Free Docker DCA Practice Exam with Questions & Answers | Set: 2

The statement is not entirely correct. In Kubernetes, a service of type ClusterIP routes traffic sent to its IP address to the pods selected by its label selector1. However, the port to which the traffic is routed in the pod is determined by the targetPort specified in the service definition1. If targetPort is not specified, it defaults to being the same as the port field1. In the provided YAML snippet, there is no targetPort specified for port 80, so we cannot confirm that the traffic will be routed to port 8080 in the pod. Therefore, without additional information about the pod configuration, we cannot verify the provided solution statement1.

 In the context of a swarm mode cluster, an instance of the Docker engine participating in the swarm is indeed a node1. A node can be either a manager or a worker, depending on the role assigned by the swarm manager2. A manager node handles the orchestration and management of the swarm, while a worker node executes the tasks assigned by the manager2. A node can join or leave a swarm at any time, and the swarm manager will reconcile the desired state of the cluster accordingly1. References:

• 1: Swarm mode overview | Docker Docs
• 2: Manage nodes in a swarm | Docker Docs

The command docker Is -a does not list all nodes in a swarm cluster from the command line, but rather lists all containers, both running and stopped, on the current node1. To list all nodes in a swarm cluster, you need to use the command docker node ls from a manager node2. This command shows the node ID, hostname, status, availability, and manager status for each node in the swarm2. You can also use the --filter option to filter the output based on various criteria2. References: Docker Documentation, docker node ls

= The command docker service create -name dns-cache -p 53:53 -udp dns-cache will not create a swarm service that only listens on port 53 using the UDP protocol. The reason is that the command has several syntax errors and invalid options. The correct command to create a swarm service that only listens on port 53 using the UDP protocol is docker service create --name dns-cache --publish published=53,target=53,protocol=udp dns-cache12. The command docker service create -name dns-cache -p 53:53 -udp dns-cache has the following problems:

• The option -name is not a valid option for docker service create. The valid option for specifying the service name is --name3.
• The option -p is not a valid option for docker service create. The valid option for publishing a port for a service is --publish1.
• The option -udp is not a valid option for docker service create. The valid option for specifying the protocol for a published port is protocol within the --publish option1.
• The argument 53:53 is not a valid argument for docker service create. The argument for docker service create should be the image name for the service, such as dns-cache3. The source and target of the published port should be specified in the --publish option, separated by a comma1.

Therefore, the command docker service create -name dns-cache -p 53:53 -udp dns-cache will not work as intended, and will likely produce an error message or an unexpected result. References:

• Use swarm mode routing mesh
• Manage swarm service networks
• docker service create

= The command docker run -add-volume /data /mydata -read-only ubuntu will not mount the host’s /data directory to the ubuntu container in read-only mode. The reason is that the command has several syntax errors and invalid options. The correct command to mount a host directory to a container in read-only mode is docker run --mount type=bind,source=/data,target=/mydata,readonly ubuntu12. The command docker run -add-volume /data /mydata -read-only ubuntu has the following problems:

• The option -add-volume is not a valid option for docker run. The valid options for mounting a volume or a bind mount are --mount or -v12.
• The option -read-only is not a valid option for docker run. The valid option for making the container’s root filesystem read-only is --read-only3. However, this option will not affect the mounted volumes or bind mounts, which have their own readonly option12.
• The argument /data /mydata is not a valid argument for docker run. The argument for docker run should be the command to run inside the container, such as bash or ping4. The source and target of the volume or bind mount should be specified in the --mount or -v option, separated by a colon12.

Therefore, the command docker run -add-volume /data /mydata -read-only ubuntu will not work as intended, and will likely produce an error message or an unexpected result. References:

• Use bind mounts
• Use volumes
• docker run
• Docker run reference

The statement is correct. In the provided Docker Compose file, a health check is defined for the service “app”. It uses curl to perform a health check on the application every 10 seconds (as specified by the “interval” parameter). If it fails three times (as specified by the “retries” parameter), then the container is marked as unhealthy. A health check is a way of checking the health of a running container and applying actions based on the result1. It can be used to monitor the status of the service and restart the container if it becomes unhealthy2. References:

• Compose file version 3 reference | Docker Docs
• Docker Compose & Health Checks – Gabriel’s World

= Distributing seven managers across three datacenters or availability zones as 3-3-1 is not the best way to ensure high availability and fault tolerance. This is because if one of the datacenters with three managers fails, the remaining four managers will not have a quorum to elect a leader and continue the swarm operations. A quorum is the minimum number of managers that must be available to maintain the swarm state, and it is calculated as (N/2) + 1, where N is the total number of managers1. For seven managers, the quorum is five, so losing three managers will cause the swarm to lose the quorum. A better way to distribute seven managers across three datacenters or availability zones is 2-2-3, which will allow the swarm to survive the failure of any one datacenter2. References:

• Administer and maintain a swarm of Docker Engines
• Distribute manager nodes across multiple AZ

 Docker Content Trust (DCT) is a feature that allows users to verify the integrity and publisher of container images they pull or deploy from a registry server, signed on a Notary server12. DCT does not verify or encrypt the Docker registry TLS, which is a separate mechanism for securing the communication between the Docker client and the registry server. The purpose of DCT is to ensure that the images are not tampered with or maliciously modified by anyone other than the original publisher3. References:

• Content trust in Docker | Docker Docs
• Docker Content Trust: What It Is and How It Secures Container Images
• Automation with content trust | Docker Docs

= LDAP is a supported user authentication method for Universal Control Plane (UCP). UCP has its own built-in authentication mechanism and integrates with LDAP and Active Directory. It also supports Role Based Access Control (RBAC) and Docker Content Trust. UCP allows you to configure LDAP as an authentication method and connect it to your LDAP server. You need to provide the LDAP URL, the base DN, the bind DN and password, and the user and group search settings12. References:

• SAML | Docker Docs
• Universal Control Plane overview | dockerlabs

The networkPolicy shown in the image is a Kubernetes yaml file that describes a networkPolicy. This networkPolicy will not block traffic from a pod bearing the tier: backend label, to a pod bearing the tier: frontend label. This is because the networkPolicy is configured to allow ingress traffic from pods with the tier: backend label to pods with the tier: frontend label. References:

• Content trust in Docker | Docker Docs
• Docker Content Trust: What It Is and How It Secures Container Images
• Automation with content trust | Docker Docs