DCA Practice Exam Questions with Answers Docker Certified Associate (DCA) Exam Certification

While removing push access from all other users can prevent an image from being overwritten, it’s not the only way and might not be the most efficient or practical solution, especially in a collaborative environment. Docker Trusted Registry (DTR) provides a feature called ‘Immutable Tags’ which can be used to prevent an image, such as ‘nginx:latest’, from being overwritten. Once a tag is marked as immutable, DTR will prevent any user from pushing the same tag to the repository, thus preserving the image. This allows for better version control and prevents accidental overwrites. Therefore, the solution to prevent an image from being overwritten is not just to remove push access from all other users, but to use the features provided by DTR like ‘Immutable Tags’.

= The command docker volume inspect nginx will not display a list of volumes for a specific container. This is because docker volume inspect expects one or more volume names as arguments, not a container name1. To display a list of volumes for a specific container, you can use the docker inspect command with the --format option and a template that extracts the volume information from the container JSON output2. For example, to display the source and destination of the volumes mounted by the container nginx, you can use the following command:

docker inspect --format=' { {range .Mounts}} { {.Source}}: { {.Destination}} { {end}}' nginx

References:

• docker volume inspect | Docker Docs
• docker inspect | Docker Docs

= Control Groups (cgroups) are a feature of the Linux kernel that allow you to limit the access processes and containers have to system resources such as CPU, memory, disk I/O, network, and so on1. Control groups allow Docker Engine to share available hardware resources to containers and optionally enforce limits and constraints2. For example, you can use the docker run command to specify the CPU shares, memory limit, or network bandwidth for a container3. By using cgroups, you can ensure that each container gets the resources it needs and prevent resource starvation or overcommitment4. References:

• Lab: Control Groups (cgroups) | dockerlabs
• Runtime metrics | Docker Docs
• Docker run reference | Docker Docs
• Docker resource management via Cgroups and systemd

= The command docker run -add-volume /data /mydata -read-only ubuntu will not mount the host’s /data directory to the ubuntu container in read-only mode. The reason is that the command has several syntax errors and invalid options. The correct command to mount a host directory to a container in read-only mode is docker run --mount type=bind,source=/data,target=/mydata,readonly ubuntu12. The command docker run -add-volume /data /mydata -read-only ubuntu has the following problems:

• The option -add-volume is not a valid option for docker run. The valid options for mounting a volume or a bind mount are --mount or -v12.
• The option -read-only is not a valid option for docker run. The valid option for making the container’s root filesystem read-only is --read-only3. However, this option will not affect the mounted volumes or bind mounts, which have their own readonly option12.
• The argument /data /mydata is not a valid argument for docker run. The argument for docker run should be the command to run inside the container, such as bash or ping4. The source and target of the volume or bind mount should be specified in the --mount or -v option, separated by a colon12.

Therefore, the command docker run -add-volume /data /mydata -read-only ubuntu will not work as intended, and will likely produce an error message or an unexpected result. References:

• Use bind mounts
• Use volumes
• docker run
• Docker run reference

 Better caching when building Docker images is an advantage of multi-stage builds. Multi-stage builds allow you to use multiple FROM statements in your Dockerfile, each starting a new stage of the build1. This can help you improve the caching efficiency of your Docker images, as each stage can use its own cache layer2. For example, if you have a stage that installs dependencies and another stage that compiles your code, you can reuse the cached layer of the dependencies stage if they don’t change, and only rebuild the code stage if it changes2. This can save you time and bandwidth when building and pushing your images. References:

• Multi-stage builds | Docker Docs
• What Are Multi-Stage Docker Builds? - How-To Geek

The statement is correct. In the provided Docker Compose file, a health check is defined for the service “app”. It uses curl to perform a health check on the application every 10 seconds (as specified by the “interval” parameter). If it fails three times (as specified by the “retries” parameter), then the container is marked as unhealthy. A health check is a way of checking the health of a running container and applying actions based on the result1. It can be used to monitor the status of the service and restart the container if it becomes unhealthy2. References:

• Compose file version 3 reference | Docker Docs
• Docker Compose & Health Checks – Gabriel’s World

A Kubernetes node is allocated a /26 CIDR block (64 unique IPs) for its address space. This means that the node can assign up to 64 IP addresses to its resources, such as pods and containers. If every pod on this node has exactly two containers in it, then each pod will need two IP addresses, one for each container. Therefore, the node can support up to 32 pods, since 64 / 2 = 32. The other options are incorrect because they either exceed the available IP addresses or do not account for the number of containers per pod. References:

•CIDR Blocks and Container Engine for Kubernetes - Oracle

•How kubernetes assigns podCIDR for nodes? - Stack Overflow

 Deleting the image and the image repository from Docker Trusted Registry will not completely delete the image from disk. This is because deleting a repository or a tag only removes the reference to the image, but not the image itself. The image is still stored as a blob on the disk, and can be accessed by its digest1. To completely delete the image from disk, you need to enable the deletion feature in the registry configuration, and then use the API to delete the image by its manifest2. Alternatively, you can manually delete the image files from the registry storage directory, but this is not recommended3. After deleting the image, you also need to run the garbage collector to reclaim the disk space4. References:

• Docker Registry HTTP API V2
• How to delete images from a private docker registry?
• Remove docker image in registry by removing files/folders on server
• Garbage collection

= Scanning images to detect any security vulnerability is a function of UCP. UCP integrates with Docker Trusted Registry (DTR), which is a secure and scalable image storage solution1. DTR has a built-in image scanning feature that checks every layer of every image for known vulnerabilities and displays the results in the UCP web UI2. This helps users to identify and fix any security issues before deploying their applications. UCP also allows users to enforce security policies and only allow running applications that use images that are scanned and free of vulnerabilities3. References:

• Docker Trusted Registry | Docker Docs
• Scan images for vulnerabilities | Docker Docs
• Manage images | Docker Docs

 The command docker service create -name dns-cache -p 53:53 -service udp dns-cache is not valid because it has some syntax errors. The correct syntax for creating a swarm service is docker service create [OPTIONS] IMAGE [COMMAND] [ARG...]. The errors in the command are:

• There should be a space between the option flag and the option value. For example, -name dns-cache should be -name dns-cache.
• The option flag for specifying the service mode is -mode, not -service. For example, -service udp should be -mode udp.
• The option flag for specifying the port mapping is --publish or -p, not -p. For example, -p 53:53 should be --publish 53:53.

The correct command for creating a swarm service that only listens on port 53 using the UDP protocol is:

docker service create --name dns-cache --publish 53:53/udp dns-cache

This command will create a service called dns-cache that uses the dns-cache image and exposes port 53 on both the host and the container using the UDP protocol.

References: : [docker service create | Docker Documentation] : [Publish ports for services | Docker Documentation]

Tagging the image with ‘nginx:immutable’ is not how a user can prevent an image, such as ‘nginx:latest’, from being overwritten by another user with push access to the repository. Tagging the image with ‘nginx:immutable’ will only create a new tag for the image, but it will not prevent the original tag from being overwritten. To prevent an image tag from being overwritten in Docker Trusted Registry, the user can use the DTR web UI to make the tag immutable1. This will prevent anyone from pushing a new image with the same tag, even if they have push access to the repository1. Alternatively, the user can also use the DTR API to make the tag immutable2. References: Prevent tags from being overwritten), DTR API reference)

Using either EXPOSE or -publish to access the container on the bridge network will not accomplish the goal of creating a container that is reachable from its host’s network. EXPOSE is a way of documenting which ports a container listens on, but it does not open any ports to the host1. -publish (or -p) is a way of mapping a host port to a container port, but it does not change the network mode of the container2. By default, Docker containers use the bridge network, which isolates them from the host network3. To create a container that is reachable from its host’s network, you need to use the --network host option when running the container4. This will make the container share the host’s network stack and have the same IP address as the host4. References:

• 1: Difference Between “expose” and “publish” in Docker | Baeldung on Ops
• 2: Deploy services to a swarm | Docker Docs
• 3: Bridge network | Docker Docs
• 4: Host network | Docker Docs

The set of commands docker container inspect and docker port cannot identify the published port(s) for a container. The docker container inspect command returns low-level information on a container, such as its ID, name, state, network settings, mounts, etc1. However, it does not show the port mappings between the container and the host2. The docker port command lists the port mappings or a specific mapping for a container, but it requires the container name or ID as an argument3. Therefore, to identify the published port(s) for a container, you need to use both commands together, such as docker port $(docker container inspect -f '{{.Name}}' CONTAINER)4. References:

• docker container inspect | Docker Docs
• How to inspect a running Docker container - Stack Overflow
• docker port | Docker Docs
• List port for Docker container using command line - Stack Overflow

 The mnt namespace is not disabled by default and does not need to be enabled at Docker engine runtime to be used. The mnt namespace is one of the six Linux kernel namespaces that Docker uses to isolate containers from the host system1. The mnt namespace allows a container to have its own set of mounted filesystems and root directories, which are different from the host’s2. This means that a container can access only the files and directories that are mounted inside its namespace, and not the ones that are mounted on the host or other containers. The mnt namespace is created automatically when a container is started, and it is destroyed when the container stops3.

References:

• Isolate containers with a user namespace | Docker Docs
• The mnt namespace - Docker Cookbook - Second Edition
• Container security fundamentals part 2: Isolation & namespaces

mnt is not a Linux kernel namespace that is disabled by default and must be enabled at Docker engine runtime to be used. According to the official documentation, mnt is one of the namespaces that are enabled by default when using namespaces for isolation.

References: https://docs.docker.com/engine/security/userns-remap/#user-namespace-known-limitations

= This is a function of UCP, as it integrates with Docker Trusted Registry (DTR) to provide built-in security and access control for your images. DTR allows you to enforce security policies and only allow running applications that use Docker images you know and trust. You can sign your images with Docker Content Trust (DCT) to prove their authenticity and integrity. UCP will verify the signatures of the images before deploying them to the cluster12. References:

• Universal Control Plane overview | dockerlabs
• How to Sign Your Docker Images to Increase Trust - How-To Geek

Creating one pod and adding all the resources needed for each application is not a good way to accomplish the goal of grouping Kubernetes-specific resources for each application. This is because pods are the smallest unit of a Kubernetes application, and they are designed to run a single container or a set of tightly coupled containers that share the same network and storage resources1. Pods are ephemeral and can be created and destroyed by the Kubernetes system at any time. Therefore, putting multiple applications in one pod would make them harder to manage, scale, and update independently. A better way to accomplish the goal is to use namespaces, which are logical clusters within a physical cluster that can isolate resources, policies, and configurations for different applications2. Namespaces can also help organize secrets, which are Kubernetes objects that store sensitive information such as passwords, tokens, and keys3. References:

• Pods | Kubernetes
• Namespaces | Kubernetes
• Secrets | Kubernetes

The provided Kubernetes NetworkPolicy YAML configuration indicates that the policy applies to pods with the label tier: backend in the default namespace1. The ingress rule allows traffic from pods with the label tier: api1. Therefore, a request issued from a pod bearing only the tier: frontend label to a pod bearing the tier: backend label will be blocked by this networkPolicy1. This is because the networkPolicy does not have a rule allowing ingress from pods with the tier: frontend label1. For more information on Kubernetes NetworkPolicies, you can refer to the Kubernetes Documentation on Network Policies.

= Docker will block this command if you configure the local Docker engine to enforce content trust by setting the environment variable DOCKER_CONTENT_TRUST=1. This means that you can only pull, run, or build with trusted images that have been signed using Docker Content Trust (DCT)1. DCT is a feature that allows you to use digital signatures to verify the integrity and the publisher of specific image tags2. If myorg/myimage:1.0 is unsigned, it means that it does not have a valid signature from the image publisher or a trusted delegate. Therefore, Docker will not allow you to build an image from a Dockerfile that begins with FROM myorg/myimage:1.0, as it cannot verify the source or the content of the base image. You will get an error message like this:

No valid trust data for 1.0

To avoid this error, you need to either disable DCT by setting DOCKER_CONTENT_TRUST=0, or use a signed image tag as the base image in your Dockerfile3. References:

• Content trust in Docker | Docker Docs
• Docker Content Trust: What It Is and How It Secures Container Images
• Automation with content trust | Docker Docs

 Running docker engine activate will upgrade Docker Engine CE to Docker Engine EE. This is a feature that allows you to switch from the Community Edition to the Enterprise Edition without reinstalling Docker or losing any data. You need to have a valid license file and a subscription to Docker EE to use this feature1. Docker EE is a premium version of Docker CE that offers additional features, such as security scanning, image management, and certified plugins23. References:

• Upgrade Docker Engine | Docker Docs
• What is the exact difference between Docker EE (Enterprise Edition), Docker CE (Community Edition) and Docker (Custom Support) - Stack Overflow
• Docker Community Edition or Docker Enterprise Edition - Docker | BoxBoat

= Storage is not a type of Linux kernel namespace that provides container isolation. Linux namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources1. The feature works by having the same namespace for a set of resources and processes, but those namespaces refer to distinct resources. Since kernel version 5.6, there are 8 kinds of namespaces: mount, UTS, IPC, PID, network, user, cgroup, and time2. Each kind of namespace isolates a different aspect of the system, such as file system mounts, host and domain names, inter-process communication, process IDs, network interfaces, user and group IDs, cgroups, and system time2. Storage is not one of them. References:

• 1: Linux namespaces - Wikipedia
• 2: Namespaces — The Linux Kernel documentation

 Deleting the /var/lib/docker directory will not upgrade Docker Engine CE to Docker Engine EE. It will only remove all the data stored by Docker, such as images, containers, volumes, and networks. This can cause data loss and disrupt the running services. To upgrade from Docker Engine CE to Docker Engine EE, you need to follow the official instructions from Docker, which involve uninstalling the CE package and installing the EE package. You also need to have a valid license to use Docker Engine EE. References:

• Upgrading Docker CE to EE for the Impatient — Part I
• Install Docker Engine
• Moving from docker ce to docker-EE - Stack Overflow

 = The command docker container inspect nginx will display a list of volumes for the specific container named nginx. The output of the command will include a section called “Mounts” that shows the source, destination, mode, type, and propagation of each volume mounted in the container1. For example, the following output shows that the container nginx has two volumes: one is a bind mount from the host’s /var/log/nginx directory to the container’s /var/log/nginx directory, and the other is an anonymous volume created by Docker at /var/lib/docker/volumes/… and mounted to the container’s /etc/nginx/conf.d directory2.

"Mounts": [

{

"Type": "bind",

"Source": "/var/log/nginx",

"Destination": "/var/log/nginx",

"Mode": "rw",

"RW": true,

"Propagation": "rprivate"

},

{

"Type": "volume",

"Name": "f6eb3dfdd57b7e632f6329a6d9bce75a1e8ffdf94498e5309c6c81a87832c28d",

"Source": "/var/lib/docker/volumes/f6eb3dfdd57b7e632f6329a6d9bce75a1e8ffdf94498e5309c6c81a87832c28d/_data",

"Destination": "/etc/nginx/conf.d",

"Driver": "local",

"Mode": "",

"RW": true,

"Propagation": ""

}

]

References:

• docker container inspect
• List volumes of Docker container

= The command docker inspect nodes will not list all nodes in a swarm cluster from the command line. This command is invalid, as docker inspect requires one or more object names or IDs as arguments1. To list all nodes in a swarm cluster, you need to use the docker node ls command from a manager node2. This command will display the ID, hostname, status, availability, manager status, and engine version of each node in the swarm2. You can also use the -f or --filter flag to filter the nodes by various criteria, such as role, label, or name2. References:

• 1: docker inspect | Docker Docs
• 2: docker node ls | Docker Docs

Docker will block the command docker container run myorg/myimage:1.0 if the image tag myorg/myimage:1.0 is unsigned and the environment variable DOCKER_CONTENT_TRUST=1 is set. The reason is that setting DOCKER_CONTENT_TRUST=1 enables Docker Content Trust (DCT), which is a feature that allows users to verify the integrity and publisher of Docker images using digital signatures1. When DCT is enabled, Docker will only pull, run, or build images that have valid signatures. If an image tag is unsigned or has an invalid signature, Docker will reject the operation and display an error message2. Therefore, to run an unsigned image with DCT enabled, you need to either disable DCT by setting DOCKER_CONTENT_TRUST=0 or use the --disable-content-trust flag, or sign the image tag with a valid key3. References:

• Content trust in Docker
• Determine if Docker image is signed or unsigned
• Signing Images and Enabling Docker Content Trust

= This is not how the seven managers should be distributed across three datacenters or availability zones. A swarm cluster is a group of Docker hosts that are running in swarm mode and act as managers or workers1. A manager node is responsible for maintaining the swarm state and orchestrating the services2. A swarm cluster needs a quorum of managers to operate, which means a majority of managers must be available and able to communicate with each other3.

The problem with distributing the seven managers as 4-2-1 is that it creates a split-brain scenario, where the cluster can lose the quorum if one datacenter or availability zone fails. For example, if the datacenter with four managers goes down, the remaining three managers will not have enough votes to form a quorum, and the cluster will stop functioning. Similarly, if the datacenter with one manager goes down, the cluster will lose the tie-breaking vote and will not be able to elect a leader4.

A better way to distribute the seven managers across three datacenters or availability zones is to use 3-2-2, which ensures that the cluster can tolerate the failure of any one datacenter or availability zone and still maintain the quorum. For example, if the datacenter with three managers goes down, the remaining four managers will have enough votes to form a quorum and elect a leader. Similarly, if the datacenter with two managers goes down, the remaining five managers will have enough votes to form a quorum and elect a leader4. References:

• Swarm mode overview | Docker Docs
• Administer and maintain a swarm of Docker Engines | Docker Docs
• Raft consensus in swarm mode | Docker Docs
• Docker Swarm: How to distribute managers across availability zones? - Stack Overflow

Docker uses cgroups, a Linux kernel feature, to limit the resources a container can use. This includes CPU and memory resources12. For instance, Docker can limit a container’s CPU usage to the equivalent of a single CPU core on the Docker host system2. Similarly, Docker can limit a container’s memory usage1. However, to use these features, the Docker host must have cgroup memory and swap accounting enabled1. Therefore, cgroups can indeed limit a Docker container’s access to host resources such as CPU and memory12.

n: = Using the DTR web UI to make all tags in the repository immutable is not a good way to prevent an image, such as ‘nginx:latest’, from being overwritten by another user with push access to the repository. This is because making all tags immutable would prevent any updates to the images in the repository, which may not be desirable for some use cases. For example, if a user wants to push a new version of ‘nginx:latest’ with a security patch, they would not be able to do so if the tag is immutable. A better way to prevent an image from being overwritten by another user is to use the DTR web UI to create a promotion policy that restricts who can push to a specific tag or repository1. Alternatively, the user can also use the DTR API to create a webhook that triggers a custom action when an image is pushed to a repository2. References:

• Prevent tags from being overwritten | Docker Docs
• Create webhooks | Docker Docs

   = Using network connect to access the container on the bridge network does not accomplish creating a container that is reachable from its host’s network. The network connect command connects a container to an existing network, but it does not expose the container’s ports to the host1. The bridge network is the default network that Docker creates for containers, and it provides isolation from the host network2. To create a container that is reachable from its host’s network, you need to use the host network driver, which disables network isolation and uses the host’s network stack directly3. Alternatively, you can use the port mapping feature to publish specific ports of the container to the host4. References:

• docker network connect | Docker Docs
• Bridge network driver | Docker Docs
• Host network driver | Docker Docs
• Publish ports on the host | Docker Docs

 Multi-stage builds are a feature of Docker that allows you to use multiple FROM statements in your Dockerfile. Each FROM statement creates a new stage of the build, which can use a different base image and run different commands. You can then copy artifacts from one stage to another, leaving behind everything you don’t want in the final image. This optimizes the image size and reduces the attack surface by removing unnecessary dependencies and tools. For example, you can use a stage to compile your code, and then copy only the executable file to the final stage, which can use a minimal base image like scratch. This way, you don’t need to include the compiler or the source code in the final image. References:

• Multi-stage builds | Docker Docs
• What Are Multi-Stage Docker Builds? - How-To Geek
• Multi-stage | Docker Docs

= Mirroring the engineering/api repository to one of the user’s own private repositories will not grant them read/write access to the original repository. Mirroring is a feature that allows users to automatically sync images from one repository to another, either within the same DTR or across different DTRs. Mirroring does not affect the permissions or roles of the users or teams associated with the source or destination repositories. To grant a user read/write access to the engineering/api repository, the user needs to be added to a team that has the appropriate role for that repository, or the repository needs to be configured with the appropriate visibility and access settings. References:

• Mirror repositories
• Manage access to repositories
• Manage teams

 = The solution will not configure a Docker container to export container logs to the logging solution, such as Splunk. The command docker system events --filter splunk is not a valid command to send logs to a remote destination. The --filter option for docker system events only accepts the following keys: container, daemon, event, image, label, network, plugin, type, and volume1. splunk is not a valid key for filtering events. To configure a Docker container to export container logs to a logging solution, such as Splunk, you need to use the --log-driver and --log-opt options when creating or running the container2. For example, to use the Splunk logging driver, you can use the following command:

docker run --log-driver=splunk --log-opt splunk-token=176FCEBF-4CF5-4EDF-91BC-703796522D20 --log-opt splunk-url=https://splunkhost:8088 ...

This command will send the container logs to the Splunk HTTP Event Collector (HEC) endpoint specified by the splunk-url option, using the authentication token provided by the splunk-token option3. You can also use other logging drivers, such as syslog, fluentd, gelf, etc., depending on your logging solution4. References:

• 1: docker system events | Docker Docs
• 2: Configure logging drivers | Docker Docs
• 3: Splunk logging driver | Docker Docs
• 4: Supported logging drivers | Docker Docs

 = The configuration will not achieve fault tolerance for managers in a swarm, because it does not have enough managers to form a quorum. A quorum is the minimum number of managers that must be available to agree on values and maintain the consistent state of the swarm. The quorum is calculated as (N/2)+1, where N is the number of managers in the swarm. For example, a swarm with 3 managers has a quorum of 2, and a swarm with 5 managers has a quorum of 3. Having only two managers, one active and one passive, means that the quorum is also 2. Therefore, if one manager fails or becomes unavailable, the swarm will lose the quorum and will not be able to process any requests or schedule any tasks. To achieve fault tolerance, a swarm should have an odd number of managers, at least 3, and no more than 7. This way, the swarm can tolerate the loss of up to (N-1)/2 managers and still maintain the quorum and the cluster state. References:

• Administer and maintain a swarm of Docker Engines
• Raft consensus in swarm mode
• How nodes work

 Resource reservation is a feature that allows you to specify the amount of CPU and memory resources that a service or a container needs. This helps the scheduler to place the service or the container on a node that has enough available resources. However, resource reservation does not control which node the service or the container runs on, nor does it enforce any separation or isolation between different services or containers. Therefore, resource reservation cannot be used to schedule containers to meet the security policy requirements.

References:

• [Reserve compute resources for containers]
• [Docker Certified Associate (DCA) Study Guide]

https://docs.docker.com/config/containers/resource_constraints/

https://success.docker.com/certification/study-guides/dca-study-guide

 Setting the log-driver and log-opt keys to values for the logging solution (Splunk) in the daemon.json file will configure a Docker container to export container logs to the logging solution. This is because the Splunk logging driver sends container logs to the HTTP Event Collector in Splunk Enterprise and Splunk Cloud1. To use the Splunk driver as the default logging driver, set the keys log-driver and log-opts to appropriate values in the daemon.json configuration file and restart Docker1. To use the Splunk driver for a specific container, use the commandline flags --log-driver and log-opt with docker run1. The Splunk logging driver supports various options, such as splunk-token, splunk-url, splunk-source, splunk-sourcetype, splunk-index, etc1. References: Splunk logging driver | Docker Docs1

= A DTR security scan will detect private keys copied to the image. DTR security scan is a feature of Docker Trusted Registry (DTR) that scans images to detect any security vulnerability1. DTR security scan uses the open source tool SecretScanner2 to find unprotected secrets in container images or file systems. SecretScanner can match the contents of images against a database of approximately 140 secret types, including private keys3. Therefore, if an image contains private keys, DTR security scan will report them as potential secrets and alert the user to remove them from the image. References:

• Scan images for vulnerabilities | Docker Docs
• GitHub - deepfence/SecretScanner: :unlock: Find secrets and passwords …
• SecretScanner/deepfence_secret_scanner.py at main · deepfence/SecretScanner

The command docker run -v /data:/mydata -mode readonly ubuntu will not mount the host’s /data1 directory to the ubuntu container in read-only mode. The command has several errors that prevent it from working correctly. First, the host directory should be /data1 instead of /data, as specified in the question. Second, the option flag should be --mode instead of -mode, and it should be placed before the image name. Third, the mode value should be ro instead of readonly, as per the Docker documentation1. The correct command should be docker run -v /data1:/mydata --mode ro ubuntu, which will mount the host’s /data1 directory as a read-only volume at /mydata inside the container1. References:

• docker run | Docker Docs

= This is not a way to configure the Docker engine to use a registry without a trusted TLS certificate. There is no such option as IGNORE_TLS in the daemon.json configuration file. The daemon.json file is used to configure various aspects of the Docker engine, such as logging, storage, networking, and security1. To use a registry without a trusted TLS certificate, you need to either add the certificate to the trusted root certificates of the system, or configure the Docker engine to allow insecure registries2. To add the certificate to the trusted root certificates, you need to copy the certificate file to the /etc/docker/certs.d// directory on every Docker host2. To configure the Docker engine to allow insecure registries, you need to add the registry hostname or IP address to the “insecure-registries” array in the daemon.json file3. For example:

{ “insecure-registries” : [“myregistry.example.com:5000”] }

Note that using insecure registries is not recommended, as it exposes you to potential man-in-the-middle attacks and data corruption3. You should always use a registry with a trusted TLS certificate, or use Docker Content Trust to sign and verify your images4. References:

• Daemon configuration file | Docker Docs
• Verify repository client with certificates | Docker Docs
• Test an insecure registry | Docker Docs
• Content trust in Docker | Docker Docs

= The action of using --link to access the container on the bridge network does not accomplish the goal of creating a container that is reachable from its host’s network. The --link option allows you to connect containers that are running on the same network, but it does not expose the container’s ports to the host1. To create a container that is reachable from its host’s network, you need to use the --network host option, which attaches the container to the host’s network stack and makes it share the host’s IP address2. Alternatively, you can use the --publish or -p option to map the container’s ports to the host’s ports3.

References: : Legacy container links | Docker Documentation : Networking using the host network | Docker Documentation : docker run reference | Docker Documentation

 A liveness probe is a mechanism for indicating your application’s internal health to the Kubernetes control plane. Kubernetes uses liveness probes to detect issues within your pods. When a liveness check fails, Kubernetes restarts the container in an attempt to restore your service to an operational state1. Therefore, the action taken by the orchestrator to fix the unhealthy container is to restart it. References:

• Content trust in Docker | Docker Docs
• Docker Content Trust: What It Is and How It Secures Container Images
• A Practical Guide to Kubernetes Liveness Probes | Airplane

 Environment variables cannot be used to schedule containers to meet the security policy requirements. Environment variables are used to pass configuration data to the containers, not to control where they run1. To schedule containers to run on separate nodes in a Swarm cluster, you need to use node labels and service constraints23. Node labels are key-value pairs that you can assign to nodes to organize them into groups4. Service constraints are expressions that you can use to limit the nodes where a service can run based on the node labels. For example, you can label some nodes as env=dev and others as env=prod, and then use the constraint --constraint node.labels.env==dev or --constraint node.labels.env==prod when creating a service to ensure that it runs only on the nodes with the matching label. References:

• 1: Environment variables in Compose | Docker Docs
• 2: Deploy services to a swarm | Docker Docs
• 3: How to use Docker Swarm labels to deploy containers on specific nodes
• 4: Manage nodes in a swarm | Docker Docs
• [5]: Swarm mode routing mesh | Docker Docs
• [6]: Docker Swarm - How to set environment variables for tasks on various nodes