Docker DCA Docker Certified Associate (DCA) Exam Exam Practice Test

The statement is correct. In the provided Kubernetes YAML, it’s defined that traffic sent to the IP of this service on port 8080 will be routed to port 80 in a random pod with the label app: nginx. This is because it’s a ClusterIP service type which is meant for internal communication within the cluster, and it uses selectors to route traffic to the correct pods. References: Docker Certified Associate Guide, DCA Prep Guide

 Deleting the image and the image repository from Docker Trusted Registry will not completely delete the image from disk. This is because deleting a repository or a tag only removes the reference to the image, but not the image itself. The image is still stored as a blob on the disk, and can be accessed by its digest1. To completely delete the image from disk, you need to enable the deletion feature in the registry configuration, and then use the API to delete the image by its manifest2. Alternatively, you can manually delete the image files from the registry storage directory, but this is not recommended3. After deleting the image, you also need to run the garbage collector to reclaim the disk space4. References:

• Docker Registry HTTP API V2
• How to delete images from a private docker registry?
• Remove docker image in registry by removing files/folders on server
• Garbage collection

 A node is a physical or virtual machine running Docker Engine in swarm mode1. A node can be either a manager or a worker, depending on its role in the cluster1. A physical machine participating in the swarm is a node, regardless of its role or availability2. References:

• How nodes work | Docker Docs
• Manage nodes in a swarm | Docker Docs

The networkPolicy will block the traffic from a pod bearing the tier: backend label, to a pod bearing the tier: frontend label. The networkPolicy specifies that only pods with the tier: frontend label can access the pods with the app: guestbook-api and tier: backend labels on port 801. Any other traffic to the backend pods will be denied by default2. Therefore, a request issued from a pod bearing the tier: backend label, to a pod bearing the tier: frontend label will be blocked by the networkPolicy. References: Connect a Frontend to a Backend Using Services), Network Policies)

= A Dockerfile does not store persistent data between deployments of a container. A Dockerfile is a text document that contains instructions for building a Docker image. A Docker image is a read-only template that defines the layers and configuration of a container. A Docker container is an isolated and ephemeral instance of a Docker image that runs on the Docker Engine. Docker containers are not meant to store persistent data, as any changes made to the container’s filesystem are lost when the container is removed. To store persistent data between deployments of a container, you need to use volumes or bind mounts. Volumes and bind mounts are ways to attach external storage to a container, so that the data is preserved even if the container is deleted. Volumes are managed by Docker and stored in a location on the host system that is independent of the container’s lifecycle. Bind mounts are files or directories on the host system that are mounted into a container. References:

• Persist container data
• Dockerfile reference
• Docker MySQL Persistence
• Persist the DB
• Docker - Dockerfile, persist data with VOLUME

= Storage is not a type of Linux kernel namespace that provides container isolation. Linux namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources1. The feature works by having the same namespace for a set of resources and processes, but those namespaces refer to distinct resources. Since kernel version 5.6, there are 8 kinds of namespaces: mount, UTS, IPC, PID, network, user, cgroup, and time2. Each kind of namespace isolates a different aspect of the system, such as file system mounts, host and domain names, inter-process communication, process IDs, network interfaces, user and group IDs, cgroups, and system time2. Storage is not one of them. References:

• 1: Linux namespaces - Wikipedia
• 2: Namespaces — The Linux Kernel documentation

= The command docker run -add-volume /data /mydata -read-only ubuntu will not mount the host’s /data directory to the ubuntu container in read-only mode. The reason is that the command has several syntax errors and invalid options. The correct command to mount a host directory to a container in read-only mode is docker run --mount type=bind,source=/data,target=/mydata,readonly ubuntu12. The command docker run -add-volume /data /mydata -read-only ubuntu has the following problems:

• The option -add-volume is not a valid option for docker run. The valid options for mounting a volume or a bind mount are --mount or -v12.
• The option -read-only is not a valid option for docker run. The valid option for making the container’s root filesystem read-only is --read-only3. However, this option will not affect the mounted volumes or bind mounts, which have their own readonly option12.
• The argument /data /mydata is not a valid argument for docker run. The argument for docker run should be the command to run inside the container, such as bash or ping4. The source and target of the volume or bind mount should be specified in the --mount or -v option, separated by a colon12.

Therefore, the command docker run -add-volume /data /mydata -read-only ubuntu will not work as intended, and will likely produce an error message or an unexpected result. References:

• Use bind mounts
• Use volumes
• docker run
• Docker run reference

To configure a Docker container to export container logs to a logging solution such as Splunk, you need to set the log-driver and log-opt keys to values for the logging solution in the daemon.json file. This will enable the Splunk logging driver, which sends container logs to HTTP Event Collector in Splunk Enterprise and Splunk Cloud1. You can also use the command-line flags --log-driver and --log-opt with docker run to use the Splunk driver for a specific container1. References:

• Splunk logging driver | Docker Docs
• Collecting docker logs and stats with Splunk | Splunk
• How to send Docker containers logs to Splunk?
• Splunk Logging Driver for Docker | Splunk

= Authentication is not a type of Linux kernel namespace that provides container isolation. Namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources and another set of processes sees a different set of resources. Docker uses six different namespaces to isolate containers from the host and from each other: PID, USER, UTS, IPC, MNT, and NET12. Authentication is not one of them. Authentication is a process of verifying the identity of a user or a system, which is usually done by using credentials such as passwords, tokens, or certificates. Authentication does not directly affect the isolation of containers, although it can be used to control access to them. References:

• Docker security | Docker Docs
• Securing Docker Containers with Linux Kernel Features | Infosec

n: = Using the DTR web UI to make all tags in the repository immutable is not a good way to prevent an image, such as ‘nginx:latest’, from being overwritten by another user with push access to the repository. This is because making all tags immutable would prevent any updates to the images in the repository, which may not be desirable for some use cases. For example, if a user wants to push a new version of ‘nginx:latest’ with a security patch, they would not be able to do so if the tag is immutable. A better way to prevent an image from being overwritten by another user is to use the DTR web UI to create a promotion policy that restricts who can push to a specific tag or repository1. Alternatively, the user can also use the DTR API to create a webhook that triggers a custom action when an image is pushed to a repository2. References:

• Prevent tags from being overwritten | Docker Docs
• Create webhooks | Docker Docs

= A DTR security scan will detect private keys copied to the image. DTR security scan is a feature of Docker Trusted Registry (DTR) that scans images to detect any security vulnerability1. DTR security scan uses the open source tool SecretScanner2 to find unprotected secrets in container images or file systems. SecretScanner can match the contents of images against a database of approximately 140 secret types, including private keys3. Therefore, if an image contains private keys, DTR security scan will report them as potential secrets and alert the user to remove them from the image. References:

• Scan images for vulnerabilities | Docker Docs
• GitHub - deepfence/SecretScanner: :unlock: Find secrets and passwords …
• SecretScanner/deepfence_secret_scanner.py at main · deepfence/SecretScanner

When content trust is enabled, Docker blocks any command that operates on unsigned images, such as docker service create. This is because Docker Content Trust (DCT) allows users to verify the integrity and publisher of specific image tags, using digital signatures stored on a Notary server. If an image tag is not signed, or the signature cannot be verified, Docker will refuse to pull, run, or build with that image. Therefore, if myorg/myimage:1.0 is unsigned, Docker will block the command docker service create myorg/myimage:1.0 and display an error message. References:

• Content trust in Docker
• Docker Content Trust: What It Is and How It Secures Container Images
• Automation with content trust

The statement is not correct. A Dockerfile does not store the Docker daemon’s configuration options. A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image1. A Dockerfile is used to build images, not to configure the Docker daemon. The Docker daemon’s configuration options are stored in a JSON file, which is usually located at /etc/docker/daemon.json on Linux systems, or C:\ProgramData\docker\config\daemon.json on Windows2. The JSON file allows you to customize the Docker daemon’s behavior, such as enabling debug mode, setting TLS certificates, or changing the data directory2. References: Dockerfile reference), Docker daemon configuration overview)

= The command docker service create --network --secure will not ensure that overlay traffic between service tasks is encrypted. This is because the --secure option is not a valid option for the docker service create command1. To ensure that overlay traffic between service tasks is encrypted, you need to use the --opt encrypted option when creating the overlay network with the docker network create command2. For example, to create an encrypted overlay network named my-net, you can use the following command:

docker network create --driver overlay --opt encrypted my-net

Then, you can use the --network my-net option when creating the service with the docker service create command3. For example, to create a service named my-service using the nginx image and the my-net network, you can use the following command:

docker service create --name my-service --network my-net nginx

References:

• docker service create | Docker Docs
• Use overlay networks | Docker Docs
• Create a service | Docker Docs

Docker Universal Control Plane (UCP) has its own built-in authentication mechanism and integrates with LDAP services1. It also has role-based access control (RBAC), so that you can control who can access and make changes to your cluster and applications1. However, there is no mention of Docker ID being a supported user authentication method for UCP in the resources provided1234.

 Environment variables cannot be used to schedule containers to meet the security policy requirements. Environment variables are used to pass configuration data to the containers, not to control where they run1. To schedule containers to run on separate nodes in a Swarm cluster, you need to use node labels and service constraints23. Node labels are key-value pairs that you can assign to nodes to organize them into groups4. Service constraints are expressions that you can use to limit the nodes where a service can run based on the node labels. For example, you can label some nodes as env=dev and others as env=prod, and then use the constraint --constraint node.labels.env==dev or --constraint node.labels.env==prod when creating a service to ensure that it runs only on the nodes with the matching label. References:

• 1: Environment variables in Compose | Docker Docs
• 2: Deploy services to a swarm | Docker Docs
• 3: How to use Docker Swarm labels to deploy containers on specific nodes
• 4: Manage nodes in a swarm | Docker Docs
• [5]: Swarm mode routing mesh | Docker Docs
• [6]: Docker Swarm - How to set environment variables for tasks on various nodes

 Namespaces in Kubernetes are a way to create and organize virtual clusters within physical clusters where we can isolate a group of resources within a single cluster1. Namespace helps to organize resources such as pods, services, and volumes within the cluster2. By creating one namespace for each application and adding all the resources to it, the development teams can ensure that Kubernetes-specific resources, such as secrets, are grouped together for each application. This also provides a scope for names, a mechanism to attach authorization and policy, and a way to divide cluster resources between multiple users3. References:

• Namespaces | Kubernetes
• Kubernetes - Namespaces - GeeksforGeeks
• Namespaces Walkthrough | Kubernetes

= Simultaneously creating and tagging multiple images is not an advantage of multi-stage builds. Multi-stage builds are a feature that allows you to use multiple FROM statements in your Dockerfile, each starting a new stage of the build1. You can selectively copy artifacts from one stage to another, leaving behind everything you don’t want in the final image. This helps you to optimize the size and security of your images, as well as to simplify your build process12. However, multi-stage builds do not create or tag multiple images at once. Each Dockerfile produces one final image, which is the result of the last stage in the Dockerfile1. If you want to create and tag multiple images from a single Dockerfile, you need to use the --target option with the docker build command, and specify the name of the stage you want to build and tag3. References:

• Multi-stage builds | Docker Docs
• What Are Multi-Stage Docker Builds? - How-To Geek
• Stop at a specific build stage | Docker Docs

The answer depends on whether you want to access the container from the host’s network or from other containers on the same network. EXPOSE and --publish have different effects on the container’s port visibility. References: Docker run reference, Dockerfile reference, Docker networking overview

The command docker run --log-driver=splunk for every container at run time will configure a Docker container to export container logs to the logging solution. The reason is that the --log-driver option specifies the logging driver for the container, which determines how the container logs are handled1. The splunk logging driver is a plugin that sends container logs to HTTP Event Collector in Splunk Enterprise and Splunk Cloud2. To use the splunk logging driver, you also need to provide some additional options with the --log-opt flag, such as the Splunk token, URL, source, sourcetype, index, etc2. For example, to run a container with the splunk logging driver and send the logs to a Splunk instance with the URL https://splunk.example.com:8088  and the token 176fabb6-7811-4b3a-8ba0-4d49302e50f2, you can use:

docker run --log-driver=splunk --log-opt splunk-token=176fabb6-7811-4b3a-8ba0-4d49302e50f2 --log-opt splunk-url=https://splunk.example.com:8088 ...

This way, you can configure a Docker container to export container logs to Splunk, which is a centralized logging solution. Alternatively, you can also configure the splunk logging driver as the default logging driver for the Docker daemon by setting the log-driver and log-opts keys in the daemon.json file and restarting Docker3. This will apply the splunk logging driver to all containers unless overridden by the --log-driver option. References:

• Configure logging drivers
• Splunk logging driver
• Set the logging driver for the Docker daemon

The user namespace is a Linux kernel namespace that is disabled by default and must be enabled at Docker engine runtime to be used. The user namespace allows the host system to map its own uid and gid to some different uid and gid for containers’ processes. This improves the security of Docker by isolating the user and group ID number spaces, so that a process’s user and group ID can be different inside and outside of a user namespace1. To enable the user namespace, the daemon must start with --userns-remap flag with a parameter that specifies base uid/gid2. All containers are run with the same mapping range according to /etc/subuid and /etc/subgid3. References:

• Isolate containers with a user namespace
• Using User Namespaces on Docker
• Docker 1.10 Security Features, Part 3: User Namespace

The command docker Is -a does not list all nodes in a swarm cluster from the command line, but rather lists all containers, both running and stopped, on the current node1. To list all nodes in a swarm cluster, you need to use the command docker node ls from a manager node2. This command shows the node ID, hostname, status, availability, and manager status for each node in the swarm2. You can also use the --filter option to filter the output based on various criteria2. References: Docker Documentation, docker node ls

 The purpose of Docker Content Trust is not to indicate an image on Docker Hub is an official image. Docker Content Trust is a feature that allows users to verify the integrity and publisher of container images they pull or deploy from a registry server, signed on a Notary server1. Docker Content Trust uses digital signatures to ensure that the images are authentic and have not been tampered with2. Official images are a curated set of Docker repositories that are designed to be the best starting point for most users3. They are not necessarily signed by Docker Content Trust, although some of them are. To indicate an image on Docker Hub is an official image, you can look for the blue "official image" badge on the image page. References:

• Content trust in Docker | Docker Docs
• Docker Content Trust: What It Is and How It Secures Container Images
• Official Images on Docker Hub | Docker Docs
• [Docker Hub Quickstart | Docker Docs]

The command docker run -v /data:/mydata -mode readonly ubuntu will not mount the host’s /data1 directory to the ubuntu container in read-only mode. The command has several errors that prevent it from working correctly. First, the host directory should be /data1 instead of /data, as specified in the question. Second, the option flag should be --mode instead of -mode, and it should be placed before the image name. Third, the mode value should be ro instead of readonly, as per the Docker documentation1. The correct command should be docker run -v /data1:/mydata --mode ro ubuntu, which will mount the host’s /data1 directory as a read-only volume at /mydata inside the container1. References:

• docker run | Docker Docs

= The command docker network create -d overlay --secure  will not ensure that overlay traffic between service tasks is encrypted. The --secure option is not a valid flag for the docker network create command1. To enable encryption for an overlay network, you need to use the --opt encrypted flag instead23. This will create IPSEC tunnels between the nodes where the service tasks are scheduled, using the AES algorithm in GCM mode2. You can verify if an overlay network is encrypted by checking if the IPSEC tunnels were created using tools like netstat4. References:

• 1: docker network create | Docker Docs
• 2: Encrypt traffic on an overlay network | Docker Docs
• 3: Overlay network driver | Docker Docs
• 4: Docker: How to verify if an overlay network is encrypted - Stack Overflow

The statement is correct. In the provided Docker Compose file, a health check is defined for the service “app”. It uses curl to perform a health check on the application every 10 seconds (as specified by the “interval” parameter). If it fails three times (as specified by the “retries” parameter), then the container is marked as unhealthy. A health check is a way of checking the health of a running container and applying actions based on the result1. It can be used to monitor the status of the service and restart the container if it becomes unhealthy2. References:

• Compose file version 3 reference | Docker Docs
• Docker Compose & Health Checks – Gabriel’s World

= The command docker service create -name dns-cache -p 53:53 -udp dns-cache will not create a swarm service that only listens on port 53 using the UDP protocol. The reason is that the command has several syntax errors and invalid options. The correct command to create a swarm service that only listens on port 53 using the UDP protocol is docker service create --name dns-cache --publish published=53,target=53,protocol=udp dns-cache12. The command docker service create -name dns-cache -p 53:53 -udp dns-cache has the following problems:

• The option -name is not a valid option for docker service create. The valid option for specifying the service name is --name3.
• The option -p is not a valid option for docker service create. The valid option for publishing a port for a service is --publish1.
• The option -udp is not a valid option for docker service create. The valid option for specifying the protocol for a published port is protocol within the --publish option1.
• The argument 53:53 is not a valid argument for docker service create. The argument for docker service create should be the image name for the service, such as dns-cache3. The source and target of the published port should be specified in the --publish option, separated by a comma1.

Therefore, the command docker service create -name dns-cache -p 53:53 -udp dns-cache will not work as intended, and will likely produce an error message or an unexpected result. References:

• Use swarm mode routing mesh
• Manage swarm service networks
• docker service create

The networkPolicy shown in the image is a Kubernetes yaml file that describes a networkPolicy. This networkPolicy will not block traffic from a pod bearing the tier: backend label, to a pod bearing the tier: frontend label. This is because the networkPolicy is configured to allow ingress traffic from pods with the tier: backend label to pods with the tier: frontend label. References:

• Content trust in Docker | Docker Docs
• Docker Content Trust: What It Is and How It Secures Container Images
• Automation with content trust | Docker Docs

 The command ‘kubectl get pods --all-namespaces -I env=development’ does not display all the pods in the cluster that are labeled as ‘env: development’. The reason is that the flag -I is not a valid option for kubectl get pods. The correct flag to use is --selector or -l, which allows you to filter pods by labels1. Labels are key-value pairs that can be attached to Kubernetes objects to identify, group, or select them2. For example, to label a pod with env=development, one can run:

kubectl label pods my-pod env=development

To display all the pods that have the label env=development, one can run:

kubectl get pods --selector env=development

or

kubectl get pods -l env=development

The --all-namespaces flag can be used to list pods across all namespaces3. Therefore, the correct command to display all the pods in the cluster that are labeled as ‘env: development’ is:

kubectl get pods --all-namespaces --selector env=development

or

kubectl get pods --all-namespaces -l env=development References:

• kubectl Cheat Sheet | Kubernetes
• Labels and Selectors | Kubernetes
• kubectl get | Kubernetes

 A DTR security scan will detect licenses for known third party binary components. This is because DTR security scan uses a database of vulnerabilities and licenses that is updated regularly from Docker Server1. DTR security scan can identify the components and versions of the software packages that are present in the image layers, and report any known vulnerabilities or licenses associated with them2. This can help users to comply with the licensing requirements and avoid potential legal issues3. References:

• Set up vulnerability scans | Docker Docs
• Scan images for vulnerabilities | Docker Docs
• Container Security 101 — Scanning images for Vulnerabilities

= The conditions are sufficient for Kubernetes to dynamically provision a persistentVolume, because they include a default storageClass and a persistentVolumeClaim. A storageClass defines which provisioner should be used and what parameters should be passed to that provisioner when dynamic provisioning is invoked. A persistentVolumeClaim requests a specific size, access mode, and storageClass for the persistentVolume. If a persistentVolume that satisfies the claim exists or can be provisioned, the persistentVolumeClaim is bound to that persistentVolume. A default storageClass means that any persistentVolumeClaim that does not specify a storageClass will use the default one. Therefore, the conditions in the question are enough to enable dynamic provisioning of storage volumes on-demand. References:

• Dynamic Volume Provisioning | Kubernetes
• Persistent volumes and dynamic provisioning | Google Kubernetes Engine …

The command docker system events --filter splunk will not configure a Docker container to export container logs to the logging solution. The command docker system events will display real-time events from the Docker daemon, such as container creation, start, stop, etc. The --filter option will filter the events by various criteria, such as type, label, name, etc. However, there is no filter for splunk, and even if there was, it would only show the events related to Splunk, not the container logs. To configure a Docker container to export container logs to Splunk, you need to use the Splunk logging driver, which is a plugin that sends container logs to HTTP Event Collector in Splunk Enterprise and Splunk Cloud. You can use the --log-driver and --log-opt options when creating or running a container to specify the Splunk logging driver and its options, such as the Splunk token, URL, source, sourcetype, index, etc. Alternatively, you can configure the Splunk logging driver as the default logging driver for the Docker daemon by setting the log-driver and log-opts keys in the daemon.json file and restarting Docker. References:

• docker system events
• Splunk logging driver
• How to send Docker containers logs to Splunk?

 = Host is not a type of Linux kernel namespace that provides container isolation. Linux namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources1. There are eight kinds of namespaces available: Mount, Process, User, Network, UTS, IPC, Cgroup, and Time1. Host is a parameter that can be used to run a container in the host’s network namespace, which means the container shares the same network interfaces and configuration as the host2. References:

• Linux namespaces - Wikipedia
• Network settings | Docker Documentation

= Docker will block the command docker image inspect myorg/myimage: 1.0 if the image tag is unsigned and the environment variable DOCKER_CONTENT_TRUST is set to 1. This is because Docker Content Trust (DCT) enables the verification of the integrity and publisher of Docker images using digital signatures1. When DCT is enabled, Docker will only pull, run, or inspect images that have a valid signature2. If the image tag is not signed, Docker will reject the command and display an error message, such as No valid trust data for 1.03. To inspect an unsigned image, you need to either disable DCT by setting DOCKER_CONTENT_TRUST to 0, or use the --disable-content-trust flag with the command. References:

• Content trust in Docker | Docker Docs
• Enable and disable content trust in Docker | Docker Docs
• Docker Content Trust: What It Is and How It Secures Container Images
• [docker image inspect | Docker Docs]

To trust a self-signed certificate from a Docker Trusted Registry (DTR), you need to place the certificate in the appropriate location on all cluster nodes and restart the Docker daemon. There are two possible locations for the certificate, depending on your OS and Docker version1:

•/etc/docker/certs.d/dtr.example.com/ca.crt: This is the preferred location for Linux systems and Docker versions 1.13 and higher. This directory is scanned by Docker for certificates and keys for each registry domain2.

•Your OS certificate path: This is the fallback location for other OSes and Docker versions. You need to find the certificate store for your OS and copy the certificate there. You also need to trust the certificate system-wide, which may require additional steps depending on your OS3.

The other options are not correct because:

•Passing '-trust-certificate ca.crt to the Docker client is not a valid option. There is no such flag for the Docker client4.

•Placing the certificate in ‘/etc/docker/dtr/dtr.example.com.crt’ is not a valid location. The certificate should be in the /etc/docker/certs.d directory, not the /etc/docker/dtr directory1.

•Passing – insecure-registry to the Docker client is not a recommended option. This flag disables the TLS verification for the registry, which makes the communication insecure and vulnerable to attacks.

References:

•Use self-signed certificates | Docker Docs

•Test an insecure registry | Docker Docs

•Add TLS certificates as a trusted root authority to the host OS | Docker Docs

•docker | Docker Docs

•[Deploy a registry server | Docker Docs]

   = Using network connect to access the container on the bridge network does not accomplish creating a container that is reachable from its host’s network. The network connect command connects a container to an existing network, but it does not expose the container’s ports to the host1. The bridge network is the default network that Docker creates for containers, and it provides isolation from the host network2. To create a container that is reachable from its host’s network, you need to use the host network driver, which disables network isolation and uses the host’s network stack directly3. Alternatively, you can use the port mapping feature to publish specific ports of the container to the host4. References:

• docker network connect | Docker Docs
• Bridge network driver | Docker Docs
• Host network driver | Docker Docs
• Publish ports on the host | Docker Docs

= Seccomp is a Linux kernel feature that allows you to restrict the actions available within the container. By using a seccomp profile, you can limit the system calls that a container can make, thus enhancing its security and isolation. Docker has a default seccomp profile that blocks some potentially dangerous system calls, such as mount, reboot, or ptrace. You can also pass a custom seccomp profile for a container using the --security-opt option. Seccomp can limit a container’s access to host resources, such as CPU or memory, by blocking or filtering system calls that affect those resources, such as setpriority, sched_setaffinity, or mlock. References:

• Seccomp security profiles for Docker
• Hardening Docker Container Using Seccomp Security Profile

= The command ‘docker run --volume /data:/mydata:ro ubuntu’ will mount the host’s ‘/data’ directory to the ubuntu container in read-only mode. The --volume or -v option allows you to mount a host directory or a file to a container as a volume1. The syntax for this option is:

-v|--volume=[host-src:]container-dest[:]

The host-src can be an absolute path or a name value. The container-dest must be an absolute path. The options can be a comma-separated list of mount options, such as ro for read-only, rw for read-write, z or Z for SELinux labels, etc1. In this case, the host-src is /data, the container-dest is /mydata, and the option is ro, which means the container can only read the data from the volume, but not write to it2. This can be useful for sharing configuration files or other data that should not be modified by the container3. References:

• Use volumes | Docker Documentation
• Docker run reference | Docker Documentation
• Docker - Volumes - Tutorialspoint

 Better caching when building Docker images is an advantage of multi-stage builds. Multi-stage builds allow you to use multiple FROM statements in your Dockerfile, each starting a new stage of the build1. This can help you improve the caching efficiency of your Docker images, as each stage can use its own cache layer2. For example, if you have a stage that installs dependencies and another stage that compiles your code, you can reuse the cached layer of the dependencies stage if they don’t change, and only rebuild the code stage if it changes2. This can save you time and bandwidth when building and pushing your images. References:

• Multi-stage builds | Docker Docs
• What Are Multi-Stage Docker Builds? - How-To Geek

= The action of using --link to access the container on the bridge network does not accomplish the goal of creating a container that is reachable from its host’s network. The --link option allows you to connect containers that are running on the same network, but it does not expose the container’s ports to the host1. To create a container that is reachable from its host’s network, you need to use the --network host option, which attaches the container to the host’s network stack and makes it share the host’s IP address2. Alternatively, you can use the --publish or -p option to map the container’s ports to the host’s ports3.

References: : Legacy container links | Docker Documentation : Networking using the host network | Docker Documentation : docker run reference | Docker Documentation

The provided Kubernetes NetworkPolicy YAML configuration indicates that the policy applies to pods with the label tier: backend in the default namespace1. The ingress rule allows traffic from pods with the label tier: api1. Therefore, a request issued from a pod bearing only the tier: frontend label to a pod bearing the tier: backend label will be blocked by this networkPolicy1. This is because the networkPolicy does not have a rule allowing ingress from pods with the tier: frontend label1. For more information on Kubernetes NetworkPolicies, you can refer to the Kubernetes Documentation on Network Policies.

= Provisioning a Docker config object for each environment is a way to provision configuration to containers at runtime. Docker configs allow services to adapt their behaviour without the need to rebuild a Docker image. Services can only access configs when explicitly granted by a configs attribute within the services top-level element. As with volumes, configs are mounted as files into a service’s container’s filesystem1. Docker configs are supported on both Linux and Windows services2. References: Docker Documentation, Configs top-level element

= The ‘docker inspect’ command returns low-level information on Docker objects, such as containers, images, networks, etc1 It does not show the list of historical tasks for a service. To view the list of tasks for a service, you need to use the ‘docker service ps’ command 2. For example, to see the tasks for the ‘http’ service, you would run ‘docker service ps http’. This would show the ID, name, image, node, desired state, current state, and error of each task 2. References: Docker inspect | Docker Docs, Docker service ps | Docker Docs

Creating a Dockerfile for each environment, specifying ports and Docker secrets for certificates is not a way to provision configuration to containers at runtime. A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image1. A Dockerfile is used to build an image, not to run a container. Once an image is built, the configuration specified in the Dockerfile cannot be changed at runtime. To provision configuration to containers at runtime, you need to use a different mechanism, such as environment variables, command-line arguments, or config maps234. References:

• Dockerfile reference | Docker Docs
• Environment variables in Compose | Docker Docs
• Override the default command | Docker Docs
• Configuration management with Containers | Kubernetes

Process ID is a type of Linux kernel namespace that provides container isolation. Linux namespaces are a feature of the Linux kernel that isolate and virtualize system resources of a collection of processes1. Process ID namespace isolates the process ID number space, meaning that processes in different PID namespaces can have the same PID2. This allows each container to have its own init process with PID 1, which is the ancestor of all other processes in the container3. Process ID namespace also affects other identifiers, such as thread IDs, parent process IDs, and session IDs4. References: Namespaces in operation), pid_namespaces), What is a PID namespace?, Linux Namespaces: PID)

= Linux capabilities are a way of restricting the privileges of a process or a container. By default, Docker containers run with a reduced set of capabilities, which means they cannot perform certain operations that require higher privileges, such as setting the system time1. To allow a container to set the system time, you need to grant it the SYS_TIME capability by using the --cap-add option when running the container2. For example, docker run --cap-add SYS_TIME alpine date -s 12:00 would set the system time to 12:00 inside the alpine container3. References: Docker Documentation, Runtime privilege and Linux capabilities, Change system date time in Docker containers without impacting host, Is it possible to change time dynamically in docker container?

 = The command kubectl describe deployment api displays the events table for the deployment object called api, along with other information such as labels, replicas, strategy, conditions, and pod template. The events table shows the history of actions that have affected the deployment, such as scaling, updating, or creating pods. This can help troubleshoot any issues with the deployment. To see only the events table, you can use the flag --show-events=true with the command. References:

• Deployments | Kubernetes
• kubectl - How to describe kubernetes resource - Stack Overflow
• Kubectl: Get Deployments - Kubernetes - ShellHacks
• kubernetes - Kubectl get deployment yaml file - Stack Overflow

= Distributing seven managers across three datacenters or availability zones as 3-2-2 is not a good way to ensure high availability and fault tolerance. This is because a swarm cluster requires a majority of managers (more than half) to be available and able to communicate with each other in order to maintain the swarm state and avoid a split-brain scenario1. If one of the datacenters or availability zones with three managers goes down, the remaining four managers will not have a quorum and the swarm will stop functioning. A better way to distribute seven managers across three datacenters or availability zones is 3-3-1 or 3-2-1-1, which will allow the swarm to survive the loss of one or two datacenters or availability zones, respectively2. References:

• Administer and maintain a swarm of Docker Engines | Docker Docs
• How to Create a Cluster of Docker Containers with Docker Swarm and DigitalOcean on Ubuntu 16.04 | DigitalOcean