DCA-2 Flashcards
What environment variables must be set to allow client to communicate with UCP via CLI?
DOCKER
DOCKER_HOST
DOCKER_CERT_PATH
DOCKER_PATH
DOCKER_HOST
DOCKER_CERT_PATH
What is the command-line interface used to interact with UCP from a shell?
docker-ucp
docker
docker-ee
docker-ucp-cli
docker
Universal Control Plane (UCP) lets you authorize users to view, edit, and use cluster resources by granting role-based permissions against resource sets.
True
False
True
To authorize access to cluster resources across your organization, which of the following high-level steps must UCP administrators take?
Configure subjects (users, teams, and service accounts).
Define custom roles (or use defaults) by adding permitted operations per type of resource.
Configure resource sets of Swarm collections or Kubernetes namespaces.
Create grants by combining subject + role + resource set
Configure subjects (users, teams, and service accounts).
Define custom roles (or use defaults) by adding permitted operations per type of resource.
Configure resource sets of Swarm collections or Kubernetes namespaces.
Create grants by combining subject + role + resource set
Which of the statements best describes “Subjects” in the Access Control Model?
A subject represents a user, team, organization
A subject does not represent a service account.
A subject can be granted a role that defines permitted operations against one or more resource sets.
A subject represents a service account.
A subject represents a user, team, organization
A subject can be granted a role that defines permitted operations against one or more resource sets.
A subject represents a service account.
A group of teams that share a specific set of permissions forms a collection.
True
False
False
Which of the statements best describe “Roles” in the Access Control Model?
Roles define what operations are allowed on a resource.
A role is a set of permitted operations against a type of resource, like a container or volume, which can only be assigned to individual users.
Most organizations use multiple roles to fine-tune appropriate access to users and teams.
All of the above
Roles define what operations are allowed on a resource.
Most organizations use multiple roles to fine-tune appropriate access to users and teams.
Which of the statements best describe “Resource sets” in the Access Control Model?
A collection of resources in Docker Swarm
A collection in Kubernetes
A namespace in Kubernetes
A namespace in Docker Swarm
A collection of resources in Docker Swarm
A namespace in Kubernetes
Which of the statements best describe “Grants” in the Access Control Model?
Grants define which users can access what resources in what way.
A grant is made up of a role and a resource set.
A grant is made up of a subject, a role, and a resource set.
Grants are effectively Access Control Lists (ACLs) which provide comprehensive access policies for an entire organization when grouped together.
Grants define which users can access what resources in what way.
A grant is made up of a subject, a role, and a resource set.
Grants are effectively Access Control Lists (ACLs) which provide comprehensive access policies for an entire organization when grouped together.
Only an administrator can manage grants, subjects, roles, and access to resources.
True
False
True
Docker Enterprise Edition provides …, wherein we can create users, group them into teams (which are simply groups of users), and tie them to an organization.
DTR
UCP
UCP Agent
RBAC
RBAC
Which of the following is a common workflow for RBAC in Docker EE?
Create users, teams, and organization
Create custom roles with a set of permissions
Combine resources sets using a collection
Create users, teams, and organization
Create custom roles with a set of permissions
Combine resources sets using a collection
The … allows you to authorize a remote Docker engine to a specific user account managed in Docker EE, absorbing all associated RBAC controls in the process
DTR
UCP
Client bundle
RBAC
Client Bundle
A client bundle is a group of certificates downloadable directly from the Docker Trusted Registry (DTR) user interface within the admin section for “My Profile”
True
False
False
Using … in Docker EE, we can control who can access and make changes to your cluster and applications.
DTR
UCP
Client bundle
RBAC
RBAC
What are the minimum hardware requirements to install UCP?
4GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 2GB RAM and 500MB disk space for the /var partition for worker nodes
8GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 4GB RAM and 500MB disk space for the /var partition for worker nodes
8GB RAM, 2vCPUs and 10GB disk space for the /var/lib/docker partition for manager nodes, 4GB RAM and 500MB disk space for the /var/lib/docker partition for worker nodes
4GB RAM, 2vCPUs and 10GB disk space for the /var/lib/docker partition for manager nodes, 2GB RAM and 500MB disk space for the /var/lib/docker partition for worker nodes
8GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 4GB RAM and 500MB disk space for the /var partition for worker nodes
What are the features of Docker Trusted Registry (DTR)?
Built-in Access Control
Image and Job Management
Automated image builds
Security Scanning
Dockerfile management in SCM
Image Signing
Built-in Access Control
Image and Job Management
Security Scanning
Image Signing
When using the built-in authentication mechanism, you can create users to grant them fine-grained permissions.
Which of the following statements best describes managing users in DTR?
Users are shared across UCP and DTR.
When you create a new user in UCP, that user becomes available in DTR and vice versa.
Check the Trusted Registry admin option, if you want to grant permissions for the user to be a UCP and DTR administrator.
Users are not shared across UCP and DTR
Users are shared across UCP and DTR.
When you create a new user in UCP, that user becomes available in DTR and vice versa.
Check the Trusted Registry admin option, if you want to grant permissions for the user to be a UCP and DTR administrator.
When a user creates a repository, by default other users will also have permissions to make changes to the repository.
True
False
False
By default, DTR has one organization called ‘docker-datacenter’, that is shared between DTR and UCP.
True
False
True
What is the command to pull the docker repository owned by an organization?
docker get DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG
docker pull DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG
docker download DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG
docker fetch DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG
docker pull DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG
Which of the following is the docker image addressing convention?
Registry-Address/Image-or-Repository-Name/User-Or-Account-Name
Registry-Address/User-Or-Account-Name/Image-or-Repository-Name
User-Or-Account-Name/Image-or-Repository-Name/Registry-Address
Image-or-Repository-Name/User-Or-Account-Name/Registry-Address
Registry-Address/User-Or-Account-Name/Image-or-Repository-Name
If we do not specify registry information, the default registry, Docker Hub at the address docker.io, is assumed.
True
False
True
DTR only supports creating private repositories.
True
False
False
By default, when pushing an image to DTR, it automatically creates a new repository if one does not already exist by that name.
True
False
False
You cannot configure DTR to allow pushing to repositories that don’t exist yet.
True
False
False
We can use the CLI to enable pushing to repositories that don’t exist yet.
True
False
True
DTR is a vulnerability scanner that analyzes container images for security vulnerabilities triggered by a manual request only.
True
False
False
In which service does DTR image scanning occur?
A service known as the dtr-jobrunner container
A service known as the dtr-registry container
A service known as the dtr-api container
A service known as the dtr-runner container
A service known as the dtr-jobrunner container
Extracts a copy of the image layers from backend storage.
Extracts the files from the layer into a working directory inside the dtr-jobrunner container.
Executes the scanner against the files in this working directory, collecting a series of scanning data.
Once the scanning data is collected, the working directory for the layer will remain on the job-runner until garbage collection is initiated.
All of the above
Extracts a copy of the image layers from backend storage.
Extracts the files from the layer into a working directory inside the dtr-jobrunner container.
Executes the scanner against the files in this working directory, collecting a series of scanning data.
In which of the following will image scanning look for known vulnerabilities?
OS packages
Suspicious user accounts
Libraries
IP Tables rules that are not required
Other dependencies that are defined in a container image
All of the above
OS packages
Libraries
Other dependencies that are defined in a container image
You may also configure DTR to initiate scans automatically when an image is pushed.
True
False
True
Once the scan is complete, a report shows all the vulnerabilities detected categorized as __________.
Major
Minor
Warning
Critical
INFO
All of the above
Major
Minor
Critical
With Docker Trusted Registry you can promote an existing image, based on a policy, to be pushed to a new environment.
True
False
True
With Docker Trusted Registry, we need to rebuild the image in each stage to promote to different environments (e.g. Dev, Test, Stage, and Prod)
True
False
False
A promotion can only be configured to another repository within the same registry.
True
False
False
Which statement best describes Garbage Collection in DTR?
Automatically removes unused image layers to save disk space at a scheduled interval.
Garbage Collection setting is available under the system -> garbage collection section.
By default, garbage collection is enabled.
All of the above
Automatically removes unused image layers to save disk space at a scheduled interval.
Garbage Collection setting is available under the system -> garbage collection section.
You may configure garbage collection to run at a specific interval.
True
False
True
Under the hood, each image stored in DTR is made up of multiple files. What are they?
A list of image layers that are unioned which represents the image filesystem
A configuration file that contains the architecture of the image and other metadata
A manifest file containing the list of all layers and configuration file for an image
A list of image layers that are unioned which represents the image filesystem
A configuration file that contains the architecture of the image and other metadata
A manifest file containing the list of all layers and configuration file for an image
DTR ships with Notary built-in so that you can use Docker Content Trust (DCT) to sign and verify images.
True
False
True
What are the key components of Docker Trusted Registry (DTR) for signing an image?
Notary Server
Notary Signer
Docker Hub
Universal Control Plane (UCP)
Notary Server
Notary Signer
Which statements best describe Notary?
Notary is a tool for publishing and managing trusted collections of content.
The official Docker Hub Notary servers are located at https://docker.io
With Notary anyone can provide trust over arbitrary collections of data.
Notary uses Globally Unique Names (GUNs) to identify trust collections.
Notary is a tool for publishing and managing trusted collections of content.
With Notary anyone can provide trust over arbitrary collections of data.
Notary uses Globally Unique Names (GUNs) to identify trust collections.
DCT is integrated with the Docker CLI, and allows you to _____________________.
Configure repositories
Add signers
Sign images using the docker trust command
Configure repositories
Add signers
Sign images using the docker trust command
You are required to configure your environment to prevent untrusted images from being deployed on the cluster. What approach would you choose to ensure images deployed in the cluster are secure and trusted?
Configure RBAC and provide access to repositories to privileged users only
Enable vulnerability scanning on images on push
Configure UCP to run only signed images, and enforce image signing for all images using DCT
Configure UCP to run only signed images, and enforce image signing for all images using DCT
In a Docker swarm cluster, when a failed node is brought back online it is ready to accept new workloads and existing workloads are automatically rebalanced.
True
False
False
What is the command to rebalance the docker swarm cluster workloads if absolutely necessary?
docker service update SERVICE-NAME
docker service update --force SERVICE-NAME
docker update service SERVICE-NAME
docker update service --force SERVICE-NAME
docker service update --force SERVICE-NAME
A swarm cluster runs with 5 manager and 5 worker nodes, with 10 replicas of an application running across all worker nodes. Which of the below statements are true when 3 manager nodes go down at the same time?
Since 2 manager nodes are available the cluster continues to operate normally
Cluster operates in a degraded mode with no management functionalities
The applications continue to work as normal without impacting users
Applications are killed and users are impacted
Cluster operates in a degraded mode with no management functionalities
The applications continue to work as normal without impacting users
We could add a new node to the cluster as a manager but we cannot promote an existing worker node to be the manager.
True
False
False
You should have at least 3 managers in the swarm cluster to support manager node failures.
True
False
True
Which statement best describes Quorum?
Quorum is the minimum number of nodes that must be available for the cluster to function properly.
In case of 3 manager nodes, the quorum is 3
It is recommended to maintain an odd number of managers to withstand network-wide outages.
In case of 5 manager nodes, the quorum is 3
Quorum is the minimum number of nodes that must be available for the cluster to function properly.
It is recommended to maintain an odd number of managers to withstand network-wide outages.
In case of 5 manager nodes, the quorum is 3
Which of the below configurations can tolerate 3 manager node failures?
4 Manager 2 Worker Node Cluster
5 Manager 5 Worker Node Cluster
6 Manager 5 Worker Node Cluster
7 Manager 3 Worker Node Cluster
7 Manager 5 Worker Node Cluster
8 Manager 6 Worker Node Cluster
8 Manager 2 Worker Node Cluster
7 Manager 3 Worker Node Cluster
7 Manager 5 Worker Node Cluster
8 Manager 6 Worker Node Cluster
8 Manager 2 Worker Node Cluster
For any given number N of nodes, what is the quorum value?
Total number of nodes divided by 3 + 1 (Quorum = (N/3)+1)
Total number of nodes divided by 2 + 1 (Quorum = (N/2)+1)
Total number of nodes divided by 2 – 1 (Quorum = (N/2)-1)
Total number of nodes divided by 3 – 1 (Quorum = (N/3)-1)
Total number of nodes divided by 2 + 1 (Quorum = (N/2)+1)
What is the command to forcefully create a cluster from its current state?
docker swarm init
docker swarm init --force
docker swarm init --force-cluster
docker swarm init --force-new-cluster
docker swarm init --force-new-cluster
What is the command to promote a node to manager in docker swarm cluster?
docker promote node NODENAME
docker node promote NODENAME
docker promote worker node NODENAME
docker node promote worker NODENAME
docker node promote NODENAME
Which of the following statements are true? Select all the answers that apply.
On every Docker host, Docker stores data about the objects it manages under the /var/lib/docker directory.
On a swarm manager node, it stores data about the swarm cluster in the /var/lib/docker/swarm directory.
On every Docker host, Docker stores data about the objects it manages under the /var/run/docker directory.
On a swarm manager node, it stores data about the swarm cluster in the /var/run/docker/swarm directory.
On every Docker host, Docker stores data about the objects it manages under the /var/lib/docker directory.
On a swarm manager node, it stores data about the swarm cluster in the /var/lib/docker/swarm directory.
The RAFT DB helps in restoring the services and any other configuration in a swarm cluster.
True
False
True
What are the steps that we need to follow to back up the swarm database?
Create a tar backup of the swarm data at /var/lib/docker/swarm and restart the Docker service.
Stop the Docker service, create a tar backup of the swarm data at /var/lib/docker/swarm, start the Docker service.
Stop the Docker service, create a tar backup of the Docker data at /var/lib/docker, start the Docker service.
None of the above
Stop the Docker service, create a tar backup of the swarm data at /var/lib/docker/swarm, start the Docker service.
It is recommended to perform a backup on the swarm leader node.
True
False
False
What is the command to enable automatic locking of managers with an encryption key?
docker swarm init --lock=true
docker swarm init --autolock=true
docker swarm init --autounlock=false
docker swarm init --unlock=false
docker swarm init --autolock=true
What is the command to disable auto lock for a docker swarm cluster that has it enabled already?
docker swarm update --autolock=false
docker update swarm --autolock=false
docker swarm update --auto-unlock=true
docker update swarm --auto-unlock=true
docker swarm update --autolock=false
The auto lock key is required when the cluster is restored, so it must be kept safe in an external password manager.
True
False
True
The auto lock key is backed up along with the Swarm backup.
True
False
False
What are the prerequisites for restoring swarm?
You must use the same IP as the node from which you made the backup.
You must restore the backup on the same Docker Engine version.
If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.
You can find the list of manager IP addresses in state.json in the zip file
You must use the same IP as the node from which you made the backup.
You must restore the backup on the same Docker Engine version.
If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.
You can find the list of manager IP addresses in state.json in the zip file
Which of the following steps are required on each manager node to restore data to a new swarm?
Shut down the Docker Engine on the node you selected for the restore
Uninstall Docker on the node
Remove the /var/lib/docker directory on the new Swarm if it exists.
Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists.
Restore the /var/lib/docker/swarm directory with the contents of the backup
Install Docker on the node
Start Docker on the new node. Unlock the swarm if necessary
Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.
Shut down the Docker Engine on the node you selected for the restore
Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists.
Restore the /var/lib/docker/swarm directory with the contents of the backup
Start Docker on the new node. Unlock the swarm if necessary
Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.
To take a backup of UCP, which docker image would you need to run with the backup command?
docker/ucp-backup
docker/ucp
docker/backup
docker/backup-ucp
docker/ucp
You can only take backup of UCP via CLI.
True
False
False
In order to take a backup of UCP, you need to back up each UCP manager node.
True
False
False
Which of the following statements are true about UCP backup?
Backups can be utilized for restoring clusters on a cluster with a newer version of Docker Enterprise.
More than one backup at the same time is supported.
For crashed clusters, backup capability is not guaranteed.
UCP backup includes swarm workloads.
UCP backup includes Kubernetes workloads.
For crashed clusters, backup capability is not guaranteed.
UCP backup includes Kubernetes workloads.
In which of the following ways can a UCP backup be created?
CLI
GUI
API
CLI
GUI
API
To restore an existing UCP installation from a backup, you need to uninstall UCP from the swarm by using the uninstall-ucp command.
True
False
True
Which of the following are included in a UCP backup?
User, Team and Organization details
Docker Swarm Services
Kubernetes Namespaces
Certificates and Keys
Access Control Details
Overlay Networks
Docker Images
Docker Swarm Secrets
User, Team and Organization details
Kubernetes Namespaces
Certificates and Keys
Access Control Details
Which of the following data does Docker Trusted Registry maintain?
Configurations
Notary Data
Certificates and Keys
Access Control to repos and Images
Configurations
Notary Data
Certificates and Keys
Access Control to repos and Images
What is the command to perform a backup of DTR node?
Run the docker/dtr backup command
Run the docker/dtr-backup command
Run the docker/backup-dtr command
Run the docker/backup dtr command
Run the docker/dtr backup command
To create a backup of DTR, you don’t need to back up the DTR metadata; backing up image content alone is enough.
True
False
False
Since you need your DTR replica ID during a backup, which of the following covers a few ways for you to determine your replica ID?
UCP web interface
UCP client bundle
SSH Access
UCP web interface
UCP client bundle
SSH Access
What is the command to restore the DTR from a backup tar (e.g dtr-metadata-backup.tar) ?
docker run -i --rm docker/dtr-restore < dtr-metadata-backup.tar
docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar
docker run -i --rm docker/restore-dtr < dtr-metadata-backup.tar
docker run -i --rm docker/restore dtr < dtr-metadata-backup.tar
docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar
What is the recommended approach to taking a backup of images stored by Docker Trusted Registry?
Store image data on local disk and backup image and DTR metadata together into a tarball
Store image data on a shared network storage and use supported backup mechanisms available for that network storage
Store image data on a shared network storage and use supported backup mechanisms available for that network storage
Which of the following are included in a UCP backup?
User, Team and Organization details
Docker Swarm Services
Kubernetes Namespaces
Certificates and Keys
Access Control Details
Docker Images
User, Team and Organization details
Kubernetes Namespaces
Certificates and Keys
Access Control Details
What are the prerequisites for restoring a swarm?
You must use the same IP as the node from which you made the backup.
You must restore the backup on the same Docker Engine version.
If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.
You must use the same IP as the node from which you made the backup.
You must restore the backup on the same Docker Engine version.
If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.
What are the recommended hardware requirements to install DTR in a production environment?
16GB RAM, 4vCPUs and 25-100GB of free disk space
16GB RAM, 2vCPUs and 100GB of free disk space
8GB RAM, 2vCPUs and 100GB of free disk space
8GB RAM, 4vCPUs and 25-100GB of free disk space
16GB RAM, 4vCPUs and 25-100GB of free disk space
Which of the below is a recommended best practice while taking backups of a swarm cluster?
Perform the backup operations from a swarm worker node
Perform the backup operations from a swarm manager node that is not a leader
Perform the backup operations from a swarm manager node that is a leader
Perform the backup operations from a swarm manager node that is not a leader
What will happen if the container consumes more memory than its limit?
The container will be killed with an Out of Memory exception
Which component is responsible for performing all of these operations: maintaining the layered architecture, creating a writable layer, moving files across layers to enable Copy-on-Write, etc.?
Storage drivers
What are the different access modes configurable on a persistent volume?
ReadOnlyMany, ReadWriteMany, ReadWriteOnce
Which statement best describes a Kubernetes storage class?
A StorageClass provides a way for administrators to describe the “classes” of storage they offer.
Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy.
The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.
Which statements best describe a PersistentVolumeClaim?
A PersistentVolumeClaim (PVC) is a request for storage by a user
A PVC will be automatically bound to a PV on creation when a PV is available
Claims can request specific size and access modes
What is a recommended best practice for installing packages and libraries using the apt-get package manager while building an image?
Use the RUN instruction and have the apt-get update and apt-get install commands on the same instruction
What is the command to change the tag of httpd:latest to httpd:v1?
docker image tag httpd:latest httpd:v1
After building the below code with an image named webapp, what will happen when you run docker run webapp sleep 1000?
docker overrides the CMD instruction with sleep 1000
Which command can be used to deploy exactly one instance of the application on all the nodes in the cluster?
docker service create --mode=global webapp
Which statement best describes Quorum?
Quorum is the minimum number of nodes that must be available for the cluster to function properly.
What is the command to deploy a service named webapp on a node which has a type=cpu-optimized label?
docker service create --constraint=node.labels.type==cpu-optimized webapp
The webapp:v1 had some bugs and we fixed them in webapp:v2. We want to update the service to use the image webapp:v2. What is the right command?
docker service update --image=webapp:v2 webapp
To list the services created by a stack, run …
docker stack services
How do you configure all key-value pairs in a Secret object as environment variables within a container?
envFrom.secretRef
Which of the following are correct commands to create config maps? Select all the answers that apply.
kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2
kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env
Where do you configure the configMapKeyRef in a pod to use environment variables defined in a ConfigMap?
spec.containers.env.valueFrom
What flags are used to configure encryption on docker daemon without any authentication?
tls, tlscert, tlskey
What is the type and the name of the network created for the DTR services to communicate with each other?
overlay/dtr-ol
Which of the following solutions support network policies?
kube-router, Calico, Weave-Net
Which command is used to get the events of the container named webapp?
docker system events --filter 'container=webapp'
When you create a swarm service and do not specify a user-defined overlay network, it connects to the … network by default
ingress
What are the recommended hardware requirements to install DTR in a production environment?
16GB RAM, 4vCPUs and 25-100GB of free disk space.
Which of the below is a recommended best practice while taking backups of a swarm cluster?
Perform the backup operations from a swarm manager node that is not a leader
What will happen if --memory-swap is set to 0?
the setting is ignored, and the value is treated as unset
How many manager nodes must be online in a cluster with 13 manager nodes for the swarm cluster to continue to operate?
7
Where do you specify image names in a pod definition YAML file to be deployed on Kubernetes?
spec.containers.image
What is the command to rebalance the docker swarm cluster workloads?
docker service update --force
Which option of the docker service command can be used to update 4 replicas at a time of a service named mywebapp?
--update-parallelism 4
What is the command to change the role of a manager node named manager1 to a worker node in a Docker Swarm cluster?
docker node demote manager1
Which command can be used to return the current autolock key used to lock a docker swarm cluster?
docker swarm unlock-key
How do you inject a ConfigMap into a pod in Kubernetes?
Using envFrom and configMapRef
The … assigns tasks to nodes in Docker Swarm.
dispatcher
What is the high level command to restore the DTR from a backup tar named dtr-metadata-backup.tar ?
docker run -i --rm docker/dtr restore < dtr-metadata-backup.tar
Which of the below commands may be used to change the default logging driver to splunk?
echo '{"log-driver": "splunk"}' > /etc/docker/daemon.json
Refer to the Dockerfile below and identify which value should be added to the --from= option in the second stage to copy the application build from the first stage.
0, builder
Which of the below can help minimize the image size?
Only install necessary packages within the image
Combine multiple dependent instructions into a single instruction and clean up temporary files
Use multi-stage builds
What is the command to find images with a name containing busybox, at least 3 stars and that are official builds?
docker search --filter is-official=true --filter stars=3 busybox
To scan an image, DTR ________________.
Extracts a copy of the image layers from backend storage.
Extracts the files from the layer into a working directory inside the dtr-jobrunner container.
Executes the scanner against the files in this working directory, collecting a series of scanning data.
Once the scanning data is collected, the working directory for the layer is removed.
Universal Control Plane (UCP) lets you authorize users to view, edit, and use cluster resources by granting role-based permissions against resource sets.
True
Which statement best describes a Docker volume plugin?
Docker Engine volume plugins enable Engine deployments to be integrated with external storage systems such as Amazon EBS,
The local volume plugin helps to create a volume on Docker host and store its data under the /var/lib/docker/volumes/ directory.
Which of the following are valid storage drivers supported by Docker?
AUFS
overlay2
Device Mapper
Which option is used to change the default storage driver to use devicemapper?
{"storage-driver": "devicemapper"}
Which statements best describe Persistent Volume in Kubernetes?
A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using a StorageClass. It is a resource in the cluster, just like a node is a cluster resource.
ETCD by default listens on port 2780.
False
What types of networks will be created when you initialize a swarm or join a Docker host to an existing swarm?
bridge
ingress
After an update to a service named webapp we realized that something is wrong with the new version and we want to revert back to the old version. How can we achieve that?
docker service rollback webapp
overlay2, aufs, and devicemapper all operate at the file level rather than the block level.
False
Using RUN apt-get update && apt-get install -y ensures your Dockerfile installs the latest package versions every time an image is built. This technique is known as ______
Cache busting
What is the recommended approach to load a set of configurations into the pod in the form of a file to the path /var/configs?
Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs
UCP has its own built-in authentication mechanism and integrates with LDAP and AD services.
True
If the service type is NodePort, then Kubernetes will allocate a port on every worker node.
True
What is the command to apply the disk=ssd label to worker1 in a swarm cluster?
docker node update --label-add disk=ssd worker1
A client bundle is a group of certificates downloadable directly from the Docker Trusted Registry (DTR) user interface within the admin section for “My Profile”
False
What option may be used to change the default behaviour of a failed task during an update in swarm?
--update-failure-action
Which component is responsible for serving the UCP components, such as the web UI, the authentication API, the metrics server, the proxy and the data stores used by UCP, in the form of containers?
UCP Agent
The routing mesh enables each node in the swarm to accept connections on published ports for any service running in the swarm, even if there’s no task running on the node.
True
In which service does the DTR image scanning occur?
A service known as the dtr-jobrunner container
What component is responsible for instructing a worker to run a task?
scheduler
What are the 4 top level fields a kubernetes definition file for POD contains?
apiVersion
metadata
kind
spec
Which command can be used to list the tasks in a stack named webapp?
docker stack ps webapp
Which command can be used to increase the number of replicas from 2 to 4 of a service named webapp? Select all the right answers.
docker service update --replicas=4 webapp
docker service scale webapp=4
Which of the below statements are correct?
Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web
Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web
Which command can be used to get the logs of a swarm service?
docker service logs SERVICE-NAME
Create a service using the my-web-server image and map UDP port 80 in the container to port 5000 on the overlay network.
docker service create -p 5000:80/udp my-web-server
docker service create --publish published=5000,target=80,protocol=udp my-web-server
Which formula can be used to calculate the Quorum of N nodes?
N / 2 +1
What is the default range of ports that Kubernetes uses for NodePort if one is not specified?
30000-32767
Which among the following statements are true without any change made to the default behavior of network policies in the namespace?
As soon as a network policy is associated with a POD, all ingress and egress traffic to that POD is denied except that allowed by the network policy
What is the command to stop all running containers on the host?
docker container stop $(docker container ls -q)
Which of the following is the correct format for CMD instruction?
CMD ["executable","param1","param2"]
CMD ["param1","param2"]
CMD command param1 param2
What are the features of docker trusted registry (DTR)?
Built-in Access Control
Image and Job Management
Security Scanning
Image Signing
Which image is used to deploy the Docker Trusted Registry?
docker/dtr
Print the value of ‘Architecture’ and ‘Os’ of an image named webapp
docker image inspect webapp -f '{{.Os}} {{.Architecture}}'
While building a docker image from code stored in a remote URL, which command will be used to build from a directory called docker in the branch dev?
docker build https://github.com/kk/dca.git#dev:docker
Which of the statements best describe “Resource sets” in Access Control Model?
To control user access, cluster resources are grouped into Docker Swarm collections or Kubernetes namespaces.
Together, collections and namespaces are named resource sets.
What is the sequence of operations to be followed while configuring a storage class for an application?
Create a storage class with a provisioner, create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file
What is the command to delete the persistent volumes?
kubectl delete pv PV-NAME
What is a linux feature that allows isolation of containers from the Docker host?
Namespaces
What component is responsible for managing CPU resources and allocating the time of the CPU between different processes?
CFS
Which of the following steps are required on each manager node to restore data to a new swarm?
Shut down the Docker Engine on the node you select for the restore
Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists
Restore the /var/lib/docker/swarm directory with the contents of the backup
Start Docker on the new node. Unlock the swarm if necessary
Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.
Where is the log of the webapp container, with id 78373635, stored on the Docker Host?
/var/lib/docker/containers/78373635/78373635.json
Which statement best describes a Kubernetes node? (Choose 3)
A machine part of the Kubernetes cluster that runs workloads
A Virtual Machine that hosts workloads part of a Kubernetes cluster
A Physical Machine that hosts workloads part of a Kubernetes cluster
A machine that automatically schedules the pods across the nodes in the cluster.
A tool to start a Kubernetes cluster.
A machine part of the Kubernetes cluster that runs workloads
A Virtual Machine that hosts workloads part of a Kubernetes cluster
A Physical Machine that hosts workloads part of a Kubernetes cluster
Which statement best describes kubectl in Kubernetes?
kubectl is an agent that runs on Kubernetes nodes
kubectl is used to bring up the Kubernetes cluster
The Kubernetes command-line tool
kubectl is a tool that lets you run Kubernetes locally
The Kubernetes command-line tool
Which of the below are the container orchestration tools?
Apache Mesos
Docker Swarm
ETCD
Kubernetes
Apache HTTPD
Apache Mesos
Docker Swarm
Kubernetes
What are the features of Kubernetes?
Self-healing & Batch execution
Secrets & configuration management
Container Image Management
Automated rollouts and rollbacks
Self-healing & Batch execution
Secrets & configuration management
Automated rollouts and rollbacks
Which statement best describes a control plane component?
The control plane’s components decide how workloads are placed across the nodes in the cluster
kube-proxy is one of the control plane components
kube-scheduler is one of the control plane components
kube-controller is one of the control plane components
The control plane’s components decide how workloads are placed across the nodes in the cluster
kube-scheduler is one of the control plane components
kube-controller is one of the control plane components
Which statement best describes the Worker Node component?
kubelet and container runtime are the worker node components
kube-proxy is one of the worker node components
kube-scheduler is one of the worker node components
kube-apiserver is one of the worker node components
kubelet and container runtime are the worker node components
kube-proxy is one of the worker node components
Which of the following statements best describes ETCD? Select the correct answer
Etcd serves as the backing datastore for Kubernetes cluster data
ETCD is a worker node component
ETCD is a distributed reliable key-value store
None of the above
Etcd serves as the backing datastore for Kubernetes cluster data
ETCD is a distributed reliable key-value store
ETCD by default listens on port 2780.
True
False
False
Which of the following are components deployed only on a Master Node in a Kubernetes cluster?
Kube Scheduler
Kube Controller Manager
Kube Api-server
Kubelet
Kube-Proxy
Kube Scheduler
Kube Controller Manager
Kube Api-server
Which of the following is the etcd command line tool?
etcd
etcdctl
kubectl
etcdcli
etcdctl
Which of the below comes under Kubernetes Hosted Solutions?
Google Compute Engine (GCE)
Google Kubernetes Engine (GKE)
Azure Kubernetes Service (AKS)
Amazon EC2 Service
Google Kubernetes Engine (GKE)
Azure Kubernetes Service (AKS)
What is a component of the Kubernetes control plane that allows external users or services to manage the Kubernetes cluster?
Kubernetes Scheduler
ETCDCTL
Kube API Server
Kube Proxy
Kube API Server
Which of the following component watches for newly created pods and selects a node for them to run on?
kube-proxy
kube-node-controller
kube-scheduler
kubelet Agent
kube-scheduler
What is the purpose of the replication controller?
Responsible for noticing and responding when nodes go down.
An agent that runs on each node in the cluster. It makes sure that containers are running in a Pod.
Responsible for maintaining the correct number of replicas of PODs at all times.
Replication controller makes sure that a pod or a homogeneous set of pods is always up and available
Responsible for maintaining the correct number of replicas of PODs at all times.
Replication controller makes sure that a pod or a homogeneous set of pods is always up and available
Which component on the worker node is responsible for maintaining network rules on nodes?
kubelet
kube-proxy
kubelet
kube-apiserver
kube-proxy
Which of the following are the container runtimes that Kubernetes supports?
Docker
Containerd
CRI-O
LXC
Docker
Containerd
CRI-O
Which of the following are the types of controllers in Kubernetes?
Node-Controller
Replication-Controller
Endpoint-Controller
Deployment-Controller
Node-Controller
Replication-Controller
Endpoint-Controller
Deployment-Controller
Which of the following statements best describes kube-scheduler?
The kube-scheduler is only responsible for deciding which pod goes on which node.
It places the pod on the nodes
Kube-scheduler is a worker node component
All of the above
The kube-scheduler is only responsible for deciding which pod goes on which node.
Which statements best describe a POD in Kubernetes?
Kubernetes deploys applications in the form of Pods
A Pod can contain only one container
To scale up an application, increase the number of containers in a Pod.
Every container in the pod gets its own hostname and IP address
Kubernetes deploys applications in the form of Pods
Which statement best describes Multi-Container POD? Select all the answers that apply.
Multi-container Pods can share resources and dependencies, communicate with one another, and coordinate when and how they are terminated
A single pod can have multiple containers
A single pod can have multiple containers of the same kind to scale up.
It is recommended to always use multi-container pods to improve performance of applications.
Multi-container Pods can share resources and dependencies, communicate with one another, and coordinate when and how they are terminated
A single pod can have multiple containers
What is the command to deploy a nginx pod?
kubectl deploy nginx --image nginx
kubectl run nginx --image nginx
kubectl start -it nginx bash
kubelet run nginx --image nginx
kubectl run nginx --image nginx
What is the command to list all the pods that are in a default namespace? Select all the answers that apply.
kubectl list pods -n default
kubectl get pods
kubectl list pods
kubectl get pods -n default
kubectl get pods
kubectl get pods -n default
Which of the following statement is correct? Select all the answers that apply.
Pods can only be created via kubectl commands
Pods can be created with kubectl commands as well as via API calls.
Pods can only be created via API calls.
None of the above
Pods can be created with kubectl commands as well as via API calls.
What is the command to check which nodes are the pods placed on? Select all the answers that apply.
kubectl get pods
kubectl get pods -o wide
kubectl describe pod
kubectl get nodes
kubectl get pods -o wide
kubectl describe pod
What is the command to delete the pod?
kubectl pod delete
kubectl delete
kubectl delete pod
kubectl pod –delete
kubectl delete pod
What are the possible ways to update the pod image? Select all the answers that apply.
You cannot update a pod image once a pod is created.
Update the pod-definition file and use kubectl apply command.
Use kubectl edit pod command and specify the new image
None of the above
Update the pod-definition file and use kubectl apply command.
Use kubectl edit pod command and specify the new image
What are the 4 top level fields a Kubernetes definition file for POD contains?
apiVersion
templates
metadata
labels
kind
spec
namespaces
containers
apiVersion
metadata
kind
spec
What is the command to create a pod with the pod-definition.yaml file?
kubectl run -f pod-definition.yaml
kubectl pod -f pod-definition.yaml
kubectl create -f pod-definition.yaml
kubectl apply -f pod-definition.yaml
kubectl create -f pod-definition.yaml
kubectl apply -f pod-definition.yaml
How do you specify image names in a pod definition YAML file?
containers.image
spec.containers.image
template.containers.image
kind.containers.image
spec.containers.image
How do you add labels to a pod in a pod definition YAML file?
labels
spec.labels
spec.containers.labels
metadata.labels
metadata.labels
What is the command to delete a pod via a pod-definition file?
kubectl remove -f pod-definition.yaml
kubectl rm -f pod-definition.yaml
kubectl delete -f pod-definition.yaml
kubectl del -f pod-definition.yaml
kubectl delete -f pod-definition.yaml
Inspect the below pod-definition file and answer the following questions:
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
  - name: nginx-container
    image: nginx
  - name: agent
    image: agent
How many containers are created when this pod is created?
1
2
3
4
2
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
  - name: nginx-container
    image: nginx
  - name: agent
    image: agent
How many IP addresses are consumed by the pod when it’s created?
1
2
3
4
1
The label selector is the core grouping primitive in Kubernetes. What kind of selectors are supported?
Equality-Based
Value-Based
Operator-Based
Set-Based
Equality-Based
Set-Based
A ReplicaSet is one of the Kubernetes controllers?
True
False
True
Which statements best describe replication controllers and replica sets? Select all answers that apply.
Replication Controller is the older technology that is being replaced by a ReplicaSet.
There is no difference between Replication controller and ReplicaSet.
The replication controller supports equality based selectors whereas the replica set supports equality based as well as set based selectors.
ReplicaSet is the new way to set up replication.
Replication Controller is the older technology that is being replaced by a ReplicaSet.
The replication controller supports equality based selectors whereas the replica set supports equality based as well as set based selectors.
ReplicaSet is the new way to set up replication.
Which of the following commands are used to list all the ReplicaSets? Select all the answers that apply.
kubectl get services
kubectl get rs
kubectl get replicaset
kubectl get pods
kubectl get rs
kubectl get replicaset
What is a Label in Kubernetes?
A way to expose traffic
A type of Deployment
A way to group related things using key/value pairs
None of the above
A way to group related things using key/value pairs
What is the command to list all the labels of a ReplicaSet?
kubectl get rs --show-labels
kubectl get rs --labels
kubectl get rs -l
kubectl get rs --details
kubectl get rs --show-labels
What is the command to delete a replication controller nginx?
kubectl get rc nginx
kubectl remove rc nginx
kubectl rm rc nginx
kubectl delete rc nginx
kubectl delete rc nginx
What is the command to delete a ReplicaSets triage?
kubectl get rs triage
kubectl remove rs triage
kubectl rm rs triage
kubectl delete rs triage
kubectl delete rs triage
How do you scale replica sets? Select all the answers that apply.
Update the number of replicas in the replicaset-definition.yaml definition file and apply.
Update using the kubectl scale command.
Delete and recreate a replica set.
Create a new replica set with the desired number of pods and delete the old replica set.
Update the number of replicas in the replicaset-definition.yaml definition file and apply.
Update using the kubectl scale command.
You are required to deploy an application in the form of containers that can easily scale up or down and supports upgrade of applications by maintaining information about different revisions. What is the recommended approach to deploying the application?
Create a POD
Create a ReplicaSet
Create a Replication Controller
Create a Deployment
Create a Deployment
What command would you use to create a Deployment? Select the correct answer
kubectl get deployments
kubectl get nodes
kubectl create
kubectl run
kubectl create
What is the flag that you use along with “kubectl create” to scale a deployment in Kubernetes?
--image
--label
--replicas
--scale
--replicas
What is the command to get the list of deployments. Select all the answers that apply.
kubectl get deploy
kubectl get deployment
kubectl get deployments
kubectl get deployments.apps
kubectl get deploy
kubectl get deployment
kubectl get deployments
kubectl get deployments.apps
What is the command to create the deployment using the deployment definition file?
kubectl deployment -f deploy-definition.yaml
kubectl create -f deploy-definition.yaml
kubectl deploy -f deploy-definition.yaml
kubectl get -f deploy-definition.yaml
kubectl create -f deploy-definition.yaml
Which of the following subcommands of kubectl can be used to get additional details of an object?
kubectl details
kubectl info
kubectl check
kubectl describe
kubectl describe
What is the command to delete a deployment?
kubectl deployment delete deployment-name
kubectl delete deployment deployment-name
kubectl deployment-name delete deployment
kubectl deployment-name deployment delete
kubectl delete deployment deployment-name
Which statement best describes deployment in Kubernetes? Select all the answers that apply.
Deployments create PODs and not ReplicaSets.
Deployments create ReplicaSets that create PODs.
Deployments support rolling updates and roll backs of applications.
Deployments support rolling updates but not roll backs.
Deployments create ReplicaSets that create PODs.
Deployments support rolling updates and roll backs of applications.
Which of the following statements about Kubernetes deployments are correct?
You describe a desired state in a Deployment, and the Deployment Controller changes the actual state to the desired state at a controlled rate.
You can define Deployments to create new ReplicaSets, or to remove existing Deployments and adopt all their resources with new Deployments.
You may manually update the ReplicaSets owned by a Deployment.
You should not manually update the ReplicaSets owned by a Deployment.
You describe a desired state in a Deployment, and the Deployment Controller changes the actual state to the desired state at a controlled rate.
You can define Deployments to create new ReplicaSets, or to remove existing Deployments and adopt all their resources with new Deployments.
You should not manually update the ReplicaSets owned by a Deployment.
What is the command to update the deployment in Kubernetes?
Let’s update the nginx Pods to use the nginx:1.16.1 image instead of the nginx:1.14.2 image.
kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1
kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1
kubectl set --image=deployment/nginx-deployment nginx=nginx:1.16.1
kubectl edit deployment.v1.apps/nginx-deployment
kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1
kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1
kubectl edit deployment.v1.apps/nginx-deployment
Where do you configure the selector labels in the deployment YAML file?
metadata.selector
spec.selector
spec.template.selector
spec.template.metadata.selector
spec.selector
Where do you configure the pod images in the deployment YAML file?
metadata.image
spec.containers.image
spec.template.spec.containers.image
spec.template.containers.image
spec.template.spec.containers.image
Rolling updates allow deployments to update with zero downtime?
True
False
True
What is the apiVersion for Kubernetes deployment?
v1
apps/v1
app/v1
apps/v
apps/v1
What kubectl command can be used to perform a Deployment update?
kubectl set image
kubectl rollout update
kubectl rolling-update
kubectl update
kubectl set image
What is the command to check the status of a deployment rollout named nginx-deploy?
kubectl rollout status deployment/nginx-deploy
kubectl rollout undo deployment/nginx-deploy
kubectl rollout update deployment/nginx-deploy
kubectl deployment status nginx-deploy
kubectl rollout status deployment/nginx-deploy
What is the command used to rollback to the previous deployment?
kubectl set image
kubectl rollout undo
kubectl rollout status
kubectl rollout start
kubectl rollout undo
What is the command used to view previous rollout revisions and configurations?
kubectl rollout status
kubectl rollout history
kubectl rollout undo
kubectl rollout pause
kubectl rollout history
You performed an upgrade of images on a deployment recently. You’d like to check what command was run during the last update. However the output of the rollout history command does not show the command. What may be the cause?
The upgrade was done using a kubectl apply command
The command run to upgrade did not use the --record flag.
The kubectl set command was used to perform the upgrade
The API server was down when the upgrade was performed
The command run to upgrade did not use the --record flag.
Which of the following are the deployment strategy types in Kubernetes?
RollingUpdate
BlueGreen
Canary
Recreate
RollingUpdate
Recreate
Which of the following is the default deployment strategy in Kubernetes deployments?
Recreate
RollingUpdate
Redeploy
BlueGreen
RollingUpdate
If .spec.strategy.type is set to Recreate, then all existing pods are killed before new ones are created.
True
False
True
If .spec.strategy.type is set to RollingUpdate, then all new PODs are created first and then all existing pods are killed at once.
True
False
False
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-application
  labels:
    app: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
      - name: logger
        image: log-agent:1.2
      - name: monitor
        image: monitor-agent:1.0
This is an invalid configuration because the selector matchLabel nginx does not match the label web set on the deployment
This is an invalid configuration because there are more than 1 containers configured in the template
This is an invalid configuration because the selector field must come under the template section and not directly under spec
This is an invalid configuration because the API version is not set correctly
This is a valid configuration
This is a valid configuration
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-application
  labels:
    app: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
      - name: logger
        image: log-agent:1.2
      - name: monitor
        image: monitor-agent:1.0
How many containers would be created in total when this deployment is created (excluding the PAUSE containers)?
3
6
9
1
9
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-application
  labels:
    app: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
      - name: logger
        image: log-agent:1.2
      - name: monitor
        image: monitor-agent:1.0
How many IP addresses would be consumed when the deployment is created?
3
6
9
1
3
Each container inside a POD gets its own IP address assigned.
False
How many IP addresses are consumed by 3 PODs each with 2 containers?
3
6
2
9
3
Which of the following are valid service types in Kubernetes?
NodePort
ClusterIP
LoadBalancer
ExternalName
ElasticLoadBalancer
NodePort
ClusterIP
LoadBalancer
ExternalName
What is the command to list the Kubernetes services? Select all the answers that apply.
kubectl get svc
kubectl list services
kubectl get services
kubectl list svc
kubectl get svc
kubectl get services
What is the command to delete a Kubernetes service?
kubectl delete svc SERVICE-NAME
kubectl rm service SERVICE-NAME
kubectl del services SERVICE-NAME
kubectl delete services SERVICE-NAME
kubectl delete svc SERVICE-NAME
kubectl delete services SERVICE-NAME
Which of the following statements are correct about NodePort? Select all the answers that apply.
NodePort exposes a service on the same port as that of the exposed port on containers in the PODs.
NodePort exposes a service internally within the hosts only.
NodePort exposes a service to make it externally accessible on a port on the nodes.
None of the Above
NodePort exposes a service to make it externally accessible on a port on the nodes.
If the service type is NodePort, then Kubernetes will allocate a port on every worker node.
True
False
True
What is the default range of ports that Kubernetes uses for NodePort if one is not specified?
32767-64000
30000-32767
32000-32767
80-8080
30000-32767
A NodePort service exposes a deployment only on the nodes on which the PODs of that deployment are running.
True
False
False
An application has 2 tiers – a web service that must be externally accessible to users and a database service that must be accessible within the cluster only. What service types should be configured?
Web – NodePort, Database – LoadBalancer
Web – ClusterIP, Database – ClusterIP
Web – NodePort, Database – ClusterIP
Web – ClusterIP, Database – NodePort
Web – NodePort, Database – ClusterIP
ClusterIP is the default service type for Kubernetes service.
True
False
True
apiVersion: v1
kind: Service
metadata:
  name: web-service
  labels:
    obj: web-service
    app: web
spec:
  selector:
    app: web
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9376
    nodePort: 39376
For this service to discover the web service, what must be the label set on the PODs hosting the web service?
obj: web-service
app: web
app: web-service
obj: web
app: web
apiVersion: v1
kind: Service
metadata:
  name: web-service
  labels:
    obj: web-service
    app: web
spec:
  selector:
    app: web
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9376
    nodePort: 39376
What port on the PODs is the web service most likely exposed on?
80
9376
8080
39376
9376
apiVersion: v1
kind: Service
metadata:
  name: web-service
  labels:
    obj: web-service
    app: web
spec:
  selector:
    app: web
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9376
    nodePort: 39376
A user is trying to access the application using the Nodes IP and Port number. What port must the user try to connect to?
80
9376
8080
39376
39376
apiVersion: v1
kind: Service
metadata:
  name: web-service
  labels:
    obj: web-service
    app: web
spec:
  selector:
    app: web
  type: NodePort
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9376
    nodePort: 39376
Which of the below statements are correct?
Traffic to port 39376 on the node hosting the pod in the cluster is routed to port 9376 on a POD with the label app web on the same node
Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web
Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web
Traffic to port 80 on the node is routed to port 9376 on the service
Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web
Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web
Which of the following statements is true about configuring commands and arguments in Kubernetes? Select all the answers that apply.
To define a command, include the command field in the configuration file.
To define a command, include the args field in the configuration file.
To define arguments for the command, include the command field in the configuration file.
To define arguments for the command, include the args field in the configuration file.
To define a command, include the command field in the configuration file.
To define arguments for the command, include the args field in the configuration file.
The command and arguments that you define in the configuration file override the default command and arguments configured in the container image.
True
False
True
Which field of Kubernetes pod definition file corresponds to the entrypoint instruction in the Dockerfile?
ENTRYPOINT instruction in Dockerfile corresponds to command in kubernetes definition file
ENTRYPOINT instruction in Dockerfile corresponds to args in kubernetes definition file
CMD instruction in Dockerfile corresponds to args in kubernetes definition file
CMD instruction in Dockerfile corresponds to command in kubernetes definition file
ENTRYPOINT instruction in Dockerfile corresponds to command in kubernetes definition file
CMD instruction in Dockerfile corresponds to args in kubernetes definition file
How do you set environment variables in a pod definition file?
Using environment section
Using env section
Using env_var section
Using variables section
Using env section
Which of the following flags can be used to pass an environment variable while creating a pod with docker run command?
docker run --environment APP_COLOR=pink simple-webapp-color
docker run --env APP_COLOR=pink simple-webapp-color
docker run -e APP_COLOR=pink simple-webapp-color
docker run -v APP_COLOR=pink simple-webapp-color
docker run --env APP_COLOR=pink simple-webapp-color
docker run -e APP_COLOR=pink simple-webapp-color
What are the different ways of setting up environment variables in Kubernetes? Select all the answers that apply.
plain key-value pair
configmap
from disk
secrets
plain key-value pair
configmap
secrets
Where is the env instruction set in a Kubernetes pod definition file?
spec.containers.env
spec.env
spec.template.spec.env
spec.template.env
spec.containers.env
Which of the below are valid instructions to set environment variables in a Dockerfile?
ENVIRONMENT name=value
ENV name=value
ENV name value
VAR name value
ENV name=value
ENV name value
What is the command to create config maps? Select all the answers that apply.
kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2
kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env
kubectl create configmap CONFIGMAP-NAME --file=/tmp/env
kubectl create configmap CONFIGMAP-NAME --literal=KEY1=VALUE1 KEY2=VALUE2
kubectl create configmap CONFIGMAP-NAME --from-literal=KEY1=VALUE1 --from-literal=KEY2=VALUE2
kubectl create configmap CONFIGMAP-NAME --from-file=/tmp/env
What is the command to list configmaps? Select all the answers that apply.
kubectl get pods
kubectl get cm
kubectl get configmap
kubectl get maps
kubectl get cm
kubectl get configmap
What is the command to display details of the ConfigMap?
kubectl get configmap CONFIGMAP-NAME
kubectl describe configmap CONFIGMAP-NAME
kubectl list configmap CONFIGMAP-NAME
kubectl get configmap CONFIGMAP-NAME –details
kubectl describe configmap CONFIGMAP-NAME
You can pass in the --from-file argument multiple times to create a ConfigMap from multiple data sources.
True
False
True
What is the flag that we can use to define a literal value from the command line?
--env
--from-literal
--literal
--text
--from-literal
Which statements best describe configmaps?
ConfigMap is an API object mainly used to store confidential data in key-value pairs.
ConfigMap is an API object mainly used to store non-confidential data in key-value pairs.
Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume.
ConfigMap provides secrecy or encryption
ConfigMap is an API object mainly used to store non-confidential data in key-value pairs.
Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume.
How do you inject configmap into a pod?
Using envFrom and configMapRef
Using env and configMapRef
Using envFrom and configMap
Using env and configMap
Using envFrom and configMapRef
Where do you configure the configMapKeyRef in a pod to use environment variables defined in a ConfigMap?
spec. containers.env
spec. env.valueFrom
spec. containers.valueFrom
spec. containers.env.valueFrom
spec.containers.env.valueFrom
What is the recommended approach to load a set of configurations into the pod in the form of a file to /var/configs?
Add a separate env parameter for each config and use a startup script to write to a file
Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs
Create a ConfigMap with the required configurations, configure it as an env variable in the pod definition file and use a startup script to write to a file
Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs
What is the command to list the Kubernetes secrets?
kubectl list secrets
kubectl get secrets
kubectl secrets
kubectl secrets –list
kubectl get secrets
What is the command to display details of the secret?
kubectl get secret SECRET-NAME
kubectl describe secret SECRET-NAME
kubectl list secret SECRET-NAME
kubectl get secret SECRET-NAME –details
kubectl describe secret SECRET-NAME
What is the command to create a secret using the “kubectl create secret” command?
kubectl create secret test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'
kubectl create secret opaque test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'
kubectl create secret credentials test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'
kubectl create secret generic test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'
kubectl create secret generic test-secret --from-literal='username=my-app' --from-literal='password=39528$vdg7Jb'
How do you configure all key-value pairs in a Secret as container environment variables?
env.secretRef
envFrom.secret
envFrom.secretRef
envFrom.secretRefKey
envFrom.secretRef
Which statements best describe Kubernetes secrets?
Kubernetes secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys.
Storing confidential information in a Secret is safer than putting it verbatim in a Pod definition or a container image.
Users can create Secrets and the system also creates some Secrets.
It is safe to check in secrets into source code repositories.
Kubernetes secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys.
Storing confidential information in a Secret is safer than putting it verbatim in a Pod definition or a container image.
Users can create Secrets and the system also creates some Secrets.
Secrets store sensitive information in an encrypted format.
True
False
False
Secret values are only base64-encoded in the API object and are stored in etcd in that form unless encryption at rest is configured on the API server; protect them with RBAC on the secrets resource and access control on etcd and its backups, not by relying on the encoding.
You can pass in the --from-file argument multiple times to create a secret from multiple data sources.
True
False
True
What is the default Secret type if omitted from a Secret configuration file?
kubernetes.io/tls
kubernetes.io/ssh-auth
Opaque
kubernetes.io/dockercfg
Opaque
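Added example for the Secret cards above (not part of the original deck): a Python check that decodes a Secret object of the shape kubectl returns, showing that the data is plain base64 rather than ciphertext, plus a helper that lists every Secret a Pod spec consumes through envFrom.secretRef, env[].valueFrom.secretKeyRef or a secret volume. The Secret JSON, the Pod spec and the names db-creds and web-tls are constructed here for illustration.

```python
import base64
import json

# Constructed sample: the shape `kubectl get secret test-secret -o json` returns for the
# Secret created on the card above. Values are base64, not ciphertext.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "test-secret", "namespace": "default"},
    "data": {
        "username": base64.b64encode(b"my-app").decode(),
        "password": base64.b64encode(b"39528$vdg7Jb").decode(),
    },
})


def decode_secret(secret_json: str) -> dict:
    """Return the plaintext key/value pairs of a Secret object.

    `data` is only base64-encoded, so anyone with `get` on secrets in the namespace,
    or read access to etcd or an etcd backup, recovers the values exactly like this.
    """
    obj = json.loads(secret_json)
    if obj.get("kind") != "Secret":
        raise ValueError("not a Secret object")
    plain = {k: base64.b64decode(v).decode() for k, v in obj.get("data", {}).items()}
    plain.update(obj.get("stringData", {}))  # write-only plaintext field, if a manifest uses it
    return plain


def find_secret_refs(pod_spec: dict) -> list:
    """List every Secret a Pod spec consumes: envFrom.secretRef, env[].valueFrom.secretKeyRef
    and secret volumes. Useful when auditing which workloads can read which credentials."""
    names = set()
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for entry in c.get("envFrom", []):
            if "secretRef" in entry:
                names.add(entry["secretRef"]["name"])
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
    return sorted(names)


# Constructed Pod spec using all three consumption styles (names are illustrative).
SAMPLE_POD_SPEC = {
    "containers": [{
        "name": "app",
        "image": "simple-webapp-color",
        "envFrom": [{"secretRef": {"name": "test-secret"}}],
        "env": [{"name": "DB_PASS",
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
    }],
    "volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}}],
}

if __name__ == "__main__":
    print(decode_secret(SAMPLE_SECRET_JSON))
    print(find_secret_refs(SAMPLE_POD_SPEC))
```

Run it against real objects by piping `kubectl get secret NAME -o json` into decode_secret and `kubectl get pod NAME -o json` (the .spec field) into find_secret_refs; the point of the first function is that no key is needed, which is why read access to Secrets must be treated as access to the credentials themselves.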
Which of the following statements is true about configuring commands and arguments in Kubernetes? Select all the answers that apply.
To define a command, include the command field in the configuration file.
To define a command, include the args field in the configuration file.
To define arguments for the command, include the command field in the configuration file.
To define arguments for the command, include the args field in the configuration file.
To define a command, include the command field in the configuration file.
To define arguments for the command, include the args field in the configuration file.
The command and arguments that you define in the configuration file override the default command and arguments configured in the container image.
True
False
True
Which field of Kubernetes pod definition file corresponds to the entrypoint instruction in the Dockerfile?
ENTRYPOINT instruction in Dockerfile corresponds to command in kubernetes definition file
ENTRYPOINT instruction in Dockerfile corresponds to args in kubernetes definition file
CMD instruction in Dockerfile corresponds to args in kubernetes definition file
CMD instruction in Dockerfile corresponds to command in kubernetes definition file
ENTRYPOINT instruction in Dockerfile corresponds to command in kubernetes definition file
CMD instruction in Dockerfile corresponds to args in kubernetes definition file
How do you set environment variables in a pod definition file?
Using environment section
Using env section
Using env_var section
Using variables section
Using env section
Which statement best describes the readiness probe?
The kubelet uses readiness probes to know when a container is ready to start accepting traffic.
The kubelet uses readiness probes to know when to restart a container
The readiness probes run on the container during its entire lifecycle.
The kubelet uses readiness probes to know when a container is ready to start accepting traffic.
The readiness probes run on the container during its entire lifecycle.
Readiness probes are configured similarly to liveness probes. The only difference is that you use the readinessProbe field instead of the livenessProbe field.
True
False
True
What are the different types of probes?
Command
HTTP
TCP
CURL
Command
HTTP
TCP
If a readiness probe starts to fail, Kubernetes stops sending traffic to the pod until it passes.
True
False
True
The kubelet uses liveness probes to know when a container is ready to start accepting traffic.
True
False
False
Which statement best describes the liveness probe?
The kubelet uses liveness probes to know when a container is ready to start accepting traffic.
The kubelet uses liveness probes to know when to restart a container
The liveness probes may be configured with an HTTP test to check if a container is live.
The liveness probe runs before the readiness probe is run on the container
The kubelet uses liveness probes to know when to restart a container
The liveness probes may be configured with an HTTP test to check if a container is live.
Which of the following would be the result/state of a probe? Select the all right answers
SUCCESS
FAILURE
UNKNOWN
PENDING
SUCCESS
FAILURE
UNKNOWN
If a Container does not provide a liveness probe, the default state is Failure.
True
False
False
If the liveness probe fails, the kubelet kills the container, and the container is subjected to its restart policy.
True
False
True
Liveness probes let Kubernetes know if your app is alive or stuck/dead.
True
False
True
The traffic from a web server fetching data from a database server may be categorized as
Ingress
Egress
Egress
Which of the following solutions support network policies?
kube-router
Calico
Flannel
Weave-Net
kube-router
Calico
Weave-Net
Which of the following statements best describes Kubernetes network policies?
If you want to control traffic flow at the IP address or port level, then you might consider using Kubernetes NetworkPolicies.
NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network
Network Policies are implemented by the network plugin
Pods become isolated by having a NetworkPolicy that selects them
If you want to control traffic flow at the IP address or port level, then you might consider using Kubernetes NetworkPolicies.
NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network
Network Policies are implemented by the network plugin
Pods become isolated by having a NetworkPolicy that selects them
Kubernetes Network Policies can control traffic flow at the OSI layer 3 or 4.
True
False
True
By default, pods are isolated; they block traffic from any source.
True
False
False
What is the default traffic flow configuration between pods in a Kubernetes cluster?
All traffic is allowed between different pods in the cluster
All traffic is denied between different pods in the cluster
Traffic between different pods must be explicitly allowed using rules
All traffic is allowed between different pods in the cluster
Which of the following statements is true without any change made to the default behaviour of network policies in the namespace?
As soon as a network policy is associated with a POD, traffic between all PODs in the namespace is denied
As soon as a network policy is associated with a POD, all ingress and egress traffic to that POD is denied except what the network policy allows
As soon as a network policy is associated with a POD, all ingress and egress traffic to that POD is allowed except what the network policy blocks
As soon as a network policy is associated with a POD, all ingress and egress traffic to that POD is denied except what the network policy allows
Isolation is per direction: a policy isolates only the directions listed in its policyTypes (Ingress by default, Egress only when listed explicitly or when the policy has egress rules), and the traffic allowed to a POD is the union of the rules of every policy that selects it.
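Added example for the network policy cards above (not part of the original deck): a small Python model of NetworkPolicy evaluation showing default allow, isolation only for pods a policy selects, per-direction isolation via policyTypes, namespace scoping of a bare podSelector, and the union of allow rules. The pods, namespaces and policies are constructed for illustration; ipBlock peers and named ports are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class Policy:
    namespace: str
    pod_selector: dict                 # matchLabels; {} selects every pod in the namespace
    ingress: list = field(default_factory=list)  # rules: {"from": [peers], "ports": [...]}
    egress: list = field(default_factory=list)   # rules: {"to": [peers], "ports": [...]}
    policy_types: list = None          # None -> Kubernetes default (see types())

    def types(self):
        if self.policy_types is not None:
            return set(self.policy_types)
        # Default: Ingress always, Egress only if egress rules are present.
        return {"Ingress"} | ({"Egress"} if self.egress else set())


def selects(match_labels, labels):
    """matchLabels semantics: every key must be present with that value; {} matches all."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def peer_matches(peer, pod, policy_ns, ns_labels):
    """Does one entry of a rule's from/to list match `pod`?"""
    if "ipBlock" in peer:
        return False  # pod-to-pod traffic only in this model
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], ns_labels.get(pod.namespace, {})):
            return False
    elif pod.namespace != policy_ns:
        return False  # a bare podSelector only reaches the policy's own namespace
    if "podSelector" in peer and not selects(peer["podSelector"], pod.labels):
        return False
    return True


def port_matches(rule, port, proto):
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed: any port
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)


def allowed(src, dst, port, policies, ns_labels, proto="TCP"):
    """Is src -> dst:port permitted? dst's ingress side and src's egress side must both pass."""

    def side(pod, direction, other):
        key = "from" if direction == "Ingress" else "to"
        applicable = [p for p in policies
                      if p.namespace == pod.namespace and direction in p.types()
                      and selects(p.pod_selector, pod.labels)]
        if not applicable:
            return True  # pod is not isolated in this direction: default allow
        for policy in applicable:  # allow rules of all selecting policies are unioned
            for rule in (policy.ingress if direction == "Ingress" else policy.egress):
                peers = rule.get(key) or []
                peer_ok = not peers or any(peer_matches(p, other, pod.namespace, ns_labels) for p in peers)
                if peer_ok and port_matches(rule, port, proto):
                    return True
        return False

    return side(dst, "Ingress", src) and side(src, "Egress", dst)


# Constructed sample cluster: a web tier and a database in "prod", a look-alike pod in "dev".
NS_LABELS = {"prod": {"env": "prod"}, "dev": {"env": "dev"}}
WEB = Pod("web", "prod", {"role": "web"})
DB = Pod("db", "prod", {"role": "db"})
SCANNER = Pod("scanner", "dev", {"role": "web"})  # same label, other namespace

# Only the web tier may reach the database, and only on 3306.
DB_INGRESS = [Policy("prod", {"role": "db"},
                     ingress=[{"from": [{"podSelector": {"role": "web"}}],
                               "ports": [{"port": 3306, "protocol": "TCP"}]}])]
# An egress-only policy with no rules cuts the database off from initiating anything.
DB_INGRESS_AND_DENY_EGRESS = DB_INGRESS + [Policy("prod", {"role": "db"}, policy_types=["Egress"])]

if __name__ == "__main__":
    print(allowed(WEB, DB, 3306, DB_INGRESS, NS_LABELS))      # True
    print(allowed(SCANNER, DB, 3306, DB_INGRESS, NS_LABELS))  # False: wrong namespace
    print(allowed(DB, WEB, 8080, DB_INGRESS_AND_DENY_EGRESS, NS_LABELS))  # False
```

The two results to note: with only DB_INGRESS in place the database can still open connections anywhere, because it is not isolated for egress; and the scanner pod in dev is refused even though it carries the same role=web label, because a podSelector without a namespaceSelector never reaches outside the policy's namespace.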
Which statements best describe Docker volume plugins?
Docker Engine volume plugins enable Engine deployments to be integrated with external storage systems such as Amazon EBS
The local volume plugin helps to create a volume on the Docker host and store its data under the /var/lib/docker/volumes/ directory.
ZFS, BTRFS and Device Mapper are some of the supported volume drivers
Volume plugins should not write data to the /var/lib/docker/ directory, including /var/lib/docker/volumes.
Docker Engine volume plugins enable Engine deployments to be integrated with external storage systems such as Amazon EBS
The local volume plugin helps to create a volume on the Docker host and store its data under the /var/lib/docker/volumes/ directory.
Volume plugins should not write data to the /var/lib/docker/ directory, including /var/lib/docker/volumes.
Which of the following is the default volume driver plugin used by Docker Engine?
BlockBridge
local
DRBD
Flocker
local
What are the types of volumes that Kubernetes supports?
hostPath
configMap
emptyDir
local
hostPath
configMap
emptyDir
local
Which statements best describe emptyDir volume type?
An emptyDir volume is first created when a Pod is assigned to a node, and still exists after a pod termination.
An emptyDir volume is first created when a Pod is assigned to a node, and exists as long as that Pod is running on that node.
The emptyDir volume is initially empty
When a Pod is removed from a node for any reason, the data in the emptyDir is deleted permanently
An emptyDir volume is first created when a Pod is assigned to a node, and exists as long as that Pod is running on that node.
The emptyDir volume is initially empty
When a Pod is removed from a node for any reason, the data in the emptyDir is deleted permanently
Which statements best describe the hostPath volume type?
A hostPath volume mounts a file or directory from the host node’s file system into your Pod.
Running a container that needs access to Docker internals, use a hostPath of /var/lib/docker
You either need to run your process as root in a privileged Container or modify the file permissions on the host to be able to write to a hostPath
The hostPath volume type is initially empty
A hostPath volume mounts a file or directory from the host node’s file system into your Pod.
You either need to run your process as root in a privileged Container or modify the file permissions on the host to be able to write to a hostPath
Because a hostPath exposes the node's file system to the Pod, a writable hostPath (above all /var/lib/docker or /) is a route to node compromise; the restricted Pod Security Standard forbids hostPath volumes, and admission policy should limit them to trusted system workloads.
Which statements best describe Persistent Volume in Kubernetes?
A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class
It is a resource in the cluster just like a node is a cluster resource.
PVs are volume plugins like Volumes
PVs are not volume plugins
A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class
It is a resource in the cluster just like a node is a cluster resource.
PVs are volume plugins like Volumes
A Persistent Volume is a cluster-wide pool of storage volumes.
True
False
True
What is the command to list the persistent volumes?
kubectl list pv
kubectl get pv
kubectl get persistentvolume
kubectl list persistentvolume
kubectl get pv
kubectl get persistentvolume
What is the command to delete the persistent volumes?
kubectl delete pv PV-NAME
kubectl del pv PV-NAME
kubectl rm pv PV-NAME
kubectl erase pv PV-NAME
kubectl delete pv PV-NAME
What is the status of a volume after it is created but not yet bound to a claim?
Available
Bound
Released
Failed
Available
What is the status of a volume when it is associated with a claim?
Available
Bound
Released
Failed
Bound
What are the different access modes configurable on a persistent volume?
ReadOnlyMany
ReadWrite
ReadWriteMany
ReadOnly
ReadWriteOnce
ReadOnlyMany
ReadWriteMany
ReadWriteOnce
Once the Persistent Volume Claim is created, you need to manually bind the persistent volumes to claim.
True
False
False
Which statements best describe a PersistentVolumeClaim?
A PersistentVolumeClaim (PVC) is a request for storage by a user.
A PVC will be automatically bound to a PV on creation when a PV is available
Claims can request specific size and access modes
A PVC will not automatically bound to a PV on creation of a PV
A PersistentVolumeClaim (PVC) is a request for storage by a user.
A PVC will be automatically bound to a PV on creation when a PV is available
Claims can request specific size and access modes
A PV of 100 GB is in an available state. A PVC with a requirement of 50 GB storage is created. What would happen if there are no other PVs or PVCs created?
The PVC would bind to the PV with 100 GB
The PVC will be in a pending state as there is no PV with the same amount of storage
The PVC would bind to the PV with 100 GB
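Added example for the PV and PVC cards above (not part of the original deck): a Python model of how a claim is matched to a volume, covering the card's case of one oversized PV and going beyond it to show that the smallest adequate volume wins and that a missing access mode leaves the claim Pending. The PV inventory is constructed; node affinity, volumeName pre-binding and label selectors are left out of the model.

```python
import re

_UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}


def parse_quantity(q: str) -> int:
    """Convert a Kubernetes quantity such as '50Gi' or '100G' to bytes (integer quantities only)."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|Ti|K|M|G|T)?", q.strip())
    if not m:
        raise ValueError(f"unsupported quantity {q!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def bind(pvs, pvc):
    """Return the name of the PV the control plane would bind `pvc` to, or None (claim stays Pending).

    Criteria modelled: the PV must be Available, carry the same storageClassName ('' = no class),
    have capacity >= the request, and offer every access mode the claim asks for. Among the
    candidates the smallest PV is chosen, so the least capacity is wasted.
    """
    wanted = parse_quantity(pvc["request"])
    candidates = [pv for pv in pvs
                  if pv["status"] == "Available"
                  and pv.get("storageClassName", "") == pvc.get("storageClassName", "")
                  and parse_quantity(pv["capacity"]) >= wanted
                  and set(pvc["accessModes"]) <= set(pv["accessModes"])]
    if not candidates:
        return None
    return min(candidates, key=lambda pv: parse_quantity(pv["capacity"]))["name"]


# Constructed sample inventory, the kind of thing `kubectl get pv` shows.
PVS = [
    {"name": "pv-100", "capacity": "100Gi", "accessModes": ["ReadWriteOnce"], "status": "Available"},
    {"name": "pv-60", "capacity": "60Gi", "accessModes": ["ReadWriteOnce"], "status": "Available"},
    {"name": "pv-bound", "capacity": "50Gi", "accessModes": ["ReadWriteOnce"], "status": "Bound"},
]
CLAIM_RWO = {"request": "50Gi", "accessModes": ["ReadWriteOnce"]}
CLAIM_RWX = {"request": "50Gi", "accessModes": ["ReadWriteMany"]}

if __name__ == "__main__":
    print(bind(PVS[:1], CLAIM_RWO))  # pv-100: the card's case, one oversized PV
    print(bind(PVS, CLAIM_RWO))      # pv-60: smallest adequate volume wins
    print(bind(PVS, CLAIM_RWX))      # None: no PV offers ReadWriteMany
```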
What happens to the PV by default when the associated PVC is deleted?
The PV is deleted automatically.
The PV is left as is until it is manually deleted by an administrator
The data in the PV is scrubbed and the PV is made available for other PVCs
The PV is left as is until it is manually deleted by an administrator
This is the Retain reclaim policy, the default for manually created PVs; dynamically provisioned PVs inherit the reclaimPolicy of their StorageClass, which defaults to Delete.
Which statement best describes a Kubernetes Storage Class?
A StorageClass provides a way for administrators to describe the “classes” of storage they offer
Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy.
Any user can set the name and other parameters of a class when first creating StorageClass objects
The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.
A StorageClass provides a way for administrators to describe the “classes” of storage they offer
Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy.
The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.
What is the kubectl command to list the storage classes in kubectl?
kubectl list sc
kubectl get sc
kubectl get storageclass
kubectl list storageclass
kubectl get sc
kubectl get storageclass
What is the sequence of operations to be followed while configuring a storage class for an application?
Create a storage class with a provisioner, create a persistent volume with definition using the storage class, create a PVC and then use the PVC in the volumes section in the pod definition file
Create a storage class with a provisioner, create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file
Create a storage class, and use it directly in the volumes section in the pod definition file
Create a storage class with a provisioner, create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file
A ReplicaSet is one of the Kubernetes controllers?
True
False
True
What is a Label in Kubernetes?
A way to expose traffic
A type of Deployment
A way to group related things using key/value pairs
None of the above
A way to group related things using key/value pairs
What is the command to delete a replication controller nginx?
kubectl get rc nginx
kubectl remove rc nginx
kubectl rm rc nginx
kubectl delete rc nginx
kubectl delete rc nginx
What is the flag that you use along with the kubectl create command to deploy multiple instances of an application in Kubernetes?
--image
--label
--replicas
--scale
--replicas
Where do you configure the selector labels in the deployment YAML file?
metadata.selector
spec.selector
spec.template.selector
spec.template.metadata.selector
spec.selector
How do you add labels to a pod in a pod definition YAML file?
labels
spec.labels
spec.containers.labels
metadata.labels
metadata.labels
What are the 4 top level fields of a Kubernetes definition file for ConfigMap?
apiVersion
templates
metadata
data
kind
spec
containers
apiVersion
metadata
data
kind
What is the command to delete the pod busybox?
kubectl pod delete busybox
kubectl delete busybox
kubectl delete pod/busybox
kubectl pod busybox –delete
kubectl delete pod/busybox
What is the command to deploy a pod with the name jenkins and image jenkins?
kubectl deploy jenkins –image jenkins
kubectl run jenkins –image jenkins
kubectl start -it jenkins sh
kubelet run jenkins –image jenkins
kubectl run jenkins –image jenkins
Which of the following are the container runtimes that Kubernetes supports?
Docker
Containerd
CRI-O
LXC
Docker
Containerd
CRI-O
Docker Engine was supported through the dockershim adapter, which was removed in Kubernetes 1.24; it now requires cri-dockerd, while containerd and CRI-O implement the Container Runtime Interface directly.
What is a component of the Kubernetes control plane that allows external users or services to manage the Kubernetes cluster?
Kubernetes Scheduler
ETCDCTL
Kube API Server
Kube Proxy
Kube API Server
Which of the following are components deployed only on a Master Node in a Kubernetes cluster?
Kube Scheduler
Kube Controller Manager
Kube Api-server
Kubelet
Kube-Proxy
Kube Scheduler
Kube Controller Manager
Kube Api-server
ETCD by default listens on port 2780.
True
False
False
etcd listens on port 2379 for client requests and 2380 for peer communication by default.
Which statements best describe the Worker Node components?
kubelet and container runtime are worker node components
kube-proxy is one of the worker node components
kube-scheduler is one of the worker node components
All of the above
kubelet and container runtime are worker node components
kube-proxy is one of the worker node components
Which of the below are the container orchestration tools?
Kubernetes
Docker Swarm
Google Compute Engine
Apache Mesos
ETCD
Kubernetes
Docker Swarm
Apache Mesos
What is the command to list all the pods that are in the netpol namespace?
kubectl list pods -n netpol
kubectl get pods
kubectl get pods -n netpol
kubectl get pods -n netpol
Which statement best describes deployment in Kubernetes? Select all the answers that apply.
Deployments create PODs and not ReplicaSets.
Deployments create ReplicaSets that create PODs.
Deployments support rolling updates and roll backs of applications.
Deployments support rolling updates but not roll backs.
Deployments create ReplicaSets that create PODs.
Deployments support rolling updates and roll backs of applications.
Where do you configure the pod images in the deployment YAML file?
metadata. image
spec. containers.image
spec. template.spec.containers.image
spec. template.containers.image
spec.template.spec.containers.image
What kubectl command can be used to perform a Deployment update?
kubectl set image
kubectl rollout update
kubectl rolling-update
kubectl update
kubectl set image
Which of the following are the deployment strategy types in Kubernetes?
RollingUpdate
BlueGreen
Canary
Recreate
RollingUpdate
Recreate
Each container inside a POD does not get its own IP address assigned. All containers inside a POD share a single IP address.
True
False
True
Which among the following statements are true without any change made to the default behaviour of network policies in the namespace?
As soon as a network policy is associated with a POD traffic between all PODs in the namespace is denied
As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except those allowed by the network policy
As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are allowed except for the the ones blocked by the network policy
As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except those allowed by the network policy
Which of the following statements are correct about ClusterIP?
ClusterIP exposes a service on the same port as that of the exposed port on containers in the PODs.
ClusterIP exposes a service on a virtual IP that is reachable only from inside the cluster.
ClusterIP exposes a service to make it externally accessible on a port on the nodes.
None of the Above
ClusterIP exposes a service on a virtual IP that is reachable only from inside the cluster.
The command and arguments that you define in the Kubernetes definition file override the default command and arguments configured in the container image.
True
False
True
How do you set environment variables in a pod definition file?
Using environment section
Using env section
Using env_var section
Using variables section
Using env section
Which command is used to make some changes into the already existing PersistentVolumeClaim mysql-pvc?
kubectl describe pvc mysql-pvc
kubectl get pvc mysql-pvc
kubectl pvc edit mysql-pvc
kubectl edit persistentvolumeclaim mysql-pvc
kubectl edit persistentvolumeclaim mysql-pvc
What is the command to display details of the secret user-list?
kubectl get secret user-list
kubectl describe secret user-list
kubectl list secret user-list
kubectl get secret user-list --details
kubectl describe secret user-list
Which statement best describes the readiness probe?
The kubelet uses readiness probes to know when a container is ready to start accepting traffic.
The kubelet uses readiness probes to know when to restart a container
The Readiness probes run on the container during its whole lifecycle.
All of the above
The kubelet uses readiness probes to know when a container is ready to start accepting traffic.
The Readiness probes run on the container during its whole lifecycle.
Which of the following statements best describes Kubernetes network policies?
Consider using Kubernetes NetworkPolicies if you want to control traffic flow at the IP address or port level.
NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network
Network Policies are implemented by the Kubernetes NetworkPolicy Controller
All of the above
Consider using Kubernetes NetworkPolicies if you want to control traffic flow at the IP address or port level.
NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network
Which service type is used to expose applications outside the Kubernetes cluster?
NodePort
ClusterIP
ExternalName
ElasticLoadBalancer
NodePort
If .spec.strategy.type is set to RollingUpdate, then all new PODs are created first and then all existing pods are killed at once.
True
False
False
Which kubectl command is used to display more details of the storage classes?
kubectl list sc
kubectl info sc
kubectl describe storageclass
kubectl list storageclass
kubectl describe storageclass
Which of the following is not backed up when performing a Docker Trusted Registry (DTR) metadata backup?
- Repository metadata
- DTR configurations
- Docker images
- Role-based access control (RBAC) settings
Docker images
A DTR metadata backup does not include the images themselves.
Which of the following commands will ensure that a container uses a maximum of 1 GB of active memory?
docker run --memory-swap 2G nginx
docker run --memory 1G nginx
docker run --memory-reservation 1G nginx
docker run --memory-swap 2G --memory-reservation 1G nginx
docker run --memory 1G nginx
We have set a value for “log-level” in /etc/docker/daemon.json. How would we set up the same value by passing a flag to dockerd instead?
Pass the --debug flag to dockerd.
Pass the --log flag to dockerd.
Pass the --log-level flag to dockerd.
Pass the --logging flag to dockerd.
Pass the --log-level flag to dockerd
The dockerd flags share the same names as the values set in /etc/docker/daemon.json
Dave needs Docker to use a custom stop signal for halting his software. How can he build an image that will instruct Docker on which stop signal to use?
- Dave should use the STOPSIGNAL directive
- Dave should locate the process and kill it manually
- Dave should use the STOP directive
- Dave should use the docker stop command.
- Dave should use the STOPSIGNAL directive
The STOPSIGNAL directive instructs Docker on which stop signal to use for halting a container process.
How is the ADD directive different from COPY? (Choose two)
- The ADD directive can extract an archive into the image.
- The ADD directive can pull a file from an external URL.
- The ADD directive can transfer a specific file between build stages.
- The ADD directive can transfer files over to a specific location inside the image
- The ADD directive can extract an archive into the image.
“The ADD directive can extract archives while the COPY directive cannot.”
- The ADD directive can pull a file from an external URL.
“The ADD directive can pull from a URL while COPY cannot”
What does the HEALTHCHECK directive do?
It sets a command that will be used by the Docker daemon to determine whether the container is healthy.
It sets a command that will be used to fix the container if it becomes unhealthy.
It restarts the container if it becomes unhealthy.
It sets a command that will be used to inform the container of the health status of the docker daemon.
- It sets a command that will be used by the Docker daemon to determine whether the container is healthy.
“The HEALTHCHECK directive sets a command that is used to determine container health.”
How would we go about keeping track of changes made to an image in source control (i.e., git)?
We would use Docker Trusted Registry (DTR) to handle this.
We would push the image layers to a source control repository.
Maintain tags for each new version within the Docker registry.
We would store the Dockerfile in source control.
- We would store the Dockerfile in source control.
“We can keep the Dockerfile in source control to track any changes made to the Dockerfile.”
What would be the runtime working directory of a container built from the following Dockerfile?
FROM alpine
WORKDIR /x
WORKDIR /y
WORKDIR z
CMD pwd
- /z
- /
- /x
- /y/z
/y/z
This would be the runtime working directory because WORKDIR /y sets up an absolute directory, and then WORKDIR z sets the directory relative to /y.
How can we flatten an existing multi-layered image into a single layer?
We can use a multi-stage build.
We can use the --flatten flag with the docker build command.
We would not include any RUN directives in our Dockerfile.
We can run a container from the image, export it, and then import it as a new image.
- We can run a container from the image, export it, and then import it as a new image.
“This procedure will flatten an image into a single layer.”
A Kubernetes ClusterIP service called user-db exists in the auth-gateway namespace. The user-db Service’s cluster IP is 10.23.254.63. Which of the following addresses could be used to communicate with this service from a pod located in the default namespace?
10-23-254-63.auth-gateway.pod.cluster.local
10.23.254.63
user-db
The shortened domain name can only be used to reach the Service from within the same Namespace.
user-db.auth-gateway.svc.cluster.local
- 10.23.254.63
“The Service’s cluster IP address can be used to communicate with the Service from anywhere within the cluster.”
- user-db.auth-gateway.svc.cluster.local
“The Service’s fully-qualified domain name can be used to locate the Service, even from another Namespace.”
Daniel has some nodes with labels that specify the availability zone of each node. He wants to run a service whose tasks can run on any node that does not have the label availability_zone=east. Which command should he use?
docker service create --placement-pref node.labels.availability_zone==west nginx
docker service create --constraint node.labels.availability_zone!=east nginx
docker service create --label node.labels.availability_zone!=east nginx
docker service create --constraint node.labels.availability_zone==west nginx
docker service create --constraint node.labels.availability_zone!=east nginx
“This command will prevent the service’s tasks from running on nodes with the availability_zone==east label.”
What command would we use to locate the layered file system data for an image on a machine?
docker image layers
docker image inspect
docker layer inspect
docker pull history
docker image inspect
The docker image inspect command will return the image metadata, including the location of the layered file system data.
How can we use multi-stage builds to generate small, efficient Docker images?
We can leverage the implementation of multi-stage builds, which will shorten the build processing times.
We can copy only specific files from previous stages so that we can keep the image as small as possible.
We can build the image, and then run diagnostics on it in a separate stage to make it more efficient.
We can use separate build stages to delete files from the image.
- We can copy only specific files from previous stages so that we can keep the image as small as possible.
“This is the primary use case for multi-stage builds.”
What is the primary purpose of a Docker registry?
It stores and organizes Dockerfiles.
It builds images.
It provides a central location for storing and distributing images.
Scan images for vulnerabilities.
- It provides a central location for storing and distributing images.
“This is what a Docker registry does.”
What tool should we use if we need to manage a multi-container application as a unit on a single Docker host?
We should use Docker Compose.
We should use Docker Swarm.
We should use a Docker stack.
We should execute docker-run.
- We should use Docker Compose.
“Docker Compose allows us to manage complex, multi-container applications on a single host.”
Eric has an application that consists of multiple different containers that interact with one another. What should he use to manage this application in a Docker Swarm?
Eric should use docker-compose.
Eric should use a service with multiple tasks.
Eric should use a task.
Eric should use a stack.
- Eric should use a stack.
“Docker stacks are designed for managing multi-container applications in a swarm.”
Which of the following scenarios would still maintain quorum in a swarm cluster? (Choose two)
A 3-node cluster with 2 nodes down.
A 3-node cluster with 1 node down.
A 7-node cluster with 3 nodes down.
A 4-node cluster with 2 nodes down.
- A 3-node cluster with 1 node down.
“More than half of the nodes are still up, so the quorum is maintained in this scenario.”
- A 7-node cluster with 3 nodes down.
“More than half of the nodes are still up, so the quorum is maintained in this scenario.”
What flag should we use to specify a custom volume driver when creating a volume alongside a service with docker service create?
--driver
--volume-driver
--mount volume-driver=
--volumedriver
--mount volume-driver=
“This will create the volume with the specified driver.”
Which of the following is true of filesystem storage models? (Choose two)
They are efficient with write-heavy workloads.
They store data in regular files on the host machine.
They are used by overlay2 and aufs.
They use an external, object-based store.
- They store data in regular files on the host machine.
“Filesystem storage models simulate a file system and store the data in regular files on the host machine.”
- They are used by overlay2 and aufs.
“The overlay2 and aufs storage drivers both use filesystem storage models.”
Which of the following statements about the overlay network driver is accurate?
Networking components are created on nodes dynamically when tasks get scheduled on the node.
The network must be set up manually on each node.
The network is set up on every node in the cluster as soon as the network is created.
The overlay driver only allows communication between containers running on the same host.
- Networking components are created on nodes dynamically when tasks get scheduled on the node.
“The overlay network driver dynamically creates networking components on the node when a relevant task gets scheduled on that node.”
Which of the following commands will attach the tasks of a new service to an existing overlay network called my-overlay?
docker service create --network-driver overlay nginx
docker service create --n my-overlay nginx
docker service create --network my-overlay nginx
docker service create --attach my-overlay nginx
- docker service create --network my-overlay nginx
“This command will attach the service’s tasks to a specified network.”
Which of the following commands will create a new bridge network?
docker network create --network-driver bridge my-network
docker network create --driver overlay my-network
docker network create --network bridge my-network
docker network create my-network
- docker network create my-network
“Since bridge is the default driver, a new bridge network is created even when --driver is not specified.”
What Linux feature does Docker use to allow containers to listen on ports lower than 1024 without running as root on the host?
Capabilities
Namespaces
Linux jails
Control Groups
- Capabilities
“Capabilities are used by Docker to provide granular permissions to container processes, such as listening on low ports without the need for root access.”
Which of the following is not a namespace used by Docker?
pid
uts
net
mem
- mem
“This is not a namespace used by Docker.”
How can we provide custom certificates to the Universal Control Plane (UCP) and Docker Trusted Registry (DTR)?
We can push new certificates via the UCP web API.
We must supply the certificates during the UCP and DTR installation process.
docker ucp config --cert
We can upload certificates via the UCP and DTR web UIs.
- We can upload certificates via the UCP and DTR web UIs.
“We can upload certificates in the administrative settings section for both UCP and DTR.”
Which command allows us to create an encrypted overlay network?
docker network create --opt encrypted my-net
docker network create --encrypted --driver overlay my-net
docker network create --secure --driver overlay my-net
docker network create --opt encrypted --driver overlay my-net
- docker network create --opt encrypted --driver overlay my-net
“This command will create an encrypted overlay network.”
What is the name of the Docker feature that enables us to sign images and verify image signatures before running them?
Docker Image Trust
Docker registry
Docker Content Trust
Docker Trusted Registry
- Docker Content Trust
“Docker Content Trust allows us to sign images and verify signatures before running them.”
We have a group of people who need similar permissions in Universal Control Plane (UCP). How can we manage their permissions as a group without having to assign individual permissions to each user manually?
Add grants to one user to give them the permissions they need, and then copy that user’s permissions to the other users.
Create a role with several permissions assigned, and then assign each user to that shared role.
Assign the users to a team, and then assign grants to the entire team, giving them the permissions they need.
Create a GrantBundle and assign it to each user.
- Assign the users to a team, and then assign grants to the entire team, giving them the permissions they need.
“UCP uses teams to manage users who all need the same set of permissions.”
Dylan is getting ready to run a container. He needs this container to auto-restart whenever its process exits, but he doesn’t want it to restart if the container was manually stopped earlier. Which restart policy should he use?
unless-stopped
on-failure
always
manual-control
- unless-stopped
“This restart policy will always restart the container unless it was stopped explicitly.”
What procedure should we follow to upgrade the Docker engine on an Ubuntu server?
Install newer versions of the docker-ce and docker-ce-cli packages.
Stop Docker, remove the packages, and then reinstall the packages with a newer version.
Remove all containers, stop Docker, and then install the newer version.
Stop Docker, then install the packages with the newer version.
- Install newer versions of the docker-ce and docker-ce-cli packages.
“We must install newer versions of the packages in order to upgrade Docker.”
What Linux feature does Docker use in order to limit memory usage for containers?
Capabilities
The mem namespace.
Control groups (cgroups)
Namespaces
- Control groups (cgroups)
“Docker uses cgroups to limit memory usage for containers.”
Which of the following is true about the creation of private Docker registries?
We cannot secure a private registry in Docker Community Edition (CE).
We can create our own registry by running a container with the registry image.
We need Docker Trusted Registry (DTR) present if we want to run a private registry.
We need a Docker EE license to have our own private registry created.
- We can create our own registry by running a container with the registry image.
“Running this image will create a private Docker registry.”
What does the CMD directive do?
It runs a command on the host when the container starts.
It sets the default command for the image that runs if no other command is specified.
It runs a command within the image and commits the result.
It executes a command during the build process.
- It sets the default command for the image that runs if no other command is specified.
“The CMD directive sets the default command.”
What type of data exists in the writable file system layer created by a container?
The data would consist of only container logs.
It would be only the data from the base image.
The data would consist of only changes from the previous layer that were made by the container.
A snapshot of all of the data in its current state would reside in the layer.
- The data would consist of only changes from the previous layer that were made by the container.
“Each file system layer contains only the changes made from the previous layer.”
Which of the following commands can we use to view detailed metadata about a container? (Choose two)
docker query
docker metadata
docker inspect
docker container inspect
- docker inspect
“This command will allow us to query metadata about any Docker object.”
- docker container inspect
“This command will allow us to find metadata about any container.”
What command would we use to list the services that are part of a stack called web-store?
docker service ls web-store
docker stack services web-store
docker stack ps web-store
docker service ls
- docker stack services web-store
“This command will list the services that are part of the stack.”
We have some containerized software that needs to have a reference to the hostname of the node that the software is running on. Which of the following commands will let us pass the node hostname as an environment variable into each task in a service?
docker service create --pass-node-hostname=true nginx
docker service create --env NODE_HOSTNAME="{{Hostname}}" nginx
docker service create --env NODE_HOSTNAME="{{.Node.Hostname}}" nginx
docker service create -e NODE_HOSTNAME nginx
- docker service create --env NODE_HOSTNAME="{{.Node.Hostname}}" nginx
“This command will create an environment variable in each task that contains the node hostname.”
What command should we use if we want to view logs for all of the tasks in a service called my-service?
docker container logs my-service
docker task logs my-service
docker logs my-service
docker service logs my-service
- docker service logs my-service
“This command will retrieve logs for all of the tasks in the service.”
How would we rotate a docker swarm unlock-key and ensure that all nodes receive the new key?
We would run the docker swarm unlock-key --rotate command on one manager node.
We would generate a new key and save it in a file located at /etc/docker/swarm/unlock.key.
We can use the docker swarm unlock command.
We would run the docker swarm unlock-key --rotate command on all manager nodes.
- We would run the docker swarm unlock-key --rotate command on one manager node.
“This command will automatically rotate the key and handle all orchestration between nodes.”
Which of the following configurations would be best for enabling direct-lvm mode with devicemapper?
Set dm.directlvm_device in /etc/docker/daemon.json.
Set dm.mode=direct-lvm in /etc/docker/daemon.json.
Set dm.direct-lvm=true in /etc/docker/daemon.json.
Set dm.loop-lvm=false in /etc/docker/daemon.json.
- Set dm.directlvm_device in /etc/docker/daemon.json.
“We can enable direct-lvm by setting this value in daemon.json to a block storage device.”
Anastasia has created a container with a volume called shared-data. She wants to create a new container that can access the same data as the first container, but she wants this new container only to be able to read the data, not modify it. How can she accomplish this?
This task is not possible for Anastasia to complete because we cannot mount the same volume to two containers.
Anastasia can use docker run --name new-container -v shared-data:/tmp:ro nginx.
Anastasia can create a bind mount for the new container that points to the physical location of the shared volume on the host.
Anastasia can use docker run --name new-container -v shared-data:/tmp nginx.
- Anastasia can use:
docker run --name new-container -v shared-data:/tmp:ro nginx
“This command will mount the shared volume to the new container in read-only mode.”
What volume driver allows you to create and access external storage that can be shared across a Docker Swarm cluster using SSH?
overlay2
overlay
devicemapper
vieux/sshfs
vieux/sshfs
“This is a custom driver that uses SSH to access remote storage from any node in the cluster.”
Which of the following statements about Docker image vulnerability scanning is accurate?
Docker Enterprise Edition (EE) will prevent you from running images that contain vulnerabilities.
We need a Docker Enterprise Edition (EE) license to scan images within our registry.
Docker Trusted Registry (DTR) will scan all images by default.
Image vulnerability scanning inspects images before they’re running on a host.
- We need a Docker Enterprise Edition (EE) license to scan images within our registry.
“We need Docker Trusted Registry to scan images within our registry, which requires Docker EE.”
How can you enable Docker Content Trust (DCT) in Docker Community Edition (CE)?
Set the CONTENT_TRUST environment variable to 1.
Pass the --content-trust flag to dockerd.
Set "content-trust": true in /etc/docker/daemon.json.
Set the DOCKER_CONTENT_TRUST environment variable to 1.
- Set the DOCKER_CONTENT_TRUST environment variable to 1.
“Setting this environment variable to 1 will enable DCT.”
Which of the following is a secure method for allowing a Docker client to authenticate with a registry that uses a self-signed certificate?
docker login --trust-ca
docker login --accept-cert
We add the registry to the insecure-registries list in /etc/docker/daemon.json.
We add the self-signed certificate as a trusted registry certificate under /etc/docker/certs.d/.
- We add the self-signed certificate as a trusted registry certificate under /etc/docker/certs.d/.
“Utilizing /etc/docker/certs.d/ is the secure way to authenticate with a registry that uses a self-signed certificate.”
Which of the following is the correct docker image address to be used to access an image named payapp hosted under the organization payroll at a private registry registry.company.io?
registry.company.io/payroll/payapp
What will happen if --memory-swap is set to 0?
The setting is ignored, and the value is treated as unset.
Which of the following modes is used to configure the device-mapper storage driver?
loop-lvm
direct-lvm
Which statements best describe a PersistentVolumeClaim?
A PersistentVolumeClaim (PVC) is a request for storage by a user.
A PVC will be automatically bound to a PV on creation when a PV is available
Claims can request specific size and access modes
Where do you configure the configMapKeyRef in a pod to use environment variables defined in a ConfigMap?
spec.containers.env.valueFrom
Run a webapp container, and make sure that no logs are configured for this container.
docker run -it --log-driver none webapp
What is the command to rebalance the docker swarm cluster workloads?
docker service update --force
Which statements best describe Persistent Volume in kubernetes?
A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class
It is a resource in the cluster just like a node is a cluster resource.
Which option is used to change the default storage driver to use devicemapper?
{"storage-driver": "devicemapper"}
Which of the below can help minimize the image size?
Only install necessary packages within the image
Combine multiple dependent instructions into a single instruction and cleanup temporary files
Use multi-stage builds
Which command is used to delete the stopped containers?
docker container prune
docker container rm $(docker container ls -aq)
A government facility runs a secure data center with no internet connectivity. A new application requires access to Docker images hosted on Docker Hub. What is the best approach to solve this?
Pull the Docker images from a host with access to Docker Hub, convert them to a tarball using the docker image save command, copy the tarball to the restricted environment and extract it there.
Which of the below commands may be used to change the default logging driver to splunk?
echo '{"log-driver": "splunk"}' > /etc/docker/daemon.json
Which command can be used to enable the debugging mode on the Docker Host?
echo '{"debug": true}' > /etc/docker/daemon.json
Which command can be used to start the docker engine enterprise service on a systemctl configured system?
sudo systemctl start docker
What is a Linux feature that prevents a process within the container from performing filesystem-related operations such as altering attributes of certain files?
Kernel Capabilities
Which command can be used to list the tasks in a stack named webapp?
docker stack ps webapp
Which formula can be used to calculate the Quorum of N nodes?
N/2 + 1
Which of the following is the correct format for a CMD instruction?
CMD ["executable","param1","param2"]
CMD ["param1","param2"]
CMD command param1 param2
How would we go about backing up images in the Docker Trusted Registry (DTR)?
Back up everything in /var/lib/docker/volumes.
Run a docker pull on all of the images to transfer them to another host.
Execute a container using the dtr image with the backup-images command.
Create a backup of everything in the DTR image storage volume.
Create a backup of everything in the DTR image storage volume.
“To back up images, back up the contents of the volume DTR used to store images.”
/var/lib/docker/volumes//_data.
Volume Names: https://docs.mirantis.com/msr/2.8/ref-arch/volumes.html
dtr-ca-: Root key material for the MSR root CA that issues certificates
dtr-notary-: Certificate and keys for the Notary components
dtr-postgres-: Vulnerability scans data
dtr-registry-: Docker images data, if MSR is configured to store images on the local filesystem
dtr-rethink-: Repository metadata
dtr-nfs-registry-
How should we give a user permission to interact with the Docker daemon on a machine without giving them unnecessary additional access?
Give the user the root user credentials so they can run docker commands as root.
Add the user to the docker group.
Give the user the ability to run docker commands with sudo.
Have them log in as the docker user.
- Add the user to the docker group.
“Docker provides the docker group for the purpose of giving users access to Docker alone, without further privileges.”
Which of the following is not backed up when performing a Docker Trusted Registry (DTR) metadata backup?
Role-based access control (RBAC) settings.
DTR Configurations
Repository metadata.
Docker images.
- Docker images.
“A DTR metadata backup does not include the images themselves.”
Which of the following best describes the procedure for backing up Docker Trusted Registry (DTR) metadata?
Run a container from the dtr image with the backup command.
Create an archive for all of the data under the /var/data/dtr directory.
Run a container from the dtr image with the destroy command.
- Run a container from the dtr image with the backup command.
“This is the basic procedure for backing up DTR.”
What does the EXPOSE directive do?
It makes a container’s port accessible externally.
It automatically publishes ports when running a container.
It causes the container to listen on a port.
It documents ports intended for publishing at the time of running a container.
- It documents ports intended for publishing at the time of running a container.
“The EXPOSE directive documents the ports that should be published when running a container from the image.”
Amanda is having some network issues and needs to do some troubleshooting. How can she inject a nicolaka/netshoot container into the sandbox of an existing container called nginx-container?
Amanda can use docker run --inject-container nginx-container nicolaka/netshoot.
Amanda can use docker run --network nginx-container nicolaka/netshoot.
Amanda can use docker run --network container:nginx-container nicolaka/netshoot.
Amanda can use docker run --network-debug nginx-container nicolaka/netshoot.
Amanda can use:
docker run --network container:nginx-container nicolaka/netshoot
“This command will inject the netshoot container into the sandbox of the existing container.”
Which of the following network drivers is the default for connecting containers on the same host?
overlay
macvlan
host
bridge
- bridge
“The bridge network driver is the default and is used to connect containers on the same host.”
Given Docker’s architecture and built-in security features, which of the following security scenarios should we be concerned about the most?
If an attacker gains access to the Docker daemon, they could use it to execute commands as root on the host.
An attacker may intercept swarm-level traffic between swarm nodes and obtain sensitive information from the data.
If an attacker gains control of a container, they could use it to affect other containers on the same host directly.
An attacker could set up a false machine under their control and join it to the swarm cluster to steal sensitive data, causing containers with sensitive data to execute on a fake device.
- If an attacker gains access to the Docker daemon, they could use it to execute commands as root on the host.
“The Docker daemon must run as root, so it is essential to ensure that it is protected and that access to it is limited.”
Which of the statements best describe “Grants” in the Access Control Model?
Grants are effectively Access Control Lists (ACLs) that provide comprehensive access policies for an entire organization when grouped together.
Grants define which users can access what resources in what way.
- A grant is made up of
a subject
a role
a resource set
What is the type and the name of the network created for the DTR services to communicate with each other?
overlay/dtr-ol
Amanda wants to execute a one-time job using a Docker container. However, occasionally, this job fails and needs to restart. Amanda doesn’t want to restart it manually if it fails. Which command should she use to make sure that the container executes the one-time job successfully?
docker run --restart unless-stopped cleanup-job
docker run --recover-failure cleanup-job
docker run --restart failure-only cleanup-job
docker run --restart on-failure cleanup-job
docker run --restart on-failure cleanup-job
“This restart policy will only restart the container if it exits with a non-zero exit code.”
Bob has set up a new Docker server. The overlay2 driver is the default for the server, but he wants to use devicemapper instead. Which of the following are ways to implement this change?
Add the --storage-driver flag to the dockerd call in Docker’s unit file.
Reformat the storage disk.
Use a different Docker version.
Set storage-driver to devicemapper in /etc/docker/daemon.json.
- Add the --storage-driver flag to the dockerd call in Docker’s unit file.
“We can set the storage driver by passing the --storage-driver flag to dockerd.”
- Set storage-driver to devicemapper in /etc/docker/daemon.json.
“We can set the storage driver in /etc/docker/daemon.json.”
Which of the following statements does not apply to the WORKDIR directive?
It can use both absolute and relative paths.
It affects only the build and does not impact containers that run from the image.
It sets the working directory for the container at runtime.
It sets the working directory for subsequent build steps.
- It affects only the build and does not impact containers that run from the image.
“The WORKDIR directive affects the containers by setting the working directory at the container runtime.”
Which flag allows us to return specific fields with docker inspect?
--format
--pretty
--field-limit
--filter
--format
“The --format flag allows us to supply a Go template so that we can return specific data fields in a particular format.”
How would we back up the metadata for Docker Swarm?
We can run the swarm image with the backup command.
We can back up the contents of /etc/docker/swarm.
We can back up the contents of /usr/local/swarm.
With the Docker daemon stopped, we can back up the contents of /var/lib/docker/swarm on a Swarm manager.
With the Docker daemon stopped, we can back up the contents of /var/lib/docker/swarm on a Swarm manager.
“We can back up Docker Swarm metadata by backing up the contents of this directory.”
Which of the following tasks can we perform to set a custom DNS server for a container?
We can use the --dns flag with docker run.
We can set "dns" in /etc/docker/daemon.json.
We can use the --nameserver flag with docker run.
We can use the --dns-override flag with docker run.
We can use the --dns flag with docker run.
“This method would allow us to set a custom DNS server for the container.”