Which of the following is supported by control groups?
- A . Manage certificates
- B . Collect net
- C . Limit CPU usage within a container
- D . Isolate processes in a container
Will this Linux kernel facility limit a Docker container’s access to host resources, such as CPU or memory?
Solution: seccomp
- A . Yes
- B . No
How do you change the default logging driver for the docker daemon in Linux?
- A . Set the value of log-driver to the name of the logging driver In the daemon.json In /etc/doc
- B . Use the -log-driver’ flag when you run a container.
- C . At the command line, type: docker log driver set <driver name>
- D . Install a logging agent on the Linux host.
A server is running low on disk space.
What command can be used to check the disk usage of images, containers, and volumes for Docker engine?
- A . ‘docker system df’
- B . ‘docker system prune’
- C . ‘docker system free’
- D . ‘docker system ps’
What is the difference between a resource limit and a resource reservation when scheduling services?
- A . A resource limit and a resource reservation can be used interchangeably.
- B . A resource limit is a soft limit for your service, while a reservation is hard limit and the docker engine will do its best to keep your service at the limit.
- C . A resource limit is used to find a host with adequate resources for scheduling a hard limit for your service, while a reservation is hard limit for your service.
- D . A resource limit is hard limit for your service, while a reservation is used to find a host with adequate
resources for scheduling. Correct
Which of the following commands is used to display system-wide Docker configuration on a host?
- A . docker info
- B . docker status
- C . docker inspect
- D . docker system
Which of the following statements is true about secrets?
- A . Secrets can be created from any node in the cluster.
- B . Secrets can be modified after they are created.
- C . Secret are stored unencrypted on manager nodes.
- D . Secrets can be created using standard input (STDIN) and a file.
Will this command list all nodes in a swarm cluster from the command line?
Solution: ‘docker swarm nodes’
- A . Yes
- B . No
Does this describe the role of Control Groups (cgroups) when used with a Docker container?
Solution: role-based access control to clustered resources
- A . Yes
- B . No
In the context of a swarm mode cluster, does this describe a node?
Solution: a virtual machine participating in the swarm
- A . Yes
- B . No
In the context of a swarm mode cluster, does this describe a node?
Solution: an instance of the Docker engine participating in the swarm
- A . Yes
- B . No
Which one of the following commands will show a list of volumes for a specific container?
- A . ‘docker container logs nginx –volumes’
- B . ‘docker container inspect nginx’
- C . ‘docker volume inspect nginx’
- D . ‘docker volume logs nginx –containers’
Which of the following commands starts a Redis container and configures it to always restart unless it is explicitly stopped or Docker is restarted?
- A . ‘docker run -d –restart-policy unless-stopped redis’
- B . ‘docker run -d –restart omit-stopped redis’
- C . ‘docker run -d –restart unless-stopped redis’
- D . ‘docker run -d –failure omit-stopped redis’
Is this a type of Linux kernel namespace that provides container isolation?
Solution: Authentication
- A . Yes
- B . No
Wha is the purpose of Docker Content Trust?
- A . Signing and verification of image tags
- B . Enabling mutual TLS between the Docker client and server
- C . Docker registry TLS verification and encryption
- D . Indicating an image on Docker Hub is an official image
You are troubleshooting a Kubernetes deployment called api, and want to see the events table for this object. Does this command display it?
Solution: kubectl events deployment api
- A . Yes
- B . No
You configure a local Docker engine to enforce content trust by setting the environment variable DOCKER_CONTENT_TRUST=1.
If myorg/myimage: 1.0 is unsigned, does Docker block this command?
Solution: docker service create myorg/myimage:1.0
- A . Yes
- B . No
Your organization has a centralized logging solution, such as Splunk.
Will this configure a Docker container to export container logs to the logging solution?
Solution: docker logs <container-id>
- A . Yes
- B . No
The Kubernetes yaml shown below describes a clusterIP service.
Is this a correct statement about how this service routes requests?
Solution: Traffic sent to the IP of any pod with the label app: nginx on port 8080 will be forwarded to port 80 in that pod.
- A . Yes
- B . No
You want to create a container that is reachable from its host’s network.
Does this action accomplish this?
Solution: Use –link to access the container on the bridge network.
- A . Yes
- B . No
Which ‘docker run’ flag lifts cgroup limitations?
- A . ‘docker run –isolation’
- B . ‘docker run –cap-drop’
- C . ‘docker run –privileged’
- D . ‘docker run –cpu-period’
Is this the purpose of Docker Content Trust?
Solution: Enable mutual TLS between the Docker client and server.
- A . Yes
- B . No
How do you configure Docker engine to use a registry that is not configured with TLS certificates from a trusted CA?
- A . Set IGNORE_TLS in the ‘daemon.json’ configuration file.
- B . Set and export the IGNORE_TLS environment variable on the command line
- C . Set INSECURE_REGISTRY in the ‘/etc/docker/default’ configuration file
- D . Pass the ‘–insecure.-registry’ flag to the daemon at run time
Is this a function of UCP?
Solution: enforces the deployment of signed images to the cluster
- A . Yes
- B . No
The Kubernetes yaml shown below describes a clusterIP service.
Is this a correct statement about how this service routes requests?
Solution: Traffic sent to the IP of this service on port 8080 will be routed to port 80 in a random pod with the label aPP: nginx.
- A . Yes
- B . No
Does this describe the role of Control Groups (cgroups) when used with a Docker container?
Solution: accounting and limiting of resources
- A . Yes
- B . No
Will this Linux kernel facility limit a Docker container’s access to host resources, such as CPU or memory?
Solution: namespaces
- A . Yes
- B . No
Seven managers are in a swarm cluster.
Is this how should they be distributed across three datacenters or availability zones?
Solution: 3-3-1
- A . Yes
- B . No
You created a new service named ‘http’ and discover it is not registering as healthy.
Will this command enable you to view the list of historical tasks for this service?
Solution: ‘docker service ps http’
- A . Yes
- B . No
What is the recommended way to configure the daemon flags and environment variables for your Docker daemon in a platform independent way?
- A . Set the configuration options using the ENV variable
- B . Set the configuration options in ‘/etc/docker/daemon.json’
- C . Set the configuration DOCKER_OPTS in ‘/etc/default/docker’
- D . Using ‘docker config’ to set the configuration options.
Will this sequence of steps completely delete an image from disk in the Docker Trusted Registry?
Solution: Delete the image and run garbage collection on the Docker Trusted Registry.
- A . Yes
- B . No
Is this statement correct?
Solution: A Dockerfile provides instructions for building a Docker image
- A . Yes
- B . No
Which of the following commands will create a swarm service which only listens on port 53 using the UDP protocol?
- A . docker service create –name dns-cache -p 53:53/udp dns-cache
- B . docker service create –name dns-cache -p 53:53 –service udp dns-cache
- C . docker service create –name dns-cache -p 53:53 ..constraint networking.protocol.udp=true dns-cache
- D . docker service create –name dns-cache -p 53:53 –udp dns-cache
After creating a new service named ‘http’, you notice that the new service is not registering as healthy.
How do you view the list of historical tasks for that service by using the command line?
- A . ‘docker inspect http’
- B . ‘docker service inspect http’
- C . ‘docker service ps http’
- D . ‘docker ps http’
You add a new user to the engineering organization in DTR.
Will this action grant them read/write access to the engineering/api repository?
Solution: Add them to a team in the engineering organization that has read/write access to the engineering/api repository.
- A . Yes
- B . No
Two development teams in your organization use Kubernetes and want to deploy their applications while ensuring that Kubernetes-specific resources, such as secrets, are grouped together for each application.
Is this a way to accomplish this?
Solution: Create one namespace for each application and add all the resources to it.
- A . Yes
- B . No
Is this an advantage of multi-stage builds?
Solution: optimizes Images by copying artifacts selectively from previous stages
- A . Yes
- B . No
Is this a supported user authentication method for Universal Control Plane? Solution: PAM
- A . Yes
- B . No
Will this command ensure that overlay traffic between service tasks is encrypted?
Solution: docker network create -d overlay -o encrypted=true <network-name>
- A . Yes
- B . No
Some Docker images take time to build through a Continuous Integration environment. You want to speed up builds and take advantage of build caching.
Where should the most frequently changed part of a Docker image be placed in a Dockerfile?
- A . at the bottom of the Dockerfile
- B . after the FROM directive
- C . at the top of the Dockerfile
- D . in the ENTRYPOINT directive
Will this command ensure that overlay traffic between service tasks is encrypted?
Solution: docker network create -d overlay –secure
- A . Yes
- B . No
Seven managers are in a swarm cluster.
Is this how should they be distributed across three datacenters or availability zones?
Solution: 3-2-2
- A . Yes
- B . No
Which set of commands can identify the publishd port(s) for a container? (Choose 1.)
- A . ‘docker port inspect’, ‘docker container inspect’
- B . ‘docker container inspect’, docker port’
- C . ‘docker info’,’docker network inspect’
- D . ‘docker network inspect’,’docker port’
Will this configuration achieve fault tolerance for managers in a swarm?
Solution: only two managers, one active and one passive.
- A . Yes
- B . No
What is one way of directly transferring a Docker Image from one Docker host in another?
- A . ‘docker push’ the image to the IP address of the target host.
- B . ‘docker commit’ to save the image outside of the Docker filesystem. Then transfer the file over to the target host and ‘docker start’ to start the container again.
- C . There is no way of directly transferring Docker images between hosts. A Docker Registry must be used ad an intermediary.
- D . ‘docker save’ the image to save it as TAR file and copy it over to the target host. Then use ‘docker load’ to un-TAR the image back as a Docker image.
You are running only Kubernetes workloads on a worker node that requires maintenance, such as installing patches or an OS upgrade
Which command must be run on the node to gracefully terminate all pods on the node, while marking the node as unschedulable?
- A . ‘docker node update –availability drain <node name>’
- B . ‘docker swarm leave’
- C . ‘kubectl drain <node name>’
- D . ‘kubectl cordon <node name>’
Will this action upgrade Docker Engine CE to Docker Engine EE?
Solution: Uninstall ‘docker-ce’ package before installing ‘docker-ee’ package.
- A . Yes
- B . No
A Kubernetes node is allocated a /26 CIDR block (64 unique IPs) for its address space.
If every pod on this node has exactly two containers in it, how many pods can this address space support on this node?
- A . 32
- B . 32 In every Kubernetes namespace
- C . 64 for every service routing to pods on this node
- D . 64
The following Docker Compose file is deployed as a stack:
Is this statement correct about this health check definition?
Solution: Health checks test for app health ten seconds apart. If the test fails, the container will be restarted three times before it gets rescheduled.
- A . Yes
- B . No
An application image runs in multiple environments, and each environment uses different certificates and ports, what is the best practice to deploy the containers?
- A . Create a Dockerfile for each environment, specifying ports and ENV variables for certificates.
- B . Create a Dockerfile for each environment, specifying ports and Docker secrets for certificates.
- C . Create images that contain the specific configuration for every environment.
- D . Create a config file for each environment.
What is the purpose of multi-stage builds?
- A . Better logical separation of Dockerfile instructions for better readability
- B . Optimizing images by copying artifacts selectively from previous stages
- C . Better caching when building Docker images
- D . Faster image builds by allowing parallel execution of Docker builds
A company’s security policy specifies that development and production containers must run on separate nodes in a given Swarm cluster.
Can this be used to schedule containers to meet the security policy requirements?
Solution: label contraints
- A . Yes
- B . No
Will this sequence of steps completely delete an image from disk in the Docker Trusted Registry?
Solution: Delete the image and delete the image repository from Docker Trusted Registry
- A . Yes
- B . No
In the context of a swarm mode cluster, does this describe a node?
Solution: a physical machine participating in the swarm
- A . Yes
- B . No
You have deployed a service to swarm.
Which command uses the Docker CLI to set the number of tasks of the services to 5? (choose 2)
- A . ‘docker service update –replicas=5 <service-id>’
- B . ‘docker replica update <service-id>=5’
- C . ‘docker update service <service-id>=5’
- D . ‘docker service replicas <service-id>=5’
- E . ‘docker service scale <service-id> = 5”
Will this configuration achieve fault tolerance for managers in a swarm?
Solution: an odd number of manager nodes, totaling more than two
- A . Yes
- B . No
Is this a Linux kernel namespace that is disabled by default and must be enabled at Docker engine runtime to be used?
Solution: net
- A . Yes
- B . No
Which of the following is true about using the ‘-P’ option when creating a new container?
- A . Docker binds each exposed container port to a random port on all the host’s interface
- B . Docker gives extended privileges to the container.
- C . Docker binds each exposed container port to a random port on a specified host interface
- D . Docker binds each exposed container port with the same port on the host
A
Explanation:
Controllare
In Docker Trusted Registry, how would a user prevent an image, for example ‘nginx:latest’ from being overwritten by another user with push access to the repository?
- A . Tag the image with ‘nginx:immutable’
- B . Remove push access from all other users.
- C . Use the DTR web UI to make the tag immutable.
- D . Keep a backup copy of the image on another repository.
Is this a Linux kernel namespace that is disabled by default and must be enabled at Docker engine runtime to be used?
Solution: user
- A . Yes
- B . No