-ca flag of the docker swarm init command.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/
33. Question
Each time a new node joins the swarm, the manager issues a certificate to the node. True or False?
FALSE
TRUE
Unattempted
The manager node also generates two tokens to use when you join additional nodes to the swarm: one worker token and one manager
token. Each token includes the digest of the root CA’s certificate and a randomly generated secret. When a node joins the swarm, the joining
node uses the digest to validate the root CA certificate from the remote manager. The remote manager uses the secret to ensure the joining
node is an approved node.
Each time a new node joins the swarm, the manager issues a certificate to the node. The certificate contains a randomly generated node ID
to identify the node under the certificate common name (CN) and the role under the organizational unit (OU). The node ID serves as the
cryptographically secure node identity for the lifetime of the node in the current swarm.
The diagram below illustrates how manager nodes and worker nodes encrypt communications using a minimum of TLS 1.2.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/
34. Question
Which of the following are available security features of Docker Engine? (select all that apply)
You can configure Docker`s trust features so that your users can push and pull trusted images
You can use certificate-based client-server authentication to verify a Docker daemon has the rights to access images on a registry
You can configure secure computing mode (Seccomp) policies to secure system calls in a container
You can protect the Docker daemon socket and ensure only trusted Docker client connections
Unattempted
By default, Docker runs through a non-networked UNIX socket.
It can also optionally communicate using an HTTP socket. If you need Docker to be reachable through the network in a safe manner, you can
enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate.
TLS must be enabled in order to have the Docker client and the daemon communicate securely over HTTPS.
Additionally, TLS ensures authenticity of the registry endpoint and that traffic to/from registry is encrypted.
To ensure the traffic between the Docker registry server and the Docker daemon (a client of the registry server) is encrypted and properly
authenticated use certificate-based client-server authentication.
https://docs.docker.com/engine/security/certificates/
In the daemon mode, it only allows connections from clients authenticated by a certificate signed by that CA.
In the client mode, it only connects to servers with a certificate signed by that CA.
https://docs.docker.com/engine/security/https/
Docker Content Trust (DCT) provides the ability to use digital signatures for data sent to and received from remote Docker registries. These
signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.
https://docs.docker.com/engine/security/trust/content_trust/#about-docker-content-trust-dct
Docker Content Trust Signature Verification
The Docker Engine can be configured to only run signed images. The Docker Content Trust signature verification feature is built directly into
the dockerd binary.
This is configured in the Dockerd configuration file.
To enable this feature, trustpinning can be configured in daemon.json, whereby only repositories signed with a user-specified root key can be
pulled and run.
https://docs.docker.com/engine/security/security/#docker-content-trust-signature-verification
Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container. The
seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application’s access.
https://docs.docker.com/engine/security/seccomp/
35. Question
You want to prevent Docker Swarm encryption keys from being stored insecurely on swarm managers. How can you enforce a lock on the
swarm cluster?
You can use the --autolock=true flag with the docker swarm update command.
You can find the critical files after the installation and delete them.
You can’t do it because Docker does not offer this functionality.
The autolock feature must be turned on when the cluster is initialized and cannot be enabled after the fact.
Unattempted
Sensitive information to containers running on a Swarm are normally stored in a secret.
A secret (usually containing credentials, certificates, and other private information) is provided to service at runtime. The secret is saved in
the Raft logs.
The Raft logs used by swarm managers are encrypted on disk by default.
When Docker restarts, both the TLS key used to encrypt communication among swarm nodes, and the key used to encrypt and decrypt Raft
logs on disk, are loaded into each manager node’s memory.
Docker 1.13 introduces the ability to protect the mutual TLS encryption key and the key used to encrypt and decrypt Raft logs at rest, by
allowing you to take ownership of these keys and to require manual unlocking of your managers. This feature is called autolock.
When Docker restarts, you must unlock the swarm first, using a key encryption key generated by Docker when the swarm was locked. You
can rotate this key encryption key at any time.
When you initialize a new swarm, you can use the –autolock flag to enable autolocking of swarm manager nodes when Docker restarts.
docker swarm init –autolock
To enable autolock on an existing swarm, set the autolock flag to true.
docker swarm update –autolock=true
https://docs.docker.com/engine/swarm/swarm_manager_locking/
https://medium.com/lucjuggery/raft-logs-on-swarm-mode-1351eff1e690
36. Question
Following the principle of least privilege, which of the following methods can you use to securely grant access to a specific user to
communicate to a Docker engine?
Utilize openssl to create TLS client and server certificates, configuring the Docker engine to use with mutual TLS over TCP.
Utilize the '--host 0.0.0.0:2375' option to the Docker daemon to listen on port 2375 over TCP on all interfaces.
Utilize the '--host 127.0.0.1:2375' option to the Docker daemon to listen on port 2375 over TCP on localhost
Give the user root access to the server to allow them to run Docker commands as root.
Unattempted
You don’t need to run the docker client with sudo or the docker group when you use certificate authentication. That means anyone with the
keys can give any instructions to your Docker daemon, giving them root access to the machine hosting the daemon. However, guard these
keys as you would a root password!
https://docs.docker.com/engine/security/https/
37. Question
Collections are groupings of objects within UCP. Which of the following is not a valid object for a collection?
nodes
containers
stacks
firewall rules
configs
Unattempted
Collections are groupings of objects within UCP. A collection can be made up of one or many of nodes, stacks, containers, services, volumes,
networks, secrets, or configs — or it can hold other collections.
To associate a node or a stack or any resource with a collection, that resource should share the label com.docker.ucp.access.label with the
collection.
A resource can be associated with zero or multiple collections, and a collection can have zero or multiple resources or other child collections
in it. Collections within collections allow the structuring of resource objects in a hierarchical nature and can significantly simplify access
control. Access provided at a top level collection is inherited by all its children, including any child collections.
https://success.docker.com/article/docker-enterprise-best-practices
38. Question
Which of the following is not an available feature after scanning a Docker image?
A link to CVE database
Remove Vulnerability
Layers affected
Severity
Unattempted
From the Components view, the CVE number, a link to CVE database, file path, layers affected, severity, and description of severity are
available.
https://success.docker.com/article/security-best-practices
39. Question
Docker security scan process can be started by all users including those with read-only access. True or false?
TRUE
FALSE
Unattempted
Only users with write access to a repository can manually start a scan. Users with read-only access can view the scan results, but cannot
start a new scan.
https://github.com/docker/docker.github.io
40. Question
Which of the following makes it possible to use a registry that is not configured with TLS certificates from a trusted CA?
Pass the '--engine-insecure-registry' flag to the daemon when started.
Set INSECURE_REGISTRY in the '/etc/docker/default' configuration file.
Set and export the IGNORE_TLS environment variable on the command line.
Set IGNORE_TLS in the 'daemon.json' configuration file.
Unattempted
While it’s highly recommended to secure your registry using a TLS certificate issued by a known CA, you can choose to use self-signed
certificates, or use your registry over an unencrypted HTTP connection. Either of these choices involves security trade-offs and additional
configuration steps.
This procedure configures Docker to entirely disregard security for your registry.
1. Edit the daemon.json file, whose default location is /etc/docker/daemon.json. Add the following content.
{
}
“insecure-registries”: [“myregistrydomain.com:5000”]
2. Restart Docker for the changes to take effect.
3. Repeat these steps on every Engine host that wants to access your registry.
Alternatively, you can pass the –engine-insecure-registry flag when the docker engine is started.
https://docs.docker.com/registry/insecure/
41. Question
Which kind of devicemapper should you configure when installing Docker with the intent to run production workloads?
loop-lvm
direct-lvm
aufs-lvm
overlay-lvm
Unattempted
Device Mapper is a kernel-based framework that underpins many advanced volume management technologies on Linux.
Docker’s devicemapper storage driver leverages the thin provisioning and snapshotting capabilities of this Device Mapper framework for
image and container management.
Device Mapper configuration modes:
· loop-lvm mode – is only appropriate for testing. The loop-lvm mode makes use of a ‘loopback’ mechanism that allows files on the local disk
to be read from and written to as if they were an actual physical disk or block device.
· direct-lvm mode – Production hosts using the devicemapper storage driver must use direct-lvm mode. This is faster than using loopback
devices, uses system resources more efficiently, and block devices can grow as needed. However, more setup is required than in loop-lvm
mode.
https://docs.docker.com/storage/storagedriver/device-mapper-driver/#configure-loop-lvm-mode-for-testing
42. Question
The devicemapper driver can only use a single block device?
TRUE
FALSE
Unattempted
The devicemapper driver uses block devices dedicated to Docker and operates at the block level, rather than the file level.
With Docker 17.06 and higher, Docker can manage the block device for you, simplifying configuration of direct-lvm mode. This is appropriate
for fresh Docker setups only.
You can only use a single block device. If you need to use multiple block devices, configure direct-lvm mode manually instead.
https://docs.docker.com/storage/storagedriver/device-mapper-driver/#configure-direct-lvm-mode-for-production
43. Question
Which of the following commands can you use to see the storage driver that Docker is currently using?
docker info
docker status
docker inspect
docker config
Unattempted
To display system-wide information use:
docker info [OPTIONS]
This command displays system wide information regarding the Docker installation. Information displayed includes the kernel version, number
of containers and images.
Depending on the storage driver in use, additional information can be shown, such as pool name, data file, metadata file, data space used,
total data space, metadata space used, and total metadata space.
https://docs.docker.com/engine/reference/commandline/info/
44. Question
What is the major difference between a container and an image?
The bottom writable layer
The size
The top writable layer
There is no difference
Unattempted
The major difference between a container and an image is the top writable layer. All writes to the container that add new or modify existing
data are stored in this writable layer. When the container is deleted, the writable layer is also deleted. The underlying image remains
unchanged.
Because each container has its own writable container layer, and all changes are stored in this container layer, multiple containers can share
access to the same underlying image and yet have their own data state. The diagram below shows multiple containers sharing the same
Ubuntu 18.04 image.
Docker uses storage drivers to manage the contents of the image layers and the writable container layer. Each storage driver handles the
implementation differently, but all drivers use stackable image layers and the copy-on-write (CoW) strategy.
https://docs.docker.com/storage/storagedriver/#container-and-layers
45. Question
If a container has files or directories in the directory to be mounted, the directory`s content is copied into the volume and then the volume is
mounted.
TRUE
FALSE
Unattempted
Populate a volume using a container
If you start a container which creates a new volume, and the container has files or directories in the directory to be mounted, the directory’s
contents are copied into the volume.
Then, the container mounts and uses the volume, and other containers which use the volume also have access to the pre-populated content.
To illustrate this, this example starts an nginx container and populates the new volume nginx-vol with the contents of the container’s
/usr/share/nginx/html directory, which is where Nginx stores its default HTML content.
The –mount and -v examples have the same end result.
$ docker run -d \
–name=nginxtest \
-v nginx-vol:/usr/share/nginx/html \
nginx:latest
https://docs.docker.com/storage/volumes/#populate-a-volume-using-a-container
46. Question
Data is stored in the host system`s memory when using what type of mount?
tmpfs
Regular
volumes
bind mounts
Unattempted
As opposed to volumes and bind mounts, a tmpfs mount is temporary, and only persisted in the host memory. When the container stops,
the tmpfs mount is removed, and files written there won’t be persisted.
This is useful to temporarily store sensitive files that you don’t want to persist in either the host or the container writable layer.
https://docs.docker.com/storage/tmpfs/
47. Question
A container named “analytics” that stores results in a volume called “data” was created.
docker run -d –name=analytics -v data:/data mydb
How are the results accessed in “data” with another container called “reports”?
docker run -d --name=reports --volumes-from=analytics app
docker run -d --name=reports --volume=mydb myapp
docker run -d --name=reports --mount=mydb myapp
docker run -d --name=reports --volume=data myapp
Unattempted
The docker run command provides a flag, –volumes-from, that will copy the mount definitions from one or more containers to the new
container.
By combining this flag and volumes, you can build shared-state relationships in a host-independent way.
https://docs.docker.com/engine/reference/commandline/run/#mount-volumes-from-container—volumes-from
48. Question
You have a running Ubuntu Container with bash as its default command.
Copy a file called “services.txt” to the tmp directory of the container.
Navigate inside the container and delete the /tmp directory.
Exit from the container and run docker diff command.
Which of the following would be the output of it (docker diff command)?
A /root/.bash_history C /root D /tmp
C /tmp A /tmp/service.txt D /tmp
C /root A /root/.bash_history D /tmp
None of the answers is correct
Unattempted
To inspect changes to files or directories on a container’s filesystem use:
docker diff CONTAINER
This lists the changed files and directories in a container?s filesystem since the container was created.
Three different types of change are tracked with different symbols:
A A file or directory was added
D A file or directory was deleted
C A file or directory was changed
https://docs.docker.com/engine/reference/commandline/diff/#description
49. Question
Which of the following statements about DTR garbage collection is true?
Garbage collection removes exited containers from cluster nodes.
Garbage collection removes DTR images that are older than a configurable of days.
Garbage collection removes unreferenced image layers from DTR's backend storage.
Garbage collection removes unused volumes from cluster nodes
Unattempted
In the context of the Docker registry, garbage collection is the process of removing blobs from the filesystem when they are no longer
referenced by a manifest. Blobs can include both layers and manifests.
Registry data can occupy considerable amounts of disk space. In addition, garbage collection can be a security consideration, when it is
desirable to ensure that certain layers no longer exist on the filesystem.
https://docs.docker.com/registry/garbage-collection/#about-garbage-collection
50. Question
Each container shares the writeable container layer. True or false?
TRUE
FALSE
Unattempted
A Docker image is built up from a series of layers. Each layer represents an instruction in the image’s Dockerfile. Each layer except the very
last one is read-only.
Each container has its own writable container layer, and all changes are stored in this container layer.
However, multiple containers can share access to the same underlying image and yet have their own data state. The diagram below shows
multiple containers sharing the same Ubuntu 18.04 image.
https://docs.docker.com/storage/storagedriver/#container-and-layers
51. Question
Which of the following commands will automatically create a volume when a container is run?
docker container run --name nginxtest -v /app:mount nginx
docker container run --name nginxtest --volume myvol:/app:new nginx
docker container run --name nginxtest -v myvol:/app nginx
docker container run --name nginxtest --volumes=/app nginx
Unattempted
To mount a volume use -v or –volume.
These flags consist of three fields, separated by colon characters (:). The fields must be in the correct order, and the meaning of each field is
not immediately obvious.
· In the case of named volumes, the first field is the name of the volume, and is unique on a given host machine. For anonymous volumes,
the first field is omitted.
· The second field is the path where the file or directory are mounted in the container.
· The third field is optional, and is a comma-separated list of options, such as ro. These options are discussed below.
If you start a container with a volume that does not yet exist, Docker creates the volume for you. The following example mounts the volume
myvol2 into /app/ in the container.
$ docker run -d \
–name devtest \
-v myvol2:/app \
nginx:latest
https://docs.docker.com/storage/volumes/
52. Question
You can define a PersistentVolumeClaim without specifying a class. True or False?
TRUE
FALSE
Unattempted
A PV can have a class, which is specified by setting the storageClassName attribute to the name of a StorageClass. A PV of a particular class
can only be bound to PVCs requesting that class. A PV with no storageClassName has no class and can only be bound to PVCs that request
no particular class.
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class
53. Question
What docker command can you use to remove unused volumes?
docker delete volume
docker prune volume
docker remove volume
docker volume prune
Unattempted
To remove all unused local volumes use:
docker volume prune [OPTIONS]
Unused local volumes are those which are not referenced by any containers
https://docs.docker.com/engine/reference/commandline/volume_prune/
54. Question
What command would we use to locate the layered file system data for an image on a machine?
docker image layers
docker pull history
docker layer inspect
docker image inspect
Unattempted
To display detailed information on one or more images use:
docker image inspect [OPTIONS] IMAGE [IMAGE…]
https://docs.docker.com/engine/reference/commandline/image_inspect/
55. Question
Which of the following commands can you use to create a bind mount? (select two)
docker run -d --name test --mount type=bind,source="$(pwd)"/testvol,target=/testvol ubuntu:latest
docker volume make testvol -ro
docker bind_mount create testvol
docker run -d --name test -v "$(pwd)"/testvol:/testvol ubuntu:latest
Unattempted
Bind mounts have been around since the early days of Docker. Bind mounts have limited functionality compared to volumes. When you use a
bind mount, a file or directory on the host machine is mounted into a container.
The file or directory is referenced by its full or relative path on the host machine. By contrast, when you use a volume, a new directory is
created within Docker’s storage directory on the host machine, and Docker manages that directory’s contents.
Use the following command to bind-mount the target/ directory into your container at /app/. Run the command from within the source
directory. The $(pwd) sub-command expands to the current working directory on Linux or macOS hosts.
The –mount and -v examples below produce the same result. You can’t run them both unless you remove the devtest container after running
the first one.
$ docker run -d \
-it \
–name devtest \
–mount type=bind,source=”$(pwd)”/target,target=/app \
nginx:latest
$ docker run -d \
-it \
–name devtest \
-v “$(pwd)”/target:/app \
nginx:latest
https://docs.docker.com/storage/bind-mounts/#differences-between–v-and—mount-behavior
56. Question
A server is running low on disk space. What command can you use to check the disk usage of images, containers, and volumes for Docker
engine?
docker system df
docker system prune
docker system ps
docker system free
Unattempted
The docker system df command displays information regarding the amount of disk space used by the docker daemon.
By default the command will just show a summary of the data used including images, containers and local volumes:
$ docker system df
https://docs.docker.com/engine/reference/commandline/system_df/#examples
57. Question
Which of the following commands will result in the volume being removed automatically once the container has exited?
docker run --del -v /foo busybox
docker run --read-only -v /foo busybox
docker run --rm -v /foo busybox
docker run --remove -v /foo busybox
Unattempted
Anonymous volumes can be cleaned up in two ways. First, anonymous volumes are automatically deleted when the container they were
created for are automatically cleaned up. This happens when containers are deleted via the docker run –rm or docker rm -v flags.
Remove one or more containers
docker rm [OPTIONS] CONTAINER [CONTAINER…]
Second, they can be manually deleted by issuing a docker volume remove command:
docker volume rm [OPTIONS] VOLUME [VOLUME…]
https://docs.docker.com/engine/reference/commandline/volume_rm/
58. Question
Which type of mount is best when you don’t want the data to persist either on the host machine or within the container?
tmpfs
volumes
Regular
bind mounts
Unattempted
As opposed to volumes and bind mounts, a tmpfs mount is temporary, and only persisted in the host memory. When the container stops,
the tmpfs mount is removed, and files written there won’t be persisted.
This is useful to temporarily store sensitive files that you don’t want to persist in either the host or the container writable layer.
https://docs.docker.com/storage/tmpfs/
59. Question
What kind of relationship exists between a PersistentVolume and a PersistentVolumeClaim?
one-to-many
one-to-one
many-to-many
None of the answers is correct.
Unattempted
A user creates, or in the case of dynamic provisioning, has already created, a PersistentVolumeClaim with a specific amount of storage
requested and with certain access modes. A control loop in the master watches for new PVCs, finds a matching PV (if possible), and binds
them together. If a PV was dynamically provisioned for a new PVC, the loop will always bind that PV to the PVC. Otherwise, the user will
always get at least what they asked for, but the volume may be in excess of what was requested. Once bound, PersistentVolumeClaim binds
are exclusive, regardless of how they were bound. A PVC to PV binding is a one-to-one mapping, using a ClaimRef which is a bi-directional
binding between the PersistentVolume and the PersistentVolumeClaim.
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#binding
60. Question
Which of the following commands does not associate with docker volumes?
docker volume create
docker volume prune
docker volume backup
docker volume inspect
Unattempted
To manage volume, you could use:
docker volume COMMAND COMMAND
You can use subcommands to create, inspect, list, remove, or prune volumes.
Create a volume
docker volume create
Display detailed information on one or more volumes
docker volume inspect
List volumes
docker volume ls
Remove all unused local volumes
docker volume prune
Remove one or more volumes
docker volume rm
https://docs.docker.com/engine/reference/commandline/volume/
61. Question
Which of the following statements is false?
The column 'size' of docker ps -s output shows the amount of data that is used for the writable layer of each container.
When a container is deleted, the writable layer is persisted.
The column 'virtual size' of docker ps -s output shows the amount of data used for the read-only image data used by the container, plus
the container's writable layer 'size'.
Copy-on-write is a Docker strategy of sharing and copying files for maximum efficiency.
Unattempted
Container size on disk
To view the approximate size of a running container, you can use the docker ps -s command. Two different columns relate to size.
· size: the amount of data (on disk) that is used for the writable layer of each container.
· virtual size: the amount of data used for the read-only image data used by the container plus the container’s writable layer size. Multiple
containers may share some or all read-only image data. Two containers started from the same image share 100% of the read-only data,
while two containers with different images which have layers in common share those common layers. Therefore, you can’t just total the
virtual sizes. This over-estimates the total disk usage by a potentially non-trivial amount.
https://docs.docker.com/storage/storagedriver/#container-size-on-disk
Copy-on-write is a strategy of sharing and copying files for maximum efficiency. If a file or directory exists in a lower layer within the image,
and another layer (including the writable layer) needs read access to it, it just uses the existing file.
https://docs.docker.com/storage/storagedriver/#the-copy-on-write-cow-strategy
62. Question
Which of the following options constitutes a production-ready devicemapper configuration for the docker engine?
Format a partition with the xfs and mount it at '/var/lib/docker'
Utilize the '--storage-opt dm.directlvm_device' Docker daemon option, specifying a block device.
Create a volume group in devicemapper and utilize the '--dm.thinpooldev' Docker daemon option, specifying the volume group.
Nothing, devicemapper comes ready for production usage out of the box.
Unattempted
Particular storage-driver can be configured with options specified with –storage-opt flags. Options for devicemapper are prefixed with dm.
https://docs.docker.com/engine/reference/commandline/dockerd/#options-per-storage-driver
Device Mapper configuration modes:
· loop-lvm mode – is only appropriate for testing. The loop-lvm mode makes use of a ‘loopback’ mechanism that allows files on the local disk
to be read from and written to as if they were an actual physical disk or block device.
· direct-lvm mode – Production hosts using the devicemapper storage driver must use direct-lvm mode. This is faster than using loopback
devices, uses system resources more efficiently, and block devices can grow as needed. However, more setup is required than in loop-lvm
mode.
https://docs.docker.com/storage/storagedriver/device-mapper-driver/#configure-loop-lvm-mode-for-testing
63. Question
Which of the following is the docker command to remove one or more images?
docker remove
docker image rm
docker delete
docker image delete
Unattempted
Remove one or more images
docker image rm [OPTIONS] IMAGE [IMAGE…]
https://docs.docker.com/engine/reference/commandline/image_rm/
64. Question
You have created your company’s website with a feature to count the visitors and hosted it using containerized web-servers. Which of the
following provisions can potentially make you lose the track of your visitor count?
volumes
tmpfs
bind mounts
all of the above
Unattempted
Volumes and bind mounts let you share files between the host machine and container so that you can persist data even after the container is
stopped.
However, if you’re running Docker on Linux, you have a third option: tmpfs mounts.
As opposed to volumes and bind mounts, a tmpfs mount is temporary, and only persisted in the host memory. When the container stops,
the tmpfs mount is removed, and files written there won’t be persisted.
Therefore, this kind of mount is not recommended for storing state such as the visitor counts.
https://docs.docker.com/storage/tmpfs/
65. Question
If you want to create a container named ‘myweb’ with a volume inside at ‘/my/data/volume’, which command should you use?
docker run -d --name myweb -V /my/data/volume httpd:latest
docker run -d --name myweb -v myvol:/my/data/volume httpd:latest
docker run -d --name myweb --volumes myvol:/my/data/volume httpd:latest
None of the above.
Unattempted
-V and –volumes are incorrect flags.
Output message:
unknown shorthand flag: ‘V’ in -V
unknown flag: –volumes
To mount a volume use -v or –volume.
These flags consist of three fields, separated by colon characters (:). The fields must be in the correct order, and the meaning of each field is
not immediately obvious.
· In the case of named volumes, the first field is the name of the volume, and is unique on a given host machine. For anonymous volumes,
the first field is omitted.
· The second field is the path where the file or directory are mounted in the container.
· The third field is optional, and is a comma-separated list of options, such as ro. These options are discussed below.
If you start a container with a volume that does not yet exist, Docker creates the volume for you. The following example mounts the volume
myvol2 into /app/ in the container.
$ docker run -d \
–name devtest \
-v myvol2:/app \
nginx:latest
https://docs.docker.com/storage/volumes/
66. Question
Each storage driver has its own implementation, but all drivers use stackable image layers and the copy-on-write (CoW) strategy.
TRUE
FALSE
Unattempted
Docker uses storage drivers to manage the contents of the image layers and the writable container layer. Each storage driver handles the
implementation differently, but all drivers use stackable image layers and the copy-on-write (CoW) strategy.
https://docs.docker.com/storage/storagedriver/#container-and-layers
67. Question
PersistentVolume cannot be provisioned on-demand. True or False?
TRUE
FALSE
Unattempted
A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using
Storage Classes.
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistent-volumes
Dynamic volume provisioning allows storage volumes to be created on-demand. Without dynamic provisioning, cluster administrators have
to manually make calls to their cloud or storage provider to create new storage volumes, and then create PersistentVolume objects to
represent them in Kubernetes. The dynamic provisioning feature eliminates the need for cluster administrators to pre-provision storage.
Instead, it automatically provisions storage when it is requested by users.
https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/#enabling-dynamic-provisioning
68. Question
Where does the docker daemon persist all docker related data on the host machine?
/etc/docker
none
/var/lib/docker
/var/lib/docker-ce
Unattempted
The Docker daemon persists all data in a single directory. This tracks everything related to Docker, including containers, images, volumes,
service definition, and secrets.
By default this directory is:
· /var/lib/docker on Linux.
· C:\ProgramData\docker on Windows.
https://docs.docker.com/config/daemon/#docker-daemon-directory
Usually, on Linux distributions:
“/etc” is used for configurations (.conf files etc). here you find all the configs and settings for your system.
“/var” is usually used for log files, ‘temporary’ files (like mail spool, printer spool, etc), databases, and all other data not tied to a specific user.
Logs are usually in “/var/log”, databases in “/var/lib” (mysql – “/var/lib/mysql”), etc.
https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
69. Question
What happened when a PersistentVolumeClaim can’t be satisfied?
None of the above.
Claim will remain unbound indefinitely
Claim will throw an error when defined
Clain will get as much resources as possible
Unattempted
Claims will remain unbound indefinitely if a matching volume does not exist. Claims will be bound as matching volumes become available.
For example, a cluster provisioned with many 50Gi PVs would not match a PVC requesting 100Gi. The PVC can be bound when a 100Gi PV
is added to the cluster.
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#binding
70. Question
Which type of mount is best when you need to back up, restore, or migrate data from one Docker host to another?
tempfs
Regular
volumes
bind mounts
Unattempted
Volumes are the preferred mechanism for persisting data generated by and used by Docker containers. While bind mounts are dependent on
the directory structure of the host machine, volumes are completely managed by Docker. Volumes have several advantages over bind
mounts:
Volumes are easier to back up or migrate than bind mounts.
Volumes are useful for backups, restores, and migrations. Use the –volumes-from flag to create a new container that mounts that volume.
https://docs.docker.com/storage/volumes/#backup-restore-or-migrate-data-volumes
71. Question
Arrange the steps below in the correct sequence considering a copy-on-write operation;
A) Any modifications are made to this copy of the file, and the container cannot see the read-only copy of the file that exists in the lower layer.
B) Perform a copy_up operation on the first copy of the file that is found, to copy the file to the container`s writable layer.
C) Search through the image layers for the file to update. The process starts at the newest layer and works down to the base layer one layer at
a time. When results are found, they are added to a cache to speed future operations.
A, B, C
C, B, A
B, A, C
B, C, A
Unattempted
When an existing file in a container is modified, the storage driver performs a copy-on-write operation. The specifics steps involved depend
on the specific storage driver. For the aufs, overlay, and overlay2 drivers, the copy-on-write operation follows this rough sequence:
· Search through the image layers for the file to update. The process starts at the newest layer and works down to the base layer one layer at
a time. When results are found, they are added to a cache to speed future operations.
· Perform a copy_up operation on the first copy of the file that is found, to copy the file to the container’s writable layer.
· Any modifications are made to this copy of the file, and the container cannot see the read-only copy of the file that exists in the lower layer.
https://docs.docker.com/storage/storagedriver/#copying-makes-containers-efficient
72. Question
Which of the following statements is true for Docker Image?
Docker Images are created using Docker Compose.
Docker Image layers are downloaded as a tar file and stored at /var/lib/docker/aufs/
All the layers of docker image are read-only.
All the layers of a Docker Image are delta of the previous layer.
Unattempted
A Docker image is built up from a series of layers. Each layer represents an instruction in the image’s Dockerfile.
Each layer except the very last one is read-only.
Each layer is only a set of differences from the layer before it.
https://docs.docker.com/storage/storagedriver/#images-and-layers
73. Question
Which storage driver is used by default when installing Docker?
brtfs
ext4
zfs
overlay2
Unattempted
When possible, overlay2 is the recommended storage driver.
When installing Docker for the first time, overlay2 is used by default. Previously, aufs was used by default when available, but this is no
longer the case. If you want to use aufs on new installations going forward, you need to explicitly configure it, and you may need to install
extra packages, such as linux-image-extra.
https://docs.docker.com/storage/storagedriver/select-storage-driver/#docker-engine—community
Use Page numbers below to navigate to other practice tests
Pages:
1
2
3
4
5
6
7
8
9
10
11
12
← Previous Post
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
REFUND REQUEST
BROWSE ALL PRACTICE TESTS
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 6
Your results are here!! for" Docker Certified Associate Practice Set 6 "
0 of 60 questions answered correctly
Your time: 00:00:02
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
80.58%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Answered
Review
1. Question
You have been assigned a task to host your organization’s event blog using WordPress and MySQL database on a 25 active nodes swarm
cluster. Make sure that one task of MySQL database service is deployed on each active node in swarm cluster. Which of the following
commands will achieve your purpose?
docker service create --name mySQL --global mysql docker service create --name wordpress --replicas=25 wordpress ?
docker service create --name mySQL --mode global mysql docker service create --name wordpress --replicas=25 wordpress
docker service create --name mySQL --config global mysql docker service create --name wordpress --replicas=25 wordpress
None of the above
Unattempted
For replicated services, user need to specify the number of replica tasks for the swarm manager to schedule onto active nodes in cluster.
Whereas, in case of global service, scheduler places one task of service on each active node of the cluster. As asked in this question, to
deploy one task of MySQL service on each active node, we need to deploy mysql service as “global service” by setting the service mode to
“–mode global”.
2. Question
Which of the following mechanisms tries to place services evenly on appropriate nodes in a swarm cluster?
Placement Constraint
Placement Preference
Replicated Mode
Routing Mesh
Unattempted
Placement Preference evenly distributes services based on the label value of the nodes. If user has set a label value “default” for some
nodes in cluster, then user can set a placement preference to spread the service evenly across those nodes who have “default” label value.
To know more about placement preference, please visit this link: https://docs.docker.com/engine/swarm/services/
3. Question
Which of the following mechanisms is used to configure services to run only on nodes with specific metadata set?
Placement Preference
Placement Constraints
Routing Mesh
None of the above.
Unattempted
Placement Constraints are used to control the nodes on which a service can be deployed on. Unlike placement preference, in placement
constraints, service deployment can fail if the appropriate node does not exist. For more information, please follow the link:
https://docs.docker.com/engine/swarm/services/
4. Question
Which of the following ports on Docker Host is used to allow overlay network traffic in swarm mode?
TCP port 443
UDP port 7946
TCP port 2377
UDP port 4789
Unattempted
For more information, please follow the link: https://docs.docker.com/network/overlay/
5. Question
Which of the following statements about services is NOT correct?
A single service runs only one docker image.
HTTP server is an example of service.
Services are different blocks of a centralized computing application.
None of the above.
Unattempted
Services are different pieces of a DISTRIBUTED computing application. For more information, please follow the link:
https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/
6. Question
Which of the following flags is used to publish container’s port(s) on an existing service in swarm?
--publish
--publish-add
--publish-all
None of the above.
Unattempted
“–publish-add” flag is used to add a published port on a running service. Whereas, “–publish” flag is used to publish a port while a service is
being created. For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/service_update/
7. Question
What is the limitation of docker service scale command in swarm mode?
It can only scale UP the service.
It can only be applied on replicated services.
It can only scale one service at a time.
All of the above
Unattempted
Only replicated services can be scaled UP or DOWN to the desired number of replicas. For more information, please follow the link:
https://docs.docker.com/engine/reference/commandline/service_scale/
8. Question
Which of the following commands is used to revoke cluster management and orchestrating privileges from manager node?
docker node down
docker node rm
docker node demote
None of the above
Unattempted
9. Question
Which of the following commands is used to provide cluster management and orchestrating privileges to worker node?
docker node up
docker node promote
docker node demote
None of the above
Unattempted
10. Question
You have a 35 nodes swarm cluster. Out of which, 11 nodes are manager nodes. In order to avoid failure of set of machines or to perform
periodic maintenance tasks, Which one of the following is the optimal distribution of manager nodes?
6/4/1
5/5/1
5/2/4
4/4/3
Unattempted
Manager nodes are distributed across a minimum of 3 availability-zones to support failures of machines and to support periodic maintenance
tasks. Start distributing one manager node at a time in each zone until you are left with 0 manager nodes. For more information, please
follow the link: https://docs.docker.com/engine/swarm/admin_guide/
11. Question
Which of the following paths on docker Host is used by manager nodes to store swarm state and manager logs?
/var/log/docker/swarm
/var/lib/docker/swarm
/etc/docker/swarm
None of the above
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/swarm/admin_guide/
12. Question
Which of the following tools is used to provision and manage Docker Engine on one or more virtual hosts?
docker toolbox
docker client
docker-machine
None of the above
Unattempted
For more information, please follow the link: https://docs.docker.com/machine/overview/
13. Question
Which of the following is the functionality of a storage driver?
To back-up docker image layers' data on Docker Daemon.
To write docker image layers' data on Docker Host
To manage the contents of image layers and writable container layers.
All of the above.
Unattempted
For more information, please follow the link: https://docs.docker.com/storage/storagedriver/
14. Question
Choice of storage mount options can affect the representation of data in the container.
TRUE
FALSE
Unattempted
Data within the container is exposed as either directory or individual files in container’s FS. So, the type of storage mount (volume, bind or
tmpfs) does not have any control on data’s representation. To differentiate among the storage mounts: volume, bind mount, and tmpfs, user
need to check the location where these mounts store container’s data on host system. For more information, please follow this link:
https://docs.docker.com/storage/
15. Question
Which of the following is the scope of uniqueness for auto-generated anonymous volume name?
docker hub
docker host
docker swarm cluster
none of the above
Unattempted
Any Volume name is unique across the docker host.
16. Question
Which of the following mounts can grant read/write permissions on host file system to a process running inside a container?
volume
bind mount
tmpfs
docker-cloud remote storage driver
Unattempted
For more information, please follow the link: https://docs.docker.com/storage/bind-mounts/
17. Question
You want to run a multi-container application with MySQL and WordPress containers running side-by-side. WordPress is dependent on MySQL
database container. Which of the following mounts can be used to save the WordPress login credentials to MySQL database?
volume
bind mount
tmpfs
all of the above
Unattempted
tmpfs is ephemeral and bind mount is less secure compared to volume so if the data to be stored is sensitive such as passwords or
credentials, volumes are the ideal choice among the provided options.
18. Question
Which of the following is NOT an argument of docker volume create command?
--opt
--tag
--driver
--name
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/volume_create/
19. Question
If you are using a Linux distribution to run Docker, which of the following storage drivers can NOT be used?
devicemapper
vfs
ext4
overlay2
Unattempted
ext4 is a supported backing filesystem for overlay, overlay2, and aufs storage drivers. For more information, please follow the link:
https://docs.docker.com/storage/storagedriver/select-storage-driver/
20. Question
Which of the following provisions of Docker supports modifications on storage drivers?
Docker for Linux Distributions
Docker Desktop for Mac
Docker Desktop for Windows
All of the above
Unattempted
For more information, please follow the link: https://docs.docker.com/storage/storagedriver/select-storage-driver/
21. Question
Which of the following offerings are used to sign a Docker Image on DTR?
QR code
trust metadata
image digest
CA certificate
Unattempted
For more information, please follow the link: https://docs.docker.com/ee/dtr/user/manage-images/sign-images/
22. Question
Which of the following steps are essential to help UCP trust signed images in Docker?
Delegate signing to the keys in UCP client bundle
Notary client configuration
Initialize trust metadata for the repository
All of the above.
Unattempted
For more information, please follow the link: https://docs.docker.com/ee/dtr/user/manage-images/sign-images/
23. Question
Which of the following tools allows users to implement RBAC?
Docker Hub
Docker Compose
Docker Universal Control Plane
Docker Swarm
Unattempted
For more information, please follow the link: https://docs.docker.com/ee/ucp/authorization/
24. Question
Docker Secrets are available for standalone containers and swarm services.
TRUE
FALSE
Unattempted
Docker secrets are only available to swarm services, not to standalone containers. To use this feature, consider adapting your container to
run as a service.
25. Question
Which of the following is NOT a docker native network driver?
host
bridge
load balancer
macvlan
Unattempted
Supported network drivers for Docker are: bridge, host, overlay, macvlan, and none. Also, Docker supports third-party network plugins
available on Docker Hub or from third party vendors. For more information, Please follow the link: https://docs.docker.com/network/
26. Question
Which of the following networks removes the network isolation between container and docker host?
ingress
bridge
host
macvlan
Unattempted
For more information, please follow the link: https://docs.docker.com/network/host/
27. Question
You have a running busybox container in the development environment, which is connected to the default bridge network. The testing team
connected the busybox container to a user-defined bridge network called “test-bridge”. Now, how many endpoints will busybox container
have?
1
2
3
0
Unattempted
One endpoint for default bridge network and one endpoint for user defined bridge network.
28. Question
Which of the following Linux technologies is responsible for the isolated nature of containers?
Isolated Networks
namespace
core isolation
cgroups
Unattempted
When a container starts running, each process of a container runs in a separate namespace. These namespaces provide a layer of isolation to
the respective processes in a container and limit their functionality to that particular namespace. For more information, please follow the link:
https://docs.docker.com/engine/docker-overview/
29. Question
Which of the following commands is used to connect the network to running container?
docker connect
docker network join
docker network connect
None of the above
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/network_connect/
30. Question
Which of the following editions are offered by Docker?
Docker Console Edition & Docker Enterprise Edition
Docker Community Edition & Docker Extended Edition
Docker Community Edition & Docker Enterprise Edition
Docker Container Edition and Docker Enhanced Edition
Unattempted
For more information, please follow the link: https://docs.docker.com/install/overview/
31. Question
Which of the following is not an update channel type in Docker CE?
Stable
Scratch
Test
Nightly
Unattempted
Docker CE has three types of update channels: stable, test, and nightly. For more information, please follow the link:
https://docs.docker.com/install/
32. Question
Which of the following commands will you use to log a forced stack trace to troubleshoot an unresponsive docker daemon?
$ sudo kill -SIGKILL $(pidof dockerd)
$ sudo kill -SIGTERM $(pidof dockerd)
$ sudo kill -SIGSTP $(pidof dockerd)
$ sudo kill -SIGUSR1 $(pidof dockerd)
Unattempted
If docker daemon is unresponsive, user can send SIGUSR1 signal to docker daemon to force stack trace on daemon to list out all the logs of
docker daemon till the point when stack trace was logged in. Stack trace will list out all threads running in docker daemon and helps to find
the location of the potential error without terminating daemon process. For more information, please follow the link:
https://docs.docker.com/config/daemon/
33. Question
What is the default extension of Dockerfile ?
.txt
.dockerfile
.yaml
None of the above
Unattempted
34. Question
Which of the following instructions sets the base image for subsequent instructions in Dockerfile?
CMD
FROM
ARG
RUN
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/builder/#from
35. Question
FROM instruction can be used only ONCE in a single Dockerfile.
TRUE
FALSE
Unattempted
FROM can appear multiple times within a single Dockerfile to create multiple images using a single build stage.
36. Question
What is the functionality of RUN instruction in Dockerfile?
It runs the Dockerfile and creates a new Docker Image.
It executes the command on the writable layer of the container and commits the result.
It executes command in a new layer on top of the current image and commits the result.
None of the above,
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/builder/#run
37. Question
Which of the following Dockerfile instructions is used to provide defaults for an executing container?
CMD
ENTRYPOINT
ENV
FROM
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/builder/#cmd
38. Question
You want to create a Docker container which has Ubuntu as its base image. You have written 3 CMD instructions CMD-A, CMD-B, and CMD-C
respectively in your Dockerfile and built Docker Image. Now, Which CMD instruction will be executed when the Ubuntu container starts
running?
CMD-A
CMD-B
CMD-C
Unattempted
Only the last CMD instruction in Dockerfile will be executed when a container starts running. For more information, please follow the link:
https://docs.docker.com/engine/reference/builder/#cmd
39. Question
Which of the following forms is the exec form of ENTRYPOINT Dockerfile instruction?
ENTRYPOINT [ “echo” : “$PATH” ]
ENTRYPOINT [ “echo”, $PATH ]
ENTRYPOINT [ “echo”, “$PATH” ]
ENTRYPOINT [ ‘echo’ : ‘$PATH’ ]
Unattempted
The exec form (preferred) of ENTRYPOINT is ENTRYPOINT [“executable”, “param1”, “param2”] For more information, please follow the link:
https://docs.docker.com/engine/reference/builder/#entrypoint
40. Question
How do ADD and COPY Dockerfile instructions differ from each other?
ADD only adds files to image file system, whereas COPY adds files as well as directories to image file-system.
ADD is used by single docker host whereas COPY is used by docker swarm clusters .
ADD supports local-tar extractions and remote URL downloads, whereas COPY supports only local file transfer.
All of the above.
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/builder/#add
https://docs.docker.com/engine/reference/builder/#copy
41. Question
What is the present working directory of the container based on the given Dockerfile?
FROM ubuntu:latest
WORKDIR /tmp
RUN apt-get update -y
WORKDIR hello-docker
WORKDIR messages
RUN echo “hello” > test.txt
CMD [“bash”]
/hello-docker/messages
/tmp/hello-docker/messages
/messages
/home/tmp/hello-docker/messages
Unattempted
The WORKDIR instruction can be used multiple times in a Dockerfile. If a relative path is provided, it will be relative to the path of the
previous WORKDIR instruction. For more information, please follow the link: https://docs.docker.com/engine/reference/builder/#workdir
42. Question
Which of the following commands is used to list out all the layers of a Docker Image?
docker images
docker list
docker history
docker inspect
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/history/
43. Question
Which of the following commands is used to backup Docker Images?
docker load
docker export
docker save
docker pull
Unattempted
docker save command saves one or more images to a tar archive which contains all the parent layers, all tags and versions, and all the
specified repo:tag of image(s). For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/save/
44. Question
Which of the following commands is used to list out all the available docker images on the docker host?
docker image ls
docker list
docker image top
None of the above
Unattempted
docker image ls or docker images command lists all top level images, their repository and tags, and their size. For more information, please
follow the link: https://docs.docker.com/engine/reference/commandline/images/
45. Question
Which of the following is the default storage driver in Docker CE?
overlay2
overlay
aufs
devicemapper
Unattempted
For more information, please follow the link: https://docs.docker.com/storage/storagedriver/select-storage-driver/
46. Question
How a running container can be interpreted on a Linux host?
an application
a program
a process
a file
Unattempted
47. Question
What is the default container format of Docker containers?
libcontainer
Application Container Image (ACI)
LXD
None of the above
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/docker-overview/
48. Question
Which of the following commands is used to create a MySQL version 5.4 database container?
docker run --name database --image mysql:5.4
docker create --name database --image mysql:5.4
docker create --name database mysql:5.4
docker run --name database mysql:5.4
Unattempted
The docker create command creates a writable container layer over the specified image and prepares it for running the specified command.
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/create/
49. Question
Which process’s output will be available on terminal as standard output as a result of docker attach command?
RUN
ENTRYPOINT/CMD
EXPOSE
FROM
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/attach/
50. Question
What will be the output of the following docker command?
docker exec -it test-ubuntu "sudo apt-get update -y"
It will execute the update command in a running container.
It will overwrite the default CMD command with “sudo apt-get update” command in running container.
The command format is not supported.
None of the above.
Unattempted
docker exec command does not support a chained or a quoted command. For more information, please follow the link:
https://docs.docker.com/engine/reference/commandline/exec/
51. Question
Which of the following commands is used to backup Docker containers?
docker save
docker export
docker tar -cvf
None of the above
Unattempted
docker export command exports a container’s filesystem as a tar archive. For more information, please follow the link:
https://docs.docker.com/engine/reference/commandline/export/
52. Question
Which of the following is NOT a node type in Docker Swarm?
manager
worker
master
None of the above
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/swarm/key-concepts/
53. Question
Which of the following components of the swarm allocates IP addresses to all running tasks?
Dispatcher
Allocator
Orchestrator
Scheduler
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/
54. Question
You have a five node swarm cluster deployed on your local system. What will happen if the only manage node of the cluster fails?
swarm services will continue to run.
all member nodes will perform a re-election among them to elect a new manager
swarm cluster will stop all the processes until user configures a new manager of the cluster.
no action will be taken.
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/
55. Question
You have a swarm cluster which consists of 27 active nodes. Out of which, 9 nodes are managers and one node is the leader. What will be the
fault tolerance and quorum of this swarm cluster respectively?
14, 13
4, 5
13, 14
5, 4
Unattempted
The fault tolerance equation is (N-1)/2 and quorum equation is (N/2)+1 where N = total number of manager nodes in swarm cluster
56. Question
What is the default network for swarm services?
bridge
host
ingress
none
Unattempted
For more information, please follow the link: https://docs.docker.com/network/overlay/
57. Question
Which of the following orders is recommended to backup the components of Docker EE?
docker swarm > DTR > UCP
DTR > docker swarm >UCP
UCP > DTR > docker swarm
docker swarm > UCP > DTR
Unattempted
For more information, please follow the link: https://docs.docker.com/ee/backup/
58. Question
Containers on user-defined bridge network can communicate only via IP addresses.
TRUE
FALSE
Unattempted
Containers connected to default bridge network can only communicate with each other by IP addresses, unless user uses the –link option
(legacy). Whereas, on user-defined bridge network, containers can communicate with each other by name or alias.
59. Question
What does following error indicate?
x509: certificate signed by unknown authority
user is running a docker swarm command on manager without client certificate.
user is not registered on docker hub.
user have entered incorrect captcha.
user is running a docker command on UCP node without client certificate .
Unattempted
60. Question
Which of the following commands is used to start a docker daemon manually?
sudo docker daemon start
docker daemon start
docker start --daemon
dockerd
Unattempted
For more information, please follow the link: https://docs.docker.com/config/daemon/
Use Page numbers below to navigate to other practice tests
Pages:
1
2
3
4
5
6
7
8
9
10
11
12
← Previous Post
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
BROWSE ALL PRACTICE TESTS
REFUND REQUEST
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 7
Your results are here!! for" Docker Certified Associate Practice Set 7 "
0 of 60 questions answered correctly
Your time: 00:00:26
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
84.88%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Answered
Review
1. Question
Which of the following commands is used to remove dangling docker images?
docker rmi
docker image prune
docker rm
docker image remove
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/image_prune/
2. Question
What is the final outcome of a container created from the following Dockerfile?
FROM ubutu:trusty
RUN apt-get update -y
ENTRYPOINT [“/bin/ping”,”-c”,”6″]
CMD [“localhost”]
Container will ping localhost for 6 times and will return to its shell.
Container will remain in created state.
Container will ping the localhost for 6 times and will stop running.
Container will get stuck in infinite pinging loop.
Unattempted
Here, the container should run as executable to ping the localhost exactly 6 times. For that, ENTRYPOINT instruction is defined in exec form
with “/bin/ping” path as an executable. we have two parameters for this executable: -c flag and decimal count 6. It means the ping operation
will be performed exactly 6 times by the container. CMD will provide the default arguments (in this case “localhost”) for the executable in
ENTRYPOINT instruction. After pinging the localhost for 6 times, the container will gracefully stop as the CMD and ENTRYPOINT instructions
have been successfully performed.
3. Question
Which of the following network drivers utilizes VXLAN data plane to decouple docker network from the underlay physical network?
bridge
overlay
host
macvlan
Unattempted
4. Question
Which of the following is the default network driver for docker containers?
host
docker_gwbridge
bridge
overlay
Unattempted
For more information, please follow the link: https://docs.docker.com/network/
5. Question
You have created your company’s website with visitor counts and hosted it using containerized web-servers. Which of the following provisions
can potentially make you lose the track of your visitor count?
tmpfs
bind mounts
volumes
all of the above
Unattempted
tmpfs mount is temporary, and only persists in the host memory. When the container stops, the tmpfs mount is removed, and files written
there won’t be persisted.
6. Question
Which of the following Dockerfile instructions will configure a starting point for the executable container?
ENTRYPOINT
CMD
ENV
EXEC
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/builder/#entrypoint
7. Question
Which of the following commands is used to isolate manager node from further scheduling of service tasks?
docker node update --available drain manager
none of the above
docker node update --availability drain manager
docker node stop manager
Unattempted
It is advisable to drain a manager node so that it only performs swarm management tasks and is unavailable for task assignment.
8. Question
Which of the following is not managed by Docker hub?
organizations
containers
repositories
docker images
Unattempted
9. Question
Which of the following use cases is more suitable for ingress?
static landing page on single container nginx web-server.
a few dozen nginx replicas hosted on a swarm cluster with custom load balancing.
Super Mario flash game on Windows XP machine locally.
a few nginx web-server container replicas on a single host.
Unattempted
A single nginx container with static landing page of nginx web-server and few nginx container replicas on running on single host machine
does not require forwarding rule if ingress. Supre mario flash game is hosted on a local machine which does not require any sort of
networking.
10. Question
Which of the following file-systems is NOT supported by docker to serve as its backend of storage drivers?
brtfs
overlay2
ext4
zfs
Unattempted
For more information, please follow the link: https://docs.docker.com/storage/storagedriver/select-storage-driver/
11. Question
Which of the following units of the swarm determines on which node a task will be scheduled?
Scheduler
Dispatcher
Allocator
Orchestrator
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/
12. Question
Which of the following is NOT a part of the grant permission in UCP)?
role
subject
resource sets
certificates
Unattempted
For more information, please follow the link: https://docs.docker.com/ee/ucp/authorization/
13. Question
Which of the following commands is used by nodes to join the swarm cluster as worker node?
docker swarm --join --token
None of the above
docker swarm join --token
docker swarm join worker
Unattempted
The node joins as a manager node or worker node based upon the token you pass with the –token flag. If you pass a manager token, the
node joins as a manager. If you pass a worker token, the node joins as a worker.
14. Question
Which of the following commands is used to list out tasks of one or more services in swarm?
docker ps
docker services
docker service ls
docker service ps
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/service_ps/
15. Question
Which of the following units of the swarm instructs worker to run a task?
Allocator
Orchestrator
Dispatcher
Scheduler
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/
16. Question
Which of the following Dockerfile instructions confirms Docker’s core concepts of source control and cheap commits?
RUN
CMD
ARG
FROM
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/builder/#run
17. Question
Which of the following statements are true for Docker Image?
All the layers of docker image are read-only.
All the layers of a Docker Image are delta of the previous layer.
Docker Image layers are downloaded as a tar file and stored at /var/lib/docker/aufs/
Docker Images are created using Docker Compose.
Unattempted
For more information, please follow the link: https://docs.docker.com/storage/storagedriver/
18. Question
Which of the following commands is used to pretty-print the containers’ IDs, names and statuses in tabular form?
docker ps --format "{{.ID}}\t{{.Names}}\t{{.Status}}"
docker ps -format "table {{.ID}}\t{{.Names}}\t{{.Status}}"
docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Status}}"
docker ps --format table “{{.ID}}\t{{.Names}}\t{{.Status}}”
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/ps/
19. Question
Which of the following vulnerabilities requires you to change the docker image layer entirely?
File under ADD layer has bad Hex objects.
All of the above
Components of base image have critical vulnerabilities.
Command under CMD layer creates permission conflicts.
Unattempted
For more information, please follow the link: https://docs.docker.com/v17.12/docker-cloud/builds/image-scan/
20. Question
Which of the following Dockerfile instructions informs Docker about the port on which container is listening?
EXPOSE
ENV
PORT
LABEL
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/builder/#expose
21. Question
Which of the following is the application of Universal Control Plane ?
To provide an integrated application management platform
To configure docker on a Linux host
To control all the running container processes
To create a docker swarm cluster
Unattempted
Docker Universal Control Plane (UCP) is the enterprise-grade cluster management solution from Docker which helps you manage your
Docker cluster and applications through a single interface.
22. Question
Which of the following is the default logging driver of Docker for Linux distributions?
syslog
fluentd
json-file
none
Unattempted
For more information, please follow the link: https://docs.docker.com/config/containers/logging/configure/
23. Question
Which of the following is the correct order of service creation process in swarm mode?
docker API > scheduler > allocator > dispatcher > orchestrator
docker API > orchestrator > dispatcher > allocator > orchestrator
docker API > orchestrator > allocator > dispatcher > scheduler
docker API > allocator > scheduler > dispatcher > orchestrator
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/
24. Question
Which of the following is responsible for merging host’s already present cached image layers with pulled image layers?
ext4
NTFS
swap
aufs
Unattempted
For more information, please follow the link: https://docs.docker.com/storage/storagedriver/aufs-driver/
25. Question
Which of the following provisions of Docker supports host networking?
Docker Desktop for Mac
Docker EE for Windows Server
Docker for Linux Distributions
Docker Desktop for Windows
Unattempted
For more information, please follow the link: https://docs.docker.com/network/host/
26. Question
Which of the following commands does not associate with docker volumes?
docker volume backup
docker volume create
docker volume inspect
docker volume prune
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/volume/
27. Question
What is a Dockerfile?
None of the options
Readme file for docker
Executable file to install docker
sequential set of instructions to build a docker image.
Unattempted
28. Question
Which of the following is NOT a swarm resource?
networks
volumes
dockerfiles
containers
Unattempted
Resource types that users can access in a Swarm collection include containers, networks, nodes, services, secrets, and volumes.
29. Question
Which of the following commands is used by worker nodes to leave swarm cluster gracefully?
docker swarm exit
docker swarm leave
docker node rm worker
None of the above
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/swarm_leave/
30. Question
The more number of managers in a swarm cluster, The more chances of better performance and scalability
TRUE
FALSE
Unattempted
Adding more manager nodes in a swarm cluster can increase the updation time for the swarm cluster, which can lead to a compromise in
write performance of swarm.
31. Question
What is the scope of the overlay network driver in Docker?
global
local
service
swarm
Unattempted
For more information, please follow the link: https://docs.docker.com/network/
32. Question
Which of the following units of the swarm passes a task to its corresponding node using HTTP request/response?
Dispatcher
Orchestrator
Scheduler
Allocator
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/
33. Question
Which of the following is NOT Docker Certified Infrastructure?
VMware
DigitalOcean
Amazon Web Services
Microsoft Azure
Unattempted
For more information, please follow the link: https://docs.docker.com/ee/supported-platforms/
34. Question
Which of the following are the supported team permission levels in Docker Trusted Registry?
Read only
none of the above
Manager
Read & Write
Unattempted
Three permission levels are available in DTR: read, read-write, and admin
35. Question
Which of the following is not an object of The Container Network Model ?
Sandbox
Services
End-point
Network Controller
Unattempted
36. Question
You want to search for a BusyBox official Docker Image with minimum rating of 30 stars. Which of the following commands will provide you
the correct results?
docker search --filter “is-official” --filer “stars=30” busybox
docker search --filter “is-official=true, stars=30” busybox
docker search --filter “is-official=true” --filter “stars=30” busybox
docker search --filter “is-official=True” --filter “stars=30” busybox
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/search/
37. Question
How does UCP provide authorized client certificate?
None of the options
As a Client Bundle (zip file)
As a QR code
As pop-up dialog box (zip file download link)
Unattempted
For more information, please follow the link: https://docs.docker.com/ee/ucp/user-access/cli/
38. Question
Which of the following Dockerfile instructions is used to add metadata to the docker image?
LABEL
ADD
ARG
METADATA
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/builder/#label
39. Question
Which docker network is used to connect one or more docker daemons of participating nodes in swarm cluster?
bridge
ingress
docker_gwbridge
overlay
Unattempted
For more information, please follow the link: https://docs.docker.com/network/overlay/
40. Question
Where does the docker daemon persist all docker related data on host machine?
/etc/docker
none
/var/lib/docker-ce
/var/lib/docker
Unattempted
For more information, please follow the link: https://docs.docker.com/config/daemon/
41. Question
In order to configure Docker daemon to start as the system boots up, which of the following commands is correct for most Linux distributions?
sudo systemctl up docker
sudo systemctl enable docker
sudo systemctl start docker
sudo systemctl default docker
Unattempted
Most of the current Linux distributions use “systemd” to manage which services to start when the system boots up. “enable” will mark a
particular service to start when the system boots, whereas “start” will immediately start the particular service.
42. Question
Which of the following flags is not supported by docker service create command?
-v
-p
-t
-l
Unattempted
The docker service create command does not support the -v or –volume flag. While mounting a volume into a service’s containers, you must
use the –mount flag.
43. Question
You want to run an nginx web-server container as a background process. Make sure that the container’s port 80 is mapped to port 8080 on
local host machine. As the final output, you should be able to access the default landing page of nginx web-server. Which of the following is
the correct command for it?
docker run -itd --name web-server -p 8080:80 nginx:latest
docker run -itd --name web-server -P nginx:latest
docker run --name web-server -p 8080:80 nginx:latest
docker run -itd --name web-server -p 80:8080 nginx:latest
Unattempted
The container named “web-server” will run as a background process (-d), with its STDIN open (-i), and will have a pseudo-TTY (-t). The “-p”
flag will make sure that localhost’s port 8080 is mapped with container’s port 80. And at last, mention the name of the official nginx webserver Docker Image and run the command.
44. Question
Which of the following commands returns a detailed information on Docker objects for a Docker Image?
docker image info
docker image history
docker image inspect
docker image stats
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/reference/commandline/image_inspect/
45. Question
You want to initialise scan of your repository for vulnerabilities. But you are unable to do so. What could be the reason?
You are using Docker Community Edition.
Security Scanning in not enabled in DTR.
You do not have the authority to download the security scanning licence for DTR.
All of the above.
Unattempted
For more information, please follow the link: https://docs.docker.com/ee/dtr/admin/configure/set-up-vulnerability-scans/
46. Question
Which of the following network drivers connects the container’ s network stack directly to Docker Host?
overlay
bridge
host
macvlan
Unattempted
For more information, please follow the link: https://docs.docker.com/network/host/
47. Question
You have a running Ubuntu Container with bash as its default command. Copy a file called “services.txt” to the tmp directory of the container.
Navigate inside the container and delete the /tmp directory. Exit from the container and run docker diff command. Which of the following
would be the output of it (docker diff command)?
?A /root/.bash_history C /root D /tmp
C /tmp A /tmp/service.txt D /tmp
C /root A /root/.bash_history D /tmp
None of the above
Unattempted
“A” symbol is used when a file or directory was added. “C” symbol is used when a file or directory was changed. “D” symbol is used when a
file or directory was deleted.
48. Question
Task is a unidirectional mechanism.
TRUE
FALSE
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/
49. Question
Docker containers are the running instances of … ?
Docker Image
Dockerfile
both (a) and (b)
none of the options
Unattempted
For more information, please follow the link: https://docs.docker.com/engine/docker-overview/
50. Question
Which of the following are the supported orchestrators in Docker EE?
Kubernetes
Docker Swarm
Swarmkit
All of the above
Unattempted
For more information, please follow the link: https://docs.docker.com/ee/docker-ee-architecture/
51. Question
Which of the following platforms supports IPv6 networking in Docker?
Docker Desktop for Mac
Linux
Docker Desktop for Windows
Docker for iOS
Unattempted
For more information, please visit the following link: https://docs.docker.com/config/daemon/ipv6/
52. Question
Containers connected to a default bridge network do not forward their network traffic to the outside world.
TRUE
FALSE
Unattempted
For more information, please visit the following link: https://docs.docker.com/network/bridge/
53. Question
Which of the following containers manages the DTR authentication?
dtr-authdtr-signdtr-garantdtr-allowUnattempted
For more information, please visit the following link: https://docs.docker.com/ee/dtr/architecture/
54. Question
How many sub-networks can be created on the default bridge network?
2
4
1
3
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/network_create/
55. Question
Which of the following ways is not used for container identification?
Container name
UUID long identifier
UUID short identifier
Uniform Resource Identifier
Unattempted
For more information, please visit the following link:https://docs.docker.com/engine/reference/run/
56. Question
The output of the following docker run command returned non-zero exit code. What could be the possible reason?
$ docker run –foo alpine echo $?
# flag provided but not defined: –foo
See ‘docker run –help’.
125
The container is Out-of-memory.
The container’s process has been terminated by CTRL+C.
The default command of the container could not be invoked.
There is an error with docker daemon.
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/run/
57. Question
After pressing the key sequence CTRL+C, which of the following signals is sent to stop a running container?
SIGTERM
SIGINT
SIGKILL
COPY
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/attach/
58. Question
What will be the outcome of a docker cp command if the SRC_PATH is a file and the DEST_PATH is a directory?
It will create a new file into DEST_PATH and copy the content of source file in it.
The DEST_PATH will be overwritten with the contents of the source file.
The source file will be copied into DEST_PATH and will be saved as the basename from SRC_PATH.
An error will pop up to indicate that source and destination types need to be the same.
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/cp/
59. Question
True or False?
docker exec command only runs if the container’s primary process is running.
TRUE
FALSE
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/exec/
60. Question
Which of the following commands is used to display the total disk space used by docker daemon?
docker stats
dockerd info
docker disk use
docker system df
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/system_df/
Use Page numbers below to navigate to other practice tests
Pages:
1
2
3
4
5
6
7
8
9
10
11
12
← Previous Post
Next Post →
We help you to succeed in your certification exams
We have helped over thousands of working professionals to achieve their certification goals with our practice tests.
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
REFUND REQUEST
BROWSE ALL PRACTICE TESTS
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 8
Your results are here!! for" Docker Certified Associate Practice Set 8 "
0 of 60 questions answered correctly
Your time: 00:00:02
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
75.82%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Answered
Review
1. Question
Which of the following is the default mount point for a decrypted secret in a Linux container?
/run/secrets/
/var/lib/docker/secrets/
/run/internal/secrets/
/var/lib/docker/internal/secrets/
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/swarm/secrets/
2. Question
Which of the following commands is used to login into Docker registry?
docker hub login
docker login
docker registry login
docker client login
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/login/
3. Question
Docker configs are encrypted and stored inside the container’s RAM.
TRUE
FALSE
Unattempted
Configs operate in a similar way to secrets, except that they are not encrypted at rest and are mounted directly into the container’s
filesystem without the use of RAM disks.
For more information, please visit the following link: https://docs.docker.com/engine/swarm/configs/
4. Question
Which of the following sockets are used by docker daemon to listen to Docker Engine API requests?
tcp
fd
unix
http
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/dockerd/
5. Question
By default, how many layers of a docker image does docker daemon push to the Docker registry at a time?
3
4
1
5
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/push/
6. Question
Here is a list of all the docker images stored on your docker host. Out of all these images, we want to remove images referencing to
the fd484f19954f image tag. Which of the following commands will return a flawless result?
REPOSITORY TAG IMAGE ID CREATED SIZE
img-1 latest fd484f19954f 23 seconds ago 7 B (virtual 4.964 MB)
img-2 latest fd484f19954f 23 seconds ago 7 B (virtual 4.964 MB)
img-3 latest fd484f19954f 23 seconds ago 7 B (virtual 4.964 MB)
img-4 latest ba458d17824c 30 seconds ago 7 B (virtual 4.964 MB)
img-5 latest ca562b85961a 52 seconds ago 7 B (virtual 4.964 MB)
Here is a list of all the docker images stored on your docker host. Out of all these images, we want to remove images referencing to
the fd484f19954f image tag. Which of the following commands will return a flawless result?
REPOSITORY TAG IMAGE ID CREATED SIZE
img-1 latest fd484f19954f 23 seconds ago 7 B (virtual 4.964 MB)
img-2 latest fd484f19954f 23 seconds ago 7 B (virtual 4.964 MB)
img-3 latest fd484f19954f 23 seconds ago 7 B (virtual 4.964 MB)
img-4 latest ba458d17824c 30 seconds ago 7 B (virtual 4.964 MB)
img-5 latest ca562b85961a 52 seconds ago 7 B (virtual 4.964 MB)
docker rmi fd484f19954f
docker rmi -f fd484f19954f
docker rmi --all
docker image prune --all
Unattempted
If an image has one or more tags referencing it, you must remove all of them before the image is removed or you can use the -f flag and
specify the image’s short or long ID, then this command untags and removes all images that match the specified ID.
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/rmi
7. Question
Which of the following commands is used to update the container’s configuration dynamically?
docker update
docker container upgrade
docker config --update
docker settings update
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/update/
8. Question
Which of the following algorithms is used by the manager node to manage the state of the swarm cluster?
Proof-of-Authority algorithm
Unique node list algorithm
SIEVE consensus algorithm
Raft consensus algorithm
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/swarm/admin_guide/
9. Question
How many cgroups are created for each container in Docker?
1
2
3
4
Unattempted
For more information, please visit the following link: https://docs.docker.com/config/containers/runmetrics/
10. Question
By default, a container can only consume 60% of the resources provided by the host’s kernel scheduler.
TRUE
FALSE
Unattempted
By default, a container has no resource constraints and can use as much of a given resource as the host’s kernel scheduler allows.
For more information, please visit the following link: https://docs.docker.com/config/containers/resource_constraints/
11. Question
Which of the following storage drivers is used for testing purposes and for systems without a copy-on-write strategy?
overlay2
aufs
devicemapper
vfs
Unattempted
For more information, please visit the following link: https://docs.docker.com/storage/storagedriver/select-storage-driver/
12. Question
Which of the following storage drivers are block-level storage drivers?
zfs
aufs
overlay2
devicemapper
Unattempted
devicemapper, btrfs, and zfs are block-level storage drivers.
For more information, please visit the following link: https://docs.docker.com/storage/storagedriver/select-storage-driver/
13. Question
The overlay storage driver only works with 2 layers: lowerdir and upperdir.
TRUE
FALSE
Unattempted
For more information, please visit the following link: https://docs.docker.com/storage/storagedriver/overlayfs-driver/
14. Question
Which of the following mechanisms is used by nodes to authenticate, authorize, and encrypt the communications with other nodes in the
swarm?
Zimmermann Real-Time Transport Protocol
Transport Level Security
GNU Privacy Guard
Double Ratchet Algorithm
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/
15. Question
Which of the following is the default AppArmor security profile for containers in Docker?
docker-app
docker-secure
docker-default
docker/apparmor
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/security/apparmor/
16. Question
By default, how much time does a node take to renew its certificate in a swarm cluster?
12 days
20 days
60 days
90 days
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/
17. Question
Which of the following commands is used to force a worker-1 node to leave the swarm cluster?
docker swarm leave --force
docker swarm leave --force worker-1
docker swarm exit --force
docker swarm exit --force worker-1
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/swarm_leave/
18. Question
Which of the following role-grants does Kubernetes provide?
ClusterRoleBinding
NodeRoleBinding
RoleBinding
PodRoleBinding
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/configure/configure-rbac-kube/
19. Question
If the type of orchestrator is changed, the existing workload will migrate to the new orchestrator automatically.
TRUE
FALSE
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/configure/set-orchestrator-type/
20. Question
Which of the following commands is used to schedule swarm workloads on a node?
?docker node update \ --label-add com.docker.orchestrator.swarm=true
docker node update \ --label-add com.docker.ucp.orchestrator.swarm=true
docker node update \ --label-add com.docker.orchestrator.ucp.swarm=true
docker node update \ --add-label com.docker.orchestrator.ucp.swarm=true
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/configure/set-orchestrator-type/
21. Question
Which of the following networks is used as the default network for kubernetes by Universal Control Plane?
Weave net
Flannel
Calico
Cilium
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/configure/deploy-route-reflectors/
22. Question
The repository’s name should be ________ to ________ characters long.
1 to 255 characters
2 to 255 characters
3 to 255 characters
4 to 255 characters
Unattempted
For more information, please visit the following link: https://docs.docker.com/docker-hub/repos/
23. Question
Which of the following licences is followed by the official distribution of Docker?
MIT software licence
Creative Commons
BSD
Apache 2.0
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/docker-overview/
24. Question
Docker Trusted Registry can only be installed on-premise.
TRUE
FALSE
Unattempted
Docker Trusted Registry can be installed on-premise or on the cloud.
For more information, please visit the following link: https://docs.docker.com/ee/dtr/admin/install/system-requirements/
25. Question
According to Docker, how many nodes should be set up in a cluster to achieve high-availability on DTR?
minimum of 3 nodes
minimum of 2 nodes
minimum of 4 nodes
minimum of 5 nodes
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/dtr/admin/configure/set-up-high-availability/
26. Question
Which of the following endpoints exposed by DTR is used to monitor the health of DTR replicas?
/_ping
/_connect
/_staus
/_healthcheck
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/dtr/admin/configure/use-a-load-balancer/
27. Question
How would you define Notary in Docker Trusted Registry?
It is a tool for 3rd party volume management.
It is a tool for image storage, management, and disposal.
It is a tool for user authentication and management.
It is a tool for publishing and managing a trusted collection of content.
Unattempted
For more information, please visit the following link: https://docs.docker.com/notary/getting_started/
28. Question
Which of the following is the correct GUN format for naming Docker Images for Notary Client?
notary {cmd} docker.io/
notary {cmd} docker.io/library/
notary {cmd} docker.io/storage/
notary {cmd} docker.io/system/
Unattempted
For more information, please visit the following link: https://docs.docker.com/notary/getting_started/
29. Question
Which of the following is not a type of Webhook?
TAG_PULL
TAG_REPAIR
PUSH_MIRRORING
PROMOTION
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/dtr/admin/manage-webhooks/
30. Question
What is a Pause Container?
An emergency backup container used to backup pod’s state while pod approaches an error state.
A monitor container used to monitor and log the container’s boot process inside a pod.
An empty container which holds cgroups, reservations, namespaces of a pod before its individual container is created.
A container state between container creation state and before the container running state.
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/ucp-architecture/
31. Question
Is it possible to join a new node to a swarm cluster after removing Universal Control Plane from the cluster?
Yes, you can go to swarm manager terminal and use docker swarm join command.
No, because UCP’s removal blocks any other access to swarm cluster.
Yes, you can reinstall UCP on the cluster and then join the node.
No, because the cluster will be unstable for any new process initialization.
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/install/uninstall/
32. Question
Which of the following is the core component of the Universal Control Plane?
ucp-controller
ucp-manager
ucp-worker
ucp-agent
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/ucp-architecture/
33. Question
Which of the following keys is not a Docker Trusted Content key?
tagging keys
offline keys
server-managed keys
CA keys
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/security/trust/content_trust/
34. Question
What is the role of the mode variable in Docker Content Trust?
It changes the operating mode of the docker engine.
It instructs the docker engine whether to enforce signed docker images or not.
It instructs the docker engine whether the image source is trustworthy or not.
It indicates the operating mode of Docker content trust.
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/security/trust/content_trust/
35. Question
By default, Docker runs through a non-networked UNIX socket.
TRUE
FALSE
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/security/https/
36. Question
What is a “Builder Pattern” in Docker?
It is a standard to write Dockerfiles.
It is a process of creating docker containers based on docker images.
It is a pattern followed and suggested by Docker Swarm to bootstrap a swarm cluster.
It is a design pattern used to maintain 2 individual Dockerfiles for app development and production purposes.
Unattempted
For more information, please visit the following link: https://docs.docker.com/develop/develop-images/multistage-build/
37. Question
Docker registry is an instance of Docker Hub.
TRUE
FALSE
Unattempted
Docker Hub is an instance of a Docker Registry. For more information, please visit the following
link: https://docs.docker.com/develop/develop-images/image_management/
38. Question
Which of the following flags is used to change the container’s default hostname?
--name
--ip
--hostname
--rename
Unattempted
For more information, please visit the following link: https://docs.docker.com/config/containers/container-networking/
39. Question
Services using the routing mesh are running in the ___________.
Swarm mode
Virtual IP mode
Global mode
DNSRR mode
Unattempted
For more information, please visit the following link: https://docs.docker.com/network/overlay/
40. Question
Which of the following commands is used to create an overlay network for standalone containers?
docker network create -d overlay test-overlay
docker network create -d overlay --attachable test-overlay
docker network create --ingress test-overlay
docker swarm create -d overlay test-service
Unattempted
For more information, please visit the following link: https://docs.docker.com/network/overlay/
41. Question
From whom does the container inherit the default DNS settings?
docker host
docker daemon
base image
docker registry
Unattempted
For more information, please visit the following link: https://docs.docker.com/config/containers/container-networking/
42. Question
What is the default location of the configuration files of Docker CLI?
/etc/docker/daemon.json
~/.docker
/var/lib/docker
/root/docker/docker_cli
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/cli/
43. Question
How many characters can be contained in an image tag name?
32
256
64
128
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/tag/
44. Question
Which of the following is the default mount point for a decrypted secret in a Windows container?
C:\ProgramData\Docker\secrets
C:\Users\Docker\secrets
C:\Docker\secrets
C:\Users\internal\Docker\secrets
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/swarm/secrets/
45. Question
Docker config is only supported by Linux containers.
TRUE
FALSE
Unattempted
Configs are supported on both Linux and Windows services.
For more information, please visit the following link: https://docs.docker.com/engine/swarm/configs/
46. Question
Which of the following networks is responsible for communication between DTR components running on different nodes?
dtr-br
dtr-macvlan
dtr-ol
dtr-host
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/dtr/architecture/
47. Question
DTR can be installed on a standalone Docker Engine.
TRUE
FALSE
Unattempted
DTR needs to be installed on a worker node that is being managed by UCP.
For more information, please visit the following link: https://docs.docker.com/ee/dtr/admin/install/
48. Question
Which of the following mechanisms is used to automatically delete unused image layers in DTR?
Image cleaner
Garbage collection
Garbage cleaner
Image collection
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/dtr/admin/configure/garbage-collection/
49. Question
There is a DTR cluster running 6 DTR replicas. Out of which, 1 replica is behaving a bit odd than its desired state. You have been assigned the
task to determine whether this cluster is healthy or not. Out of the following options, what will be your verdict?
Cluster is unhealthy because the majority of replicas are not working properly.
Cluster is healthy but it has lost its quorum.
Cluster is healthy because the majority of replicas are working fine.
Cluster is unhealthy because one replica is not working properly.
Unattempted
When one or more DTR replicas are unhealthy but the overall majority (n/2 + 1) is healthy and able to communicate with one another, your
DTR cluster is still functional and healthy.
For more information, please visit the following link: https://docs.docker.com/ee/admin/disaster-recovery/
50. Question
Which of the following security frameworks is used as the underlying framework in Notary to create, manage, and distribute the metadata to
ensure the integrity and origin of the content?
The Operator Framework (TOF)
The Update Framework (TUF)
Flux
Packer
Unattempted
For more information, please visit the following link: https://docs.docker.com/notary/getting_started/
51. Question
Webhooks are GET requests used to request data from the URL defined in Docker Hub.
TRUE
FALSE
Unattempted
You can use webhooks to cause an action in another service in response to a push event in the repository. Webhooks are POST requests
sent to a URL you define in Docker Hub.
For more information, please visit the following link: https://docs.docker.com/docker-hub/webhooks/
52. Question
Which of the following UCP services is used to collect Docker system information for troubleshooting?
ucp-sysinfo
ucp-dockerinfo
ucp-dsdata
ucp-dsinfo
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/ucp-architecture/
53. Question
Which of the following ports is generally used for Kubernetes Networking in UCP?
TCP 443
TCP 179
TCP 4789
TCP 6444
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/install/system-requirements/
54. Question
Which of the following commands is used to create a backup of a UCP manager node?
docker container run \ --name ucp \ --volume /var/run/docker.sock:/var/run/docker.sock \ docker/ucp \ backup [command options] >
backup.tar
docker container commit \ --name ucp \ --volume /var/run/docker.sock:/var/run/docker.sock \ docker/ucp \ backup [command options] >
backup.tar
docker container create \ --name ucp \ --volume /var/run/docker.sock:/var/run/docker.sock \ docker/ucp \ backup [command options] >
backup.tar
docker container backup \ --name ucp \ --volume /var/run/docker.sock:/var/run/docker.sock \ docker/ucp \ backup [command options] >
backup.tar
Unattempted
For more information, please visit the following link: https://docs.docker.com/reference/ucp/3.2/cli/backup/
55. Question
Which of the following is the most suitable way to process the repository tag limits in DTR?
Last Input First Output
First Input First Output
Single Input Single Output
Multiple Input Multiple Output
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/dtr/user/tag-pruning/
56. Question
Which of the following in Docker content trust provides control over the image tag signing process?
Root certificates
Delegations
Docker Daemon
Docker Client
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/security/trust/trust_delegation/
57. Question
Docker files scanned by antivirus software can hang the execution of Docker commands.
TRUE
FALSE
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/security/antivirus/
58. Question
Given below is a tiny Dockerfile based on the “scratch” image. If we build a docker image based on this Dockerfile, what will be the first
filesystem layer of that docker image?
FROM scratch
ADD hello /
CMD [“/hello”]
scratch
baserc
ADD
CMD
Unattempted
For more information, please visit the following link: https://docs.docker.com/develop/develop-images/baseimages/
59. Question
Which of the following commands is used to target a specific build stage out of multi-stage builds?
docker build --target -t
docker build --source -t
docker build --build-stage -t
docker build --tag -t
Unattempted
For more information, please visit the following link: https://docs.docker.com/develop/develop-images/multistage-build/
60. Question
Which of the following commands is used to disable container networking for a swarm service?
?docker run --rm -itd \ --network none \ --name alpine-net \ alpine:latest
docker service create \ --replicas 3 \ --network none \ --name alpine-net \ alpine:latest
docker swarm create \ --network none \ --name alpine-net \ alpine:latest
None of the above.
Unattempted
None network driver is used to disable container networking with the conjunction of the custom network driver.
None is not available for swarm services so none of the commands achieves network disability.
For more information, please visit the following link: https://docs.docker.com/network/none/
https://docs.docker.com/network/
Use Page numbers below to navigate to other practice tests
Pages:
1
2
3
4
5
6
7
8
9
10
11
12
← Previous Post
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
REFUND REQUEST
BROWSE ALL PRACTICE TESTS
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 9
Your results are here!! for" Docker Certified Associate Practice Set 9 "
0 of 60 questions answered correctly
Your time: 00:00:04
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
76.58%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Answered
Review
1. Question
In which of the following modes can the macvlan network be created?
local mode
bridge mode
host mode
802.3q trunk bridge mode
Unattempted
For more information, please visit the following link: https://docs.docker.com/network/macvlan/
2. Question
What kind of encryption method is used to encrypt swarm service management traffic?
AES-SGCM
AES-CCM
AES-GCM
DES-CWC
Unattempted
For more information, please visit the following link: https://docs.docker.com/network/overlay/
3. Question
In which of the following networks does port mapping not take effect?
macvlan
overlay
bridge
host
Unattempted
For more information, please visit the following link: https://docs.docker.com/network/host/
4. Question
The container is assigned a single IP address for every Docker network it connects to.
TRUE
FALSE
Unattempted
The container is assigned a separate IP address for every Docker network it connects to. The IP address is assigned from the pool assigned
to the network, so the Docker daemon effectively acts as a DHCP server for each container.
For more information, please visit the following link: https://docs.docker.com/config/containers/container-networking/
5. Question
By default, How many IP addresses can be allocated to a single overlay network?
256
512
64
128
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/network_create/
6. Question
Which of the following docker daemon flags can be used as an equivalent of com.docker.network.bridge.host_binding_ipv4 option while
creating a custom bridge network?
--name
--IPB4
--ip
--network
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/network_create/
7. Question
Which of the following JSON encoding properties specifies the default format for the output of docker ps command?
pstatesFormat
statsFormat
pslistFormat
psFormat
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/cli/
8. Question
What is the default value of the delay between two reset occurrences of a container?
300 ms
400 ms
100 ms
1000 ms
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/run/
9. Question
Which of the following isolation technologies is used in Docker Desktop for Windows?
namespace
hypervisor
cgroups
users.
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/build/
10. Question
What will be the outcome of docker cp command, if the SRC_PATH is a directory and the DEST_PATH is a file?
The contents in DEST_PATH will be overwritten by the source file’s content.
The contents of each file of SRC_PATH will be copied into separate files into the DEST_PATH.
DEST_PATH will be created as a directory and all the contents of the SRC_PATH will be copied into this directory.
An error will occur that it cannot copy a directory to a file.
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/cp/
11. Question
Which of the following filesystem changes (in a file or directory) are tracked with docker diff command?
A file or directory was added.
A file or directory was renamed.
A file or directory was changed.
A file or directory was disabled.
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/diff/
12. Question
Which of the following commands is used to display system-wide information of Docker?
docker info
docker inspect
docker engine
docker --about
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/info/
13. Question
Docker secrets are available for standalone containers as well as for swarm services.
TRUE
FALSE
Unattempted
Docker secrets are only available to swarm services, not to standalone containers. To use this feature, consider adapting your container to
run as a service.
For more information, please visit the following link: https://docs.docker.com/engine/swarm/secrets/
14. Question
Which of the following is used to store the non-sensitive information outside the service’s image or running containers in Docker?
docker stats
docker locker
docker secrets
docker config
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/swarm/configs/
15. Question
Which of the following commands is used to create config from a file or STDIN?
docker create --config
docker config create
docker config run
docker run --config
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/config_create/
16. Question
Which of the following logging drivers are mandatory for docker log command to successfully function?
splunk
journald
json-file
fluentd
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/logs/
17. Question
By default, how many layers of docker image does docker daemon pull from the docker registry at a time?
1
2
3
4
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/pull/
18. Question
Which of the following image layer storage drivers is used for Windows Images?
overlay2
aufs
windowsfilter
zfs
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/dockerd/
19. Question
A container named app-env-db is serving the application environment for your upcoming app and it is ready to be deployed. You need to
commit the container and push the resulting docker image to the organization’s registry—dbstore, serving on port 32033. Which of the
following commands will help you to fulfil this task?
(Note: All the prerequisites to push the docker image to docker hub have already been fulfilled.)
?docker commit app-env-db test-env docker tag dbstore:32033/test-env:latest test-env docker push dbstore:32033/test-env:latest
docker commit app-env-db test-ENV docker tag test-ENV dbstore:32033/test-ENV:latest docker push dbstore:32033/test-ENV:latest
docker commit app-env-db test-env docker tag test-env dbstore:32033/test-env:latest docker push dbstore:32033/test-env:latest
docker commit app-env-db test-env docker tag test-env dbstore/test-env:latest docker push dbstore/img-env-db:latest
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/push/
20. Question
While updating a swarm service, which of the following flags is used to configure the maximum number of service tasks that a scheduler can
update simultaneously?
--update-order
--update-parallelism
--update-max
--update-max-failure-ratio
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/service_update/
21. Question
Which of the following flags can be passed to make docker daemon listen to a specific IP or port?
-p
-H
-l
-D
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/dockerd/
22. Question
What is “live restore” in containers?
A configuration to backup and restore the live containers’ states in a named volume on the Docker host.
A configuration to keep containers alive while docker daemon is unavailable.
A configuration to backup and restore the swarm cluster’s current state on the docker host.
A configuration to revive deleted containers on the Docker host.
Unattempted
For more information, please visit the following link: https://docs.docker.com/config/containers/live-restore/
23. Question
Which of the following is a pseudo-file containing the CPU usage accumulated by the processes of a container?
cpuusage.stat
cpuacct.stat
cpushares.stat
cpus.stat
Unattempted
For more information, please visit the following link: https://docs.docker.com/config/containers/runmetrics/
24. Question
Which of the following octal values represents the world-writable file mode for tmpfs storage?
700
770
1777
77
Unattempted
For more information, please visit the following link: https://docs.docker.com/storage/tmpfs/https://docs.docker.com/storage/tmpfs/
25. Question
Which of the following are the supported backing filesystems of overlay2 storage driver?
ext4
xfs with ftype=1
zfs
direct-lvm
Unattempted
For more information, please visit the following link: https://docs.docker.com/storage/storagedriver/select-storage-driver/#supported-backingfilesystems
26. Question
How many lower OverlayFS layers does overlay2 natively support?
8
32
64
128
Unattempted
For more information, please visit the following link: https://docs.docker.com/storage/storagedriver/overlayfs-driver/
27. Question
Which operation does overlay/overlay2 storage driver perform to copy a file from lowerdir (image) to the upperdir (container)?
copy_uplayer
copy_up
copy_upperdir
copy_dn
Unattempted
For more information, please visit the following link: https://docs.docker.com/storage/storagedriver/
28. Question
Which of the following commands is used to get the state of tasks in the swarm cluster?
docker service ls
docker service ps
docker service stats
docker service describe
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/swarm/how-swarm-mode-works/swarm-task-states/
29. Question
Which of the following commands is used to generate a new root CA certificate and root CA key for the swarm cluster?
docker swarm ca
docker swarm ca --ca-generate
docker swarm ca --rotate
docker swarm ca --ca-generate --rotate
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/reference/commandline/swarm_ca/
30. Question
Which of the following options can compose a Kubernetes grant?
role
subject
resource
namespace
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/authorization/grant-permissions/
31. Question
Which of the following orchestrators are supported by Docker?
Swarm
Kubernetes
Mixed
vSphere
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/configure/set-orchestrator-type/
32. Question
What will be the orchestrator type of a newly promoted worker node?
Swarm
Kubernetes
Mixed
It does not change.
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/configure/set-orchestrator-type/
33. Question
Which of the following commands is used to schedule kubernetes workloads on a node?
?docker node update \ --label-add com.docker.ucp.orchestrator.kubernetes=true
docker node update \ --label-add com.docker.orchestrator.kubernetes=true
docker node update \ --label-add com.docker.orchestrator.ucp.kubernetes=true
docker node update \ --add-label com.docker.orchestrator.ucp.kubernetes=true
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/configure/set-orchestrator-type/
34. Question
Which of the following commands is used to access audit logs of Universal Control Plane?
docker logs ucp-agent
docker logs ucp
docker logs ucp --audit
docker logs ucp-controller
Unattempted
For more information, please visit the following link: https://docs.docker.com/ee/ucp/admin/configure/enable-audit-logging/
35. Question
How many free private repositories can a user get with Docker Hub user account?
0
1
2
3
Unattempted
For more information, please visit the following link: https://docs.docker.com/docker-hub/repos/
36. Question
Which of the following actions can you not commit under Docker’s Apache 2.0 license?
Study the logic and create a parallel product.
Use Docker API in your own product to utilize containerization features
Modify Docker APIs for your research work.
Sell Docker APIs under your product's name without any accreditation to Docker.
Unattempted
For more information, please visit the following link: https://docs.docker.com/engine/docker-overview/
37. Question
Bind mounts can be managed directly by Docker CLI commands.
TRUE
FALSE
Unattempted
For more information, please visit the following link: https://docs.docker.com/storage/bind-mounts/
38. Question
What will happen if you use –mount flag to bind-mount container’s directory to a directory on Docker host which does not exist yet?
Docker will create a new directory on Docker host and backup all the data of mounted container directory.
Docker will create a directory with a warning of security vulnerabilities on Docker host.
Docker won't create any directory on Docker host and generate an error message.
Docker daemon will generate a warning and suggest to use --mount-to flag with directory location on Docker host to create that particular
directory.
Unattempted
For more information, please visit the following link: https://docs.docker.com/storage/bind-mounts/
39. Question
With Docker Desktop on Mac, you only get one VM, managed by Docker Desktop.
TRUE
FALSE
Unattempted
For more information, please visit the following link: https://docs.docker.com/docker-for-mac/docker-toolbox/
40. Question
What is the command that need to be executed to sign an image before pushing it to repository?
A. export TRUST_DOCKER_CONTENT=1
B. export TRUST_DOCKER_IMAGE=1
C. export SIGN_DOCKER_IMAGE=1
D. export DOCKER_CONTENT_TRUST=1
Unattempted
Reference: https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/
41. Question
Docker security scan result is available in both UCP and DTR. True or false?
A. FALSE
B. TRUE
Unattempted
Reference: https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/scan-images-for-vulnerabilities/#the-docker-security-scanprocess
42. Question
What are the steps needed to sign images in a way that UCP trusts them? (select three)
A. Delegate signing to the keys in your UCP client bundle
B. Approve image sign on UCP
C. Configure Notary client
D. Initialize trust metadata for the repository
Unattempted
Reference: https://docs.docker.com/datacenter/dtr/2.3/guides/user/manage-images/sign-images/#sign-images-that-ucp-can-trust
43. Question
What are the requirements to install Docker Trusted Registry (DTR)? (Select all that apply)
A. All nodes must be a worker node managed by Universal Control Plan
B. Make sure the port 8080 and 8443 are open on the node
C. All nodes must have a fixed hostname
D. DTR can be installed on-premises or on a cloud provider
Unattempted
Reference: https://docs.docker.com/datacenter/dtr/2.4/guides/admin/install/system-requirements/
44. Question
Where do you create Docker Role Based Access Controls (RBAC)?
A. Docker Trusted Registry
B. Docker Machine
C. Universal Control Plane
D. Docker Compose
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/
45. Question
Which of the following tool to use to create users and teams?
A. Docker Trusted Registry (DTR)
B. Docker Compose
C. Universal Control Plane (UCP)
D. Docker Machine
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/create-and-manage-users/
46. Question
What is a grant made up of in Docker’s Role Based Access Controls (RBAC)? (select three)
A. Resource collection
B. Certificate
C. Role
D. Subject
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/grant-permissions/
47. Question
What is the correct order to backup Docker EE components?
A. Back up UCP, swarm, then DTR
B. Back up swarm, DTR, then UCP
C. Back up DTR, UCP, then swarm
D. Back up swarm, UCP, then DTR
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/#backup-steps
48. Question
Where is the option to integrate Docker Enterprise with LDAP?
A. Universal Control Plane
B. Docker Trusted Registry
C. Docker Compose
D. Docker Machine
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/
49. Question
Which of the following items need to be considered before installing Docker Enterprise?
A. Docker Engine, DTR, and UCP version compatibility
B. Time Synchronization
C. Disk space
D. Network ports
E. All of the options
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#compatibility-and-maintenance-lifecycle
50. Question
You can monitor the status of UCP by using the web UI or the CLI. True or false?
A. TRUE
B. FALSE
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/#check-status-from-the-ui
51. Question
What is the endpoint that we can use to check the health of a single UCP manager node?
A. https:///_heartbeat
B. https:///_ping
C. https:///_health
D. https:///_status
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/#monitoring-automation
52. Question
What is the difference between UCP workers and managers?
A. ucp-agent service automatically starts serving all UCP components in manager node, and only a proxy service in worker node
B. ucp-agent service automatically starts serving all UCP components in worker node, and only a proxy service in manager node
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/#under-the-hood
53. Question
What are the two types of UCP client bundles?
A. Ops client bundles and dev client bundles
B. Docker CLI bundles and Docker web UI bundles
C. Docker UCP client bundles and DTR client bundles
D. Admin user certificate bundles and user certificate bundles
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/guides/user/access-ucp/cli-based-access/
54. Question
What is the docker command to backup the UCP?
A. docker backup ucp
B. docker/ucp backup
Unattempted
Reference: https://docs.docker.com/datacenter/ucp/2.2/reference/cli/backup/
55. Question
How to configure the default logging driver?
A. Set the "log-driver" option in the daemon.json file
B. Use --log-driver flag
Unattempted
Reference: https://docs.docker.com/engine/admin/logging/overview/#configure-the-default-logging-driver
56. Question
What is the docker command to find the current logging driver for a running container?
A. docker status
B. docker info
C. docker inspect
D. docker config
Unattempted
Reference: https://docs.docker.com/engine/admin/logging/overview/#configure-the-logging-driver-for-a-container
57. Question
What is the docker command to create a container with custom DNS server(s)?
A. docker container create --dns=IP_ADDRESS
B. docker container create --custom-dns=IP_ADDRESS
C. docker container create --add-dns=IP_ADDRESS
D. docker container create --set-dns=IP_ADDRESS
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/container_create/#options
https://docs.docker.com/v17.09/engine/userguide/networking/default_network/configure-dns/
58. Question
What is the command to set DNS server for all Docker containers?
A. dockerd --dns-server IP_ADDRESS
B. dockerd --set-dns IP_ADDRESS
C. dockerd --dns-update IP_ADDRESS
D. dockerd --dns IP_ADDRESS
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-dns-options
59. Question
What is the docker command to see container logs?
A. docker logs
B. docker debug
C. docker dump-logs
D. docker fetch-logs
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/logs/#parent-command
60. Question
What is the docker command to display detailed information on one or more networks?
A. docker inspect network
B. docker network status
C. docker network display
D. docker network inspect
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/network_inspect/
Use Page numbers below to navigate to other practice tests
Pages:
1
2
3
4
5
6
7
8
9
10
11
12
← Previous Post
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
REFUND REQUEST
BROWSE ALL PRACTICE TESTS
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 10
Your results are here!! for" Docker Certified Associate Practice Set 10 "
0 of 60 questions answered correctly
Your time: 00:00:02
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
82.56%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Answered
Review
1. Question
What is the docker command to add or update a node label?
A. docker node modify --set-label
B. docker node add --label
C. docker node update --set-label
D. docker node update --label-add
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/node_update/#examples
2. Question
Which of the following docker command can be used to find out all the ports mapped? (select three)
A. docker inspect
B. docker ps
C. docker port
D. docker network ls
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/port/#examples
3. Question
What is the docker command to increase number of replicas?
A. docker service scale
B. docker service build
C. docker service replica
D. docker service increase
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/service_scale/
4. Question
What is the docker command to update an existing service?
A. docker service update
B. docker service change
C. docker service config
D. docker service modify
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/service_update/
5. Question
What is the docker command to add or update a mount on a service?
A. docker service --add-update-mount
B. docker service update --mount-add
C. docker service set --add-update-mount
D. docker service --mount-volume
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/service_update/#add-or-remove-mounts
6. Question
What is the docker command to roll back to the previous version of a service?
A. docker service --rollback-version
B. docker service update --rollback-version
C. docker service update --rollback
D. docker service --rollback
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/service_update/#roll-back-to-the-previous-version-of-a-service
7. Question
What is the docker command to add or update a published port?
A. docker service set --add-port
B. docker service modify --add-update-port
C. docker service update --publish-port
D. docker service update --publish-add
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/service_update/#usage
8. Question
What is the docker command to add a network to a service?
A. docker service set --add-network
B. docker service update --network-add
C. docker service add-network
D. docker service modify --add-network
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/service_update/#usage
9. Question
What is the docker command to setup a swarm?
A. docker swarm init
B. docker init swarm
C. docker swarm create
D. docker create swarm
Unattempted
Reference: https://docs.docker.com/engine/reference/commandline/swarm/
10. Question
What is the docker run option to publish a port so that an application is accesible externally?
A. docker run --open-port
B. docker run --publish
C. docker run --expose
D. docker run --publish-port
Unattempted
Reference: https://docs.docker.com/engine/reference/run/#expose-incoming-ports
https://docs.docker.com/engine/reference/commandline/run/#options https://docs.docker.com/engine/reference/builder/#maintainerdeprecated
11. Question
Which of the followings are Docker Engine Security features? (select all that apply)
A. You can protect the Docker daemon socket and ensure only trusted Docker client connections
B. You can configure Docker’s trust features so that your users can push and pull trusted images
C. You can configure secure computing mode (Seccomp) policies to secure system calls in a container
D. You can use certificate-based client-server authentication to verify a Docker daemon has the rights to access images on a registry
Unattempted
Reference: https://docs.docker.com/engine/security/
12. Question
Which of the following is NOT true about Raft (docker consensus algorithm)?
A. If a quorum is not reached, the system will not process any more requests to schedule additional tasks
B. Raft requires a majority or quorum of (N/2) + 1 members
C. Raft tolerates up to (N-2)/2 failures
D. If a quorum is not reached, the existing tasks will keep running
Unattempted
Reference: https://docs.docker.com/engine/swarm/raft/
13. Question
What is the docker command to add or update a placement constraint?
A. docker service update --placement-constraint-add
B. docker service update --placement-pref-add
C. docker service update --constraint-add
D. docker service update --pref-add
Unattempted
Reference: https://docs.docker.com/engine/swarm/services/#placement-constraints
14. Question
What is the docker command to add a placement preference?
A. docker service update --constraint-add
B. docker service update --pref-add
C. docker service update --placement-constraint-add
D. docker service update --placement-pref-add
Unattempted
Reference: https://docs.docker.com/engine/swarm/services/#placement-preferences
15. Question
Publishing a service’s port using the routing mesh makes the service accessible at the published port on every swarm node. True or false?
A. TRUE
B. FALSE
Unattempted
Reference: https://docs.docker.com/engine/swarm/services/#publish-a-services-ports-using-the-routing-mesh
16. Question
What is the docker command to see the storage driver Docker is currently using?
A. docker status
B. docker info
C. docker inspect
D. docker config
Unattempted
Reference: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#check-and-set-your-current-storage-driver
17. Question
What is the recommended approach to set storage driver?
A. Use --storage-driver flag when running dockerd
B. Set the "storage-driver" option in the daemon.json file
Unattempted
Reference: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#check-and-set-your-current-storage-driver
18. Question
Which of the following is how to configure the Docker daemon to start on boot? (select two)
A. Use crond for Ubuntu 14.10 and below
B. Use startup for most current Linux distributions (RHEL, CentOS, Fedora, Ubuntu 16.04 and higher)
C. Use systemd for most current Linux distributions (RHEL, CentOS, Fedora, Ubuntu 16.04 and higher)
D. Use upstart for Ubuntu 14.10 and below
Unattempted
Reference: https://docs.docker.com/install/linux/linux-postinstall/#configure-docker-to-start-on-boot
19. Question
Which network driver type is best when you need containers running on different Docker hosts to communicate, or when multiple applications
work together using swarm services?
A. Host networks
B. Macvlan networks
C. Overlay networks
D. User-defined bridge networks
Unattempted
Reference: https://docs.docker.com/network/#network-drivers
20. Question
Which network driver type is best when you need multiple containers to communicate on the same Docker host?
A. Host networks
B. Overlay networks
C. User-defined bridge networks
D. Macvlan networks
Unattempted
Reference: https://docs.docker.com/network/#network-drivers
21. Question
Which network driver type is best when you are migrating from a VM setup or need your containers to look like physical hosts on your
network, each with a unique MAC address?
A. Host networks
B. Macvlan networks
C. User-defined bridge networks
D. Overlay networks
Unattempted
Reference: https://docs.docker.com/network/#network-drivers
22. Question
Which network driver type is best when the network stack should not be isolated from the Docker host, but you want other aspects of the
container to be isolated?
A. Macvlan networks
B. Overlay networks
C. User-defined bridge networks
D. Host networks
Unattempted
Reference: https://docs.docker.com/network/#network-drivers
23. Question
What is the docker command to connect a running container to an existing user-defined bridge?
A. docker network join
B. docker network attach
C. docker network connect
D. docker connect network
Unattempted
Reference: https://docs.docker.com/network/bridge/#connect-a-container-to-a-user-defined-bridge
24. Question
Which of the following statements is false?
A. Linked containers on the default bridge network share environment variables
B. User-defined bridges provide better isolation and interoperability between containerized applications
C. Containers can NOT be attached and detached from user-defined networks on the fly
D. Each user-defined network creates a configurable bridge
Unattempted
Reference: https://docs.docker.com/network/bridge/#differences-between-user-defined-bridges-and-the-default-bridge
25. Question
What is the docker command to create a bridge network?
A. docker network deploy
B. docker network create
C. docker create network
D. docker network add
Unattempted
Reference: https://docs.docker.com/network/bridge/#manage-a-user-defined-bridge
https://docs.docker.com/engine/reference/commandline/network_create/
26. Question
What type of network is ingress network?
A. macvlan network
B. overlay network
C. host network
D. bridge network
Unattempted
Reference: https://docs.docker.com/network/overlay/
27. Question
Which of the following is NOT one of the 3 main Docker Container Network Model components?
A. Endpoint
B. Sandbox
C. Routing
D. Network
Unattempted
Reference: https://github.com/docker/libnetwork/blob/master/docs/design.md
28. Question
What is the correct order to upgrade a Docker cluster?
A. Upgrade engine and kernel, DTR, and then UCP
B. Upgrade UCP, DTR, then engine and kernel
C. Upgrade DTR, UCP, then engine and kernel
D. Upgrade engine and kernel, UCP, and then DTR
Unattempted
Reference: https://success.docker.com/article/Upgrade_an_entire_cluster_with_CentOS,_Docker_Engine,_UCP,_and_DTR
29. Question
What is the docker command to add a node to a swarm?
A. docker swarm join
B. docker swarm create-node
C. docker swarm add-node
D. docker join swarm
Unattempted
Reference: rhttps://docs.docker.com/engine/reference/commandline/swarm/#usage
30. Question
Which of the Dockerfile options initializes a new build stage and sets the base image for subsequent instructions?
A. ONBUILD
B. FROM
C. RUN
D. CMD
Unattempted
see Dockerfile reference (https://docs.docker.com/engine/reference/builder/)
31. Question
Which one of the following commands will show a list of volumes for a specific container?
A. 'docker container inspect nginx'
B. 'docker volume logs nginx --containers'
C. 'docker volume inspect nginx'
D. 'docker container logs nginx --volumes'
Unattempted
32. Question
You have deployed a service to swarm. Which command uses the Docker CLI to set the number of tasks of the services to 5? (choose 2)
A. 'docker replica update =5'
B. 'docker service replicas =5'
C. docker update service =5'
D. docker service update --replicas=5 '
E. docker service scale = 5''
Unattempted
33. Question
Which of the following commands will ensure that overlay traffic between service tasks is encrypted?
A. docker network create -d overlay -o encrypted=true
B. docker network create -d overlay --secure
C. docker service create --network --secure
D. docker service create --network --encrypted
Unattempted
34. Question
You have created a Docker bridge network on a host with three containers attached, how do you make this containers accessible outside of
the host?
A. Use --link to access the containers on the bridge network
B. Use either EXPOSE or --publish to access the containers on the bridge network
C. Use network connect to access the containers on the bridge network
D. Use network attach to access the containers on the bridge network
Unattempted
35. Question
Which of the following namespaces is disabled by default and must be enabled at Docker engine runtime in order to be used?
A. net
B. user
C. pid
D. mnt
Unattempted
36. Question
Which of the following commands is used to display system-wide Docker configuration on a host?
A. docker inspect
B. docker system
C. docker info
D. docker status
Unattempted
37. Question
What is the difference between a replicated and a global service?
A. Replicated service can only be deployed on manager node. Global service can be deployed on both manager and worker node.
B. Number of identical tasks can be specified for a replicated service. There is no pre-specified number of tasks for global service.
C. Replicated service runs one task on every node. Global service runs multiple task on every node.
D. Good candidates for replicated service are monitoring agents that you want to run on every node in the swarm. Good candidates for
global service are http servers.
Unattempted
38. Question
What is the purpose of multi-stage builds?
A. Better logical separation of Dockerfile instructions for better readability
B. Faster image builds by allowing parallel execution of Docker builds
C. Better caching when building Docker images
D. Optimizing images by copying artifacts selectively from previous stages
Unattempted
39. Question
What does docker image rm command do?
A. Display detailed information on one or more images
B. Remove one or more images
C. Remove unused images
D. Show the history of an image
Unattempted
40. Question
Which of the following commands will create a swarm service which only listens on port 53 using the UDP protocol?
A. docker service create --name dns-cache -p 53:53 --service udp dns-cache
B. docker service create --name dns-cache -p 53:53 --udp dns-cache
C. docker service create --name dns-cache -p 53:53/udp dns-cache
D. docker service create --name dns-cache -p 53:53 --constraint networking-protocol-udp=true dns-cache
Unattempted
41. Question
The output of which command can be used to find the architecture and operating system an image is compatible with?
A. docker image info
B. docker image inspect --format {{.Architecture}} {{.OS}} '
C. docker image inspect --filter {{.Architecture}} {{.OS}} '
D. docker image ls
Unattempted
42. Question
What docker image prune command does?
A. Remove one or more images
B. Show the history of an image
C. Display detailed information on one or more images
D. Remove unused images
Unattempted
43. Question
A host machine has four CPUs available and two running containers. The sysadmin would like to assign two CPUs to each container. Which of
the following commands achieves this?
A. Set the '--cpuset-cpus' flag of the 'dockerd' process to the value 'even-spread'
B. Set the '--cpu-quota' flag to '1.3' on one container and '2,4' on the other container.
C. Set the '--cpuset-cpus' flag to '.5' on both containers
D. Set the '--cpuset-cpu's flag to '1.3' on one container and '2.4' on the other container.
Unattempted
44. Question
What are the two types of docker swarm services?
A. replicated and local services
B. replicated and global services
C. local and global services
D. distributed and replicated services
Unattempted
45. Question
Which of the following Dockerfile options creates a mount point with the specified name and marks it as holding externally mounted volumes
from native host or other containers?
A. ONBUILD
B. WORKDIR
C. VOLUME
D. RUN
Unattempted
46. Question
What Dockerfile option EXPOSE does?
A. Informs Docker that the container listens on the specified network ports at runtime
B. Label a container that will run as an executable
C. Expose defaults for an executing container
D. Adds metadata to an image
Unattempted
47. Question
Which of the following commands will automatically create a volume when a container is started?
A. docker container run --name nginxtest --volumes=/app nginx'
B. 'docker container run --name nginxtest --volumes myvol:/app:new nginx'
C. docker container run --name nginxtest -v myvol:/app nginx'
D. 'docker container run --name nginxtest -v /app:mount nginx'
Unattempted
48. Question
Which command interactively monitors all container activity in the Docker engine?
A. docker container logs
B. docker system logs
C. docker system events
D. docker container events
Unattempted
49. Question
A server is running low on disk space. What command can be used to check the disk usage of images, containers, and volumes for Docker
engine?
A. 'docker system ps'
B. 'docker system prune'
C. docker system df'
D. 'docker system free'
Unattempted
50. Question
Which of the following is true about using the ‘-P’ option when creating a new container?
A. Docker gives extended privileges to the container.
B. Docker binds each exposed container port to a random port on all the host's interface
C. Docker binds each exposed container port to a random port on a specified host interface
D. Docker binds each exposed container port with the same port on the host
Unattempted
51. Question
An application image runs in multiple environments, and each environment uses different certificates and ports, what is the best practice to
deploy the containers?
A. Create a config file for each environment.
B. Create a Dockerfile for each environment, specifying ports and Docker secrets for certificates.
C. Create images that contain the specific configuration for every environment.
D. Create a Dockerfile for each environment, specifying ports and ENV variables for certificates.
Unattempted
52. Question
Which of the following are types of namespaces used by Docker to provide isolation? (Choose 2.)
A. Network
B. Process ID
C. Storage
D. Authentication
E. Host
Unattempted
53. Question
You have just executed ‘docker swarm leave’ on a node. What command can be run on the same node to confirm it has left the cluster?
A. docker node status
B. docker system info
C. docker system status
D. docker node ls
Unattempted
54. Question
From a DevOps process standpoint, it is best practice to keep changes to an application in version control. Which of the following will allow
changes to a docker Image to be stored in a version control system?
A. A docker-compose.yml file
B. docker save
C. docker commit
D. A dockerfile
Unattempted
55. Question
Which of the following is the docker command to enable autolock on an existing swarm cluster?
A. docker swarm update --autolock=true
B. docker swarm autolock
C. docker swarm --autolock=true
D. docker swarm update --autolock-swarm=true
Unattempted
56. Question
When seven managers are in a swarm cluster how would they be distributed across three datacenters or availability zones?
A. 36953
B. 37012
C. 36983
D. 37317
Unattempted
57. Question
What Dockerfile option LABEL does?
A. Tells Docker how to test a container to check that it is still working
B. Provide defaults for an executing container
C. Label a container that will run as an executable
D. Adds metadata to an image
Unattempted
58. Question
What is the difference between a resource limit and a resource reservation when scheduling services?
A. A resource limit and a resource reservation can be used interchangeably.
B. A resource limit is used to find a host with adequate resources for scheduling a hard limit for your service, while a reservation is hard
limit for your service.
C. A resource limit is hard limit for your service, while a reservation is used to find a host with adequate resources for scheduling.
D. A resource limit is a soft limit for your service, while a reservation is hard limit and the docker engine will do its best to keep your
service at the limit.
Unattempted
59. Question
What service mode is used to deploy a single task of a service to each node?
A. spread
B. universal
C. replicated
D. distributed
E. global
Unattempted
60. Question
Which of the following is NOT how to create an efficient image via a Dockerfile?
A. Combine multiple applications into a single container
B. Start with an appropriate base image
C. Use multi-stage builds
D. Avoid installing unnecessary packages
Unattempted
Use Page numbers below to navigate to other practice tests
Pages:
1
2
3
4
5
6
7
8
9
10
11
12
← Previous Post
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
BROWSE ALL PRACTICE TESTS
REFUND REQUEST
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 11
Your results are here!! for" Docker Certified Associate Practice Set 11 "
0 of 49 questions answered correctly
Your time: 00:00:04
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
85.73%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Answered
Review
1. Question
What is the purpose of a client bundle in the Universal Control Plane?
A. Provide a new user instructions for how to login to the Universal Control Plane
B. Group multiple users in a team in the Universal Control Plane
C. Authenticate a user using client certificates to the Universal Control Plane
25
D. Provide a user with a Docker client binary compatible with the Universal Control Plane
Unattempted
2. Question
Wha is the purpose of Docker Content Trust?
A. Indicating an image on Docker Hub is an official image
B. Enabling mutual TLS between the Docker client and server
C. Docker registry TLS verification and encryption
D. Signing and verification of image tags
Unattempted
3. Question
A container named “analytics” that stores results in a volume called “data” was created. docker run -d –name=analytics -v data:/data app1 How
are the results accessed in “data” with another container called “app2”?
A. docker run -d --name=reports --volumes-from=analytics app2
B. docker run -d --name=reports --volume=data app2
C. docker run -d --name=reports --mount=app1 app2
D. docker run -d --name=reports --volume=app1 app2
Unattempted
4. Question
Which of the following statements is true about secrets?
A. Secret are stored unencrypted on manager nodes.
B. Secrets can be created using standard input (STDIN) and a file.
C. Secrets can be modified after they are created.
D. Secrets can be created from any node in the cluster.
Unattempted
5. Question
What is the function of docker inspect command?
A. To return low-level information on Docker objects
B. To display system-wide information
C. To inspect changes to files or directories on a container's filesystem
D. To manage Docker configs
Unattempted
6. Question
Which of the following constitutes a production-ready devicemapper configuration for the Docker engine?
A. Utilize the '--storage-opt dm.directlvm_device' Docker daemon option, specifying a block device
B. Nothing, devicemapper comes ready for production usage out of the box
C. Create a volume group in devicemapper and utilize the '--dm.thinpooldev' Docker daemon option, specifying the volume group
D. Format a partition with xfs and mount it at '/var/lib/docker'
Unattempted
7. Question
Which of the following is supported by control groups?
A. Limit CPU usage within a container
B. Manage certificates
C. Collect net
D. Isolate processes in a container
Unattempted
8. Question
Following the principle of least privilege, which of the following methods can be used to securely grant access to the specific user to
communicate to a Docker engine? (Choose two.)
A. Utilize the '--host 127.0.0.1:2375' option to the Docker daemon to listen on port 2375 over TCP on localhost
B. Give the user root access to the server to allow them to run Docker commands as root.
C. Add the user to the 'docker' group on the server or specify the groue? with the '--group' Docker daemon option.
D. Utilize openssl to create TLS client and server certificates, configuring the Docker engine to use with mutual TLS over TCP.
E. Utilize the '--host 0.0.0.0:2375' option to the Docker daemon to listen on port 2375 over TCP on all interfaces
Unattempted
9. Question
Which of these swarm manager configurations will cause the cluster to be in a lost quorum state?
A. 5 managers of which 3 are healthy
B. 1 manager of which 1 is healthy
C. 4 managers of which 2 are healthy
D. 3 managers of which 2 are healthy
Unattempted
10. Question
After creating a new service named ‘http’, you notice that the new service is not registering as healthy. How do you view the list of historical
tasks for that service by using the command line?
A. 'docker service ps http'
B. 'docker service inspect http'
C. 'docker inspect http'
D. 'docker ps http'
Unattempted
11. Question
Which of the following is true about overlay networks?
A. Overlay networks are created on all cluster nodes when you create the overlay network.
B. Overlay networks are only created on the manager nodes.
C. Overlay networks are created only on the manager node that you created the overlay networking on.
D. Overlay networks are first created on the manager nodes. Then they are created on the worker nodes once a task is scheduled on the
specific worker node.
Unattempted
12. Question
Each container shares common writeable container layer. True or false?
A. FALSE
B. TRUE
Unattempted
13. Question
In Docker Trusted Registry, how would a user prevent an image, for example ‘nginx:latest’ from being overwritten by another user with push
access to the repository?
A. Remove push access from all other users.
B. Keep a backup copy of the image on another repository.
C. Use the DTR web UI to make the tag immutable.
D. Tag the image with 'nginx:immutable'
Unattempted
14. Question
Which one of the following commands will result in the volume being removed automatically once the container has exited?
A. 'docker run --del -v /foo busybox'
B. 'docker run --read-only -v /foo busybox'
C. 'docker run --remove -v /foo busybox'
D. 'docker run --rm -v /foo busybox'
Unattempted
15. Question
What behavior is expected when a service is created with the following command: ‘docker service create –publish 8080:80 nginx’
A. Only a single node in the cluster will listen on port 80 and forward to port 8080 in the container.
B. All nodes in the cluster will listen on port 8080 and forward to port 80 in the container.
C. All nodes in the cluster will listen on port 80 and forward to port 8080 in the container.
D. Only a single node in the cluster will listen on port 8080 and forward to port 80 in the container.
Unattempted
16. Question
If installing Docker using devicemapper for storage with the Intent to run production workloads, how should devicemapper be configured?
A. loop-lvm
B. direct-lvm
C. aufs-lvm
D. overlay-lvm
Unattempted
17. Question
How do you configure Docker engine to use a registry that is not configured with TLS certificates from a trusted CA?
A. Set INSECURE_REGISTRY in the '/etc/docker/default' configuration file
B. Pass the '--insecure-registry' flag to the daemon at run time
C. Set and export the IGNORE_TLS environment variable on the command line
D. Set IGNORE_TLS in the 'daemon.json' configuration file.
Unattempted
18. Question
Which of the following commands starts a Redis container and configures it to always restart unless it is explicitly stopped or Docker is
restarted?
A. 'docker run -d --restart-policy unless-stopped redis'
B. 'docker run -d --failure omit-stopped redis'
C. 'docker run -d --restart omit-stopped redis'
D. docker run -d --restart unless-stopped redis'
Unattempted
19. Question
The following health check exists in a
Dockerfile: ‘HEALTCHECK CMD curl –fail http://localhost/health || exit 1′
Which of the following describes its purpose?
A. Defines the health check endpoint on the localhost interface for external monitoring tools to monitor the health of the docker engine.
B. Defines the health check for the containerized application so that the application health can be monitored by the Docker engine
C. Defines the action taken when container health fails, which in this case will kill the container with exit status 1
D. Defines the health check endpoint on the local host interface for containers to monitor the health of the docker engine
Unattempted
20. Question
Which of the following modes can be used for service discovery of a Docker swarm service (Pick 2 correct answers)
A. Network Address Translation(NAT) with --endpoint-mode nat
B. Ingress with --endpoint-mode ingress
C. Overlay with --endpoint-mode overlay
D. DNS Round-Robin with --endpoint-mode dnsrr
E. Virtual IP (VIP) with --endpoint-mode vip
Unattempted
21. Question
Which of the following is the correct command to tag an image?
A. docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
B. docker tag image SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
C. docker tag TARGET_IMAGE[:TAG] SOURCE_IMAGE[:TAG]
D. docker build tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
Unattempted
22. Question
A service ‘wordpress’ is running using a password string to connect to a non-Dockerized database service. The password string is passed into
the ‘wordpress’ service as a Docker secret. Per security policy, the password on the database was changed. Identity the correct sequence of
steps to rotate the secret from the old password to the new password.
A. Create a new docker secret with the new password. Trigger a rolling secret update by using the 'docker secret update' command
B. Create a new docker secret with the new password. Remove the existing service using 'docker service rm'. Start a new service with
the new secret using "--secret="
C. Create a new docker secret with a new password. Trigger a rolling update of the "wordpress" service, by using "-- secret-rm" & "--
secret-add" to remove the old secret and add the updated secret.
D. Trigger an update to the service by using 'docker service update --secret='
Unattempted
23. Question
Docker image is built up from a series of layers and each layer represents an instruction in the image’s Dockerfile. True or false?
A. TRUE
B. FALSE
Unattempted
24. Question
Which statement is true?
A. CMD is used to run the software is the image along with any arguments
B. CMD shell format uses this form ["param", param", "param"]
C. ENTRYPOINT cannot be overriden in the "docker container run" command
D. ENTRYPOINT cannot be used in conjuction with CMD
Unattempted
25. Question
A docker service ‘web’ is running with a scale factor of 1 (replicas = 1). Bob intends to use the command ‘docker service update –replicas=3
web’. Alice intends to use the command ‘docker service scale web=3’. How do the outcomes oft these two commands differ?
A. Both Bob's and Alice's commands result in exactly the same outcome, which is 3 instances of the 'web' service.
B. Bob's command updates the number of replicas of the 'web' service to 3. Alice's command results in an error.
C. Bob's command only updates the service definition, but no new replicas are started. Alice's command results in the actual scaling up
of the 'web' service.
D. Bob's command results in an error. Alice's command updates the number of replicas of the 'web' service to 3.
Unattempted
26. Question
A user is having problems running Docker. Which of the following will start Docker in debug mode?
A. Start the 'dockerd' process manually with the '--logging' flag set to debug
B. Start the 'dockerd' process manually with the '--raw-logs' flag set to debug
C. Set the debug key to true in the 'daemon.json' file.
D. Set the logging key to debug in the 'daemon.json' file.
Unattempted
27. Question
Dockerfile option EXPOSE publish the port to external systems. True or false?
A. FALSE
B. TRUE
Unattempted
28. Question
Which statement is true about DTR garbage collection?
A. Garbage collection removes unused volumes from cluster nodes
B. Garbage collection removes exited containers from cluster nodes.
C. Garbage collection removes unreferenced image layers from DTR's backend storage.
D. Garbage collection removes DTR images that are older than a configurable of days
Unattempted
29. Question
Which of the following is required to install Docker EE from a package repository?
A. License key obtained from Docker Hub
B. License key obtained from Docker Store
C. Repository URL obtained from Docker Hub
D. Repository URL obtained from Docker Store
Unattempted
30. Question
Which flag for a service would allow a container to consume more than 2 GB of memory only when there is no memory contention but would
also prevent a container from consuming more than 4GB of memory, in any case?
A. --limit-memory 2GB --reserve-memory 4GB
B. --memory-swap 4GB --limit-memory 2GB
C. --memory-swap 2GB --limit-memory 4GB
D. --limit-memory 4GB --reserve-memory 2GB
Unattempted
31. Question
What is the recommended way to configure the daemon flags and environment variables for your Docker daemon in a platform independent
way?
A. Set the configuration DOCKER_OPTS in '/etc/default/docker'
B. Set the configuration options in '/etc/docker/daemon.json'
C. Using 'docker config' to set the configuration options.
D. Set the configuration options using the ENV variable
Unattempted
32. Question
You can monitor the status of UCP by using the web UI or the CLI. True or false?
A. FALSE
B. TRUE
Unattempted
33. Question
Which of the following is the correct command to store an image to a registry?
A. docker commit [OPTIONS] NAME[:TAG]
B. docker store [OPTIONS] NAME[:TAG]
C. docker push [OPTIONS] NAME[:TAG]
D. docker upload [OPTIONS] NAME[:TAG]
Unattempted
34. Question
Which of the following is NOT a valid way to tag a Docker image?
A. Tag an image referenced by image ID
B. Tag an image referenced by Name
C. Tag an image referenced by Name and Tag
D. Tag an image referenced by user ID
Unattempted
35. Question
What is the default format of docker inspect output?
A. xml
B. html
C. yaml
D. json
Unattempted
36. Question
Which set of commands can identify the publishd port(s) for a container? (Choose 1.)
A. 'docker info','docker network inspect'
B. 'docker port inspect', 'docker container inspect'
C. 'docker network inspect','docker port'
D. docker container inspect', docker port'
Unattempted
37. Question
Which of the following is NOT backed up when performing a Docker Trusted backup operation?
A. Access control to repos and images
B. DTR configurations
C. Image blobs
D. Repository metadata
Unattempted
38. Question
What is the difference between the ADD and COPY dockerfile instructions? (choosen 2)
A. ADD supports regular expression handling while COPY does not.
B. ADD supports compression format handling while COPY does not.
C. ADD support remote URL handling while COPY does not.
D. COPY supports compression format handling while ADD does not.
E. COPY supports regular expression handling while ADD does not.
Unattempted
39. Question
What is one way of directly transferring a Docker Image from one Docker host in another?
A. docker save' the image to save it as TAR file and copy it over to the target host. Then use 'docker load' to un-TAR the image back as a
Docker image.
B. There is no way of directly transferring Docker images between hosts. A Docker Registry must be used ad an intermediary.
C. 'docker commit' to save the image outside of the Docker filesystem. Then transfer the file over to the target host and 'docker start' to
start the container again.
D. 'docker push' the image to the IP address of the target host.
Unattempted
40. Question
Which of the following statements is incorrect?
A. The column 'size' of docker ps -s output shows the amount of data that is used for the writable layer of each container.
B. The column 'virtual size' of docker ps -s output shows the amount of data used for the read-only image data used by the container plus
the container's writable layer 'size'.
C. When a container is deleted, the writable layer is persisted.
D. Copy-on-write is a Docker strategy of sharing and copying files for maximum efficiency.
Unattempted
41. Question
What is the image storage solution that is part of Docker Enterprise Edition called?
A. Docker Trusted Registry
B. Universal Control Plane
C. Docker Hub
D. Docker Registry
Unattempted
42. Question
What is the docker command to remove one or more images?
A. docker image rm
B. docker image delete
C. docker delete
D. docker remove
Unattempted
43. Question
When using the Docker client to push an image to a registry, what environment variable is used to instruct the client to perform signing of the
image?
A. NOTARY_ENABLE=1
B. DOCKER_PUSH_SIGN=1
C. DOCKER_IMAGE_SIGN=1
D. DOCKER_CONTENT_TRUST=1
Unattempted
44. Question
What is the docker command for displaying layers of a Docker image?
A. docker info
B. docker layers
C. docker image layers
D. docker history
Unattempted
45. Question
What is used by the kernel to Isolate resources when running Docker containers?
A. Namespaces
B. Overlay networks
C. Volumes
D. Control groups (also know as cgroups)
Unattempted
46. Question
Which of the following docker image commands display detailed information on one or more images?
A. docker image detail
B. docker image history
C. docker image inspect?
D. docker image ls
Unattempted
47. Question
Which of the Dockerfile options executes any commands in a new layer on top of the current image and commit the results?
A. ONBUILD
B. CMD
C. RUN
D. FROM
Unattempted
48. Question
What is the docker command to pull an image or a repository from a registry?
A. docker deploy
B. docker build
C. docker checkout
D. docker pull
Unattempted
49. Question
Docker security scan can be started by all users including those with read-only access. True or false?
A. FALSE
B. TRUE
Unattempted
Use Last Page number to navigate to Master Cheat Sheet
Pages:
1
2
3
4
5
6
7
8
9
10
11
12
← Previous Post
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
REFUND REQUEST
BROWSE ALL PRACTICE TESTS
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Docker Certified Associate Full Practice Tests
Total Questions: 682 – 11 Mock Exams & 1 Master Cheat Sheet
Practice Set 1
Your results are here!! for" Docker Certified Associate Practice Set 1 "
0 of 65 questions answered correctly
Your time: 00:00:02
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
74.88%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Answered
1. Question
Review
Which of the following flags is used to publish containers port(s) on an existing service in the swarm?
-p
--publish-add
--publish
--publish-all
Unattempted
You can change almost everything about an existing service using the docker service update command.
When creating a service, use the -p or –publish flag.
When updating an existing service, use the flag is –publish-add. There is also a –publish-rm flag to remove a port that was previously
published.
https://docs.docker.com/engine/reference/commandline/service_update/#add-or-remove-published-service-ports
2. Question
Which of the following units of the swarm can instruct a worker node to run a task?
Dispatcher
Scheduler
Orchestrator
Allocator
Unattempted
Tasks and scheduling
A task is the atomic unit of scheduling within a swarm. When you declare a desired service state by creating or updating a service, the
orchestrator realizes the desired state by scheduling tasks.
For instance, you define a service that instructs the orchestrator to keep three instances of an HTTP listener running at all times. The
orchestrator responds by creating three tasks. Each task is a slot that the scheduler fills by spawning a container.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/#tasks-and-scheduling
3. Question
You have been asked to backup the swarm state on a Linux installation. By default, where can you find the swarm state and logs stored on the
manager nodes?
/etc/docker/swarm
/run/docker/swarm
/var/run/docker/swarm
/var/lib/docker/swarm
Unattempted
Docker manager nodes store the swarm state and manager logs in the /var/lib/docker/swarm/ directory.
Usually, on Linux distributions:
“/etc” is used for configurations (.conf files etc). here you find all the configs and settings for your system.
“/var” is usually used for log files, ‘temporary’ files (like mail spool, printer spool, etc), databases, and all other data not tied to a specific user.
Logs are usually in “/var/log”, databases in “/var/lib” (mysql – “/var/lib/mysql”), etc.
https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4. Question
You have just executed docker swarm leave on a node. What command can you run on the same node to confirm it has left the cluster?
docker system status
docker node status
docker node ls
docker node inspect self
Unattempted
docker node inspect self –pretty
You can run docker node inspect on a manager node to view the details for an individual node. The output defaults to JSON format, but you
can pass the –pretty flag to print the results in human-readable format.
https://docs.docker.com/engine/swarm/manage-nodes/#inspect-an-individual-node
docker node ls [OPTIONS]
Lists all the nodes that the Docker Swarm manager knows about. This is a cluster management command and must be executed on a swarm
manager node. To learn about managers and workers, refer to the Swarm mode section in the documentation.
https://docs.docker.com/engine/reference/commandline/node_ls/
5. Question
Bob has an application that consists of multiple different services that interact with one another. What should he use to manage his services in
a Docker Swarm?
Bob should use a service with multiple tasks.
Bob should use a task.
Bob should use a stack.
Bob should use docker-compose.
Unattempted
Swarm never creates individual containers. Instead, all Swarm workloads are scheduled as services, which are scalable groups of containers.
Each of the services has a certain number of replicas or tasks.
A stack is used to describe a collection of swarm services that are related, most probably because they are part of the same application.
In that sense, we could also say that a stack describes an application that consists of one to many services that we want to run on the
swarm.
https://docs.docker.com/get-started/swarm-deploy/#describe-apps-using-stack-files
6. Question
Which flags for a service would allow a container to consume more than 2 GB of memory only when there is no memory contention but would
also prevent a container from consuming more than 4GB of memory in any other case?
--memory-swap 4GB --limit-memory 2GB
--memory-swap 2GB --limit-memory 4GB
--memory 4GB --memory-reservation 2GB
--limit-memory 2GB --reserve-memory 4GB
Unattempted
Memory reservation is a kind of memory soft limit that allows for greater sharing of memory. Under normal circumstances, containers can
use as much of the memory as needed and are constrained only by the hard limits set with the -m/–memory option.
When memory reservation is set, Docker detects memory contention or low memory and forces containers to restrict their consumption to a
reservation limit.
To set the maximum amount of memory the container can use one of the following.
-m or –memory=
To specify a soft limit which is activated when Docker detects contention or low memory on the host machine use the following flag:–
memory-reservation
If you use –memory-reservation, it must be set lower than –memory for it to take precedence. Because it is a soft limit, it does not
guarantee that the container doesn’t exceed the limit.
https://docs.docker.com/config/containers/resource_constraints/#memory
https://docs.docker.com/engine/reference/run/#user-memory-constraints
7. Question
Which of the following are valid fields to instruct the kube-scheduler on how to place each incoming Pod across your cluster? (Select all that
apply)
topologyKey
maxSkew
whenUnsatisfiable
global
Unattempted
You can define one or multiple topologySpreadConstraint to instruct the kube-scheduler on how to place each incoming Pod in relation to the
existing Pods across your cluster. The fields are:
· maxSkew describes the degree to which Pods may be unevenly distributed. It’s the maximum permitted difference between the number of
matching Pods in any two topology domains of a given topology type. It must be greater than zero.
· topologyKey is the key of node labels. If two Nodes are labelled with this key and have identical values for that label, the scheduler treats
both Nodes as being in the same topology. The scheduler tries to place a balanced number of Pods into each topology domain.
· whenUnsatisfiable indicates how to deal with a Pod if it doesn’t satisfy the spread constraint: DoNotSchedule (default) tells the scheduler
not to schedule it. ScheduleAnyway tells the scheduler to still schedule it while prioritizing nodes that minimize the skew.
· labelSelector is used to find matching Pods. Pods that match this label selector are counted to determine the number of Pods in their
corresponding topology domain. See Label Selectors for more details.
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
8. Question
You want to take a node down for maintenance. Which command will drain a node that has tasks assigned to it?
docker task update drain
docker node update --availability maintenance
docker node update --availability drain
docker service update --availability drain
Unattempted
You can change node availability.
For example, to change a manager node to Drain availability use:
$ docker node update –availability drain node-1
https://docs.docker.com/engine/swarm/manage-nodes/#change-node-availability
This is useful when you want to:
· drain a manager node so that only performs swarm management tasks and is unavailable for task assignment.
· drain a node so you can take it down for maintenance.
https://docs.docker.com/engine/swarm/swarm-tutorial/drain-node/
9. Question
What is the swarm unit that determines on which node a task will be scheduled?
Allocator
Orchestrator
Scheduler
Dispatcher
Unattempted
To deploy your application to a swarm, you submit a service definition to a manager node. The manager node dispatches units of work
called tasks to worker nodes.
https://docs.docker.com/engine/swarm/key-concepts/#nodes
10. Question
What is the purpose of a ConfigMap in Kubernetes?
To store confidential data in key-value pairs.
To keep all configurations in one place.
None of the answers is true.
To decouple environment-specific configuration from your application.
Unattempted
A ConfigMap is an API object used to store non-confidential data in key-value pairs. Pods can consume ConfigMaps as environment
variables, command-line arguments, or as configuration files in a volume.
A ConfigMap allows you to decouple environment-specific configuration from your container images, so that your applications are easily
portable.
Use a ConfigMap for setting configuration data separately from the application code.
For example, imagine that you are developing an application that you can run on your own computer (for development) and in the cloud (to
handle real traffic). You write the code to look in an environment variable named DATABASE_HOST. Locally, you set that variable to
localhost. In the cloud, you set it to refer to a Kubernetes Service that exposes the database component to your cluster.
https://kubernetes.io/docs/concepts/configuration/configmap/#motivation
11. Question
Which of the following mechanisms can you use to place services evenly on appropriate nodes in a swarm cluster?
Replicated Mode
Placement Constraint
Placement Preference
Routing Mesh
Unattempted
While placement constraints limit the nodes a service can run on, placement preferences try to place tasks on appropriate nodes in an
algorithmic way (currently, only spread evenly). For instance, if you assign each node a rack label, you can set a placement preference to
spread the service evenly across nodes with the rack label, by value. This way, if you lose a rack, the service is still running on nodes on other
racks.
Placement preferences are not strictly enforced. If no node has the label you specify in your preference, the service is deployed as though
the preference was not set.
https://docs.docker.com/engine/swarm/services/#control-service-placement
12. Question
Which of the following commands will ensure that a container uses a maximum of 1 GB of active memory?
docker run --memory-swap 2G --memory-reservation 1G
docker run --memory-reservation 1G nginx
docker run --memory-swap 1G nginx
docker run --memory 1G nginx
Unattempted
To set the maximum amount of memory the container can use one of the following flags
-m or –memory= or –memory
Possible values can take a positive integer, followed by a suffix of b, k, m, g to indicate bytes, kilobytes, megabytes, or gigabytes.
https://docs.docker.com/config/containers/resource_constraints/#memory
13. Question
Which swarm unit is in charge to pass a task to its corresponding node using the HTTP request/response protocol?
Dispatcher
Orchestrator
Scheduler
Allocator
Unattempted
Tasks and scheduling
A task is the atomic unit of scheduling within a swarm. When you declare a desired service state by creating or updating a service via HTTP
API endpoints, the orchestrator realizes the desired state by scheduling tasks.
For instance, you define a service that instructs the orchestrator to keep three instances of an HTTP listener running at all times.
The orchestrator responds by creating three tasks. Each task is a slot that the scheduler fills by spawning a container.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/#tasks-and-scheduling
14. Question
Which availability mode needs to be set on a node when you need to perform maintenance on a node?
OFFLINE
MAINTENANCE
DRAIN
EVACUATE
Unattempted
Sometimes, such as planned maintenance times, you need to set a node to DRAIN availability.
DRAIN availability prevents a node from receiving new tasks from the swarm manager.
It also means the manager stops tasks running on the node and launches replica tasks on a node with ACTIVE availability.
https://docs.docker.com/engine/swarm/swarm-tutorial/drain-node/
15. Question
What kind of resource should you use when creating Pods that are expected to terminate, such as batch computations?
Deployment
Job
DaemonSet
StatefulSet
Unattempted
There are different kinds of resources for creating Pods:
· Use a Deployment, ReplicaSet or StatefulSet for Pods that are not expected to terminate, for example, web servers.
· Use a Job for Pods that are expected to terminate once their work is complete; for example, batch computations. Jobs are appropriate only
for Pods with restartPolicy equal to OnFailure or Never.
· Use a DaemonSet for Pods that need to run one per eligible node.
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-lifetime
16. Question
What is the recommended mechanism to deploy containerized applications in Kubernetes?
Pods
None of the answers.
ReplicaSets
Deployments
Unattempted
Don’t use naked Pods (that is, Pods not bound to a ReplicaSet or Deployment) if you can avoid it. Naked Pods will not be rescheduled in the
event of a node failure.
A Deployment, which both creates a ReplicaSet to ensure that the desired number of Pods is always available and specifies a strategy to
replace Pods (such as RollingUpdate), is almost always preferable to creating Pods directly, except for some explicit restartPolicy: Never
scenarios. A Job may also be appropriate.
https://kubernetes.io/docs/concepts/configuration/overview/#naked-pods-vs-replicasets-deployments-and-jobs
A ReplicaSet ensures that a specified number of pod replicas are running at any given time. However, a Deployment is a higher-level concept
that manages ReplicaSets and provides declarative updates to Pods along with a lot of other useful features. Therefore, we recommend
using Deployments instead of directly using ReplicaSets, unless you require custom update orchestration or don’t require updates at all.
This actually means that you may never need to manipulate ReplicaSet objects: use a Deployment instead, and define your application in the
spec section.
https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#when-to-use-a-replicaset
17. Question
Which of the following scenarios will cause a swarm cluster to be in a lost quorum state?
4 managers of which 2 are healthy.
3 managers of which 2 are healthy.
1 manager of which 1 is healthy.
5 managers of which 3 are healthy.
Unattempted
In a swarm of N managers, a quorum (a majority) of manager nodes must always be available. For example, in a swarm with five managers,
a minimum of three must be operational and in communication with each other. In other words, the swarm can tolerate up to (N1)/2 permanent failures beyond which requests involving swarm management cannot be processed.
An odd number of managers is recommended because the next even number does not make the quorum easier to keep. For instance,
whether you have 3 or 4 managers, you can still only lose 1 manager and maintain the quorum. If you have 5 or 6 managers, you can still
only lose two.
https://docs.docker.com/engine/swarm/admin_guide/#maintain-the-quorum-of-managers
18. Question
What is the difference between a replicated service and a global service?
Replicated service runs one task on every node. Global service runs multiple task on every node
Replicated service can only be deployed on manager node. Global service can be deployed on both manager and worker node
A number of tasks can be specified for a replicated service. There is no pre-specified number of tasks for global service
Good candidates for replicated service are monitoring agents that you want to run on every node in the swarm. Good candidates for
global service are http servers.
Unattempted
REPLICATED OR GLOBAL SERVICES
Swarm mode has two types of services: replicated and global. For replicated services, you specify the number of replica tasks for the swarm
manager to schedule onto available nodes. For global services, the scheduler places one task on each available node that meets the service’s
placement constraints and resource requirements.
You control the type of service using the –mode flag. If you don’t specify a mode, the service defaults to replicated.
https://docs.docker.com/engine/swarm/services/#replicated-or-global-services
19. Question
Which of the following options allow you to scale an app? (select two)
Enable autoscaling
Change the replicas value in the docker-compose.yml file
Execute the 'docker stack deploy' command
Setting the app to the global mode.
Unattempted
Using either docker-compose.yml or a stack.
If the service is replicated (which is the default), specify the number of containers that should be running at any given time in the yml file.
https://docs.docker.com/compose/compose-file/
version: “3.8”
services:
worker:
image: dockersamples/worker
deploy:
mode: replicated
replicas: 6
20. Question
What docker command can you use to add or update a node label?
docker node update --set-label
docker node add --label
docker node update --label-add
docker node modify --set-label
Unattempted
To update metadata about a node, such as its availability, labels, or roles use:
docker node update [OPTIONS] NODE
To add or update a node label (key=value) use:
docker node update –label-add NODE
https://docs.docker.com/engine/reference/commandline/node_update/
21. Question
Which of the following flags is not supported by docker service create command?
-t
-l
-p
-v
Unattempted
The following flags are supported by docker service create command:
–label , -l
Service labels in order to set metadata on a service.
–publish , -p
Publish a port as a node port
–tty , -t
Allocate a pseudo-TTY
docker service command does not support -v or –volume flags. Instead the –mount flag is used when creating the service, or –mount-add
when updating the service.
The type of mount can be either volume, bind, tmpfs, or npipe. Defaults to volume if no type is specified.
For example:
$ docker service create \
–name my-service \
–replicas 3 \
–mount type=volume,source=my-volume,destination=/path/in/container \
nginx:alpine
Here, for each replica of the service, the engine requests a volume named “my-volume” from the default (“local”) volume driver where the
task is deployed. If the volume does not exist, the engine creates a new volume.
https://docs.docker.com/engine/reference/commandline/service_create/#add-bind-mounts-volumes-or-memory-filesystems
22. Question
What docker command can you use to add a placement preference to an existing service?
docker service update --pref-add
docker service update --placement-pref-add
docker service update --constraint-add
docker service update --placement-constraint-add
Unattempted
While placement constraints limit the nodes a service can run on, placement preferences try to place tasks on appropriate nodes in an
algorithmic way (currently, only spread evenly). For instance, if you assign each node a rack label, you can set a placement preference to
spread the service evenly across nodes with the rack label, by value. This way, if you lose a rack, the service is still running on nodes on other
racks.
Placement preferences are not strictly enforced. If no node has the label you specify in your preference, the service is deployed as though
the preference was not set.
The following example sets a preference to spread the deployment across nodes based on the value of the datacenter label. If some nodes
have datacenter=us-east and others have datacenter=us-west, the service is deployed as evenly as possible across the two sets of nodes.
$ docker service create \
–replicas 9 \
–name redis_2 \
–placement-pref ‘spread=node.labels.datacenter’ \
redis:3.0.6
When updating a service with docker service update, –placement-pref-add appends a new placement preference after all existing placement
preferences. –placement-pref-rm removes an existing placement preference that matches the argument.
In this diagram the containers are first placed by datacenters and then by the rack.
https://docs.docker.com/engine/swarm/services/#control-service-placement
23. Question
Paul has some containerized software that needs to reference the hostname of the node that the software is running on.
Which of the following commands can Paul use to pass the hostname, as an environment variable, into each task in a service?
docker service create -e NODE_HOSTNAME nginx
docker service create --env NODE_HOSTNAME="{?{.Node.Hostname}}" nginx
docker service create --pass-node-hostname=true nginx
docker service create --env NODE_HOSTNAME="{?{Hostname}}" nginx
Unattempted
To set environment variables use -e or –env flags:
For example, this sets an environment variable for all tasks in a service:
$ docker service create \
–name redis_2 \
–replicas 5 \
–env MYVAR=foo \
redis:3.0.6
Alternatively, you can use templates for some flags of service create, using the syntax provided by the Go’s text/template package.
The supported flags are the following :
–hostname
–mount
–env
Valid placeholders for the Go template are listed below:
Placeholder
Description
.Service.Name
Service name
.Service.ID
Service ID
.Service.Labels
Service labels
.Node.Hostname
Node Hostname
.Task.Name
Task name
.Node.ID
.Task.ID
.Task.Slot
Node ID
Task ID
Task slot
For example, we are going to set the template of the created containers based on the service’s name, the node’s ID, and the hostname
where it sits.
$ docker service create \
–name hosttempl \
–env=”{{.Node.ID}}”\
–hostname=”{{.Node.Hostname}}-{{.Service.Name}}”\
busybox top
https://docs.docker.com/engine/reference/commandline/service_create/#create-services-using-templates
24. Question
What is the default format of the output of the docker inspect command?
json
xml
html
yaml
Unattempted
Docker inspect provides detailed information on constructs controlled by Docker.
By default, docker inspect will render results in a JSON array.
https://docs.docker.com/engine/reference/commandline/inspect/
25. Question
In which of the following cases you need to define a readiness probe on a Kubernetes Pod template definition? (Select all that apply)
If you want your Container to be able to take itself down for maintenance.
If you want to start sending traffic to a Pod only when a probe succeeds.
If your Container needs to work on loading large data during startup.
If you want to be able to drain requests when the Pod is deleted.
Unattempted
If you’d like to start sending traffic to a Pod only when a probe succeeds, specify a readiness probe. In this case, the readiness probe might
be the same as the liveness probe, but the existence of the readiness probe in the spec means that the Pod will start without receiving any
traffic and only start receiving traffic after the probe starts succeeding. If your Container needs to work on loading large data, configuration
files, or migrations during startup, specify a readiness probe.
If you want your Container to be able to take itself down for maintenance, you can specify a readiness probe that checks an endpoint specific
to readiness that is different from the liveness probe.
Note that if you just want to be able to drain requests when the Pod is deleted, you do not necessarily need a readiness probe; on deletion,
the Pod automatically puts itself into an unready state regardless of whether the readiness probe exists. The Pod remains in the unready
state while it waits for the Containers in the Pod to stop.
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#when-should-you-use-a-readiness-probe
26. Question
You have received a docker service inspect report that appears to be formatted as one big json. What option can you use in order to clean up
the format into something more readable?
--human
--pretty
--readable
--format="{?{.Structure.To.Review}}"
Unattempted
You can print the inspect output in a human-readable format instead of the default JSON output, by using the –pretty option.
https://docs.docker.com/engine/reference/commandline/service_inspect/#formatting
27. Question
Which of the following commands can you use to list the tasks of one or more services in swarm?
docker service ls
docker ps
docker services
docker service ps
Unattempted
To list the tasks that are running as part of the specified services use:
docker service ps [OPTIONS] SERVICE [SERVICE…]
https://docs.docker.com/engine/reference/commandline/service_ps/
28. Question
Which constraint role you use if you want to restrict a service to be scheduled only on the worker nodes in the Swarm cluster?
node.role == worker
swarm.role == worker
node.role != worker
swarm.role != manager
Unattempted
By default, swarm services can run on any node in the cluster. If you choose to constrain where services run, please note the following
examples.
To ensure a service runs on worker nodes rather than managers, use a node.role constraint in the service definition. For example:
docker service create \
–name nginx-workers-only \
–constraint node.role==worker \
nginx
https://success.docker.com/article/using-contraints-and-labels-to-control-the-placement-of-containers
Constraint expressions can either use a match (==) or exclude (!=) rule. Multiple constraints find nodes that satisfy every expression (AND
match).
https://docs.docker.com/engine/reference/commandline/service_create/#specify-service-constraints—constraint
29. Question
Which of the following is not a configuration option you can use when creating a docker service?
--network
--mount
--secret
--volume
Unattempted
When you create a service, you define its optimal state, that is, a number of replicas, network and storage resources available to it, ports the
service exposed to the outside world, and more).
https://docs.docker.com/engine/swarm/key-concepts/#what-is-a-swarm
–secret Specify secrets to expose to the service
–network Network attachments
–mount Attach a filesystem mount to the service
DIFFERENCES BETWEEN “–MOUNT” AND “–VOLUME”
The –mount flag supports most options that are supported by the -v or –volume flag for docker run, with some important exceptions:
Here all available configuration options when creating a service.
https://docs.docker.com/engine/reference/commandline/service_create/
30. Question
In which of the following scenarios might services remain in a pending state?
All nodes are paused or drained
The amount of memory reserved for a service cannot be satisfied
When imposed placement constraints cannot be honored
All of the scenarios are valid
Unattempted
Here are a few examples of when a service might remain in state pending.
· If all nodes are paused or drained, and you create a service, it is pending until a node becomes available. In reality, the first node to become
available gets all of the tasks, so this is not a good thing to do in a production environment.
· You can reserve a specific amount of memory for a service. If no node in the swarm has the required amount of memory, the service
remains in a pending state until a node is available which can run its tasks. If you specify a very large value, such as 500 GB, the task stays
pending forever, unless you really have a node which can satisfy it.
· You can impose placement constraints on the service, and the constraints may not be able to be honored at a given time.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/#pending-services
31. Question
What kind of format is used for the output when the –pretty flag is not specified for the docker service inspect command?
json
yaml
txt
xml
Unattempted
You can print the inspect output in a human-readable format instead of the default JSON output, by using the –pretty option:
docker service inspect –pretty serviceName
https://docs.docker.com/engine/reference/commandline/service_inspect/#formatting
32. Question
When there are seven managers in a swarm cluster, how would they be distributed across three datacenters or availability zones?
3/2/2002
5/1/2001
4/2/2001
3/3/2001
Unattempted
Distribute manager nodes
In addition to maintaining an odd number of manager nodes, pay attention to datacenter topology when placing managers.
For optimal fault-tolerance, distribute manager nodes across a minimum of 3 availability-zones to support failures of an entire set of
machines or common maintenance scenarios.
If you suffer a failure in any of those zones, the swarm should maintain the quorum of manager nodes available to process requests and
rebalance workloads.
Swarm manager nodes
Repartition (on 3 Availability zones)
5
2-2-1
3
7
1-1-1
3-2-2
9
3-3-3
https://docs.docker.com/engine/swarm/admin_guide/#distribute-manager-nodes
33. Question
Which of the following is the correct order of steps taken when creating a service process in swarm mode?
docker API > orchestrator > allocator > dispatcher > scheduler
docker API > allocator > scheduler > dispatcher > orchestrator
docker API > scheduler > allocator > dispatcher > orchestrator
docker API > orchestrator > dispatcher > allocator > orchestrator
Unattempted
Tasks and scheduling
34. Question
Which of the following commands can you use to pretty-print the containers IDs, names, and statuses in tabular form?
docker ps --format "table {{.ID}}\t {{.Names}}\t {{.Status}}"
docker ps -format table {?{.ID}} {?{.Names}} {?{.Status}}
docker ps --format {?{.ID}} {?{.Names}} {?{.Status}}
docker ps --format table {?{.ID}} {?{.Names}} {?{.Status}}
Unattempted
Formatting
The formatting option –format pretty-prints container output using a Go template.
When using the –format option, the ps command will either output the data exactly as the template declares or, when using the table
directive, includes column headers as well.
https://docs.docker.com/engine/reference/commandline/ps/#formatting
The following example uses a template without headers and outputs the ID, name and status entries separated by a colon (:) for all running
containers.
Use “\t” for extra space between columns.
35. Question
Which of the following are valid ways to reference a secret from a Pod? (Select all that apply)
As ConfigMaps.
By the kubelet when pulling images for the Pod.
As files in a volume mounted on one or more of its containers.
As container environment variable.
Unattempted
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise
be put in a Pod specification or in an image. Users can create secrets and the system also creates some secrets.
To use a secret, a Pod needs to reference the secret. A secret can be used with a Pod in three ways:
· As files in a volume mounted on one or more of its containers.
· As container environment variable.
· By the kubelet when pulling images for the Pod.
https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets
36. Question
What docker command can you use to add or update a mount on an existing service?
docker service --add-update-mount
docker service update --mount-add
docker service set --add-update-mount
docker service --mount-volume
Unattempted
When you start a service and define a volume, each service container uses its own local volume. None of the containers can share this data if
you use the local volume driver, but some volume drivers do support shared storage.
The following example starts a nginx service with four replicas, each of which uses a local volume called myvol2.
$ docker service create -d \
–replicas=4 \
–name devtest-service \
–mount source=myvol2,target=/app \
nginx:latest
https://docs.docker.com/storage/volumes/#start-a-service-with-volumes
To update a service to add or update a mount on a service use:
$ docker service update –mount-add SERVICE
https://docs.docker.com/engine/reference/commandline/service_update/
37. Question
How can you deploy a new service with 4 instances of nginx with a single command?
docker service scale --replicas 4 --name myservice nginx
docker service create --replicas 4 --name myservice nginx
docker service scale myservice=4 nginx
docker service create --instances 4 --name myservice nginx
Unattempted
Since the service its newly create we use
docker service create [OPTIONS] IMAGE [COMMAND] [ARG…]
Use the –replicas flag to set the number of replica tasks for a replicated service.
The following command creates a redis service with 5 replica tasks:
$ docker service create –name redis –replicas=5 redis:3.0.6
https://docs.docker.com/engine/reference/commandline/service_create/#create-a-service-with-5-replica-tasks—replicas
38. Question
Which of the following commands can you use to view detailed metadata about a container? (select two)
docker metadata
docker query
docker container inspect
docker inspect
Unattempted
To display detailed information on one or more containers, use:
docker container inspect [OPTIONS] CONTAINER [CONTAINER…]
https://docs.docker.com/engine/reference/commandline/container_inspect/
39. Question
When Docker is running in swarm mode, you can still run standalone containers on any of the Docker hosts participating in the swarm.
TRUE
FALSE
Unattempted
When Docker is running in swarm mode, you can still run standalone containers on any of the Docker hosts participating in the swarm, as
well as swarm services.
A key difference between standalone containers and swarm services is that only swarm managers can manage a swarm, while standalone
containers can be started on any daemon. Docker daemons can participate in a swarm as managers, workers, or both.
One of the key advantages of swarm services over standalone containers is that you can modify a service’s configuration, including the
networks and volumes it is connected to, without the need to manually restart the service. Docker will update the configuration, stop the
service tasks with the out of date configuration, and create new ones matching the desired configuration.
https://docs.docker.com/engine/swarm/key-concepts/
40. Question
By default, a container has no resource constraints and can use as much of a given resource as the host`s kernel scheduler allows.
FALSE
TRUE
Unattempted
By default, a container has no resource constraints and can use as much of a given resource as the host’s kernel scheduler allows. Docker
provides ways to control how much memory, or CPU a container can use, setting runtime configuration flags of the docker run command.
https://docs.docker.com/config/containers/resource_constraints/#memory
41. Question
You want to use a secret as an environment variable in the Pod definition. Where should you place the secret’s name and key?
env[].valueFrom.secretKeyRef
env[].secret
None of the answers is correct.
env[].valueFrom.secret
Unattempted
Using Secrets as environment variables
To use a secret in an environment variable in a Pod:
· Create a secret or use an existing one. Multiple Pods can reference the same secret.
· Modify your Pod definition in each container that you wish to consume the value of a secret key to add an environment variable for each
secret key you wish to consume. The environment variable that consumes the secret key should populate the secret’s name and key in
env[].valueFrom.secretKeyRef.
· Modify your image and/or command line so that the program looks for values in the specified environment variables.
This is an example of a Pod that uses secrets from environment variables:
apiVersion: v1
kind: Pod
metadata:
name: secret-env-pod
spec:
containers:
– name: mycontainer
image: redis
env:
– name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: mysecret
key: username
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables
42. Question
Which of the following statements about swarm services is false?
Services are blocks that are run in a centralized environment.
Services are scalable groups of containers.
A single service runs only one single docker image.
An HTTP server is an example of a service.
Unattempted
To deploy an application image when Docker Engine is in swarm mode, you create a service. Frequently a service is the image for a
microservice within the context of some larger application.
Examples of services might include an HTTP server, a database, or any other type of executable program that you wish to run in
a distributed environment.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/
43. Question
Which of the following scenarios would still allow the quorum to administrate tasks in a swarm cluster? (Choose two)
A 3-node cluster with 1 node down.
A 7-node cluster with 3 nodes down.
A 3-node cluster with 2 nodes down
A 4-node cluster with 2 nodes down.
Unattempted
Maintain the quorum of managers
If the swarm loses the quorum of managers, the swarm cannot perform administrative tasks such as scaling or updating services and joining
or removing nodes from the swarm.
Nevertheless, tasks on existing worker nodes continue to run.
Swarm is resilient to failures and the swarm can recover from any number of temporary node failures (machine reboots or crash with restart)
or other transient errors. However, a swarm cannot automatically recover if it loses a quorum.
In a swarm of N managers, a quorum (a majority) of manager nodes must always be available. For example, in a swarm with five managers,
a minimum of three must be operational and in communication with each other. In other words, the swarm can tolerate up to (N1)/2 permanent failures beyond which requests involving swarm management cannot be processed.
An odd number of managers is recommended because the next even number does not make the quorum easier to keep. For instance,
whether you have 3 or 4 managers, you can still only lose 1 manager and maintain the quorum. If you have 5 or 6 managers, you can still
only lose two.
https://docs.docker.com/engine/swarm/admin_guide/#maintain-the-quorum-of-managers
44. Question
Which of the following commands can you use to restart a docker container automatically, if the container exits due to an error, which
manifests as a non-zero exit code?
docker run --restart no nginx
docker run --restart failure-only nginx
docker run --restart unless-stopped nginx
docker run --restart on-failure nginx
Unattempted
To configure the restart policy for a container, use the –restart flag when using the docker run command. The value of the –restart flag can
be any of the following:
· no – Do not automatically restart the container. (the default)
· on-failure – Restart the container if it exits due to an error, which manifests as a non-zero exit code.
· always – Always restart the container if it stops. If it is manually stopped, it is restarted only when Docker daemon restarts or the container
itself is manually restarted. (See the second bullet listed in restart policy details)
· unless-stopped – Similar to always, except that when the container is stopped (manually or otherwise), it is not restarted even after Docker
daemon restarts.
https://docs.docker.com/config/containers/start-containers-automatically/
45. Question
Which of the following mechanisms can you use to configure services to run only on nodes with a specific metadata set?
Control groups
Placement Preference
Placement Constraints
Routing Mesh
Unattempted
While placement constraints limit the nodes a service can run on, placement preferences try to place tasks on appropriate nodes in an
algorithmic way (currently, only spread evenly). For instance, if you assign each node a rack label, you can set a placement preference to
spread the service evenly across nodes with the rack label, by value.
Placement constraints let you configure the service to run only on nodes with specific (arbitrary) metadata set, and cause the deployment to
fail if appropriate nodes do not exist.
https://docs.docker.com/engine/swarm/services/#control-service-placement
46. Question
Which docker command can you use to set up a swarm?
docker swarm init
docker init swarm
docker swarm create
docker create swarm
Unattempted
The command to initialize a swarm is:
docker swarm init [OPTIONS]
https://docs.docker.com/engine/reference/commandline/swarm_init/
When you run the docker swarm init command to create a swarm, the Docker Engine starts running in swarm mode and it creates a singlenode swarm on the current node.
The Engine sets up the swarm as follows:
· switches the current node into swarm mode.
· creates a swarm named default.
· designates the current node as a leader manager node for the swarm.
· names the node with the machine hostname.
· configures the manager to listen on an active network interface on port 2377.
· sets the current node to Active availability, meaning it can receive tasks from the scheduler.
· starts an internal distributed data store for Engines participating in the swarm to maintain a consistent view of the swarm and all services
running on it.
· by default, generates a self-signed root CA for the swarm.
· by default, generates tokens for worker and manager nodes to join the swarm.
· creates an overlay network named ingress for publishing service ports external to the swarm.
· creates an overlay default IP addresses and subnet mask for your networks
The output for docker swarm init provides the connection command to use when you join new worker nodes to the swarm
https://docs.docker.com/engine/swarm/swarm-mode/#create-a-swarm
47. Question
Which of the following is false about the docker consensus algorithm, Raft?
If a quorum is not reached, the system will not process any more requests to schedule additional tasks
Raft requires a majority or quorum of (N/2) + 1 members
If a quorum is not reached, the existing tasks will keep running
Raft tolerates up to (N-2)/2 failures
Unattempted
When the Docker Engine runs in swarm mode, manager nodes implement the Raft Consensus Algorithm to manage the global cluster state.
Raft requires a majority of managers, also called the quorum, to agree on proposed updates to the swarm, such as node additions or
removals.
https://docs.docker.com/engine/swarm/admin_guide/#operate-manager-nodes-in-a-swarm
If the swarm loses the quorum of managers, the swarm cannot perform administrative tasks such as scaling or updating services and joining
or removing nodes from the swarm.
Nevertheless, tasks on existing worker nodes continue to run.
Raft tolerates up to (N – 1)/2 failures and requires a majority or quorum of (N/2) + 1 members to agree on values proposed to the cluster.
This means that in a cluster of 5 Managers running Raft, if 3 nodes are unavailable, the system cannot process any more requests to
schedule additional tasks. The existing tasks keep running but the scheduler cannot rebalance tasks to cope with failures if the manager set
is not healthy.
https://docs.docker.com/engine/swarm/raft/
48. Question
What is the docker command to set the number of replicas for a service called “web” to 5?
docker service build web=5
docker service increase web=5
docker service scale web=5
docker service replica web=5
Unattempted
Containers running in a service are called “tasks” or “replicas”.
To scale the number of containers in the service you can use one of the following commands.
$ docker service scale =
$ docker service update –replicas=
For example, these commands are equivalent:
$ docker service scale web=5
$ docker service update –replicas=5 web
https://docs.docker.com/engine/swarm/swarm-tutorial/scale-service/
49. Question
Which of the following commands configures a Redis container to always restart unless it is explicitly stopped or Docker is restarted?
docker run -d --restart omit-stopped redis
docker run -d --restart-policy unless-stopped redis
docker run -d --restart unless-stopped redis
docker run -d --failure omit-stopped redis
Unattempted
To configure the restart policy for a container, use the –restart flag when using the docker run command. The value of the –restart flag can
be any of the following:
· no – Do not automatically restart the container. (the default)
· on-failure – Restart the container if it exits due to an error, which manifests as a non-zero exit code.
· always – Always restart the container if it stops. If it is manually stopped, it is restarted only when Docker daemon restarts or the container
itself is manually restarted. (See the second bullet listed in restart policy details)
· unless-stopped – Similar to always, except that when the container is stopped (manually or otherwise), it is not restarted even after Docker
daemon restarts.
https://docs.docker.com/config/containers/start-containers-automatically/
50. Question
What service mode should you use to deploy a single task of a service to each and every node?
Replicated
Spread
Global
Distributed
Universal
Unattempted
REPLICATED OR GLOBAL SERVICES
Swarm mode has two types of services: replicated and global.
For replicated services, you specify the number of replica tasks for the swarm manager to schedule onto available nodes.
For global services, the scheduler places one task on each available node that meets the service’s placement constraints and resource
requirements.
https://docs.docker.com/engine/swarm/services/#replicated-or-global-services
51. Question
What is the purpose of docker inspect command?
To display system-wide information
To return low-level information on Docker objects
To manage Docker configs
To inspect changes to files or directories on a container's filesystem
Unattempted
docker inspect command returns low-level information on Docker objects.
https://docs.docker.com/engine/reference/commandline/inspect/
52. Question
Chris wants to execute an application job using a Docker container. However, occasionally, this job fails and needs to be restarted. Chris
doesn’t want to restart it manually if it fails. Which command should he use to make sure that the container restarts automatically?
docker run --restart on-failure app
docker run --restart failure-only app
docker run --recover-failure app
docker run --restart unless-stopped app
Unattempted
To configure the restart policy for a container, use the –restart flag when using the docker run command. The value of the –restart flag can
be any of the following:
· no – Do not automatically restart the container. (the default)
· on-failure – Restart the container if it exits due to an error, which manifests as a non-zero exit code.
· always – Always restart the container if it stops. If it is manually stopped, it is restarted only when Docker daemon restarts or the container
itself is manually restarted. (See the second bullet listed in restart policy details)
· unless-stopped – Similar to always, except that when the container is stopped (manually or otherwise), it is not restarted even after Docker
daemon restarts.
https://docs.docker.com/config/containers/start-containers-automatically/
53. Question
Which of the following are valid use cases for Kubernetes Deployments? (Select all that apply)
To rollout a ReplicaSet.
Declare a new state of the Pods.
Maintains a sticky identity for each Pod.
Scale up to facilitate more load.
Unattempted
The following are typical use cases for Deployments:
· Create a Deployment to rollout a ReplicaSet. The ReplicaSet creates Pods in the background. Check the status of the rollout to see if it
succeeds or not.
· Declare the new state of the Pods by updating the PodTemplateSpec of the Deployment. A new ReplicaSet is created and the Deployment
manages moving the Pods from the old ReplicaSet to the new one at a controlled rate. Each new ReplicaSet updates the revision of the
Deployment.
· Rollback to an earlier Deployment revision if the current state of the Deployment is not stable. Each rollback updates the revision of the
Deployment.
· Scale up the Deployment to facilitate more load.
· Pause the Deployment to apply multiple fixes to its PodTemplateSpec and then resume it to start a new rollout.
· Use the status of the Deployment as an indicator that a rollout has stuck.
· Clean up older ReplicaSets that you don’t need anymore.
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#use-case
Like a Deployment, a StatefulSet manages Pods that are based on an identical container spec. Unlike a Deployment, a StatefulSet maintains
a sticky identity for each of their Pods. These pods are created from the same spec, but are not interchangeable: each has a persistent
identifier that it maintains across any rescheduling.
https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
54. Question
What docker command can you use to add a network to an existing service?
docker service modify --add-network
docker service set --add-network
docker service update --network-add
docker service add-network
Unattempted
You can change almost everything about an existing service using the docker service update command.
Use the –network-add or –network-rm flags to add or remove a network for a service.
Assuming that the my_web service from the previous section still exists, use the following command to add a network:
$ docker service update –network-add
https://docs.docker.com/engine/reference/commandline/service_update/#add-or-remove-network
55. Question
Without the quorum, administrative tasks are not possible, including scaling or updating services and joining or removing nodes from the
swarm.
FALSE
TRUE
Unattempted
Maintain the quorum of managers
If the swarm loses the quorum of managers, the swarm cannot perform administrative tasks such
as scaling or updating services and joining or removing nodes from the swarm.
Nevertheless, tasks on existing worker nodes continue to run.
https://docs.docker.com/engine/swarm/admin_guide/#maintain-the-quorum-of-managers
56. Question
When a container starts, it can be connected to multiple networks using –network. True or false?
FALSE
TRUE
Unattempted
Containers can join multiple networks that allow you to provide fine-grained network policy for connectivity and isolation.
By default, a container will be created with one network attached. If no network is specified then this will be the default docker0 network.
After the container has been created more networks can be attached to a container using the docker network connect command.
Docker only allows a single network to be specified with the docker run command. To connect multiple networks docker network connect is
used to connect additional networks.
https://success.docker.com/article/multiple-docker-networks
57. Question
What is the docker command to update an existing service?
docker service config
docker service modify
docker service update
docker service change
Unattempted
To update a service use:
docker service update [OPTIONS] SERVICE
https://docs.docker.com/engine/reference/commandline/service_update/
58. Question
In which state are service’s tasks initialized?
NEW
STARTING
PENDING
INIT
Unattempted
Tasks advance through a number of states until they complete or fail.
Tasks are initialized in the NEW state.
The task progresses forward through a number of states, and its state doesn’t go backward. For example, a task never goes from
COMPLETE to RUNNING.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/swarm-task-states/
59. Question
A task is a unidirectional mechanism. True or False?
TRUE
FALSE
Unattempted
A task is a one-directional mechanism.
This means that it progresses monotonically through a series of states: assigned, prepared, running, etc. If the task fails the orchestrator
removes the task and its container and then creates a new task to replace it according to the desired state specified by the service.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/#tasks-and-scheduling
60. Question
Which of the following is not a supported orchestrator in Docker EE?
Swarmkit
Minikube
Kubernetes
Docker Swarm
Unattempted
Choosing your orchestrator
Docker Enterprise provides access to the full API sets of three popular orchestrators:
· Kubernetes: full YAML object support
· SwarmKit: Service-centric, Compose file version 3
· “Classic” Swarm: Container-centric, Compose file version 2
Docker Enterprise proxies the underlying API of each orchestrator, giving you access to all of the capabilities of each orchestrator, along with
the benefits of Docker Enterprise, like role-based access control and Docker Content Trust.
61. Question
What is the limitation of docker service scale command in swarm mode?
All answers are true.
It can only scale one service at a time.
It can only be applied on replicated services.
It can only scale UP the service.
Unattempted
The scale command enables you to scale one or more replicated services either up or down to the desired number of replicas.
This command cannot be applied to services which are global services.
The following command tries to scale a global service to 10 tasks and returns an error.
$ docker service create –mode global –name backend backend:latest
b4g08uwuairexjub6ome6usqh
$ docker service scale backend=10
backend: scale can only be used with replicated mode
https://docs.docker.com/engine/reference/commandline/service_scale/
62. Question
What flag can you configure to a service to introduces a delay between tasks, so that the rolling restart happens gradually?
-update-wait
--update-pause
--wait-delay
--update-delay
Unattempted
When using ‘docker service create’ and ‘docker service update’ you can set a –update-delayflag to delay between updates.
For example:
$ docker service update –update-delay 30s redis
The –update-delay 30s setting introduces a 30 second delay between tasks so that the rolling restart happens gradually.
You can use the following units ns|us|ms|s|m|h.
https://docs.docker.com/engine/reference/commandline/service_update/#perform-a-rolling-restart-with-no-parameter-changes
63. Question
Which of the following commands can you use to exclude the manager node from running the tasks of a service?
docker node stop manager
docker node update --availability drain manager
docker update node --availability drain manager
docker node update drain manager
Unattempted
To prevent the scheduler from placing tasks on a manager node in a multi-node swarm, set the availability for the manager node to Drain.
The scheduler gracefully stops tasks on nodes in Drain mode and schedules the tasks on an Active node. The scheduler does not assign new
tasks to nodes with Drain availability.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#worker-nodes
You can change node availability.
For example, to change a manager node to Drain availability use:
$ docker node update –availability drain node-1
This is useful when you want to:
· drain a manager node so that only performs swarm management tasks and is unavailable for task assignment.
· drain a node so you can take it down for maintenance.
https://docs.docker.com/engine/swarm/manage-nodes/#change-node-availability
64. Question
Which of the following commands will show a list of volumes for a specific container?
docker volume logs nginx --containers
docker container inspect nginx
docker container logs nginx --volumes
docker volume inspect nginx
Unattempted
To display detailed information on one or more containers including the list of volume use:
docker container inspect [OPTIONS] CONTAINER [CONTAINER…]
https://docs.docker.com/engine/reference/commandline/container_inspect/
65. Question
What behavior is expected when a service is created with the following command: docker service create –publish 8080:80 nginx?
All nodes in the cluster will listen on port 80 and forward to port 8080 in the container.
Only a single node in the cluster will listen on port 80 and forward to port 8080 in the container.
Only a single node in the cluster will listen on port 8080 and forward to port 80 in the container.
All nodes in the cluster will listen on port 8080 and forward to port 80 in the container.
Unattempted
By default, ports are published using ingress mode.
This means that the swarm routing mesh makes the service accessible at the published port on every node regardless if there is a task for
the service running on the node.
However, if you set host mode explicitly, the port is only bound on nodes where the service is running, and a given port on a node can only
be bound once. You can only set the publication mode using the long syntax.
You can publish service ports to make them available externally to the swarm using the –publish flag.
The –publish flag can take two different styles of arguments.
The short version is positional and allows you to specify the published port and target port separated by a colon (:).
$ docker service create –name my_web –replicas 3 –publish 8080:80 nginx
Here, the published port is 8080 and the target port is of the container is 80.
There is also a long format, which is easier to read and allows you to specify more options.
$ docker service create –name my_web –replicas 3 –publish published=8080,target=80 nginx
https://docs.docker.com/engine/reference/commandline/service_create/#publish-service-ports-externally-to-the-swarm–p—publish
Use Page numbers below to navigate to other practice tests
Pages:
1
2
← Previous Post
3
4
5
6
7
8
9
10
11
12
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
REFUND REQUEST
BROWSE ALL PRACTICE TESTS
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 2
Your results are here!! for" Docker Certified Associate Practice Set 2 "
0 of 65 questions answered correctly
Your time: 00:00:02
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
82.75%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Answered
Review
1. Question
How do you view the list of historical tasks for a service called “redis” by using the command line?
docker inspect redis
docker service ps redis
docker ps redis
docker service inspect redis
Unattempted
The following command shows all the tasks that are part of the redis service:
$ docker service ps redis
In addition to running tasks, the output also shows the task history. For example, after updating the service to use the redis:3.0.6 image, the
output may look like this:
The number of items in the task history is determined by the –task-history-limit option that was set when initializing the swarm.
https://docs.docker.com/engine/reference/commandline/service_ps/
2. Question
Which of the following docker commands can you use to add or update a placement constraint?
docker service update --placement-pref-add
docker service update --placement-constraint-add
docker service update --pref-add
docker service update --constraint-add
Unattempted
PLACEMENT CONSTRAINTS
Use placement constraints to control the nodes a service can be assigned to.
In the following example, the service only runs on nodes with the label region set to east. If no appropriately-labeled nodes are available,
tasks will wait in Pending until they become available.
$ docker service create \
–name my-nginx \
–replicas 5 \
–constraint node.labels.region==east \
nginx
https://docs.docker.com/engine/swarm/services/#control-service-placement
3. Question
Which of the following commands can you use on a worker node to remove it from the swarm cluster gracefully?
docker leave swarm
docker swarm leave
docker swarm exit
docker node rm worker
Unattempted
To remove a node from the swarm use the following on the node itself:
docker swarm leave [OPTIONS]
When you run this command on a worker itself, that worker leaves the swarm.
https://docs.docker.com/engine/reference/commandline/swarm_leave/
4. Question
How can you see the information logged by a running container called “web”?
docker log inspect web
docker logs web
docker logview web
docker container logs web
Unattempted
To fetch the logs of a container use:
docker logs [OPTIONS] CONTAINER
The output might look like this:
The docker logs command batch-retrieves logs present at the time of execution.
https://docs.docker.com/engine/reference/commandline/logs/
5. Question
You need to host your organization’s event blog using WordPress and a MySQL database on a 25 swarm nodes cluster. You need to make
sure that only one task of MySQL database service is deployed on each active node in the swarm cluster. Which of the following commands
will achieve your goal?
docker service create --name mySQL --global mysql
docker service create --name mySQL --replicas=25 mysql
docker service create --name mySQL --mode global mysql
docker service create --name mySQL --config global mysql
Unattempted
You control the type of service using the –mode flag.
If you don’t specify a mode, the service defaults to replicated.
For replicated services, you specify the number of replica tasks you want to start using the –replicas flag. For example, to start a replicated
nginx service with 3 replica tasks:
$ docker service create \
–name my_web \
–replicas 3 \
nginx
To start a global service on each available node, pass –mode global to docker service create. Every time a new node becomes available, the
scheduler places a task for the global service on the new node. For example to start a service that runs alpine on every node in the swarm:
$ docker service create \
–name myservice \
–mode global \
alpine top
https://docs.docker.com/engine/swarm/services/#replicated-or-global-services
6. Question
A ____ is a group of one or more containers (such as Docker or Mesos containers), with shared storage/network, and a specification for how to
run the containers.
Pod
StatefulSet
Deployment
DaemonSet
Unattempted
A Pod (as in a pod of whales or pea pod) is a group of one or more containers (such as Docker containers), with shared storage/network, and
a specification for how to run the containers.
A Pod’s contents are always co-located and co-scheduled, and run in a shared context. A Pod models an application-specific “logical host” – it
contains one or more application containers which are relatively tightly coupled — in a pre-container world, being executed on the same
physical or virtual machine would mean being executed on the same logical host.
https://kubernetes.io/docs/concepts/workloads/pods/pod/#what-is-a-pod
7. Question
What docker command can you use to remove a published port?
docker service modify --publish-port-rm
docker service update --rm-port
docker service update --publish-rm
docker service update --publish-port-rm
Unattempted
You can change almost everything about an existing service using the docker service update command.
When creating a service, use the -p or –publish flag.
When updating an existing service, use the flag is –publish-add. There is also a –publish-rm flag to remove a port that was previously
published.
Assuming that the my_web service exists, use the following command to remove the published port 80.
$ docker service update –publish-rm 80 my_web
https://docs.docker.com/engine/swarm/services/#update-a-service
8. Question
You have deployed a service to swarm. Using the Docker CLI how can you set the number of tasks of this services to 5? (Choose 2)
docker replica update =5
docker service scale = 5
docker update service =5
docker service update --replicas=5
docker service replicas =5
Unattempted
To scale one or multiple replicated services use:
docker service scale SERVICE=REPLICAS [SERVICE=REPLICAS…]
The following command scales the “web” service to 5 tasks.
docker service scale web=5
Alternatively, you can use:
docker service update –replicas
For example
docker service update –replicas=5 web
This example also updates the number of replicas for the service to 5.
https://docs.docker.com/engine/reference/commandline/service_scale/
https://docs.docker.com/engine/reference/commandline/service_update/
9. Question
A ____ is an instance of the Docker engine that participates in the swarm.
Node
Service
Container
Server
Unattempted
A node is an instance of the Docker engine participating in the swarm. You can also think of this as a Docker node.
You can run one or more nodes on a single physical computer or cloud server, but production swarm deployments typically include Docker
nodes distributed across multiple physical and cloud machines.
https://docs.docker.com/engine/swarm/key-concepts/#nodes
10. Question
Which are the two types of docker swarm services?
distributed and replicated services
local and global services
replicated and global services
replicated and local services
Unattempted
REPLICATED OR GLOBAL SERVICES
Swarm mode has two types of services: replicated and global.
For replicated services, you specify the number of replica tasks for the swarm manager to schedule onto available nodes.
For global services, the scheduler places one task on each available node that meets the service’s placement constraints and resource
requirements.
https://docs.docker.com/engine/swarm/services/#replicated-or-global-services
11. Question
Recent problems with the service called ‘my_api’ in your cluster have caused your development team to request its removal from the cluster
while they address the problems. Which command do you need to execute to remove the service?
docker swarm remove my_api
docker rm my_api
docker service rm my_api
docker swarm --remove=my_api
Unattempted
To remove one or more services from the swarm use:
docker service rm SERVICE [SERVICE…]
Note: This is a cluster management command, and must be executed on a swarm manager node.
https://docs.docker.com/engine/reference/commandline/service_rm/
12. Question
Setting a node to DRAIN also removes standalone containers from that node, and thus freeing it up completely.
TRUE
FALSE
Unattempted
Setting a node to DRAIN does not remove standalone containers from that node, such as those created with docker run, docker-compose up,
or the Docker Engine API.
A node’s status, including DRAIN, only affects the node’s ability to schedule swarm service workloads.
https://docs.docker.com/engine/swarm/swarm-tutorial/drain-node/
DRAIN availability prevents a node from receiving new tasks from the swarm manager. It also means the manager stops tasks running on
the node and launches replica tasks on a node with ACTIVE availability.
https://docs.docker.com/engine/swarm/swarm-tutorial/drain-node/
13. Question
Which of the following fields are required in the YAML file when defining a Kubernetes object? (Select all that apply)
selector
spec
kind
apiVersion
Unattempted
Required Fields
In the .yaml file for the Kubernetes object you want to create, you’ll need to set values for the following fields:
apiVersion – Which version of the Kubernetes API you’re using to create this object
kind – What kind of object you want to create
metadata – Data that helps uniquely identify the object, including a name string, UID, and an optional namespace
spec – What state you desire for the object
https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields
14. Question
One of the nodes in your existing cluster is logging errors related to the storage subsystem and it needs to be taken offline. Which command
will allow you to gracefully remove the node when executed on the node itself?
docker swarm leave --gracefully
docker swarm unregister
docker swarm leave
docker swarm rm
Unattempted
To remove a node from the swarm use the following on the node itself:
docker swarm leave [OPTIONS]
When you run this command on a worker, that worker leaves the swarm.
You can use the –force option on a manager to remove it from the swarm. However, this does not reconfigure the swarm to ensure that
there are enough managers to maintain a quorum in the swarm.
The safe way to remove a manager from a swarm is to demote it to a worker and then direct it to leave the quorum without using –force.
https://docs.docker.com/engine/reference/commandline/swarm_leave/
15. Question
Which of the following commands will create a service called “dns_cache” in the swarm which only listens on port 53 using the UDP protocol?
docker service create --name dns-cache -p 53:53 --udp dns-cache
docker service create --name dns-cache -p 53:53 --service udp dns-cache
docker service create --name dns-cache -p 53:53/udp dns-cache
docker service create --name dns-cache -p 53:53 --constraint networking-protocol-udp=true dns-cache
Unattempted
Publish service ports externally to the swarm (-p, –publish)
You can publish service ports to make them available externally to the swarm using the –publish flag.
The –publish flag can take two different styles of arguments. The short version is positional, and allows you to specify the published port and
target port separated by a colon (:).
$ docker service create –name my_web –replicas 3 –publish 8080:80 nginx
There is also a long format, which is easier to read and allows you to specify more options. The long format is preferred. You cannot specify
the service’s mode when using the short format.
Here is an example of using the long format for the same service as above:
$ docker service create –name my_web –replicas 3 –publish published=8080,target=80 nginx
You can also specify the protocol to use, tcp, udp, or sctp. Defaults to tcp. To bind a port for both protocols, specify the -p or –publish flag
twice.
$ docker service create –name my_web –replicas 3 –publish 8080:80/udp nginx
https://docs.docker.com/engine/reference/commandline/service_create/#publish-service-ports-externally-to-the-swarm–p—publish
16. Question
You can apply restart policies using the –restart flag only to containers and not swarm services.
TRUE
FALSE
Unattempted
Docker provides restart policies to control whether your containers start automatically when they exit, or when Docker restarts. Restart
policies ensure that linked containers are started in the correct order. Docker recommends that you use restart policies, and avoid using
process managers to start containers.
Restart policies only apply to containers. Restart policies for swarm services are configured differently using other flags related to service
restart.
https://docs.docker.com/config/containers/start-containers-automatically/#restart-policy-details
https://docs.docker.com/engine/reference/run/#restart-policies—restart
17. Question
Which of the following commands can you use to roll back to the previous version of a service?
docker service update --rollback
docker service --rollback-version
docker service update --rollback-version
docker service --rollback
Unattempted
To rollback a specified service to its previous version from the swarm you can execute one of the following commands:
docker service rollback [OPTIONS] SERVICE
docker service update –rollback SERVICE
https://docs.docker.com/engine/reference/commandline/service_rollback/
18. Question
The higher the number of managers in a swarm cluster, the better performance, and scalability. True or false?
TRUE
FALSE
Unattempted
There is no limit on the number of manager nodes.
The decision about how many manager nodes to implement is a trade-off between performance and fault-tolerance.
Adding manager nodes to a swarm makes the swarm more fault-tolerant. However, additional manager nodes reduce write performance
because more nodes must acknowledge proposals to update the swarm state. This means more network round-trip traffic.
https://docs.docker.com/engine/swarm/admin_guide/#operate-manager-nodes-in-a-swarm
19. Question
When querying the configuration of a running container called ‘webApp’, which command would display the container’s IP Address?
docker run inspect webApp | grep IP
None of the answers is correct
docker inspect webApp | grep IPAddress
docker webApp inspect | grep IP
Unattempted
To return low-level information on Docker objects use:
docker inspect [OPTIONS] NAME|ID [NAME|ID…]
https://docs.docker.com/engine/reference/commandline/inspect/
20. Question
Which command returns detailed information on a Docker Image?
docker image stats
docker image inspect
docker image history
docker image info
Unattempted
To display detailed information on one or more images use:
docker image inspect [OPTIONS] IMAGE [IMAGE…]
https://docs.docker.com/engine/reference/commandline/image_inspect/
21. Question
A docker image is built up from a series of layers and each layer represents an instruction in the image’s Dockerfile. True or false?
FALSE
TRUE
Unattempted
Docker builds images automatically by reading the instructions from a Dockerfile text file that contains all commands, in order, needed to
build a given image.
A Docker image consists of read-only layers each of which represents a Dockerfile instruction.
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
22. Question
DTR only allows deleting images that are signed. True or false?
TRUE
FALSE
Unattempted
Delete signed images
DTR only allows deleting images if the image has not been signed. You first need to delete all the trust data associated with the image
before you are able to delete the image.
https://github.com/docker/docker.github.io
23. Question
Which docker command can be used to pull an image or a repository from a registry?
docker build
docker pull
docker checkout
docker deploy
Unattempted
Pull an image or a repository from a registry
docker image pull
Or
docker pull [OPTIONS] NAME[:TAG|@DIGEST]
https://docs.docker.com/engine/reference/commandline/pull/
24. Question
What happens when the RUN instruction is executed?
The RUN directive sets the default command for the image.
The RUN directive automatically runs a command when a new container gets created.
The RUN directive executes a command and commits the resulting changed files as a new layer in the image.
The RUN directive executes a command on the host when building an image.
Unattempted
In the Dockerfile context, The RUN instruction will execute any commands in a new layer on top of the current image and commit the results.
Layering RUN instructions and generating commits conforms to the core concepts of Docker where commits are cheap and containers can
be created from any point in an image’s history, much like source control.
https://docs.docker.com/engine/reference/builder/#run
25. Question
The Dockerfile instruction EXPOSE publish the port to external systems. True or false?
FALSE
TRUE
Unattempted
EXPOSE [/…]
The EXPOSE instruction informs Docker that the container listens on the specified network ports at runtime. You can specify whether the
port listens on TCP or UDP, and the default is TCP if the protocol is not specified.
The EXPOSE instruction does not actually publish the port. It functions as a type of documentation between the person who builds the
image and the person who runs the container, about which ports are intended to be published. To actually publish the port when running the
container, use the -p flag on docker run to publish and map one or more ports, or the -P flag to publish all exposed ports and map them to
high-order ports.
https://docs.docker.com/engine/reference/builder/#expose
26. Question
Environment variables set in a Dockerfile using ENV are persisted when a container is run from the resulting image. True or False.
FALSE
TRUE
Unattempted
ENV
ENV
ENV = …
The ENV instruction sets the environment variable to the value . This value will be in the environment for all subsequent instructions in the
build stage.
Also, the environment variables set using ENV will persist when a container is run from the resulting image. You can view the values using
docker inspect, and change them using docker run –env =.
https://docs.docker.com/engine/reference/builder/#env
27. Question
Is there any difference between the ADD and COPY instructions? (Choose two)
The ADD directive will remove the file from the source and add it to the destination.
The ADD directive can extract an archive into the image.
The ADD directive can pull a file from an external URL.
The ADD directive can transfer a specific file between build stages.
Unattempted
The ADD instruction operates similarly to the COPY instruction with two important differences.
The ADD instruction will additionally support:
· Fetch remote source files if a URL is specified
· Auto-extraction of archive files. Extract the files of any source that are determined to be of archive file type.
https://docs.docker.com/engine/reference/builder/#add
28. Question
Which command needs to be executed to sign an image before pushing it to a repository?
export SIGN_DOCKER_IMAGE=1
export TRUST_DOCKER_IMAGE=1
export TRUST_DOCKER_CONTENT=1
export DOCKER_CONTENT_TRUST=1
Unattempted
Docker Content Trust (DCT) allows you to verify the authenticity, integrity, and publication date of Docker images that are made available on
the Docker Hub Registry.
By default, Content Trust is disabled. To enable Content Trust for signing and verifying Docker images that you build, push to, or pull from
the Docker Hub, set the DOCKER_CONTENT_TRUST environment variable, for example:
export DOCKER_CONTENT_TRUST=1
https://docs.oracle.com/cd/E37670_01/E75728/html/section-xnz_cxk_ht.html
29. Question
What is the purpose of multi-stage builds?
Better logical separation of Dockerfile instructions for better readability
Better caching when building Docker images
Faster image builds by allowing parallel execution of Docker builds
Reduce the size of your final image since intermediate artifacts are left behind, and not saved in the final image.
Unattempted
Multi-stage builds allow you to drastically reduce the size of your final image, without struggling to reduce the number of intermediate layers
and files.
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#use-multi-stage-builds
With multi-stage builds, you use multiple FROM statements in your Dockerfile. Each FROM instruction can use a different base, and each of
them begins a new stage of the build. You can selectively copy artifacts from one stage to another, leaving behind everything you don’t want
in the final image.
https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
30. Question
Which statement is true about building docker images?
Only layers that have changed since the last build (and any following layers) are built.
An image has state and it can change.
Every Dockerfile can have only one FROM directive.
Every layer of the image is re-built every time docker build is executed.
Unattempted
When an image is updated or rebuilt, only layers that change need to be updated, and unchanged layers are cached locally. This is part of
why Docker images are so fast and lightweight. The sizes of each layer add up to equal the size of the final image.
An image does not have state and it never changes.
https://docs.docker.com/glossary/
FROM can appear multiple times within a single Dockerfile to create multiple images or use one build stage as a dependency for another.
https://docs.docker.com/engine/reference/builder/#from
31. Question
Who is responsible to run the docker build command?
docker cli
docker engine
docker daemon
docker-machine
Unattempted
The build is run by the Docker daemon, not by the CLI.
The first thing a build process does is send the entire context (recursively) to the daemon.
https://docs.docker.com/engine/reference/builder/
32. Question
What is the Dockerfile LABEL option used for?
Tells Docker how to test a container to check that it is still working.
Provide defaults for an executing container
Label a container that will run as an executable
Adds metadata to an image
Unattempted
LABEL
LABEL = = = …
The LABEL instruction adds metadata to an image. A LABEL is a key-value pair.
Example:
LABEL version=”1.0″
https://docs.docker.com/engine/reference/builder/#label
33. Question
It is good practice to have more than one CMD instruction in the Docker file. True or false?
TRUE
FALSE
Unattempted
There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect.
The main purpose of a CMD is to provide defaults for an executing container.
https://docs.docker.com/engine/reference/builder/#cmd
34. Question
Which directive sets the working directory for any RUN, CMD, ENTRYPOINT, COPY and ADD instructions that follow it in the Dockerfile?
MKDIR
PWD
CD
WORKDIR
Unattempted
The WORKDIR instruction sets the working directory for any RUN, CMD, ENTRYPOINT, COPY and ADD instructions that follow it in the
Dockerfile. If the WORKDIR doesn’t exist, it will be created even if it’s not used in any subsequent Dockerfile instruction.
https://docs.docker.com/engine/reference/builder/#workdir
35. Question
Which of the following instructions can be used to specify variables that are available to the RUN instruction?
ENV
ARG
Both ARG and ENV are valid
Unattempted
You can use an ARG or an ENV instruction to specify variables that are available to the RUN instruction.
Environment variables defined using the ENV instruction always override an ARG instruction of the same name.
https://docs.docker.com/engine/reference/builder/#run#using-arg-variables
36. Question
Which of the following docker command can remove an image, even if that image is used by a running container?
docker remove [image name]
docker rm [image name] --force
docker rmi [image name] --force
None of the answers is correct.
Unattempted
To remove one or more images use:
docker rmi [OPTIONS] IMAGE [IMAGE…]
You cannot remove an image of a running container unless you use the –force or -f option.
https://docs.docker.com/engine/reference/commandline/rmi/
This removes (and un-tags) one or more images from the host node. If an image has multiple tags, using this command with the tag as a
parameter only removes the tag. If the tag is the only one for the image, both the image and the tag are removed.
This does not remove images from a registry.
37. Question
Which of the following is true about docker image rm command?
Remove dangling images.
Remove unused images.
Show the history of an image.
Remove one or more images.
Unattempted
To remove one or more images, use the following command:
docker image rm [OPTIONS] IMAGE [IMAGE…]
https://docs.docker.com/engine/reference/commandline/image_rm/
38. Question
Which directive informs Docker that a container listens on specified network ports at runtime?
LABEL
TAG
ENV
EXPOSE
Unattempted
EXPOSE [/…]
The EXPOSE instruction informs Docker that the container listens on the specified network ports at runtime. You can specify whether the
port listens on TCP or UDP, and the default is TCP if the protocol is not specified.
The EXPOSE instruction does not actually publish the port. It functions as a type of documentation between the person who builds the
image and the person who runs the container, about which ports are intended to be published. To actually publish the port when running the
container, use the -p flag on docker run to publish and map one or more ports, or the -P flag to publish all exposed ports and map them to
high-order ports.
https://docs.docker.com/engine/reference/builder/#expose
The ENV instruction sets the environment variable to the value . This value will be in the environment for all subsequent instructions in the
build stage.
39. Question
Which of the following docker component can be described as “a runtime instance of an image”?
Docker File
Node
Container
Image
Unattempted
A container is a runtime instance of a docker image.
A Docker container consists of
· A Docker image
· An execution environment
· A standard set of instructions
The concept is borrowed from Shipping Containers, which define a standard to ship goods globally. Docker defines a standard to ship
software.
https://docs.docker.com/glossary/
40. Question
It is good practice to use the root directory, /, as the PATH for building the docker image. True or False?
FALSE
TRUE
Unattempted
Warning
When building an image, do not use your root directory, /, as the PATH as it causes the build to transfer the entire contents of your hard drive
to the Docker daemon.
https://docs.docker.com/engine/reference/builder/
41. Question
Which of the following is not how you create an efficient image via a Dockerfile?
Sort multi-line arguments
Avoid installing unnecessary packages
Use multi-stage builds
Combine multiple applications into a single container
Unattempted
Best practices for writing Dockerfiles:
· Create ephemeral containers
· Understand build context
· Pipe Dockerfile through stdin
· Exclude with .dockerignore
· Use multi-stage builds
· Don’t install unnecessary packages
· Decouple applications
· Minimize the number of layers
· Sort multi-line arguments
· Leverage build cache
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#create-ephemeral-containers
42. Question
It is good practice to have more than one RUN instruction in the Docker file?
FALSE
TRUE
Unattempted
The RUN instruction will execute any commands in a new layer on top of the current image and commit the results. The resulting committed
image will be used for the next step in the Dockerfile.
Layering RUN instructions and generating commits conforms to the core concepts of Docker where commits are cheap and containers can
be created from any point in an image’s history, much like source control.
Therefore, it’s ok to have more than one RUN instruction.
https://docs.docker.com/engine/reference/builder/#run
43. Question
Which of the below statements is false about WORKDIR instruction?
It affects only the build and does not impact containers that run from the image.
The WORKDIR instruction can resolve environment variables previously set using ENV.
It can use both absolute and relative paths.
The WORKDIR instruction can be used multiple times in a Dockerfile.
Unattempted
The WORKDIR instruction can be used multiple times in a Dockerfile.
· If a relative path is provided, it will be relative to the path of the previous WORKDIR instruction.
· If the WORKDIR doesn’t exist, it will be created even if it’s not used in any subsequent Dockerfile instruction.
The WORKDIR instruction can resolve environment variables previously set using ENV. You can only use environment variables explicitly set
in the Dockerfile. For example:
ENV DIRPATH /path
WORKDIR $DIRPATH/$DIRNAME
RUN pwd
https://docs.docker.com/engine/reference/builder/#workdir
44. Question
The following Dockerfile results in an image after the build. What happens when executing docker run using this image?
FROM ubuntu
RUN mkdir /myvol
RUN echo “hello world” > /myvol/greeting
VOLUME /myvol
It creates a new empty mount point at /myvol.
Nothing happens. The volume was created while building the image.
It creates a new mount point at /myvol and copy the greeting file into the newly created volume.
Unattempted
VOLUME [“/data”]
The VOLUME instruction creates a mount point with the specified name and marks it as holding externally mounted volumes from native
host or other containers. The value can be a JSON array, VOLUME [“/var/log/”], or a plain string with multiple arguments, such as VOLUME
/var/log or VOLUME /var/log /var/db.
https://docs.docker.com/engine/reference/builder/#volume
45. Question
Which command can you use to display the layers of a docker image?
docker image history
docker layers
docker image layers
docker image info
Unattempted
You can examine all the layers in an image by using the docker image history command. It will display the following:
· Abbreviated layer ID
· Age of the layer
· Initial command of the creating container
· Total file size of that layer
https://docs.docker.com/engine/reference/commandline/history/
46. Question
Both RUN and CMD instructions can be used interchangeably in the Dockerfile as they do the same thing.
FALSE
TRUE
Unattempted
The RUN instruction will execute any commands in a new layer on top of the current image and commit the results. The resulting committed
image will be used for the next step in the Dockerfile.
CMD instruction allows you to set a default command, which will be executed only when you run container without specifying a command. If
Docker container runs with a command, the default command will be ignored. If Dockerfile has more than one CMD instruction, all but last
CMD instructions are ignored.
https://docs.docker.com/engine/reference/builder/
47. Question
From a DevOps perspective, it is good practice to keep changes of an application in a version control system. Which of the following will allow
changes to a docker image to be maintained in a version control system?
docker save
A docker-compose.yaml file
A docker file
docker commit
Unattempted
To create a new image from a container’s changes use:
docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
It can be useful to commit a container’s file changes or settings into a new image.
This allows you to export a working dataset to another server.
Still, it is better to use Dockerfiles to manage your images in a documented and maintainable way. The Version Control can be used mainly
for text-based files such as Dockerfiles, docker-compose.yml, and configuration files. Small binaries can also be kept in the same version
control. Examples of version control are git, svn, Team Foundation Server, Azure DevOps, and Clear Case.
https://success.docker.com/article/dev-pipeline
48. Question
Which of the following directive will execute a command at build time?
CMD
RUN
Unattempted
Note: Don’t confuse RUN with CMD. RUN actually runs a command and commits the result; CMD does not execute anything at build time,
but specifies the intended command for the image.
https://docs.docker.com/engine/reference/builder/#cmd
49. Question
Which docker command will display all top-level images available for containers to be instantiated from?
docker list
docker list all
docker ps
docker images
Unattempted
docker images [OPTIONS] [REPOSITORY[:TAG]]
The default docker images will show all top-level images, their repository and tags, and their size.
You can use –all, -a to show all images (default hides intermediate images)
https://docs.docker.com/engine/reference/commandline/images/
50. Question
Which command can be used to upload an image to a registry?
docker commit [OPTIONS] NAME[:TAG]
docker upload [OPTIONS] NAME[:TAG]
docker push [OPTIONS] NAME[:TAG]
docker store [OPTIONS] NAME[:TAG]
Unattempted
To push an image or a repository to a registry use:
docker image push [OPTIONS] NAME[:TAG]
https://docs.docker.com/engine/reference/commandline/image_push/
51. Question
What represents a Dockerfile?
A "readme" file for docker
Executable file to install docker
An archive with all necessary dependencies to install an app.
A sequential set of instructions to build a docker image.
Unattempted
Docker can build images automatically by reading the instructions from a Dockerfile.
A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image.
Using docker build users can create an automated build that executes several command-line instructions in succession.
https://docs.docker.com/engine/reference/builder/
52. Question
What would be the output of the final pwd command of a container built from the following Dockerfile?
FROM alpine:latest
WORKDIR /a
WORKDIR b
WORKDIR c
CMD [ ‘/bin/bash’, ‘pwd’ ]
c
b
/a/b/c
/a
Unattempted
The WORKDIR instruction can be used multiple times in a Dockerfile.
If a relative path is provided, it will be relative to the path of the previous WORKDIR instruction. For example:
WORKDIR /a
WORKDIR b
WORKDIR c
RUN pwd
The output of the final pwd command in this Dockerfile would be /a/b/c.
https://docs.docker.com/engine/reference/builder/#workdir
53. Question
What is the final outcome of a container created from the following Dockerfile?
FROM busybox:latest
ENTRYPOINT [“/bin/ping”,”-c”,”5″]
CMD [“localhost”]
Container will remain in created state.
Container will ping localhost for 5 times and will return to its shell.
Container will ping the localhost for 5 times and will stop running.
Container will get stuck in infinite pinging loop.
Unattempted
CMD instruction allows you to set a default command, which will be executed only when you run container without specifying a command. If
Docker container runs with a command, the default command will be ignored. If Dockerfile has more than one CMD instruction, all but last
CMD instructions are ignored.
ENTRYPOINT instruction allows you to configure a container that will run as an executable. It looks similar to CMD, because it also allows
you to specify a command with parameters. The difference is ENTRYPOINT command and parameters are not ignored when Docker
container runs with command line parameters. (There is a way to ignore ENTTRYPOINT, but it is unlikely that you will do it.)
https://docs.docker.com/engine/reference/builder
54. Question
Which docker entity can be described as “an executable package that includes everything needed to run an application–the code or binary, a
runtime, libraries, environment variables, and configuration files”?
Node
Container
Docker File
Image
Unattempted
Images and containers
Fundamentally, a container is nothing but a running process, with some added encapsulation features applied to it in order to keep it isolated
from the host and from other containers.
An image includes everything needed to run an application – the code or binary, runtimes, dependencies, and any other filesystem objects
required.
https://docs.docker.com/get-started/#images-and-containers
55. Question
ARG variables are persisted into the built image the same as the ENV variables.
FALSE
TRUE
Unattempted
ARG [=]
The ARG instruction defines a variable that users can pass at build-time to the builder with the docker build command using the –build-arg =
flag.
https://docs.docker.com/engine/reference/builder/#arg
Unlike an ARG instruction, ENV values are always persisted in the built image.
The variable expansion technique in this example allows you to pass arguments from the command line and persist them in the final image
by leveraging the ENV instruction.
https://docs.docker.com/engine/reference/builder/#run#using-arg-variables
56. Question
Which of the following Dockerfile directive is used to add metadata to a docker image?
ADD
METADATA
ARG
LABEL
Unattempted
LABEL
LABEL = = = …
The LABEL instruction adds metadata to an image. A LABEL is a key-value pair.
Example:
LABEL version=”1.0″
https://docs.docker.com/engine/reference/builder/#label
57. Question
Docker reuses intermediate images for accelerating the docker build process.
FALSE
TRUE
Unattempted
In an image, a layer is modification to the image, represented by an instruction in the Dockerfile. Layers are applied in sequence to the base
image to create the final image.
When an image is updated or rebuilt, only layers that change need to be updated, and unchanged layers are cached locally. This is part of
why Docker images are so fast and lightweight. The sizes of each layer add up to equal the size of the final image.
https://docs.docker.com/glossary/
58. Question
A docker file must always be named Dockerfile?
FALSE
TRUE
Unattempted
The default filename is Dockerfile (without an extension), and using the default can make various tasks easier while working with containers.
However, you can name it whatever you like.
For example, check the following output:
https://stackoverflow.com/questions/26077543/how-to-name-dockerfiles
59. Question
Which statement is true?
ENTRYPOINT should be defined when using the container as an executable.
ENTRYPOINT cannot be used in conjuction with CMD
CMD cannot be overriden in the "docker container run" command
ENTRYPOINT cannot be overriden in the "docker container run" command
Unattempted
An ENTRYPOINT allows you to configure a container that will run as an executable.
You can override the ENTRYPOINT instruction using the docker run –entrypoint flag.
https://docs.docker.com/engine/reference/builder/#entrypoint
The main purpose of a CMD is to provide defaults for an executing container. These defaults can include an executable, or they can omit the
executable, in which case you must specify an ENTRYPOINT instruction as well.
If CMD is used to provide default arguments for the ENTRYPOINT instruction, both the CMD and ENTRYPOINT instructions should be
specified with the JSON array format.
The CMD instruction has three forms:
· CMD [“executable”,”param1″,”param2″] (exec form, this is the preferred form)
· CMD [“param1″,”param2”] (as default parameters to ENTRYPOINT)
· CMD command param1 param2 (shell form)
https://docs.docker.com/engine/reference/builder/#cmd
60. Question
What is the purpose of the FROM directive?
It pulls a file from an external source into the image.
It sets the working directory of containers ran using the image.
It indicates the build context.
It sets a base image that can be used for subsequent instructions.
Unattempted
The FROM instruction initializes a new build stage and sets the Base Image for subsequent instructions. As such, a valid Dockerfile must
start with a FROM instruction.
https://docs.docker.com/engine/reference/builder/#from
61. Question
Which of the following commands can be used to find the architecture and operating system an image is compatible with?
docker image ls
docker image inspect --format '{?{.Architecture}} {?{.Os}}'
docker image inspect --filter '{?{.Architecture}} {?{.Os}}'
docker image info
Unattempted
Docker inspect provides detailed information on constructs controlled by Docker.
By default, docker inspect will render results in a JSON array.
To display detailed information on one or more images use:
docker image inspect [OPTIONS] IMAGE [IMAGE…]
The options are:
–format , -f
Format the output using the given Go template
For the most part, you can pick out any field from the JSON in a fairly straightforward manner using the –format parameter.
$ docker inspect –format='{{.LogPath}}’ $INSTANCE_ID
https://docs.docker.com/engine/reference/commandline/inspect/
62. Question
Which of the Dockerfile directive executes any command in a new layer on top of the current image and commits the results?
FROM
CMD
RUN
ONBUILD
Unattempted
In the Dockerfile context, The RUN instruction will execute any commands in a new layer on top of the current image and commit the results.
Layering RUN instructions and generating commits conforms to the core concepts of Docker where commits are cheap and containers can
be created from any point in an image’s history, much like source control.
https://docs.docker.com/engine/reference/builder/#run
63. Question
Which is one way of directly transferring a docker image from one docker host to another?
Use docker commit to save the image outside of the Docker filesystem. Then transfer the file over to the target host and use 'docker
start' to start the container again.
There is no way of directly transferring Docker images between hosts. A Docker Registry must be used as an intermediary.
Use docker save to save the image as a TAR file and copy it over to the target host. Then use 'docker load' to un-TAR the image back as a
docker image.
Use docker push to transfer the image to the IP address of the target host.
Unattempted
To save one or more images to a tar archive (streamed to STDOUT by default) use:
docker save [OPTIONS] IMAGE [IMAGE…]
The achieve can be distributed through different channels such as: central file server, version-control system, sent it to you over email or
shared it via flash drive.
https://docs.docker.com/engine/reference/commandline/save/
Docker provides a command to load images into Docker from a file. With this tool, you can load images that you acquired through other
channels.
https://docs.docker.com/engine/reference/commandline/image_load/
64. Question
You want to search for a Ubuntu official Docker Image with a minimum rating of 30 stars. Which of the following commands will provide you
the correct results?
docker search --filter is-official --filer stars=30 ubuntu
docker search --filter is-official=true --filter stars=30 ubuntu
docker search --filter is-official=true, stars=30 ubuntu
docker search --filter is-official=True --filter stars=30 ubuntu
Unattempted
To search the Docker Hub for images use:
docker search [OPTIONS] TERM
The filtering flag (-f or –filter) format is a key=value pair. If there is more than one filter, then pass multiple flags (e.g. –filter isautomated=true –filter stars=3)
The currently supported filters are:
stars (int – number of stars the image has)
is-automated (boolean – true or false) – is the image automated or not
is-official (boolean – true or false) – is the image official or not
https://docs.docker.com/engine/reference/commandline/search/#filtering
65. Question
Which of the following flags can you use to specify a repository and a tag for saving the image after the build is done?
-p
-f
-t
-m
Unattempted
You can specify a repository and tag at which to save the new image if the build succeeds:
$ docker build -t myrepo/myapp .
The output could look like the following:
To tag the image into multiple repositories after the build, add multiple -t parameters when you run the build command:
$ docker build -t shykes/myapp:1.0.2 -t shykes/myapp:latest .
https://docs.docker.com/engine/reference/builder/#run#usage
Use Page numbers below to navigate to other practice tests
Pages:
1
2
3
4
5
6
7
8
9
10
11
12
← Previous Post
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
REFUND REQUEST
BROWSE ALL PRACTICE TESTS
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 3
Your results are here!! for" Docker Certified Associate Practice Set 3 "
0 of 65 questions answered correctly
Your time: 00:00:02
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
77.67%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Answered
Review
1. Question
Which of the following steps should you perform to sign images in a way that UCP trusts them? (select all that apply)
Initialize trust metadata for the repository
Configure Notary client
Approve image sign on UCP
Delegate signing to the keys in your UCP client bundle
Unattempted
By default, when you push an image to DTR, the Docker CLI client doesn’t sign the image.
You can configure the Docker CLI client to sign the images you push to DTR. This allows whoever pulls your image to validate if they are
getting the image you created, or a forged one.
To sign an image you can run:
export DOCKER_CONTENT_TRUST=1
docker push //:
This pushes the image to DTR and creates trust metadata. It also creates public and private key pairs to sign the trust metadata, and push
that metadata to the Notary Server internal to DTR.
Sign images that UCP can trust
With the command above you can sign your DTR images, but UCP doesn’t trust them because it can’t tie the private key you’re using to sign
the images to your UCP account.
To sign images in a way that UCP trusts them you need to:
· Configure your Notary client
· Initialize trust metadata for the repository
· Delegate signing to the keys in your UCP client bundle
https://github.com/docker/docker.github.io
2. Question
Which of the following components is not managed by Docker Hub?
organizations
docker images
repositories
containers
Unattempted
Docker Hub is a service provided by Docker for finding and sharing container images with your team. It provides the following major features:
· Repositories: Push and pull container images.
· Teams & Organizations: Manage access to private repositories of container images.
· Official Images: Pull and use high-quality container images provided by Docker.
· Publisher Images: Pull and use high-quality container images provided by external vendors. Certified images also include support and
guarantee compatibility with Docker Enterprise.
· Builds: Automatically build container images from GitHub and Bitbucket and push them to Docker Hub.
· Webhooks: Trigger actions after a successful push to a repository to integrate Docker Hub with other services.
https://docs.docker.com/docker-hub/
3. Question
Describe what the EXPOSE instruction does.
It automatically publishes ports when running a container.
It documents ports intended for publishing at the time of running a container.
It makes a container's port accessible externally.
It causes the container to listen on a port.
Unattempted
EXPOSE [/…]
The EXPOSE instruction informs Docker that the container listens on the specified network ports at runtime. You can specify whether the
port listens on TCP or UDP, and the default is TCP if the protocol is not specified.
The EXPOSE instruction does not actually publish the port. It functions as a type of documentation between the person who builds the
image and the person who runs the container, about which ports are intended to be published. To actually publish the port when running the
container, use the -p flag on docker run to publish and map one or more ports, or the -P flag to publish all exposed ports and map them to
high-order ports.
https://docs.docker.com/engine/reference/builder/#expose
4. Question
Which of the following statements describe what the ENV directive does?
It sets an environment variable on the host while the container is running
It sets environment variables that are only visible during later build steps
It sets environment variables that are made available in subsequent build steps and to containers at the runtime.
It sets environment variables that are only visible at the container runtime.
Unattempted
ENV
ENV
ENV = …
The ENV instruction sets the environment variable to the value . This value will be in the environment for all subsequent instructions in the
build stage.
Also, the environment variables set using ENV will persist when a container is run from the resulting image. You can view the values using
docker inspect, and change them using docker run –env =.
https://docs.docker.com/engine/reference/builder/#env
5. Question
Which of the following Dockerfile instructions will configure a starting point for the executable container?
ENTRYPOINT
ENV
CMD
EXEC
Unattempted
The RUN instruction will execute any commands in a new layer on top of the current image and commit the results. The resulting committed
image will be used for the next step in the Dockerfile.
ENTRYPOINT instruction allows you to configure a container that will run as an executable. It looks similar to CMD, because it also allows
you to specify a command with parameters. The difference is ENTRYPOINT command and parameters are not ignored when Docker
container runs with command line parameters. (There is a way to ignore ENTTRYPOINT, but it is unlikely that you will do it.)
CMD instruction allows you to set a default command, which will be executed only when you run container without specifying a command. If
Docker container runs with a command, the default command will be ignored. If Dockerfile has more than one CMD instruction, all but last
CMD instructions are ignored.
EXEC is not a Dockerfile instruction.
https://docs.docker.com/engine/reference/builder/
6. Question
Describe what the following instruction does when added to a Dockerfile.
HEALTCHECK CMD curl localhost:8080
It adds a health status in addition to its normal status to detect cases such as a web server that is stuck in an infinite loop, even though
the server process is still running.
Defines the health check endpoint on the local host interface for containers to monitor the health of the docker engine.
It adds a status to detect if a containerized application is running.
Defines the health check endpoint on the localhost interface for external monitoring tools to monitor the health of the docker engine.
Unattempted
Obs:
· Every shell command returns a status code
The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working.
The HEALTHCHECK instruction has two forms:
· HEALTHCHECK [OPTIONS] CMD command (check container health by running a command inside the container)
· HEALTHCHECK NONE (disable any healthcheck inherited from the base image)
When a container has a healthcheck specified, it has a health status in addition to its normal status.
The command after the CMD keyword can be either a shell command (e.g. HEALTHCHECK CMD /bin/check-running) or an exec array (as
with other Dockerfile commands; see e.g. ENTRYPOINT for details).
https://docs.docker.com/engine/reference/builder/#healthcheck
7. Question
What represents a build context that should be considered when building an image?
The configuration of the daemon
Dockerfile found in a specific path or URL
All the files found in a specific path or URL
All dependencies already installed on docker-machine
Unattempted
The docker build command builds an image from a Dockerfile and a context.
The build’s context is the set of files at a specified location PATH or URL. The PATH is a directory on your local filesystem. The URL is a Git
repository location.
A context is processed recursively. So, a PATH includes any subdirectories and the URL includes the repository and its submodules.
This example shows a build command that uses the current directory as context:
$ docker build .
Sending build context to Docker daemon 6.51 MB
…
You use the -f flag with docker build to point to a Dockerfile anywhere in your file system.
$ docker build -f /path/to/a/Dockerfile .
The build is run by the Docker daemon. The first thing a build process does is send the entire context (recursively) to the daemon.
In most cases, it’s best to start with an empty directory as context and keep your Dockerfile in that directory. Add only the files needed for
building the Dockerfile.
https://docs.docker.com/engine/reference/builder/
8. Question
FROM keyword can only appear multiple times within the Dockerfile?
TRUE
FALSE
Unattempted
FROM can appear multiple times within a single Dockerfile to create multiple images or use one build stage as a dependency for another.
Each FROM instruction clears any state created by previous instructions.
https://docs.docker.com/engine/reference/builder/#from
You use multiple FROM statements in your Dockerfile for multi-stage builds. Each FROM instruction can use a different base, and each of
them begins a new stage of the build. You can selectively copy artifacts from one stage to another, leaving behind everything you don’t want
in the final image.
https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
9. Question
What would be the output of the final pwd command of a container built from the following Dockerfile?
FROM alpine
WORKDIR /a
WORKDIR /b
WORKDIR c
CMD pwd
/b/c
/
/c
/a
Unattempted
The WORKDIR instruction can be used multiple times in a Dockerfile.
If a relative path is provided, it will be relative to the path of the previous WORKDIR instruction. For example:
WORKDIR /a
WORKDIR b
WORKDIR c
RUN pwd
The output of the final pwd command in this Dockerfile would be /a/b/c.
https://docs.docker.com/engine/reference/builder/#workdir
10. Question
Which of the following directive can primarily be used for defining default arguments for an executing container?
CMD
LABEL
ENTRYPOINT
RUN
Unattempted
The main purpose of a CMD is to provide defaults for an executing container. These defaults can include an executable, or they can omit the
executable, in which case you must specify an ENTRYPOINT instruction as well.
If CMD is used to provide default arguments for the ENTRYPOINT instruction, both the CMD and ENTRYPOINT instructions should be
specified with the JSON array format.
https://docs.docker.com/engine/reference/builder/#cmd
11. Question
What command can you use to remove dangling docker images?
docker image remove
docker rm
docker image prune
docker rmi
Unattempted
Prune images
The docker image prune command allows you to clean up unused images. By default, docker image prune only cleans up dangling images. A
dangling image is one that is not tagged and is not referenced by any container. To remove dangling images:
$ docker image prune
To remove all images which are not used by existing containers, use the -a flag:
$ docker image prune -a
https://docs.docker.com/config/pruning/#prune-images
12. Question
What is the purpose of a HEALTCHECK instruction within a Dockerfile?
Defines the health check endpoint for external monitoring tools to monitor the health of the docker engine.
Defines a heartbeat interval.
To check if the server process is running.
Instructs Docker how to test a container to check that it is still working.
Unattempted
The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working. This can detect cases such as a web
server that is stuck in an infinite loop and unable to handle new connections, even though the server process is still running.
https://docs.docker.com/engine/reference/builder/#healthcheck
13. Question
When using the Docker client to push an image to a registry, which environment variable is used to instruct the client to perform signing of the
image?
DOCKER_PUSH_SIGN=1
NOTARY_ENABLE=1
DOCKER_IMAGE_SIGN=1
DOCKER_CONTENT_TRUST=1
Unattempted
By default, when you push an image to DTR, the Docker CLI client doesn’t sign the image.
You can configure the Docker CLI client to sign the images you push to DTR. This allows whoever pulls your image to validate if they are
getting the image you created, or a forged one.
To sign an image you can run:
export DOCKER_CONTENT_TRUST=1
14. Question
In Docker Trusted Registry, how would a user prevent an image from being overwritten by another user which has push access to the
repository?
Keep a backup copy of the image on another repository.
Tag the image with 'nginx:immutable'
Use the DTR web UI to make the tag immutable.
Remove push access from all other users.
Unattempted
By default, users with read and write access to a repository can push the same tag multiple times to that repository. For example, when user
A pushes an image to library/wordpress:latest, there is no preventing user B from pushing an image with the same name but a completely
different functionality. This can make it difficult to trace the image back to the build that generated it.
To prevent tags from being overwritten, you can configure a repository to be immutable in the DTR web UI. Once configured, DTR will not
allow anyone else to push another image tag with the same name.
https://github.com/docker/docker.github.io
15. Question
How can you find untagged images?
docker images --filter "tagged=false"
docker images --format "tagged=false"
docker images --filter "dangling=true"
docker images --format "dangling=true"
Unattempted
To show untagged images, or dangling, use:
docker images –filter “dangling=true”
This will display untagged images that are the leaves of the images tree (not intermediary layers). These images occur when a new build of
an image takes the repo:tag away from the image ID, leaving it as : or untagged. A warning will be issued if trying to remove an image when
a container is presently using it. By having this flag it allows for batch cleanup.
https://docs.docker.com/engine/reference/commandline/images/#filtering
16. Question
Which of the following statements are true about Dockerfile instructions? (Choose two)
COPY supports regular expression handling while ADD does not.
COPY supports compression format handling while ADD does not.
ADD supports remote URL handling while COPY does not.
ADD supports regular expression handling while COPY does not.
ADD supports compression format handling while COPY does not.
Unattempted
The ADD instruction operates similarly to the COPY instruction with two important differences.
The ADD instruction will additionally support:
· Fetch remote source files if a URL is specified
· Auto-extraction of archive files. Extract the files of any source that are determined to be of archive file type.
https://docs.docker.com/engine/reference/builder/#add
17. Question
When changes made to a Docker image are ready to be published, which of the following commands would make a new image available,
called ‘httpd:v2’?
docker checkin httpd:v2
docker tag httpd:v2 httpd:latest
docker tag httpd:v2 httpd:latest
docker tag httpd:latest httpd:v2
Unattempted
To create a tag TARGET_IMAGE that refers to SOURCE_IMAGE use:
docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
https://docs.docker.com/engine/reference/commandline/tag/
18. Question
Which of the following commands is the correct way to tag an image?
docker tag TARGET_IMAGE[:TAG] SOURCE_IMAGE[:TAG]
docker build tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
docker tag image SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
Unattempted
To create a tag TARGET_IMAGE that refers to SOURCE_IMAGE use:
docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
Example:
To tag a local image with name “myimage” into the “myrepositroy” repository with “version1.0”:
docker tag myimage myrepositroy/myimage:version1.0
https://docs.docker.com/engine/reference/commandline/tag/
19. Question
Which of the following options is NOT a valid way to tag a Docker image?
Tag an image referenced by user ID
Tag an image referenced by Name and Tag
Tag an image referenced by image ID
Tag an image referenced by Name
Unattempted
To create a tag TARGET_IMAGE that refers to SOURCE_IMAGE use:
docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
Examples:
Tag an image referenced by ID
To tag a local image with ID “0e5574283393” into the “fedora” repository with “version1.0”:
$ docker tag 0e5574283393 fedora/httpd:version1.0
Tag an image referenced by Name
To tag a local image with name “httpd” into the “fedora” repository with “version1.0”:
$ docker tag httpd fedora/httpd:version1.0
Note that since the tag name is not specified, the alias is created for an existing local version httpd:latest.
Tag an image referenced by Name and Tag
To tag a local image with name “httpd” and tag “test” into the “fedora” repository with “version1.0.test”:
$ docker tag httpd:test fedora/httpd:version1.0.test
https://docs.docker.com/engine/reference/commandline/tag/#examples
20. Question
Can a Dockerfile start with any command?
FALSE
TRUE
Unattempted
The FROM instruction initializes a new build stage and sets the Base Image for subsequent instructions.
As such, a valid Dockerfile must start with a FROM instruction.
ARG is the only instruction that may precede FROM in the Dockerfile.
For example:
ARG CODE_VERSION=latest
FROM base:${CODE_VERSION}
https://docs.docker.com/engine/reference/builder/#from
21. Question
What is the purpose of the docker image prune command?
Remove one or more images
Show the history of an image
Display detailed information on one or more images
Remove unused images
Unattempted
Prune unused Docker objects
Docker takes a conservative approach to cleaning up unused objects, such as images, containers, volumes, and networks: these objects are
generally not removed unless you explicitly ask Docker to do so.
This can cause Docker to use extra disk space. For each type of object, Docker provides a prune command. In addition, you can use docker
system prune to clean up multiple types of objects at once.
Prune images
The docker image prune command allows you to clean up unused images. By default, docker image prune only cleans up dangling images. A
dangling image is one that is not tagged and is not referenced by any container. To remove dangling images:
$ docker image prune
To remove all images which are not used by existing containers, use the -a flag:
$ docker image prune -a
https://docs.docker.com/config/pruning/#prune-images
22. Question
Which of the following Dockerfile instruction would set up the base image that can serve as a starting point for establishing a new image?
START
FROM
ARG
BASE
Unattempted
The FROM instruction initializes a new build stage and sets the Base Image for subsequent instructions. As such, a valid Dockerfile must
start with a FROM instruction.
https://docs.docker.com/engine/reference/builder/#from
23. Question
Can you save a Docker image in multiple repositories after the build?
TRUE
FALSE
Unattempted
To tag the image into multiple repositories after the build, add multiple -t parameters when you run the build command:
$ docker build -t myrepo/myapp:1.0.2 -t myrepo/myapp:latest .
https://docs.docker.com/engine/reference/builder/#run#usage
24. Question
Which of the following is not an endpoint exposed by Docker Trusted Registry (DTR) that can be used to assess the health of a Docker Trusted
Registry replica?
/api/v0/meta/cluster_status
/nginx_status
/replica_status
/health
Unattempted
Health checks
DTR also exposes several endpoints you can use to assess if a DTR replica is healthy or not:
/health: Checks if the several components of a DTR replica are healthy, and returns a simple json response. This is useful for load balancing
or other automated health check tasks.
/load_balancer_status: Checks if the several components of a DTR replica can be reached, and displays that information in a table. This is
useful for an administrator to gauge the status of a DTR replica.
/nginx_status: Returns the number of connections being handled by the NGINX front-end used by DTR.
/api/v0/meta/cluster_status: Returns extensive information about all DTR replicas.
https://github.com/docker/docker.github.io
25. Question
How can you configure the Docker daemon to start as the system boots up? (select two)
Use crond for Ubuntu 14.10 and below
Use upstart for Ubuntu 14.10 and below
Use systemd for most current Linux distributions (RHEL, CentOS, Fedora, Ubuntu 16.04 and higher)
Use startup for most current Linux distributions (RHEL, CentOS, Fedora, Ubuntu 16.04 and higher)
Unattempted
Most current Linux distributions (RHEL, CentOS, Fedora, Ubuntu 16.04 and higher) use systemd to manage which services start when the
system boots. Ubuntu 14.10 and below use upstart.
$ sudo systemctl enable docker
To disable this behavior, use disable instead.
$ sudo systemctl disable docker
https://docs.docker.com/engine/install/linux-postinstall/#configure-docker-to-start-on-boot
26. Question
Which is the docker command to backup the UCP?
docker backup all
docker backup ucp
docker ucp backup
docker/ucp backup
Unattempted
To create a UCP backup you should run the following command:
$ docker container run \
–rm \
–log-driver none \
–name ucp \
–volume /var/run/docker.sock:/var/run/docker.sock \
–volume /tmp:/backup \
docker/ucp:3.2.6 backup \
–file mybackup.tar \
–passphrase “secret12chars” \
–include-logs=false
Here, the “docker/ucp” represents a docker image, “backup” is the command to execute.
This command should be run on a single UCP manager. This creates a tar archive with the contents of all volumes used by UCP and streams
it to stdout. Additionally, you can include the version such as:
docker/ucp:3.2.6 backup
https://github.com/docker/docker.github.io
27. Question
To configure Docker daemon to start as the system boots up, which of the following commands is correct for most Linux distributions?
sudo systemctl start docker
sudo systemctl up docker
sudo systemctl enable docker
sudo systemctl default docker
Unattempted
Most current Linux distributions (RHEL, CentOS, Fedora, Ubuntu 16.04 and higher) use systemd to manage which services start when the
system boots. Ubuntu 14.10 and below use upstart.
$ sudo systemctl enable docker
To disable this behavior, use disable instead.
$ sudo systemctl disable docker
https://docs.docker.com/engine/install/linux-postinstall/#configure-docker-to-start-on-boot
28. Question
Can you use the local file system if you are deploying DTR with high-availability?
FALSE
TRUE
Unattempted
For high-availability you can deploy multiple DTR replicas, one on each UCP worker node.
https://github.com/docker/docker.github.io
29. Question
What docker command can you use to find the current logging driver for a running container?
docker info
docker inspect
docker config
docker status
Unattempted
Docker includes multiple logging mechanisms to help you get information from running containers and services. These mechanisms are
called logging drivers.
To find the current logging driver for a running container, run the docker inspect command, substituting the container name or ID for :
$ docker inspect
https://docs.docker.com/config/containers/logging/configure/
30. Question
Which command can you use on a node to join the current node to the swarm cluster as a worker node?
docker swarm join worker
None of the above
docker swarm join --token
docker swarm --join --token
Unattempted
The Docker Engine joins the swarm depending on the join-token you provide to the docker swarm join command.
To retrieve the join command including the join token for worker nodes, run the following command on a manager node:
$ docker swarm join-token worker
To add a worker to this swarm, run the following command with the output from the previous command:
docker swarm join \
–token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c \
192.168.99.100:2377
This node joined a swarm as a worker.
https://docs.docker.com/engine/swarm/join-nodes/#join-as-a-worker-node
31. Question
You can configure the daemon so that containers remain running if the daemon becomes unavailable. True or False.
TRUE
FALSE
Unattempted
By default, when the Docker daemon terminates, it shuts down running containers. Starting with Docker Engine 1.12, you can configure the
daemon so that containers remain running if the daemon becomes unavailable. This functionality is called live restore. The live restore option
helps reduce container downtime due to daemon crashes, planned outages, or upgrades.
https://docs.docker.com/config/containers/live-restore/
32. Question
Which is the recommended way to configure the daemon flags and environment variables for your Docker daemon in a platform-independent
way?
Using 'docker config' to set the configuration options.
Set the configuration options using the ENV variable
Set the configuration DOCKER_OPTS in '/etc/default/docker'
Set the configuration options in '/etc/docker/daemon.json'
Unattempted
There are a number of ways to configure the daemon flags and environment variables for your Docker daemon. The recommended way is to
use the platform-independent daemon.json
https://docs.docker.com/config/daemon/systemd/#custom-docker-daemon-options
33. Question
What are the hardware and software requirements to install Docker Trusted Registry (DTR)? (select all that apply)
Make sure the port 8080 and 8443 are open on the node
All nodes must be a worker node managed by Universal Control Plan
All nodes must have fixed hostname
DTR can be installed on-premises or on a cloud provider
Unattempted
You can install DTR on-premises or on a cloud provider. To install DTR, all nodes must:
· Be a worker node managed by UCP (Universal Control Plane). DTR replicas are installed one on each UCP worker node.
· Have a fixed hostname.
https://github.com/docker/docker.github.io
34. Question
To decrease the time to pull images for geographically dispersed users you can configure which DTR option?
DTR CDN
DTR cache
DTR Edge
DTR Local Registry
Unattempted
Cache deployment strategy
The main reason to use a DTR cache is so that users can pull images from a service that’s geographically closer to them.
In this example, a company has developers spread across three locations: United States, Asia, and Europe. Developers working in the US
office can pull their images from DTR without problem, but developers in the Asia and Europe offices complain that it takes them a long time
to pulls images.
To address that, you can deploy DTR caches in the Asia and Europe offices, so that developers working from there can pull images much
faster.
https://github.com/docker/docker.github.io
35. Question
Which of the following technologies make up container format? (select three)
Control Groups
Docker Daemon
UnionFS
Namespaces
Docker control plane
Unattempted
Docker Engine combines the namespaces, control groups, and UnionFS into a wrapper called a container format. The default container
format is libcontainer.
In the future, Docker may support other container formats by integrating with technologies such as BSD Jails or Solaris Zones.
https://docs.docker.com/get-started/overview/#container-format
36. Question
Which network allows Docker Trusted Registry components running on different nodes to communicate which each other and replicate Docker
Trusted Registry data?
dtr-vlan
dtr-hosts
dtr-br
dtr-ol
Unattempted
Networks used by DTR
To allow containers to communicate, when installing DTR the overlay networks should be created.
dtr-ol this allows DTR components running on different nodes to communicate, to replicate DTR data
https://github.com/docker/docker.github.io
37. Question
Which of the following is not backed up when performing a Docker Trusted Registry (DTR) backup?
Repository metadata.
DTR Configurations
Role-based access control (RBAC) settings.
Docker images.
Unattempted
DTR content backed-up
· Configurations – DTR settings and cluster configurations
· Repository metadata – Metadata such as image architecture, repositories, images deployed, and size
· Access control to repos and images – Data about who has access to which images and repositories
· Notary data – Signatures and digests for images that are signed
· Scan results – Information about vulnerabilities in your images
· Certificates and keys – Certificates, public keys, and private keys that are used for mutual TLS communication
DTR content NOT backed-up
· Image content – The images you push to DTR. This can be stored on the file system of the node running DTR, or other storage system,
depending on the configuration. Needs to be backed up separately, depends on DTR configuration
· Users, orgs, teams – Create a UCP backup to back up this data
· Vulnerability database – Can be redownloaded after a restore
https://github.com/docker/docker.github.io
38. Question
Which of the following options for resource limitation is representative of a Control Group (cgroup) when added to a container? (Choose the 2
correct answers)
-end=[#]
--cpus=[value]
--limit=[#]
--memory=[amount b/k/m/g]
Unattempted
–cpus=
Specify how much of the available CPU resources a container can use. For instance, if the host machine has two CPUs and you set –
cpus=”1.5″, the container is guaranteed at most one and a half of the CPUs. This is the equivalent of setting –cpu-period=”100000″ and –
cpu-quota=”150000″. Available in Docker 1.13 and higher.
-m or –memory=
The maximum amount of memory the container can use. If you set this option, the minimum allowed value is 4m (4 megabyte).
Most of these options take a positive integer, followed by a suffix of b, k, m, g, to indicate bytes, kilobytes, megabytes, or gigabytes.
https://docs.docker.com/config/containers/resource_constraints/
39. Question
You can monitor the status of UCP by using either the web UI, either the CLI?
TRUE
FALSE
Unattempted
You can monitor the status of UCP either by using the web UI, either the CLI.
https://github.com/docker/docker.github.io
40. Question
Which of the following components needs to be considered when making a backup for Docker EE? (select all that apply)
DTR
UCP
Swarm
RBAC
Unattempted
To back up Docker Enterprise, you must create individual backups for each of the following components:
1. Back up Docker Swarm. Back up Swarm resources like service and network definitions.
2. Back up Universal Control Plane (UCP). Back up UCP configurations such as Access control, Certificates and keys, volumes = All UCP
named volumes, which include all UCP component certs and data, Monitoring data gathered by UCP,
3. Back up Docker Trusted Registry (DTR). Back up DTR configurations, images, and metadata, Repository metadata, Access control to
repos and images, Notary data, Scan results.
If you do not create backups for all components, you cannot restore your deployment to its previous state.
Role-Based Access Control (RBAC) is part of UCP.
https://success.docker.com/article/backup-restore-best-practices
41. Question
Which of the following options best describes the procedure for backing up the Universal Control Plane (UCP) metadata?
Run a container from the ucp image with the backup command.
Create an archive for all of the data under the /var/data/ucp directory.
Run a container from the ucp image with the uninstall-ucp command.
Create an archive for all of the data under the /etc/docker/ucp directory.
Unattempted
Backups contain UCP configuration metadata to re-create configurations such as Administration Settings values such as LDAP and SAML,
and RBAC configurations (Collections, Grants, Roles, User, and more):
The following example shows how to create a UCP backup on a manager node, encrypt it by using a passphrase, decrypt it, verify its
contents, and store it locally on the node at /tmp/mybackup.tar:
$ docker container run \
–rm \
–log-driver none \
–name ucp \
–volume /var/run/docker.sock:/var/run/docker.sock \
–volume /tmp:/backup \
docker/ucp:3.2.6 backup \
–file mybackup.tar \
–passphrase “secret12chars” \
–include-logs=false
Here, the “docker/ucp” represents a docker image, “backup” is the command to execute.
https://github.com/docker/docker.github.io
42. Question
Which of the following namespaces is not activated by default?
pid
user
mnt
uts
Unattempted
Docker namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that
namespace.
Docker Engine uses namespaces such as the following on Linux:
· The pid namespace: Process isolation (PID: Process ID).
· The net namespace: Managing network interfaces (NET: Networking).
· The ipc namespace: Managing access to IPC resources (IPC: InterProcess Communication).
· The mnt namespace: Managing filesystem mount points (MNT: Mount).
· The uts namespace: Isolating kernel and version identifiers. (UTS: Unix Timesharing System).
However, for user namespace you have to start remapping UIDs in Docker Engine with the –userns-remap flag.
https://docs.docker.com/get-started/overview/#namespaces
https://success.docker.com/article/introduction-to-user-namespaces-in-docker-engine
43. Question
Which modes does Docker provide for delivering messages from the container to the log driver? (select two)
syncrhonous
non-blocking
blocking
asynchronous
Unattempted
Docker provides two modes for delivering messages from the container to the log driver:
· (default) direct, blocking delivery from container to driver
· non-blocking delivery that stores log messages in an intermediate per-container ring buffer for consumption by driver
https://docs.docker.com/config/containers/logging/configure/#configure-the-delivery-mode-of-log-messages-from-container-to-log-driver
44. Question
Which is the recommended way to installed Docker Engine on a production server?
None of the above
Install using the convenience script
Install from a package
Install using the repository
Unattempted
You can install Docker Engine in different ways, depending on your needs:
· Most users set up Docker’s repositories and install from them, for ease of installation and upgrade tasks. This is the recommended
approach.
· Some users download the RPM package and install it manually and manage upgrades completely manually. This is useful in situations such
as installing Docker on air-gapped systems with no access to the internet.
· In testing and development environments, some users choose to use automated convenience scripts to install Docker.
https://docs.docker.com/engine/install/centos/#installation-methods
45. Question
Which of the following commands can you use to display system-wide Docker configuration on a host?
docker status
docker info
docker inspect
docker system
Unattempted
To display system-wide information use:
docker info [OPTIONS]
This command displays system-wide information regarding the Docker installation. Information displayed includes the kernel version, number
of containers and images.
https://docs.docker.com/engine/reference/commandline/info/
46. Question
Which of the following products are included with a Docker EE software subscription? (select three)
Docker Universal Control Plane
Docker Swarm
Docker Trusted Registry
Docker Hub
Docker Engine with enterprise-grade support
Unattempted
Docker Enterprise components
Docker Enterprise has three major components, which together enable a full software supply chain, from image creation, to secure image
storage, to secure image deployment.
Docker Engine – Enterprise: The commercially supported Docker engine for creating images and running them in Docker containers.
Docker Trusted Registry (DTR): The production-grade image storage solution from Docker.
DTR is designed to scale horizontally as your usage increases. You can add more replicas to make DTR scale to your demand and for high
availability.
All DTR replicas run the same set of services, and changes to their configuration are propagated automatically to other replicas.
Universal Control Plane (UCP): Deploys applications from images, by managing orchestrators, like Kubernetes and Swarm.
UCP is designed for high availability (HA). You can join multiple UCP manager nodes to the cluster, and if one manager node fails, another
takes its place automatically without impact to the cluster.
Changes to the configuration of one UCP manager node are propagated automatically to other nodes.
https://github.com/docker/docker.github.io
47. Question
Which of the following is a step in backing up the Docker Swarm?
Back up the contents of /etc/docker/swarm on a Swarm manager.
Back up the layered file systems of all containers running within the swarm.
Back up the contents of /var/lib/docker/swarm on a Swarm manager.
Back up the contents of /etc/docker on a Swarm manager.
Unattempted
To backup the Swarm on Linux using Docker Engine >= 17.03, you can use the following steps.
Since this will need you to stop the engine of a manager, your cluster need to be healthy with at least 3 managers.
1. Select a manager node to do the operation. Try not to choose the leader one in order to avoid a new election inside the cluster.
2. Optional: Store the Docker version to a variable for easy addition to your backup name.
3. Stop the Docker Engine on the manager before backing up the data, so that no data is being changed during the backup.
4. Backup the entire Swarm folder /var/lib/docker/swarm.
5. Restart the manager Docker Engine.
https://success.docker.com/article/backup-restore-swarm-manager
Docker manager nodes store the swarm state and manager logs in the /var/lib/docker/swarm/
https://docs.docker.com/engine/swarm/admin_guide/#back-up-the-swarm
“/etc” is used for configurations (.conf files etc). here you find all the configs and settings for your system.
“/var” is usually used for log files, ‘temporary’ files (like mail spool, printer spool, etc), databases, and all other data not tied to a specific user.
Logs are usually in “/var/log”, databases in “/var/lib” (mysql – “/var/lib/mysql”), etc.
https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
48. Question
Which docker command can you use to add a node to a swarm?
docker join swarm
docker swarm add-node
docker swarm join
docker swarm create-node
Unattempted
To join a node to a swarm use the following command:
docker swarm join [OPTIONS] HOST:PORT
https://docs.docker.com/engine/reference/commandline/swarm_join/
49. Question
Which of the following endpoints exposed by Docker Trusted Registry (DTR) can be used to assess the health of a Docker Trusted Registry
replica?
/health
/api/health
/replica_status
/nginx/health
Unattempted
Health checks
DTR also exposes several endpoints you can use to assess if a DTR replica is healthy or not:
/health: Checks if the several components of a DTR replica are healthy, and returns a simple json response. This is useful for load balancing
or other automated health check tasks.
/load_balancer_status: Checks if the several components of a DTR replica can be reached, and displays that information in a table. This is
useful for an administrator to gauge the status of a DTR replica.
/nginx_status: Returns the number of connections being handled by the NGINX front-end used by DTR.
/api/v0/meta/cluster_status: Returns extensive information about all DTR replicas.
https://github.com/docker/docker.github.io
50. Question
Which of the following aspects of a container can make use of namespaces to provide isolation? (Choose 2)
Network
Host
Storage
Authentication
Process ID
Unattempted
Docker namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that
namespace.
Docker Engine uses namespaces such as the following on Linux:
· The pid namespace: Process isolation (PID: Process ID).
· The net namespace: Managing network interfaces (NET: Networking).
· The ipc namespace: Managing access to IPC resources (IPC: InterProcess Communication).
· The mnt namespace: Managing filesystem mount points (MNT: Mount).
· The uts namespace: Isolating kernel and version identifiers. (UTS: Unix Timesharing System).
https://docs.docker.com/get-started/overview/#namespaces
51. Question
From where can you get a repository URL for installing the Docker Enterprise Edition (EE)?
Docker Hub
Docker Trusted Registry
Docker Enterprise Hub
Docker Marketplace
Unattempted
To install Docker Enterprise, you will need the URL of the Docker Enterprise repository associated with your trial or subscription:
https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-products/docker-engine-enterprise/dee-linux/rhel.html
This section lists what you need to consider before installing Docker Engine – Enterprise. Items that require action are explained below.
· Use storage driver overlay2 or devicemapper (direct-lvm mode in production).
· Find the URL for your Docker Engine – Enterprise repo at Docker Hub.
· Uninstall old versions of Docker.
· Remove old Docker repos from /etc/yum.repos.d/.
https://github.com/docker/docker.github.io
52. Question
How can you configure the default logging driver for containers?
Set the log-driver option in the key.json file
Use loging-driver –flag
Use --log-driver flag
Set the log-driver option in the deamon.json file
Unattempted
Each Docker daemon has a default logging driver, which each container uses unless you configure it to use a different logging driver.
To configure the Docker daemon to default to a specific logging driver, set the value of log-driver to the name of the logging driver in the
daemon.json file, which is located in /etc/docker/ on Linux hosts or C:\ProgramData\docker\config\ on Windows server hosts.
https://docs.docker.com/config/containers/logging/configure/
53. Question
What is used by the kernel to provide isolation for resources when running Docker containers?
Volumes
Overlay networks
Control groups
Namespaces
Unattempted
Linux namespaces provide isolation for running processes, limiting their access to system resources without the running process being
aware of the limitations.
https://docs.docker.com/engine/security/userns-remap/
Docker uses a this technology to provide the isolated workspace called the container. When you run a container, Docker creates a set of
namespaces for that container.
These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that
namespace.
https://docs.docker.com/get-started/overview/#namespaces
54. Question
What is the purpose of the Universal Control Plane (UCP)?
To configure docker on a Linux host
To control all the running container processes
To provide an integrated application management platform
To create a docker swarm cluster
Unattempted
Docker Universal Control Plane (UCP) is the enterprise-grade cluster management solution from Docker.
With Docker, you can join up to thousands of physical or virtual machines together to create a container cluster that allows you to deploy
your applications at scale. UCP extends the functionality provided by Docker to make it easier to manage your cluster from a centralized
place.
https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-products/ucp.html
55. Question
Which logging driver is not supported by Docker?
azurelogs
none
syslog
awslogs
gcplogs
Unattempted
The following logging drivers are supported.
Driver
Description
none No logs are available for the container and docker logs does not return any output.
local Logs are stored in a custom format designed for minimal overhead.
json-file The logs are formatted as JSON. The default logging driver for Docker.
syslog Writes logging messages to the syslog facility. The syslog daemon must be running on the host machine.
journald Writes log messages to journald. The journald daemon must be running on the host machine.
gelf
Writes log messages to a Graylog Extended Log Format (GELF) endpoint such as Graylog or Logstash.
fluentd Writes log messages to fluentd (forward input). The fluentd daemon must be running on the host machine.
awslogs Writes log messages to Amazon CloudWatch Logs.
splunk Writes log messages to splunk using the HTTP Event Collector.
etwlogs Writes log messages as Event Tracing for Windows (ETW) events. Only available on Windows platforms.
gcplogs Writes log messages to Google Cloud Platform (GCP) Logging.
logentries Writes log messages to Rapid7 Logentries.
https://docs.docker.com/config/containers/logging/configure/#supported-logging-drivers
56. Question
Which of the following features is supported by control groups?
Isolate processes in a container
Manage certificates
Limit CPU usage within a container
Collect logs
Unattempted
Control groups
Docker Engine on Linux also relies on another technology called control groups (cgroups).
A cgroup limits an application to a specific set of resources. Control groups allow Docker Engine to share available hardware resources to
containers and optionally enforce limits and constraints.
For example, you can limit the memory or CPU available to a specific container.
https://docs.docker.com/get-started/overview/#control-groups
57. Question
A user is having problems running Docker. How can you start Docker in debug mode?
Set the debug key to true in the 'daemon.json' file.
Start the 'dockerd' process manually with the '--raw-logs' flag set to debug
Start the 'dockerd' process manually with the '--logging' flag set to debug
Set the logging key to debug in the 'daemon.json' file.
Unattempted
There are two ways to enable debugging. The recommended approach is to set the debug key to true in the daemon.json file. This method
works for every Docker platform.
Find the daemon.json file, which is usually located in /etc/docker/. You may need to create this file, if it does not yet exist.
If the file is empty, add the following:
{
}
“debug”: true
After the daemon.json file is modified, you should send a HUP signal to the daemon to cause it to reload its configuration. On Linux hosts,
use the following command.
sudo kill -SIGHUP $(pidof dockerd)
Instead of following this procedure, you can also stop the Docker daemon and restart it manually with the debug flag -D. However, this may
result in Docker restarting with a different environment than the one the hosts’ startup scripts create, and this may make debugging more
difficult.
https://docs.docker.com/config/daemon/#enable-debugging
58. Question
Which of the following commands will set the Docker engine into debug mode?
echo '{"debug": true}' > /var/lib/docker/daemon.json ; sudo kill -HUP
echo '{"debug": true}' > /etc/docker/config.json ; sudo kill -HUP
echo '{"debug": true}' > /var/lib/docker/config.json ; sudo kill -HUP
echo '{"debug": true}' > /etc/docker/daemon.json ; sudo kill -HUP
Unattempted
To make the modifications and send the HUP signal in one-line use:
echo ‘{“debug”: true}’ > /etc/docker/daemon.json ; sudo kill -HUP
https://docs.docker.com/config/daemon/#enable-debugging
59. Question
Single sign-on (SSO) with UCP can only be configured at installation time?
FALSE
TRUE
Unattempted
To only authenticate once, you can configure DTR to have single sign-on (SSO) with UCP.
Users are shared between UCP and DTR by default, but the applications have separate browser-based interfaces which require
authentication.
When installing DTR, pass –dtr-external-url to enable SSO.
You can also enable single sign-on from the command line by reconfiguring your DTR.
To do so, run the following:
docker run –rm -it \
docker/dtr:2.7.6 reconfigure \
–dtr-external-url dtr.example.com \
…
https://github.com/docker/docker.github.io
60. Question
What flag can you pass to docker run to set various restrictions on resource usage such as stack size, open files, processes etc.?
--ulimit
--resource-limit
nproc
Unattempted
–default-ulimit allows you to set the default ulimit options to use for all containers. It takes the same options as –ulimit for docker run. If
these defaults are not set, ulimit settings will be inherited, if not set on docker run, from the Docker daemon. Any –ulimit options passed to
docker run will overwrite these defaults.
Be careful setting nproc with the ulimit flag as nproc is designed by Linux to set the maximum number of processes available to a user, not
to a container. For details please check the run reference.
https://docs.docker.com/engine/reference/commandline/dockerd/#default-ulimit-settings
61. Question
With which flag should you run docker swarm init, after restoring a swarm backup, to ensure that the node does not attempt to connect to
nodes that were part of the old swarm?
--force-init
--restore
--force
--force-new-cluster
Unattempted
–force-new-cluster
This flag forces an existing node that was part of a quorum that was lost to restart as a single node Manager without losing its data.
https://docs.docker.com/engine/reference/commandline/swarm_init/#–force-new-cluster
62. Question
You are using self-signed UCP certs and have a second DNS name that points to your internal controllers (UCP). When installing UCP, which
flag should you use to add this additional name?
-external-server-cert
--internal-server-cert
--san
--dns
Unattempted
UCP always runs with HTTPS enabled. When you connect to UCP, you need to make sure that the hostname that you use to connect is
recognized by UCP’s certificates.
If, for instance, you put UCP behind a load balancer that forwards its traffic to your UCP instance, your requests will be for the load balancer’s
hostname or IP address, not UCP’s. UCP will reject these requests unless you include the load balancer’s address as a Subject Alternative
Name (or SAN) in UCP’s certificates.
If you use your own TLS certificates, make sure that they have the correct SAN values
If you want to use the self-signed certificate that UCP has out of the box, you can set up the SANs when you install UCP with the –
san argument. You can also add them after installation.
https://github.com/docker/docker.github.io
63. Question
Which is the default logging driver of Docker for Linux distributions?
none
fluentd
json-file
syslog
Unattempted
To configure the Docker daemon to a specific logging driver, set the value of log-driver to the name of the logging driver in the daemon.json
file.
The default logging driver is json-file.
To find the current default logging driver for the Docker daemon, run docker info and search for Logging Driver. You can use the following
command on Linux, macOS, or PowerShell on Windows:
$ docker info –format ‘{{.LoggingDriver}}’
https://docs.docker.com/config/containers/logging/configure/#configure-the-default-logging-driver
64. Question
Which command can you use to start a docker daemon manually?
sudo docker daemon start
dockerd
docker start --daemon
docker daemon start
Unattempted
Start the daemon manually
If you don’t want to use a system utility to manage the Docker daemon, or just want to test things out, you can manually run it using the
dockerd command. You may need to use sudo, depending on your operating system configuration.
When you start Docker this way, it runs in the foreground and sends its logs directly to your terminal.
$ dockerd
INFO[0000] +job init_networkdriver()
INFO[0000] +job serveapi(unix:///var/run/docker.sock)
INFO[0000] Listening for HTTP on unix (/var/run/docker.sock)
To stop Docker when you have started it manually, issue a Ctrl+C in your terminal.
http://dockerlabs.collabnix.com/beginners/components/daemon/
65. Question
Which feature allows Docker Engine to share available hardware resources to containers and optionally enforce limits and constraints?
Virtualization Layers
Control Groups
Hardware Abstraction
HyperVisor
Unattempted
Control groups
Docker Engine on Linux also relies on another technology called control groups (cgroups).
A cgroup limits an application to a specific set of resources. Control groups allow Docker Engine to share available hardware resources to
containers and optionally enforce limits and constraints.
For example, you can limit the memory or CPU available to a specific container.
https://docs.docker.com/get-started/overview/#control-groups
Use Page numbers below to navigate to other practice tests
Pages:
1
2
3
4
5
6
7
8
9
10
11
12
← Previous Post
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
REFUND REQUEST
BROWSE ALL PRACTICE TESTS
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
Software pros, listen up! Today only, you can unlock 25% off on enrolling in 2 or more courses at once. Use Code: SAVINGS25
Search for products...
All Courses
Contact Us
MY ACCOUNT
/ Docker / By SkillCertPro
Practice Set 4
Your results are here!! for" Docker Certified Associate Practice Set 4 "
0 of 65 questions answered correctly
Your time: 00:00:02
Your Final Score is : 0
You have attempted : 0
Number of Correct Questions : 0 and scored 0
Number of Incorrect Questions : 0 and Negative marks 0
Average score
Your score
75.12%
0.00%
You can review your answers by clicking view questions.
Important Note : Open Reference Documentation Links in New Tab (Right Click and Open in New Tab).
Restart Test
View Answers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Answered
Review
1. Question
How is called the image storage solution that is part of Docker Enterprise Edition?
Docker Registry
Universal Control Plane
Docker Trusted Registry
Docker Hub
Unattempted
Docker Trusted Registry (DTR) is the enterprise-grade image storage solution from Docker.
https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-products/dtr.html
2. Question
A host machine has 4 CPUs available and 2 running containers. The sysadmin would like to assign 2 CPUs to each container. Which of the
following commands achieves this?
Set the '--cpuset-cpus' flag of the 'dockerd' process to the value 'even-spread'
Set the '--cpuset-cpus' flag to '.5' on both containers
Set the '--cpu-quota' flag to '0,2' on one container and '1,3' on the other container.
Set the '--cpuset-cpu's flag to '0,2' on one container and '1,3' on the other container.
Unattempted
By default, each container’s access to the host machine’s CPU cycles is unlimited. You can set various constraints to limit a given container’s
access to the host machine’s CPU cycles.
Several runtime flags allow you to configure the amount of access to CPU resources your container has. When you use these settings,
Docker modifies the settings for the container’s cgroup on the host machine.
–cpuset-cpus
Limit the specific CPUs or cores a container can use. A comma-separated list or hyphen-separated range of CPUs a container can use, if you
have more than one CPU. The first CPU is numbered 0. A valid value might be 0-3 (to use the first, second, third, and fourth CPU) or 1,3 (to
use the second and fourth CPU).
https://docs.docker.com/config/containers/resource_constraints/#cpu
We can set cpus in which to allow execution for containers.
Examples:
$ docker run -it –cpuset-cpus=”1,3″ ubuntu:14.04 /bin/bash
This means processes in container can be executed on cpu 1 and cpu 3.
$ docker run -it –cpuset-cpus=”0-2″ ubuntu:14.04 /bin/bash
This means processes in container can be executed on cpu 0, cpu 1 and cpu 2.
https://docs.docker.com/engine/reference/run/#cpuset-constraint
3. Question
What Linux technology does Docker use in order to limit memory usage for containers?
Namespaces
Control groups ( cgroups )
Capabilities
The mem namespace.
Unattempted
Control groups
Docker Engine on Linux also relies on another technology called control groups (cgroups).
A cgroup limits an application to a specific set of resources. Control groups allow Docker Engine to share available hardware resources to
containers and optionally enforce limits and constraints.
For example, you can limit the memory or CPU available to a specific container.
https://docs.docker.com/get-started/overview/#control-groups
4. Question
When you start manually the docker daemon you see an error like the one below. What should you do?
unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the
configuration file: hosts: (from flag: [unix:///var/run/docker.sock], from file: [tcp://127.0.0.1:2376])
Adjust the flags you're using to start the daemon or modify the daemon.json to remove the conflict
Ensure the host is accessible on the network and try again
Restart your host to resolve the conflict
Verify that port 2376 is open
Unattempted
Troubleshoot conflicts between the daemon.json and startup scripts
If you use a daemon.json file and also pass options to the dockerd command manually or using start-up scripts, and these options conflict,
Docker fails to start with an error such as:
unable to configure the Docker daemon with file /etc/docker/daemon.json:
the following directives are specified both as a flag and in the configuration
file: hosts: (from flag: [unix:///var/run/docker.sock], from file: [tcp://127.0.0.1:2376])
If you see an error similar to this one and you are starting the daemon manually with flags, you may need to adjust your flags or the
daemon.json to remove the conflict.
https://docs.docker.com/config/daemon/#troubleshoot-conflicts-between-the-daemonjson-and-startup-scripts
5. Question
Which is the recommended approach to set the storage driver?
Use --storage-driver flag when running dockerd
Set the "storage-driver" option in the daemon.json file
Unattempted
There are a number of ways to configure the daemon flags and environment variables for your Docker daemon. The recommended way is to
use the platform-independent daemon.json file, which is located in /etc/docker/ on Linux by default.
https://docs.docker.com/config/daemon/systemd/#custom-docker-daemon-options
6. Question
What is the endpoint that we can use to check the health of a single UCP manager node?
https: :///_health
https:///_ heartbeat
https:///_ping
https:///_status
Unattempted
You can use the https:///_ping endpoint to check the health of a single UCP manager node.
When you access this endpoint, the UCP manager validates that all its internal components are working, and returns one of the following
HTTP error codes:
· 200, if all components are healthy
· 500, if one or more components are not healthy
https://github.com/docker/docker.github.io
7. Question
Which command can you use to interactively monitor all container activity in the Docker engine?
docker system events
docker container logs
docker container events
docker system logs
Unattempted
Use docker system events to get real-time events from the server.
These events differ per Docker object type such as containers, images, plugins, volumes and daemons.
https://docs.docker.com/engine/reference/commandline/system_events/
8. Question
Which of the following commands can you use to set a DNS server for all Docker containers?
dockerd --dns-update IP_ADDRESS
dockerd --set-dns IP_ADDRESS
dockerd --dns IP_ADDRESS
dockerd --dns-server IP_ADDRESS
Unattempted
By using dockerd you can start the Docker daemon manually. On a typical installation the Docker daemon is started by a system utility, not
manually by a user. However, this command can be useful to test things out and for troubleshooting problems.
To configure the DNS servers for all Docker containers you have to set the configuration at Docker daemon level.
By using dockerd command you can also configure it using flags.
For example, to set the DNS server for all Docker containers, use:
dockerd –dns IP_ADDRESS
To specify multiple DNS servers, use multiple –dns flags.
If the container cannot reach any of the IP addresses you specify, Google’s public DNS server 8.8.8.8 is added, so that your container can
resolve internet domains.
http://dockerlabs.collabnix.com/beginners/components/daemon/
https://docs.docker.com/config/containers/container-networking/
9. Question
Which of the following docker command can you use to connect a running container to an existing user-defined bridge?
docker network attach
docker network connect
docker connect network
docker network join
Unattempted
To connect a running container to an existing user-defined bridge, use the docker network connect command.
The following command connects an already-running my-nginx container to an already-existing my-net network:
$ docker network connect my-net my-nginx
https://docs.docker.com/network/bridge/#connect-a-container-to-a-user-defined-bridge
10. Question
Which of the following commands should you use to ensure that overlay traffic between service tasks is encrypted?
docker service create --network –encrypted
docker service create --network --secure
docker network create -d overlay -o encrypted=true
docker network create -d overlay --secure
Unattempted
Encrypt traffic on an overlay network
All swarm service management traffic is encrypted by default, using the AES algorithm in GCM mode. Manager nodes in the swarm rotate
the key used to encrypt gossip data every 12 hours.
To encrypt application data as well, add –opt encrypted when creating the overlay network. This enables IPSEC encryption at the level of the
vxlan. This encryption imposes a non-negligible performance penalty, so you should test this option before using it in production.
https://docs.docker.com/network/overlay/
To set driver specific options use:
–opt , -o
For example:
$ docker network create -d overlay \
–opt encrypted=true \
my-network -network
https://docs.docker.com/engine/reference/commandline/network_create/
11. Question
Which type of network driver is best when you are migrating from a VM setup or need your containers to look like physical hosts on your
network, each with a unique MAC address?
Macvlan networks
User-defined bridge networks
Host networks
Overlay networks
Unattempted
macvlan: Macvlan networks allow you to assign a MAC address to a container, making it appear as a physical device on your network. The
Docker daemon routes traffic to containers by their MAC addresses. Using the macvlan driver is sometimes the best choice when dealing
with legacy applications that expect to be directly connected to the physical network, rather than routed through the Docker host’s network
stack. See Macvlan networks.
https://docs.docker.com/network/#network-drivers
12. Question
Which of the following provides supports for host networking?
Docker EE for Windows Server
Docker for Linux Distributions
Docker Desktop for Mac
Docker Desktop for Windows
Unattempted
If you use the host network mode for a container, that container’s network stack is not isolated from the Docker host (the container shares
the host’s networking namespace), and the container does not get its own IP-address allocated.
For instance, if you run a container which binds to port 80 and you use host networking, the container’s application is available on port 80 on
the host’s IP address.
The host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac, Docker Desktop for Windows, or
Docker EE for Windows Server.
Host mode networking can be useful to optimize performance, and in situations where a container needs to handle a large range of ports, as
it does not require network address translation (NAT), and no “userland-proxy” is created for each port.
https://docs.docker.com/network/host/
13. Question
Docker containers connect by default to which of the following network drivers?
host
bridge
docker_gwbridge
overlay
Unattempted
If you do not specify a network using the –network flag, and you do specify a network driver, your container is connected to the default
bridge network by default.
https://docs.docker.com/network/bridge/#use-the-default-bridge-network
14. Question
Which of the following statement is false about Virtual IP (VIP)?
Traffic to the VIP is automatically sent to all healthy tasks of that service across the overlay network.
When resolving the service's name, a VIP is returned.
There are multiple VIP for a service, one for each task.
When services are created in a Docker swarm cluster, they are automatically assigned a VIP that is part of the service's network.
Unattempted
Internal Load Balancing
When services are created in a Docker swarm cluster, they are automatically assigned a Virtual IP (VIP) that is part of the service’s network.
The VIP is returned when resolving the service’s name.
Traffic to the VIP is automatically sent to all healthy tasks of that service across the overlay network. This approach avoids any client-side load
balancing because only a single IP is returned to the client. Docker takes care of routing and equally distributes the traffic across the healthy
service tasks.
https://success.docker.com/article/ucp-service-discovery-swarm#interlockproxyusageexamples
15. Question
When running network in ‘host’ mode, what option of ‘docker run’ can you use to override the hostname of the container?
-n
--hostname
--name
-host
Unattempted
With the network set to host a container will share the host’s network stack and all interfaces from the host will be available to the container.
The container’s hostname will match the hostname on the host system.
Even in host network mode a container has its own UTS namespace by default.
As such –hostname and –domainname are allowed in host network mode and will only change the hostname and domain name inside the
container.
https://docs.docker.com/engine/reference/run/#network-settings
16. Question
Which of the following components is used to track IP addresses and to provide default subnets or IP addresses for the networks and
endpoints?
Network Sandbox
libnetwork
MACVLAN
IPAM drivers
Unattempted
IPAM Drivers — Docker has a native IP Address Management Driver that provides default subnets or IP addresses for the networks and
endpoints if they are not specified. IP addressing can also be manually assigned through network, container, and service create commands.
Remote IPAM drivers also exist and provide integration to existing IPAM tools.
https://success.docker.com/article/networking#networkscope
17. Question
You want to run an nginx web-server container as a background process. Which of the following is the correct command to make sure that the
port 80 of the container is mapped to port 8080 on localhost machine?
docker run -itd --name web-server -P nginx:latest
docker run -itd --name web-server -p 8080:80 nginx:latest
docker run -itd --name web-server -p 80:8080 nginx:latest
docker run --name web-server -p 8080:80 nginx:latest
Unattempted
To start a container in detached mode, you use -d=true or just -d option. By design, containers started in detached mode exit when the root
process used to run the container exits.
https://docs.docker.com/engine/reference/run/#detached–d
To make a port available to services outside of Docker, or to Docker containers which are not connected to the container’s network, use the –
publish or -p flag.
Here is anexample:
docker run -p 80:8080 ubuntu bash
This binds port 8080 of the container to TCP port 80 on the host machine.
https://docs.docker.com/engine/reference/commandline/run/#publish-or-expose-port–p—expose
https://docs.docker.com/config/containers/container-networking/#published-ports
18. Question
Which is the docker command to display detailed information on one or more networks?
docker network display
docker network status
docker inspect network
docker network inspect
Unattempted
To manage networks, you can use:
docker network COMMAND
To display detailed information on one or more networks you can use:
docker network inspect [OPTIONS] NETWORK [NETWORK…]
https://docs.docker.com/engine/reference/commandline/network_inspect/
19. Question
Which type of network driver is best when you need multiple containers to communicate on the same Docker host?
Overlay networks
Macvlan networks
Host networks
User-defined bridge networks
Unattempted
Different types and use cases for the built-in network drivers:
· User-defined bridge networks are best when you need multiple containers to communicate on the same Docker host.
· Host networks are best when the network stack should not be isolated from the Docker host, but you want other aspects of the container
to be isolated.
· Overlay networks are best when you need containers running on different Docker hosts to communicate, or when multiple applications
work together using swarm services.
· Macvlan networks are best when you are migrating from a VM setup or need your containers to look like physical hosts on your network,
each with a unique MAC address.
· Third-party network plugins allow you to integrate Docker with specialized network stacks.
https://docs.docker.com/network/#network-driver-summary#network-driver-summary
20. Question
Which docker run option can you use to publish a port so that an application is accessible externally?
docker run --publish-port
docker run --open-port
docker run --expose
docker run --publish
Unattempted
The following run command options work with container networking:
–expose
Expose a port or a range of ports inside the container. You expose ports using the EXPOSE keyword in the Dockerfile or the –expose flag to
docker run. Exposing ports is a way of documenting which ports are used, but does not actually map or open any ports. Exposing ports is
optional.
–publish-all or -P
Publish all exposed ports to the host interfaces. Docker binds each exposed port to a random port on the host. Use the -p flag to explicitly
map a single port or range of ports.
-p or –publish
It makes a port available to services outside of Docker, or to Docker containers which are not connected to the container’s network.
format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
https://docs.docker.com/engine/reference/run/#expose-incoming-ports
https://docs.docker.com/config/containers/container-networking/
Example:
docker run -p 127.0.0.1:80:8080 ubuntu bash
21. Question
Which of the following networks is used as the default network for Kubernetes by Universal Control Plane?
Weave net
Calico
Flannel
Romana
Unattempted
Docker Universal Control Plane (UCP) uses Calico as the default Kubernetes networking solution. Calico is configured to create a Border
Gateway Protocol (BGP) mesh between all nodes in the cluster.
https://github.com/docker/docker.github.io
22. Question
Which of the following differences between user-defined bridge networks and the default bridge network is FALSE?
Linked containers on the default bridge network share environment variables.
User-defined bridges provide better isolation and interoperability between containerized applications.
Containers can be attached and detached from the default bridge network on the fly.
User-defined bridges provide automatic DNS resolution between containers.
Unattempted
Bridge networks apply to containers running on the same Docker daemon host.
When you start Docker, a default bridge network (also called bridge) is created automatically, and newly-started containers connect to it
unless otherwise specified.
You can also create user-defined custom bridge networks. User-defined bridge networks are superior to the default bridge network for the
following reasons:
· User-defined bridges provide automatic DNS resolution between containers.
· User-defined bridges provide better isolation.
· Containers can be attached and detached from user-defined networks on the fly.
· Each user-defined network creates a configurable bridge.
· Linked containers on the default bridge network share environment variables.
https://docs.docker.com/network/bridge/#differences-between-user-defined-bridges-and-the-default-bridge
23. Question
Which of the following network drivers uses VXLAN data plane to decouple docker network from the underlay physical network?
host
overlay
bridge
macvlan
Unattempted
Linux bridges only operate locally and cannot span across nodes.
So, for multi-host networking we need another mechanism. Linux VXLAN comes to the rescue.
When a container sends a data packet, the bridge realizes that the target of the packet is not on this host.
Now, each node participating in an overlay network gets a so-called VXLAN Tunnel Endpoint (VTEP) object, which intercepts the packet (the
packet at that moment is an OSI layer 2 data packet), wraps it with a header containing the target IP address of the host that runs the target
container (this makes it now an OSI layer 3 data packet), and sends it over the VXLAN tunnel.
The VTEP on the other side of the tunnel unpacks the data packet and forwards it to the local bridge, which in turn forwards it to the target
container.
24. Question
When you publish a port of a service in swarm mode it is published on every node in the cluster by default? True or false
TRUE
FALSE
Unattempted
When you create a swarm service, you can publish that service’s ports to hosts outside the swarm in two ways:
· You can rely on the routing mesh. When you publish a service port, the swarm makes the service accessible at the target port on every
node, regardless of whether there is a task for the service running on that node or not. This is less complex and is the right choice for many
types of services.
· You can publish a service task’s port directly on the swarm node where that service is running. This feature is available in Docker 1.13 and
higher. This bypasses the routing mesh and provides the maximum flexibility, including the ability for you to develop your own routing
framework. However, you are responsible for keeping track of where each task is running and routing requests to the tasks, and loadbalancing across the nodes.
By default, services are using the routing mesh which makes the service accessible at the published port on every swarm node. When a user
or process connects to a service, any worker node running a service task may respond.
To publish a service’s port directly on the node where it is running, use the mode=host option to the –publish flag.
For example:
$ docker service create \
–mode global \
–publish mode=host,target=80,published=8080 \
–name=nginx \
nginx:latest
https://docs.docker.com/engine/swarm/services/#publish-ports
25. Question
Which of the following network construct aim to provide isolation for a container?
IPAM Driver
Endpoint
Routing mesh
Sandbox
Unattempted
The sandbox perfectly isolates a container from the outside world. No inbound network connection is allowed into the sandboxed container.
Yet, it is very unlikely that a container will be of any value in a system if absolutely no communication with it is possible. To work around this,
we have element number two, which is the endpoint.
An endpoint is a controlled gateway from the outside world into the network’s sandbox that shields the container. The endpoint connects the
network sandbox, but not the container, to the third element of the model, which is the network. Also, the Endpoint construct exists so
the actual connection to the network can be abstracted away from the application. This helps maintain portability so that a service can use
different types of network drivers without being concerned with how it’s connected to that network.
https://success.docker.com/article/networking#networkscope
26. Question
Which address pool is used by Docker Swarm by default?
10.0.0.0/16
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
Unattempted
By default, Docker Swarm uses a default address pool 10.0.0.0/8 for global scope (overlay) networks.
Every network that does not have a subnet specified will have a subnet sequentially allocated from this pool. In some circumstances it may
be desirable to use a different default IP address pool for networks.
For example, if the default 10.0.0.0/8 range conflicts with already allocated address space in your network, then it is desirable to ensure that
networks use a different range without requiring Swarm users to specify each subnet with the –subnet command.
https://docs.docker.com/engine/swarm/swarm-mode/#configuring-default-address-pools
27. Question
Which of the following statements is false?
Linked containers on the user-defined networks can share environment variables
User-defined bridges provide better isolation and interoperability between containerized applications
Containers can be attached and detached from user-defined networks on the fly
Each user-defined network creates a configurable bridge
Unattempted
Linked containers on the default bridge network share environment variables.
First, –link option, which is considered legacy.
Originally, the only way to share environment variables between two containers was to link them using the –link flag. This type of variable
sharing is not possible with user-defined networks. However, there are superior ways to share environment variables. A few ideas:
are file or directory mounting, use docker-compose, secrets and configmaps.
User-defined bridges provide better isolation.
All containers without a –network specified, are attached to the default bridge network. This can be a risk, as unrelated
stacks/services/containers are then able to communicate.
Using a user-defined network provides a scoped network in which only containers attached to that network are able to communicate.
Containers can be attached and detached from user-defined networks on the fly.
Each user-defined network creates a configurable bridge
User-defined bridge networks are created and configured using docker network create. If different groups of applications have different
network requirements, you can configure each user-defined bridge separately, as you create it.
https://docs.docker.com/network/bridge/
28. Question
Which of the following commands can you use to create an overlay network for standalone containers?
docker network create -d overlay --attachable my-network
docker network create --ingress my-network
docker network create -d overlay my-network
docker swarm create -d overlay my-network
Unattempted
To create an overlay network which can be used by swarm services or standalone containers to communicate with other standalone
containers running on other Docker daemons, add the –attachable flag:
$ docker network create -d overlay –attachable my-attachable-overlay
https://docs.docker.com/network/overlay/
29. Question
Which docker command can be used to find all the ports mapped? (select all that apply).
docker ps
docker inspect
docker network ls
docker port
Unattempted
Docker port command only shows the port published externally.
https://docs.docker.com/engine/reference/commandline/port/
30. Question
Which type of network driver is best when you need containers running on different Docker hosts to communicate, or when multiple
applications work together using swarm services?
User-defined bridge networks
Overlay networks
Macvlan networks
Host networks
Unattempted
The overlay network driver creates a distributed network among multiple Docker daemon hosts. This network sits on top of (overlays) the
host-specific networks, allowing containers connected to it (including swarm service containers) to communicate securely when encryption is
enabled. Docker transparently handles routing of each packet to and from the correct Docker daemon host and the correct destination
container.
https://docs.docker.com/network/overlay/
31. Question
Which of the following is the default network for swarm services?
host
ingress
none
bridge
Unattempted
When you create a swarm service and do not connect it to a user-defined overlay network, it connects to the ingress network by default.
https://docs.docker.com/network/overlay/
32. Question
Which is the default method of exposing a service internally in Docker Kubernetes Service?
LoadBalancer
NodePort
ClusterIP
Ingress
Unattempted
Services will receive a cluster-scoped Virtual IP address also known as ClusterIP.
ClusterIP is the default method of exposing the service internally. Once the service is created and a VIP is associated with it, every kubeproxy running on every cluster node will program an iptables rule so that all traffic destined to that VIP will be redirected to one of the
Service’s backend pods instead.
If the service needs to be accessed from outside the cluster, then there are a couple of available options to doing so. Mainly NodePort and
LoadBalancer.
Ingress is another method that you can use. Ingress is technically not a Type of a service, but it’s another method for using Layer 7 based
routing to expose your services externally.
https://success.docker.com/article/ucp-service-discovery-k8s
33. Question
In which of the following modes can you create Macvlan networks? (select two)
Promiscuous mode
802.1q trunk bridge mode
Bridge mode
Direct mode
Unattempted
When you create a macvlan network, it can either be in bridge mode or 802.1q trunk bridge mode.
· In bridge mode, macvlan traffic goes through a physical device on the host.
· In 802.1q trunk bridge mode, traffic goes through an 802.1q sub-interface which Docker creates on the fly. This allows you to control
routing and filtering at a more granular level.
https://docs.docker.com/network/macvlan/#create-a-macvlan-network
34. Question
Which of the following is incorrect about overlay networks?
Overlay networks are only created on the manager nodes.
Overlay networks use VXLAN data plane to decouples the container network from the underlying physical network (the underlay).
Service management traffic is encrypted by default, but application data traffic can be encrypted as well
Docker transparently handles routing of each packet to and from the correct Docker daemon host and the correct destination container.
Unattempted
The overlay network driver creates a distributed network among multiple Docker daemon hosts.
This network sits on top of (overlays) the host-specific networks, allowing containers connected to it (including swarm service containers) to
communicate securely when encryption is enabled.
Docker transparently handles routing of each packet to and from the correct Docker daemon host and the correct destination container.
https://docs.docker.com/network/overlay/
35. Question
What network port is used on Docker host to allow overlay network traffic in swarm mode?
UDP port 7946
TCP port 443
TCP port 2377
UDP port 4789
Unattempted
When creating overlay networks, the are some prerequisites:
· Setup the firewall rules
You need the following ports open to traffic to and from each Docker host participating on an overlay network:
TCP port 2377 for cluster management communications
TCP and UDP port 7946 for communication among nodes
UDP port 4789 for overlay network traffic
· Before you can create an overlay network, you need to either initialize your Docker daemon as a swarm manager using docker swarm init or
join it to an existing swarm using docker swarm join. Either of these creates the default ingress overlay network which is used by swarm
services by default. You need to do this even if you never plan to use swarm services. Afterward, you can create additional user-defined
overlay networks.
https://docs.docker.com/network/overlay/#operations-for-all-overlay-networks
36. Question
Which type of network driver is best when you need containers running on different Docker hosts to communicate, or when multiple
applications work together using swarm services?
Macvlan networks
Overlay networks
User-defined bridge networks
Host networks
Unattempted
Different types and use cases for the built-in network drivers:
· User-defined bridge networks are best when you need multiple containers to communicate on the same Docker host.
· Host networks are best when the network stack should not be isolated from the Docker host, but you want other aspects of the container
to be isolated.
· Overlay networks are best when you need containers running on different Docker hosts to communicate, or when multiple applications
work together using swarm services.
· Macvlan networks are best when you are migrating from a VM setup or need your containers to look like physical hosts on your network,
each with a unique MAC address.
· Third-party network plugins allow you to integrate Docker with specialized network stacks.
https://docs.docker.com/network/#network-driver-summary#network-driver-summary
37. Question
What is the scope of the overlay network driver in Docker?
global
swarm
local
service
Unattempted
Network Scope
Docker network drivers have a concept of scope. The network scope is the domain of the driver which can be the local or swarm scope.
Local scope drivers provide connectivity and network services (such as DNS or IPAM) within the scope of the host.
Swarm scope drivers provide connectivity and network services across a swarm cluster. Swarm scope networks have the same network ID
across the entire cluster while local scope networks have a unique network ID on each host.
https://success.docker.com/article/networking#networkscope
You can check this by running:
$ docker network ls
38. Question
Which docker feature enables each node in the swarm to accept connections on published ports for a service running in the swarm, even if
there’s no task of that service running on the node?
routing mesh
firewall
VLANs
load balancer
Unattempted
Docker Engine swarm mode makes it easy to publish ports for services to make them available to resources outside the swarm.
All nodes participate in an ingress routing mesh.
The routing mesh enables each node in the swarm to accept connections on published ports for any service running in the swarm, even if
there’s no task running on the node.
The routing mesh routes all incoming requests to published ports on available nodes to an active container.
https://docs.docker.com/engine/swarm/ingress/
39. Question
Ingress network is a type of _____ network?
bridge network
macvlan network
host network
overlay network
Unattempted
Ingress is one of the types of overlay networks, which sits on top of (overlays) the host-specific networks and handles control and data traffic
related to swarm services.
https://docs.docker.com/network/overlay/#customize-the-default-ingress-network
40. Question
By default, in which mode are services running when using the routing mesh?
Virtual IP mode
DNSRR mode
Swarm mode
Global mode
Unattempted
Services using the routing mesh are running in virtual IP (VIP) mode. Even a service running on each node (by means of the –mode global
flag) uses the routing mesh. When using the routing mesh, there is no guarantee about which Docker node services client requests.
To bypass the routing mesh, you can start a service using DNS Round Robin (DNSRR) mode, by setting the –endpoint-mode flag to dnsrr.
https://docs.docker.com/network/overlay/#bypass-the-routing-mesh-for-a-swarm-service
41. Question
Which type of network driver is best when the network stack should not be isolated from the Docker host, but you want other aspects of the
container to be isolated?
User-defined bridge networks
Host networks
Overlay networks
Macvlan networks
Unattempted
If you use the host network mode for a container, that container’s network stack is not isolated from the Docker host (the container shares
the host’s networking namespace), and the container does not get its own IP-address allocated.
https://docs.docker.com/network/host/
Host networks are best when the network stack should not be isolated from the Docker host, but you want other aspects of the container to
be isolated.
https://docs.docker.com/network/#network-driver-summary
42. Question
Which of the following network drivers connects the network stack of the container directly to Docker Host?
bridge
overlay
macvlan
host
Unattempted
If you use the host network mode for a container, that container’s network stack is not isolated from the Docker host (the container shares
the host’s networking namespace), and the container does not get its own IP-address allocated.
https://docs.docker.com/network/host/
Host networks are best when the network stack should not be isolated from the Docker host, but you want other aspects of the container to
be isolated.
https://docs.docker.com/network/#network-driver-summary
43. Question
Which of the following is not a component of The Container Network Model?
End-point
Network Controller
Sandbox
Router
Unattempted
There are several high-level constructs in the CNM. They are all OS and infrastructure agnostic so that applications can have a uniform
experience no matter the infrastructure stack.
· Sandbox — A Sandbox contains the configuration of a container’s network stack. This includes the management of the container’s
interfaces, routing table, and DNS settings. An implementation of a Sandbox could be a Windows HNS or Linux Network Namespace, a
FreeBSD Jail, or other similar concept. A Sandbox may contain many endpoints from multiple networks.
· Endpoint — An Endpoint joins a Sandbox to a Network. The Endpoint construct exists so the actual connection to the network can be
abstracted away from the application. This helps maintain portability so that a service can use different types of network drivers without
being concerned with how it’s connected to that network.
· Network — The CNM does not specify a Network in terms of the OSI model. An implementation of a Network could be a Linux bridge, a
VLAN, etc. A Network is a collection of endpoints that have connectivity between them. Endpoints that are not connected to a network do
not have connectivity on a network.
https://success.docker.com/article/networking#cnmconstructs
44. Question
In Docker swarm, traffic can be routed to services based on hostname. True or false?
TRUE
FALSE
Unattempted
The swarm mode routing mesh is great for transport-layer routing. It routes to services using the service’s published ports.
However, if you want to route traffic to services based on hostname instead you have to use
the “Swarm Layer 7 Routing (Interlock)”.
This is a feature that enables service discovery on the application layer (L7). This Layer 7 Routing extends upon the swarm mode routing
mesh by adding application layer capabilities such as inspecting the HTTP header.
The Interlock Proxy works by using the HTTP/1.1 header field definition. Every HTTP/1.1 TCP request contains a Host: header.
https://success.docker.com/article/ucp-service-discovery-swarm#interlockproxyusageexamples
45. Question
You have created a Docker bridge network on a host with three containers attached. How can you make these containers accessible outside of
the host?
Use --link
Use network connect
Use EXPOSE together with --publish-all
Use network attach
Unattempted
The following run command options work with container networking:
–expose
Expose a port or a range of ports inside the container. You expose ports using the EXPOSE keyword in the Dockerfile or the –expose flag to
docker run. Exposing ports is a way of documenting which ports are used, but does not actually map or open any ports. Exposing ports is
optional.
–publish-all or -P
Publish all exposed ports to the host interfaces. Docker binds each exposed port to a random port on the host. Use the -p flag to explicitly
map a single port or range of ports.
-p or –publish
It makes a port available to services outside of Docker, or to Docker containers which are not connected to the container’s network.
format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
https://docs.docker.com/engine/reference/run/#expose-incoming-ports
https://docs.docker.com/config/containers/container-networking/
46. Question
Containers on user-defined bridge network can communicate only via IP addresses. True or False?
FALSE
TRUE
Unattempted
Using a user-defined network provides a scoped network in which only containers attached to that network are able to communicate.
Furthermore, on user-defined networks, containers can not only communicate by IP address, but can also resolve a container name to an IP
address. This capability is called automatic service discovery.
https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks
However, containers connected to the default bridge network can communicate, but only by IP address, unless they are linked using the
legacy –link flag.
Obs. If you do not specify a network using the –network flag, and you do specify a network driver, your container is connected to the default
bridge network by default.
https://docs.docker.com/network/bridge/#connect-a-container-to-the-default-bridge-network
47. Question
Which option for exposing a service is best if your service is normally accessed via HTTP/HTTPS?
NodePort
LoadBalancer
Ingress
ClusterIP
Unattempted
NodePort service type is well suited for application services that require direct TCP/UDP access, like RabbitMQ for example.
If your service can be accessed using HTTP/HTTPs then Ingress is recommended.
Ingress is a Kubernetes API object that manages external access to the services in a cluster, typically HTTP/HTTPS.
https://success.docker.com/article/ucp-service-discovery-k8s
https://www.docker.com/blog/designing-your-first-application-kubernetes-communication-services-part3/
48. Question
Which option is true about using the -P flag when creating a new container?
Docker binds each exposed container port to a random port on all the host's interface.
Docker gives extended privileges to the container.
Docker binds each exposed container port to a random port on a specified host interface.
Docker binds each exposed container port with the same port on the host.
Unattempted
To publish all ports, use the -P flag. For example, the following command starts a container (in detached mode) and the -P flag publishes all
exposed ports of the container to random ports on the host interfaces.
$ docker run -d -P –name webserver nginx
https://docs.docker.com/config/containers/container-networking/
49. Question
Which of the following commands can you use to create a bridge network?
docker network deploy
docker create network
docker network create
docker network add
Unattempted
To create a new network use:
docker network create [OPTIONS] NETWORK
For example:
$ docker network create -d bridge my-bridge-network
The DRIVER accepts bridge or overlay which are the built-in network drivers. If you have installed a third party or your own custom network
driver you can specify that DRIVER here also. If you don’t specify the –driver option, the command automatically creates a bridge network for
you.
https://docs.docker.com/engine/reference/commandline/network_create/
50. Question
When creating a docker container called ‘web’ that is running an Apache Web Server on port 80, you can allow direct access to the container
service via the host’s IP by redirecting the host port 80 to the container port 80. Which command will accomplish this?
docker run -d --name myweb -p 80:80 httpd:latest
None of the answers is correct.
docker run --name myweb -P 80/80 httpd/latest
docker run -d --name myweb -P 80 httpd:latest
Unattempted
The following run command options work with container networking:
–publish-all or -P
Publish all exposed ports to the host interfaces. Docker binds each exposed port to a random port on the host. Use the -p flag to explicitly
map a single port or range of ports.
-p or –publish
It makes a port available to services outside of Docker, or to Docker containers which are not connected to the container’s network.
format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
https://docs.docker.com/engine/reference/run/#expose-incoming-ports
https://docs.docker.com/config/containers/container-networking/
51. Question
Which docker network is used to connect the individual Docker daemon to the other daemons participating in the swarm?
bridge
docker_gwbridge
overlay
ingress
Unattempted
When you initialize a swarm or join a Docker host to an existing swarm, two new networks are created on that Docker host:
· an overlay network called ingress, which handles control and data traffic related to swarm services. When you create a swarm service and
do not connect it to a user-defined overlay network, it connects to the ingress network by default.
· a bridge network called docker_gwbridge, which connects the individual Docker daemon to the other daemons participating in the swarm.
https://docs.docker.com/network/overlay/
52. Question
Which of the following modes can be used for service discovery of a Docker swarm service (select 2 correct answers)?
Ingress with --endpoint-mode ingress
Network Address Translation(NAT) with --endpoint-mode nat
Virtual IP (VIP) with --endpoint-mode vip
Overlay with --endpoint-mode overlay
DNS Round-Robin with --endpoint-mode dnsrr
Unattempted
Docker uses embedded DNS to provide service discovery for containers running on a single Docker engine and tasks running in a Docker
swarm.
The Docker engine checks if the DNS query belongs to a container or service on each network that the requesting container belongs to. If it
does, then the Docker engine looks up the IP address that matches the name of a container, task, or service in a key-value store and returns
that IP or service Virtual IP (VIP) back to the requester. Here, all nodes participate in a network called routing mesh.
https://success.docker.com/article/ucp-service-discovery-swarm
DNS round robin (DNS RR) load balancing is another load balancing option for services (configured with –endpoint-mode dnsrr). In DNS RR
mode a VIP is not created for each service. The Docker DNS server resolves a service name to individual container IPs in round robin fashion.
https://success.docker.com/article/networking
To use an external load balancer without the routing mesh, set –endpoint-mode to dnsrr instead of the default value of vip.
In this case, there is not a single virtual IP. Instead, Docker sets up DNS entries for the service such that a DNS query for the service name
returns a list of IP addresses, and the client connects directly to one of these. You are responsible for providing the list of IP addresses and
ports to your load balancer. See Configure service discovery.
https://docs.docker.com/engine/swarm/ingress/#without-the-routing-mesh
53. Question
Which of the following commands will provide a list of all Docker networks together with their drivers currently configured on the Docker host?
docker info --networks
docker system --list-networks
docker network ls
docker system inspect networks
Unattempted
docker network ls [OPTIONS]
Lists all the networks the Engine daemon knows about. This includes the networks that span across multiple hosts in a cluster.
Example:
https://docs.docker.com/engine/reference/commandline/network_ls/
54. Question
Which of the following statement is false about ingress networks?
Default ingress overlay network is used by swarm services by default.
It transports mesh routing traffic from external clients to cluster services.
It is automatically created when you initialize a swarm or join a Docker host to an existing swarm
You cannot connect standalone containers to ingress networks.
Unattempted
The ingress network is created without the –attachable flag, which means that only swarm services can use it, and not standalone
containers.
You can connect standalone containers to user-defined overlay networks which are created with the –attachable flag.
https://docs.docker.com/network/overlay/#attach-a-standalone-container-to-an-overlay-network
The routing mesh allows all the swarm nodes to accept connections on the services published ports. When any swarm node receives traffic
destined to the published TCP/UDP port of a running service, it forwards the traffic to the service’s VIP using a pre-defined overlay network
called ingress. The ingress network behaves similarly to other overlay networks, but its sole purpose is to transport mesh routing traffic from
external clients to cluster services. It uses the same VIP-based internal load balancing as described in the previous section.
https://success.docker.com/article/ucp-service-discovery-swarm#interlockproxyusageexamples
55. Question
Which are the primary modes that Kubernetes uses to provide service discovery? (select two)
DNS
Environment Variables
Routing mesh
Interlock
Unattempted
Kubernetes supports two primary modes of finding a Service, environment variables(injected by the kubelet when pods are created) and
DNS. Both are valid options, however, the most common method to discover and reach a service from within Docker Kubernetes Service is
to use the embedded DNS service.
https://kubernetes.io/docs/concepts/services-networking/service/#discovering-services
56. Question
Which of the following is the docker command to create a container with custom DNS server(s)?
docker container create --set-dns=IP_ADDRESS
docker container create --cusom-dns=IP_ADDRESS
docker container create --add-dns=IP_ADDRESS
docker container create --dns=IP_ADDRESS
Unattempted
By default, a container inherits the DNS settings of the Docker daemon.
To specify a DNS server for an individual container use:
docker container create –dns=IP_ADDRESS
To specify multiple DNS servers, use multiple –dns flags. If the container cannot reach any of the IP addresses you specify, Google’s public
DNS server 8.8.8.8 is added, so that your container can resolve internet domains.
https://docs.docker.com/config/containers/container-networking/#dns-services
57. Question
Publishing a port for a service using the routing mesh makes the service accessible at the published port on every swarm node. True or false?
FALSE
TRUE
Unattempted
Docker Engine swarm mode makes it easy to publish ports for services to make them available to resources outside the swarm.
All nodes participate in an ingress routing mesh.
The routing mesh enables each node in the swarm to accept connections on published ports for any service running in the swarm, even if
there’s no task running on the node.
The routing mesh routes all incoming requests to published ports on available nodes to an active container.
https://docs.docker.com/engine/swarm/ingress/
58. Question
Which of the following options is best to enable developers to read logs?
Grant them SSH access to the host server to read the logs directly.
Enable centralized and remote logging using syslog.
None of the answers is correct.
Allow access only via docker logs.
Unattempted
Having a central location for all Engine and container logs is recommended. This provides “off-node” access to all the logs, empowering
developers without having to grant them SSH access.
To enable centralized logging, modify /etc/docker/daemon.json and add the following:
{
}
“log-level”: “syslog”,
“log-opts”: {syslog-address=tcp://192.x.x.x}
Then restart the daemon:
sudo systemctl restart docker
https://success.docker.com/article/security-best-practices
59. Question
Which of the following are the two types of UCP client bundles?
Ops client bundels and dev client bundles.
Docker CLI bundles and Docker web UI bundles.
Docker UCP Client bundles and DTR client bundles.
Admin user certificate bundles and user certificate bundles.
Unattempted
A client bundle contains a private and public key pair that authorizes your requests in UCP. In order to authenticate your requests, you can
download client certificate bundle to your local computer.
UCP issues different types of certificates depending on the user:
· User certificate bundles: only allow running docker commands through a UCP manager node.
· Admin user certificate bundles: allow running docker commands on the Docker Engine of any node.
https://github.com/docker/docker.github.io
60. Question
What should you do in the event that a cluster CA key or a manager node is compromised?
Remove the swarm root CA
Remove the node
Generate the swarm root CA
Rotate the swarm root CA
Unattempted
Rotating the CA certificate
In the event that a cluster CA key or a manager node is compromised, you can rotate the swarm root CA so that none of the nodes trust
certificates signed by the old root CA anymore.
Run docker swarm ca –rotate to generate a new CA certificate and key. If you prefer, you can pass the –ca-cert and –external-ca flags to
specify the root certificate and to use a root CA external to the swarm. Alternately, you can pass the –ca-cert and –ca-key flags to specify the
exact certificate and key you would like the swarm to use.
https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/
61. Question
What does the following error indicate?
x509: certificate signed by unknown authority
User is running a docker command on UCP node without client certificate.
User is running a docker swarm command on manager without client certificate.
User is not registered on docker hub.
User have entered incorrect captcha.
Unattempted
When you are running a docker command, Docker attempts to verify that the certificate in use is signed by UCP’s certificate authority and
that the domain name or IP used to connect to UCP is listed as a subject alternative name (SAN) in the UCP certificate.
If you see the following error “x509: certificate signed by unknown authority”, then Docker has not been provided with the ca certificate. To
resolve this issue, use a UCP client bundle to connect to UCP from the CLI.
https://success.docker.com/article/docker-login-to-dtr-fails-with-x509-certificate-error
62. Question
Which of the following options contribute directly to Docker security? (select all that apply)
Garbage Collection
Control groups
Seccomp
Namespaces
Unattempted
Garbage Collection
Garbage collection is an often-overlooked area from a security standpoint. Old, out-of-date images may contain security flaws or exploitable
vulnerabilities; removing unnecessary images is important. Garbage collection is a feature that ensures that unreferenced images (and layers)
are removed.
https://success.docker.com/article/security-best-practices
63. Question
Which of the following components can you use to create users and teams?
Docker Trusted Registry
Docker Machine
Universal Control Plane
Docker Compose
Unattempted
UCP has role-based access control (RBAC), so that you can control who can access and make changes to your cluster and applications.
Using the UI for Docker Enterprise of Docker Universal Control Plane (UCP), you authorize users to view, edit, and use cluster resources by
granting role-based permissions against resource sets.
To authorize access to cluster resources across your organization, UCP administrators might take the following high-level steps:
· Add and configure subjects (users, teams, and service accounts).
· Define custom roles (or use defaults) by adding permitted operations per type of resource.
· Group cluster resources into resource sets of Swarm collections or Kubernetes namespaces.
· Create grants by combining subject + role + resource set.
https://github.com/docker/docker.github.io
64. Question
What is the main difference between UCP workers and managers?
Ucp-agent service automatically starts serving UCP components and proxy service only on manger node.
Ucp-agent service automatically starts serving UCP components and proxy service only on worker node.
Ucp-agent service automatically starts serving all UCP components in manager node and only proxy service in worker node.
Ucp-agent service automatically starts serving UCP components in worker node, and only a proxy service in manager node.
Unattempted
When you deploy UCP, it starts running a globally scheduled service called ucp-agent. This service monitors the node where it’s running and
starts and stops UCP services, based on whether the node is a manager or a worker node.
If the node is a:
· Manager: the ucp-agent service automatically starts serving all UCP components, including the UCP web UI and data stores used by UCP.
The ucp-agent accomplishes this by deploying several containers on the node.
· Worker: on worker nodes, the ucp-agent service starts serving a proxy service that ensures only authorized users and other UCP services
can run Docker commands in that node.
https://docs.docker.com/ee/ucp/ucp-architecture/#ucp-internal-components
65. Question
In what form can UCP provide authorized client certificates?
As a QR code
As pop-up dialog box with a token
As a token
As a Client Bundle (zip file)
Unattempted
To use the Docker CLI with UCP, download a client certificate bundle(zip) by using the UCP web UI.
https://github.com/docker/docker.github.io
Use Page numbers below to navigate to other practice tests
Pages:
1
2
← Previous Post
3
4
5
6
7
8
9
10
11
12
Next Post →
Skillcertpro
Quick Links
Important Links
ABOUT US
REFUND POLICY
FAQ
REFUND REQUEST
BROWSE ALL PRACTICE TESTS
TERMS & CONDITIONS
CONTACT FORM
PRIVACY POLICY
Privacy Policy
