
Docker DCA Practice Test - Questions Answers, Page 12

Is this a way to configure the Docker engine to use a registry without a trusted TLS certificate?

Solution. Set INSECURE_REGISTRY in the '/etc/docker/default' configuration file.

A. Yes

B. No

Suggested answer: A

Explanation:

Setting INSECURE_REGISTRY in the /etc/docker/default configuration file is one way to configure the Docker engine to use a registry without a trusted TLS certificate. This option tells the Docker daemon to accept insecure connections to the specified registry, bypassing the certificate verification [1]. However, this method is not recommended, as it exposes the registry and the Docker engine to potential security risks [2]. A better way to use a registry without a trusted TLS certificate is to add the registry's CA certificate to the Docker daemon's trust store, as described in the Docker documentation [3] or other online guides [4].

Reference:

1: How to build docker registry without SSL

2: Verify repository client with certificates | Docker Docs

3: "docker pull" certificate signed by unknown authority

4: Login to docker registry with client certificate under windows

Is this a way to configure the Docker engine to use a registry without a trusted TLS certificate?

Solution. Set and export the IGNORE_TLS environment variable on the command line.

A. Yes

B. No

Suggested answer: B

Explanation:

Setting and exporting the IGNORE_TLS environment variable on the command line is not a way to configure the Docker engine to use a registry without a trusted TLS certificate. This environment variable is not recognized by Docker and has no effect on the TLS verification process [1]. To use a registry without a trusted TLS certificate, you need to either add the certificate to the system or Docker-specific trust store, or configure the Docker daemon to allow insecure registries [2][3].

Reference:

Environment variables | Docker Docs

Verify repository client with certificates | Docker Docs

Test an insecure registry | Docker Docs

Will this command display a list of volumes for a specific container?

Solution. 'docker container logs nginx --volumes'

A. Yes

B. No

Suggested answer: B

Explanation:

The command docker container logs nginx --volumes will not display a list of volumes for a specific container. The docker container logs command shows the logs of a container, which are usually the standard output and standard error of the main process running in the container [1]. The --volumes flag is not a valid option for this command, and will result in an error message [2]. To display a list of volumes for a specific container, you can use the docker inspect command with a filter option, such as docker inspect -f '{{ .Mounts }}' nginx [3]. This will show the source, destination, mode, type, and propagation of each volume mounted in the container [4].

Reference: docker container logs, docker container logs nginx --volumes, docker inspect, docker inspect -f '{{ .Mounts }}' nginx

Is this a supported user authentication method for Universal Control Plane?

Solution. SAML

A. Yes

B. No

Suggested answer: A

Explanation:

SAML is a supported user authentication method for Universal Control Plane (UCP). UCP has its own built-in authentication mechanism and integrates with LDAP and Active Directory. It also supports Role Based Access Control (RBAC) and Docker Content Trust. UCP allows you to configure SAML as an authentication method and connect it to your Identity Provider (IdP). You need to provide the Entity ID and the ACS URL from UCP to your IdP, and the SAML Sign-on URL and the x509 Certificate from your IdP to UCP [1][2].

Reference:

SAML | Docker Docs

Configure Single Sign-On | Docker Docs

Is this a supported user authentication method for Universal Control Plane?

Solution. x.500

A. Yes

B. No

Suggested answer: B

Explanation:

x.500 is not a supported user authentication method for Universal Control Plane (UCP). UCP supports two types of user authentication methods: built-in and external [1]. Built-in authentication uses the UCP's own database to store and verify user credentials. External authentication uses an external LDAP or Active Directory service to manage user accounts and passwords [1]. x.500 is a standard for directory services, which can be used by LDAP or Active Directory, but it is not a user authentication method by itself [2].

Reference:

User authentication | Docker Docs

Is this statement correct?

Solution. A Dockerfile stores persistent data between deployments of a container

A. Yes

B. No

Suggested answer: B

Explanation:

A Dockerfile does not store persistent data between deployments of a container. A Dockerfile is a text document that contains instructions for building a Docker image. A Docker image is a read-only template that defines the layers and configuration of a container. A Docker container is an isolated and ephemeral instance of a Docker image that runs on the Docker Engine. Docker containers are not meant to store persistent data, as any changes made to the container's filesystem are lost when the container is removed. To store persistent data between deployments of a container, you need to use volumes or bind mounts. Volumes and bind mounts are ways to attach external storage to a container, so that the data is preserved even if the container is deleted. Volumes are managed by Docker and stored in a location on the host system that is independent of the container's lifecycle. Bind mounts are files or directories on the host system that are mounted into a container.

Reference:

Persist container data

Dockerfile reference

Docker MySQL Persistence

Persist the DB

Docker - Dockerfile, persist data with VOLUME

Will this command ensure that overlay traffic between service tasks is encrypted?

Solution. docker network create -d overlay --secure <network-name>

A. Yes

B. No

Suggested answer: B

Explanation:

The command docker network create -d overlay --secure <network-name> will not ensure that overlay traffic between service tasks is encrypted. The --secure option is not a valid flag for the docker network create command [1]. To enable encryption for an overlay network, you need to use the --opt encrypted flag instead [2][3]. This will create IPSEC tunnels between the nodes where the service tasks are scheduled, using the AES algorithm in GCM mode [2]. You can verify if an overlay network is encrypted by checking if the IPSEC tunnels were created using tools like netstat [4].

Reference:

1: docker network create | Docker Docs

2: Encrypt traffic on an overlay network | Docker Docs

3: Overlay network driver | Docker Docs

4: Docker: How to verify if an overlay network is encrypted - Stack Overflow

An application image runs in multiple environments, with each environment using different certificates and ports. Is this a way to provision configuration to containers at runtime?

Solution. Create a Dockerfile for each environment, specifying ports and Docker secrets for certificates.

A. Yes

B. No

Suggested answer: B

Explanation:

Creating a Dockerfile for each environment, specifying ports and Docker secrets for certificates is not a way to provision configuration to containers at runtime. A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image [1]. A Dockerfile is used to build an image, not to run a container. Once an image is built, the configuration specified in the Dockerfile cannot be changed at runtime. To provision configuration to containers at runtime, you need to use a different mechanism, such as environment variables, command-line arguments, or config maps [2][3][4].

Reference:

Dockerfile reference | Docker Docs

Environment variables in Compose | Docker Docs

Override the default command | Docker Docs

Configuration management with Containers | Kubernetes

Will this sequence of steps completely delete an image from disk in the Docker Trusted Registry?

Solution. Delete the image and delete the image repository from Docker Trusted Registry.

A. Yes

B. No

Suggested answer: B

Explanation:

The sequence of steps will not completely delete an image from disk in the Docker Trusted Registry. Deleting an image and deleting an image repository from the Docker Trusted Registry will only remove the references to the image, but not the actual image data on the disk [1]. To completely delete an image from disk, you need to run the garbage collection command on the registry server, which will delete any unreferenced blobs [2]. The garbage collection command is bin/registry garbage-collect /path/to/config.yml [3].

Reference: Deleting an image, Garbage collection, Running garbage collection

Two development teams in your organization use Kubernetes and want to deploy their applications while ensuring that Kubernetes-specific resources, such as secrets, are grouped together for each application.

Is this a way to accomplish this?

Solution. Create a collection for each application.

A. Yes

B. No

Suggested answer: B

Explanation:

Creating a collection for each application is not a way to accomplish this. A collection is a term used by Ansible to describe a package of related content that can be used to automate the management of Kubernetes resources [1]. A collection is not a native Kubernetes concept and does not group resources together within the cluster. To group Kubernetes-specific resources, such as secrets, for each application, you need to use namespaces. A namespace is a logical partition of the cluster that allows you to isolate resources and apply policies to them [2]. You can create a namespace for each application and store the secrets and other resources in that namespace. This way, you can prevent conflicts and limit access to the resources of each application. To create a namespace, you can use the kubectl create namespace command or a yaml file [2]. To create a secret within a namespace, you can use the kubectl create secret command with the --namespace option or a yaml file with the metadata.namespace field [3].

Reference:

Kubernetes Collection for Ansible - GitHub

Namespaces | Kubernetes

Secrets | Kubernetes

Managing Secrets using kubectl | Kubernetes

Total 183 questions