DCA-2 Flashcards by Jonathan Marshall

What environment variables must be set to allow client to communicate with UCP via CLI?

DOCKER

DOCKER_HOST

DOCKER_CERT_PATH

DOCKER_PATH

DOCKER_HOST

DOCKER_CERT_PATH

How well did you know this?

Not at all

Perfectly

What is the command-line interface used to interact with UCP from a shell?

docker-ucp

docker

docker-ee

docker-ucp-cli

docker

How well did you know this?

Not at all

Perfectly

Universal Control Plane (UCP), lets you authorize users to view, edit, and use cluster resources by granting role-based permissions against resource sets.

True
False

True

How well did you know this?

Not at all

Perfectly

To authorize access to cluster resources across your organization, which of the following high-level steps must UCP administrators take?

Configure subjects (users, teams, and service accounts).

Define custom roles (or use defaults) by adding permitted operations per type of resource.

Configure resource sets of Swarm collections or Kubernetes namespaces.

Create grants by combining subject + role + resource set

Configure subjects (users, teams, and service accounts).

Define custom roles (or use defaults) by adding permitted operations per type of resource.

Configure resource sets of Swarm collections or Kubernetes namespaces.

Create grants by combining subject + role + resource set

How well did you know this?

Not at all

Perfectly

Which of the statements best describes “Subjects” in the Access Control Model?

A subject represents a user, team, organization

A subject does not represent a service account.

A subject can be granted a role that defines permitted operations against one or more resource sets.

A subject represents a service account.

A subject represents a user, team, organization

A subject can be granted a role that defines permitted operations against one or more resource sets.

A subject represents a service account.

How well did you know this?

Not at all

Perfectly

A group of teams that share a specific set of permissions forms a collection.

True
False

False

How well did you know this?

Not at all

Perfectly

Which of the statements best describe “Roles” in the Access Control Model?

Roles define what operations are allowed on a resource.

A role is a set of permitted operations against a type of resource, like a container or volume, which can only be assigned to individual users.

Most organizations use multiple roles to fine-tune appropriate access to users and teams.

All of the above

Roles define what operations are allowed on a resource.

Most organizations use multiple roles to fine-tune appropriate access to users and teams.

How well did you know this?

Not at all

Perfectly

Which of the statements best describe “Resource sets” in Access Control Model?

A collection of resources in Docker Swarm

A collection in Kubernetes

A namespace in Kubernetes

A namespace in Docker Swarm

A collection of resources in Docker Swarm

A namespace in Kubernetes

How well did you know this?

Not at all

Perfectly

Which of the statements best describe “Grants” in the Access Control Model?

Grants define which users can access what resources in what way.

A grant is made up of a role and a resource set.

A grant is made up of a subject, a role, and a resource set.

Grants are effectively Access Control Lists (ACLs) which provide comprehensive access policies for an entire organization when grouped together.

Grants define which users can access what resources in what way.

A grant is made up of a subject, a role, and a resource set.

Grants are effectively Access Control Lists (ACLs) which provide comprehensive access policies for an entire organization when grouped together.

How well did you know this?

Not at all

Perfectly

Only an administrator can manage grants, subjects, roles, and access to resources.

True
False

True

How well did you know this?

Not at all

Perfectly

Docker Enterprise Edition provides … , where in we can create users and group them into teams which are nothing but group of users and tie them up with an organization.

DTR
UCP
UCP Agent
RBAC

RBAC

How well did you know this?

Not at all

Perfectly

Which of the following is a common workflow for RBAC in Docker EE is

Create users, teams, and organization

Create custom roles with a set of permissions

Combine resources sets using a collection

Create users, teams, and organization

Create custom roles with a set of permissions

Combine resources sets using a collection

How well did you know this?

Not at all

Perfectly

The … allows you to authorize a remote Docker engine to a specific user account managed in Docker EE, absorbing all associated RBAC controls in the process

DTR

UCP

Client bundle

RBAC

Client Bundle

How well did you know this?

Not at all

Perfectly

A client bundle is a group of certificates downloadable directly from the Docker Trusted Registry (DTR) user interface within the admin section for “My Profile”

True
False

False

How well did you know this?

Not at all

Perfectly

Using …. in Docker EE we can control who can access and make changes to your cluster and applications.

DTR
UCP
Client bundle
RBAC

RBAC

How well did you know this?

Not at all

Perfectly

What are the minimum hardware requirements to install UCP?

4GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 2GB RAM and 500MB disk space for the /var partition for worker nodes

8GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 4GB RAM and 500MB disk space for the /var partition for worker nodes

8GB RAM, 2vCPUs and 10GB disk space for the /var/lib/docker partition for manager nodes, 4GB RAM and 500MB disk space for the /var/lib/docker partition for worker nodes

4GB RAM, 2vCPUs and 10GB disk space for the /var/lib/docker partition for manager nodes, 2GB RAM and 500MB disk space for the /var/lib/docker partition for worker nodes

8GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 4GB RAM and 500MB disk space for the /var partition for worker nodes

How well did you know this?

Not at all

Perfectly

What are the features of Docker Trusted Registry (DTR)?

Built-in Access Control

Image and Job Management

Automated image builds

Security Scanning

Dockerfile management in SCM

Image Signing

Built-in Access Control

Image and Job Management

Security Scanning

Image Signing

How well did you know this?

Not at all

Perfectly

A group of teams that share a specific set of permissions forms a collection.

True
False

False

How well did you know this?

Not at all

Perfectly

When using the built-in authentication mechanism, you can create users to grant them fine-grained permissions.
Which of the following statements best describes managing users in DTR?

Users are shared across UCP and DTR.

When you create a new user in UCP, that user becomes available in DTR and vice versa.

Check the Trusted Registry admin option, if you want to grant permissions for the user to be a UCP and DTR administrator.

Users are not shared across UCP and DTR

Users are shared across UCP and DTR.

When you create a new user in UCP, that user becomes available in DTR and vice versa.

Check the Trusted Registry admin option, if you want to grant permissions for the user to be a UCP and DTR administrator.

How well did you know this?

Not at all

Perfectly

When a user creates a repository, by default other users will also have permissions to make changes to the repository.

True
False

False

How well did you know this?

Not at all

Perfectly

By default, DTR has one organization called ‘docker-datacenter’, that is shared between DTR and UCP.

True
False

True

How well did you know this?

Not at all

Perfectly

What is the command to pull the docker repository owned by an organization?

docker get DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker pull DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker download DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker fetch DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker pull DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

How well did you know this?

Not at all

Perfectly

Which of the following is the docker image addressing convention?

Registry-Address/Image-or-Repository-Name/User-Or-Account-Name

Registry-Address/User-Or-Account-Name/Image-or-Repository-Name

User-Or-Account-Name/Image-or-Repository-Name/Registry-Address

Image-or-Repository-Name/User-Or-Account-Name/Registry-Address

Registry-Address/User-Or-Account-Name/Image-or-Repository-Name

How well did you know this?

Not at all

Perfectly

If we do not specify a registry information then it is assumed to be the default registry at docker hub at the address docker.io.

True
False

True

How well did you know this?

Not at all

Perfectly

DTR only supports creating private repositories. True False

False

By default, when pushing an image to DTR, it automatically creates a new repository if one does not already exist by that name. True False

False

You cannot configure DTR to allow pushing to repositories that don’t exist yet. True False

False

We can use the CLI to enable pushing to repositories that don’t exist yet. True False

True

DTR is a vulnerability scanner that analyzes container images for security vulnerabilities triggered by a manual request only. True False

False

In which service does DTR image scanning occur? A service known as the dtr-jobrunner container A service known as the dtr-registry container A service known as the dtr-api container A service known as the dtr-runner container

A service known as the dtr-jobrunner container

Extracts a copy of the image layers from backend storage. Extracts the files from the layer into a working directory inside the dtr-jobrunner container. Executes the scanner against the files in this working directory, collecting a series of scanning data. Once the scanning data is collected, the working directory for the layer will remain on the job-runner until garbage collection is initiated. All of the above

In which of the following will image scanning look for known vulnerabilities OS packages Suspicious user accounts Libraries IP Tables rules that are not required Other dependencies that are defined in a container image All of the above

OS packages Libraries Other dependencies that are defined in a container image

You may also configure DTR to initiate scans automatically when an image is pushed. True False

True

Once the scan is complete, a report shows all the vulnerabilities detected categorized as __________. Major Minor Warning Critical INFO All of the above

Major Minor Critical

With Docker Trusted Registry you can promote an existing image, based on a policy, to be pushed to a new environment. True False

True

With Docker Trusted Registry, we need to rebuild the image in each stage to promote to different environments (e.g. Dev, Test, Stage, and Prod) True False

False

A promotion can only be configured to another repository within the same registry. True False

False

Which statement best describes Garbage Collection in DTR? Automatically removes unused image layers to save disk space at a scheduled interval. Garbage Collection setting is available under the system -> garbage collection section. By default, garbage collection is enabled. All of the above

Automatically removes unused image layers to save disk space at a scheduled interval. Garbage Collection setting is available under the system -> garbage collection section.

You may configure garbage collection to run at a specific interval. True False

True

Under the hood, each image stored in DTR is made up of multiple files, what are they? A list of image layers that are unioned which represents the image filesystem A configuration file that contains the architecture of the image and other metadata A manifest file containing the list of all layers and configuration file for an image

A list of image layers that are unioned which represents the image filesystem A configuration file that contains the architecture of the image and other metadata A manifest file containing the list of all layers and configuration file for an image

DTR ships with Notary built-in so that you can use Docker Content Trust (DCT) to sign and verify images. True False

True

What are the key components of Docker Trusted Registry (DTR) for signing an image? Notary Server Notary Signer Docker Hub Universal Control Plane (UCP)

Notary Server | Notary Signer

Which statements best describe Notary? Notary is a tool for publishing and managing trusted collections of content. The official Docker Hub Notary servers are located at https://docker.io With Notary anyone can provide trust over arbitrary collections of data. Notary uses Globally Unique Names (GUNs) to identify trust collections.

Notary is a tool for publishing and managing trusted collections of content. With Notary anyone can provide trust over arbitrary collections of data. Notary uses Globally Unique Names (GUNs) to identify trust collections.

DCT is integrated with the Docker CLI, and allows you to _____________________. Configure repositories Add signers Sign images using the docker trust command

Configure repositories Add signers Sign images using the docker trust command

You are required to configure your environment to prevent untrusted images from being deployed on the cluster. What approach would you choose to ensure images deployed in the cluster are secure and trusted? Configure RBAC and provide access to repositories to privileged users only Enable vulnerability scanning on images on push Configure UCP to Run only signed images. And enforce image signing for all images using DCT

Configure UCP to Run only signed images. And enforce image signing for all images using DCT

In a Docker swarm cluster, when a failed node is brought back online it is ready to accept new workloads and existing workloads are automatically rebalanced. True False

False

What is the command to rebalance the docker swarm cluster workloads if absolutely necessary? docker service update SERVICE-NAME docker service update --force SERVICE-NAME docker update service SERVICE-NAME docker update service --force SERVICE-NAME

docker service update --force SERVICE-NAME

A swarm cluster runs with 5 manager and 5 worker nodes with 10 replicas of an application running across all worker nodes. Which of the below statements are true when 3 manager nodes do go down at the same time. Since 2 manager nodes are available the cluster continues to operate normally Cluster operates in a degraded mode with no management functionalities The applications continue to work as normal without impacting users Applications are killed and users are impacted

Cluster operates in a degraded mode with no management functionalities The applications continue to work as normal without impacting users

We could add a new node to the cluster as a manager but we cannot promote an existing worker node to be the manager. True False

False

You should have at least 3 managers in the swarm cluster to support manager node failures. True False

True

Which statement best describes Quorum? Quorum is the minimum number of nodes that must be available for the cluster to function properly. In case of 3 manager nodes, the quorum is 3 It is recommended to maintain an odd number of managers to withstand network-wide outages. In case of 5 manager nodes, the quorum is 3

Quorum is the minimum number of nodes that must be available for the cluster to function properly. It is recommended to maintain an odd number of managers to withstand network-wide outages. In case of 5 manager nodes, the quorum is 3

Which of the below configurations can tolerate 3 manager node failures? ``` 4 Manager 2 Worker Node Cluster 5 Manager 5 Worker Node Cluster 6 Manager 5 Worker Node Cluster 7 Manager 3 Worker Node Cluster 7 Manager 5 Worker Node Cluster 8 Manager 6 Worker Node Cluster 8 Manager 2 Worker Node Cluster ```

7 Manager 3 Worker Node Cluster 7 Manager 5 Worker Node Cluster 8 Manager 6 Worker Node Cluster 8 Manager 2 Worker Node Cluster

For any given number of N nodes, What is the quorum value? Total number of nodes divided by 3 + 1 (Quorum = (N/3)+1) Total number of nodes divided by 2 + 1 (Quorum = (N/2)+1) Total number of nodes divided by 2 – 1 (Quorum = (N/2)-1) Total number of nodes divided by 3 – 1 (Quorum = (N/3)-1)

Total number of nodes divided by 2 + 1 (Quorum = (N/2)+1)

What is the command to forcefully create a cluster from its current state? docker swarm init docker swarm init --force docker swarm init --force-cluster docker swarm init --force-new-cluster

docker swarm init --force-new-cluster

What is the command to promote a node to manager in docker swarm cluster? docker promote node NODENAME docker node promote NODENAME docker promote worker node NODENAME docker node promote worker NODENAME

docker node promote NODENAME

Which of the following statements are true? Select all the answers that apply. On every docker host, docker stores data about the object it manages under the /var/lib/docker directory. On a swarm manager node, it stores data about the swarm cluster in the /var/lib/docker/swarm directory. On every docker host, docker stores data about the object it manages under the /var/run/docker directory. On a swarm manager node, it stores data about the swarm cluster in the /var/run/docker/swarm directory.

On every docker host, docker stores data about the object it manages under the /var/lib/docker directory. On a swarm manager node, it stores data about the swarm cluster in the /var/lib/docker/swarm directory.

The RAFT DB helps in restoring the services and any other configuration in a swarm cluster. True False

True

What are the steps that we need to follow to backup the swarm database? Create a tar backup of the swarm data at /var/lib/docker/swarm and restart the docker service. Stop docker service, create a tar backup of the swarm data at /var/lib/docker/swarm, start the docker. Stop docker service, create a tar backup of the docker data at /var/lib/docker, start the docker None of the above

Stop docker service, create a tar backup of the swarm data at /var/lib/docker/swarm, start the docker.

It is recommended to perform a backup on the swarm leader node. True False

False

What is the command to enable automatic locking of managers with an encryption key? docker swarm init --lock=true docker swarm init --autolock=true docker swarm init --autounlock=false docker swarm init --unlock=false

docker swarm init --autolock=true

What is the command to disable auto lock for a docker swarm cluster that has it enabled already? docker swarm update --autolock=false docker update swarm --autolock=false docker swarm update --auto-unlock=true docker update swarm --auto-unlock=true

docker swarm update --autolock=false

The auto lock key is required when the cluster is restored, so it must be kept safe in an external password manager. True False

True

The auto lock key is backed up along with the Swarm backup. True False

False

What are the prerequisites for restoring swarm? You must use the same IP as the node from which you made the backup. You must restore the backup on the same Docker Engine version. If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore. You can find the list of manager IP addresses in state.json in the zip file

You must use the same IP as the node from which you made the backup. You must restore the backup on the same Docker Engine version. If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore. You can find the list of manager IP addresses in state.json in the zip file

Which of the following steps are required on each manager node to restore data to a new swarm? Shut down the Docker Engine on the node you selected for the restore Uninstall Docker on the node Remove the /var/lib/docker directory on the new Swarm if it exists. Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists. Restore the /var/lib/docker/swarm directory with the contents of the backup Install Docker on the node Start Docker on the new node. Unlock the swarm if necessary Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.

Shut down the Docker Engine on the node you selected for the restore Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists. Restore the /var/lib/docker/swarm directory with the contents of the backup Start Docker on the new node. Unlock the swarm if necessary Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.

To take a backup of UCP, which docker image would you need to run with the backup command? docker/ucp-backup docker/ucp docker/backup docker/backup-ucp

docker/ucp

You can only take backup of UCP via CLI. True False

False

In order to take a backup of UCP, you need to backup each UCP manager node. True False

False

Which of the following statements are true about UCP backup? Backups can be utilized for restoring clusters on a cluster with a newer version of Docker Enterprise. More than one backup at the same time is supported. For crashed clusters, backup capability is not guaranteed. UCP backup includes swarm workloads. UCP backup includes Kubernetes workloads.

For crashed clusters, backup capability is not guaranteed. UCP backup includes Kubernetes workloads.

Which of the following ways a UCP backup can be created? CLI GUI API

CLI GUI API

To restore an existing UCP installation from a backup, you need to uninstall UCP from the swarm by using the uninstall-ucp command. True False

True

Which of the following are included in a UCP backup? User, Team and Organization details Docker Swarm Services Kubernetes Namespaces Certificates and Keys Access Control Details Overlay Networks Docker Images Docker Swarm Secrets

User, Team and Organization details Kubernetes Namespaces Certificates and Keys Access Control Details

Which of the following data does Docker Trusted Registry maintain? Configurations Notary Data Certificates and Keys Access Control to repos and Images

Configurations Notary Data Certificates and Keys Access Control to repos and Imagesk

What is the command to perform a backup of DTR node? Run the docker/dtr backup command Run the docker/dtr-backup command Run the docker/backup-dtr command Run the docker/backup dtr command

Run the docker/dtr backup command

To create a backup of DTR, you don’t need to backup the DTR metadata, only backing up image content is enough. True False

False

Since you need your DTR replica ID during a backup, which of the following covers a few ways for you to determine your replica ID? UCP web interface UCP client bundle SSH Access

UCP web interface UCP client bundle SSH Access

What is the command to restore the DTR from a backup tar (e.g dtr-metadata-backup.tar) ? docker run -i --rm docker/dtr-restore < dtr-metadata-backup.tar docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar docker run -i --rm docker/restore-dtr < dtr-metadata-backup.tar docker run -i --rm docker/restore dtr < dtr-metadata-backup.tar

docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar

What is the recommended approach of taking a backup of images stored by Docker Trusted Registry? Store image data on local disk and backup image and DTR metadata together into a tarball Store image data on a shared network storage and use supported backup mechanisms available for that network storage

Store image data on a shared network storage and use supported backup mechanisms available for that network storage

docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar

Which of the following are included in a UCP backup? User, Team and Organization details Docker Swarm Services Kubernetes Namespaces Certificates and Keys Access Control Details Docker Images

User, Team and Organization details Kubernetes Namespaces Certificates and Keys Access Control Details

The auto lock key is required when the cluster is restored, so it must be kept safe in an external password manager. True False

True

To create a backup of DTR, you don’t need to backup the DTR metadata, only backing up image content is enough. True False

False

What are the prerequisites for restoring a swarm? You must use the same IP as the node from which you made the backup. You must restore the backup on the same Docker Engine version. If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.

What are the recommended hardware requirements to install DTR in a production environment? - 16GB RAM, 4vCPUs and 25 - 100 of free disk space - 16GB RAM, 2vCPUs and 100GB of free disk space - 8GB RAM, 2vCPUs and 100GB of free disk space - 8GB RAM, 4vCPUs and 25 - 100GB of free disk space

16GB RAM, 4vCPUs and 25 - 100 of free disk space

Which of the below is a recommended best practice while taking backups of a swarm cluster? - Perform the backup operations from a swarm worker node - Perform the backup operations from a swarm manager node that is not a leader - Perform the backup operations from a swarm manager node that is a leader

- Perform the backup operations from a swarm manager node that is not a leader

What will happen if the container consumes more memory than its limit?

The container will be killed with an Out of Memory exception

Which component is responsible for performing all of these operations: Maintaining the layered architecture, creating a write-able layer, moving files across layers to enable Copy-OnWrite etc?

Storage drivers

What are the different access modes configurable on a persistent volume?

ReadOnlyMany,ReadWriteMany,ReadWriteOnce

Which statement best describes a kubernetes storage class?

A StorageClass provides a way for administrators to describe the “classes” of storage they offer, Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy. The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.

Which statements best describe a PersistentVolumeClaim?

A PersistentVolumeClaim (PVC) is a request for storage by a user A PVC will be automatically bound to a PV on creation when a PV is available Claims can request specific size and access modes

What is a recommended best practice for installing packages and libraries using the apt-get package manager while building an image?

Use the RUN instruction and have the apt-get update and apt-get install commands on the same instruction

What is the command to change the tag of httpd:latest to httpd:v1

docker image tag httpd:latest httpd:v1

After building the below code with an image named webapp, What will happen when you run docker run webapp sleep 1000?

docker overrides the CMD instruction with sleep 1000

Which command can be used to deploy exactly one instance of the application on all the nodes in the cluster?

docker service create --mode=global webapp

Which statement best describes Quorum?

Quorum is the minimum number of nodes that must be available for the cluster to function properly.

What is the command to deploy a service named webapp on a node which has a type=cpu-optimized label?

docker service create --constraint=node.labels.type==cpu-optimized webapp

The webapp:v1 had some bugs and we fixed them in webapp:v2. We want to update the service to use the image webapp:v2. What is the right command?

docker service update --image=webapp:v2 webapp

To list the services created by a stack, run …

docker stack services

How do you configure all key-value pairs in a Secret object as environment variables within a container?

envFrom.secretRef

Which of the following are correct commands to create config maps? Select all the answers that apply.

kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2,kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env

Where do you configure the configMapKeyRef in a pod to use environment variables defined in a ConfigMap?

spec.containers.env.valueFrom

What flags are used to configure encryption on docker daemon without any authentication?

tls, tlscert, tlskey

What is the type and the name of the network created for the DTR services to communicate with each other?

overlay/dtr-ol

Which of the following solutions support network policies?

kube-router,Calico,Weave-Net

Which command is used to get the events of the container named webapp?

docker system events --filter ‘container=webapp’

When you create a swarm service and do not specify a user-defined overlay network, it connects to the … network by default

ingress

What are the recommended hardware requirements to install DTR in a production environment?

16GB RAM, 4vCPUs and 25-100GB of free disk space.

Which of the below is a recommended best practice while taking backups of a swarm cluster?

Perform the backup operations from a swarm manager node that is not a leader

What will happen if the –memory-swap is set to 0?

the setting is ignored, and the value is treated as unset

How many manager nodes must be online in a cluster with 13 manager nodes for the swarm cluster to continue to operate?

Where do you specify image names in a pod definition YAML file to be deployed on Kubernetes?

spec.containers.image

What is the command to rebalance the docker swarm cluster workloads?

docker service update --force

Which option of the docker service command can be used to update 4 replicas at a time of a service named mywebapp?

--update-parallelism 4

What is the command to change the role of a manager node named manager1 to a worker node in a Docker Swarm cluster?

docker node demote manager1

Which command can be used to return the current autolock key used to lock a docker swarm cluster?

docker swarm unlock-key

How do you inject configmap into a pod in Kubernetes?

Using envFrom and configMapRef

The … assigns tasks to nodes in Docker Swarm.

dispatcher

What is the high level command to restore the DTR from a backup tar named dtr-metadata-backup.tar ?

docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar

Which of the below commands may be used to change the default logging driver to splunk?

echo ‘{“log-driver”: “splunk”}’ > /etc/docker/daemon.json

Refer to the Dockerfile below and identify which value should be added to the --from= option in the second stage to copy the application build from the first stage.

0,builder

Which of the below can help minimize the image size?

Only install necessary packages within the image Combine multiple dependent instructions into a single instruction and clean up temporary files Use multi-stage builds

What is the command to find images with a name containing busybox, at least 3 stars and are official builds

docker search --filter is-official=true --filter stars=3 busybox

To scan an image, DTR ________________.

Universal Control Plane (UCP), lets you authorize users to view, edit, and use cluster resources by granting role-based permissions against resource sets.

True

Which statement best describes docker volume plugin?

Docker Engine volume plugins enables Engine deployments to be integrated with external storage systems such as Amazon EBS, The local volume plugin helps to create a volume on Docker host and store its data under the /var/lib/docker/volumes/ directory.

Which of the following are a valid storage driver supported by Docker?

AUFS, overlay2 Device Mapper

Which option is used to change the default storage driver to use devicemapper?

{“storage-driver”: “devicemapper”}

Which statements best describe Persistent Volume in Kubernetes?

A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class, It is a resource in the cluster just like a node is a cluster resource.

ETCD by default listens on port 2780.

False

What types of networks will be created when you initialize a swarm or join a Docker host to an existing swarm?

bridge | ingress

After an update to a service named webapp we realized that something is wrong with the new version and we want to revert back to the old version. How can we achieve that?

docker service rollback webapp

overlay2, aufs, and devicemapper all operate at the file level rather than the block level.

False

Using RUN apt-get update && apt-get install -y ensures your Dockerfile installs the latest package versions everytime an image is built. This technique is known as ……

Cache busting

What is the recommended approach to load a set of configurations into the pod in the form of a file to the path /var/configs?

Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs

UCP has its own built-in authentication mechanism and integrates with LDAP and AD services.

True

If the service type is NodePort, then Kubernetes will allocate a port on every worker node.

True

What is the command to apply disk=ssd label to worker1 in a swarm cluster.

docker node update --label-add disk=ssd worker1

A client bundle is a group of certificates downloadable directly from the Docker Trusted Registry (DTR) user interface within the admin section for “My Profile”

False

What option may be used to change the default behaviour of a failed task during an update in swarm?

--update-failure-action

Which component is responsible to serve the UCP components such as the web UI, the authentication API, metrics server, proxy and data stores used by UCP in the form of containers?

UCP Agent

The routing mesh enables each node in the swarm to accept connections on published ports for any service running in the swarm, even if there’s no task running on the node.

True

In which service does the DTR image scanning occur?

A service known as the dtr-jobrunner container

What component is responsible for instructing a worker to run a task?

scheduler

What are the 4 top level fields a kubernetes definition file for POD contains?

apiVersion metadata kind spec

Which command can be used to list the tasks in a stack named webapp?

docker stack ps webapp

Which command can be used to increase the number of replicas from 2 to 4 of a service named webapp? Select the all right answer

docker service update --replicas=4 webapp docker service scale webapp=4

Which of the below statements are correct?

Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web, Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web

Which command can be used to get the logs of a swarm service?

docker service logs SERVICE-NAME

Create a service using the my-web-server image and map UDP port 80 in the container to port 5000 on the overlay network.

docker service create -p 5000:80/udp my-web-server docker service create --publish published=5000,target=80,protocol=udp my-web-server

Which formula can be used to calculate the Quorum of N nodes?

N / 2 +1

What is the default range of ports that Kubernetes uses for NodePort if one is not specified?

30000-32767

Which among the following statements are true without any change made to the default behavior of network policies in the namespace?

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except allowed by the network policy

What is the command to stop all running containers on the host?

docker container stop $(docker container ls -q)

Which of the following is the correct format for CMD instruction?

CMD [“executable”,“param1”,“param2”] CMD [“param1”,“param2”] CMD command param1 param2

What are the features of docker trusted registry (DTR)?

Built-in Access Control Image and Job Management Security Scanning Image Signing

Which image is used to deploy the Docker Trusted Registry?

docker/dtr

Print the value of ‘Architecture’ and ‘Os’ of an image named webapp

docker image inspect webapp -f '{{.Os}} {{.Architecture}}'

While building a docker image from code stored in a remote URL, which command will be used to build from a directory called docker in the branch dev?

docker build https://github.com/kk/dca.git#dev:docker

Which of the statements best describe “Resource sets” in Access Control Model?

To control user access, cluster resources are grouped into Docker Swarm collections or Kubernetes namespaces. Together, collections and namespaces are named resource sets.

What is the sequence of operations to be followed while configuring a storage class for an application?

Create a storage class with a provisioned create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file

overlay2, aufs, and devicemapper all operate at the file level rather than the block level.

False

What is the command to delete the persistent volumes?

kubectl delete pv PV-NAME

What is a linux feature that allows isolation of containers from the Docker host?

Namespaces

What component is responsible for managing CPU resources and allocating the time of the CPU between different processes?

CFS

Which of the following steps are required on each manager node to restore data to a new swarm?

Shut down the Docker Engine on the node you select for the restore Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists Restore the /var/lib/docker/swarm directory with the contents of the backup Start Docker on the new node. Unlock the swarm if necessary Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.

Where is the log of the webapp container, with id 78373635, stored on the Docker Host?

/var/lib/docker/containers/78373635/78373635.json

Which statement best describes a Kubernetes node? (Choose 3) A machine part of the Kubernetes cluster that runs workloads A Virtual Machine that hosts workloads part of a Kubernetes cluster A Physical Machine that hosts workloads part of a Kubernetes cluster A machine that automatically schedules the pods across the nodes in the cluster. A tool to start a Kubernetes cluster.

A machine part of the Kubernetes cluster that runs workloads A Virtual Machine that hosts workloads part of a Kubernetes cluster A Physical Machine that hosts workloads part of a Kubernetes cluster

Which statement best describes kubectl in Kubernetes? kubectl is an agent that runs on Kubernetes nodes kubectl is used to bring up the Kubernetes cluster The Kubernetes command-line tool kubectl is a tool that lets you run Kubernetes locally

The Kubernetes command-line tool

Which of the below are the container orchestration tools? Apache Mesos Docker Swarm ETCD Kubernetes Apache HTTPD

Apache Mesos Docker Swarm Kubernetes

What are the features of Kubernetes? Self-healing & Batch execution Secrets & configuration management Container Image Management Automated rollouts and rollbacks

Self-healing & Batch execution Secrets & configuration management Automated rollouts and rollbacks

Which statement best describes a control plane component? The control plane's components decides how workloads are placed across the nodes in the cluster kube-proxy is one of the control plane component kube-scheduler is one of the control plane component kube-controller is one of the control plane component

The control plane's components decides how workloads are placed across the nodes in the cluster kube-scheduler is one of the control plane component kube-controller is one of the control plane component

Which statement best describes the Worker Node component? kubelet and container runtime are the worker node components kube-proxy is one of the worker node component kube-scheduler is one of the worker node component kube-apiserver is one of the worker node component

kubelet and container runtime are the worker node components kube-proxy is one of the worker node component

Which of the following statements best describes ETCD? Select the correct answer Etcd serves as the backing datastore for Kubernetes cluster data ETCD is a worker node component ETCD is a distributed reliable key-value store None of the above

Etcd serves as the backing datastore for Kubernetes cluster data ETCD is a distributed reliable key-value store

ETCD by default listens on port 2780. True False

False

Which of the following are components deployed only on a Master Node in a Kubernetes cluster? Kube Scheduler Kube Controller Manager Kube Api-server Kubelet Kube-Proxy

Kube Scheduler Kube Controller Manager Kube Api-server

Which of the following is the etcd command line tool? etcd etcdctl kubectl etcdcli

etcdctl

Which of the below comes under Kubernetes Hosted Solutions? Google Compute Engine (GCE) Google Kubernetes Engine (GKE) Azure Kubernetes Service (AKS) Amazon EC2 Service

Google Kubernetes Engine (GKE) Azure Kubernetes Service (AKS)

What is a component of the Kubernetes control plane that allows external users or services to manage the Kubernetes cluster? Kubernetes Scheduler ETCDCTL Kube API Server Kube Proxy

Kube API Server

Which of the following component watches for newly created pods and selects a node for them to run on? kube-proxy kube-node-controller kube-scheduler kubelet Agent

kube-scheduler

What is the purpose of the replication controller? Responsible for noticing and responding when nodes go down. An agent that runs on each node in the cluster. It makes sure that containers are running in a Pod. Responsible for maintaining the correct number of replicas of PODs at all times. Replication controller makes sure that a pod or a homogeneous set of pods is always up and available

Responsible for maintaining the correct number of replicas of PODs at all times. Replication controller makes sure that a pod or a homogeneous set of pods is always up and available

Which component on the worker node is responsible for maintaining network rules on nodes? kubelet kube-proxy kubelet kube-apiserver

kube-proxy

Which of the following are the container runtimes that Kubernetes supports. Docker Containerd CRI-O LXC

Docker Containerd CRI-O

Which of the following are the types of controllers in Kubernetes? Node-Controller Replication-Controller Endpoint-Controller Deployment-Controller

Node-Controller Replication-Controller Endpoint-Controller Deployment-Controller

Which of the following statements best describes kube-scheduler? The kube-scheduler is only responsible for deciding which pod goes on which node. It places the pod on the nodes Kube-scheduler is a worker node component All of the above

The kube-scheduler is only responsible for deciding which pod goes on which node.

Which statements best describe a POD in Kubernetes? Kubernetes deploys applications in the form of Pods A Pod can contain only one container To scale up an application, increase the number of containers in a Pod. Every container in the pod gets its own hostname and IP address

Kubernetes deploys applications in the form of Pods

Which statement best describes Multi-Container POD? Select all the answers that apply. Multi-container Pods can share resources and dependencies, communicate with one another, and coordinate when and how they are terminated A single pod can have multiple containers A single pod can have multiple containers of the same kind to scale up. It is recommended to always use multi-container pods to improve performance of applications.

Multi-container Pods can share resources and dependencies, communicate with one another, and coordinate when and how they are terminated A single pod can have multiple containers

What is the command to deploy a nginx pod? kubectl deploy nginx --image nginx kubectl run nginx --image nginx kubectl start -it nginx bash kubelet run nginx --image nginx

kubectl run nginx --image nginx

What is the command to list all the pods that are in a default namespace? Select all the answers that apply. kubectl list pods -n default kubectl get pods kubectl list pods kubectl get pods -n default

kubectl get pods kubectl get pods -n default

Which of the following statement is correct? Select all the answers that apply. Pods can only be created via kubectl commands Pods can be created with kubectl commands as well as via API calls. Pods can only be created via API calls. None of the above

Pods can be created with kubectl commands as well as via API calls.

What is the command to check which nodes are the pods placed on? Select all the answers that apply. kubectl get pods kubectl get pods -o wide kubectl describe pod kubectl get nodes

kubectl get pods -o wide kubectl describe pod

What is the command to delete the pod? kubectl pod delete kubectl delete kubectl delete pod kubectl pod --delete

kubectl delete pod

What are the possible ways to update the pod image? Select all the answers that apply. You cannot update a pod image once a pod is created. Update the pod-definition file and use kubectl apply command. Use kubectl edit pod command and specify the new image None of the above

Update the pod-definition file and use kubectl apply command. Use kubectl edit pod command and specify the new image

What are the 4 top level fields a Kubernetes definition file for POD contains? apiVersion templates metadata labels kind spec namespaces containers

apiVersion metadata kind spec

What is the command to create a pod with the pod-definition.yaml file? kubectl run -f pod-definition.yaml kubectl pod -f pod-definition.yaml kubectl create -f pod-definition.yaml kubectl apply -f pod-definition.yaml

kubectl create -f pod-definition.yaml kubectl apply -f pod-definition.yaml

How do you specify image names in a pod definition YAML file? containers. image spec. containers.image template. containers.image kind. containers.image

spec.containers.image

How do you add labels to a pod in a pod definition YAML file? labels spec. labels spec. containers.labels metadata. labels

metadata.labels

What is the command to delete a pod via a pod-definition file? kubectl remove -f pod-definition.yaml kubectl rm -f pod-definition.yaml kubectl delete -f pod-definition.yaml kubectl del -f pod-definition.yaml

kubectl delete -f pod-definition.yaml

Inspect the below pod-definition file and answer the following questions: ``` apiVersion: v1 kind: Pod metadata: name: myapp-pod labels: app: myapp spec: containers: - name: nginx-container image: nginx - name: agent image: agent ``` How many containers are created when this pod is created? 1 2 3 4

``` apiVersion: v1 kind: Pod metadata: name: myapp-pod labels: app: myapp spec: containers: - name: nginx-container image: nginx - name: agent image: agent ``` How many IP addresses are consumed by the pod when it’s created? 1 2 3 4

The label selector is the core grouping primitive in Kubernetes. What kind of selectors are supported? Equality-Based Value-Based Operator-Based Set-Based

Equality-Based Set-Based

A ReplicaSet is one of the Kubernetes controllers? True False

True

Which statements best describe replication controllers and replica sets? Select all answers that apply. Replication Controller is the older technology that is being replaced by a ReplicaSet. There is no difference between Replication controller and ReplicaSet. The replication controller supports equality based selectors whereas the replica set supports equality based as well as set based selectors. ReplicaSet is the new way to set up replication.

Replication Controller is the older technology that is being replaced by a ReplicaSet. The replication controller supports equality based selectors whereas the replica set supports equality based as well as set based selectors. ReplicaSet is the new way to set up replication.

Which of the following commands are used to list all the ReplicaSets? Select all the answers that apply. kubectl get services kubectl get rs kubectl get replicaset kubectl get pods

kubectl get rs kubectl get replicaset

What is a Label in Kubernetes? A way to expose traffic A type of Deployment A way to group related things using key/value pairs None of the above

A way to group related things using key/value pairs

What is the command to list all the labels of a ReplicaSet? kubectl get rs --show-labels kubectl get rs --labels kubectl get rs -l kubectl get rs --details

kubectl get rs --show-labels

What is the command to delete a replication controller nginx? kubectl get rc nginx kubectl remove rc nginx kubectl rm rc nginx kubectl delete rc nginx

kubectl delete rc nginx

What is the command to delete a ReplicaSets triage? kubectl get rs triage kubectl remove rs triage kubectl rm rs triage kubectl delete rs triage

kubectl delete rs triage

How do you scale replica sets? Select all the answers that apply. Update the number of replicas in the replicaset-definition.yaml definition file and apply. Update using the kubectl scale command. Delete and recreate a replica set. Create a new replica set with the desired number of pods and delete the old replica set.

Update the number of replicas in the replicaset-definition.yaml definition file and apply. Update using the kubectl scale command.

You are required to deploy an application in the form of containers that can easily scale up or down and supports upgrade of applications by maintaining information about different revisions. What is the recommended approach to deploying the application? Create a POD Create a ReplicaSet Create a Replication Controller Create a Deployment

Create a Deployment

What command would you use to create a Deployment? Select the correct answer kubectl get deployments kubectl get nodes kubectl create kubectl run

kubectl create

What is the flag that you use along with "kubectl create" to scale a deployment in Kubernetes? - -image - -label - -replicas - -scale

--replicas

What is the command to get the list of deployments. Select all the answers that apply. kubectl get deploy kubectl get deployment kubectl get deployments kubectl get deployments.apps

kubectl get deploy kubectl get deployment kubectl get deployments kubectl get deployments.apps

What is the command to create the deployment using the deployment definition file? kubectl deployment -f deploy-definition.yaml kubectl create -f deploy-definition.yaml kubectl deploy -f deploy-definition.yaml kubectl get -f deploy-definition.yaml

kubectl create -f deploy-definition.yaml

Which of the following subcommands of kubectl can be used to get additional details of an object? kubectl details kubectl info kubectl check kubectl describe

kubectl describe

What is the command to delete a deployment? kubectl deployment delete deployment-name kubectl delete deployment deployment-name kubectl deployment-name delete deployment kubectl deployment-name deployment delete

kubectl delete deployment deployment-name

Which statement best describes deployment in Kubernetes? Select all the answers that apply. Deployments create PODs and not ReplicaSets. Deployments create ReplicaSets that create PODs. Deployments support rolling updates and roll backs of applications. Deployments support rolling updates but not roll backs.

Deployments create ReplicaSets that create PODs. Deployments support rolling updates and roll backs of applications.

Which of the following statements about Kubernetes deployments are correct? You describe a desired state in a Deployment, and the Deployment Controller changes the actual state to the desired state at a controlled rate. You can define Deployments to create new ReplicaSets, or to remove existing Deployments and adopt all their resources with new Deployments. You may manually update the ReplicaSets owned by a Deployment. You should not manually update the ReplicaSets owned by a Deployment.

You describe a desired state in a Deployment, and the Deployment Controller changes the actual state to the desired state at a controlled rate. You can define Deployments to create new ReplicaSets, or to remove existing Deployments and adopt all their resources with new Deployments. You should not manually update the ReplicaSets owned by a Deployment.

What is the command to update the deployment in Kubernetes? Let’s update the nginx Pods to use the nginx:1.16.1 image instead of the nginx:1.14.2 image. kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1 kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1 kubectl set --image=deployment/nginx-deployment nginx=nginx:1.16.1 kubectl edit deployment.v1.apps/nginx-deployment

kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1 kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1 kubectl edit deployment.v1.apps/nginx-deployment

Where do you configure the selector labels in the deployment YAML file? metadata. selector spec. selector spec. template.selector spec. template.metadata.selector

spec.selector

Where do you configure the pod images in the deployment YAML file? metadata. image spec. containers.image spec. template.spec.containers.image spec. template.containers.image

spec.template.spec.containers.image

Rolling updates allows deployments to update with zero downtime ? True False

True

What is the apiVersion for Kubernetes deployment? v1 apps/v1 app/v1 apps/v

apps/v1

What kubectl command can be used to perform a Deployment update? kubectl set image kubectl rollout update kubectl rolling-update kubectl update

kubectl set image

What is the command to check the status of a deployment rollout named nginx-deploy? kubectl rollout status deployment/nginx-deploy kubectl rollout undo deployment/nginx-deploy kubectl rollout update deployment/nginx-deploy kubectl deployment status nginx-deploy

kubectl rollout status deployment/nginx-deploy

What is the command used to rollback to the previous deployment? kubectl set image kubectl rollout undo kubectl rollout status kubectl rollout start

kubectl rollout undo

What is the command used to view previous rollout revisions and configurations? kubectl rollout status kubectl rollout history kubectl rollout undo kubectl rollout pause

kubectl rollout history

You performed an upgrade of images on a deployment recently. You’d like to check what command was run during the last update. However the output of the rollout history command does not show the command. What may be the cause? The upgrade was done using a kubectl apply command The command run to upgrade did not use the –record flag. The kubectl set command was used to perform the upgrade The API server was down when the upgrade was performed

The command run to upgrade did not use the –record flag.

Which of the following are the deployment strategy types in Kubernetes? RollingUpdate BlueGreen Canary Recreate

RollingUpdate Recreate

Which of the following is the default deployment strategy in Kubernetes deployments? Recreate RollingUpdate Redeploy BlueGreen

RollingUpdate

If .spec.strategy.type is set to Recreate, then all existing pods are killed before new ones are created. True False

True

If .spec.strategy.type is set to RollingUpdate, then all new PODs are created first and then all existing pods are killed at once. True False

False

``` apiVersion: apps/v1 kind: Deployment metadata: name: web-application labels: app: web spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.14.2 ports: - containerPort: 80 - name: logger image: log-agent:1.2 - name: monitor image: monitor-agent:1.0 ``` This is an invalid configuration because the selector matchLabel nginx does not match the label web set on the deployment This is an invalid configuration because there are more than 1 containers configured in the template This is an invalid configuration because the selector field must come under the template section and not directly under spec This is an invalid configuration because the API version is not set correctly This is a valid configuration

This is a valid configuration

Each container inside a POD gets its own IP address assigned.

False

How many IP addresses are consumed by 3 PODs each with 2 containers? 3 6 2 9

Which of the following are valid service types in Kubernetes? NodePort ClusterIP LoadBalancer ExternalName ElasticLoadBalancer

NodePort ClusterIP LoadBalancer ExternalName

What is the command to list the Kubernetes services? Select all the answers that apply. kubectl get svc kubectl list services kubectl get services kubectl list svc

kubectl get svc kubectl get services

What is the command to delete a Kubernetes service? kubectl delete svc SERVICE-NAME kubectl rm service SERVICE-NAME kubectl del services SERVICE-NAME kubectl delete services SERVICE-NAME

kubectl delete svc SERVICE-NAME kubectl delete services SERVICE-NAME

Which of the following statements are correct about NodePort? Select all the answers that apply. NodePort exposes a service on the same port as that of the exposed port on containers in the PODs. NodePort exposes a service internally within the hosts only. NodePort exposes a service to make it externally accessible on a port on the nodes. None of the Above

NodePort exposes a service to make it externally accessible on a port on the nodes.

If the service type is NodePort, then Kubernetes will allocate a port on every worker node. . True False

True

What is the default range of ports that Kubernetes uses for NodePort if one is not specified? 32767-64000 30000-32767 32000-32767 80-8080

30000-32767

A NodePort service exposes a deployment only on the nodes on which the PODs of that deployment are running. True False

False

An application has 2 tiers – a web service that must be externally accessible to users and a database service that must be accessible within the cluster only. What service types should be configured? Web – NodePort, Database – LoadBalancer Web – ClusterIP, Database – ClusterIP Web – NodePort, Database – ClusterIP Web – ClusterIP, Database – NodePort

Web – NodePort, Database – ClusterIP

ClusterIP is the default service type for Kubernetes service. True False

True

``` apiVersion: v1 kind: Service metadata: name: web-service labels: obj: web-service app: web spec: selector: app: web type: NodePort ports: - protocol: TCP port: 80 targetPort: 9376 nodePort: 39376 ``` For this service to discover the web service, what must be the label set on the PODs hosting the web service? obj: web-service app: web app: web-service obj: web

app:web

9376

``` apiVersion: v1 kind: Service metadata: name: web-service labels: obj: web-service app: web spec: selector: app: web type: NodePort ports: - protocol: TCP port: 80 targetPort: 9376 nodePort: 39376 ``` A user is trying to access the application using the Nodes IP and Port number. What port must the user try to connect to? 80 9376 8080 39376

39376

``` apiVersion: v1 kind: Service metadata: name: web-service labels: obj: web-service app: web spec: selector: app: web type: NodePort ports: - protocol: TCP port: 80 targetPort: 9376 nodePort: 39376 ``` Which of the below statements are correct? Traffic to port 39376 on the node hosting the pod in the cluster is routed to port 9376 on a POD with the label app web on the same node Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web Traffic to port 80 on the node is routed to port 9376 on the service

Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web

Which of the following statements is true about configuring commands and arguments in Kubernetes? Select all the answers that apply. To define a command, include the command field in the configuration file. To define a command, include the args field in the configuration file. To define arguments for the command, include the command field in the configuration file. To define arguments for the command, include the args field in the configuration file.

To define a command, include the command field in the configuration file. To define arguments for the command, include the args field in the configuration file.

The command and arguments that you define in the configuration file override the default command and arguments configured in the container image. True False

True

Which field of Kubernetes pod definition file corresponds to the entrypoint instruction in the Dockerfile? ENTRYPOINT instruction in Dockerfile corresponds to command in kubernetes definition file ENTRYPOINT instruction in Dockerfile corresponds to args in kubernetes definition file CMD instruction in Dockerfile corresponds to args in kubernetes definition file CMD instruction in Dockerfile corresponds to command in kubernetes definition file

ENTRYPOINT instruction in Dockerfile corresponds to command in kubernetes definition file CMD instruction in Dockerfile corresponds to args in kubernetes definition file

How do you set environment variables in a pod definition file? Using environment section Using env section Using env_var section Using variables section

Using env section

Which of the following flags can be used to pass an environment variable while creating a pod with docker run command? docker run --environment APP_COLOR=pink simple-webapp-color docker run --env APP_COLOR=pink simple-webapp-color docker run -e APP_COLOR=pink simple-webapp-color docker run -v APP_COLOR=pink simple-webapp-color

docker run --env APP_COLOR=pink simple-webapp-color docker run -e APP_COLOR=pink simple-webapp-color

What are the different ways of setting up environment variables in Kubernetes? Select all the answers that apply. plain key-value pair configmap from disk secrets

plain key-value pair configmap secrets

Where is the env instruction set in a Kubernetes pod definition file? spec. containers.env spec. env spec. template.spec.env spec. template.env

spec.containers.env

Which of the below are valid instructions to set environment variables in a Dockerfile? ENVIRONMENT name=value ENV name=value ENV name value VAR name value

ENV name=value ENV name value

What is the command to create config maps? Select all the answers that apply. kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2 kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env kubectl create configmap CONFIGMAP-NAME --file=/tmp/env kubectl create configmap CONFIGMAP-NAME --literal=KEY1=VALUE1 KEY2=VALUE2

kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2 kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env

What is the command to list configmaps? Select all the answers that apply. kubectl get pods kubectl get cm kubectl get configmap kubectl get maps

kubectl get cm kubectl get configmap

What is the command to display details of the ConfigMap? kubectl get configmap CONFIGMAP-NAME kubectl describe configmap CONFIGMAP-NAME kubectl list configmap CONFIGMAP-NAME kubectl get configmap CONFIGMAP-NAME --details

kubectl describe configmap CONFIGMAP-NAME

You can pass in the --from-file argument multiple times to create a ConfigMap from multiple data sources. True False

True

What is the flag that we can use to define a literal value from the command line? - -env - -from-literal - -literal - -text

--from-literal

Which statements best describe configmaps? ConfigMap is an API object mainly used to store confidential data in key-value pairs. ConfigMap is an API object mainly used to store non-confidential data in key-value pairs. Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume. ConfigMap provides secrecy or encryption

ConfigMap is an API object mainly used to store non-confidential data in key-value pairs. Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume.

How do you inject configmap into a pod? Using envFrom and configMapRef Using env and configMapRef Using envFrom and configMap Using env and configMap

Using envFrom and configMapRef

Where do you configure the configMapKeyRef in a pod to use environment variables defined in a ConfigMap? spec. containers.env spec. env.valueFrom spec. containers.valueFrom spec. containers.env.valueFrom

spec.containers.env.valueFrom

What is the recommended approach to load a set of configurations into the pod in the form of a file to /var/configs? Add a separate env parameter for each config and use a startup script to write to a file Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs Create a ConfigMap with the required configurations, configure it as an env variable in the pod definition file and use a startup script to write to a file

Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs

What is the command to list the Kubernetes secrets? kubectl list secrets kubectl get secrets kubectl secrets kubectl secrets --list

kubectl get secrets

What is the command to display details of the secret? kubectl get secret SECRET-NAME kubectl describe secret SECRET-NAME kubectl list secret SECRET-NAME kubectl get secret SECRET-NAME --details

kubectl describe secret SECRET-NAME

What is the command to create a secret using the "kubectl create secret" command? kubectl create secret test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb' kubectl create secret opaque test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb' kubectl create secret credentials test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb' kubectl create secret generic test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'

kubectl create secret generic test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'

How do you configure all key-value pairs in a Secret as container environment variables? env.secreRef envFrom.secret envFrom.secretRef envFrom.secretRefKey

envFrom.secretRef

Which statements best describe Kubernetes secrets? Kubernetes secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer. Users can create Secrets and the system also creates some Secrets. It is safe to check in secrets into source code repositories.

Kubernetes secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer. Users can create Secrets and the system also creates some Secrets.

Secrets store sensitive information in an encrypted format. True False

False

You can pass in the --from-file argument multiple times to create a secret from multiple data sources. True False

True

what is the default Secret type if omitted from a Secret configuration file? kubernetes. io/tls kubernetes. io/ssh-auth Opaque kubernetes.io/dockercfg

Opaque

To define a command, include the command field in the configuration file. To define arguments for the command, include the args field in the configuration file.

The command and arguments that you define in the configuration file override the default command and arguments configured in the container image. True False

True

ENTRYPOINT instruction in Dockerfile corresponds to command in kubernetes definition file CMD instruction in Dockerfile corresponds to args in kubernetes definition file

How do you set environment variables in a pod definition file? Using environment section Using env section Using env_var section Using variables section

Using env section

docker run --env APP_COLOR=pink simple-webapp-color docker run -e APP_COLOR=pink simple-webapp-color

What are the different ways of setting up environment variables in Kubernetes? Select all the answers that apply. plain key-value pair configmap from disk secrets

plain key-value pair configmap secrets

Where is the env instruction set in a Kubernetes pod definition file? spec. containers.env spec. env spec. template.spec.env spec. template.env

spec.containers.env

Which of the below are valid instructions to set environment variables in a Dockerfile? ENVIRONMENT name=value ENV name=value ENV name value VAR name value

ENV name=value ENV name value

kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2 kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env

What is the command to list configmaps? Select all the answers that apply. kubectl get pods kubectl get cm kubectl get configmap kubectl get maps

kubectl get cm kubectl get configmap

kubectl describe configmap CONFIGMAP-NAME

You can pass in the --from-file argument multiple times to create a ConfigMap from multiple data sources. True False

True

What is the flag that we can use to define a literal value from the command line? - -env - -from-literal - -literal - -text

--from-literal

How do you inject configmap into a pod? Using envFrom and configMapRef Using env and configMapRef Using envFrom and configMap Using env and configMap

Using envFrom and configMapRef

spec.containers.env.valueFrom

Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs

What is the command to list the Kubernetes secrets? kubectl list secrets kubectl get secrets kubectl secrets kubectl secrets --list

kubectl get secrets

What is the command to display details of the secret? kubectl get secret SECRET-NAME kubectl describe secret SECRET-NAME kubectl list secret SECRET-NAME kubectl get secret SECRET-NAME --details

kubectl describe secret SECRET-NAME

kubectl create secret generic test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'

How do you configure all key-value pairs in a Secret as container environment variables? env.secreRef envFrom.secret envFrom.secretRef envFrom.secretRefKey

envFrom.secretRef

Secrets store sensitive information in an encrypted format. True False

False

You can pass in the --from-file argument multiple times to create a secret from multiple data sources. True False

True

what is the default Secret type if omitted from a Secret configuration file? kubernetes. io/tls kubernetes. io/ssh-auth Opaque kubernetes.io/dockercfg

Opaque

Which statement best describes the readiness probe? The kubelet uses readiness probes to know when a container is ready to start accepting traffic. The kubelet uses readiness probes to know when to restart a container The readiness probes run on the container during it's entire lifecycle.

The kubelet uses readiness probes to know when a container is ready to start accepting traffic. The readiness probes run on the container during it's entire lifecycle.

Readiness probes are configured similarly to liveness probes. The only difference is that you use the readinessProbe field instead of the livenessProbe field. True False

True

What are the different types of probes? Command HTTP TCP CURL

Command HTTP TCP

If a readiness probe starts to fail, Kubernetes stops sending traffic to the pod until it passes. True False

True

The kubelet uses liveness probes to know when a container is ready to start accepting traffic. True False

False

Which statement best describes the liveness probe? The kubelet uses liveness probes to know when a container is ready to start accepting traffic. The kubelet uses liveness probes to know when to restart a container The liveness probes may be configured with an HTTP test to check if a container is live. The liveness probe runs before the readiness probe is run on the container

The kubelet uses liveness probes to know when to restart a container The liveness probes may be configured with an HTTP test to check if a container is live.

Which of the following would be the result/state of a probe? Select the all right answers SUCCESS FAILURE UNKNOWN PENDING

SUCCESS FAILURE UNKNOWN

If a Container does not provide a liveness probe, the default state is Failure. True False

False

If the liveness probe fails, the kubelet kills the container, and the container is subjected to its restart policy. True False

True

Liveness probes let Kubernetes know if your app is alive or stuck/dead. True False

True

The traffic from a web server fetching data from a database server may be categorized as Ingress Egress

Egress

Which of the following solutions support network policies? kube-router Calico Flannel Weave-Net

kube-router Calico Weave-net

Which of the following statements best describes Kubernetes network policies? If you want to control traffic flow at the IP address or port level, then you might consider using Kubernetes NetworkPolicies. NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network "entities" over the network Network Policies are implemented by the network plugin Pods become isolated by having a NetworkPolicy that selects them

If you want to control traffic flow at the IP address or port level, then you might consider using Kubernetes NetworkPolicies. NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network "entities" over the network Network Policies are implemented by the network plugin Pods become isolated by having a NetworkPolicy that selects them

Kubernetes Network Policies can control traffic flow at the OSI layer 3 or 4. True False

True

By default, pods are isolated; they block traffic from any source. True False

False

What is the default traffic flow configuration between pods in a Kubernetes cluster? All traffic is allowed between different pods in the cluster All traffic is denied between different pods in the cluster Traffic between different pods must be explicitly allowed using rules

All traffic is allowed between different pods in the cluster

Which among the following statements are true without any change made to the default behaviour of network policies in the namespace? As soon as a network policy is associated with a POD traffic between all PODs in the namespace is denied As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except allowed by the network policy As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are allowed except for the the ones blocked by the network polic

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except allowed by the network policy

Which statement best describes docker volume plugin? Docker Engine volume plugins enables Engine deployments to be integrated with external storage systems such as Amazon EBS The local volume plugin helps to create a volume on Docker host and store its data under the /var/lib/docker/volumes/ directory. ZFS, BTRFS and Device Mapper are some of the supported volume drivers Volume plugins should not write data to the /var/lib/docker/ directory, including /var/lib/docker/volumes.

Docker Engine volume plugins enables Engine deployments to be integrated with external storage systems such as Amazon EBS The local volume plugin helps to create a volume on Docker host and store its data under the /var/lib/docker/volumes/ directory. Volume plugins should not write data to the /var/lib/docker/ directory, including /var/lib/docker/volumes.

Which of the following is the default volume driver plugin used in Kubernetes? BlockBridge local DRBD Flocker

local

What are the types of volumes that Kubernetes supports? hostPath configMap emptyDir local

hostPath configMap emptyDir local

Which statements best describe emptyDir volume type? An emptyDir volume is first created when a Pod is assigned to a node, and still exists after a pod termination. An emptyDir volume is first created when a Pod is assigned to a node, and exists as long as that Pod is running on that node. The emptyDir volume is initially empty When a Pod is removed from a node for any reason, the data in the emptyDir is deleted permanently

An emptyDir volume is first created when a Pod is assigned to a node, and exists as long as that Pod is running on that node. The emptyDir volume is initially empty When a Pod is removed from a node for any reason, the data in the emptyDir is deleted permanently

Which statements best describe hostPath volume type? A hostPath volume mounts a file or directory from the host node's file system into your Pod. Running a container that needs access to Docker internals, use a hostPath of /var/lib/docker You either need to run your process as root in a privileged Container or modify the file permissions on the host to be able to write to a hostPath The hostPath volume type is initially empty

You either need to run your process as root in a privileged Container or modify the file permissions on the host to be able to write to a hostPath

Which statements best describe Persistent Volume in Kubernetes? A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class It is a resource in the cluster just like a node is a cluster resource. PVs are volume plugins like Volumes PVs are not volume plugins

A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class It is a resource in the cluster just like a node is a cluster resource. PVs are volume plugins like Volumes

A Persistent Volume is a cluster-wide pool of storage volumes. True False

True

What is the command to list the persistent volumes? kubectl list pv kubectl get pv kubectl get persistentvolume kubectl list persistentvolume

kubectl get pv kubectl get persistentvolume

What is the command to delete the persistent volumes? kubectl delete pv PV-NAME kubectl del pv PV-NAME kubectl rm pv PV-NAME kubectl erase pv PV-NAME

kubectl delete pv PV-NAME

What is the status of a volume after it is created but not yet bound to a claim? Available Bound Released Failed

Available

What is the status of a volume when it is associated with a claim? Available Bound Released Failed

Bound

What are the different access modes configurable on a persistent volume? ReadOnlyMany ReadWrite ReadWriteMany ReadOnly ReadWriteOnce

ReadOnlyMany ReadWriteMany ReadWriteOnce

Once the Persistent Volume Claim is created, you need to manually bind the persistent volumes to claim. True False

False

Which statements best describe a PersistentVolumeClaim? A PersistentVolumeClaim (PVC) is a request for storage by a user. A PVC will be automatically bound to a PV on creation when a PV is available Claims can request specific size and access modes A PVC will not automatically bound to a PV on creation of a PV

A PersistentVolumeClaim (PVC) is a request for storage by a user. A PVC will be automatically bound to a PV on creation when a PV is available Claims can request specific size and access modes

A PV of 100 GB is in an available state. A PVC with a requirement of 50 GB storage is created. What would happen if there are no other PVs or PVCs created? The PVC would bind to the PV with 100 GB The PVC will be in a pending state as there is no PV with the same amount of storage

The PVC would bind to the PV with 100 GB

What happens to the PV by default when the associated PVC is deleted? The PV is deleted automatically. The PV is left as is until it is manually deleted by an administrator The data in the PV is scrubbed and the PV is made available for other PVCs

The PV is left as is until it is manually deleted by an administrator

Which statement best describes a Kubernetes Storage Class? A StorageClass provides a way for administrators to describe the "classes" of storage they offer Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy. Any user can set the name and other parameters of a class when first creating StorageClass objects The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.

A StorageClass provides a way for administrators to describe the "classes" of storage they offer Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy. The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.

What is the kubectl command to list the storage classes in kubectl? kubectl list sc kubectl get sc kubectl get storageclass kubectl list storageclass

kubectl get sc | kubectl get storageclass

What is the sequence of operations to be followed while configuring a storage class for an application? Create a storage class with a provisioner, create a persistent volume with definition using the storage class, create a PVC and then use the PVC in the volumes section in the pod definition file Create a storage class with a provisioner, create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file Create a storage class, and use it directly in the volumes section in the pod definition file

Create a storage class with a provisioner, create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file

A ReplicaSet is one of the Kubernetes controllers? True False

True

What is a Label in Kubernetes? A way to expose traffic A type of Deployment A way to group related things using key/value pairs None of the above

A way to group related things using key/value pairs

What is the command to delete a replication controller nginx? kubectl get rc nginx kubectl remove rc nginx kubectl rm rc nginx kubectl delete rc nginx

kubectl delete rc nginx

What is the flag that you use along with the kubectl create command to deploy multiple instances of an application in Kubernetes? - -image - -label - -replicas - -scale

--replicas

Where do you configure the selector labels in the deployment YAML file? metadata. selector spec. selector spec. template.selector spec. template.metadata.selector

spec.selector

How do you add labels to a pod in a pod definition YAML file? labels spec. labels spec. containers.labels metadata. labels

metadata.labels

What are the 4 top level fields of a Kubernetes definition file for ConfigMap? apiVersion templates metadata data kind spec containers

apiVersion metadata data kind

What is the command to delete the pod busybox? kubectl pod delete busybox kubectl delete busybox kubectl delete pod/busybox kubectl pod busybox --delete

kubectl delete pod/busybox

What is the command to deploy a pod with the name jenkins and image jenkins? kubectl deploy jenkins --image jenkins kubectl run jenkins --image jenkins kubectl start -it jenkins sh kubelet run jenkins --image jenkins

kubectl run jenkins --image jenkins

Which of the following are the container runtimes that Kubernetes supports? Docker Containerd CRI-O LXC

Docker Containerd CRI-O

What is a component of the Kubernetes control plane that allows external users or services to manage the Kubernetes cluster? Kubernetes Scheduler ETCDCTL Kube API Server Kube Proxy

Kube API Server

Which of the following are components deployed only on a Master Node in a Kubernetes cluster? Kube Scheduler Kube Controller Manager Kube Api-server Kubelet Kube-Proxy

Kube Scheduler Kube Controller Manager Kube Api-server

ETCD by default listens on port 2780. True False

False

kubelet and container runtime are the worker node components kube-proxy is one of the worker node component

Which of the below are the container orchestration tools? Kubernetes Docker Swarm Google Compute Engine Apache Mesos ETCD

Kubernetes Docker Swarm Apache Mesos

What is the command to list all the pods that are in a netpol namespace? Select all the answers that apply. kubectl list pods -n netpol kubectl get pods kubectl list pods -n netpol kubectl get pods -n netpol

kubectl get pods -n netpol

Deployments create ReplicaSets that create PODs. Deployments support rolling updates and roll backs of applications.

Where do you configure the pod images in the deployment YAML file? metadata. image spec. containers.image spec. template.spec.containers.image spec. template.containers.image

spec.template.spec.containers.image

What kubectl command can be used to perform a Deployment update? kubectl set image kubectl rollout update kubectl rolling-update kubectl update

kubectl set image

Which of the following are the deployment strategy types in Kubernetes? RollingUpdate BlueGreen Canary Recreate

RollingUpdate Recreate

Each container inside a POD does not get its own IP address assigned. All containers inside a POD share a single IP address. True False

True

Which among the following statements are true without any change made to the default behaviour of network policies in the namespace? As soon as a network policy is associated with a POD traffic between all PODs in the namespace is denied As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except those allowed by the network policy As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are allowed except for the the ones blocked by the network policy

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except those allowed by the network policy

Which of the following statements are correct about ClusterIP? ClusterIP exposes a service on the same port as that of the exposed port on containers in the PODs. ClusterIP exposes a service internally within the hosts only. ClusterIP exposes a service to make it externally accessible on a port on the nodes. None of the Above

ClusterIP exposes a service internally within the hosts only.

The command and arguments that you define in the Kubernetes definition file override the default command and arguments configured in the container image. True False

True

How do you set environment variables in a pod definition file? Using environment section Using env section Using env_var section Using variables section

Using the env section

Which command is used to make some changes into the already existing PersistentVolumeClaim mysql-pvc? kubectl describe pvc mysql-pvc kubectl get pvc mysql-pvc kubectl pvc edit mysql-pvc kubectl edit persistentvolumeclaim mysql-pvc

kubectl edit persistentvolumeclaim mysql-pvc

What is the command to display details of the secret user-list? kubectl get secret user-list kubectl describe secret user-list kubectl list secret user-list kubectl get secret user-list --details

kubectl describe secret user-list

What is the command to list configmaps? Select all the answers that apply. kubectl get pods kubectl get cm kubectl get configmap kubectl get maps

kubectl get cm kubectl get configmap

You can pass in the --from-file argument multiple times to create a ConfigMap from multiple data sources. True False

True

Which statement best describes the readiness probe? The kubelet uses readiness probes to know when a container is ready to start accepting traffic. The kubelet uses readiness probes to know when to restart a container The Readiness probes run on the container during its whole lifecycle. All of the above

The kubelet uses readiness probes to know when a container is ready to start accepting traffic. The Readiness probes run on the container during its whole lifecycle.

The kubelet uses liveness probes to know when a container is ready to start accepting traffic. True False

False

Liveness probes let Kubernetes know if your app is alive or stuck/dead. True False

True

Which of the following statements best describes Kubernetes network policies? Consider using Kubernetes NetworkPolicies if you want to control traffic flow at the IP address or port level. NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network "entities" over the network Network Policies are implemented by the Kubernetes NetworkPolicy Controller All of the above

Consider using Kubernetes NetworkPolicies if you want to control traffic flow at the IP address or port level. NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network "entities" over the network

Which service type is used to expose applications outside the Kubernetes cluster? NodePort ClusterIP ExternalName ElasticLoadBalancer

NodePort

If .spec.strategy.type is set to RollingUpdate, then all new PODs are created first and then all existing pods are killed at once. True False

False

Which kubectl command is used to display more details of the storage classes? kubectl list sc kubectl info sc kubectl describe storageclass kubectl list storageclass

kubectl describe storageclass

Which of the following is not backed up when performing a Docker Trusted Registry (DTR) metadata backup? - Repository metadata - DTR configurations - Docker images - Role-based access control (RBAC) settings

Docker images A DTR metadata backup does not include the images themselves.

Which of the following commands will ensure that a container uses a maximum of 1 GB of active memory? docker run --memory-swap 2G nginx docker run --memory 1G nginx docker run --memory-reservation 1G nginx docker run --memory-swap 2G --memory-reservation 1G nginx

docker run --memory 1G nginx

We have set a value for "log-level" in /etc/docker/daemon.json. How would we set up the same value by passing a flag to dockerd instead? Pass the --debug flag to dockerd. Pass the --log flag to dockerd. Pass the --log-level flag to dockerd. Pass the --logging flag to dockerd.

Pass the --log-level flag to dockerd The dockerd flags share the same names as the values set in /etc/docker/daemon.json

Dave needs Docker to use a custom stop signal for halting his software. How can he build an image that will instruct Docker on which stop signal to use? - Dave should use the STOPSIGNAL directive - Dave should locate the process and kill it manually - Dave should use the STOP directive - Dave should use the docker stop command.

- Dave should use the STOPSIGNAL directive The STOPSIGNAL directive instructs Docker on which stop signal to use for halting a container process.

How is the ADD directive different from COPY? (Choose two) - The ADD directive can extract an archive into the image. - The ADD directive can pull a file from an external URL. - The ADD directive can transfer a specific file between build stages. - The ADD directive can transfer files over to a specific location inside the image

- The ADD directive can extract an archive into the image. "The add directive can extract archives while the COPY command cannot" - The ADD directive can pull a file from an external URL. "The ADD directive can pull from a URL while COPY cannot"

What does the HEALTHCHECK directive do? It sets a command that will be used by the Docker daemon to determine whether the container is healthy. The HEALTHCHECK directive sets a command that is used to determine container health. It sets a command that will be used to fix the container if it becomes unhealthy. It restarts the container if it becomes unhealthy. It sets a command that will be used to inform the container of the health status of the docker daemon.

- It sets a command that will be used by the Docker daemon to determine whether the container is healthy. "The HEALTHCHECK directive sets a command that is used to determine container health."

How would we go about keeping track of changes made to an image in source control (i.e., git)? We would use Docker Trusted Registry (DTR) to handle this. We would push the image layers to a source control repository. Maintain tags for each new version within the Docker registry. We would store the Dockerfile in source control.

- We would store the Dockerfile in source control. "We can keep the Dockerfile in source control to track any changes made to the Dockerfile."

What would be the runtime working directory of a container built from the following Dockerfile? FROM alpine WORKDIR /x WORKDIR /y WORKDIR z CMD pwd - /z - / - /x /y/z

/y/z This would be the runtime working directory because WORKDIR /y sets up an absolute directory, and then WORKDIR z sets the directory relative to /y.

How can we flatten an existing multi-layered image into a single layer? We can use a multi-stage build. We can use the --flatten flag with the docker build command. We would not include any RUN directives in our Dockerfile. We can run a container from the image, export it, and then import it as a new image.

- We can run a container from the image, export it, and then import it as a new image. "This procedure will flatten an image into a single layer."

A Kubernetes ClusterIP service called user-db exists in the auth-gateway namespace. The user-db Service's cluster IP is 10.23.254.63. Which of the following addresses could be used to communicate with this service from a pod located in the default namespace? 10-23-254-63.auth-gateway.pod.cluster.local 10.23.254.63 The Service's cluster IP address can be used to communicate with the Service from anywhere within the cluster. user-db The shortened domain name can only be used to reach the Service from within the same Namespace. Selected user-db.auth-gateway.svc.cluster.local The Service's fully-qualified domain name can be used to locate the Service, even from another Namespace.

- 10.23.254.63 "The Service's cluster IP address can be used to communicate with the Service from anywhere within the cluster." - user-db.auth-gateway.svc.cluster.local "The Service's fully-qualified domain name can be used to locate the Service, even from another Namespace."

Daniel has some nodes with labels that specify the availability zone of each node. He wants to run a service that can run tasks on any node and that do not have the label availability_zone=east. Which command should he use? docker service create --placement-pref node.labels.availability_zone==west nginx docker service create --constraint node.labels.availability_zone!=east nginx docker service create --label node.labels.availability_zone!=east nginx docker service create --constraint node.labels.availability_zone==west nginx

docker service create --constraint node.labels.availability_zone!=east nginx "This command will prevent the service's tasks from running on nodes with the availability_zone==east label."

What command would we use to locate the layered file system data for an image on a machine? docker image layers docker image inspect docker layer inspect docker pull history

docker image inspect The docker image inspect command will return the image metadata, including the location of the layered file system data.

How can we use multi-stage builds to generate small, efficient Docker images? We can leverage the implementation of multi-stage builds, which will shorten the build processing times. We can copy only specific files from previous stages so that we can keep the image as small as possible. We can build the image, and then run diagnostics on it in a separate stage to make it more efficient. We can use separate build stages to delete files from the image.

- We can copy only specific files from previous stages so that we can keep the image as small as possible. "This is the primary use case for multi-stage builds."

What is the primary purpose of a Docker registry? It stores and organizes Dockerfiles. It builds images. It provides a central location for storing and distributing images. Scan images for vulnerabilities.

- It provides a central location for storing and distributing images. "This is what a Docker registry does."

What tool should we use if we need to manage a multi-container application as a unit on a single Docker host? We should use Docker Compose. We should use Docker Swarm. We should use a Docker stack. We should execute docker-run.

- We should use Docker Compose. "Docker Compose allows us to manage complex, multi-container applications on a single host."

Eric has an application that consists of multiple different containers that interact with one another. What should he use to manage this application in a Docker Swarm? Eric should use docker-compose. Eric should use a service with multiple tasks. Eric should use a task. Eric should use a stack.

- Eric should use a stack. "Docker stacks are designed for managing multi-container applications in a swarm."

Which of the following scenarios would still allow the quorum to complete maintenance in a swarm cluster? (Choose two) A 3-node cluster with 2 nodes down. A 3-node cluster with 1 node down. A 7-node cluster with 3 nodes down. A 4-node cluster with 2 nodes down.

- A 3-node cluster with 1 node down. "More than half of the nodes are still up, so the quorum is maintained in this scenario." - A 7-node cluster with 3 nodes down. "More than half of the nodes are still up, so the quorum is maintained in this scenario."

What flag should we use to specify a custom volume driver when creating a volume alongside a service that has docker service create? --driver --volume-driver --mount volume-driver= --volumedriver

--mount volume-driver= "This will create the volume with the specified driver."

Which of the following is true of filesystem storage models? (Choose two) They are efficient with write-heavy workloads. They store data in regular files on the host machine. They are used by overlay2 and aufs. The overlay2 and aufs storage drivers both use filesystem storage models. They use an external, object-based store.

- They store data in regular files on the host machine. "Filesystem storage models simulate a file system and store the data in regular files onto the host machine." - They are used by overlay2 and aufs. "The overlay2 and aufs storage drivers both use filesystem storage models."

Which of the following statements about the overlay network driver is accurate? Networking components are created on nodes dynamically when tasks get scheduled on the node. The network must be set up manually on each node. The network is set up on every node in the cluster as soon as the network faces creation. The overlay driver only allows communication between containers running on the same host.

- Networking components are created on nodes dynamically when tasks get scheduled on the node. "The overlay network driver dynamically creates networking components on the node when a relevant task gets scheduled on that node."

Which of the following commands will attach the tasks of a new service to an existing overlay network called my-overlay? docker service create --network-driver overlay nginx docker service create --n my-overlay nginx docker service create --network my-overlay nginx docker service create --attach my-overlay nginx

- docker service create --network my-overlay nginx "This command will attach the service's tasks to a specified network."

Which of the following commands will create a new bridge network? docker network create --network-driver bridge my-network docker network create --driver overlay my-network docker network create --network bridge my-network docker network create my-network

- docker network create my-network "Since the bridge is the default, a new bridge network will generate even when --driver is not specified."

What Linux feature does Docker use to allow containers to listen on ports lower than 1024 without running as root on the host? Capabilities Namespaces Linux jails Control Groups

- Capabilities "Capabilities are used by Docker to provide granular permissions to container processes, such as listening on low ports without the need for root access."

Which of the following is not a namespace used by Docker? pid uts net mem

- mem "This is not a namespace used by Docker."

How can we provide custom certificates to the Universal Control Plane (UCP) and Docker Trusted Registry (DTR)? We can push new certificates via the UCP web API. We must supply the certificates during the UCP and DTR installation process. docker ucp config --cert We can upload certificates via the UCP and DTR web UIs.

- We can upload certificates via the UCP and DTR web UIs. "We can upload certificates in the administrative settings section for both UCP and DTR."

Which command allows us to create an encrypted overlay network? docker network create --opt encrypted my-net docker network create --encrypted --driver overlay my-net docker network create --secure --driver overlay my-net docker network create --opt encrypted --driver overlay my-net This command will create an encrypted overlay network.

- docker network create --opt encrypted --driver overlay my-net "This command will create an encrypted overlay network."

What is the name of Docker feature that enables us to sign images and verify image signatures before running them? Docker Image Trust Docker registry Docker Content Trust Docker Trusted Registry

- Docker Content Trust "Docker Content Trust allows us to sign images and verify signatures before running them."

We have a group of people who need similar permissions in Universal Control Plane (UCP). How can we manage their permissions as a group without having to assign individual permissions to each user manually? Add grants to one user to give them the permissions they need, and then copy that user's permissions to the other users. Create a role with several permissions assigned, and then assign each user to that shared role. Assign the users to a team, and then assign grants to the entire team, giving them the permissions they need. Create a GrantBundle and assign it to each user.

- Assign the users to a team, and then assign grants to the entire team, giving them the permissions they need. "UCP uses teams to manage users who all need the same set of permissions."

Dylan is getting ready to run a container. He needs this container to auto-restart whenever its process exits, but he doesn't want it to restart if the container had manually stopped earlier. Which restart policy should he use? unless-stopped on-failure always manual-control

- unless-stopped "This restart policy will always restart the container unless it was stopped explicitly."

What procedure should we follow to upgrade the Docker engine on an Ubuntu server? Install newer versions of the docker-ce and docker-ce-cli packages. We must install newer versions of the packages in order to upgrade Docker. Stop Docker, remove the packages, and then reinstall the packages with a newer version. Remove all containers, stop Docker, and then install the newer version. Stop Docker, then install the packages with the newer version.

- Install newer versions of the docker-ce and docker-ce-cli packages. "We must install newer versions of the packages in order to upgrade Docker."

What Linux feature does Docker use in order to limit memory usage for containers? Capabilities The mem namespace. Control groups (cgroups) Namespaces

- Control groups (cgroups) "Docker uses cgroups to limit memory usage for containers."

Which of the following is true about the creation of private Docker registries? We cannot secure a private registry in Docker Community Edition (CE). We can create our own registry by running a container with the registry image. We need Docker Trusted Registry (DTR) present if we want to generate a private registry. We need a Docker EE license to have our own private registry created.

- We can create our own registry by running a container with the registry image. "Running this image will create a private Docker registry."

What does the CMD directive do? It runs a command on the host when the container starts. It sets the default command for the image that runs if no other command is specified. It runs a command within the image and commits it to the result. It executes a command during the build process.

- It sets the default command for the image that runs if no other command is specified. "The CMD directive sets the default command."

What type of data exists in the writable file system layer created by a container? The data would consist of only container logs. It would be only the data from the base image. The data would consist of only changes from the previous layer that were made by the container. A snapshot of all of the data in its current state would reside in the layer.

- The data would consist of only changes from the previous layer that were made by the container. "Each file system layer contains only the changes made from the previous layer."

Which of the following commands can we use to view detailed metadata about a container? (Choose two) docker query docker metadata docker inspect docker container inspect

- docker inspect " This command will allow us to query metadata about any Docker object." - docker container inspect " This command will allow us to find metadata about any container."

What command would we use to list the services that are part of a stack called web-store? docker service ls web-store docker stack services web-store docker stack ps web-store docker service ls

- docker stack services web-store "This command will list the services that are part of the stack."

We have some containerized software that needs to have a reference to the hostname of the node that the software is running on. Which of the following commands will let us pass the node hostname as an environment variable into each task in a service? docker service create --pass-node-hostname=true nginx docker service create --env NODE_HOSTNAME="{{Hostname}}" nginx docker service create --env NODE_HOSTNAME="{{.Node.Hostname}}" nginx docker service create -e NODE_HOSTNAME nginx

- docker service create --env NODE_HOSTNAME="{{.Node.Hostname}}" nginx "This command will create an environment variable in each task that contains the node hostname."

What command should we use if we want to view logs for all of the tasks in a service called my-service? docker container logs my-service docker task logs my-service docker logs my-service docker service logs my-service This command will retrieve logs for all of the tasks in the service.

- docker service logs my-service "This command will retrieve logs for all of the tasks in the service."

How would we rotate a docker swarm unlock-key and ensure that all nodes receive the new key? We would run the docker swarm unlock-key --rotate command on one manager node. We would generate a new key and save it in a file located at /etc/docker/swarm/unlock.key. We can use the docker swarm unlock command. We would run the docker swarm unlock-key --rotate command on all manager nodes.

- We would run the docker swarm unlock-key --rotate command on one manager node. "This command will automatically rotate the key and handle all orchestration between nodes."

Which of the following configurations would be best for enabling direct-lvm mode with devicemapper? Set dm.directlvm_device in /etc/docker/daemon.json. Set dm.mode=direct-lvm in /etc/docker/daemon.json. Set dm.direct-lvm=true in /etc/docker/daemon.json. Set dm.loop-lvm=false in /etc/docker/daemon.json.

- Set dm.directlvm_device in /etc/docker/daemon.json. "We can enable direct-lvm by setting this value in daemon.json to a block storage device."

Anastasia has created a container with a volume called shared-data. She wants to create a new container that can access the same data as the first container, but she wants this new container only to be able to read the data, not modify it. How can she accomplish this? This task is not possible for Anastasia to complete because we cannot mount the same volume to two containers. Anastasia can use docker run --name new-container -v shared-data:/tmp:ro nginx. Anastasia can create a bind mount for the new container that points to the physical location of the shared volume on the host. Anastasia can use docker run --name new-container -v shared-data:/tmp nginx.

- Anastasia can use: docker run --name new-container -v shared-data:/tmp:ro nginx "This command will mount the shared volume to the new container in read-only mode."

What volume driver allows you to create and access external storage that can be shared across a Docker Swarm cluster using SSH? overlay2 overlay devicemapper vieux/sshfs

vieux/sshfs "This is a custom driver that uses SSH to access remote storage from any node in the cluster."

Which of the following statements about Docker image vulnerability scanning is accurate? Docker Enterprise Edition (EE) will prevent you from running images that contain vulnerabilities. We need a Docker Enterprise Edition (EE) license to scan images within our registry. Docker Trusted Registry (DTR) will scan all images by default. Image vulnerability scanning inspects images before they're running on a host.

- We need a Docker Enterprise Edition (EE) license to scan images within our registry. "We need Docker Trusted Registry to scan images within our registry, which requires Docker EE."

How can you enable Docker Content Trust (DCT) in Docker Community Edition (CE)? Set the CONTENT_TRUST environment variable to 1. Pass the --content-trust flag to dockerd. Set "content-trust": true in /etc/docker/daemon.json. Set the DOCKER_CONTENT_TRUST environment variable to 1.

- Set the DOCKER_CONTENT_TRUST environment variable to 1. "Setting this environment variable to 1 will enable DCT."

Which of the following is a secure method for allowing a Docker client to authenticate with a registry that uses a self-signed certificate? docker login --trust-ca docker login --accept-cert We add the registry to the insecure-registries list in /etc/docker/daemon.json. We add the self-signed certificate as a trusted registry certificate under /etc/docker/certs.d/.

- We add the self-signed certificate as a trusted registry certificate under /etc/docker/certs.d/. "Utilizing /etc/docker/certs.d/ is the secure way to authenticate with a registry that uses a self-signed certificate."

Which of the following is the correct docker image address to be used to access an image named payapp hosted under the organization payroll at a private registry registry.company.io?

registry.company.io/payroll/payapp

What will happen if the –memory-swap is set to 0?

the setting is ignored, and the value is treated as unset

Which of the following modes is used to configure the device-mapper storage driver

loop-lvm direct-lvm

Which statements best describe a PersistentVolumeClaim?

A PersistentVolumeClaim (PVC) is a request for storage by a user. A PVC will be automatically bound to a PV on creation when a PV is available Claims can request specific size and access modes

Where do you configure the configMapKeyRef in a pod to use environment variables defined in a ConfigMap?

spec.containers.env.valueFrom

Run a webapp container, and make sure that No logs are configured for this container

docker run -it --log-driver none webapp

What is the command to rebalance the docker swarm cluster workloads?

docker service update --force

Which statements best describe Persistent Volume in kubernetes?

Which option is used to change the default storage driver to use devicemapper?

{“storage-driver”: “devicemapper”}

Which of the below can help minimize the image size?

Only install necessary packages within the image Combine multiple dependent instructions into a single instruction and cleanup temporary files Use multi-stage builds

Which command is used to delete the stopped containers?

docker container prune docker container rm $(docker container ls -aq)

A government facility runs a secure data center with no internet connectivity. A new application requires access to docker images hosted on docker hub. What is the best approach to solve this?

Pull docker images from a host with access to docker hub convert to a tarball using docker image save command, and copy to the restricted environment and extract the tarball

Which of the below commands may be used to change the default logging driver to splunk?

echo ‘{“log-driver”: “splunk”}’ > /etc/docker/daemon.json

Which command can be used to enable the debugging mode on the Docker Host?

echo ‘{“debug”: true}’ > /etc/docker/daemon.json

Which command can be used to start the docker engine enterprise service on a systemctl configured system?

sudo systemctl start docker

What is a Linux feature that prevents a process within the container from performing filesystem related operations such as altering attributes of certain files?

Kernel Capabilities

Which command can be used to list the tasks in a stack named webapp?

docker stack ps webapp

Which formula can be used to calculate the Quorum of N nodes?

N/2 + 1

Which of the following is the correct format for CMD instruction

CMD [“executable”,“param1”,“param2”] CMD [“param1”,“param2”], CMD command param1 param2

How would we go about backing up images in the Docker Trusted Registry (DTR)? Back up everything in /var/lib/docker/volumes. Run a docker pull on all of the images to transfer them to another host. Execute a container using the dtr image with the backup-images command. Create a backup of everything in the DTR image storage volume.

Create a backup of everything in the DTR image storage volume. "To back up images, back up the contents of the volume DTR used to store images." ------------------------------------------------------------------------------- /var/lib/docker/volumes//_data. Volume Names: https://docs.mirantis.com/msr/2.8/ref-arch/volumes.html dtr-ca- Root key material for the MSR root CA that issues certificates dtr-notary- Certificate and keys for the Notary components dtr-postgres- Vulnerability scans data dtr-registry- Docker images data, if MSR is configured to store images on the local filesystem dtr-rethink- Repository metadata dtr-nfs-registry-

How should we give a user permission to interact with the Docker daemon on a machine without giving them unnecessary additional access? Give the user the root user credentials so they can run docker commands as root. Add the user to the docker group. Give the user the ability to run docker commands with sudo. Have them log in as the docker user.

- Add the user to the docker group. "Docker provides the docker group for the purpose of giving users permission to solely access Docker."

Which of the following is not backed up when performing a Docker Trusted Registry (DTR) metadata backup? Role-based access control (RBAC) settings. DTR Configurations Repository metadata. Docker images. A DTR metadata backup does not include the images themselves.

- Docker images. "A DTR metadata backup does not include the images themselves."

Which of the following best describes the procedure for backing up Docker Trusted Registry (DTR) metadata? Run a container from the dtr image with the backup command. Create an archive for all of the data under the /var/data/dtr directory. Run a container from the dtr image with the destroy command.

- Run a container from the dtr image with the backup command. "This is the basic procedure for backing up DTR."

What does the EXPOSE directive do? It makes a container's port accessible externally. It automatically publishes ports when running a container. It causes the container to listen on a port. It documents ports intended for publishing at the time of running a container.

- It documents ports intended for publishing at the time of running a container. "The EXPOSE directive documents the ports that should be published when running a container from the image."

Amanda is having some network issues and needs to do some troubleshooting. How can she inject a nicolaka/netshoot container into the sandbox of an existing container called nginx-container? Amanda can use docker run --inject-container nginx-container nicolaka/netshoot. Amanda can use docker run --network nginx-container nicolaka/netshoot. Amanda can use docker run --network container:nginx-container nicolaka/netshoot. Amanda can use docker run --network-debug nginx-container nicolaka/netshoot.

Amanda can use: docker run --network container:nginx-container nicolaka/netshoot. "This command will inject the netshoot container into the sandbox of the existing container."

Which of the following network drivers is the default for connecting containers on the same host? overlay macvlan host bridge

- bridge "The bridge network driver is the default and is used to connect containers on the same host."

Given Docker's architecture and built-in security features, which of the following security scenarios should we be concerned about the most? If an attacker gains access to the Docker daemon, they could use it to execute commands as root on the host. An attacker may intercept swarm-level traffic between swarm nodes and obtain sensitive information from the data. If an attacker gains control of a container, they could use it to affect other containers on the same host directly. An attacker could set up a false machine under their control and join it to the swarm cluster to steal sensitive data, causing containers with sensitive data to execute on a fake device.

- If an attacker gains access to the Docker daemon, they could use it to execute commands as root on the host. "The Docker daemon must run as root, so it is essential to ensure that it's being protected and has limited access to it."

Which of the statements best describe “Grants” in the Access Control Model?

Grants are effectively Access Control Lists (ACLs) that provide comprehensive access policies for an entire organization when grouped together. Grants define which users can access what resources in what way., - A grant is made up of a subject a role a resource set

What is the type and the name of the network created for the DTR services to communicate with each other?

overlay/dtr-ol

Amanda wants to execute a one-time job using a Docker container. However, occasionally, this job fails and needs to restart. Amanda doesn't want to restart it manually if it fails. Which command should she use to make sure that the container executes the one-time job successfully? docker run --restart unless-stopped cleanup-job docker run --recover-failure cleanup-job docker run --restart failure-only cleanup-job docker run --restart on-failure cleanup-job

docker run --restart on-failure cleanup-job "This restart policy will only restart the container if it exits with a non-zero exit code."

Bob has set up a new Docker server. The overlay2 driver is the default for the server, but he wants to use devicemapper instead. Which of the following are ways to implement this change? Add the --storage-driver flag to the dockerd call in Docker's unit file. We can set the storage driver by passing the --storage-driver flag to dockerd. Selected Reformat the storage disk. Use a different Docker version. Set storage-driver to devicemapper in /etc/docker/daemon.json. We can set the storage driver in /etc/docker/daemon.json.

- Add the --storage-driver flag to the dockerd call in Docker's unit file. "We can set the storage driver by passing the --storage-driver flag to dockerd." - Set storage-driver to devicemapper in /etc/docker/daemon.json. "We can set the storage driver in /etc/docker/daemon.json."

Which of the following statements does not apply to the WORKDIR directive? It can use both absolute and relative paths. It affects only the build and does not impact containers that run from the image. The WORKDIR directive affects the containers by setting the working directory at the container runtime. It sets the working directory for the container at runtime. It sets the working directory for subsequent build steps.

- It affects only the build and does not impact containers that run from the image. "The WORKDIR directive affects the containers by setting the working directory at the container runtime."

Which flag allows us to return specific fields with docker inspect? --format --pretty --field-limit --filter

--format "The --format flag allows us to supply a Go template so that we can return specific data fields that are in a particular format."

How would we back up the metadata for Docker Swarm? We can run the swarm image with the backup command. We can back up the contents of /etc/docker/swarm. We can back up the contents of /usr/local/swarm. While the Docker daemon stops, we can back up the contents of /var/lib/docker/swarm on a Swarm manager.

While the Docker daemon stops, we can back up the contents of /var/lib/docker/swarm on a Swarm manager. "We can back up Docker Swarm metadata by backing up the contents of this directory."

Which of the following tasks can we perform to set a custom DNS server for a container? We can use the --dns flag with docker run. We can set "dns" in /etc/docker/daemon.json. We can use the --nameserver flag with docker run. We can use the --dns-override flag with docker run.

We can use the --dns flag with docker run. "This method would allow us to set a custom DNS server for the container."

DCA-2 Flashcards

(451 cards)