Docker Certified Associate (DCA) Certification
Which of the following namespaces is not enabled by default?
user
When creating an overlay network, what flag can we use to allow containers to attach to the network after it is created?
--attachable
Which flag allows us to return specific fields with docker inspect?
--format
What flag should we use to specify a custom volume driver when creating a volume alongside a service that has docker service create?
--mount volume-driver=<driver>
Which of the following scenarios would still allow the quorum to complete maintenance in a swarm cluster? (Choose two)
1. A 3-node cluster with 1 node down. 2. A 7-node cluster with 3 nodes down.
Bob has set up a new Docker server. The overlay2 driver is the default for the server, but he wants to use devicemapper instead. Which of the following are ways to implement this change? (Choose 2 Answers)
1. Set storage-driver to devicemapper in /etc/docker/daemon.json 2. Add the --storage-driver flag to the dockerd call in Docker's unit file.
How is the ADD directive different from COPY? (Choose two)
1. The ADD directive can extract an archive into the image. 2. The ADD directive can pull a file from an external URL.
Which of the following commands would successfully change the number of replicas to 5 in a service called my-service? (Choose two)
1. docker service scale my-service=5 2. docker service update --replicas 5 my-service
We have seven Swarm manager nodes total. How should we distribute them across just three availability zones?
3-2-2
A Kubernetes Pod is using a PersistentVolumeClaim for storage. The Pod is deleted, along with the PersistentVolumeClaim. Which of the following configurations would allow the PersistentVolume to be re-used without manual intervention?
A Recycle reclaimPolicy on the PersistentVolume.
In Kubernetes, Which of the following is needed in order to expand a PersistentVolumeClaim?
A StorageClass with allowVolumeExpansion=true
In Kubernetes, what happens when you perform a rolling update using a Deployment?
A new ReplicaSet is created, which gradually increases its replica count. Meanwhile, the old ReplicaSet gradually decreases its replica count as new Pods spin up.
Anastasia has created a container with a volume called shared-data. She wants to create a new container that can access the same data as the first container, but she wants this new container only to be able to read the data, not modify it. How can she accomplish this?
Anastasia can use docker run --name new-container -v shared-data:/tmp:ro nginx.
How would we back up Docker Swarm?
Back up the contents of /var/lib/docker/swarm on a Swarm manager.
What Linux feature does Docker use to allow containers to listen on ports lower than 1024 without running as root on the host?
Capabilities
What Linux feature does Docker use in order to limit memory usage for containers?
Control groups (cgroups)
How would we go about backing up images in the Docker Trusted Registry (DTR)?
Create a backup of everything in the DTR image storage volume.
What is the name of Docker feature that enables us to sign images and verify image signatures before running them?
Docker Content Trust
Which of the following is not backed up when performing a Docker Trusted Registry (DTR) metadata backup?
Docker images.
Erick has an application that consists of multiple different containers that interact with one another. What should he use to manage this application in a Docker Swarm?
Erick should use a stack.
Given Docker's architecture and built-in security features, which of the following security scenarios should we be concerned about the most?
If an attacker gains access to the Docker daemon, they could use it to execute commands as root on the host.
What is the term for a package containing all the software that's needed to run a Docker container?
Image
Which of the following statements does not apply to the WORKDIR directive?
It affects only the build and does not impact containers that run from the image.
What does the EXPOSE directive do?
It documents ports intended for publishing at the time of running a container.
What is the primary purpose of a Docker registry?
It provides a central location for storing and distributing images.
What does the FROM directive do?
It sets a base image that can be used as a platform to begin builds.
What does the CMD directive do?
It sets the default command for the image that runs if no other command is specified.
In terms of establishing a high level of availability, what is the benefit of having more manager nodes present in a swarm?
It would help bolster fault-tolerance
Which of the following statements about the overlay network driver is accurate?
Networking components are created on nodes dynamically when tasks get scheduled on the node.
Which of the following Kubernetes Node taint effects would evict existing Pods that do not tolerate the taint bearing that effect?
NoExecute
You have a web application frontend that will need to be accessed by users, and a backend database that will be accessed by the frontend Pods. Both of these components are running within your Kubernetes cluster. Which Service types should you use to expose the web frontend and the backend database, respectively?
NodePort, ClusterIP
Which of the following is true about building docker images?
Only layers that have changed since the last build (and any following layers) are built.
Which of the following best describes the procedure for backing up Docker Trusted Registry (DTR) metadata?
Run a container from the dtr image with the backup command
Which of the following best describes the procedure for backing up the Universal Control Plane (UCP) metadata?
Run a container from the ucp image with the backup command.
What concept in the Docker Container Network Model (CNM) refers to an isolated unit containing all networking components associated with a single container?
Sandbox
Which of the following configurations would be best for enabling direct-lvm mode with devicemapper?
Set dm.directlvm_device in /etc/docker/daemon.json.
Where can you add volumes to a Pod in Kubernetes?
The Pod specification.
What type of data exists in the writable file system layer created by a container?
The data would consist of only changes from the previous layer that were made by the container.
Which of the following is true of a service that has a port published in ingress mode?
The service will listen on all nodes on the cluster.
Tracy has a Docker Trusted Registry (DTR), and her development team has been mistakenly overwriting images in a repository by pushing a different image with an existing tag. How can she prevent this from happening?
Tracy can mark the repository as immutable.
Which of the following are insecure ways to allow a Docker client to authenticate against a registry that uses a self-signed certificate? (Choose two)
We add the registry to insecure-registries in /etc/docker/daemon.json. We pass the --insecure-registry flag to the Docker daemon.
Which of the following is a secure method for allowing a Docker client to authenticate with a registry that uses a self-signed certificate?
We add the self-signed certificate as a trusted registry certificate under /etc/docker/certs.d/.
How can we use multi-stage builds to generate small, efficient Docker images?
We can copy only specific files from previous stages so that we can keep the image as small as possible.
Which of the following is true about the creation of private Docker registries?
We can create our own registry by running a container with the registry image
What is an easy way to configure a client to communicate with Universal Control Plane (UCP) using client certificates?
We can download and use a client bundle.
How can we flatten an existing multi-layered image into a single layer?
We can run a container from the image, export it, and then import it as a new image.
How can we provide custom certificates to the Universal Control Plane (UCP) and Docker Trusted Registry (DTR)?
We can upload certificates via the UCP and DTR web UIs.
Which of the following tasks can we perform to set a custom DNS server for a container?
We can use the --dns flag with docker run.
Which of the following statements about Docker image vulnerability scanning is accurate?
We need a Docker Enterprise Edition (EE) license to scan images within our registry.
What tool should we use if we need to manage a multi-container application as a unit on a single Docker host?
We should use Docker Compose.
What should we use if we need to run multiple copies of a single image in a swarm?
We should use a service
How would we create a volume called new-volume without running a container?
We would run docker volume create new-volume.
How would we rotate a docker swarm unlock-key and ensure that all nodes receive the new key?
We would run the docker swarm unlock-key --rotate command on one manager node
How would we go about keeping track of changes made to an image in source control (i.e., git)?
We would store the Dockerfile in source control
Which of the following statements about Docker Content Trust (DCT) is accurate?
When Docker Content Trust is enabled, unsigned images will not be allowed to run on the system.
How would we back up the metadata for Docker Swarm?
While the Docker daemon stops, we can back up the contents of /var/lib/docker/swarm on a Swarm manager.
Which devicemapper mode should we use for a production environment?
direct-lvm
Which of the following commands will build an image from a Dockerfile located in the current directory and tag it as my-custom-image:1?
docker build -t my-custom-image:1 .
Which of the following commands can we use to locate the actual files that store a container's internal data?
docker container inspect <container>
Which of the following commands would we use to view a container's logs?
docker logs <container>
Which command allows us to create an encrypted overlay network?
docker network create --opt encrypted --driver overlay my-net
Which of the following commands will create a new bridge network?
docker network create my-network
Which of the following commands will allow us to add a label to a Docker Swarm node?
docker node update --label-add <label> <node name>
Nancy wants to run a container using an image called foo. She wants to publish the container's port 3001 to port 5050 on the host. Which of the following commands will accomplish this?
docker run -d -p 5050:3001 foo
Which of the following commands will allow us to mount the /my/path directory on the host to a container? (Choose two)
docker run -v /my/path:/tmp nginx docker run --mount source=/my/path,destination=/tmp nginx
Which of the following commands may result in the creation of a new named volume?
docker run -v my-vol:/tmp nginx
Sara wants to run a container using the busybox image, and she wants to pass a custom command to the container: echo Docker is great!. Which of the following commands will accomplish this?
docker run busybox echo Docker is great!
We have some containerized software that needs to have a reference to the hostname of the node that the software is running on. Which of the following commands will let us pass the node hostname as an environment variable into each task in a service?
docker service create --env NODE_HOSTNAME="{{.Node.Hostname}}" nginx
Which of the following commands will attach the tasks of a new service to an existing overlay network called my-overlay?
docker service create --network my-overlay nginx
Which of the following commands will publish a service's port, but only on nodes that are running a task for that service?
docker service create -p mode=host,published=8082,target=80 nginx
We have a service called nginx that has failing replicas. Which of the following commands can we utilize to list all of the replicas that are part of a service?
docker service ps nginx
What command would we use to list the services that are part of a stack called web-store?
docker stack services web-store
Which of the following commands would we use to retrieve a list of volumes on the current machine?
docker volume ls
Which network driver connects containers directly to a network stack on the host machine without any isolation?
host