Is this a type of Linux kernel namespace that provides container isolation?
Solution: Authentication
Answer : B
Authentication is not a type of Linux kernel namespace that provides container isolation. Namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources and another set of processes sees a different set of resources. Docker uses six different namespaces to isolate containers from the host and from each other: PID, USER, UTS, IPC, MNT, and NET [1][2]. Authentication is not one of them. Authentication is a process of verifying the identity of a user or a system, which is usually done by using credentials such as passwords, tokens, or certificates. Authentication does not directly affect the isolation of containers, although it can be used to control access to them.
Reference:
1: Docker security | Docker Docs
2: Securing Docker Containers with Linux Kernel Features | Infosec
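The following Python example is added here and is not from the original page or from Docker. It compares the namespace identifiers exposed under /proc/<pid>/ns for two processes and reports which of the six namespace types a container shares with the host; the inode values in HOST_NS and CONTAINER_NS are constructed sample data, and the function names are illustrative.

```python
import os
import re

# The six namespace types named in the explanation, by their /proc/<pid>/ns names.
NAMESPACES = ("pid", "user", "uts", "ipc", "mnt", "net")
_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

# Constructed sample data in the form readlink returns for /proc/<pid>/ns/<type>.
HOST_NS = """pid:[4026531836] user:[4026531837] uts:[4026531838]
ipc:[4026531839] mnt:[4026531840] net:[4026531992]"""
# Constructed sample: a container started with the host network and
# without user-namespace remapping, so "user" and "net" match the host.
CONTAINER_NS = """pid:[4026532501] user:[4026531837] uts:[4026532499]
ipc:[4026532500] mnt:[4026532498] net:[4026531992]"""


def parse_ns(text):
    """Parse tokens like 'net:[4026531992]' into {namespace type: inode}."""
    table = {}
    for token in text.split():
        match = _LINK.match(token)
        if match:
            table[match.group(1)] = int(match.group(2))
    return table


def read_ns(pid):
    """Read the live namespace links of a process (Linux, needs permission)."""
    base = f"/proc/{pid}/ns"
    links = [os.readlink(os.path.join(base, name)) for name in NAMESPACES]
    return parse_ns(" ".join(links))


def shared_with_host(host, container):
    """Return namespace types where the container is not isolated from the host.

    Two processes are in the same namespace when the inode numbers match.
    A missing entry is reported too, because isolation cannot be confirmed.
    """
    return [
        name for name in NAMESPACES
        if container.get(name) is None or container.get(name) == host.get(name)
    ]


if __name__ == "__main__":
    print(shared_with_host(parse_ns(HOST_NS), parse_ns(CONTAINER_NS)))
```

On a live host, pass read_ns(1) and read_ns(<container process PID>) to shared_with_host instead of the sample data.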
Will this action upgrade Docker Engine CE to Docker Engine EE?
Solution: Uninstall 'docker-ce' package before installing 'docker-ee' package.
Answer : B
Uninstalling the 'docker-ce' package before installing the 'docker-ee' package will not upgrade Docker Engine CE to Docker Engine EE. It will only remove the existing Docker Engine CE installation and install a new Docker Engine EE installation. This means that any existing containers, images, volumes, networks, and other Docker resources will be lost. To upgrade Docker Engine CE to Docker Engine EE without losing any data, you need to use the migration tool provided by Docker [1] or follow the steps described in the Docker documentation [2] or other online guides [3][4].
Reference:
1: Migrate to Engine 1.10 | Docker Docs
2: Install Docker Engine | Docker Docs
3: Switching Docker 18.09 Community Edition to Enterprise Engine with no ...
4: How to upgrade Docker 18.09 Community Edition to Docker Enterprise 18.09
Is this a function of UCP?
Solution: enforces the deployment of signed images to the cluster
Answer : A
This is a function of UCP, as it integrates with Docker Trusted Registry (DTR) to provide built-in security and access control for your images. DTR allows you to enforce security policies and only allow running applications that use Docker images you know and trust. You can sign your images with Docker Content Trust (DCT) to prove their authenticity and integrity. UCP will verify the signatures of the images before deploying them to the cluster [1][2].
Reference:
1: Universal Control Plane overview | dockerlabs
2: How to Sign Your Docker Images to Increase Trust - How-To Geek
Will this command display a list of volumes for a specific container?
Solution: 'docker container inspect nginx'
Answer : B
This command will not display a list of volumes for a specific container, as it will show detailed information on the container itself, such as its configuration, network settings, state, and log path [1]. To display a list of volumes for a specific container, you need to use the --format option with a custom template that filters the output by the Mounts field [2]. For example, the following command will show the source and destination of the volumes mounted in the nginx container:
docker container inspect --format='{{range .Mounts}}{{.Source}} -> {{.Destination}} {{end}}' nginx
Reference:
1: docker container inspect | Docker Docs
2: How to Use Docker Inspect Command - Linux Handbook
A company's security policy specifies that development and production containers must run on separate nodes in a given Swarm cluster. Can this be used to schedule containers to meet the security policy requirements?
Solution: label constraints
Answer : A
Label constraints can be used to schedule containers to meet the security policy requirements. Label constraints are a way to specify which nodes a service can run on based on the labels assigned to the nodes. Labels are key-value pairs that can be attached to any node in the swarm. For example, you can label nodes as development or production depending on their intended use. Then, you can use the --constraint option when creating or updating a service to filter the nodes based on their labels. For example, to run a service only on development nodes, you can use:
docker service create --constraint 'node.labels.environment == development' ...
To run a service only on production nodes, you can use:
docker service create --constraint 'node.labels.environment == production' ...
This way, you can ensure that development and production containers run on separate nodes in the swarm, as required by the security policy.
Reference:
Using placement constraints with Docker Swarm
Multiple label placement constraints in docker swarm
Machine constraints in Docker swarm
How can set service constraint to multiple value
Is this a way to configure the Docker engine to use a registry without a trusted TLS certificate?
Solution: Set INSECURE_REGISTRY in the '/etc/docker/default' configuration file.
Answer : A
Setting INSECURE_REGISTRY in the /etc/docker/default configuration file is one way to configure the Docker engine to use a registry without a trusted TLS certificate. This option tells the Docker daemon to accept insecure connections to the specified registry, bypassing the certificate verification [1]. However, this method is not recommended, as it exposes the registry and the Docker engine to potential security risks [2]. A better way to use a registry without a trusted TLS certificate is to add the registry's CA certificate to the Docker daemon's trust store, as described in the Docker documentation [3] or other online guides [4].
Reference:
1: How to build docker registry without SSL
2: Verify repository client with certificates | Docker Docs
3: "docker pull" certificate signed by unknown authority
4: Login to docker registry with client certificate under windows
Will this action upgrade Docker Engine CE to Docker Engine EE?
Solution: Disable the Docker service via 'chkconfig' or 'systemctl'.
Answer : B
The action will not upgrade Docker Engine CE to Docker Engine EE. Disabling the Docker service via chkconfig or systemctl will only stop the Docker daemon from running, but it will not change the version or edition of the Docker engine [1]. To upgrade Docker Engine CE to Docker Engine EE, you need to follow these steps [2]:
Download your Docker Enterprise license from the Docker Store.
Install the docker-ee package from the Docker repository.
Restart the Docker service and verify the version and edition.
Reference:
1: Start or stop the Docker daemon
2: How to upgrade Docker 18.09 Community Edition to Docker Enterprise 18.09