In Docker Trusted Registry, is this how a user can prevent an image, such as 'nginx:latest', from being overwritten by another user with push access to the repository?
Solution: Keep a backup copy of the image on another repository.
Answer : B
Keeping a backup copy of the image in another repository is not how a user prevents an image, such as 'nginx:latest', from being overwritten by another user with push access to the repository. This approach does not prevent the original image from being overwritten; it only provides a way to restore it from another source. That may not be reliable or efficient, since the backup repository may not be in sync with the original, or may not be accessible at all times. To prevent an image from being overwritten by another user, the user can use the DTR web UI to make the tag immutable [1]. This feature locks a specific tag so that no one can push a new image with the same tag to the repository, which ensures that the image is always consistent and secure [1].
Reference:
1: Make a tag immutable | Docker Docs
Will this action upgrade Docker Engine CE to Docker Engine EE?
Solution: Uninstall 'docker-ce' package before installing 'docker-ee' package.
Answer : B
Uninstalling the 'docker-ce' package before installing the 'docker-ee' package will not upgrade Docker Engine CE to Docker Engine EE. It will only remove the existing Docker Engine CE installation and install a new Docker Engine EE installation. This means that any existing containers, images, volumes, networks, and other Docker resources will be lost. To upgrade Docker Engine CE to Docker Engine EE without losing any data, you need to use the migration tool provided by Docker [1] or follow the steps described in the Docker documentation [2] or other online guides [3][4].
Reference:
1: Migrate to Engine 1.10 | Docker Docs
2: Install Docker Engine | Docker Docs
3: Switching Docker 18.09 Community Edition to Enterprise Engine with no ...
4: How to upgrade Docker 18.09 Community Edition to Docker Enterprise 18.09
During development of an application meant to be orchestrated by Kubernetes, you want to mount the /data directory on your laptop into a container.
Will this strategy successfully accomplish this?
Solution: Create a PersistentVolume with storageClass: "" and hostPath: /data, and a PersistentVolumeClaim requesting this PV. Then use that PVC to populate a volume in a pod.
Answer : B
The strategy of creating a PersistentVolume with hostPath and a PersistentVolumeClaim to mount the /data directory on your laptop into a container will not work, because hostPath volumes are only suitable for single-node testing or development. They are not portable across nodes and do not support dynamic provisioning. If you want to mount a local directory from your laptop into a Kubernetes pod, you need to use a different type of volume, such as NFS, hostPath CSI, or minikube. Alternatively, you can copy the files from your laptop to the container using the kubectl cp command.
Reference:
Volumes | Kubernetes
Configure a Pod to Use a PersistentVolume for Storage | Kubernetes
Mount a local directory to kubernetes pod - Stack Overflow
Kubernetes share a directory from your local system to kubernetes container - Stack Overflow
How to Mount a Host Directory Into a Docker Container
Will this Linux kernel facility limit a Docker container's access to host resources, such as CPU or memory?
Solution: seccomp
Answer : A
Seccomp is a Linux kernel feature that allows you to restrict the actions available within the container. By using a seccomp profile, you can limit the system calls that a container can make, thus enhancing its security and isolation. Docker has a default seccomp profile that blocks some potentially dangerous system calls, such as mount, reboot, or ptrace. You can also pass a custom seccomp profile for a container using the --security-opt option. Seccomp can limit a container's access to host resources, such as CPU or memory, by blocking or filtering system calls that affect those resources, such as setpriority, sched_setaffinity, or mlock.
Reference:
Seccomp security profiles for Docker
Hardening Docker Container Using Seccomp Security Profile
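As an added illustration (not code from the original page), the following custom profile in Docker's seccomp JSON format allows every syscall by default but returns an error for the three resource-related syscalls named above; the file name is an assumption, and note that a custom profile replaces Docker's default profile rather than extending it, so the default's own deny rules (mount, reboot, ptrace, ...) must be carried over if they are still wanted.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": ["setpriority", "sched_setaffinity", "mlock"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
```

Saved as deny-resource-syscalls.json (an assumed name), it is applied per container with `docker run --security-opt seccomp=deny-resource-syscalls.json <image>`; inside the container those calls then fail with EPERM instead of taking effect on the host scheduler or memory locking.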
Which `docker run` flag lifts cgroup limitations?
Answer : A
The --privileged flag lifts all the cgroup limitations for a container, as well as other security restrictions imposed by the Docker daemon [1]. This gives the container full access to the host's devices, resources, and capabilities, as if it were running directly on the host [2]. This can be useful for certain use cases that require elevated privileges, such as running Docker-in-Docker or debugging system issues [3]. However, using the --privileged flag also poses a security risk, as it exposes the host to potential attacks or damage from the container [4]. Therefore, it is not recommended to use the --privileged flag unless absolutely necessary, and only with trusted images and containers.
The other options are not correct because they do not lift all the cgroup limitations for a container, but only affect specific aspects of the container's resource allocation or isolation:
* The --cpu-period flag sets the CPU CFS (Completely Fair Scheduler) period for a container, which is the length of a CPU cycle in microseconds. This flag can be used in conjunction with the --cpu-quota flag to limit the CPU time allocated to a container. However, this flag does not affect other cgroup limitations, such as memory, disk, or network.
* The --isolation flag sets the isolation technology for a container, which is the mechanism that separates the container from the host or other containers. This flag is only available on Windows containers, and can be used to choose between process, hyperv, or process-isolated modes. However, this flag does not affect the cgroup limitations for a container, but only the level of isolation from the host or other containers.
* The --cap-drop flag drops one or more Linux capabilities for a container, which are the privileges that a process can use to perform certain actions on the system. This flag can be used to reduce the attack surface of a container by removing unnecessary or dangerous capabilities. However, this flag does not affect the cgroup limitations for a container, but only the capabilities granted to the container by the Docker daemon.
Reference:
1: Runtime privilege and Linux capabilities
2: Docker Security: Using Containers Safely in Production
3: Docker run reference
4: Docker Security: Are Your Containers Tightly Secured to the Ship? SlideShare
* Secure Engine
* Configure a Pod to Use a Limited Amount of CPU
* Limit a container's resources
* Managing Container Resources
* Isolation modes
* Windows Container Isolation Modes
* Windows Container Version Compatibility
* Docker and Linux Containers
* Docker Security Cheat Sheet
* Docker Security: Using Containers Safely in Production
Is this statement correct?
Solution: A Dockerfile provides instructions for building a Docker image
Answer : A
A Dockerfile is a text file that contains all the commands a user could run on the command line to create an image [1]. A Dockerfile is composed of instructions that specify the parent image, the packages to install, the files to copy, the ports to expose, and the commands to run [2]. A Dockerfile can be used to build a Docker image with the docker build command [3].
Reference:
1: Dockerfile reference | Docker Docs
2: What is a Dockerfile? A Step-by-Step Guide [2023 Updated] - Simplilearn
3: How to Build Docker Images with Dockerfile | Linuxize
During development of an application meant to be orchestrated by Kubernetes, you want to mount the /data directory on your laptop into a container.
Will this strategy successfully accomplish this?
Solution: Set containers.Mounts.hostBinding: /data in the container's specification.
Answer : B
The strategy will not successfully accomplish mounting the /data directory on your laptop into a container. The containers.Mounts.hostBinding: /data setting is not valid syntax for specifying a bind mount in a Kubernetes container specification. According to the Kubernetes documentation, the correct way to mount a host directory into a container is to use a hostPath volume, which takes a path parameter that specifies the location on the host. For example, to mount the /data directory on your laptop into a container at /var/data, you can use the following YAML snippet:
spec:
  containers:
  - name: my-container
    image: my-image
    volumeMounts:
    - name: data-volume
      mountPath: /var/data
  volumes:
  - name: data-volume
    hostPath:
      path: /data
Reference:
Volumes | Kubernetes
Use bind mounts