Docker Certified Associate – Domain 1 : Orchestration

August 17, 2020

1. Which of the following creates a new swarm?
- docker swarm init --advertise-addr [ip-address-of-manager]
- docker swarm init --advertise-addr [ip-address-of-worker]
- docker swarm create [swarm-name]

2. Which of the following is true about join tokens and the 'docker swarm join' command?
- Join tokens are secrets that allow only worker nodes to be joined to a swarm.
- Join tokens are secrets that allow only manager nodes to be joined to a swarm.
- Join tokens are secrets that allow both manager and worker nodes to be joined to a swarm by passing the 'manager' or 'worker' flag to the command.

3. Which of the following is true about the autolock feature in swarm?
- The autolock feature allows locking of swarm operations using a lock key.
- The autolock feature automatically locks the swarm when a manager is restarted.
- The autolock feature prompts for a lock key to start a manager which was stopped as a result of a docker daemon restart.

4. The autolock feature is used to protect which of the following?
- Docker secrets
- Containers or tasks in a docker swarm
- Swarm service's configuration and data from attackers who gain access to the encrypted Raft logs, by accessing their encryption keys. The autolock feature protects the keys by encrypting them using an unlock key.

5. What protocol is used to authenticate, authorize and encrypt communication between nodes in a swarm?
- mutual Transport Layer Security (TLS)
- Secure Socket Layer (SSLv3)
- HTTPS

6. What is the default validity period of a node certificate in a swarm?
- 30d (720h)
- 45d (1080h)
- 90d (2160h)

7. What is the minimum allowed validity period for a node in swarm?
- 30d
- 720
- 1h

8. Which one of the following statements is true about how the CA (Certificate Authority) works in Docker?
- If the old CA is compromised, the CA can be rotated to create a new CA cross-signed using the old CA cert, to create a new intermediate CA. This ensures all nodes trust the new CA. Once all nodes renew their TLS certificates, the intermediate CA cert is ignored and the new CA cert is used.
- If the old CA is compromised, trust is broken between all nodes, requiring creation of a new CA key and certificate. All nodes need to renew their TLS certificate with the new CA certificate.

9. An old swarm join token is no longer valid when the CA is rotated. True or False?
- True
- False

10. Which of the following is true about load balancing in docker?
- Every node in docker has a load balancer which load balances requests between containers running in that node only.
- Every node in docker has a load balancer which load balances requests between containers running in that node as well as other nodes.
- Only swarm managers have a load balancer, to load balance requests between containers of all nodes.

11. What is '--dispatcher-heartbeat' and what is the default '--dispatcher-heartbeat' period?
- '--dispatcher-heartbeat' is the frequency with which nodes report their health. The default period is 5s.
- '--dispatcher-heartbeat' is the minimum wait time used by a manager node before it dispatches the next task to a worker node. The default value is 10s.

12. What is a quorum in docker?
- Quorum is the minimum number of worker nodes required to be able to schedule tasks successfully.
- Quorum is the minimum number of manager nodes required to achieve a consensus before a task or change is scheduled in a swarm.

13. If N is the number of manager nodes present in a swarm, what is the minimum number of failed manager nodes that a swarm can tolerate before it loses quorum?
- Swarm can tolerate (N-1)/2 failed nodes. That is, a minimum of (N/2)+1 nodes is always needed to sustain the quorum.
- Swarm can tolerate (N/2) failures and at least half the number of nodes is needed to sustain quorum.
- Swarm can tolerate (N-1) failures and at least one node is needed to sustain quorum.

14. What algorithm is used to reach a consensus and maintain a quorum in swarm, and why?
- Raft consensus algorithm is used to ensure all nodes store the same consistent state.
- Proof-of-Authority (PoA) algorithm is used to ensure state changes are replicated in swarm.

15. What is the primary role of a manager leader node?
- Manager leader distributes swarm management tasks evenly across other manager nodes.
- Manager leader monitors the states of other manager nodes in swarm.
- Manager leader logs all actions in swarm, such as node addition/removal, task scheduling etc. and every other swarm operation, in Raft logs and replicates the logs to other manager nodes.

16. Docker secures Raft logs to protect them. Why?
- Secrets (credentials, certificates etc.) used by containers of a service (/run/secrets/some_secret) are also stored in Raft logs on manager nodes, which need to be protected from attacks.
- Raft logs contain confidential information about manager nodes which needs to be secured from unauthorized access.

17. Which of the following can be used to decrypt Raft logs?
- Raft logs can be decrypted using swarmkit's swarm-rafttool by providing the unlock-key.
- Raft logs can be decrypted using X509 decryption using the private key.

18. What is the minimum number of recommended availability zones for distributing the manager nodes?
- 3
- 2
- There is no such recommendation.

19. What are the flags passed to the 'docker service create' command that support usage of templates?
- --dns, --env, --group
- '--hostname', '--env', '--mount'
- All flags support usage of templates.

20. Which of the following commands is used to stop a docker service?
- docker service stop [service-name]
- docker service rm [service-name]

21. Is it possible to limit the number of replicas to run per node for a docker service, and how?
- Yes, flag '--replicas-max-per-node' can be passed to the 'docker service create' command.
- No

22. Is it possible to control CPU and memory reservations for a container or service?
- No. The docker host's kernel manages CPU and memory on docker containers and services.
- Yes, flags '--reserve-cpu' (in decimal) and '--reserve-memory' (in bytes) can be passed while starting a container or service, as long as the docker node's kernel also supports this feature.

23. Which of the following commands reveals system-wide info such as number of images, containers, drivers, plugins, OS architecture and kernel etc.?
- docker inspect
- docker info

24. What does restart policy or restart condition mean?
- They refer to under what conditions a container or service is to be restarted. This is called "restart policy" at container level and "restart condition" at service level.
- They refer to schedules in which a container or service is restarted, respectively.

25. What are the different flags available for restart condition in a docker service?
- "none", "on-failure", "any"
- "no", "on-failure", "always", "unless-stopped"

26. What is a label and why is it used?
- Labels are unique identifiers used to identify a docker object.
- Labels are key=value pairs stored for any docker object such as an image, container, service etc., stored in string format, maintained as metadata.

27. Keys in a label can contain only these special characters: (.) period, (-) hyphen. True or False?
- True
- False

28. (.) period in a label is used to separate namespace "fields". True or False?
- True
- False

29. Values in a label can be of any datatype that can be represented as string (deserialized to string). True or False?
- True
- False

30. Which of the following is true about '--update-parallelism' for a docker service?
- Configures the maximum number of parallel tasks the scheduler can update simultaneously.
- Configures a boolean to enable or disable parallel updates.

31. What are the configurable options for the '--update-failure-action' flag, for a docker service?
- 'stop', 'restart', 'rollback'
- 'pause', 'continue', 'rollback'

32. What is the default action when an update failure occurs in a docker service?
- stop
- pause
- restart or retry

33. 'update-max-failure-ratio' refers to the max number of update failures to tolerate before an update-failure action is taken. True or False?
- True
- False

34. What is the default max number of update failures tolerated?
- 0
- Depends on the total number of tasks running in swarm.

35. '--stop-signal' is used to override the default stop signal (sigterm) to stop the container. True or False?
- True
- False

36. Which of the following is true about '--rollback-parallelism' for a docker service?
- Configures the maximum number of parallel tasks the scheduler can roll back simultaneously.
- Configures a boolean to enable or disable parallel rollbacks.

37. What are the configurable options for the '--rollback-failure-action' flag, for a docker service?
- pause, retry
- pause, continue

38. What is the default action when a rollback failure occurs in a docker service?
- retry
- pause
- continue

39. What does 'log-driver' refer to in docker?
- Refers to what log driver to use to get information from running containers and services.
- Refers to what log driver is used by the containers for logging their application data.

40. What is the default logging driver used in docker?
- syslog
- json-file

41. Which of the following statements is true about the "container layer"?
- The container layer is the topmost layer, which is writable, where any modifications such as addition/modification/removal of files are done. All other layers stacked under it are read-only image layers.
- When a container is started, multiple layers are created for storing data. These layers are called container layers.

42. The storage driver controls how images and containers are stored and managed on your Docker host. True or False?
- False
- True

43. Which of the following strategies is used by all storage drivers in docker for managing I/O between image layers and the writable layer of a container?
- CoW - Copy on Write
- RoW - Redirect on Write

44. Docker containers support container isolation to ensure that resources inside the container are not visible outside of it. That being said, what are the available isolation technologies supported?
- "default" (this is the default namespace-based isolation in Linux, which does not support anything else), "process" (default in Windows), "hyperv" (supported by Windows only)
- "default", "process", "hyperv" - these can run on any OS platform.

45. Endpoint mode provides two options, 'vip' (virtual IP) and 'dnsrr' (DNS round robin), to decide how a service is exposed and load balanced between containers of that service. True or False?
- True
- False

46. What is the default endpoint-mode used by docker services?
- dnsrr (DNS Round Robin)
- vip (Virtual IP)

47. What does the "health-cmd" flag configure in a docker service?
- A command passed to this flag is run inside the container. Return 0 should mean healthy. Return 1 should mean unhealthy.
- A command passed to this flag is run from outside the container to probe the service exposed by the container.

48. Delay between health checks for a service can be configured using the "--health-interval" flag. What is the default duration?
- 0s
- 20s
- 30s

49. health-retries refers to consecutive failures needed to report unhealthy and health-timeout refers to time to wait before a health command times out. True or False?
- True
- False

50. "stop-grace-period" refers to the time to wait before forcefully killing a container, when the container fails to stop gracefully. What is the default "stop-grace-period"?
- 10s
- 30s