DCA-2 Flashcards

1
Q

What environment variables must be set to allow a client to communicate with UCP via the CLI?

DOCKER

DOCKER_HOST

DOCKER_CERT_PATH

DOCKER_PATH

A

DOCKER_HOST

DOCKER_CERT_PATH

2
Q

What is the command-line interface used to interact with UCP from a shell?

docker-ucp

docker

docker-ee

docker-ucp-cli

A

docker

3
Q

Universal Control Plane (UCP) lets you authorize users to view, edit, and use cluster resources by granting role-based permissions against resource sets.

True
False

A

True

4
Q

To authorize access to cluster resources across your organization, which of the following high-level steps must UCP administrators take?

Configure subjects (users, teams, and service accounts).

Define custom roles (or use defaults) by adding permitted operations per type of resource.

Configure resource sets of Swarm collections or Kubernetes namespaces.

Create grants by combining subject + role + resource set

A

Configure subjects (users, teams, and service accounts).

Define custom roles (or use defaults) by adding permitted operations per type of resource.

Configure resource sets of Swarm collections or Kubernetes namespaces.

Create grants by combining subject + role + resource set

5
Q

Which of the statements best describes “Subjects” in the Access Control Model?

A subject represents a user, team, organization

A subject does not represent a service account.

A subject can be granted a role that defines permitted operations against one or more resource sets.

A subject represents a service account.

A

A subject represents a user, team, organization

A subject can be granted a role that defines permitted operations against one or more resource sets.

A subject represents a service account.

6
Q

A group of teams that share a specific set of permissions forms a collection.

True
False

A

False

7
Q

Which of the statements best describe “Roles” in the Access Control Model?

Roles define what operations are allowed on a resource.

A role is a set of permitted operations against a type of resource, like a container or volume, which can only be assigned to individual users.

Most organizations use multiple roles to fine-tune appropriate access to users and teams.

All of the above

A

Roles define what operations are allowed on a resource.

Most organizations use multiple roles to fine-tune appropriate access to users and teams.

8
Q

Which of the statements best describe “Resource sets” in the Access Control Model?

A collection of resources in Docker Swarm

A collection in Kubernetes

A namespace in Kubernetes

A namespace in Docker Swarm

A

A collection of resources in Docker Swarm

A namespace in Kubernetes

9
Q

Which of the statements best describe “Grants” in the Access Control Model?

Grants define which users can access what resources in what way.

A grant is made up of a role and a resource set.

A grant is made up of a subject, a role, and a resource set.

Grants are effectively Access Control Lists (ACLs) which provide comprehensive access policies for an entire organization when grouped together.

A

Grants define which users can access what resources in what way.

A grant is made up of a subject, a role, and a resource set.

Grants are effectively Access Control Lists (ACLs) which provide comprehensive access policies for an entire organization when grouped together.

10
Q

Only an administrator can manage grants, subjects, roles, and access to resources.

True
False

A

True

11
Q

Docker Enterprise Edition provides …, wherein we can create users, group them into teams (which are nothing but groups of users), and tie them to an organization.

DTR
UCP
UCP Agent
RBAC

A

RBAC

12
Q

Which of the following is a common workflow for RBAC in Docker EE?

Create users, teams, and organization

Create custom roles with a set of permissions

Combine resource sets using a collection

A

Create users, teams, and organization

Create custom roles with a set of permissions

Combine resource sets using a collection

13
Q

The … allows you to authorize a remote Docker engine to a specific user account managed in Docker EE, absorbing all associated RBAC controls in the process

DTR

UCP

Client bundle

RBAC

A

Client Bundle

14
Q

A client bundle is a group of certificates downloadable directly from the Docker Trusted Registry (DTR) user interface within the admin section for “My Profile”

True
False

A

False

15
Q

Using … in Docker EE, we can control who can access and make changes to your cluster and applications.

DTR
UCP
Client bundle
RBAC

A

RBAC

16
Q

What are the minimum hardware requirements to install UCP?

4GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 2GB RAM and 500MB disk space for the /var partition for worker nodes

8GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 4GB RAM and 500MB disk space for the /var partition for worker nodes

8GB RAM, 2vCPUs and 10GB disk space for the /var/lib/docker partition for manager nodes, 4GB RAM and 500MB disk space for the /var/lib/docker partition for worker nodes

4GB RAM, 2vCPUs and 10GB disk space for the /var/lib/docker partition for manager nodes, 2GB RAM and 500MB disk space for the /var/lib/docker partition for worker nodes

A

8GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 4GB RAM and 500MB disk space for the /var partition for worker nodes

17
Q

What are the features of Docker Trusted Registry (DTR)?

Built-in Access Control

Image and Job Management

Automated image builds

Security Scanning

Dockerfile management in SCM

Image Signing

A

Built-in Access Control

Image and Job Management

Security Scanning

Image Signing

18
Q

A group of teams that share a specific set of permissions forms a collection.

True
False

A

False

19
Q

When using the built-in authentication mechanism, you can create users to grant them fine-grained permissions.
Which of the following statements best describes managing users in DTR?

Users are shared across UCP and DTR.

When you create a new user in UCP, that user becomes available in DTR and vice versa.

Check the Trusted Registry admin option, if you want to grant permissions for the user to be a UCP and DTR administrator.

Users are not shared across UCP and DTR

A

Users are shared across UCP and DTR.

When you create a new user in UCP, that user becomes available in DTR and vice versa.

Check the Trusted Registry admin option, if you want to grant permissions for the user to be a UCP and DTR administrator.

20
Q

When a user creates a repository, by default other users will also have permissions to make changes to the repository.

True
False

A

False

21
Q

By default, DTR has one organization called ‘docker-datacenter’, that is shared between DTR and UCP.

True
False

A

True

22
Q

What is the command to pull the docker repository owned by an organization?

docker get DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker pull DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker download DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker fetch DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

A

docker pull DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

23
Q

Which of the following is the docker image addressing convention?

Registry-Address/Image-or-Repository-Name/User-Or-Account-Name

Registry-Address/User-Or-Account-Name/Image-or-Repository-Name

User-Or-Account-Name/Image-or-Repository-Name/Registry-Address

Image-or-Repository-Name/User-Or-Account-Name/Registry-Address

A

Registry-Address/User-Or-Account-Name/Image-or-Repository-Name

24
Q

If we do not specify registry information, it is assumed to be the default registry, Docker Hub, at the address docker.io.

True
False

A

True

25
Q

DTR only supports creating private repositories.

True
False

A

False

26
Q

By default, when pushing an image to DTR, it automatically creates a new repository if one does not already exist by that name.

True
False

A

False

27
Q

You cannot configure DTR to allow pushing to repositories that don’t exist yet.

True
False

A

False

28
Q

We can use the CLI to enable pushing to repositories that don’t exist yet.

True
False

A

True

29
Q

DTR is a vulnerability scanner that analyzes container images for security vulnerabilities triggered by a manual request only.

True
False

A

False

30
Q

In which service does DTR image scanning occur?

A service known as the dtr-jobrunner container
A service known as the dtr-registry container
A service known as the dtr-api container
A service known as the dtr-runner container

A

A service known as the dtr-jobrunner container

31
Q

Extracts a copy of the image layers from backend storage.

Extracts the files from the layer into a working directory inside the dtr-jobrunner container.

Executes the scanner against the files in this working directory, collecting a series of scanning data.

Once the scanning data is collected, the working directory for the layer will remain on the job-runner until garbage collection is initiated.

All of the above

A

Extracts a copy of the image layers from backend storage.

Extracts the files from the layer into a working directory inside the dtr-jobrunner container.

Executes the scanner against the files in this working directory, collecting a series of scanning data.

32
Q

In which of the following will image scanning look for known vulnerabilities?

OS packages

Suspicious user accounts

Libraries

IP Tables rules that are not required

Other dependencies that are defined in a container image

All of the above

A

OS packages

Libraries

Other dependencies that are defined in a container image

33
Q

You may also configure DTR to initiate scans automatically when an image is pushed.

True
False

A

True

34
Q

Once the scan is complete, a report shows all the vulnerabilities detected categorized as __________.

Major

Minor

Warning

Critical

INFO

All of the above

A

Major

Minor

Critical

35
Q

With Docker Trusted Registry you can promote an existing image, based on a policy, to be pushed to a new environment.

True
False

A

True

36
Q

With Docker Trusted Registry, we need to rebuild the image in each stage to promote to different environments (e.g. Dev, Test, Stage, and Prod)

True
False

A

False

37
Q

A promotion can only be configured to another repository within the same registry.

True
False

A

False

38
Q

Which statement best describes Garbage Collection in DTR?

Automatically removes unused image layers to save disk space at a scheduled interval.

Garbage Collection setting is available under the system -> garbage collection section.

By default, garbage collection is enabled.

All of the above

A

Automatically removes unused image layers to save disk space at a scheduled interval.

Garbage Collection setting is available under the system -> garbage collection section.

39
Q

You may configure garbage collection to run at a specific interval.

True
False

A

True

40
Q

Under the hood, each image stored in DTR is made up of multiple files. What are they?

A list of image layers that are unioned which represents the image filesystem

A configuration file that contains the architecture of the image and other metadata

A manifest file containing the list of all layers and configuration file for an image

A

A list of image layers that are unioned which represents the image filesystem

A configuration file that contains the architecture of the image and other metadata

A manifest file containing the list of all layers and configuration file for an image

41
Q

DTR ships with Notary built-in so that you can use Docker Content Trust (DCT) to sign and verify images.

True
False

A

True

42
Q

What are the key components of Docker Trusted Registry (DTR) for signing an image?

Notary Server
Notary Signer
Docker Hub
Universal Control Plane (UCP)

A

Notary Server

Notary Signer

43
Q

Which statements best describe Notary?

Notary is a tool for publishing and managing trusted collections of content.

The official Docker Hub Notary servers are located at https://docker.io

With Notary anyone can provide trust over arbitrary collections of data.

Notary uses Globally Unique Names (GUNs) to identify trust collections.

A

Notary is a tool for publishing and managing trusted collections of content.

With Notary anyone can provide trust over arbitrary collections of data.

Notary uses Globally Unique Names (GUNs) to identify trust collections.

44
Q

DCT is integrated with the Docker CLI, and allows you to _____________________.

Configure repositories

Add signers

Sign images using the docker trust command

A

Configure repositories

Add signers

Sign images using the docker trust command

45
Q

You are required to configure your environment to prevent untrusted images from being deployed on the cluster. What approach would you choose to ensure images deployed in the cluster are secure and trusted?

Configure RBAC and provide access to repositories to privileged users only

Enable vulnerability scanning on images on push

Configure UCP to run only signed images, and enforce image signing for all images using DCT

A

Configure UCP to run only signed images, and enforce image signing for all images using DCT

46
Q

In a Docker swarm cluster, when a failed node is brought back online it is ready to accept new workloads and existing workloads are automatically rebalanced.

True
False

A

False

47
Q

What is the command to rebalance the docker swarm cluster workloads if absolutely necessary?

docker service update SERVICE-NAME
docker service update --force SERVICE-NAME
docker update service SERVICE-NAME
docker update service --force SERVICE-NAME

A

docker service update --force SERVICE-NAME

48
Q

A swarm cluster runs with 5 manager and 5 worker nodes, with 10 replicas of an application running across all worker nodes. Which of the below statements are true when 3 manager nodes go down at the same time?

Since 2 manager nodes are available the cluster continues to operate normally

Cluster operates in a degraded mode with no management functionalities

The applications continue to work as normal without impacting users

Applications are killed and users are impacted

A

Cluster operates in a degraded mode with no management functionalities

The applications continue to work as normal without impacting users

49
Q

We could add a new node to the cluster as a manager but we cannot promote an existing worker node to be the manager.

True
False

A

False

50
Q

You should have at least 3 managers in the swarm cluster to support manager node failures.

True
False

A

True

51
Q

Which statement best describes Quorum?

Quorum is the minimum number of nodes that must be available for the cluster to function properly.

In case of 3 manager nodes, the quorum is 3

It is recommended to maintain an odd number of managers to withstand network-wide outages.

In case of 5 manager nodes, the quorum is 3

A

Quorum is the minimum number of nodes that must be available for the cluster to function properly.

It is recommended to maintain an odd number of managers to withstand network-wide outages.

In case of 5 manager nodes, the quorum is 3

52
Q

Which of the below configurations can tolerate 3 manager node failures?

4 Manager 2 Worker Node Cluster
5 Manager 5 Worker Node Cluster
6 Manager 5 Worker Node Cluster
7 Manager 3 Worker Node Cluster
7 Manager 5 Worker Node Cluster
8 Manager 6 Worker Node Cluster
8 Manager 2 Worker Node Cluster

A

7 Manager 3 Worker Node Cluster
7 Manager 5 Worker Node Cluster
8 Manager 6 Worker Node Cluster
8 Manager 2 Worker Node Cluster

53
Q

For any given number of N nodes, what is the quorum value?

Total number of nodes divided by 3 + 1 (Quorum = (N/3)+1)

Total number of nodes divided by 2 + 1 (Quorum = (N/2)+1)

Total number of nodes divided by 2 – 1 (Quorum = (N/2)-1)

Total number of nodes divided by 3 – 1 (Quorum = (N/3)-1)

A

Total number of nodes divided by 2 + 1 (Quorum = (N/2)+1)

54
Q

What is the command to forcefully create a cluster from its current state?

docker swarm init
docker swarm init --force
docker swarm init --force-cluster
docker swarm init --force-new-cluster

A

docker swarm init --force-new-cluster

55
Q

What is the command to promote a node to manager in docker swarm cluster?

docker promote node NODENAME
docker node promote NODENAME
docker promote worker node NODENAME
docker node promote worker NODENAME

A

docker node promote NODENAME

56
Q

Which of the following statements are true? Select all the answers that apply.

On every docker host, docker stores data about the object it manages under the /var/lib/docker directory.

On a swarm manager node, it stores data about the swarm cluster in the /var/lib/docker/swarm directory.

On every docker host, docker stores data about the object it manages under the /var/run/docker directory.

On a swarm manager node, it stores data about the swarm cluster in the /var/run/docker/swarm directory.

A

On every docker host, docker stores data about the object it manages under the /var/lib/docker directory.

On a swarm manager node, it stores data about the swarm cluster in the /var/lib/docker/swarm directory.

57
Q

The RAFT DB helps in restoring the services and any other configuration in a swarm cluster.

True
False

A

True

58
Q

What are the steps that we need to follow to back up the swarm database?

Create a tar backup of the swarm data at /var/lib/docker/swarm and restart the docker service.

Stop docker service, create a tar backup of the swarm data at /var/lib/docker/swarm, start the docker.

Stop docker service, create a tar backup of the docker data at /var/lib/docker, start the docker

None of the above

A

Stop docker service, create a tar backup of the swarm data at /var/lib/docker/swarm, start the docker.

59
Q

It is recommended to perform a backup on the swarm leader node.

True
False

A

False

60
Q

What is the command to enable automatic locking of managers with an encryption key?

docker swarm init --lock=true
docker swarm init --autolock=true
docker swarm init --autounlock=false
docker swarm init --unlock=false

A

docker swarm init --autolock=true

61
Q

What is the command to disable auto lock for a docker swarm cluster that has it enabled already?

docker swarm update --autolock=false
docker update swarm --autolock=false
docker swarm update --auto-unlock=true
docker update swarm --auto-unlock=true

A

docker swarm update --autolock=false

62
Q

The auto lock key is required when the cluster is restored, so it must be kept safe in an external password manager.

True
False

A

True

63
Q

The auto lock key is backed up along with the Swarm backup.

True
False

A

False

64
Q

What are the prerequisites for restoring swarm?

You must use the same IP as the node from which you made the backup.

You must restore the backup on the same Docker Engine version.

If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.

You can find the list of manager IP addresses in state.json in the zip file

A

You must use the same IP as the node from which you made the backup.

You must restore the backup on the same Docker Engine version.

If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.

You can find the list of manager IP addresses in state.json in the zip file

65
Q

Which of the following steps are required on each manager node to restore data to a new swarm?

Shut down the Docker Engine on the node you selected for the restore

Uninstall Docker on the node

Remove the /var/lib/docker directory on the new Swarm if it exists.

Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists.

Restore the /var/lib/docker/swarm directory with the contents of the backup

Install Docker on the node

Start Docker on the new node. Unlock the swarm if necessary

Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.

A

Shut down the Docker Engine on the node you selected for the restore

Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists.

Restore the /var/lib/docker/swarm directory with the contents of the backup

Start Docker on the new node. Unlock the swarm if necessary

Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.

66
Q

To take a backup of UCP, which docker image would you need to run with the backup command?

docker/ucp-backup
docker/ucp
docker/backup
docker/backup-ucp

A

docker/ucp

67
Q

You can only take backup of UCP via CLI.

True
False

A

False

68
Q

In order to take a backup of UCP, you need to backup each UCP manager node.

True
False

A

False

69
Q

Which of the following statements are true about UCP backup?

Backups can be utilized for restoring clusters on a cluster with a newer version of Docker Enterprise.

More than one backup at the same time is supported.

For crashed clusters, backup capability is not guaranteed.

UCP backup includes swarm workloads.

UCP backup includes Kubernetes workloads.

A

For crashed clusters, backup capability is not guaranteed.

UCP backup includes Kubernetes workloads.

70
Q

In which of the following ways can a UCP backup be created?

CLI

GUI

API

A

CLI

GUI

API

71
Q

To restore an existing UCP installation from a backup, you need to uninstall UCP from the swarm by using the uninstall-ucp command.

True
False

A

True

72
Q

Which of the following are included in a UCP backup?

User, Team and Organization details

Docker Swarm Services

Kubernetes Namespaces

Certificates and Keys

Access Control Details

Overlay Networks

Docker Images

Docker Swarm Secrets

A

User, Team and Organization details

Kubernetes Namespaces

Certificates and Keys

Access Control Details

73
Q

Which of the following data does Docker Trusted Registry maintain?

Configurations

Notary Data

Certificates and Keys

Access Control to repos and Images

A

Configurations

Notary Data

Certificates and Keys

Access Control to repos and Images

74
Q

What is the command to perform a backup of DTR node?

Run the docker/dtr backup command

Run the docker/dtr-backup command

Run the docker/backup-dtr command

Run the docker/backup dtr command

A

Run the docker/dtr backup command

75
Q

To create a backup of DTR, you don’t need to backup the DTR metadata, only backing up image content is enough.

True
False

A

False

76
Q

Since you need your DTR replica ID during a backup, which of the following covers a few ways for you to determine your replica ID?

UCP web interface

UCP client bundle

SSH Access

A

UCP web interface

UCP client bundle

SSH Access

77
Q

What is the command to restore the DTR from a backup tar (e.g. dtr-metadata-backup.tar)?

docker run -i --rm docker/dtr-restore < dtr-metadata-backup.tar

docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar

docker run -i --rm docker/restore-dtr < dtr-metadata-backup.tar

docker run -i --rm docker/restore dtr < dtr-metadata-backup.tar

A

docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar

78
Q

What is the recommended approach of taking a backup of images stored by Docker Trusted Registry?

Store image data on local disk and backup image and DTR metadata together into a tarball

Store image data on a shared network storage and use supported backup mechanisms available for that network storage

A

Store image data on a shared network storage and use supported backup mechanisms available for that network storage

79
Q

What is the command to restore the DTR from a backup tar (e.g. dtr-metadata-backup.tar)?

docker run -i --rm docker/dtr-restore < dtr-metadata-backup.tar

docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar

docker run -i --rm docker/restore-dtr < dtr-metadata-backup.tar

docker run -i --rm docker/restore dtr < dtr-metadata-backup.tar

A

docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar

80
Q

Which of the following are included in a UCP backup?

User, Team and Organization details

Docker Swarm Services

Kubernetes Namespaces

Certificates and Keys

Access Control Details

Docker Images

A

User, Team and Organization details

Kubernetes Namespaces

Certificates and Keys

Access Control Details

81
Q

The auto lock key is required when the cluster is restored, so it must be kept safe in an external password manager.

True
False

A

True

82
Q

To create a backup of DTR, you don’t need to backup the DTR metadata, only backing up image content is enough.

True
False

A

False

83
Q

What are the prerequisites for restoring a swarm?

You must use the same IP as the node from which you made the backup.

You must restore the backup on the same Docker Engine version.

If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.

A

You must use the same IP as the node from which you made the backup.

You must restore the backup on the same Docker Engine version.

If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.

84
Q

What are the recommended hardware requirements to install DTR in a production environment?

  • 16GB RAM, 4vCPUs and 25 - 100 of free disk space
  • 16GB RAM, 2vCPUs and 100GB of free disk space
  • 8GB RAM, 2vCPUs and 100GB of free disk space
  • 8GB RAM, 4vCPUs and 25 - 100GB of free disk space

A

16GB RAM, 4vCPUs and 25 - 100 of free disk space

85
Q

Which of the below is a recommended best practice while taking backups of a swarm cluster?

  • Perform the backup operations from a swarm worker node
  • Perform the backup operations from a swarm manager node that is not a leader
  • Perform the backup operations from a swarm manager node that is a leader

A

  • Perform the backup operations from a swarm manager node that is not a leader

86
Q

What will happen if the container consumes more memory than its limit?

A

The container will be killed with an Out of Memory exception

87
Q

Which component is responsible for performing all of these operations: maintaining the layered architecture, creating a writable layer, moving files across layers to enable Copy-on-Write, etc.?

A

Storage drivers

88
Q

What are the different access modes configurable on a persistent volume?

A

ReadOnlyMany, ReadWriteMany, ReadWriteOnce

89
Q

Which statement best describes a kubernetes storage class?

A

A StorageClass provides a way for administrators to describe the “classes” of storage they offer.

Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy.

The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.

90
Q

Which statements best describe a PersistentVolumeClaim?

A

A PersistentVolumeClaim (PVC) is a request for storage by a user

A PVC will be automatically bound to a PV on creation when a PV is available

Claims can request specific size and access modes

91
Q

What is a recommended best practice for installing packages and libraries using the apt-get package manager while building an image?

A

Use the RUN instruction and have the apt-get update and apt-get install commands on the same instruction

92
Q

What is the command to change the tag of httpd:latest to httpd:v1?

A

docker image tag httpd:latest httpd:v1

93
Q

After building the below code with an image named webapp, what will happen when you run docker run webapp sleep 1000?

A

docker overrides the CMD instruction with sleep 1000

94
Q

Which command can be used to deploy exactly one instance of the application on all the nodes in the cluster?

A

docker service create --mode=global webapp

95
Q

Which statement best describes Quorum?

A

Quorum is the minimum number of nodes that must be available for the cluster to function properly.

96
Q

What is the command to deploy a service named webapp on a node which has a type=cpu-optimized label?

A

docker service create --constraint=node.labels.type==cpu-optimized webapp

97
Q

The webapp:v1 had some bugs and we fixed them in webapp:v2. We want to update the service to use the image webapp:v2. What is the right command?

A

docker service update --image=webapp:v2 webapp

98
Q

To list the services created by a stack, run …

A

docker stack services

99
Q

How do you configure all key-value pairs in a Secret object as environment variables within a container?

A

envFrom.secretRef

100
Q

Which of the following are correct commands to create config maps? Select all the answers that apply.

A

kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2

kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env

101
Q

Where do you configure the configMapKeyRef in a pod to use environment variables defined in a ConfigMap?

A

spec.containers.env.valueFrom

102
Q

What flags are used to configure encryption on docker daemon without any authentication?

A

tls, tlscert, tlskey

103
Q

What is the type and the name of the network created for the DTR services to communicate with each other?

A

overlay/dtr-ol

104
Q

Which of the following solutions support network policies?

A

kube-router, Calico, Weave-Net

105
Q

Which command is used to get the events of the container named webapp?

A

docker system events --filter 'container=webapp'

106
Q

When you create a swarm service and do not specify a user-defined overlay network, it connects to the … network by default

A

ingress

107
Q

What are the recommended hardware requirements to install DTR in a production environment?

A

16GB RAM, 4vCPUs and 25-100GB of free disk space.

108
Q

Which of the below is a recommended best practice while taking backups of a swarm cluster?

A

Perform the backup operations from a swarm manager node that is not a leader

109
Q

What will happen if the --memory-swap is set to 0?

A

the setting is ignored, and the value is treated as unset

110
Q

How many manager nodes must be online in a cluster with 13 manager nodes for the swarm cluster to continue to operate?

A

7

111
Q

Where do you specify image names in a pod definition YAML file to be deployed on Kubernetes?

A

spec.containers.image

112
Q

What is the command to rebalance the docker swarm cluster workloads?

A

docker service update --force

113
Q

Which option of the docker service command can be used to update 4 replicas at a time of a service named mywebapp?

A

--update-parallelism 4

114
Q

What is the command to change the role of a manager node named manager1 to a worker node in a Docker Swarm cluster?

A

docker node demote manager1

115
Q

Which command can be used to return the current autolock key used to lock a docker swarm cluster?

A

docker swarm unlock-key

116
Q

How do you inject configmap into a pod in Kubernetes?

A

Using envFrom and configMapRef

117
Q

The … assigns tasks to nodes in Docker Swarm.

A

dispatcher

118
Q

What is the high level command to restore the DTR from a backup tar named dtr-metadata-backup.tar ?

A

docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar

119
Q

Which of the below commands may be used to change the default logging driver to splunk?

A

echo '{"log-driver": "splunk"}' > /etc/docker/daemon.json

120
Q

Refer to the Dockerfile below and identify which value should be added to the --from= option in the second stage to copy the application build from the first stage.

A

0, builder

121
Q

Which of the below can help minimize the image size?

A

Only install necessary packages within the image

Combine multiple dependent instructions into a single instruction and clean up temporary files

Use multi-stage builds

122
Q

What is the command to find images with a name containing busybox, at least 3 stars and are official builds?

A

docker search --filter is-official=true --filter stars=3 busybox

123
Q

To scan an image, DTR ________________.

A

Extracts a copy of the image layers from backend storage.

Extracts the files from the layer into a working directory inside the dtr-jobrunner container.

Executes the scanner against the files in this working directory, collecting a series of scanning data.

Once the scanning data is collected, the working directory for the layer is removed.

124
Q

Universal Control Plane (UCP), lets you authorize users to view, edit, and use cluster resources by granting role-based permissions against resource sets.

A

True

125
Q

Which statement best describes docker volume plugin?

A

Docker Engine volume plugins enable Engine deployments to be integrated with external storage systems such as Amazon EBS.

The local volume plugin helps to create a volume on Docker host and store its data under the /var/lib/docker/volumes/ directory.

126
Q

Which of the following are valid storage drivers supported by Docker?

A

AUFS
overlay2
Device Mapper

127
Q

Which option is used to change the default storage driver to use devicemapper?

A

{"storage-driver": "devicemapper"}

128
Q

Which statements best describe Persistent Volume in Kubernetes?

A

A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using a Storage Class. It is a resource in the cluster just like a node is a cluster resource.

129
Q

ETCD by default listens on port 2780.

A

False

130
Q

What types of networks will be created when you initialize a swarm or join a Docker host to an existing swarm?

A

bridge

ingress

131
Q

After an update to a service named webapp we realized that something is wrong with the new version and we want to revert back to the old version. How can we achieve that?

A

docker service rollback webapp

132
Q

overlay2, aufs, and devicemapper all operate at the file level rather than the block level.

A

False

133
Q

Using RUN apt-get update && apt-get install -y ensures your Dockerfile installs the latest package versions every time an image is built. This technique is known as ……

A

Cache busting

134
Q

What is the recommended approach to load a set of configurations into the pod in the form of a file to the path /var/configs?

A

Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs

135
Q

UCP has its own built-in authentication mechanism and integrates with LDAP and AD services.

A

True

136
Q

If the service type is NodePort, then Kubernetes will allocate a port on every worker node.

A

True

137
Q

What is the command to apply the disk=ssd label to worker1 in a swarm cluster?

A

docker node update --label-add disk=ssd worker1

138
Q

A client bundle is a group of certificates downloadable directly from the Docker Trusted Registry (DTR) user interface within the admin section for “My Profile”

A

False

139
Q

What option may be used to change the default behaviour of a failed task during an update in swarm?

A

--update-failure-action

140
Q

Which component is responsible to serve the UCP components such as
the web UI,
the authentication API,
metrics server,
proxy and data stores used by UCP in the form of containers?

A

UCP Agent

141
Q

The routing mesh enables each node in the swarm to accept connections on published ports for any service running in the swarm, even if there’s no task running on the node.

A

True

142
Q

In which service does the DTR image scanning occur?

A

A service known as the dtr-jobrunner container

143
Q

What component is responsible for instructing a worker to run a task?

A

scheduler

144
Q

What are the 4 top level fields a kubernetes definition file for POD contains?

A

apiVersion
metadata
kind
spec

145
Q

Which command can be used to list the tasks in a stack named webapp?

A

docker stack ps webapp

146
Q

Which command can be used to increase the number of replicas from 2 to 4 of a service named webapp? Select all the right answers.

A

docker service update --replicas=4 webapp

docker service scale webapp=4

147
Q

Which of the below statements are correct?

A

Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web

Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web

148
Q

Which command can be used to get the logs of a swarm service?

A

docker service logs SERVICE-NAME

149
Q

Create a service using the my-web-server image and map UDP port 80 in the container to port 5000 on the overlay network.

A

docker service create -p 5000:80/udp my-web-server

docker service create --publish published=5000,target=80,protocol=udp my-web-server

150
Q

Which formula can be used to calculate the Quorum of N nodes?

A

N / 2 +1

151
Q

What is the default range of ports that Kubernetes uses for NodePort if one is not specified?

A

30000-32767

152
Q

Which among the following statements are true without any change made to the default behavior of network policies in the namespace?

A

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except allowed by the network policy

153
Q

What is the command to stop all running containers on the host?

A

docker container stop $(docker container ls -q)

154
Q

Which of the following is the correct format for CMD instruction?

A

CMD ["executable","param1","param2"]

CMD ["param1","param2"]

CMD command param1 param2

155
Q

What are the features of docker trusted registry (DTR)?

A

Built-in Access Control

Image and Job Management

Security Scanning

Image Signing

156
Q

Which image is used to deploy the Docker Trusted Registry?

A

docker/dtr

157
Q

Print the value of ‘Architecture’ and ‘Os’ of an image named webapp

A

docker image inspect webapp -f '{{.Os}} {{.Architecture}}'

158
Q

While building a docker image from code stored in a remote URL, which command will be used to build from a directory called docker in the branch dev?

A

docker build https://github.com/kk/dca.git#dev:docker

159
Q

Which of the statements best describe “Resource sets” in Access Control Model?

A

To control user access, cluster resources are grouped into Docker Swarm collections or Kubernetes namespaces.

Together, collections and namespaces are named resource sets.

160
Q

What is the sequence of operations to be followed while configuring a storage class for an application?

A

Create a storage class with a provisioner

create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file

161
Q

overlay2, aufs, and devicemapper all operate at the file level rather than the block level.

A

False

162
Q

What is the command to delete the persistent volumes?

A

kubectl delete pv PV-NAME

163
Q

What is a Linux feature that allows isolation of containers from the Docker host?

A

Namespaces

164
Q

What component is responsible for managing CPU resources and allocating the time of the CPU between different processes?

A

CFS

165
Q

Which of the following steps are required on each manager node to restore data to a new swarm?

A

Shut down the Docker Engine on the node you select for the restore

Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists

Restore the /var/lib/docker/swarm directory with the contents of the backup

Start Docker on the new node. Unlock the swarm if necessary

Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.

166
Q

Where is the log of the webapp container, with id 78373635, stored on the Docker Host?

A

/var/lib/docker/containers/78373635/78373635.json

167
Q

Which statement best describes a Kubernetes node? (Choose 3)

A machine part of the Kubernetes cluster that runs workloads

A Virtual Machine that hosts workloads part of a Kubernetes cluster

A Physical Machine that hosts workloads part of a Kubernetes cluster

A machine that automatically schedules the pods across the nodes in the cluster.

A tool to start a Kubernetes cluster.

A

A machine part of the Kubernetes cluster that runs workloads

A Virtual Machine that hosts workloads part of a Kubernetes cluster

A Physical Machine that hosts workloads part of a Kubernetes cluster

168
Q

Which statement best describes kubectl in Kubernetes?

kubectl is an agent that runs on Kubernetes nodes

kubectl is used to bring up the Kubernetes cluster

The Kubernetes command-line tool

kubectl is a tool that lets you run Kubernetes locally

A

The Kubernetes command-line tool

169
Q

Which of the below are the container orchestration tools?

Apache Mesos

Docker Swarm

ETCD

Kubernetes

Apache HTTPD

A

Apache Mesos

Docker Swarm

Kubernetes

170
Q

What are the features of Kubernetes?

Self-healing & Batch execution

Secrets & configuration management

Container Image Management

Automated rollouts and rollbacks

A

Self-healing & Batch execution

Secrets & configuration management

Automated rollouts and rollbacks

171
Q

Which statement best describes a control plane component?

The control plane’s components decide how workloads are placed across the nodes in the cluster

kube-proxy is one of the control plane components

kube-scheduler is one of the control plane components

kube-controller is one of the control plane components

A

The control plane’s components decide how workloads are placed across the nodes in the cluster

kube-scheduler is one of the control plane components

kube-controller is one of the control plane components

172
Q

Which statement best describes the Worker Node component?

kubelet and container runtime are the worker node components

kube-proxy is one of the worker node components

kube-scheduler is one of the worker node components

kube-apiserver is one of the worker node components

A

kubelet and container runtime are the worker node components

kube-proxy is one of the worker node components

173
Q

Which of the following statements best describes ETCD? Select the correct answer

Etcd serves as the backing datastore for Kubernetes cluster data

ETCD is a worker node component

ETCD is a distributed reliable key-value store

None of the above

A

Etcd serves as the backing datastore for Kubernetes cluster data

ETCD is a distributed reliable key-value store

174
Q

ETCD by default listens on port 2780.

True
False

A

False

175
Q

Which of the following are components deployed only on a Master Node in a Kubernetes cluster?

Kube Scheduler

Kube Controller Manager

Kube Api-server

Kubelet

Kube-Proxy

A

Kube Scheduler

Kube Controller Manager

Kube Api-server

176
Q

Which of the following is the etcd command line tool?

etcd

etcdctl

kubectl

etcdcli

A

etcdctl

177
Q

Which of the below comes under Kubernetes Hosted Solutions?

Google Compute Engine (GCE)

Google Kubernetes Engine (GKE)

Azure Kubernetes Service (AKS)

Amazon EC2 Service

A

Google Kubernetes Engine (GKE)

Azure Kubernetes Service (AKS)

178
Q

What is a component of the Kubernetes control plane that allows external users or services to manage the Kubernetes cluster?

Kubernetes Scheduler

ETCDCTL

Kube API Server

Kube Proxy

A

Kube API Server

179
Q

Which of the following components watches for newly created pods and selects a node for them to run on?

kube-proxy

kube-node-controller

kube-scheduler

kubelet Agent

A

kube-scheduler

180
Q

What is the purpose of the replication controller?

Responsible for noticing and responding when nodes go down.

An agent that runs on each node in the cluster. It makes sure that containers are running in a Pod.

Responsible for maintaining the correct number of replicas of PODs at all times.

Replication controller makes sure that a pod or a homogeneous set of pods is always up and available

A

Responsible for maintaining the correct number of replicas of PODs at all times.

Replication controller makes sure that a pod or a homogeneous set of pods is always up and available

181
Q

Which component on the worker node is responsible for maintaining network rules on nodes?

kubelet

kube-proxy

kubelet

kube-apiserver

A

kube-proxy

182
Q

Which of the following are the container runtimes that Kubernetes supports?

Docker

Containerd

CRI-O

LXC

A

Docker

Containerd

CRI-O

183
Q

Which of the following are the types of controllers in Kubernetes?

Node-Controller

Replication-Controller

Endpoint-Controller

Deployment-Controller

A

Node-Controller

Replication-Controller

Endpoint-Controller

Deployment-Controller

184
Q

Which of the following statements best describes kube-scheduler?

The kube-scheduler is only responsible for deciding which pod goes on which node.

It places the pod on the nodes

Kube-scheduler is a worker node component

All of the above

A

The kube-scheduler is only responsible for deciding which pod goes on which node.

185
Q

Which statements best describe a POD in Kubernetes?

Kubernetes deploys applications in the form of Pods

A Pod can contain only one container

To scale up an application, increase the number of containers in a Pod.

Every container in the pod gets its own hostname and IP address

A

Kubernetes deploys applications in the form of Pods

186
Q

Which statement best describes Multi-Container POD? Select all the answers that apply.

Multi-container Pods can share resources and dependencies, communicate with one another, and coordinate when and how they are terminated

A single pod can have multiple containers

A single pod can have multiple containers of the same kind to scale up.

It is recommended to always use multi-container pods to improve performance of applications.

A

Multi-container Pods can share resources and dependencies, communicate with one another, and coordinate when and how they are terminated

A single pod can have multiple containers

187
Q

What is the command to deploy a nginx pod?

kubectl deploy nginx --image nginx

kubectl run nginx --image nginx

kubectl start -it nginx bash

kubelet run nginx --image nginx

A

kubectl run nginx --image nginx

188
Q

What is the command to list all the pods that are in a default namespace? Select all the answers that apply.

kubectl list pods -n default

kubectl get pods

kubectl list pods

kubectl get pods -n default

A

kubectl get pods

kubectl get pods -n default

189
Q

Which of the following statements are correct? Select all the answers that apply.

Pods can only be created via kubectl commands

Pods can be created with kubectl commands as well as via API calls.

Pods can only be created via API calls.

None of the above

A

Pods can be created with kubectl commands as well as via API calls.

190
Q

What is the command to check which nodes are the pods placed on? Select all the answers that apply.

kubectl get pods

kubectl get pods -o wide

kubectl describe pod

kubectl get nodes

A

kubectl get pods -o wide

kubectl describe pod

191
Q

What is the command to delete the pod?

kubectl pod delete

kubectl delete

kubectl delete pod

kubectl pod --delete

A

kubectl delete pod

192
Q

What are the possible ways to update the pod image? Select all the answers that apply.

You cannot update a pod image once a pod is created.

Update the pod-definition file and use kubectl apply command.

Use kubectl edit pod command and specify the new image

None of the above

A

Update the pod-definition file and use kubectl apply command.

Use kubectl edit pod command and specify the new image

193
Q

What are the 4 top level fields a Kubernetes definition file for POD contains?

apiVersion

templates

metadata

labels

kind

spec

namespaces

containers

A

apiVersion

metadata

kind

spec

194
Q

What is the command to create a pod with the pod-definition.yaml file?

kubectl run -f pod-definition.yaml

kubectl pod -f pod-definition.yaml

kubectl create -f pod-definition.yaml

kubectl apply -f pod-definition.yaml

A

kubectl create -f pod-definition.yaml

kubectl apply -f pod-definition.yaml

195
Q

How do you specify image names in a pod definition YAML file?

containers.image
spec.containers.image
template.containers.image
kind.containers.image

A

spec.containers.image

196
Q

How do you add labels to a pod in a pod definition YAML file?

labels

spec.labels
spec.containers.labels
metadata.labels

A

metadata.labels

197
Q

What is the command to delete a pod via a pod-definition file?

kubectl remove -f pod-definition.yaml

kubectl rm -f pod-definition.yaml

kubectl delete -f pod-definition.yaml

kubectl del -f pod-definition.yaml

A

kubectl delete -f pod-definition.yaml

198
Q

Inspect the below pod-definition file and answer the following questions:

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers: 
   - name: nginx-container
     image: nginx
   - name: agent
     image: agent

How many containers are created when this pod is created?

1
2
3
4

A

2

199
Q
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers: 
   - name: nginx-container
     image: nginx
   - name: agent
     image: agent

How many IP addresses are consumed by the pod when it’s created?

1
2
3
4

A

1

200
Q

The label selector is the core grouping primitive in Kubernetes. What kind of selectors are supported?

Equality-Based

Value-Based

Operator-Based

Set-Based

A

Equality-Based

Set-Based

201
Q

A ReplicaSet is one of the Kubernetes controllers?

True
False

A

True

202
Q

Which statements best describe replication controllers and replica sets? Select all answers that apply.

Replication Controller is the older technology that is being replaced by a ReplicaSet.

There is no difference between Replication controller and ReplicaSet.

The replication controller supports equality based selectors whereas the replica set supports equality based as well as set based selectors.

ReplicaSet is the new way to set up replication.

A

Replication Controller is the older technology that is being replaced by a ReplicaSet.

The replication controller supports equality based selectors whereas the replica set supports equality based as well as set based selectors.

ReplicaSet is the new way to set up replication.

203
Q

Which of the following commands are used to list all the ReplicaSets? Select all the answers that apply.

kubectl get services

kubectl get rs

kubectl get replicaset

kubectl get pods

A

kubectl get rs

kubectl get replicaset

204
Q

What is a Label in Kubernetes?

A way to expose traffic

A type of Deployment

A way to group related things using key/value pairs

None of the above

A

A way to group related things using key/value pairs

205
Q

What is the command to list all the labels of a ReplicaSet?

kubectl get rs --show-labels

kubectl get rs --labels

kubectl get rs -l

kubectl get rs --details

A

kubectl get rs --show-labels

206
Q

What is the command to delete a replication controller nginx?

kubectl get rc nginx

kubectl remove rc nginx

kubectl rm rc nginx

kubectl delete rc nginx

A

kubectl delete rc nginx

207
Q

What is the command to delete a ReplicaSet triage?

kubectl get rs triage

kubectl remove rs triage

kubectl rm rs triage

kubectl delete rs triage

A

kubectl delete rs triage

208
Q

How do you scale replica sets? Select all the answers that apply.

Update the number of replicas in the replicaset-definition.yaml definition file and apply.

Update using the kubectl scale command.

Delete and recreate a replica set.

Create a new replica set with the desired number of pods and delete the old replica set.

A

Update the number of replicas in the replicaset-definition.yaml definition file and apply.

Update using the kubectl scale command.

209
Q

You are required to deploy an application in the form of containers that can easily scale up or down and supports upgrade of applications by maintaining information about different revisions. What is the recommended approach to deploying the application?

Create a POD

Create a ReplicaSet

Create a Replication Controller

Create a Deployment

A

Create a Deployment

210
Q

What command would you use to create a Deployment? Select the correct answer

kubectl get deployments

kubectl get nodes

kubectl create

kubectl run

A

kubectl create

211
Q

What is the flag that you use along with “kubectl create” to scale a deployment in Kubernetes?

  • --image
  • --label
  • --replicas
  • --scale
A

--replicas

212
Q

What is the command to get the list of deployments? Select all the answers that apply.

kubectl get deploy

kubectl get deployment

kubectl get deployments

kubectl get deployments.apps

A

kubectl get deploy

kubectl get deployment

kubectl get deployments

kubectl get deployments.apps

213
Q

What is the command to create the deployment using the deployment definition file?

kubectl deployment -f deploy-definition.yaml

kubectl create -f deploy-definition.yaml

kubectl deploy -f deploy-definition.yaml

kubectl get -f deploy-definition.yaml

A

kubectl create -f deploy-definition.yaml

214
Q

Which of the following subcommands of kubectl can be used to get additional details of an object?

kubectl details

kubectl info

kubectl check

kubectl describe

A

kubectl describe

215
Q

What is the command to delete a deployment?

kubectl deployment delete deployment-name

kubectl delete deployment deployment-name

kubectl deployment-name delete deployment

kubectl deployment-name deployment delete

A

kubectl delete deployment deployment-name

216
Q

Which statement best describes deployment in Kubernetes? Select all the answers that apply.

Deployments create PODs and not ReplicaSets.

Deployments create ReplicaSets that create PODs.

Deployments support rolling updates and roll backs of applications.

Deployments support rolling updates but not roll backs.

A

Deployments create ReplicaSets that create PODs.

Deployments support rolling updates and roll backs of applications.

217
Q

Which of the following statements about Kubernetes deployments are correct?

You describe a desired state in a Deployment, and the Deployment Controller changes the actual state to the desired state at a controlled rate.

You can define Deployments to create new ReplicaSets, or to remove existing Deployments and adopt all their resources with new Deployments.

You may manually update the ReplicaSets owned by a Deployment.

You should not manually update the ReplicaSets owned by a Deployment.

A

You describe a desired state in a Deployment, and the Deployment Controller changes the actual state to the desired state at a controlled rate.

You can define Deployments to create new ReplicaSets, or to remove existing Deployments and adopt all their resources with new Deployments.

You should not manually update the ReplicaSets owned by a Deployment.

218
Q

What is the command to update the deployment in Kubernetes?
Let’s update the nginx Pods to use the nginx:1.16.1 image instead of the nginx:1.14.2 image.

kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1

kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1

kubectl set --image=deployment/nginx-deployment nginx=nginx:1.16.1

kubectl edit deployment.v1.apps/nginx-deployment

A

kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1

kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1

kubectl edit deployment.v1.apps/nginx-deployment

219
Q

Where do you configure the selector labels in the deployment YAML file?

metadata.selector
spec.selector
spec.template.selector
spec.template.metadata.selector

A

spec.selector

220
Q

Where do you configure the pod images in the deployment YAML file?

metadata.image
spec.containers.image
spec.template.spec.containers.image
spec.template.containers.image

A

spec.template.spec.containers.image

221
Q

Rolling updates allow deployments to update with zero downtime.

True
False

A

True

222
Q

What is the apiVersion for Kubernetes deployment?

v1
apps/v1
app/v1
apps/v

A

apps/v1

223
Q

What kubectl command can be used to perform a Deployment update?

kubectl set image

kubectl rollout update

kubectl rolling-update

kubectl update

A

kubectl set image

224
Q

What is the command to check the status of a deployment rollout named nginx-deploy?

kubectl rollout status deployment/nginx-deploy

kubectl rollout undo deployment/nginx-deploy

kubectl rollout update deployment/nginx-deploy

kubectl deployment status nginx-deploy

A

kubectl rollout status deployment/nginx-deploy

225
Q

What is the command used to rollback to the previous deployment?

kubectl set image

kubectl rollout undo

kubectl rollout status

kubectl rollout start

A

kubectl rollout undo

226
Q

What is the command used to view previous rollout revisions and configurations?

kubectl rollout status

kubectl rollout history

kubectl rollout undo

kubectl rollout pause

A

kubectl rollout history

227
Q

You performed an upgrade of images on a deployment recently. You’d like to check what command was run during the last update. However, the output of the rollout history command does not show the command. What may be the cause?

The upgrade was done using a kubectl apply command

The command run to upgrade did not use the --record flag.

The kubectl set command was used to perform the upgrade

The API server was down when the upgrade was performed

A

The command run to upgrade did not use the --record flag.

228
Q

Which of the following are the deployment strategy types in Kubernetes?

RollingUpdate

BlueGreen

Canary

Recreate

A

RollingUpdate

Recreate

229
Q

Which of the following is the default deployment strategy in Kubernetes deployments?

Recreate

RollingUpdate

Redeploy

BlueGreen

A

RollingUpdate

230
Q

If .spec.strategy.type is set to Recreate, then all existing pods are killed before new ones are created.

True
False

A

True

231
Q

If .spec.strategy.type is set to RollingUpdate, then all new PODs are created first and then all existing pods are killed at once.

True
False

A

False

232
Q
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-application
  labels:
    app: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
      - name: logger
        image: log-agent:1.2
      - name: monitor
        image: monitor-agent:1.0

This is an invalid configuration because the selector matchLabel nginx does not match the label web set on the deployment

This is an invalid configuration because there are more than 1 containers configured in the template

This is an invalid configuration because the selector field must come under the template section and not directly under spec

This is an invalid configuration because the API version is not set correctly

This is a valid configuration

A

This is a valid configuration

233
Q
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-application
  labels:
    app: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
      - name: logger
        image: log-agent:1.2
      - name: monitor
        image: monitor-agent:1.0

How many containers would be created in total when this deployment is created (excluding the PAUSE containers)?

3
6
9
1

A

9

234
Q
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-application
  labels:
    app: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
      - name: logger
        image: log-agent:1.2
      - name: monitor
        image: monitor-agent:1.0

How many IP addresses would be consumed when the deployment is created?

3
6
9
1

A

3

235
Q

Each container inside a POD gets its own IP address assigned.

A

False

236
Q

How many IP addresses are consumed by 3 PODs each with 2 containers?

3
6
2
9

A

3

237
Q

Which of the following are valid service types in Kubernetes?

NodePort

ClusterIP

LoadBalancer

ExternalName

ElasticLoadBalancer

A

NodePort

ClusterIP

LoadBalancer

ExternalName

238
Q

What is the command to list the Kubernetes services? Select all the answers that apply.

kubectl get svc

kubectl list services

kubectl get services

kubectl list svc

A

kubectl get svc

kubectl get services

239
Q

What is the command to delete a Kubernetes service?

kubectl delete svc SERVICE-NAME

kubectl rm service SERVICE-NAME

kubectl del services SERVICE-NAME

kubectl delete services SERVICE-NAME

A

kubectl delete svc SERVICE-NAME

kubectl delete services SERVICE-NAME

240
Q

Which of the following statements are correct about NodePort? Select all the answers that apply.

NodePort exposes a service on the same port as that of the exposed port on containers in the PODs.

NodePort exposes a service internally within the hosts only.

NodePort exposes a service to make it externally accessible on a port on the nodes.

None of the Above

A

NodePort exposes a service to make it externally accessible on a port on the nodes.

241
Q

If the service type is NodePort, then Kubernetes will allocate a port on every worker node.

True
False

A

True

242
Q

What is the default range of ports that Kubernetes uses for NodePort if one is not specified?

32767-64000
30000-32767
32000-32767
80-8080

A

30000-32767

243
Q

A NodePort service exposes a deployment only on the nodes on which the PODs of that deployment are running.

True
False

A

False

244
Q

An application has 2 tiers – a web service that must be externally accessible to users and a database service that must be accessible within the cluster only. What service types should be configured?

Web – NodePort, Database – LoadBalancer

Web – ClusterIP, Database – ClusterIP

Web – NodePort, Database – ClusterIP

Web – ClusterIP, Database – NodePort

A

Web – NodePort, Database – ClusterIP

245
Q

ClusterIP is the default service type for Kubernetes service.

True
False

A

True

246
Q
apiVersion: v1
kind: Service
metadata:
  name: web-service
  labels:
    obj: web-service
    app: web
spec:
  selector:
    app: web
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
      nodePort: 39376

For this service to discover the web service, what must be the label set on the PODs hosting the web service?

obj: web-service
app: web
app: web-service
obj: web

A

app: web

247
Q
apiVersion: v1
kind: Service
metadata:
  name: web-service
  labels:
    obj: web-service
    app: web
spec:
  selector:
    app: web
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
      nodePort: 39376

What port on the PODs is the web service most likely exposed on?

80
9376
8080
39376

A

9376

248
Q
apiVersion: v1
kind: Service
metadata:
  name: web-service
  labels:
    obj: web-service
    app: web
spec:
  selector:
    app: web
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
      nodePort: 39376

A user is trying to access the application using the node's IP and port number. What port must the user try to connect to?

80
9376
8080
39376

A

39376

249
Q
apiVersion: v1
kind: Service
metadata:
  name: web-service
  labels:
    obj: web-service
    app: web
spec:
  selector:
    app: web
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
      nodePort: 39376

Which of the below statements are correct?

Traffic to port 39376 on the node hosting the pod in the cluster is routed to port 9376 on a POD with the label app web on the same node

Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web

Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web

Traffic to port 80 on the node is routed to port 9376 on the service

A

Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web

Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web

250
Q

Which of the following statements is true about configuring commands and arguments in Kubernetes? Select all the answers that apply.

To define a command, include the command field in the configuration file.

To define a command, include the args field in the configuration file.

To define arguments for the command, include the command field in the configuration file.

To define arguments for the command, include the args field in the configuration file.

A

To define a command, include the command field in the configuration file.

To define arguments for the command, include the args field in the configuration file.

251
Q

The command and arguments that you define in the configuration file override the default command and arguments configured in the container image.

True
False

A

True

252
Q

Which field of the Kubernetes pod definition file corresponds to the ENTRYPOINT instruction in the Dockerfile?

ENTRYPOINT instruction in Dockerfile corresponds to command in Kubernetes definition file

ENTRYPOINT instruction in Dockerfile corresponds to args in Kubernetes definition file

CMD instruction in Dockerfile corresponds to args in Kubernetes definition file

CMD instruction in Dockerfile corresponds to command in Kubernetes definition file

A

ENTRYPOINT instruction in Dockerfile corresponds to command in Kubernetes definition file

CMD instruction in Dockerfile corresponds to args in Kubernetes definition file

253
Q

How do you set environment variables in a pod definition file?

Using environment section

Using env section

Using env_var section

Using variables section

A

Using env section

254
Q

Which of the following flags can be used to pass an environment variable while creating a pod with the docker run command?

docker run --environment APP_COLOR=pink simple-webapp-color

docker run --env APP_COLOR=pink simple-webapp-color

docker run -e APP_COLOR=pink simple-webapp-color

docker run -v APP_COLOR=pink simple-webapp-color

A

docker run --env APP_COLOR=pink simple-webapp-color

docker run -e APP_COLOR=pink simple-webapp-color

255
Q

What are the different ways of setting up environment variables in Kubernetes? Select all the answers that apply.

plain key-value pair

configmap

from disk

secrets

A

plain key-value pair

configmap

secrets

256
Q

Where is the env instruction set in a Kubernetes pod definition file?

spec.containers.env
spec.env
spec.template.spec.env
spec.template.env

A

spec.containers.env

257
Q

Which of the below are valid instructions to set environment variables in a Dockerfile?

ENVIRONMENT name=value

ENV name=value

ENV name value

VAR name value

A

ENV name=value

ENV name value

258
Q

What is the command to create config maps? Select all the answers that apply.

kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2

kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env

kubectl create configmap CONFIGMAP-NAME --file=/tmp/env

kubectl create configmap CONFIGMAP-NAME --literal=KEY1=VALUE1 KEY2=VALUE2

A

kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2

kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env

259
Q

What is the command to list configmaps? Select all the answers that apply.

kubectl get pods

kubectl get cm

kubectl get configmap

kubectl get maps

A

kubectl get cm

kubectl get configmap

260
Q

What is the command to display details of the ConfigMap?

kubectl get configmap CONFIGMAP-NAME

kubectl describe configmap CONFIGMAP-NAME

kubectl list configmap CONFIGMAP-NAME

kubectl get configmap CONFIGMAP-NAME --details

A

kubectl describe configmap CONFIGMAP-NAME

261
Q

You can pass in the --from-file argument multiple times to create a ConfigMap from multiple data sources.

True
False

A

True

262
Q

What is the flag that we can use to define a literal value from the command line?

--env

--from-literal

--literal

--text

A

--from-literal

263
Q

Which statements best describe configmaps?

ConfigMap is an API object mainly used to store confidential data in key-value pairs.

ConfigMap is an API object mainly used to store non-confidential data in key-value pairs.

Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume.

ConfigMap provides secrecy or encryption

A

ConfigMap is an API object mainly used to store non-confidential data in key-value pairs.

Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume.

264
Q

How do you inject configmap into a pod?

Using envFrom and configMapRef

Using env and configMapRef

Using envFrom and configMap

Using env and configMap

A

Using envFrom and configMapRef

265
Q

Where do you configure the configMapKeyRef in a pod to use environment variables defined in a ConfigMap?

spec.containers.env
spec.env.valueFrom
spec.containers.valueFrom
spec.containers.env.valueFrom

A

spec.containers.env.valueFrom

266
Q

What is the recommended approach to load a set of configurations into the pod in the form of a file to /var/configs?

Add a separate env parameter for each config and use a startup script to write to a file

Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs

Create a ConfigMap with the required configurations, configure it as an env variable in the pod definition file and use a startup script to write to a file

A

Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs

267
Q

What is the command to list the Kubernetes secrets?

kubectl list secrets

kubectl get secrets

kubectl secrets

kubectl secrets --list

A

kubectl get secrets

268
Q

What is the command to display details of the secret?

kubectl get secret SECRET-NAME

kubectl describe secret SECRET-NAME

kubectl list secret SECRET-NAME

kubectl get secret SECRET-NAME --details

A

kubectl describe secret SECRET-NAME

269
Q

What is the command to create a secret using the “kubectl create secret” command?

kubectl create secret test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'

kubectl create secret opaque test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'

kubectl create secret credentials test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'

kubectl create secret generic test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'

A

kubectl create secret generic test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'

270
Q

How do you configure all key-value pairs in a Secret as container environment variables?

env.secreRef

envFrom.secret

envFrom.secretRef

envFrom.secretRefKey

A

envFrom.secretRef

271
Q

Which statements best describe Kubernetes secrets?

Kubernetes secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys.

Storing confidential information in a Secret is safer.

Users can create Secrets and the system also creates some Secrets.

It is safe to check in secrets into source code repositories.

A

Kubernetes secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys.

Storing confidential information in a Secret is safer.

Users can create Secrets and the system also creates some Secrets.

272
Q

Secrets store sensitive information in an encrypted format.

True
False

A

False

273
Q

You can pass in the --from-file argument multiple times to create a secret from multiple data sources.

True
False

A

True

274
Q

What is the default Secret type if omitted from a Secret configuration file?

kubernetes.io/tls

kubernetes.io/ssh-auth

Opaque

kubernetes.io/dockercfg

A

Opaque

300
Q

Which statement best describes the readiness probe?

The kubelet uses readiness probes to know when a container is ready to start accepting traffic.

The kubelet uses readiness probes to know when to restart a container

The readiness probes run on the container during its entire lifecycle.

A

The kubelet uses readiness probes to know when a container is ready to start accepting traffic.

The readiness probes run on the container during its entire lifecycle.

301
Q

Readiness probes are configured similarly to liveness probes. The only difference is that you use the readinessProbe field instead of the livenessProbe field.

True
False

A

True

302
Q

What are the different types of probes?

Command

HTTP

TCP

CURL

A

Command

HTTP

TCP

303
Q

If a readiness probe starts to fail, Kubernetes stops sending traffic to the pod until it passes.

True
False

A

True

304
Q

The kubelet uses liveness probes to know when a container is ready to start accepting traffic.

True
False

A

False

305
Q

Which statement best describes the liveness probe?

The kubelet uses liveness probes to know when a container is ready to start accepting traffic.

The kubelet uses liveness probes to know when to restart a container

The liveness probes may be configured with an HTTP test to check if a container is live.

The liveness probe runs before the readiness probe is run on the container

A

The kubelet uses liveness probes to know when to restart a container

The liveness probes may be configured with an HTTP test to check if a container is live.

306
Q

Which of the following would be the result/state of a probe? Select all the right answers.

SUCCESS

FAILURE

UNKNOWN

PENDING

A

SUCCESS

FAILURE

UNKNOWN

307
Q

If a Container does not provide a liveness probe, the default state is Failure.

True
False

A

False

308
Q

If the liveness probe fails, the kubelet kills the container, and the container is subjected to its restart policy.

True
False

A

True

309
Q

Liveness probes let Kubernetes know if your app is alive or stuck/dead.

True
False

A

True

310
Q

The traffic from a web server fetching data from a database server may be categorized as

Ingress
Egress

A

Egress

311
Q

Which of the following solutions support network policies?

kube-router

Calico

Flannel

Weave-Net

A

kube-router

Calico

Weave-Net

312
Q

Which of the following statements best describes Kubernetes network policies?

If you want to control traffic flow at the IP address or port level, then you might consider using Kubernetes NetworkPolicies.

NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network

Network Policies are implemented by the network plugin

Pods become isolated by having a NetworkPolicy that selects them

A

If you want to control traffic flow at the IP address or port level, then you might consider using Kubernetes NetworkPolicies.

NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network

Network Policies are implemented by the network plugin

Pods become isolated by having a NetworkPolicy that selects them

313
Q

Kubernetes Network Policies can control traffic flow at the OSI layer 3 or 4.

True
False

A

True

314
Q

By default, pods are isolated; they block traffic from any source.

True
False

A

False

315
Q

What is the default traffic flow configuration between pods in a Kubernetes cluster?

All traffic is allowed between different pods in the cluster

All traffic is denied between different pods in the cluster

Traffic between different pods must be explicitly allowed using rules

A

All traffic is allowed between different pods in the cluster

316
Q

Which among the following statements are true without any change made to the default behaviour of network policies in the namespace?

As soon as a network policy is associated with a POD traffic between all PODs in the namespace is denied

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except allowed by the network policy

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are allowed except for the ones blocked by the network policy

A

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except allowed by the network policy

317
Q

Which statement best describes docker volume plugin?

Docker Engine volume plugins enable Engine deployments to be integrated with external storage systems such as Amazon EBS

The local volume plugin helps to create a volume on Docker host and store its data under the /var/lib/docker/volumes/ directory.

ZFS, BTRFS and Device Mapper are some of the supported volume drivers

Volume plugins should not write data to the /var/lib/docker/ directory, including /var/lib/docker/volumes.

A

Docker Engine volume plugins enable Engine deployments to be integrated with external storage systems such as Amazon EBS

The local volume plugin helps to create a volume on Docker host and store its data under the /var/lib/docker/volumes/ directory.

Volume plugins should not write data to the /var/lib/docker/ directory, including /var/lib/docker/volumes.

318
Q

Which of the following is the default volume driver plugin used in Kubernetes?

BlockBridge
local
DRBD
Flocker

A

local

319
Q

What are the types of volumes that Kubernetes supports?

hostPath
configMap
emptyDir
local

A

hostPath
configMap
emptyDir
local

320
Q

Which statements best describe emptyDir volume type?

An emptyDir volume is first created when a Pod is assigned to a node, and still exists after a pod termination.

An emptyDir volume is first created when a Pod is assigned to a node, and exists as long as that Pod is running on that node.

The emptyDir volume is initially empty

When a Pod is removed from a node for any reason, the data in the emptyDir is deleted permanently

A

An emptyDir volume is first created when a Pod is assigned to a node, and exists as long as that Pod is running on that node.

The emptyDir volume is initially empty

When a Pod is removed from a node for any reason, the data in the emptyDir is deleted permanently

321
Q

Which statements best describe hostPath volume type?

A hostPath volume mounts a file or directory from the host node’s file system into your Pod.

Running a container that needs access to Docker internals, use a hostPath of /var/lib/docker

You either need to run your process as root in a privileged Container or modify the file permissions on the host to be able to write to a hostPath

The hostPath volume type is initially empty

A

You either need to run your process as root in a privileged Container or modify the file permissions on the host to be able to write to a hostPath

322
Q

Which statements best describe Persistent Volume in Kubernetes?

A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class

It is a resource in the cluster just like a node is a cluster resource.

PVs are volume plugins like Volumes

PVs are not volume plugins

A

A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class

It is a resource in the cluster just like a node is a cluster resource.

PVs are volume plugins like Volumes

323
Q

A Persistent Volume is a cluster-wide pool of storage volumes.

True
False

A

True

324
Q

What is the command to list the persistent volumes?

kubectl list pv

kubectl get pv

kubectl get persistentvolume

kubectl list persistentvolume

A

kubectl get pv

kubectl get persistentvolume

325
Q

What is the command to delete the persistent volumes?

kubectl delete pv PV-NAME

kubectl del pv PV-NAME

kubectl rm pv PV-NAME

kubectl erase pv PV-NAME

A

kubectl delete pv PV-NAME

326
Q

What is the status of a volume after it is created but not yet bound to a claim?

Available

Bound

Released

Failed

A

Available

327
Q

What is the status of a volume when it is associated with a claim?

Available
Bound
Released
Failed

A

Bound

328
Q

What are the different access modes configurable on a persistent volume?

ReadOnlyMany

ReadWrite

ReadWriteMany

ReadOnly

ReadWriteOnce

A

ReadOnlyMany

ReadWriteMany

ReadWriteOnce

329
Q

Once the Persistent Volume Claim is created, you need to manually bind the persistent volumes to claim.

True
False

A

False

330
Q

Which statements best describe a PersistentVolumeClaim?

A PersistentVolumeClaim (PVC) is a request for storage by a user.

A PVC will be automatically bound to a PV on creation when a PV is available

Claims can request specific size and access modes

A PVC will not automatically be bound to a PV on creation of a PV

A

A PersistentVolumeClaim (PVC) is a request for storage by a user.

A PVC will be automatically bound to a PV on creation when a PV is available

Claims can request specific size and access modes

331
Q

A PV of 100 GB is in an available state. A PVC with a requirement of 50 GB storage is created. What would happen if there are no other PVs or PVCs created?

The PVC would bind to the PV with 100 GB

The PVC will be in a pending state as there is no PV with the same amount of storage

A

The PVC would bind to the PV with 100 GB

332
Q

What happens to the PV by default when the associated PVC is deleted?

The PV is deleted automatically.

The PV is left as is until it is manually deleted by an administrator

The data in the PV is scrubbed and the PV is made available for other PVCs

A

The PV is left as is until it is manually deleted by an administrator

333
Q

Which statement best describes a Kubernetes Storage Class?

A StorageClass provides a way for administrators to describe the “classes” of storage they offer

Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy.

Any user can set the name and other parameters of a class when first creating StorageClass objects

The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.

A

A StorageClass provides a way for administrators to describe the “classes” of storage they offer

Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy.

The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.

334
Q

What is the kubectl command to list the storage classes?

kubectl list sc
kubectl get sc
kubectl get storageclass
kubectl list storageclass

A

kubectl get sc

kubectl get storageclass

335
Q

What is the sequence of operations to be followed while configuring a storage class for an application?

Create a storage class with a provisioner, create a persistent volume with definition using the storage class, create a PVC and then use the PVC in the volumes section in the pod definition file

Create a storage class with a provisioner, create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file

Create a storage class, and use it directly in the volumes section in the pod definition file

A

Create a storage class with a provisioner, create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file

336
Q

A ReplicaSet is one of the Kubernetes controllers?

True
False

A

True

337
Q

What is a Label in Kubernetes?

A way to expose traffic

A type of Deployment

A way to group related things using key/value pairs

None of the above

A

A way to group related things using key/value pairs

338
Q

What is the command to delete a replication controller nginx?

kubectl get rc nginx

kubectl remove rc nginx

kubectl rm rc nginx

kubectl delete rc nginx

A

kubectl delete rc nginx

339
Q

What is the flag that you use along with the kubectl create command to deploy multiple instances of an application in Kubernetes?

  • --image
  • --label
  • --replicas
  • --scale
A

--replicas

340
Q

Where do you configure the selector labels in the deployment YAML file?

metadata.selector
spec.selector
spec.template.selector
spec.template.metadata.selector

A

spec.selector

341
Q

How do you add labels to a pod in a pod definition YAML file?

labels

spec.labels
spec.containers.labels
metadata.labels

A

metadata.labels

342
Q

What are the 4 top level fields of a Kubernetes definition file for ConfigMap?

apiVersion

templates

metadata

data

kind

spec

containers

A

apiVersion

metadata

data

kind

343
Q

What is the command to delete the pod busybox?

kubectl pod delete busybox

kubectl delete busybox

kubectl delete pod/busybox

kubectl pod busybox --delete

A

kubectl delete pod/busybox

344
Q

What is the command to deploy a pod with the name jenkins and image jenkins?

kubectl deploy jenkins --image jenkins

kubectl run jenkins --image jenkins

kubectl start -it jenkins sh

kubelet run jenkins --image jenkins

A

kubectl run jenkins --image jenkins

345
Q

Which of the following are the container runtimes that Kubernetes supports?

Docker

Containerd

CRI-O

LXC

A

Docker

Containerd

CRI-O

346
Q

What is a component of the Kubernetes control plane that allows external users or services to manage the Kubernetes cluster?

Kubernetes Scheduler

ETCDCTL

Kube API Server

Kube Proxy

A

Kube API Server

347
Q

Which of the following are components deployed only on a Master Node in a Kubernetes cluster?

Kube Scheduler

Kube Controller Manager

Kube Api-server

Kubelet

Kube-Proxy

A

Kube Scheduler

Kube Controller Manager

Kube Api-server

348
Q

ETCD by default listens on port 2780.

True
False

A

False

349
Q

Which statement best describes the Worker Node component?

kubelet and container runtime are the worker node components

kube-proxy is one of the worker node components

kube-scheduler is one of the worker node components

All of the above

A

kubelet and container runtime are the worker node components

kube-proxy is one of the worker node components

350
Q

Which of the below are the container orchestration tools?

Kubernetes

Docker Swarm

Google Compute Engine

Apache Mesos

ETCD

A

Kubernetes

Docker Swarm

Apache Mesos

351
Q

What is the command to list all the pods that are in a netpol namespace? Select all the answers that apply.

kubectl list pods -n netpol

kubectl get pods

kubectl list pods -n netpol

kubectl get pods -n netpol

A

kubectl get pods -n netpol

352
Q

Which statement best describes deployment in Kubernetes? Select all the answers that apply.

Deployments create PODs and not ReplicaSets.

Deployments create ReplicaSets that create PODs.

Deployments support rolling updates and roll backs of applications.

Deployments support rolling updates but not roll backs.

A

Deployments create ReplicaSets that create PODs.

Deployments support rolling updates and roll backs of applications.

353
Q

Where do you configure the pod images in the deployment YAML file?

metadata.image
spec.containers.image
spec.template.spec.containers.image
spec.template.containers.image

A

spec.template.spec.containers.image

354
Q

What kubectl command can be used to perform a Deployment update?

kubectl set image

kubectl rollout update

kubectl rolling-update

kubectl update

A

kubectl set image

355
Q

Which of the following are the deployment strategy types in Kubernetes?

RollingUpdate

BlueGreen

Canary

Recreate

A

RollingUpdate

Recreate

356
Q

Each container inside a POD does not get its own IP address assigned. All containers inside a POD share a single IP address.

True

False

A

True

357
Q

Which among the following statements are true without any change made to the default behaviour of network policies in the namespace?

As soon as a network policy is associated with a POD traffic between all PODs in the namespace is denied

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except those allowed by the network policy

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are allowed except for the ones blocked by the network policy

A

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except those allowed by the network policy

358
Q

Which of the following statements are correct about ClusterIP?

ClusterIP exposes a service on the same port as that of the exposed port on containers in the PODs.
ClusterIP exposes a service internally within the hosts only.
ClusterIP exposes a service to make it externally accessible on a port on the nodes.
None of the Above

A

ClusterIP exposes a service internally within the hosts only.

359
Q

The command and arguments that you define in the Kubernetes definition file override the default command and arguments configured in the container image.

True
False

A

True

360
Q

How do you set environment variables in a pod definition file?

Using environment section

Using env section

Using env_var section

Using variables section

A

Using the env section

361
Q

Which command is used to make some changes into the already existing PersistentVolumeClaim mysql-pvc?

kubectl describe pvc mysql-pvc

kubectl get pvc mysql-pvc

kubectl pvc edit mysql-pvc

kubectl edit persistentvolumeclaim mysql-pvc

A

kubectl edit persistentvolumeclaim mysql-pvc

362
Q

What is the command to display details of the secret user-list?

kubectl get secret user-list

kubectl describe secret user-list

kubectl list secret user-list

kubectl get secret user-list --details

A

kubectl describe secret user-list

363
Q

What is the command to list configmaps? Select all the answers that apply.

kubectl get pods

kubectl get cm

kubectl get configmap

kubectl get maps

A

kubectl get cm

kubectl get configmap

364
Q

You can pass in the --from-file argument multiple times to create a ConfigMap from multiple data sources.

True

False

A

True

365
Q

Which statement best describes the readiness probe?

The kubelet uses readiness probes to know when a container is ready to start accepting traffic.

The kubelet uses readiness probes to know when to restart a container

The Readiness probes run on the container during its whole lifecycle.

All of the above

A

The kubelet uses readiness probes to know when a container is ready to start accepting traffic.

The Readiness probes run on the container during its whole lifecycle.

366
Q

The kubelet uses liveness probes to know when a container is ready to start accepting traffic.

True
False

A

False

367
Q

Liveness probes let Kubernetes know if your app is alive or stuck/dead.

True
False

A

True

368
Q

Which of the following statements best describes Kubernetes network policies?

Consider using Kubernetes NetworkPolicies if you want to control traffic flow at the IP address or port level.

NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network

Network Policies are implemented by the Kubernetes NetworkPolicy Controller

All of the above

A

Consider using Kubernetes NetworkPolicies if you want to control traffic flow at the IP address or port level.

NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network

369
Q

Which service type is used to expose applications outside the Kubernetes cluster?

NodePort

ClusterIP

ExternalName

ElasticLoadBalancer

A

NodePort

370
Q

If .spec.strategy.type is set to RollingUpdate, then all new PODs are created first and then all existing pods are killed at once.

True
False

A

False

371
Q

Which kubectl command is used to display more details of the storage classes?

kubectl list sc

kubectl info sc

kubectl describe storageclass

kubectl list storageclass

A

kubectl describe storageclass

372
Q

Which of the following is not backed up when performing a Docker Trusted Registry (DTR) metadata backup?

  • Repository metadata
  • DTR configurations
  • Docker images
  • Role-based access control (RBAC) settings
A

Docker images

A DTR metadata backup does not include the images themselves.

373
Q

Which of the following commands will ensure that a container uses a maximum of 1 GB of active memory?

docker run --memory-swap 2G nginx

docker run --memory 1G nginx

docker run --memory-reservation 1G nginx

docker run --memory-swap 2G --memory-reservation 1G nginx

A

docker run --memory 1G nginx

374
Q

We have set a value for “log-level” in /etc/docker/daemon.json. How would we set up the same value by passing a flag to dockerd instead?

Pass the --debug flag to dockerd.

Pass the --log flag to dockerd.

Pass the --log-level flag to dockerd.

Pass the --logging flag to dockerd.

A

Pass the --log-level flag to dockerd

The dockerd flags share the same names as the values set in /etc/docker/daemon.json

375
Q

Dave needs Docker to use a custom stop signal for halting his software. How can he build an image that will instruct Docker on which stop signal to use?

  • Dave should use the STOPSIGNAL directive
  • Dave should locate the process and kill it manually
  • Dave should use the STOP directive
  • Dave should use the docker stop command.
A
  • Dave should use the STOPSIGNAL directive

The STOPSIGNAL directive instructs Docker on which stop signal to use for halting a container process.

376
Q

How is the ADD directive different from COPY? (Choose two)

  • The ADD directive can extract an archive into the image.
  • The ADD directive can pull a file from an external URL.
  • The ADD directive can transfer a specific file between build stages.
  • The ADD directive can transfer files over to a specific location inside the image
A
  • The ADD directive can extract an archive into the image.

“The ADD directive can extract archives while the COPY command cannot”

  • The ADD directive can pull a file from an external URL.

“The ADD directive can pull from a URL while COPY cannot”

377
Q

What does the HEALTHCHECK directive do?

It sets a command that will be used by the Docker daemon to determine whether the container is healthy.

It sets a command that will be used to fix the container if it becomes unhealthy.

It restarts the container if it becomes unhealthy.

It sets a command that will be used to inform the container of the health status of the docker daemon.

A
  • It sets a command that will be used by the Docker daemon to determine whether the container is healthy.

“The HEALTHCHECK directive sets a command that is used to determine container health.”

378
Q

How would we go about keeping track of changes made to an image in source control (i.e., git)?

We would use Docker Trusted Registry (DTR) to handle this.

We would push the image layers to a source control repository.

Maintain tags for each new version within the Docker registry.

We would store the Dockerfile in source control.

A
  • We would store the Dockerfile in source control.

“We can keep the Dockerfile in source control to track any changes made to the Dockerfile.”

379
Q

What would be the runtime working directory of a container built from the following Dockerfile?

FROM alpine

WORKDIR /x
WORKDIR /y
WORKDIR z

CMD pwd

  • /z
  • /
  • /x

/y/z

A

/y/z

This would be the runtime working directory because WORKDIR /y sets up an absolute directory, and then WORKDIR z sets the directory relative to /y.

380
Q

How can we flatten an existing multi-layered image into a single layer?

We can use a multi-stage build.

We can use the --flatten flag with the docker build command.

We would not include any RUN directives in our Dockerfile.

We can run a container from the image, export it, and then import it as a new image.

A
  • We can run a container from the image, export it, and then import it as a new image.

“This procedure will flatten an image into a single layer.”

381
Q

A Kubernetes ClusterIP service called user-db exists in the auth-gateway namespace. The user-db Service’s cluster IP is 10.23.254.63. Which of the following addresses could be used to communicate with this service from a pod located in the default namespace?

10-23-254-63.auth-gateway.pod.cluster.local

10.23.254.63

The Service’s cluster IP address can be used to communicate with the Service from anywhere within the cluster.

user-db

The shortened domain name can only be used to reach the Service from within the same Namespace.

user-db.auth-gateway.svc.cluster.local

The Service’s fully-qualified domain name can be used to locate the Service, even from another Namespace.

A
  • 10.23.254.63

“The Service’s cluster IP address can be used to communicate with the Service from anywhere within the cluster.”

  • user-db.auth-gateway.svc.cluster.local

“The Service’s fully-qualified domain name can be used to locate the Service, even from another Namespace.”

382
Q

Daniel has some nodes with labels that specify the availability zone of each node. He wants to run a service whose tasks can run on any node that does not have the label availability_zone=east. Which command should he use?

docker service create --placement-pref node.labels.availability_zone==west nginx

docker service create --constraint node.labels.availability_zone!=east nginx

docker service create --label node.labels.availability_zone!=east nginx

docker service create --constraint node.labels.availability_zone==west nginx

A

docker service create --constraint node.labels.availability_zone!=east nginx

“This command will prevent the service’s tasks from running on nodes with the availability_zone==east label.”

383
Q

What command would we use to locate the layered file system data for an image on a machine?

docker image layers

docker image inspect

docker layer inspect

docker pull history

A

docker image inspect

The docker image inspect command will return the image metadata, including the location of the layered file system data.

384
Q

How can we use multi-stage builds to generate small, efficient Docker images?

We can leverage the implementation of multi-stage builds, which will shorten the build processing times.

We can copy only specific files from previous stages so that we can keep the image as small as possible.

We can build the image, and then run diagnostics on it in a separate stage to make it more efficient.

We can use separate build stages to delete files from the image.

A
  • We can copy only specific files from previous stages so that we can keep the image as small as possible.

“This is the primary use case for multi-stage builds.”

385
Q

What is the primary purpose of a Docker registry?

It stores and organizes Dockerfiles.

It builds images.

It provides a central location for storing and distributing images.

Scan images for vulnerabilities.

A
  • It provides a central location for storing and distributing images.

“This is what a Docker registry does.”

386
Q

What tool should we use if we need to manage a multi-container application as a unit on a single Docker host?

We should use Docker Compose.

We should use Docker Swarm.

We should use a Docker stack.

We should execute docker-run.

A
  • We should use Docker Compose.

“Docker Compose allows us to manage complex, multi-container applications on a single host.”

387
Q

Eric has an application that consists of multiple different containers that interact with one another. What should he use to manage this application in a Docker Swarm?

Eric should use docker-compose.

Eric should use a service with multiple tasks.

Eric should use a task.

Eric should use a stack.

A
  • Eric should use a stack.

“Docker stacks are designed for managing multi-container applications in a swarm.”

388
Q

Which of the following scenarios would still allow quorum to be maintained in a swarm cluster? (Choose two)

A 3-node cluster with 2 nodes down.

A 3-node cluster with 1 node down.

A 7-node cluster with 3 nodes down.

A 4-node cluster with 2 nodes down.

A
  • A 3-node cluster with 1 node down.

“More than half of the nodes are still up, so the quorum is maintained in this scenario.”

  • A 7-node cluster with 3 nodes down.

“More than half of the nodes are still up, so the quorum is maintained in this scenario.”

389
Q

What flag should we use with docker service create to specify a custom volume driver when creating a volume alongside a service?

--driver

--volume-driver

--mount volume-driver=

--volumedriver

A

--mount volume-driver=

“This will create the volume with the specified driver.”

390
Q

Which of the following is true of filesystem storage models? (Choose two)

They are efficient with write-heavy workloads.

They store data in regular files on the host machine.

They are used by overlay2 and aufs.

They use an external, object-based store.

A
  • They store data in regular files on the host machine.

“Filesystem storage models simulate a file system and store the data in regular files onto the host machine.”

  • They are used by overlay2 and aufs.

“The overlay2 and aufs storage drivers both use filesystem storage models.”

391
Q

Which of the following statements about the overlay network driver is accurate?

Networking components are created on nodes dynamically when tasks get scheduled on the node.

The network must be set up manually on each node.

The network is set up on every node in the cluster as soon as the network is created.

The overlay driver only allows communication between containers running on the same host.

A
  • Networking components are created on nodes dynamically when tasks get scheduled on the node.

“The overlay network driver dynamically creates networking components on the node when a relevant task gets scheduled on that node.”

392
Q

Which of the following commands will attach the tasks of a new service to an existing overlay network called my-overlay?

docker service create --network-driver overlay nginx

docker service create --n my-overlay nginx

docker service create --network my-overlay nginx

docker service create --attach my-overlay nginx

A
  • docker service create --network my-overlay nginx

“This command will attach the service’s tasks to a specified network.”

393
Q

Which of the following commands will create a new bridge network?

docker network create --network-driver bridge my-network

docker network create --driver overlay my-network

docker network create --network bridge my-network

docker network create my-network

A
  • docker network create my-network

“Since the bridge is the default, a new bridge network will be created even when --driver is not specified.”

394
Q

What Linux feature does Docker use to allow containers to listen on ports lower than 1024 without running as root on the host?

Capabilities

Namespaces

Linux jails

Control Groups

A
  • Capabilities

“Capabilities are used by Docker to provide granular permissions to container processes, such as listening on low ports without the need for root access.”

395
Q

Which of the following is not a namespace used by Docker?

pid

uts

net

mem

A
  • mem

“This is not a namespace used by Docker.”

396
Q

How can we provide custom certificates to the Universal Control Plane (UCP) and Docker Trusted Registry (DTR)?

We can push new certificates via the UCP web API.

We must supply the certificates during the UCP and DTR installation process.

docker ucp config --cert

We can upload certificates via the UCP and DTR web UIs.

A
  • We can upload certificates via the UCP and DTR web UIs.

“We can upload certificates in the administrative settings section for both UCP and DTR.”

397
Q

Which command allows us to create an encrypted overlay network?

docker network create --opt encrypted my-net

docker network create --encrypted --driver overlay my-net

docker network create --secure --driver overlay my-net

docker network create --opt encrypted --driver overlay my-net

A
  • docker network create --opt encrypted --driver overlay my-net

“This command will create an encrypted overlay network.”

398
Q

What is the name of the Docker feature that enables us to sign images and verify image signatures before running them?

Docker Image Trust

Docker registry

Docker Content Trust

Docker Trusted Registry

A
  • Docker Content Trust

“Docker Content Trust allows us to sign images and verify signatures before running them.”

399
Q

We have a group of people who need similar permissions in Universal Control Plane (UCP). How can we manage their permissions as a group without having to assign individual permissions to each user manually?

Add grants to one user to give them the permissions they need, and then copy that user’s permissions to the other users.

Create a role with several permissions assigned, and then assign each user to that shared role.

Assign the users to a team, and then assign grants to the entire team, giving them the permissions they need.

Create a GrantBundle and assign it to each user.

A
  • Assign the users to a team, and then assign grants to the entire team, giving them the permissions they need.

“UCP uses teams to manage users who all need the same set of permissions.”

400
Q

Dylan is getting ready to run a container. He needs this container to auto-restart whenever its process exits, but he doesn’t want it to restart if the container had been manually stopped earlier. Which restart policy should he use?

unless-stopped

on-failure

always

manual-control

A
  • unless-stopped

“This restart policy will always restart the container unless it was stopped explicitly.”

401
Q

What procedure should we follow to upgrade the Docker engine on an Ubuntu server?

Install newer versions of the docker-ce and docker-ce-cli packages.

Stop Docker, remove the packages, and then reinstall the packages with a newer version.

Remove all containers, stop Docker, and then install the newer version.

Stop Docker, then install the packages with the newer version.

A
  • Install newer versions of the docker-ce and docker-ce-cli packages.

“We must install newer versions of the packages in order to upgrade Docker.”

402
Q

What Linux feature does Docker use in order to limit memory usage for containers?

Capabilities

The mem namespace.

Control groups (cgroups)

Namespaces

A
  • Control groups (cgroups)

“Docker uses cgroups to limit memory usage for containers.”

403
Q

Which of the following is true about the creation of private Docker registries?

We cannot secure a private registry in Docker Community Edition (CE).

We can create our own registry by running a container with the registry image.

We need Docker Trusted Registry (DTR) present if we want to generate a private registry.

We need a Docker EE license to have our own private registry created.

A
  • We can create our own registry by running a container with the registry image.

“Running this image will create a private Docker registry.”

404
Q

What does the CMD directive do?

It runs a command on the host when the container starts.

It sets the default command for the image that runs if no other command is specified.

It runs a command within the image and commits it to the result.

It executes a command during the build process.

A
  • It sets the default command for the image that runs if no other command is specified.

“The CMD directive sets the default command.”

405
Q

What type of data exists in the writable file system layer created by a container?

The data would consist of only container logs.

It would be only the data from the base image.

The data would consist of only changes from the previous layer that were made by the container.

A snapshot of all of the data in its current state would reside in the layer.

A
  • The data would consist of only changes from the previous layer that were made by the container.

“Each file system layer contains only the changes made from the previous layer.”

406
Q

Which of the following commands can we use to view detailed metadata about a container? (Choose two)

docker query

docker metadata

docker inspect

docker container inspect

A
  • docker inspect

“This command will allow us to query metadata about any Docker object.”

  • docker container inspect

“This command will allow us to find metadata about any container.”

407
Q

What command would we use to list the services that are part of a stack called web-store?

docker service ls web-store

docker stack services web-store

docker stack ps web-store

docker service ls

A
  • docker stack services web-store

“This command will list the services that are part of the stack.”

408
Q

We have some containerized software that needs to have a reference to the hostname of the node that the software is running on. Which of the following commands will let us pass the node hostname as an environment variable into each task in a service?

docker service create --pass-node-hostname=true nginx

docker service create --env NODE_HOSTNAME="{{Hostname}}" nginx

docker service create --env NODE_HOSTNAME="{{.Node.Hostname}}" nginx

docker service create -e NODE_HOSTNAME nginx

A
  • docker service create --env NODE_HOSTNAME="{{.Node.Hostname}}" nginx

“This command will create an environment variable in each task that contains the node hostname.”

409
Q

What command should we use if we want to view logs for all of the tasks in a service called my-service?

docker container logs my-service

docker task logs my-service

docker logs my-service

docker service logs my-service

A
  • docker service logs my-service

“This command will retrieve logs for all of the tasks in the service.”

410
Q

How would we rotate a docker swarm unlock-key and ensure that all nodes receive the new key?

We would run the docker swarm unlock-key --rotate command on one manager node.

We would generate a new key and save it in a file located at /etc/docker/swarm/unlock.key.

We can use the docker swarm unlock command.

We would run the docker swarm unlock-key --rotate command on all manager nodes.

A
  • We would run the docker swarm unlock-key --rotate command on one manager node.

“This command will automatically rotate the key and handle all orchestration between nodes.”

411
Q

Which of the following configurations would be best for enabling direct-lvm mode with devicemapper?

Set dm.directlvm_device in /etc/docker/daemon.json.

Set dm.mode=direct-lvm in /etc/docker/daemon.json.

Set dm.direct-lvm=true in /etc/docker/daemon.json.

Set dm.loop-lvm=false in /etc/docker/daemon.json.

A
  • Set dm.directlvm_device in /etc/docker/daemon.json.

“We can enable direct-lvm by setting this value in daemon.json to a block storage device.”

412
Q

Anastasia has created a container with a volume called shared-data. She wants to create a new container that can access the same data as the first container, but she wants this new container only to be able to read the data, not modify it. How can she accomplish this?

This task is not possible for Anastasia to complete because we cannot mount the same volume to two containers.

Anastasia can use docker run --name new-container -v shared-data:/tmp:ro nginx.

Anastasia can create a bind mount for the new container that points to the physical location of the shared volume on the host.

Anastasia can use docker run --name new-container -v shared-data:/tmp nginx.

A
  • Anastasia can use:
    docker run --name new-container -v shared-data:/tmp:ro nginx

“This command will mount the shared volume to the new container in read-only mode.”

413
Q

What volume driver allows you to create and access external storage that can be shared across a Docker Swarm cluster using SSH?

overlay2

overlay

devicemapper

vieux/sshfs

A

vieux/sshfs

“This is a custom driver that uses SSH to access remote storage from any node in the cluster.”

414
Q

Which of the following statements about Docker image vulnerability scanning is accurate?

Docker Enterprise Edition (EE) will prevent you from running images that contain vulnerabilities.

We need a Docker Enterprise Edition (EE) license to scan images within our registry.

Docker Trusted Registry (DTR) will scan all images by default.

Image vulnerability scanning inspects images before they’re running on a host.

A
  • We need a Docker Enterprise Edition (EE) license to scan images within our registry.

“We need Docker Trusted Registry to scan images within our registry, which requires Docker EE.”

415
Q

How can you enable Docker Content Trust (DCT) in Docker Community Edition (CE)?

Set the CONTENT_TRUST environment variable to 1.

Pass the --content-trust flag to dockerd.

Set "content-trust": true in /etc/docker/daemon.json.

Set the DOCKER_CONTENT_TRUST environment variable to 1.

A
  • Set the DOCKER_CONTENT_TRUST environment variable to 1.

“Setting this environment variable to 1 will enable DCT.”

416
Q

Which of the following is a secure method for allowing a Docker client to authenticate with a registry that uses a self-signed certificate?

docker login --trust-ca

docker login --accept-cert

We add the registry to the insecure-registries list in /etc/docker/daemon.json.

We add the self-signed certificate as a trusted registry certificate under /etc/docker/certs.d/.

A
  • We add the self-signed certificate as a trusted registry certificate under /etc/docker/certs.d/.

“Utilizing /etc/docker/certs.d/ is the secure way to authenticate with a registry that uses a self-signed certificate.”

417
Q

Which of the following is the correct docker image address to be used to access an image named payapp hosted under the organization payroll at a private registry registry.company.io?

A

registry.company.io/payroll/payapp

418
Q

What will happen if the --memory-swap is set to 0?

A

the setting is ignored, and the value is treated as unset

419
Q

Which of the following modes is used to configure the device-mapper storage driver?

A

loop-lvm

direct-lvm

420
Q

Which statements best describe a PersistentVolumeClaim?

A

A PersistentVolumeClaim (PVC) is a request for storage by a user.

A PVC will be automatically bound to a PV on creation when a PV is available

Claims can request specific size and access modes

421
Q

Where do you configure the configMapKeyRef in a pod to use environment variables defined in a ConfigMap?

A

spec.containers.env.valueFrom

422
Q

Run a webapp container, and make sure that no logs are configured for this container

A

docker run -it --log-driver none webapp

423
Q

What is the command to rebalance the docker swarm cluster workloads?

A

docker service update --force

424
Q

Which statements best describe Persistent Volume in kubernetes?

A

A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class

It is a resource in the cluster just like a node is a cluster resource.

425
Q

Which option is used to change the default storage driver to use devicemapper?

A

{"storage-driver": "devicemapper"}

426
Q

Which of the below can help minimize the image size?

A

Only install necessary packages within the image

Combine multiple dependent instructions into a single instruction and cleanup temporary files

Use multi-stage builds

427
Q

Which command is used to delete the stopped containers?

A

docker container prune

docker container rm $(docker container ls -aq)

428
Q

A government facility runs a secure data center with no internet connectivity. A new application requires access to docker images hosted on docker hub. What is the best approach to solve this?

A

Pull docker images from a host with access to docker hub, convert to a tarball using the docker image save command, and copy to the restricted environment and extract the tarball

429
Q

Which of the below commands may be used to change the default logging driver to splunk?

A

echo '{"log-driver": "splunk"}' > /etc/docker/daemon.json

430
Q

Which command can be used to enable the debugging mode on the Docker Host?

A

echo '{"debug": true}' > /etc/docker/daemon.json

431
Q

Which command can be used to start the docker engine enterprise service on a systemctl configured system?

A

sudo systemctl start docker

432
Q

What is a Linux feature that prevents a process within the container from performing filesystem related operations such as altering attributes of certain files?

A

Kernel Capabilities

433
Q

Which command can be used to list the tasks in a stack named webapp?

A

docker stack ps webapp

434
Q

Which formula can be used to calculate the Quorum of N nodes?

A

N/2 + 1

435
Q

Which of the following is the correct format for the CMD instruction?

A

CMD ["executable","param1","param2"]

CMD ["param1","param2"]

CMD command param1 param2

436
Q

How would we go about backing up images in the Docker Trusted Registry (DTR)?

Back up everything in /var/lib/docker/volumes.

Run a docker pull on all of the images to transfer them to another host.

Execute a container using the dtr image with the backup-images command.

Create a backup of everything in the DTR image storage volume.

A

Create a backup of everything in the DTR image storage volume.

“To back up images, back up the contents of the volume DTR used to store images.”

/var/lib/docker/volumes//_data.

Volume Names: https://docs.mirantis.com/msr/2.8/ref-arch/volumes.html

dtr-ca-

Root key material for the MSR root CA that issues certificates

dtr-notary-

Certificate and keys for the Notary components

dtr-postgres-

Vulnerability scans data

dtr-registry-

Docker images data, if MSR is configured to store images on the local filesystem

dtr-rethink-

Repository metadata

dtr-nfs-registry-

437
Q

How should we give a user permission to interact with the Docker daemon on a machine without giving them unnecessary additional access?

Give the user the root user credentials so they can run docker commands as root.

Add the user to the docker group.

Give the user the ability to run docker commands with sudo.

Have them log in as the docker user.

A
  • Add the user to the docker group.

“Docker provides the docker group for the purpose of giving users permission to solely access Docker.”

438
Q

Which of the following is not backed up when performing a Docker Trusted Registry (DTR) metadata backup?

Role-based access control (RBAC) settings.

DTR Configurations

Repository metadata.

Docker images.

A
  • Docker images.

“A DTR metadata backup does not include the images themselves.”

439
Q

Which of the following best describes the procedure for backing up Docker Trusted Registry (DTR) metadata?

Run a container from the dtr image with the backup command.

Create an archive for all of the data under the /var/data/dtr directory.

Run a container from the dtr image with the destroy command.

A
  • Run a container from the dtr image with the backup command.

“This is the basic procedure for backing up DTR.”

440
Q

What does the EXPOSE directive do?

It makes a container’s port accessible externally.

It automatically publishes ports when running a container.

It causes the container to listen on a port.

It documents ports intended for publishing at the time of running a container.

A
  • It documents ports intended for publishing at the time of running a container.

“The EXPOSE directive documents the ports that should be published when running a container from the image.”

441
Q

Amanda is having some network issues and needs to do some troubleshooting. How can she inject a nicolaka/netshoot container into the sandbox of an existing container called nginx-container?

Amanda can use docker run --inject-container nginx-container nicolaka/netshoot.

Amanda can use docker run --network nginx-container nicolaka/netshoot.

Amanda can use docker run --network container:nginx-container nicolaka/netshoot.

Amanda can use docker run --network-debug nginx-container nicolaka/netshoot.

A

Amanda can use:

docker run --network container:nginx-container nicolaka/netshoot.

“This command will inject the netshoot container into the sandbox of the existing container.”

442
Q

Which of the following network drivers is the default for connecting containers on the same host?

overlay

macvlan

host

bridge

A
  • bridge

“The bridge network driver is the default and is used to connect containers on the same host.”

443
Q

Given Docker’s architecture and built-in security features, which of the following security scenarios should we be concerned about the most?

If an attacker gains access to the Docker daemon, they could use it to execute commands as root on the host.

An attacker may intercept swarm-level traffic between swarm nodes and obtain sensitive information from the data.

If an attacker gains control of a container, they could use it to affect other containers on the same host directly.

An attacker could set up a false machine under their control and join it to the swarm cluster to steal sensitive data, causing containers with sensitive data to execute on a fake device.

A
  • If an attacker gains access to the Docker daemon, they could use it to execute commands as root on the host.

“The Docker daemon must run as root, so it is essential to ensure that it’s being protected and has limited access to it.”

444
Q

Which of the statements best describe “Grants” in the Access Control Model?

A

Grants are effectively Access Control Lists (ACLs) that provide comprehensive access policies for an entire organization when grouped together.

Grants define which users can access what resources in what way.

  • A grant is made up of
    a subject
    a role
    a resource set
445
Q

What is the type and the name of the network created for the DTR services to communicate with each other?

A

overlay/dtr-ol

446
Q

Amanda wants to execute a one-time job using a Docker container. However, occasionally, this job fails and needs to restart. Amanda doesn’t want to restart it manually if it fails. Which command should she use to make sure that the container executes the one-time job successfully?

docker run --restart unless-stopped cleanup-job

docker run --recover-failure cleanup-job

docker run --restart failure-only cleanup-job

docker run --restart on-failure cleanup-job

A

docker run --restart on-failure cleanup-job

“This restart policy will only restart the container if it exits with a non-zero exit code.”

447
Q

Bob has set up a new Docker server. The overlay2 driver is the default for the server, but he wants to use devicemapper instead. Which of the following are ways to implement this change?

Add the --storage-driver flag to the dockerd call in Docker’s unit file.

Reformat the storage disk.

Use a different Docker version.

Set storage-driver to devicemapper in /etc/docker/daemon.json.

A
  • Add the --storage-driver flag to the dockerd call in Docker’s unit file.

“We can set the storage driver by passing the --storage-driver flag to dockerd.”

  • Set storage-driver to devicemapper in /etc/docker/daemon.json.

“We can set the storage driver in /etc/docker/daemon.json.”

448
Q

Which of the following statements does not apply to the WORKDIR directive?

It can use both absolute and relative paths.

It affects only the build and does not impact containers that run from the image.

It sets the working directory for the container at runtime.

It sets the working directory for subsequent build steps.

A
  • It affects only the build and does not impact containers that run from the image.

“The WORKDIR directive affects the containers by setting the working directory at the container runtime.”

449
Q

Which flag allows us to return specific fields with docker inspect?

--format

--pretty

--field-limit

--filter

A

--format

“The --format flag allows us to supply a Go template so that we can return specific data fields that are in a particular format.”

450
Q

How would we back up the metadata for Docker Swarm?

We can run the swarm image with the backup command.

We can back up the contents of /etc/docker/swarm.

We can back up the contents of /usr/local/swarm.

While the Docker daemon stops, we can back up the contents of /var/lib/docker/swarm on a Swarm manager.

A

While the Docker daemon stops, we can back up the contents of /var/lib/docker/swarm on a Swarm manager.

“We can back up Docker Swarm metadata by backing up the contents of this directory.”

451
Q

Which of the following tasks can we perform to set a custom DNS server for a container?

We can use the --dns flag with docker run.

We can set "dns" in /etc/docker/daemon.json.

We can use the --nameserver flag with docker run.

We can use the --dns-override flag with docker run.

A

We can use the --dns flag with docker run.

“This method would allow us to set a custom DNS server for the container.”