DCA-2 Flashcards

Question 1

Q

What environment variables must be set to allow client to communicate with UCP via CLI?

DOCKER

DOCKER_HOST

DOCKER_CERT_PATH

DOCKER_PATH

Answer

A

DOCKER_HOST

DOCKER_CERT_PATH

Question 2

Q

What is the command-line interface used to interact with UCP from a shell?

docker-ucp

docker

docker-ee

docker-ucp-cli

Question 3

Q

Universal Control Plane (UCP), lets you authorize users to view, edit, and use cluster resources by granting role-based permissions against resource sets.

True
False

Question 4

Q

To authorize access to cluster resources across your organization, which of the following high-level steps must UCP administrators take?

Configure subjects (users, teams, and service accounts).

Define custom roles (or use defaults) by adding permitted operations per type of resource.

Configure resource sets of Swarm collections or Kubernetes namespaces.

Create grants by combining subject + role + resource set

Answer

A

Configure subjects (users, teams, and service accounts).

Define custom roles (or use defaults) by adding permitted operations per type of resource.

Configure resource sets of Swarm collections or Kubernetes namespaces.

Create grants by combining subject + role + resource set

Question 5

Q

Which of the statements best describes “Subjects” in the Access Control Model?

A subject represents a user, team, organization

A subject does not represent a service account.

A subject can be granted a role that defines permitted operations against one or more resource sets.

A subject represents a service account.

Answer

A

A subject represents a user, team, organization

A subject can be granted a role that defines permitted operations against one or more resource sets.

A subject represents a service account.

Question 6

Q

A group of teams that share a specific set of permissions forms a collection.

True
False

Question 7

Q

Which of the statements best describe “Roles” in the Access Control Model?

Roles define what operations are allowed on a resource.

A role is a set of permitted operations against a type of resource, like a container or volume, which can only be assigned to individual users.

Most organizations use multiple roles to fine-tune appropriate access to users and teams.

All of the above

Answer

A

Roles define what operations are allowed on a resource.

Most organizations use multiple roles to fine-tune appropriate access to users and teams.

Question 8

Q

Which of the statements best describe “Resource sets” in Access Control Model?

A collection of resources in Docker Swarm

A collection in Kubernetes

A namespace in Kubernetes

A namespace in Docker Swarm

Answer

A

A collection of resources in Docker Swarm

A namespace in Kubernetes

Question 9

Q

Which of the statements best describe “Grants” in the Access Control Model?

Grants define which users can access what resources in what way.

A grant is made up of a role and a resource set.

A grant is made up of a subject, a role, and a resource set.

Grants are effectively Access Control Lists (ACLs) which provide comprehensive access policies for an entire organization when grouped together.

Answer

A

Grants define which users can access what resources in what way.

A grant is made up of a subject, a role, and a resource set.

Grants are effectively Access Control Lists (ACLs) which provide comprehensive access policies for an entire organization when grouped together.

Question 10

Q

Only an administrator can manage grants, subjects, roles, and access to resources.

True
False

Question 11

Q

Docker Enterprise Edition provides … , where in we can create users and group them into teams which are nothing but group of users and tie them up with an organization.

DTR
UCP
UCP Agent
RBAC

Question 12

Q

Which of the following is a common workflow for RBAC in Docker EE is

Create users, teams, and organization

Create custom roles with a set of permissions

Combine resources sets using a collection

Answer

A

Create users, teams, and organization

Create custom roles with a set of permissions

Combine resources sets using a collection

Question 13

Q

The … allows you to authorize a remote Docker engine to a specific user account managed in Docker EE, absorbing all associated RBAC controls in the process

DTR

UCP

Client bundle

RBAC

Answer

A

Client Bundle

Question 14

Q

A client bundle is a group of certificates downloadable directly from the Docker Trusted Registry (DTR) user interface within the admin section for “My Profile”

True
False

Question 15

Q

Using …. in Docker EE we can control who can access and make changes to your cluster and applications.

DTR
UCP
Client bundle
RBAC

Question 16

Q

What are the minimum hardware requirements to install UCP?

4GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 2GB RAM and 500MB disk space for the /var partition for worker nodes

8GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 4GB RAM and 500MB disk space for the /var partition for worker nodes

8GB RAM, 2vCPUs and 10GB disk space for the /var/lib/docker partition for manager nodes, 4GB RAM and 500MB disk space for the /var/lib/docker partition for worker nodes

4GB RAM, 2vCPUs and 10GB disk space for the /var/lib/docker partition for manager nodes, 2GB RAM and 500MB disk space for the /var/lib/docker partition for worker nodes

Answer

A

8GB RAM, 2vCPUs and 10GB disk space for the /var partition for manager nodes, 4GB RAM and 500MB disk space for the /var partition for worker nodes

Question 17

Q

What are the features of Docker Trusted Registry (DTR)?

Built-in Access Control

Image and Job Management

Automated image builds

Security Scanning

Dockerfile management in SCM

Image Signing

Answer

A

Built-in Access Control

Image and Job Management

Security Scanning

Image Signing

Question 18

Q

A group of teams that share a specific set of permissions forms a collection.

True
False

Question 19

Q

When using the built-in authentication mechanism, you can create users to grant them fine-grained permissions.
Which of the following statements best describes managing users in DTR?

Users are shared across UCP and DTR.

When you create a new user in UCP, that user becomes available in DTR and vice versa.

Check the Trusted Registry admin option, if you want to grant permissions for the user to be a UCP and DTR administrator.

Users are not shared across UCP and DTR

Answer

A

Users are shared across UCP and DTR.

When you create a new user in UCP, that user becomes available in DTR and vice versa.

Check the Trusted Registry admin option, if you want to grant permissions for the user to be a UCP and DTR administrator.

Question 20

Q

When a user creates a repository, by default other users will also have permissions to make changes to the repository.

True
False

Question 21

Q

By default, DTR has one organization called ‘docker-datacenter’, that is shared between DTR and UCP.

True
False

Question 22

Q

What is the command to pull the docker repository owned by an organization?

docker get DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker pull DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker download DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

docker fetch DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

Answer

A

docker pull DTR-DOMAIN-NAME/ORG/REPOSITORY:TAG

Question 23

Q

Which of the following is the docker image addressing convention?

Registry-Address/Image-or-Repository-Name/User-Or-Account-Name

Registry-Address/User-Or-Account-Name/Image-or-Repository-Name

User-Or-Account-Name/Image-or-Repository-Name/Registry-Address

Image-or-Repository-Name/User-Or-Account-Name/Registry-Address

Answer

A

Registry-Address/User-Or-Account-Name/Image-or-Repository-Name

Question 24

Q

If we do not specify a registry information then it is assumed to be the default registry at docker hub at the address docker.io.

True
False

Question 25

Q

DTR only supports creating private repositories.

True
False

Question 26

Q

By default, when pushing an image to DTR, it automatically creates a new repository if one does not already exist by that name.

True
False

Question 27

Q

You cannot configure DTR to allow pushing to repositories that don’t exist yet.

True
False

Question 28

Q

We can use the CLI to enable pushing to repositories that don’t exist yet.

True
False

Question 29

Q

DTR is a vulnerability scanner that analyzes container images for security vulnerabilities triggered by a manual request only.

True
False

Question 30

Q

In which service does DTR image scanning occur?

A service known as the dtr-jobrunner container
A service known as the dtr-registry container
A service known as the dtr-api container
A service known as the dtr-runner container

Answer

A

A service known as the dtr-jobrunner container

Question 31

Q

Extracts a copy of the image layers from backend storage.

Extracts the files from the layer into a working directory inside the dtr-jobrunner container.

Executes the scanner against the files in this working directory, collecting a series of scanning data.

Once the scanning data is collected, the working directory for the layer will remain on the job-runner until garbage collection is initiated.

All of the above

Answer

A

Extracts a copy of the image layers from backend storage.

Extracts the files from the layer into a working directory inside the dtr-jobrunner container.

Executes the scanner against the files in this working directory, collecting a series of scanning data.

Question 32

Q

In which of the following will image scanning look for known vulnerabilities

OS packages

Suspicious user accounts

Libraries

IP Tables rules that are not required

Other dependencies that are defined in a container image

All of the above

Answer

A

OS packages

Libraries

Other dependencies that are defined in a container image

Question 33

Q

You may also configure DTR to initiate scans automatically when an image is pushed.

True
False

Question 34

Q

Once the scan is complete, a report shows all the vulnerabilities detected categorized as __________.

Major

Minor

Warning

Critical

INFO

All of the above

Answer

A

Major

Minor

Critical

Question 35

Q

With Docker Trusted Registry you can promote an existing image, based on a policy, to be pushed to a new environment.

True
False

Question 36

Q

With Docker Trusted Registry, we need to rebuild the image in each stage to promote to different environments (e.g. Dev, Test, Stage, and Prod)

True
False

Question 37

Q

A promotion can only be configured to another repository within the same registry.

True
False

Question 38

Q

Which statement best describes Garbage Collection in DTR?

Automatically removes unused image layers to save disk space at a scheduled interval.

Garbage Collection setting is available under the system -> garbage collection section.

By default, garbage collection is enabled.

All of the above

Answer

A

Automatically removes unused image layers to save disk space at a scheduled interval.

Garbage Collection setting is available under the system -> garbage collection section.

Question 39

Q

You may configure garbage collection to run at a specific interval.

True
False

Question 40

Q

Under the hood, each image stored in DTR is made up of multiple files, what are they?

A list of image layers that are unioned which represents the image filesystem

A configuration file that contains the architecture of the image and other metadata

A manifest file containing the list of all layers and configuration file for an image

Answer

A

A list of image layers that are unioned which represents the image filesystem

A configuration file that contains the architecture of the image and other metadata

A manifest file containing the list of all layers and configuration file for an image

Question 41

Q

DTR ships with Notary built-in so that you can use Docker Content Trust (DCT) to sign and verify images.

True
False

Question 42

Q

What are the key components of Docker Trusted Registry (DTR) for signing an image?

Notary Server
Notary Signer
Docker Hub
Universal Control Plane (UCP)

Answer

A

Notary Server

Notary Signer

Question 43

Q

Which statements best describe Notary?

Notary is a tool for publishing and managing trusted collections of content.

The official Docker Hub Notary servers are located at https://docker.io

With Notary anyone can provide trust over arbitrary collections of data.

Notary uses Globally Unique Names (GUNs) to identify trust collections.

Answer

A

Notary is a tool for publishing and managing trusted collections of content.

With Notary anyone can provide trust over arbitrary collections of data.

Notary uses Globally Unique Names (GUNs) to identify trust collections.

Question 44

Q

DCT is integrated with the Docker CLI, and allows you to _____________________.

Configure repositories

Add signers

Sign images using the docker trust command

Answer

A

Configure repositories

Add signers

Sign images using the docker trust command

Question 45

Q

You are required to configure your environment to prevent untrusted images from being deployed on the cluster. What approach would you choose to ensure images deployed in the cluster are secure and trusted?

Configure RBAC and provide access to repositories to privileged users only

Enable vulnerability scanning on images on push

Configure UCP to Run only signed images. And enforce image signing for all images using DCT

Answer

A

Configure UCP to Run only signed images. And enforce image signing for all images using DCT

Question 46

Q

In a Docker swarm cluster, when a failed node is brought back online it is ready to accept new workloads and existing workloads are automatically rebalanced.

True
False

Question 47

Q

What is the command to rebalance the docker swarm cluster workloads if absolutely necessary?

docker service update SERVICE-NAME
docker service update –force SERVICE-NAME
docker update service SERVICE-NAME
docker update service –force SERVICE-NAME

Answer

A

docker service update –force SERVICE-NAME

Question 48

Q

A swarm cluster runs with 5 manager and 5 worker nodes with 10 replicas of an application running across all worker nodes. Which of the below statements are true when 3 manager nodes do go down at the same time.

Since 2 manager nodes are available the cluster continues to operate normally

Cluster operates in a degraded mode with no management functionalities

The applications continue to work as normal without impacting users

Applications are killed and users are impacted

Answer

A

Cluster operates in a degraded mode with no management functionalities

The applications continue to work as normal without impacting users

Question 49

Q

We could add a new node to the cluster as a manager but we cannot promote an existing worker node to be the manager.

True
False

Question 50

Q

You should have at least 3 managers in the swarm cluster to support manager node failures.

True
False

Question 51

Q

Which statement best describes Quorum?

Quorum is the minimum number of nodes that must be available for the cluster to function properly.

In case of 3 manager nodes, the quorum is 3

It is recommended to maintain an odd number of managers to withstand network-wide outages.

In case of 5 manager nodes, the quorum is 3

Answer

A

Quorum is the minimum number of nodes that must be available for the cluster to function properly.

It is recommended to maintain an odd number of managers to withstand network-wide outages.

In case of 5 manager nodes, the quorum is 3

Question 52

Q

Which of the below configurations can tolerate 3 manager node failures?

 4 Manager 2 Worker Node Cluster
 5 Manager 5 Worker Node Cluster
 6 Manager 5 Worker Node Cluster
 7 Manager 3 Worker Node Cluster
 7 Manager 5 Worker Node Cluster
 8 Manager 6 Worker Node Cluster
 8 Manager 2 Worker Node Cluster

Answer

A

7 Manager 3 Worker Node Cluster
7 Manager 5 Worker Node Cluster
8 Manager 6 Worker Node Cluster
8 Manager 2 Worker Node Cluster

Question 53

Q

For any given number of N nodes, What is the quorum value?

Total number of nodes divided by 3 + 1 (Quorum = (N/3)+1)

Total number of nodes divided by 2 + 1 (Quorum = (N/2)+1)

Total number of nodes divided by 2 – 1 (Quorum = (N/2)-1)

Total number of nodes divided by 3 – 1 (Quorum = (N/3)-1)

Answer

A

Total number of nodes divided by 2 + 1 (Quorum = (N/2)+1)

Question 54

Q

What is the command to forcefully create a cluster from its current state?

docker swarm init
docker swarm init –force
docker swarm init –force-cluster
docker swarm init –force-new-cluster

Answer

A

docker swarm init –force-new-cluster

Question 55

Q

What is the command to promote a node to manager in docker swarm cluster?

docker promote node NODENAME
docker node promote NODENAME
docker promote worker node NODENAME
docker node promote worker NODENAME

Answer

A

docker node promote NODENAME

Question 56

Q

Which of the following statements are true? Select all the answers that apply.

On every docker host, docker stores data about the object it manages under the /var/lib/docker directory.

On a swarm manager node, it stores data about the swarm cluster in the /var/lib/docker/swarm directory.

On every docker host, docker stores data about the object it manages under the /var/run/docker directory.

On a swarm manager node, it stores data about the swarm cluster in the /var/run/docker/swarm directory.

Answer

A

On every docker host, docker stores data about the object it manages under the /var/lib/docker directory.

On a swarm manager node, it stores data about the swarm cluster in the /var/lib/docker/swarm directory.

Question 57

Q

The RAFT DB helps in restoring the services and any other configuration in a swarm cluster.

True
False

Question 58

Q

What are the steps that we need to follow to backup the swarm database?

Create a tar backup of the swarm data at /var/lib/docker/swarm and restart the docker service.

Stop docker service, create a tar backup of the swarm data at /var/lib/docker/swarm, start the docker.

Stop docker service, create a tar backup of the docker data at /var/lib/docker, start the docker

None of the above

Answer

A

Stop docker service, create a tar backup of the swarm data at /var/lib/docker/swarm, start the docker.

Question 59

Q

It is recommended to perform a backup on the swarm leader node.

True
False

Question 60

Q

What is the command to enable automatic locking of managers with an encryption key?

docker swarm init –lock=true
docker swarm init –autolock=true
docker swarm init –autounlock=false
docker swarm init –unlock=false

Answer

A

docker swarm init –autolock=true

Question 61

Q

What is the command to disable auto lock for a docker swarm cluster that has it enabled already?

docker swarm update –autolock=false
docker update swarm –autolock=false
docker swarm update –auto-unlock=true
docker update swarm –auto-unlock=true

Answer

A

docker swarm update –autolock=false

Question 62

Q

The auto lock key is required when the cluster is restored, so it must be kept safe in an external password manager.

True
False

Question 63

Q

The auto lock key is backed up along with the Swarm backup.

True
False

Question 64

Q

What are the prerequisites for restoring swarm?

You must use the same IP as the node from which you made the backup.

You must restore the backup on the same Docker Engine version.

If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.

You can find the list of manager IP addresses in state.json in the zip file

Answer

A

You must use the same IP as the node from which you made the backup.

You must restore the backup on the same Docker Engine version.

If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.

You can find the list of manager IP addresses in state.json in the zip file

Answer 36

A

Shut down the Docker Engine on the node you selected for the restore

Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists.

Restore the /var/lib/docker/swarm directory with the contents of the backup

Start Docker on the new node. Unlock the swarm if necessary

Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.

Answer 37

A

docker/ucp

Answer 38

A

For crashed clusters, backup capability is not guaranteed.

UCP backup includes Kubernetes workloads.

Answer 39

A

CLI

GUI

API

Answer 40

A

User, Team and Organization details

Kubernetes Namespaces

Certificates and Keys

Access Control Details

Answer 41

A

Configurations

Notary Data

Certificates and Keys

Access Control to repos and Imagesk

Answer 42

A

Run the docker/dtr backup command

Answer 43

A

UCP web interface

UCP client bundle

SSH Access

Answer 44

A

docker run -i –rm docker/dtr restore < dtr-metadata-backup.tar

Answer 45

A

Store image data on a shared network storage and use supported backup mechanisms available for that network storage

Answer 46

A

docker run -i –rm docker/dtr restore < dtr-metadata-backup.tar

Answer 47

A

User, Team and Organization details

Kubernetes Namespaces

Certificates and Keys

Access Control Details

Answer 48

A

You must use the same IP as the node from which you made the backup.

You must restore the backup on the same Docker Engine version.

If auto-lock was enabled on the old Swarm, the unlock key is required to perform the restore.

Answer 49

A

16GB RAM, 4vCPUs and 25 - 100 of free disk space

Answer 50

A

Perform the backup operations from a swarm manager node that is not a leader

Answer 51

A

The container will be killed with an Out of Memory exception

Answer 52

A

Storage drivers

Answer 53

A

ReadOnlyMany,ReadWriteMany,ReadWriteOnce

Answer 54

A

A StorageClass provides a way for administrators to describe the “classes” of storage they offer,

Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy.

The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.

Answer 55

A

A PersistentVolumeClaim (PVC) is a request for storage by a user

A PVC will be automatically bound to a PV on creation when a PV is available

Claims can request specific size and access modes

Answer 56

A

Use the RUN instruction and have the apt-get update and apt-get install commands on the same instruction

Answer 57

A

docker image tag httpd:latest httpd:v1

Answer 58

A

docker overrides the CMD instruction with sleep 1000

Answer 59

A

docker service create –mode=global webapp

Answer 60

A

Quorum is the minimum number of nodes that must be available for the cluster to function properly.

Answer 61

A

docker service create –constraint=node.labels.type==cpu-optimized webapp

Answer 62

A

docker service update –image=webapp:v2 webapp

Answer 63

A

docker stack services

Answer 64

A

envFrom.secretRef

Answer 65

A

kubectl create configmap CONFIGMAP-NAME –from-literal=KEY1=VALUE1 –from-literal=KEY2=VALUE2,kubectl create configmap CONFIGMAP-NAME –from-file=/tmp/env

Answer 66

A

spec.containers.env.valueFrom

Answer 67

A

tls, tlscert, tlskey

Answer 68

A

overlay/dtr-ol

Answer 69

A

kube-router,Calico,Weave-Net

Answer 70

A

docker system events –filter ‘container=webapp’

Answer 71

A

16GB RAM, 4vCPUs and 25-100GB of free disk space.

Answer 72

A

Perform the backup operations from a swarm manager node that is not a leader

Answer 73

A

the setting is ignored, and the value is treated as unset

Answer 74

A

spec.containers.image

Answer 75

A

docker service update –force

Answer 76

A

–update-parallelism 4

Answer 77

A

docker node demote manager1

Answer 78

A

docker swarm unlock-key

Answer 79

A

Using envFrom and configMapRef

Answer 80

A

dispatcher

Answer 81

A

docker run -i –rm docker/dtr restore < dtr-metadata-backup.tar

Answer 82

A

echo ‘{“log-driver”: “splunk”}’ > /etc/docker/daemon.json

Answer 83

A

0,builder

Answer 84

A

Only install necessary packages within the image

Combine multiple dependent instructions into a single instruction and clean up temporary files

Use multi-stage builds

Answer 85

A

docker search –filter is-official=true –filter stars=3 busybox

Answer 86

A

Extracts a copy of the image layers from backend storage.

Extracts the files from the layer into a working directory inside the dtr-jobrunner container.

Executes the scanner against the files in this working directory, collecting a series of scanning data.

Once the scanning data is collected, the working directory for the layer is removed.

Answer 87

A

Docker Engine volume plugins enables Engine deployments to be integrated with external storage systems such as Amazon EBS,

The local volume plugin helps to create a volume on Docker host and store its data under the /var/lib/docker/volumes/ directory.

Answer 88

A

AUFS,
overlay2
Device Mapper

Answer 89

A

{“storage-driver”: “devicemapper”}

Answer 90

A

A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class, It is a resource in the cluster just like a node is a cluster resource.

Answer 91

A

bridge

ingress

Answer 92

A

docker service rollback webapp

Answer 93

A

Cache busting

Answer 94

A

Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs

Answer 95

A

docker node update –label-add disk=ssd worker1

Answer 96

A

–update-failure-action

Answer 97

A

UCP Agent

Answer 98

A

A service known as the dtr-jobrunner container

Answer 99

A

scheduler

Answer 100

A

apiVersion
metadata
kind
spec

Answer 101

A

docker stack ps webapp

Answer 102

A

docker service update –replicas=4 webapp

docker service scale webapp=4

Answer 103

A

Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web,

Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web

Answer 104

A

docker service logs SERVICE-NAME

Answer 105

A

docker service create -p 5000:80/udp my-web-server

docker service create –publish published=5000,target=80,protocol=udp my-web-server

Answer 106

A

30000-32767

Answer 107

A

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except allowed by the network policy

Answer 108

A

docker container stop $(docker container ls -q)

Answer 109

A

CMD [“executable”,“param1”,“param2”]

CMD [“param1”,“param2”]

CMD command param1 param2

Answer 110

A

Built-in Access Control

Image and Job Management

Security Scanning

Image Signing

Answer 111

A

docker/dtr

Answer 112

A

docker image inspect webapp -f ‘{{.Os}} {{.Architecture}}’

Answer 113

A

docker build https://github.com/kk/dca.git#dev:docker

Answer 114

A

To control user access, cluster resources are grouped into Docker Swarm collections or Kubernetes namespaces.

Together, collections and namespaces are named resource sets.

Answer 115

A

Create a storage class with a provisioned

create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file

Answer 116

A

kubectl delete pv PV-NAME

Answer 117

A

Namespaces

Answer 118

A

Shut down the Docker Engine on the node you select for the restore

Remove the contents of the /var/lib/docker/swarm directory on the new Swarm if it exists

Restore the /var/lib/docker/swarm directory with the contents of the backup

Start Docker on the new node. Unlock the swarm if necessary

Re-initialize the swarm so that the node does not attempt to connect to nodes that were part of the old swarm, and presumably no longer exist.

Answer 119

A

/var/lib/docker/containers/78373635/78373635.json

Answer 120

A

A machine part of the Kubernetes cluster that runs workloads

A Virtual Machine that hosts workloads part of a Kubernetes cluster

A Physical Machine that hosts workloads part of a Kubernetes cluster

Answer 121

A

The Kubernetes command-line tool

Answer 122

A

Apache Mesos

Docker Swarm

Kubernetes

Answer 123

A

Self-healing & Batch execution

Secrets & configuration management

Automated rollouts and rollbacks

Answer 124

A

The control plane’s components decides how workloads are placed across the nodes in the cluster

kube-scheduler is one of the control plane component

kube-controller is one of the control plane component

Answer 125

A

kubelet and container runtime are the worker node components

kube-proxy is one of the worker node component

Answer 126

A

Etcd serves as the backing datastore for Kubernetes cluster data

ETCD is a distributed reliable key-value store

Answer 127

A

Kube Scheduler

Kube Controller Manager

Kube Api-server

Answer 128

A

Google Kubernetes Engine (GKE)

Azure Kubernetes Service (AKS)

Answer 129

A

Kube API Server

Answer 130

A

kube-scheduler

Answer 131

A

Responsible for maintaining the correct number of replicas of PODs at all times.

Replication controller makes sure that a pod or a homogeneous set of pods is always up and available

Answer 132

A

kube-proxy

Answer 133

A

Docker

Containerd

CRI-O

Answer 134

A

Node-Controller

Replication-Controller

Endpoint-Controller

Deployment-Controller

Answer 135

A

The kube-scheduler is only responsible for deciding which pod goes on which node.

Answer 136

A

Kubernetes deploys applications in the form of Pods

Answer 137

A

Multi-container Pods can share resources and dependencies, communicate with one another, and coordinate when and how they are terminated

A single pod can have multiple containers

Answer 138

A

kubectl run nginx –image nginx

Answer 139

A

kubectl get pods

kubectl get pods -n default

Answer 140

A

Pods can be created with kubectl commands as well as via API calls.

Answer 141

A

kubectl get pods -o wide

kubectl describe pod

Answer 142

A

kubectl delete pod

Answer 143

A

Update the pod-definition file and use kubectl apply command.

Use kubectl edit pod command and specify the new image

Answer 144

A

apiVersion

metadata

kind

spec

Answer 145

A

kubectl create -f pod-definition.yaml

kubectl apply -f pod-definition.yaml

Answer 146

A

spec.containers.image

Answer 147

A

metadata.labels

Answer 148

A

kubectl delete -f pod-definition.yaml

Answer 149

A

Equality-Based

Set-Based

Answer 150

A

Replication Controller is the older technology that is being replaced by a ReplicaSet.

The replication controller supports equality based selectors whereas the replica set supports equality based as well as set based selectors.

ReplicaSet is the new way to set up replication.

Answer 151

A

<code>kubectl get rs</code>

<code>kubectl get replicaset</code>

Answer 152

A

A way to group related things using key/value pairs

Answer 153

A

kubectl get rs –show-labels

Answer 154

A

kubectl delete rc nginx

Answer 155

A

kubectl delete rs triage

Answer 156

A

Update the number of replicas in the replicaset-definition.yaml definition file and apply.

Update using the kubectl scale command.

Answer 157

A

Create a Deployment

Answer 158

A

kubectl create

Answer 159

A

–replicas

Answer 160

A

kubectl get deploy

kubectl get deployment

kubectl get deployments

kubectl get deployments.apps

Answer 161

A

kubectl create -f deploy-definition.yaml

Answer 162

A

kubectl describe

Answer 163

A

kubectl delete deployment deployment-name

Answer 164

A

Deployments create ReplicaSets that create PODs.

Deployments support rolling updates and roll backs of applications.

Answer 165

A

You describe a desired state in a Deployment, and the Deployment Controller changes the actual state to the desired state at a controlled rate.

You can define Deployments to create new ReplicaSets, or to remove existing Deployments and adopt all their resources with new Deployments.

You should not manually update the ReplicaSets owned by a Deployment.

Answer 166

A

kubectl set image deployment.v1.apps/nginx-deployment nginx=nginx:1.16.1

kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1

kubectl edit deployment.v1.apps/nginx-deployment

Answer 167

A

spec.selector

Answer 168

A

spec.template.spec.containers.image

Answer 169

A

kubectl set image

Answer 170

A

kubectl rollout status deployment/nginx-deploy

Answer 171

A

<code>kubectl rollout undo</code>

Answer 172

A

kubectl rollout history

Answer 173

A

The command run to upgrade did not use the –record flag.

Answer 174

A

RollingUpdate

Recreate

Answer 175

A

RollingUpdate

Answer 176

A

This is a valid configuration

Answer 177

A

NodePort

ClusterIP

LoadBalancer

ExternalName

Answer 178

A

kubectl get svc

kubectl get services

Answer 179

A

kubectl delete svc SERVICE-NAME

kubectl delete services SERVICE-NAME

Answer 180

A

NodePort exposes a service to make it externally accessible on a port on the nodes.

Answer 181

A

30000-32767

Answer 182

A

Web – NodePort, Database – ClusterIP

Answer 183

A

Traffic to port 39376 on all nodes in the cluster is routed to port 9376 on a random POD with the label app web

Traffic to port 80 on the service is routed to port 9376 on a random POD with the label app web

Answer 184

A

To define a command, include the command field in the configuration file.

To define arguments for the command, include the args field in the configuration file.

Answer 185

A

ENTRYPOINT instruction in Dockerfile corresponds to command in kubernetes definition file

CMD instruction in Dockerfile corresponds to args in kubernetes definition file

Answer 186

A

Using env section

Answer 187

A

docker run –env APP_COLOR=pink simple-webapp-color

docker run -e APP_COLOR=pink simple-webapp-color

Answer 188

A

plain key-value pair

configmap

secrets

Answer 189

A

spec.containers.env

Answer 190

A

ENV name=value

ENV name value

Answer 191

A

kubectl create configmap CONFIGMAP-NAME –from-literal=KEY1=VALUE1 –from-literal=KEY2=VALUE2

kubectl create configmap CONFIGMAP-NAME –from-file=/tmp/env

Answer 192

A

kubectl get cm

kubectl get configmap

Answer 193

A

kubectl describe configmap CONFIGMAP-NAME

Answer 194

A

–from-literal

Answer 195

A

ConfigMap is an API object mainly used to store non-confidential data in key-value pairs.

Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume.

Answer 196

A

Using envFrom and configMapRef

Answer 197

A

spec.containers.env.valueFrom

Answer 198

A

Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs

Answer 199

A

kubectl get secrets

Answer 200

A

kubectl describe secret SECRET-NAME

Answer 201

A

kubectl create secret generic test-secret –from-literal=’username=my-app’ –from-literal=’password=39528$vdg7Jb’

Answer 202

A

envFrom.secretRef

Answer 203

A

Kubernetes secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys.

Storing confidential information in a Secret is safer.

Users can create Secrets and the system also creates some Secrets.

Answer 204

A

To define a command, include the command field in the configuration file.

To define arguments for the command, include the args field in the configuration file.

Answer 205

A

ENTRYPOINT instruction in Dockerfile corresponds to command in kubernetes definition file

CMD instruction in Dockerfile corresponds to args in kubernetes definition file

Answer 206

A

Using env section

Answer 207

A

docker run –env APP_COLOR=pink simple-webapp-color

docker run -e APP_COLOR=pink simple-webapp-color

Answer 208

A

plain key-value pair

configmap

secrets

Answer 209

A

spec.containers.env

Answer 210

A

ENV name=value

ENV name value

Answer 211

A

kubectl create configmap CONFIGMAP-NAME –from-literal=KEY1=VALUE1 –from-literal=KEY2=VALUE2

kubectl create configmap CONFIGMAP-NAME –from-file=/tmp/env

Answer 212

A

kubectl get cm

kubectl get configmap

Answer 213

A

kubectl describe configmap CONFIGMAP-NAME

Answer 214

A

–from-literal

Answer 215

A

ConfigMap is an API object mainly used to store non-confidential data in key-value pairs.

Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume.

Answer 216

A

Using envFrom and configMapRef

Answer 217

A

spec.containers.env.valueFrom

Answer 218

A

Create a ConfigMap with the required configurations, configure it as a volume in the pod definition file and then mount the volume as a file at /var/configs

Answer 219

A

kubectl get secrets

Answer 220

A

kubectl describe secret SECRET-NAME

Answer 221

A

kubectl create secret generic test-secret –from-literal=’username=my-app’ –from-literal=’password=39528$vdg7Jb’

Answer 222

A

envFrom.secretRef

Answer 223

A

Kubernetes secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys.

Storing confidential information in a Secret is safer.

Users can create Secrets and the system also creates some Secrets.

Answer 224

A

The kubelet uses readiness probes to know when a container is ready to start accepting traffic.

The readiness probes run on the container during it’s entire lifecycle.

Answer 225

A

Command

HTTP

TCP

Answer 226

A

The kubelet uses liveness probes to know when to restart a container

The liveness probes may be configured with an HTTP test to check if a container is live.

Answer 227

A

SUCCESS

FAILURE

UNKNOWN

Answer 228

A

kube-router

Calico

Weave-net

Answer 229

A

If you want to control traffic flow at the IP address or port level, then you might consider using Kubernetes NetworkPolicies.

NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network

Network Policies are implemented by the network plugin

Pods become isolated by having a NetworkPolicy that selects them

Answer 230

A

All traffic is allowed between different pods in the cluster

Answer 231

A

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except allowed by the network policy

Answer 232

A

Docker Engine volume plugins enables Engine deployments to be integrated with external storage systems such as Amazon EBS

The local volume plugin helps to create a volume on Docker host and store its data under the /var/lib/docker/volumes/ directory.

Volume plugins should not write data to the /var/lib/docker/ directory, including /var/lib/docker/volumes.

Answer 233

A

hostPath
configMap
emptyDir
local

Answer 234

A

An emptyDir volume is first created when a Pod is assigned to a node, and exists as long as that Pod is running on that node.

The emptyDir volume is initially empty

When a Pod is removed from a node for any reason, the data in the emptyDir is deleted permanently

Answer 235

A

You either need to run your process as root in a privileged Container or modify the file permissions on the host to be able to write to a hostPath

Answer 236

A

A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class

It is a resource in the cluster just like a node is a cluster resource.

PVs are volume plugins like Volumes

Answer 237

A

kubectl get pv

kubectl get persistentvolume

Answer 238

A

kubectl delete pv PV-NAME

Answer 239

A

Available

Answer 240

A

ReadOnlyMany

ReadWriteMany

ReadWriteOnce

Answer 241

A

A PersistentVolumeClaim (PVC) is a request for storage by a user.

A PVC will be automatically bound to a PV on creation when a PV is available

Claims can request specific size and access modes

Answer 242

A

The PVC would bind to the PV with 100 GB

Answer 243

A

The PV is left as is until it is manually deleted by an administrator

Answer 244

A

A StorageClass provides a way for administrators to describe the “classes” of storage they offer

Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy.

The StorageClass objects can use a provisioner that can dynamically provision storage on supported storage providers.

Answer 245

A

kubectl get sc

kubectl get storageclass

Answer 246

A

Create a storage class with a provisioner, create a PVC with the storage class, and then use the PVC in the volumes section in the pod definition file

Answer 247

A

A way to group related things using key/value pairs

Answer 248

A

kubectl delete rc nginx

Answer 249

A

–replicas

Answer 250

A

spec.selector

Answer 251

A

metadata.labels

Answer 252

A

apiVersion

metadata

data

kind

Answer 253

A

kubectl delete pod/busybox

Answer 254

A

kubectl run jenkins –image jenkins

Answer 255

A

Docker

Containerd

CRI-O

Answer 256

A

Kube API Server

Answer 257

A

Kube Scheduler

Kube Controller Manager

Kube Api-server

Answer 258

A

kubelet and container runtime are the worker node components

kube-proxy is one of the worker node component

Answer 259

A

Kubernetes

Docker Swarm

Apache Mesos

Answer 260

A

kubectl get pods -n netpol

Answer 261

A

Deployments create ReplicaSets that create PODs.

Deployments support rolling updates and roll backs of applications.

Answer 262

A

spec.template.spec.containers.image

Answer 263

A

kubectl set image

Answer 264

A

RollingUpdate

Recreate

Answer 265

A

As soon as a network policy is associated with a POD all ingress and egress traffic to that POD are denied except those allowed by the network policy

Answer 266

A

ClusterIP exposes a service internally within the hosts only.

Answer 267

A

Using the env section

Answer 268

A

kubectl edit persistentvolumeclaim mysql-pvc

Answer 269

A

kubectl describe secret user-list

Answer 270

A

kubectl get cm

kubectl get configmap

Answer 271

A

The kubelet uses readiness probes to know when a container is ready to start accepting traffic.

The Readiness probes run on the container during its whole lifecycle.

Answer 272

A

Consider using Kubernetes NetworkPolicies if you want to control traffic flow at the IP address or port level.

NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” over the network

Answer 273

A

<code>kubectl describe storageclass</code>

Answer 274

A

Docker images

A DTR metadata backup does not include the images themselves.

Answer 275

A

docker run –memory 1G nginx

Answer 276

A

Pass the –log-level flag to dockerd

The dockerd flags share the same names as the values set in /etc/docker/daemon.json

Answer 277

A

Dave should use the STOPSIGNAL directive

The STOPSIGNAL directive instructs Docker on which stop signal to use for halting a container process.

Answer 278

A

The ADD directive can extract an archive into the image.

“The add directive can extract archives while the COPY command cannot”

The ADD directive can pull a file from an external URL.

“The ADD directive can pull from a URL while COPY cannot”

Answer 279

A

It sets a command that will be used by the Docker daemon to determine whether the container is healthy.

“The HEALTHCHECK directive sets a command that is used to determine container health.”

Answer 280

A

We would store the Dockerfile in source control.

“We can keep the Dockerfile in source control to track any changes made to the Dockerfile.”

Answer 281

A

/y/z

This would be the runtime working directory because WORKDIR /y sets up an absolute directory, and then WORKDIR z sets the directory relative to /y.

Answer 282

A

We can run a container from the image, export it, and then import it as a new image.

“This procedure will flatten an image into a single layer.”

Answer 283

A

10.23.254.63

“The Service’s cluster IP address can be used to communicate with the Service from anywhere within the cluster.”

user-db.auth-gateway.svc.cluster.local

“The Service’s fully-qualified domain name can be used to locate the Service, even from another Namespace.”

Answer 284

A

docker service create –constraint node.labels.availability_zone!=east nginx

“This command will prevent the service’s tasks from running on nodes with the availability_zone==east label.”

Answer 285

A

docker image inspect

The docker image inspect command will return the image metadata, including the location of the layered file system data.

Answer 286

A

We can copy only specific files from previous stages so that we can keep the image as small as possible.

“This is the primary use case for multi-stage builds.”

Answer 287

A

It provides a central location for storing and distributing images.

“This is what a Docker registry does.”

Answer 288

A

We should use Docker Compose.

“Docker Compose allows us to manage complex, multi-container applications on a single host.”

Answer 289

A

Eric should use a stack.

“Docker stacks are designed for managing multi-container applications in a swarm.”

Answer 290

A

A 3-node cluster with 1 node down.

“More than half of the nodes are still up, so the quorum is maintained in this scenario.”

A 7-node cluster with 3 nodes down.

“More than half of the nodes are still up, so the quorum is maintained in this scenario.”

Answer 291

A

–mount volume-driver=

“This will create the volume with the specified driver.”

Answer 292

A

They store data in regular files on the host machine.

“Filesystem storage models simulate a file system and store the data in regular files onto the host machine.”

They are used by overlay2 and aufs.

“The overlay2 and aufs storage drivers both use filesystem storage models.”

Answer 293

A

Networking components are created on nodes dynamically when tasks get scheduled on the node.

“The overlay network driver dynamically creates networking components on the node when a relevant task gets scheduled on that node.”

Answer 294

A

docker service create –network my-overlay nginx

“This command will attach the service’s tasks to a specified network.”

Answer 295

A

docker network create my-network

“Since the bridge is the default, a new bridge network will generate even when –driver is not specified.”

Answer 296

A

Capabilities

“Capabilities are used by Docker to provide granular permissions to container processes, such as listening on low ports without the need for root access.”

Answer 297

A

mem

“This is not a namespace used by Docker.”

Answer 298

A

We can upload certificates via the UCP and DTR web UIs.

“We can upload certificates in the administrative settings section for both UCP and DTR.”

Answer 299

A

docker network create –opt encrypted –driver overlay my-net

“This command will create an encrypted overlay network.”

Answer 300

A

Docker Content Trust

“Docker Content Trust allows us to sign images and verify signatures before running them.”

Answer 301

A

Assign the users to a team, and then assign grants to the entire team, giving them the permissions they need.

“UCP uses teams to manage users who all need the same set of permissions.”

Answer 302

A

unless-stopped

“This restart policy will always restart the container unless it was stopped explicitly.”

Answer 303

A

Install newer versions of the docker-ce and docker-ce-cli packages.

“We must install newer versions of the packages in order to upgrade Docker.”

Answer 304

A

Control groups (cgroups)

“Docker uses cgroups to limit memory usage for containers.”

Answer 305

A

We can create our own registry by running a container with the registry image.

“Running this image will create a private Docker registry.”

Answer 306

A

It sets the default command for the image that runs if no other command is specified.

“The CMD directive sets the default command.”

Answer 307

A

The data would consist of only changes from the previous layer that were made by the container.

“Each file system layer contains only the changes made from the previous layer.”

Answer 308

A

docker inspect

” This command will allow us to query metadata about any Docker object.”

docker container inspect

” This command will allow us to find metadata about any container.”

Answer 309

A

docker stack services web-store

“This command will list the services that are part of the stack.”

Answer 310

A

docker service create –env NODE_HOSTNAME=”{{.Node.Hostname}}” nginx

“This command will create an environment variable in each task that contains the node hostname.”

Answer 311

A

docker service logs my-service

“This command will retrieve logs for all of the tasks in the service.”

Answer 312

A

We would run the docker swarm unlock-key –rotate command on one manager node.

“This command will automatically rotate the key and handle all orchestration between nodes.”

Answer 313

A

Set dm.directlvm_device in /etc/docker/daemon.json.

“We can enable direct-lvm by setting this value in daemon.json to a block storage device.”

Answer 314

A

Anastasia can use:
docker run –name new-container -v shared-data:/tmp:ro nginx

“This command will mount the shared volume to the new container in read-only mode.”

Answer 315

A

vieux/sshfs

“This is a custom driver that uses SSH to access remote storage from any node in the cluster.”

Answer 316

A

We need a Docker Enterprise Edition (EE) license to scan images within our registry.

“We need Docker Trusted Registry to scan images within our registry, which requires Docker EE.”

Answer 317

A

Set the DOCKER_CONTENT_TRUST environment variable to 1.

“Setting this environment variable to 1 will enable DCT.”

Answer 318

A

We add the self-signed certificate as a trusted registry certificate under /etc/docker/certs.d/.

“Utilizing /etc/docker/certs.d/ is the secure way to authenticate with a registry that uses a self-signed certificate.”

Answer 319

A

registry.company.io/payroll/payapp

Answer 320

A

the setting is ignored, and the value is treated as unset

Answer 321

A

loop-lvm

direct-lvm

Answer 322

A

A PersistentVolumeClaim (PVC) is a request for storage by a user.

A PVC will be automatically bound to a PV on creation when a PV is available

Claims can request specific size and access modes

Answer 323

A

spec.containers.env.valueFrom

Answer 324

A

docker run -it –log-driver none webapp

Answer 325

A

docker service update –force

Answer 326

A

A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Class

It is a resource in the cluster just like a node is a cluster resource.

Answer 327

A

{“storage-driver”: “devicemapper”}

Answer 328

A

Only install necessary packages within the image

Combine multiple dependent instructions into a single instruction and cleanup temporary files

Use multi-stage builds

Answer 329

A

docker container prune

docker container rm $(docker container ls -aq)

Answer 330

A

Pull docker images from a host with access to docker hub

convert to a tarball using docker image save

command, and copy to the restricted environment and extract the tarball

Answer 331

A

echo ‘{“log-driver”: “splunk”}’ > /etc/docker/daemon.json

Answer 332

A

echo ‘{“debug”: true}’ > /etc/docker/daemon.json

Answer 333

A

sudo systemctl start docker

Answer 334

A

Kernel Capabilities

Answer 335

A

docker stack ps webapp

Answer 336

A

CMD [“executable”,“param1”,“param2”]

CMD [“param1”,“param2”],

CMD command param1 param2

Answer 337

A

Create a backup of everything in the DTR image storage volume.

“To back up images, back up the contents of the volume DTR used to store images.”

/var/lib/docker/volumes//_data.

Volume Names: https://docs.mirantis.com/msr/2.8/ref-arch/volumes.html

dtr-ca-

Root key material for the MSR root CA that issues certificates

dtr-notary-

Certificate and keys for the Notary components

dtr-postgres-

Vulnerability scans data

dtr-registry-

Docker images data, if MSR is configured to store images on the local filesystem

dtr-rethink-

Repository metadata

dtr-nfs-registry-

Answer 338

A

Add the user to the docker group.

“Docker provides the docker group for the purpose of giving users permission to solely access Docker.”

Answer 339

A

Docker images.

“A DTR metadata backup does not include the images themselves.”

Answer 340

A

Run a container from the dtr image with the backup command.

“This is the basic procedure for backing up DTR.”

Answer 341

A

It documents ports intended for publishing at the time of running a container.

“The EXPOSE directive documents the ports that should be published when running a container from the image.”

Answer 342

A

Amanda can use:

docker run –network container:nginx-container nicolaka/netshoot.

“This command will inject the netshoot container into the sandbox of the existing container.”

Answer 343

A

bridge

“The bridge network driver is the default and is used to connect containers on the same host.”

Answer 344

A

If an attacker gains access to the Docker daemon, they could use it to execute commands as root on the host.

“The Docker daemon must run as root, so it is essential to ensure that it’s being protected and has limited access to it.”

Answer 345

A

Grants are effectively Access Control Lists (ACLs) that provide comprehensive access policies for an entire organization when grouped together.

Grants define which users can access what resources in what way.,

A grant is made up of
a subject
a role
a resource set

Answer 346

A

overlay/dtr-ol

Answer 347

A

docker run –restart on-failure cleanup-job

“This restart policy will only restart the container if it exits with a non-zero exit code.”

Answer 348

A

Add the –storage-driver flag to the dockerd call in Docker’s unit file.

“We can set the storage driver by passing the –storage-driver flag to dockerd.”

Set storage-driver to devicemapper in /etc/docker/daemon.json.

“We can set the storage driver in /etc/docker/daemon.json.”

Answer 349

A

It affects only the build and does not impact containers that run from the image.

“The WORKDIR directive affects the containers by setting the working directory at the container runtime.”

Answer 350

A

–format

“The –format flag allows us to supply a Go template so that we can return specific data fields that are in a particular format.”

Answer 351

A

While the Docker daemon stops, we can back up the contents of /var/lib/docker/swarm on a Swarm manager.

“We can back up Docker Swarm metadata by backing up the contents of this directory.”

Answer 352

A

We can use the –dns flag with docker run.

“This method would allow us to set a custom DNS server for the container.”

Brainscape's Knowledge GenomeTM

DCA-2 Flashcards

Brainscape's Knowledge Genome^TM