Docker
A container named "analytics" that stores results in a volume called "data" was created. docker run -d --name=analytics -v data:/data app1 How are the results accessed in "data" with another container called "app2"? docker run -d --name=reports --volumes-from=analytics app2 docker run -d --name=reports --volume=data app2 docker run -d --name=reports --mount=app1 app2 docker run -d --name=reports --volume=app1 app2
1
A docker service 'web' is running with a scale factor of 1 (replicas = 1). Bob intends to use the command 'docker service update --replicas=3 web'. Alice intends to use the command 'docker service scale web=3'. How do the outcomes of these two commands differ? 1 Both Bob's and Alice's commands result in exactly the same outcome, which is 3 instances of the 'web' service. 2 Bob's command updates the number of replicas of the 'web' service to 3. Alice's command results in an error. 3 Bob's command only updates the service definition, but no new replicas are started. Alice's command results in the actual scaling up of the 'web' service. 4 Bob's command results in an error. Alice's command updates the number of replicas of the 'web' service to 3.
1
An application image runs in multiple environments, and each environment uses different certificates and ports. What is the best practice to deploy the containers? 1 Create a config file for each environment 2 Create a Dockerfile for each environment, specifying ports and Docker secrets for certificates 3 Create images that contain the specific configuration for every environment 4 Create a Dockerfile for each environment, specifying ports and ENV variables for certificates
1
A Docker image is built up from a series of layers and each layer represents an instruction in the image's Dockerfile. True or false? TRUE FALSE
1
Docker security scan can be started by all users including those with read-only access. True or false? FALSE TRUE
1
The Dockerfile option EXPOSE publishes the port to external systems. True or false? FALSE TRUE
1
What does the Dockerfile option EXPOSE do? 1 Informs Docker that the container listens on the specified network ports at runtime 2 Label a container that will run as an executable 3 Expose defaults for an executing container 4 Adds metadata to an image
1
What is one way of directly transferring a Docker image from one Docker host to another? 1 'docker save' the image to save it as a TAR file and copy it over to the target host. Then use 'docker load' to un-TAR the image back as a Docker image. 2 There is no way of directly transferring Docker images between hosts. A Docker Registry must be used as an intermediary. 3 'docker commit' to save the image outside of the Docker filesystem. Then transfer the file over to the target host and 'docker start' to start the container again. 4 'docker push' the image to the IP address of the target host.
1
What is the docker command to remove one or more images? docker image rm docker image delete docker delete docker remove
1
What is the function of the docker inspect command? 1 Return low-level info on Docker objects 2 Display system-wide info 3 Inspect changes to files or directories on a container's filesystem 4 To manage Docker configs
1
What is the image storage solution that is part of Docker Enterprise Edition called? Docker Trusted Registry Universal Control Plane Docker Hub Docker Registry
1
Which of the following commands will automatically create a volume when a container is started? 1 docker container run --name nginxtest --volumes=/app nginx 2 docker container run --name nginxtest --volumes myvol:/app:new nginx 3 ... -v myvol:/app nginx 4 ... -v /app:mount nginx
1
Which of the following constitutes a production-ready devicemapper configuration for the Docker engine? 1 Utilize the '--storage-opt dm.directlvm_device' Docker daemon option, specifying a block device 2 Nothing, devicemapper comes ready for production usage out of the box 3 Create a volume group in devicemapper and utilize the '--dm.thinpooldev' Docker daemon option, specifying the volume group 4 Format a partition with xfs and mount it at '/var/lib/docker'
1
Which of the following is NOT how to create an efficient image via a Dockerfile? Combine multiple applications into a single container Start with an appropriate base image Use multi-stage builds Avoid installing unnecessary packages
1
Which of the following is supported by control groups? 1 Limit CPU usage within a container 2 Manage certificates 3 Collect net 4 Isolate processes in a container
1
Which of the following is the correct command to tag an image? docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG] docker tag image SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG] docker tag TARGET_IMAGE[:TAG] SOURCE_IMAGE[:TAG] docker build tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
1
Which of the following is the docker command to enable autolock on an existing swarm cluster? docker swarm update --autolock=true docker swarm autolock docker swarm --autolock=true docker swarm update --autolock-swarm=true
1
Which 2 of the following are types of namespaces used by Docker to provide isolation? Network Process ID Storage Authentication
1+2
After creating a new service named 'http', you notice that the new service is not registering as healthy. How do you view the list of historical tasks for that service by using the command line? 1 docker service ps http 2 docker service inspect http 3 docker inspect http 4 docker ps http
2
How do you configure Docker engine to use a registry that is not configured with TLS certificates from a trusted CA? Set INSECURE_REGISTRY in the '/etc/docker/default' configuration file Pass the '--insecure-registry' flag to the daemon at run time Set and export the IGNORE_TLS environment variable on the command line Set IGNORE_TLS in the 'daemon.json' configuration file.
2
If installing Docker using devicemapper for storage with the intent to run production workloads, how should devicemapper be configured? loop-lvm direct-lvm aufs-lvm overlay-lvm
2
What behavior is expected when a service is created with the following command: 'docker service create --publish 8080:80 nginx' Only a single node in the cluster will listen on port 80 and forward to port 8080 in the container. All nodes in the cluster will listen on port 8080 and forward to port 80 in the container. All nodes in the cluster will listen on port 80 and forward to port 8080 in the container. Only a single node in the cluster will listen on port 8080 and forward to port 80 in the container.
2
What is the recommended way to configure the daemon flags and environment variables for your Docker daemon in a platform independent way? Set the configuration DOCKER_OPTS in '/etc/default/docker' Set the configuration options in '/etc/docker/daemon.json' Using 'docker config' to set the configuration options. Set the configuration options using the ENV variable
2
Which of the following is true about using the -P option when creating a new container? 1 Docker gives extended privileges to the container 2 Docker binds each exposed container port to a random port on all the host's interfaces 3 Docker binds each exposed container port to a random port on a specified host interface 4 Docker binds each exposed container port with the same port on the host
2
Which of the following statements is true about secrets? 1 Secrets are stored unencrypted on manager nodes 2 Secrets can be created using standard input (STDIN) and a file 3 Secrets can be modified after they are created 4 Secrets can be created from any node in the cluster
2
Which statement is true? CMD is used to run the software in the image along with any arguments CMD shell format uses this form ["param", "param", "param"] ENTRYPOINT cannot be overridden in the "docker container run" command ENTRYPOINT cannot be used in conjunction with CMD
2
You can monitor the status of UCP by using the web UI or the CLI. True or false? FALSE TRUE
2
You have just executed 'docker swarm leave' on a node. What command can be run on the same node to confirm it has left the cluster? 1 docker node status 2 docker system info 3 docker system status 4 docker node ls
2
What is the difference between the ADD and COPY Dockerfile instructions? (choose 2) ADD supports regular expression handling while COPY does not. ADD supports compression format handling while COPY does not. ADD supports remote URL handling while COPY does not. COPY supports compression format handling while ADD does not. COPY supports regular expression handling while ADD does not.
2+3
A server is running low on disk space. What command can be used to check the disk usage of images, containers, and volumes for Docker engine? 1 docker system ps 2 docker system prune 3 docker system df 4 docker system free
3
A service 'wordpress' is running using a password string to connect to a non-Dockerized database service. The password string is passed into the 'wordpress' service as a Docker secret. Per security policy, the password on the database was changed. Identify the correct sequence of steps to rotate the secret from the old password to the new password. 1 Create a new docker secret with the new password. Trigger a rolling secret update by using the 'docker secret update' command 2 Create a new docker secret with the new password. Remove the existing service using 'docker service rm'. Start a new service with the new secret using "--secret=<new password>" 3 Create a new docker secret with a new password. Trigger a rolling update of the "wordpress" service, by using "--secret-rm" & "--secret-add" to remove the old secret and add the updated secret. 4 Trigger an update to the service by using 'docker service update --secret=<new password>'
3
A user is having problems running Docker. Which of the following will start Docker in debug mode? Start the 'dockerd' process manually with the '--logging' flag set to debug Start the 'dockerd' process manually with the '--raw-logs' flag set to debug Set the debug key to true in the 'daemon.json' file. Set the logging key to debug in the 'daemon.json' file.
3
From a DevOps process standpoint, it is best practice to keep changes to an application in version control. Which of the following will allow changes to a Docker image to be stored in a version control system? 1 A docker-compose.yml file 2 docker save 3 docker commit 4 Dockerfile
3
In Docker Trusted Registry, how would a user prevent an image, for example 'nginx:latest' from being overwritten by another user with push access to the repository? 1 - Remove push access from all the other users 2 - Keep a backup copy of the image on another repository 3 - Use the DTR web UI to make the tag immutable 4 - Tag the image with 'nginx:immutable'
3
The following health check exists in a Dockerfile: 'HEALTHCHECK CMD curl --fail http://localhost/health || exit 1' Which of the following describes its purpose? Defines the health check endpoint on the localhost interface for external monitoring tools to monitor the health of the docker engine. Defines the health check for the containerized application so that the application health can be monitored by the Docker engine Defines the action taken when container health fails, which in this case will kill the container with exit status 1 Defines the health check endpoint on the local host interface for containers to monitor the health of the docker engine
3
What is the difference between a resource limit and a resource reservation when scheduling services? 1 A resource limit and a resource reservation can be used interchangeably 2 A resource limit is used to find a host with adequate resources for scheduling a hard limit for your service, while a reservation is a hard limit for your service 3 A resource limit is a hard limit for your service, while a reservation is used to find a host with adequate resources for scheduling 4 A resource limit is a soft limit for your service, while a reservation is a hard limit and the docker engine will do its best to keep your service at the limit
3
What is the purpose of a client bundle in the Universal Control Plane? Provide a new user instructions for how to log in to the UCP Group multiple users in a team in the UCP Authenticate a user using client certs to the UCP Provide a user with a Docker client binary compatible with the UCP
3
Which command interactively monitors all container activity in the Docker engine? 1 docker container logs 2 docker system logs 3 docker system events 4 docker container events
3
Which of the Dockerfile options executes any commands in a new layer on top of the current image and commits the results? ONBUILD CMD RUN FROM
3
Which of the following docker image commands displays detailed information on one or more images? docker image detail docker image history docker image inspect docker image ls
3
Which of the following is NOT backed up when performing a Docker Trusted backup operation? Access control to repos and images DTR configurations Image blobs Repository metadata
3
Which of the following is the correct command to store an image to a registry? docker commit [OPTIONS] NAME[:TAG] docker store [OPTIONS] NAME[:TAG] docker push [OPTIONS] NAME[:TAG] docker upload [OPTIONS] NAME[:TAG]
3
Which of the following statements is incorrect? The column 'size' of docker ps -s output shows the amount of data that is used for the writable layer of each container. The column 'virtual size' of docker ps -s output shows the amount of data used for the read-only image data used by the container plus the container's writable layer 'size'. When a container is deleted, the writable layer is persisted. Copy-on-write is a Docker strategy of sharing and copying files for maximum efficiency.
3
Which of these swarm manager configurations will cause the cluster to be in a lost quorum state? 5 managers of which 3 are healthy 1 manager of which 1 is healthy 4 managers of which 2 are healthy 3 managers of which 2 are healthy
3
Which statement is true about DTR garbage collection? Garbage collection removes unused volumes from cluster nodes. Garbage collection removes exited containers from cluster nodes. Garbage collection removes unreferenced image layers from DTR's backend storage. Garbage collection removes DTR images that are older than a configurable number of days.
3
Following the principle of least privilege, which of the following methods can be used to securely grant access to a specific user to communicate with a Docker engine? (Choose two.) 1 Utilize the '--host 127.0.0.1:2375' option to the Docker daemon to listen on port 2375 over TCP on localhost 2 Give the user root access to the server to allow them to run Docker commands as root 3 Add the user to the docker group on the server or specify the group with the '--group' Docker daemon option 4 Utilize openssl to create TLS client and server certificates, configuring the Docker engine to use with mutual TLS over TCP 5 Utilize the '--host 0.0.0.0:2375' option to the Docker daemon to listen on port 2375 over TCP on all interfaces
3+4
When seven managers are in a swarm cluster, how would they be distributed across three datacenters or availability zones? 3/3/1 5/1/1 4/2/1 3/2/2
3/2/2
What does the Dockerfile option LABEL do? 1 Tells Docker how to test a container to check that it is still working 2 Provides defaults for an executing container 3 Label a container that will run as an executable 4 Adds metadata to an image
4
What is the docker command for displaying layers of a Docker image? docker info docker layers docker image layers docker history
4
What is the docker command to pull an image or a repository from a registry? docker deploy docker build docker checkout docker pull
4
What is the purpose of Docker Content Trust? 1 - Indicating an image on Docker Hub is an official image 2 - Enabling mutual TLS between the Docker client and server 3 - Docker registry TLS verification and encryption 4 - Signing and verification of image tags
4
What is used by the kernel to isolate resources when running Docker containers? Namespaces Overlay networks Volumes Control groups (also known as cgroups)
4
When using the Docker client to push an image to a registry, what environment variable is used to instruct the client to perform signing of the image? NOTARY_ENABLE=1 DOCKER_PUSH_SIGN=1 DOCKER_IMAGE_SIGN=1 DOCKER_CONTENT_TRUST=1
4
Which flag for a service would allow a container to consume more than 2 GB of memory only when there is no memory contention but would also prevent a container from consuming more than 4GB of memory, in any case? 1 --limit-memory 2GB --reserve-memory 4GB 2 --memory-swap 4GB --limit-memory 2GB 3 --memory-swap 2GB --limit-memory 4GB 4 --limit-memory 4GB --reserve-memory 2GB
4
Which of the following commands starts a Redis container and configures it to always restart unless it is explicitly stopped or Docker is restarted? 'docker run -d --restart-policy unless-stopped redis' 'docker run -d --failure omit-stopped redis' 'docker run -d --restart omit-stopped redis' 'docker run -d --restart unless-stopped redis'
4
Which of the following is NOT a valid way to tag a Docker image? Tag an image referenced by image ID Tag an image referenced by Name Tag an image referenced by Name and Tag Tag an image referenced by user ID
4
Which of the following is required to install Docker EE from a package repository? License key obtained from Docker Hub License key obtained from Docker Store Repository URL obtained from Docker Hub Repository URL obtained from Docker Store
4
Which of the following is true about overlay networks? 1 - Overlay networks are created on all cluster nodes when you create the overlay network. 2 - Overlay networks are only created on the manager nodes 3 - Overlay networks are created only on the manager node that you created the overlay networking on 4 - Overlay networks are first created on the manager nodes. Then they are created on the worker nodes once a task is scheduled on the specific worker node.
4
Which of the following modes can be used for service discovery of a Docker swarm service? (Pick 2 correct answers) Network Address Translation (NAT) with --endpoint-mode nat Ingress with --endpoint-mode ingress Overlay with --endpoint-mode overlay DNS Round-Robin with --endpoint-mode dnsrr Virtual IP (VIP) with --endpoint-mode vip
4+5
Each container shares a common writable container layer. True or false?
False
What is the default format of docker inspect output? xml html yaml json
4
Which one of the following commands will result in the volume being removed automatically once the container has exited? 'docker run --del -v /foo busybox' 'docker run --read-only -v /foo busybox' 'docker run --remove -v /foo busybox' 'docker run --rm -v /foo busybox'
4
Which set of commands can identify the published port(s) for a container? (Choose 1.) 1 'docker info', 'docker network inspect' 2 'docker port inspect', 'docker container inspect' 3 'docker network inspect', 'docker port' 4 'docker container inspect', 'docker port'
4
Which of the following Dockerfile options creates a mount point with the specified name and marks it as holding externally mounted volumes from native host or other containers? ONBUILD WORKDIR VOLUME RUN
VOLUME
Which service mode is used to deploy a single task of a service to each node? spread universal replicated distributed global
global