Docker Certified Associate Exam Practice Test

Page: 1 / 14
Total 183 questions
Question 1

Seven managers are in a swarm cluster.

Is this how should they be distributed across three datacenters or availability zones?

Solution: 4-2-1



Answer : B

= This is not how the seven managers should be distributed across three datacenters or availability zones.A swarm cluster is a group of Docker hosts that are running in swarm mode and act as managers or workers1.A manager node is responsible for maintaining the swarm state and orchestrating the services2.A swarm cluster needs a quorum of managers to operate, which means a majority of managers must be available and able to communicate with each other3.

The problem with distributing the seven managers as 4-2-1 is that it creates a split-brain scenario, where the cluster can lose the quorum if one datacenter or availability zone fails. For example, if the datacenter with four managers goes down, the remaining three managers will not have enough votes to form a quorum, and the cluster will stop functioning.Similarly, if the datacenter with one manager goes down, the cluster will lose the tie-breaking vote and will not be able to elect a leader4.

A better way to distribute the seven managers across three datacenters or availability zones is to use 3-2-2, which ensures that the cluster can tolerate the failure of any one datacenter or availability zone and still maintain the quorum. For example, if the datacenter with three managers goes down, the remaining four managers will have enough votes to form a quorum and elect a leader.Similarly, if the datacenter with two managers goes down, the remaining five managers will have enough votes to form a quorum and elect a leader4.Reference:

Swarm mode overview | Docker Docs

Administer and maintain a swarm of Docker Engines | Docker Docs

Raft consensus in swarm mode | Docker Docs

Docker Swarm: How to distribute managers across availability zones? - Stack Overflow


Question 2

Is this statement correct?

Solution: A Dockerfile stores the Docker daemon's configuration options.



Answer : B

The statement isnotcorrect. A Dockerfile does not store the Docker daemon's configuration options.A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image1. A Dockerfile is used to build images, not to configure the Docker daemon.The Docker daemon's configuration options are stored in a JSON file, which is usually located at /etc/docker/daemon.json on Linux systems, or C:\ProgramData\docker\config\daemon.json on Windows2.The JSON file allows you to customize the Docker daemon's behavior, such as enabling debug mode, setting TLS certificates, or changing the data directory2.Reference:Dockerfile reference),Docker daemon configuration overview)


Question 3

An application image runs in multiple environments, with each environment using different certificates and ports.

Is this a way to provision configuration to containers at runtime?

Solution: Create images that contain the specific configuration for every environment.



Answer : B

= Creating images that contain the specific configuration for every environment is not a way to provision configuration to containers at runtime.This approach violates the principle of separating application code from configuration, and makes the images less portable and reusable across different environments1.It also increases the maintenance overhead and the risk of configuration drift, as any change in the configuration would require rebuilding and redeploying the images2.To provision configuration to containers at runtime, you should use a different mechanism, such as environment variables, command-line arguments, or config maps345.Reference:

Configuration management with Containers | Kubernetes

Environment variables in Compose | Docker Docs

Override the default command | Docker Docs

Configuration management with Containers | Kubernetes


Question 4

Is this a type of Linux kernel namespace that provides container isolation?

Solution. Host



Answer : B

= Host is not a type of Linux kernel namespace that provides container isolation.Linux namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources1.There are eight kinds of namespaces available: Mount, Process, User, Network, UTS, IPC, Cgroup, and Time1.Host is a parameter that can be used to run a container in the host's network namespace, which means the container shares the same network interfaces and configuration as the host2.Reference:

Linux namespaces - Wikipedia

Network settings | Docker Documentation


Question 5

You configure a local Docker engine to enforce content trust by setting the environment variable

DOCKER_CONTENT_TRUST=1.

If myorg/myimage: 1.0 is unsigned, does Docker block this command?

Solution: docker container run myorg/myimage:1.0



Answer : A

Docker will block the commanddocker container run myorg/myimage:1.0if the image tagmyorg/myimage:1.0is unsigned and the environment variableDOCKER_CONTENT_TRUST=1is set.The reason is that settingDOCKER_CONTENT_TRUST=1enables Docker Content Trust (DCT), which is a feature that allows users to verify the integrity and publisher of Docker images using digital signatures1. When DCT is enabled, Docker will only pull, run, or build images that have valid signatures.If an image tag is unsigned or has an invalid signature, Docker will reject the operation and display an error message2.Therefore, to run an unsigned image with DCT enabled, you need to either disable DCT by settingDOCKER_CONTENT_TRUST=0or use the--disable-content-trustflag, or sign the image tag with a valid key3.Reference:

Content trust in Docker

Determine if Docker image is signed or unsigned

Signing Images and Enabling Docker Content Trust


Question 6

You configure a local Docker engine to enforce content trust by setting the environment variable

DOCKER_CONTENT_TRUST=1.

If myorg/myimage: 1.0 is unsigned, does Docker block this command?

Solution: docker image inspect myorg/myimage: 1.0



Answer : A

= Docker will block the commanddocker image inspect myorg/myimage: 1.0if the image tag is unsigned and the environment variable DOCKER_CONTENT_TRUST is set to 1.This is because Docker Content Trust (DCT) enables the verification of the integrity and publisher of Docker images using digital signatures1.When DCT is enabled, Docker will only pull, run, or inspect images that have a valid signature2.If the image tag is not signed, Docker will reject the command and display an error message, such asNo valid trust data for 1.03. To inspect an unsigned image, you need to either disable DCT by setting DOCKER_CONTENT_TRUST to 0, or use the--disable-content-trustflag with the command.Reference:

Content trust in Docker | Docker Docs

Enable and disable content trust in Docker | Docker Docs

Docker Content Trust: What It Is and How It Secures Container Images

[docker image inspect | Docker Docs]


Question 7

Is this a supported user authentication method for Universal Control Plane?

Solution. LDAP



Answer : A

: = LDAP is a supported user authentication method for Universal Control Plane (UCP). UCP has its own built-in authentication mechanism and integrates with LDAP and Active Directory. It also supports Role Based Access Control (RBAC) and Docker Content Trust. UCP allows you to configure LDAP as an authentication method and connect it to your LDAP server.You need to provide the LDAP URL, the base DN, the bind DN and password, and the user and group search settings12.Reference:

SAML | Docker Docs

Universal Control Plane overview | dockerlabs


Page:    1 / 14   
Total 183 questions