Free Practice Questions for Docker DCA Exam

The set of commands docker container inspect and docker port can identify the published port(s) for a container. The docker container inspect command returns low-level information about a container, including its network settings and port bindings1. The docker port command lists port mappings or a specific mapping for the container2. Both commands can show which host port is mapped to which container port, and the protocol used. For example, docker container inspect -f '{{.NetworkSettings.Ports}}' container_name will show the port bindings for the container_name3. Similarly, docker port container_name will show the port mappings for the container_name. References:

docker container inspect

docker port

How to Expose and Publish Ports in Docker

[How to obtain the published ports from within a docker container?]

= Multi-stage builds allow you to use multiple FROM statements in your Dockerfile, each starting a new stage of the build1. This can help you achieve better logical separation of Dockerfile instructions for increased readability, as well as other benefits such as smaller image size, faster build time, and reduced security risks23. By separating your Dockerfile into different stages, you can organize your instructions by their purpose, such as building, testing, or deploying your application. You can also copy only the artifacts you need from one stage to another, leaving behind the unnecessary dependencies or tools1. This can make your Dockerfile easier to read and maintain, as well as improve the performance and security of your final image. References:

Multi-stage builds | Docker Docs

What Are Multi-Stage Docker Builds? - How-To Geek

Multi-stage | Docker Docs

Tagging the image with ‘nginx:immutable’ is not how a user can prevent an image, such as ‘nginx:latest’, from being overwritten by another user with push access to the repository.Tagging the image with ‘nginx:immutable’ will only create a new tag for the image, but it will not prevent the original tag from being overwritten. To prevent an image tag from being overwritten in Docker Trusted Registry, the user can use the DTR web UI to make the tag immutable1. This will prevent anyone from pushing a new image with the same tag, even if they have push access to the repository1. Alternatively, the user can also use the DTR API to make the tag immutable2. References: Prevent tags from being overwritten), DTR API reference)

 The solution will not work because a hostPath volume mounts a file or directory from the host node’s filesystem into the pod, not from the laptop1. The host node is the VM or machine where the pod is scheduled to run, not the machine where the kubectl commands are executed. Therefore, the /data directory on the laptop will not be accessible to the pod unless it is also present on the host node. A better solution would be to use a persistent volume that can be accessed from any node in the cluster, such as NFS, AWS EBS, or Azure Disk2. References:

1: Volumes | Kubernetes

2: Persistent Volumes | Kubernetes

The statement does not describe a node in the context of a swarm mode cluster. A node is a physical or virtual machine running Docker Engine 1.12 or later in swarm mode1. An instance of the Docker CLI connected to the swarm is not a node, but a client that can interact with the swarm through the Docker API2. The Docker CLI can be used to create a swarm, join nodes to a swarm, deploy services to a swarm, and manage swarm behavior3. References: How nodes work), Docker CLI), Swarm mode overview)

When content trust is enabled, Docker blocks any command that operates on unsigned images, such as docker service create. This is because Docker Content Trust (DCT) allows users to verify the integrity and publisher of specific image tags, using digital signatures stored on a Notary server. If an image tag is not signed, or the signature cannot be verified, Docker will refuse to pull, run, or build with that image. Therefore, if myorg/myimage:1.0 is unsigned, Docker will block the command docker service create myorg/myimage:1.0 and display an error message. References:

Content trust in Docker

Docker Content Trust: What It Is and How It Secures Container Images

Automation with content trust

 = The command kubectl describe deployment api displays the events table for the deployment object called api, along with other information such as labels, replicas, strategy, conditions, and pod template. The events table shows the history of actions that have affected the deployment, such as scaling, updating, or creating pods. This can help troubleshoot any issues with the deployment. To see only the events table, you can use the flag --show-events=true with the command. References:

Deployments | Kubernetes

kubectl - How to describe kubernetes resource - Stack Overflow

Kubectl: Get Deployments - Kubernetes - ShellHacks

kubernetes - Kubectl get deployment yaml file - Stack Overflow

 Docker Content Trust (DCT) is a feature that allows users to verify the integrity and publisher of container images they pull or deploy from a registry server, signed on a Notary server12. DCT does not verify or encrypt the Docker registry TLS, which is a separate mechanism for securing the communication between the Docker client and the registry server. The purpose of DCT is to ensure that the images are not tampered with or maliciously modified by anyone other than the original publisher3. References:

Content trust in Docker | Docker Docs

Docker Content Trust: What It Is and How It Secures Container Images

Automation with content trust | Docker Docs

 The command ‘kubectl get pods --all-namespaces -I env=development’ does not display all the pods in the cluster that are labeled as ‘env: development’. The reason is that the flag -I is not a valid option for kubectl get pods. The correct flag to use is --selector or -l, which allows you to filter pods by labels1. Labels are key-value pairs that can be attached to Kubernetes objects to identify, group, or select them2. For example, to label a pod with env=development, one can run:

kubectl label pods my-pod env=development

To display all the pods that have the label env=development, one can run:

kubectl get pods --selector env=development

or

kubectl get pods -l env=development

The --all-namespaces flag can be used to list pods across all namespaces3. Therefore, the correct command to display all the pods in the cluster that are labeled as ‘env: development’ is:

kubectl get pods --all-namespaces --selector env=development

or

kubectl get pods --all-namespaces -l env=development References:

kubectl Cheat Sheet | Kubernetes

Labels and Selectors | Kubernetes

kubectl get | Kubernetes

Docker allows the use of insecure registries through a specific configuration in the Docker daemon.By listing the insecure registries in the ‘daemon.json’ configuration file under the ‘insecure-registries’ key, Docker can interact with these registries even without a trusted TLS certificate1.This is particularly useful when setting up a private Docker registry1.However, it’s important to note that this configuration bypasses the security provided by TLS, and should be used with caution1.