If you are looking for Docker Certified Associate exam sample questions, this article will help with your exam preparation. Docker certification is designed for beginners who are new to the concept of containers. Docker is a platform that helps build different containers. This certification exam assesses your Docker skills and recognizes you as an industry-accepted Docker Certified Associate.
By going through these free Docker certification questions, you will gain more confidence in facing the actual exam. The detailed explanations for the questions and answers make you aware of the important objectives of the real exam.
Domain : Orchestration
Q1 : A global service is a service that runs ____ task/tasks on every node that meets the placement and resource constraints.
A. Many
B. One
C. more than one
D. None
Correct Answer: B
Explanation
Option A is incorrect
Option B is correct
Option C is incorrect
Option D is incorrect
Reference: https://docs.docker.com/engine/swarm/services/#replicated-or-global-services
Domain : Orchestration
Q2 : Your company needs to run a custom monitoring application published in Docker Hub called “examplecorp/stats-collector”. You must ensure it runs on all swarm nodes, regardless of how many nodes you currently have or whether a new one joins the swarm later. This monitoring system requires an environment variable called ENDPOINT_ADDRESS that sends the metrics to an external service hosted at ‘service.example.com’. Which of the following commands would accomplish these requirements?
A. docker service create --name stats-collector --replicas=1 --entrypoint ADDRESS="service.example.com" examplecorp/stats-collector
B. docker service create --name stats-collector --replicas=auto --entrypoint ADDRESS="service.example.com" examplecorp/stats-collector
C. docker service create --name stats-collector --mode=global -e ENDPOINT_ADDRESS="service.example.com" examplecorp/stats-collector
D. docker service create --name stats-collector --mode=replicated -e ENDPOINT_ADDRESS="service.example.com" examplecorp/stats-collector
Correct Answer: C
Explanation
A is incorrect because this would only bring one task (container) up on one random node in the swarm. Another issue is that the --entrypoint option would make the container exec ADDRESS="service.example.com", which would make the service creation fail in the end.
B is incorrect because you cannot specify ‘auto’ as a number of replicas. It must always be a number. Another issue is that the --entrypoint option would make the container exec ADDRESS="service.example.com", which would make the service creation fail in the end.
C is correct. The service must run as ‘global’, because it will create one task on each swarm node, even if a new node joins the swarm. The -e is the correct option to specify a custom environment variable to the container.
D is wrong. Not only is this the default mode, but it will also create only one container in the entire swarm. The question asks that we run this on all nodes. The -e is the correct option to specify a custom environment variable to the container.
Reference: https://docs.docker.com/engine/reference/commandline/service_create/
Domain : Orchestration
Q3 : Which of the following is NOT true regarding docker swarm mode?
A. You can deploy both kinds of nodes, managers and workers, using the Docker Engine
B. For each service, you can declare the number of tasks you want to run. When you scale up or down, the swarm manager automatically adapts by adding or removing tasks to maintain the desired state.
C. The swarm manager automatically assigns addresses to the containers on the overlay network when it initializes or updates the application.
D. Docker swarm mode is a plugin which you can install alongside docker to run a cluster of docker engines
Correct Answer: D
Explanation
A. This is correct
B. This is correct
C. This is correct
D. A, B and C are all correct, so this is the only incorrect option.
Docker swarm mode is not a plugin. It is built into Docker Engine. A basic Docker installation can be run in swarm mode; it doesn’t require any plugin.
Each node in the swarm enforces TLS mutual authentication and encryption to secure communications between itself and all other nodes. Reference: https://docs.docker.com/engine/swarm/
Domain : Image Creation, Management, and Registry
Q4 : Which of the following patterns would exclude all Python byte-code files from being copied during the Docker image creation process?
A. **.pyc
B. **/*.pyc
C. *.pyc
D. /*.pyc
Correct Answer: B
Explanation
The correct answer is Option B
References: https://docs.docker.com/engine/reference/builder, https://codefresh.io/docker-tutorial/not-ignore-dockerignore/
Beyond Go’s filepath.Match rules, Docker also supports a special wildcard string ** that matches any number of directories (including zero). For example, **/*.go will exclude all files that end with .go that are found in all directories, including the root of the build context.
Domain : Image Creation, Management, and Registry
Q5 : Which of the following statements are correct? Pick exactly two statements.
A. Image is a collection of immutable layers whereas container is a running instance of an image.
B. Container can exist without the image but image cannot exist without container
C. Only one container can be spawned from a given image at a time
D. If multiple containers are spawned from the same image then they all use the same copy of image in memory.
Correct Answers: A and D
Explanation
Option A is correct. An image consists of layers which are immutable. A container is a running instance of an image.
Option B is incorrect because containers cannot exist without an image. We can spawn a container using an image.
Option C is incorrect because we can spawn multiple containers from a single image.
Option D is correct because when we spawn multiple containers from the same image, only a single copy of the image is loaded in memory. Each container has its own read and write layer to accommodate its local changes.
Reference: https://docs.docker.com/glossary/?term=image
Domain : Image Creation, Management, and Registry
Q6 : You are in a directory containing a file named Dockerfile-app. You want to build a docker image using this “Dockerfile-app” file without renaming it to “Dockerfile”. Which of the following answers is correct?
A. docker build -d Dockerfile-app
B. docker build -f Dockerfile-app
C. docker build --dockerfile Dockerfile-app
D. docker build --from-file Dockerfile-app
Correct Answer: B
Explanation
A. Invalid flag.
B. “-f” is a valid flag for providing the Dockerfile.
C. Invalid flag.
D. Invalid flag.
Docker provides the “-f” argument to specify the Dockerfile to use to build the image. Reference: https://docs.docker.com/engine/reference/commandline/build/
Domain : Installation and Configuration
Q7 : Bob did a fresh installation of Docker on his new Linux server. He hasn’t tinkered with anything and has just installed the Docker packages from the official repository. He runs a new container with the command “docker run -d nginx”. Which logging driver will this container use?
A. Syslog
B. Logentries
C. Json-file
D. Journald
Correct Answer: C
Explanation
Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect
json-file is the default logging driver in Docker.
Domain : Installation and Configuration
Q8 : Which of the following provides a web dashboard to manage a Docker cluster?
A. Docker swarm mode
B. Docker UCP
C. Docker-compose
D. DTR
Correct Answer: B
Explanation
A. Docker swarm mode is used for creating a Docker cluster.
B. Docker UCP is Docker enterprise software which comes bundled with a web dashboard and CLI for managing Docker swarm effectively.
C. docker-compose is used for running/managing Docker services on a single Docker host.
D. Docker Trusted Registry (DTR) is the enterprise-grade image storage solution from Docker.
UCP provides us with a single web-based dashboard to manage/maintain a Docker cluster.
Domain : Networking
Q9 : Bob runs a container with --net=host. Which of the following is NOT true? There are already multiple containers running on the host.
A. The container will use host network namespace and the network interfaces and IP stack of the host.
B. All containers in the host network are able to communicate with each other on the host interfaces.
C. Because they are using the host networking namespace, two containers are able to bind to the same TCP port.
D. From a networking standpoint this is equivalent to multiple processes running on a host without containers.
Correct Answer: C
Explanation
Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect
Any two processes running in the same network namespace can’t bind to the same port. This holds true for the host network namespace as well. That’s why Option C is a false statement.
Reference: https://success.docker.com/article/networking
Domain : Security
Q10 : Grants in UCP are made up of which of the following?
A. subject, role and resource set
B. subject, role and containers
C. nodes, role and containers
D. subject, node and containers
E. images, containers and nodes
Correct Answer: A
Explanation
Option A is correct
Option B is incorrect
Option C is incorrect
Option D is incorrect
A grant is made up of subject, role, and resource set.
Grants define which users can access what resources in what way. Grants are effectively Access Control Lists (ACLs), and when grouped together, they provide comprehensive access policies for an entire organization.
Only an administrator can manage grants, subjects, roles, and access to resources.
Domain : Security
Q11 : Which of the following is NOT true about SELinux?
A. SELinux= Security-Enhanced Linux
B. SELinux provides a mechanism for supporting access control security policies
C. SELinux comes bundled with docker
D. SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions.
Correct Answer: C
Explanation
Option A is incorrect because it’s a true statement
Option B is incorrect because it’s a true statement
Option C is correct
Option D is incorrect because it’s a true statement
SELinux is independent of Docker. Docker is compatible with SELinux though.
Domain : Storage and Volumes
Q12 : Bob wants to update the secret being used by one of his services. What is the correct sequence of actions to be performed by him?
A. Update the existing secret using docker secret update
B. Update the existing secret, restart all the services using this secret
C. Create a new secret, update the service to use this new secret, delete the old secret
D. Create a new secret, create a new service with this new secret, delete old secret and old service
Correct Answer: C
Explanation
Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect
Secrets are immutable in Docker swarm. This means they cannot be modified. So if you want to make any modification to a secret, you have to create a new secret.
Having said that, the correct sequence for updating a secret is to first create a new secret (because we can’t update an existing one), attach the new secret to the service by updating the service (this requires the service to restart; Docker swarm takes care of that), and then delete the old secret.
Domain : Orchestration
Q13 : Bob is running a Docker swarm cluster with multiple manager nodes. Bob needs to remove one of the manager nodes from the cluster permanently. Bob has access to this manager node. What is the safest way for him to remove a manager node from the cluster?
A. Simply shut down the server and let the Raft quorum decide to remove it permanently from the swarm.
B. Run “docker swarm leave” on the specific node.
C. Firstly demote the manager node to a worker and then remove it using “docker swarm leave”
D. Stop the Docker service on this specific manager node. Wait until its status changes to ‘Unreachable’ by checking the status on another manager node. Once it disappears from the list of manager nodes, you can safely shut down this node.
Correct Answer: C
Explanation
Option A is incorrect
Option B is incorrect
Option C is correct
A is incorrect because the purpose of a raft quorum is to decide which manager node is the leader. The manager will still show as ‘active’ in the swarm, but the manager status will be ‘Unreachable’.
B is incorrect because only a worker node can leave a swarm with no restriction. If a manager node tries to leave a swarm, the command will fail because it will state you are a manager. Therefore you must first demote this node to a worker, and then you can leave the swarm as a worker. If the current manager is the leader, it will successfully auto-demote itself and the raft quorum will decide which manager node will be the new leader.
C is correct because this is the correct and safest way to remove a manager from a swarm.
D is incorrect because the manager will still show as ‘active’ in the swarm, but the manager status will be ‘Unreachable’.
Reference: https://docs.docker.com/engine/reference/commandline/swarm_leave/
Domain : Orchestration
Q14 : DCT stands for?
A. Docker Content Transmission
B. Docker Container Transmission
C. Docker Certificate Trust
D. Docker Content Trust
Correct Answer: D
Explanation
Option A is incorrect
Option B is incorrect
Option C is incorrect
Option D is correct
Points regarding locking docker swarm
Domain : Orchestration
Q15 : Which of the following options are available to run a single container?
A. published port, user, log driver, restart policy
B. published port, user, log driver, placement constraints
C. published port, volume, secrets, log driver
D. volume, secrets, log driver, memory limit
Correct Answer: A
Explanation
Option A is correct
Option B is incorrect because we can’t specify placement constraints while running a single container. Placement constraints can be specified while running a service.
Option C is incorrect because we can’t specify secrets while running a single container
Option D is incorrect because we can’t specify secrets while running a container.
SOURCE: https://docs.docker.com/engine/reference/commandline/container_run/
Regarding secrets, they are only available in Docker Swarm: you cannot use a secret with a standalone container, only with a container that is part of a service.
SOURCE: https://docs.docker.com/engine/swarm/secrets/
Domain : Image Creation, Management, and Registry
Q16 : A Docker image consists of _____ layers, each of which represents a Dockerfile instruction. The layers are stacked and each one is a delta of the changes from the previous layer.
A. read and write
B. write only
C. read only
D. Movable
Correct Answer: C
Explanation
Option A is incorrect
Option B is incorrect
Option C is correct because all the layers involved in making an image are read only
Option D is incorrect because there is no such thing as “movable” layers
Domain : Image Creation, Management, and Registry
Q17 : Which of the following statements is NOT TRUE about multi-stage builds?
A. Multi-stage builds eliminate the need for separate Dockerfiles.
B. Multi-stage builds help create smaller images.
C. You cannot select which step you want to start your build process in a multi-stage build once you defined all steps.
D. With multi-stage builds, you can create images for different purposes, such as development and production.
Correct Answer: C
Explanation
Option A is true. You don’t need to maintain different Dockerfiles as before.
Option B is true. You can create one image with the sole purpose of building a binary file and another for running that binary file, without the need for the compiler or the development files.
Option C is wrong, because you can select a target build stage.
Option D is correct, because you can declare different images and then select which will be your target during the build stage.
Reference: https://docs.docker.com/develop/develop-images/multistage-build/
Domain : Image Creation, Management, and Registry
Q18 : If we don’t specify a tag, then by convention which tag is pulled when running the docker pull command?
A. Production
B. Staging
C. Latest
D. Master
Correct Answer: C
Explanation
A. A production tag can be manually created/specified but it is not auto-generated.
B. A staging tag can be manually created/specified but it is not auto-generated.
C. This is the correct option. “latest” is the default tag.
D. Image versions can be specified manually but they are not auto-generated.
The default tag to pull is latest. Reference: https://docs.docker.com/engine/reference/commandline/pull/
Domain : Installation and Configuration
Q19 : What is the default location of secrets inside a Docker container?
A. /run/secrets/
B. /secrets/
C. /var/run/
D. /var/secrets/
Correct Answer: A
Explanation
Option A is correct
Option B is incorrect
Option C is incorrect
Option D is incorrect
Reference: https://docs.docker.com/engine/swarm/secrets/
Domain : Installation and Configuration
Q20 : How do you set up the default logging driver on the Docker daemon to be the syslog driver?
A. On /etc/docker/daemon.yaml or C:\ProgramData\docker\config\daemon.yaml, just add:
log-driver: "syslog"
B. On /etc/docker/daemon.json or C:\ProgramData\docker\config\daemon.json, just add:
{
"log-driver": "syslog"
}
C. On /etc/docker/daemon.cfg or C:\ProgramData\docker\config\daemon.cfg, just add:
{
"log-driver": "syslog"
}
D. On /etc/docker/daemon.cfg or C:\ProgramData\docker\config\daemon.cfg, just add:
log-driver: "syslog"
E. On /etc/docker/daemon.conf or C:\ProgramData\docker\config\daemon.conf, just add:
log-driver: "syslog"
F. On /etc/docker/daemon.conf or C:\ProgramData\docker\config\daemon.conf, just add:
{
"log-driver": "syslog"
}
Correct Answer: B
Reference: https://docs.docker.com/config/containers/logging/configure/
Domain : Networking
Q21 : Which of the following commands can be used to attach an existing network named ‘net1’ to a container ‘container1’ which is currently running in network named ‘net2’?
A. docker network connect net1 net2 container1
B. docker network connect net1 container1
C. docker connect network net1 net2
D. docker connect network net1 container1
E. docker connect network net1 net2 container1
Correct Answer: B
Explanation
Option A is incorrect
Option B is correct
Option C is incorrect
Option D is incorrect
Option E is incorrect
container1 is currently part of network ‘net2’. To connect it to ‘net1’ we simply have to connect/attach it to network ‘net1’.
‘docker network connect net1 container1’ does what we want.
Reference: https://docs.docker.com/engine/reference/commandline/network_connect/#examples
Domain : Networking
Q22 : Which of the following is a valid command to assign a static IP to a container?
A. docker run --static-ip 172.18.0.22 <image>
B. docker run --ip 172.18.0.22 <image>
C. None of the above
D. docker run --network-ip 172.18.0.22 <image>
Correct Answer: C
Explanation
Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect
A static IP can be allocated only on a custom network. So first you have to create a new network:
docker network create --subnet=172.18.0.0/16 mynet123
And then run the container with a static IP:
docker run --net mynet123 --ip 172.18.0.22 -it ubuntu bash
Domain : Security
Q23 : Bob wants to test an untrusted Docker image which has a bug that makes it consume memory rapidly, causing other programs on the system to run out of memory and crash. Bob wants to run the container and limit the maximum memory it can use to 512MB.
Which of the following can Bob use while running a container to deal with this problem?
A. docker run --limit 512m
B. docker run --limit 512
C. docker run -m 512m
D. docker run -m 512
Correct Answer: C
Explanation
Option A is incorrect because --limit is not a valid flag
Option B is incorrect because --limit is not a valid flag
Option C is correct
Option D is incorrect because -m 512 only assigns 512 bytes but Bob wants to assign 512MB
Domain : Security
Q24 : What is the recommended way of dealing with loss of the root key in DCT?
A. Regenerate a new root key
B. Sign existing user certs with a new root key
C. Contact docker support.
D. Create a new DCT cluster
Correct Answer: C
Explanation
Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect
Domain : Storage and Volumes
Q25 : Which of the following statements is NOT true?
By default all files created inside a container are stored on a writable container layer. This means that:
A. The data persists when that container no longer exists
B. Two different containers can’t share the data present in their writable layer.
C. A container’s writable layer is tightly coupled to the host machine where the container is running. You can’t easily move the data somewhere else.
D. Writing into a container’s writable layer requires a storage driver to manage the filesystem.
Correct Answer: A
Explanation
Option A is correct
Option B is incorrect because it’s a true statement. Containers’ writable layers are separated using different mount namespaces and hence they can’t share them.
Option C is incorrect because it’s a true statement
Option D is incorrect because it’s a true statement
When a container is deleted, all data present in its writable layer is also lost. To prevent this data loss we can use volumes.
Summary
By trying these free questions and answers, you are now very clear on the core concepts of the Docker Certified Associate certification exam. Additionally, you have to take up a few more practice tests to ensure you are 100% ready to attempt the actual exam. You can check our official web page to try out the practice tests and a step-by-step video course. Keep learning!