Docker DCA Practice Test - Questions Answers, Page 4

A liveness probe is a mechanism for indicating your application's internal health to the Kubernetes control plane. Kubernetes uses liveness probes to detect issues within your pods.When a liveness check fails, Kubernetes restarts the container in an attempt to restore your service to an operational state1. Therefore, the action taken by the orchestrator to fix the unhealthy container is to restart it.Reference:

Content trust in Docker | Docker Docs

Docker Content Trust: What It Is and How It Secures Container Images

A Practical Guide to Kubernetes Liveness Probes | Airplane

: = The livenessProbe is a mechanism that checks if the container is alive and healthy, and restarts it if it fails1.The orchestrator is the component that manages the deployment and scaling of containers across a cluster of nodes2.The action taken by the orchestrator to fix the unhealthy container isnotto autoscale back and delete the pod, but torecreatethe pod on the same or a different node3. This ensures that the desired number of replicas for the pod is maintained, and that the pod can resume its normal operation. Autoscaling back and deleting the pod would reduce the availability and performance of the service, and would not necessarily alleviate the load.

Configure Liveness, Readiness and Startup Probes | Kubernetes

What is a Container Orchestrator? | Docker

Pod Lifecycle | Kubernetes

I hope this helps you understand the concept of livenessProbe and orchestrator, and how they work with Docker and Kubernetes. If you have any other questions related to Docker, please feel free to ask me.

Docker Content Trust (DCT) is a feature that allows users to verify the integrity and publisher of container images they pull or deploy from a registry server, signed on a Notary server1. DCT is enabled by setting the environment variable DOCKER_CONTENT_TRUST=1 on the Docker client.When DCT is enabled, the Docker client will only pull, run, or build images that have valid signatures for a specific tag2.However, DCT does not apply to the docker image import command, which allows users to import an image or a tarball with a repository and tag from a file or STDIN3. Therefore, if myorg/myimage:1.0 is unsigned, Docker will not block the docker image import <tarball> myorg/myimage:1.0 command, even if DCT is enabled. This is because the docker image import command does not interact with a registry or a Notary server, and thus does not perform any signature verification. However, this also means that the imported image will not have any trust data associated with it, and it will not be possible to push it to a registry with DCT enabled, unless it is signed with a valid key.Reference:

Content trust in Docker

Automation with content trust

[docker image import]

[Content trust and image tags]

When content trust is enabled, Docker blocks any command that operates on unsigned images, such as docker service create. This is because Docker Content Trust (DCT) allows users to verify the integrity and publisher of specific image tags, using digital signatures stored on a Notary server. If an image tag is not signed, or the signature cannot be verified, Docker will refuse to pull, run, or build with that image. Therefore, if myorg/myimage:1.0 is unsigned, Docker will block the command docker service create myorg/myimage:1.0 and display an error message.Reference:

Content trust in Docker

Docker Content Trust: What It Is and How It Secures Container Images

Automation with content trust