
Docker DCA Practice Test - Questions Answers, Page 15

The following Docker Compose file is deployed as a stack:

Is this statement correct about this health check definition?

Solution. Health checks test for app health ten seconds apart. Three failed health checks transition the container into 'unhealthy' status.

A. Yes
B. No
Suggested answer: A

Explanation:

The statement is correct. In the provided Docker Compose file, a health check is defined for the service ''app''. It uses curl to perform a health check on the application every 10 seconds (as specified by the ''interval'' parameter). If it fails three times (as specified by the ''retries'' parameter), then the container is marked as unhealthy. A health check is a way of checking the health of a running container and applying actions based on the result [1]. It can be used to monitor the status of the service and restart the container if it becomes unhealthy [2].

Reference:

Compose file version 3 reference | Docker Docs

Docker Compose & Health Checks -- Gabriel's World

Will this Linux kernel facility limit a Docker container's access to host resources, such as CPU or memory?

Solution. capabilities

A. Yes
B. No
Suggested answer: A

Explanation:

Capabilities are a Linux kernel feature that allows processes to perform some privileged operations without having the full power of the root user [1]. Docker uses capabilities to limit the access of containers to host resources, such as CPU or memory [2]. By default, Docker drops all capabilities except those needed for the container to function properly, using a whitelist approach [3]. This reduces the risk of a container compromising the host system or other containers. You can also add or remove capabilities to or from a container at runtime, using the --cap-add or --cap-drop options of the docker run command [4]. This gives you more control over the security and functionality of your containers.

Reference:

Capabilities | dockerlabs

Docker run reference | Docker Docs

Docker Capabilities and no-new-privileges

Runtime privilege and Linux capabilities | Docker Docs
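
Added example, not part of the original page: a shell decoder for the CapEff bitmask a process reports in /proc/<pid>/status, so you can see which capabilities a container holds after --cap-add or --cap-drop. The mask 00000000a80425fb is assumed here to be the CapEff of a container started with Docker's default capability set; the other sample masks are constructed.

```sh
#!/bin/sh
# Capability names by bit number, as defined in linux/capability.h (bits 0-40).
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"

# Assumption: CapEff of a container started with Docker's default capability set.
DOCKER_DEFAULT_MASK=00000000a80425fb

# decode_caps HEXMASK -> space-separated names of the bits set in the mask
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out${out:+ }$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# extra_caps HEXMASK -> capabilities held beyond the default set (--cap-add)
extra_caps() {
    extra=$(( 0x$1 & ~0x$DOCKER_DEFAULT_MASK ))
    decode_caps "$(printf '%x' "$extra")"
}

# dropped_caps HEXMASK -> default capabilities missing from the mask (--cap-drop)
dropped_caps() {
    missing=$(( 0x$DOCKER_DEFAULT_MASK & ~0x$1 ))
    decode_caps "$(printf '%x' "$missing")"
}

# Constructed sample values, in the form of the CapEff field of /proc/<pid>/status
for sample in 00000000a80425fb 00000000a80435fb 00000000a80405fb; do
    echo "CapEff $sample: extra=[$(extra_caps "$sample")] dropped=[$(dropped_caps "$sample")]"
done
```

On a live host, feed it the value from `grep CapEff /proc/<pid>/status` for the container's main process.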

Does this command create a swarm service that only listens on port 53 using the UDP protocol?

Solution. 'docker service create -name dns-cache -p 53:53 -udp dns-cache'

A. Yes
B. No
Suggested answer: B

Explanation:

The command docker service create -name dns-cache -p 53:53 -udp dns-cache will not create a swarm service that only listens on port 53 using the UDP protocol. The reason is that the command has several syntax errors and invalid options. The correct command to create a swarm service that only listens on port 53 using the UDP protocol is docker service create --name dns-cache --publish published=53,target=53,protocol=udp dns-cache [1][2]. The command docker service create -name dns-cache -p 53:53 -udp dns-cache has the following problems:

The option -name is not a valid option for docker service create. The valid option for specifying the service name is --name [3].

The option -p is not a valid option for docker service create. The valid option for publishing a port for a service is --publish [1].

The option -udp is not a valid option for docker service create. The valid option for specifying the protocol for a published port is protocol within the --publish option [1].

The argument 53:53 is not a valid argument for docker service create. The argument for docker service create should be the image name for the service, such as dns-cache [3]. The source and target of the published port should be specified in the --publish option, separated by a comma [1].

Therefore, the command docker service create -name dns-cache -p 53:53 -udp dns-cache will not work as intended, and will likely produce an error message or an unexpected result.

Reference:

Use swarm mode routing mesh

Manage swarm service networks

docker service create

Are these conditions sufficient for Kubernetes to dynamically provision a persistentVolume, assuming there are no limitations on the amount and type of available external storage?

Solution: A persistentVolumeClaim is created that specifies a pre-defined storageClass.

A. Yes
B. No
Suggested answer: A

Explanation:

The conditions are sufficient for Kubernetes to dynamically provision a persistentVolume, because a storageClass defines the provisioner and parameters for creating a volume on-demand. A persistentVolumeClaim that specifies a storageClass triggers the dynamic provisioning process, and Kubernetes will automatically create and bind a persistentVolume that matches the request. This eliminates the need for manual intervention by cluster administrators to provision storage volumes.

Reference:

Dynamic Volume Provisioning | Kubernetes

Persistent volumes and dynamic provisioning | Google Kubernetes Engine ...

Dynamic Provisioning and Storage Classes in Kubernetes

Is this an advantage of multi-stage builds?

Solution: simultaneously creates and tags multiple images

A. Yes
B. No
Suggested answer: B

Is this an advantage of multi-stage builds?

Solution: faster image builds by allowing parallel execution of Docker builds

A. Yes
B. No
Suggested answer: B

Explanation:

Simultaneously creating and tagging multiple images is not an advantage of multi-stage builds. Multi-stage builds are a feature that allows you to use multiple FROM statements in your Dockerfile, each starting a new stage of the build [1]. You can selectively copy artifacts from one stage to another, leaving behind everything you don't want in the final image. This helps you to optimize the size and security of your images, as well as to simplify your build process [1][2]. However, multi-stage builds do not create or tag multiple images at once. Each Dockerfile produces one final image, which is the result of the last stage in the Dockerfile [1]. If you want to create and tag multiple images from a single Dockerfile, you need to use the --target option with the docker build command, and specify the name of the stage you want to build and tag [3].

Reference:

Multi-stage builds | Docker Docs

What Are Multi-Stage Docker Builds? - How-To Geek

Stop at a specific build stage | Docker Docs

Is this a supported user authentication method for Universal Control Plane?

Solution. LDAP

A. Yes
B. No
Suggested answer: A

Explanation:

LDAP is a supported user authentication method for Universal Control Plane (UCP). UCP has its own built-in authentication mechanism and integrates with LDAP and Active Directory. It also supports Role Based Access Control (RBAC) and Docker Content Trust. UCP allows you to configure LDAP as an authentication method and connect it to your LDAP server. You need to provide the LDAP URL, the base DN, the bind DN and password, and the user and group search settings [1][2].

Reference:

SAML | Docker Docs

Universal Control Plane overview | dockerlabs

You configure a local Docker engine to enforce content trust by setting the environment variable DOCKER_CONTENT_TRUST=1.

If myorg/myimage:1.0 is unsigned, does Docker block this command?

Solution: docker image inspect myorg/myimage:1.0

A. Yes
B. No
Suggested answer: A

Explanation:

Docker will block the command docker image inspect myorg/myimage:1.0 if the image tag is unsigned and the environment variable DOCKER_CONTENT_TRUST is set to 1. This is because Docker Content Trust (DCT) enables the verification of the integrity and publisher of Docker images using digital signatures [1]. When DCT is enabled, Docker will only pull, run, or inspect images that have a valid signature [2]. If the image tag is not signed, Docker will reject the command and display an error message, such as No valid trust data for 1.0 [3]. To inspect an unsigned image, you need to either disable DCT by setting DOCKER_CONTENT_TRUST to 0, or use the --disable-content-trust flag with the command.

Reference:

Content trust in Docker | Docker Docs

Enable and disable content trust in Docker | Docker Docs

Docker Content Trust: What It Is and How It Secures Container Images

[docker image inspect | Docker Docs]

You configure a local Docker engine to enforce content trust by setting the environment variable DOCKER_CONTENT_TRUST=1.

If myorg/myimage:1.0 is unsigned, does Docker block this command?

Solution: docker container run myorg/myimage:1.0

A. Yes
B. No
Suggested answer: A

Explanation:

Docker will block the command docker container run myorg/myimage:1.0 if the image tag myorg/myimage:1.0 is unsigned and the environment variable DOCKER_CONTENT_TRUST=1 is set. The reason is that setting DOCKER_CONTENT_TRUST=1 enables Docker Content Trust (DCT), which is a feature that allows users to verify the integrity and publisher of Docker images using digital signatures [1]. When DCT is enabled, Docker will only pull, run, or build images that have valid signatures. If an image tag is unsigned or has an invalid signature, Docker will reject the operation and display an error message [2]. Therefore, to run an unsigned image with DCT enabled, you need to either disable DCT by setting DOCKER_CONTENT_TRUST=0 or use the --disable-content-trust flag, or sign the image tag with a valid key [3].

Reference:

Content trust in Docker

Determine if Docker image is signed or unsigned

Signing Images and Enabling Docker Content Trust

Is this a type of Linux kernel namespace that provides container isolation?

Solution. Host

A. Yes
B. No
Suggested answer: B

Explanation:

Host is not a type of Linux kernel namespace that provides container isolation. Linux namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources [1]. There are eight kinds of namespaces available: Mount, Process, User, Network, UTS, IPC, Cgroup, and Time [1]. Host is a parameter that can be used to run a container in the host's network namespace, which means the container shares the same network interfaces and configuration as the host [2].

Reference:

Linux namespaces - Wikipedia

Network settings | Docker Documentation
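
Added example, not part of the original page: a shell check that reports which namespaces two processes share by comparing the namespace IDs in their /proc/<pid>/ns directories, which is how a container running in the host's network namespace shows up on the host. The directory names, the make_ns_dir helper and the namespace IDs are constructed stand-ins so the script runs without Docker.

```sh
#!/bin/sh
# shared_namespaces DIR_A DIR_B -> namespace types whose IDs match in both
# directories. Each directory has the layout of /proc/<pid>/ns: one symlink
# per namespace type whose target looks like "net:[4026531840]".
shared_namespaces() {
    dir_a=$1; dir_b=$2; shared=""
    for link in "$dir_a"/*; do
        ns=${link##*/}
        [ -L "$link" ] && [ -L "$dir_b/$ns" ] || continue
        if [ "$(readlink "$link")" = "$(readlink "$dir_b/$ns")" ]; then
            shared="$shared${shared:+ }$ns"
        fi
    done
    printf '%s\n' "$shared"
}

# make_ns_dir DIR TYPE=ID ... builds a constructed stand-in for /proc/<pid>/ns
# (hypothetical helper, used only to create sample data)
make_ns_dir() {
    dir=$1; shift
    mkdir -p "$dir"
    for pair in "$@"; do
        ln -s "${pair%%=*}:[${pair#*=}]" "$dir/${pair%%=*}"
    done
}

# Constructed sample: host PID 1, a default container, a host-network container
demo=$(mktemp -d)
make_ns_dir "$demo/host"    ipc=4026531839 mnt=4026531841 net=4026531840 \
                            pid=4026531836 uts=4026531838
make_ns_dir "$demo/bridged" ipc=4026532300 mnt=4026532298 net=4026532303 \
                            pid=4026532301 uts=4026532299
make_ns_dir "$demo/hostnet" ipc=4026532400 mnt=4026532398 net=4026531840 \
                            pid=4026532401 uts=4026532399

echo "bridged shares with host: [$(shared_namespaces "$demo/host" "$demo/bridged")]"
echo "hostnet shares with host: [$(shared_namespaces "$demo/host" "$demo/hostnet")]"
rm -rf "$demo"
```

On a live host, pass /proc/1/ns and /proc/<container pid>/ns instead; reading another process's namespace links requires root.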

Total 183 questions