Docker Certified Associate Exam

25 Free Questions on Docker Certified Associate Exam

If you are looking for Docker Certified Associate Exam sample questions, then this article helps a lot in your exam preparation. Docker certification is designed for beginners who are new to the concept of containers. Docker is a platform that helps build different containers. This certification exam assesses your docker skills and recognizes you as an industry-acceptable docker certified associate.

By going through these free docker certification questions, you will gain more confidence in facing the actual exam. The detailed explanation for docker questions and answers makes you aware of the important objectives of the real exam.

Domain : Orchestration

Q1 : A global service is a service that runs  ____  task/tasks on every node that meet the placement and resource constraints

A. Many
B. One
C. more than one
D. None

Correct Answer: B

Explanation

Option A is incorrect
Option B is correct
Option C is incorrect
Option D is incorrect

Reference: https://docs.docker.com/engine/swarm/services/#replicated-or-global-services

 

Domain : Orchestration

Q2 : Your company needs to run a custom monitoring application published in Docker Hub called “examplecorp/stats-collector”. You must ensure this would run in all swarm nodes, regardless how many nodes you currently have or if a new one would join the swarm eventually. This monitoring system requires an environment variable called ENDPOINT_ADDRESS that sends the metrics to an external service hosted at ‘service.example.com’. Which of the following commands would accomplish these requirements?

A. docker service create –name stats-collector –replicas=1 –entrypoint ADDRESS=”service.example.com” examplecorp/stats-collector
B. docker service create –name stats-collector –replicas=auto –entrypoint ADDRESS=”service.example.com” examplecorp/stats-collector
C. docker service create –name stats-collector –mode=global -e ENDPOINT_ADDRESS=”service.example.com” examplecorp/stats-collector
D. docker service create –name stats-collector –mode=replicated -e ENDPOINT_ADDRESS=”service.example.com” examplecorp/stats-collector

Correct Answer: C

Explanation

A is incorrect because this would only bring one task (container) up in one random node in the swarm. Another issue is that –entrypoint option would make the container to exec ADDRESS=”service.example.com”, which would make the service creation fails in the end.

B is incorrect because you cannot specify ‘auto’ as a number of replicas. It must be a number always. Another issue is that –entrypoint option would make the container to exec ADDRESS=”service.example.com”, which would make the service creation fails in the end.
C is correct. The service must run as ‘global’, because it will create one task in each swarm node, even if a new node joins the swarm. The -e is the correct option to specify a custom environment variable to the container.
D is wrong. Not only this is the default mode, but eventually will create just only one container in the entire swarm. The questions asks that we need to run this in all nodes. The -e is the correct option to specify a custom environment variable to the container.

Reference: https://docs.docker.com/engine/reference/commandline/service_create/

 

Domain : Orchestration

Q3 : Which of the following is NOT true regarding docker swarm mode?

A. You can deploy both kinds of nodes, managers and workers, using the Docker Engine
B. For each service, you can declare the number of tasks you want to run. When you scale up or down, the swarm manager automatically adapts by adding or removing tasks to maintain the desired state.
C. The swarm manager automatically assigns addresses to the containers on the overlay network when it initializes or updates the application.
D. Docker swarm mode is a plugin which you can install alongside docker to  run a cluster of docker engines

Correct Answer: D

Explanation

  1. This is correct
  2. This is correct
  3. This is correct
  4. a,b and c all are correct – so the only incorrect option is this.

Docker swarm mode is not a plugin. It is built into docker engine. A basic docker installation can be run in swarm mode, it doesn’t require any plugin.

Each node in the swarm enforces TLS mutual authentication and encryption to secure communications between itself and all other nodes https://docs.docker.com/engine/swarm/

 

Domain : Image Creation, Management, and Registry

Q4 : Which of the following patterns would exclude all Python byte-code files from being copied during the Docker image creation process?

A. **.pyc
B. **/*.pyc
C. *.pyc
D. /*.pyc

Correct Answer: B

Explanation

The correct answer is Option B

References: https://docs.docker.com/engine/reference/builder, https://codefresh.io/docker-tutorial/not-ignore-dockerignore/

Beyond Go’s filepath.Match rules, Docker also supports a special wildcard string ** that matches any number of directories (including zero). For example, **/*.go will exclude all files that end with .go that are found in all directories, including the root of the build context.

 

Domain : Image Creation, Management, and Registry

Q5 : Which of the following statement is correct? Pick exactly two statements.

A. Image is a collection of immutable layers whereas container is a running instance of an image.
B. Container can exist without the image but image cannot exist without container
C. Only one container can be spawned from a given image at a time
D. If multiple containers are spawned from the same image then they all use the same copy of image in memory.

Correct Answers: A and D

Explanation

Option A is correct. Image consists of layers which are immutable. Container is a running instance of an image.
Option B is incorrect because containers cannot exist without an image. We can spawn a container using an image.
Option C is incorrect because we can spawn multiple containers from a single image.
Option D is correct because when we spawn multiple containers from a same image – only a single copy of the image is loaded on memory. Each container has its own Read and Write layer to accommodate its local changes.

Reference: https://docs.docker.com/glossary/?term=image

 

Domain : Image Creation, Management, and Registry

Q6 : You are in a directory containing a file named Dockerfile-app. You want to build a docker image using this “Dockerfile-app” file without renaming it to “Dockerfile”. Which of the following answers is correct?

A. docker build -d Dockerfile-app
B. docker build -f Dockerfile-app
C. docker build –dockerfile Dockerfile-app
D. docker build –from-file Dockerfile-app

Correct Answer: B 

Explanation

  1. Invalid flag.
  2. “-f” is a valid flag for providing Dockerfile
  3. Invalid flag.
  4. Invalid flag.

Docker provides argument “-f” to use Dockerfile to build the image. https://docs.docker.com/engine/reference/commandline/build/

 

Domain : Installation and Configuration

Q7 : Bob did a fresh installation of docker on his new linux server. He hasn’t tinkered with anything and has just installed docker packages from official repository. He runs a new container with command “docker run -d nginx” , which logging driver will this container use?

A. Syslog
B. Logentries
C. Json-file
D. Journald

Correct Answer: C

Explanation

Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect

json-file is the default logging driver in docker

 

Domain : Installation and Configuration

Q8 : Which of the following gives a web dashboard to manage docker cluster?

A. Docker swarm mode
B. Docker UCP
C. Docker-compose
D. DTR

Correct Answer: B

Explanation

  1. docker swarm mode is used for creating docker cluster
  2. Docker UCP is the a docker enterprise software which comes bundled with a web dashboard and cli for managing docker swarm effectively.
  3. docker-compose is used for running/managing docker services in single docker host.
  4. Docker Trusted Registry (DTR) is the enterprise-grade image storage solution from Docker.

UCP provides us with a single web based dashboard to manage/maintain docker cluster.

 

Domain : Networking

Q9 : Bob runs a container with –net=host, which of the following will NOT true? There are already multiple containers running on the host.

A. The container will use host network namespace and the network interfaces and IP stack of the host.
B. All containers in the host network are able to communicate with each other on the host interfaces.
C. Because they are using the host networking namespace, two containers are able to bind to the same TCP port.
D. From a networking standpoint this is equivalent to multiple processes running on a host without containers.

Correct Answer: C

Explanation

Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect

Any two processes running on same networking namespace can’t bind to the same port. This holds true for host networking namespace as well. That’s why Option C is a false statement.

Reference: https://success.docker.com/article/networking

Read More: Docker Networking using hands-on labs

Domain : Security

Q10 : Grants in UCP are made up of which of the following?

A. subject, role and resource set
B. subject, role and containers
C. nodes, role and containers
D. subject, node and containers
E. images, containers and nodes

Correct Answer: A

Explanation

Option A is correct
Option B is incorrect
Option C is incorrect
Option D is incorrect

A grant is made up of subject, role, and resource set.

Grants define which users can access what resources in what way. Grants are effectively Access Control Lists (ACLs), and when grouped together, they provide comprehensive access policies for an entire organization.

Only an administrator can manage grants, subjects, roles, and access to resources.

 

Domain : Security

Q11 : Which of the following is NOT true about selinux ?

A. SELinux= Security-Enhanced Linux
B. SELinux provides a mechanism for supporting access control security policies
C. SELinux comes bundled with docker
D. SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions.

Correct Answer: C

Explanation

Option A is incorrect because its a true statement
Option B is incorrect because its a true statement
Option C is correct
Option D is incorrect because its a true statement

SELinux is independent of docker. Docker is compatible with SELinux though.

 

Domain : Storage and Volumes

Q12 : Bob wants to update the secret being used by one of his service. What is the correct sequence of actions to be performed by him?

A. Update the existing secret using docker secret update
B. Update the existing secret , restart all the services using this secret
C. Create a new secret, update the service to use this new secret , delete the old secret
D. Create a new secret, create a new service with this new secret, delete old secret and old service

Correct Answer: C

Explanation

Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect

Secrets are immutable in docker swarm. This means they cannot be modified. So if you want to make any modification to a secret then you have to create a new secret file.

Having said that, the current sequence for updating a secret is – to first create a new secret (because we can’t update an existing one), attach the new secret to the service by updating the service – (this would require the service to restart – docker swarm would take care of that) and then delete the old secret.

 

Domain : Orchestration

Q13 : Bob is running a docker swarm cluster with multiple manager nodes. Bob needs to remove one the manager nodes from the cluster permanently. Bob has access to this manager node. What is the safest way for him to remove a manager node from the cluster?

A. Simply shut down the server and let the Raft quorum decides to remove it permanently from the swarm.
B. Run “docker swarm leave” on the specific node.
C. Firstly demote the manager node to a worker and then remove it using “docker swarm leave”
D. Stop the docker service on this specific manager node. Wait until its status change to ‘Unreachable’ by checking the status on another manager node. Once it disappears from the list of manager nodes, you can safely shut down this node.

Correct Answer: C

Explanation

Option A is incorrect
Option B is incorrect
Option C is correct
A is incorrect because the purpose of a raft quorum is to decide which manager node is a leader. The manager will still show as ‘active’ in the swarm, but the manager status will be ‘Unreachable’
B is incorrect because only a worker node can leave a swarm with no restriction. If a manager node tries to leave a swarm, the command will fail because it will state you are a manager. Therefore you must demote this node to a worker so the swarm and them you can leave the swarm as a worker. If the current manager is the leader, it will successfully auto-demote itself and the raft quorum will decide which manager node will be the new leader.  
C is correct because this is the correct and safest way to remove a manager from a swarm.
D is incorrect because the manager will still show as ‘active’ in the swarm, but the manager status will be ‘Unreachable’.

Reference: https://docs.docker.com/engine/reference/commandline/swarm_leave/

 

Domain : Orchestration

Q14 : DCT stands for?

A. Docker Content Transmission
B. Docker Container Transmission
C. Docker Certificate Trust
D. Docker Content Trust

Correct Answer: D

Explanation

Option A is incorrect
Option B is incorrect
Option C is incorrect
Option D is correct

Points regarding locking docker swarm

 

Domain : Orchestration

Q15 : Which of the following options are available to run a single container?

A. published port, user, log driver, restart policy
B. published port, user, log driver, placement constraints
C. published port, volume, secrets, log driver
D. volume, secrets, log driver, memory limit

Correct Answer: A

Explanation

Option A is correct
Option B is incorrect because we can’t specify placement constraints while running a single container. Placement constraints can be specified while running a service.
Option C is incorrect because we can’t specify secrets while running a single container
Option D is incorrect because we can’t specify secrets while running a container.

SOURCE: https://docs.docker.com/engine/reference/commandline/container_run/

Regarding to secrets, it is only available on the Docker Swarm and you cannot create a secret on a lone docker execution, only if it part of a service.

SOURCE: https://docs.docker.com/engine/swarm/secrets/

 

Domain : Image Creation, Management, and Registry

Q16 : Docker image consists of _____ layers each of which represents a Dockerfile instruction. The layers are stacked and each one is a delta of the changes from the previous layer.

A. read and write
B. write only
C. read only
D. Movable

Correct Answer: C

Explanation

Option A is incorrect
Option B is incorrect 
Option C is correct because all the layers involved in making an image are read only
Option D is incorrect because there is no such thing as “movable” layers

 

Domain : Image Creation, Management, and Registry

Q17 : Which of the following statements is NOT TRUE about multi-stage builds?

A. Multi-stage builds eliminates the need of separate Dockerfiles.
B. Multi-stage builds helps on creation of smaller image sizes.
C. You cannot select which step you want to start your build process in a multi-stage build once you defined all steps.
D. With multi-stage builds, you can create images for different purposes, such as development and production.

Correct Answer: C

Explanation

Option A is true. You don’t need to maintain different Dockerfile as before.
Option B is true. You can create an image with the sole purpose to build a binary file and one for running a binary file, without the need of the compiler nor the development files.
Option C is wrong, because you can select a target build stage.
Option D is correct, because you can declare diferrent images and then select which will be your target during the build stage.

Reference: https://docs.docker.com/develop/develop-images/multistage-build/

 

Domain : Image Creation, Management, and Registry

Q18 : If we don’t specify a tag then by convention which tag is pulled while running docker pull command?

A. Production
B. Staging
C. Latest
D. Master

Correct Answer: C

Explanation

  1. production tag can be manually created/specified but it is not auto generated.
  2. staging tag can be manually created/specified but it is not auto generated.
  3. This is the correct option. “latest” is the default tag.
  4. Image versions can be specified manually but it is not auto generated.

The default tag to pull is latest. https://docs.docker.com/engine/reference/commandline/pull/

 

Domain : Installation and Configuration

Q19 : What is the default location of secrets inside a Docker container?

A. /run/secrets/
B. /secrets/
C. /var/run/
D. /var/secrets/

Correct Answer: A

Explanation

Option A is correct
Option B is incorrect
Option C is incorrect
Option D is incorrect

Reference: https://docs.docker.com/engine/swarm/secrets/

 

Domain : Installation and Configuration

Q20 : How do you setup the default logging driver on Docker daemon to be the syslog driver?

A. On /etc/docker/daemon.yaml or C:\ProgramData\docker\config\daemon.yaml, just add:
     log-driver: “syslog”
B. On /etc/docker/daemon.json or C:\ProgramData\docker\config\daemon.json, just add:
    {
     “log-driver”: “syslog” 
     }
C. On /etc/docker/daemon.cfg or C:\ProgramData\docker\config\daemon.cfg, just add:
    {
      “log-driver”: “syslog”
     }
D. On /etc/docker/daemon.cfg or C:\ProgramData\docker\config\daemon.cfg, just add: log-driver: “syslog”
E. On /etc/docker/daemon.conf or C:\ProgramData\docker\config\daemon.conf, just add: log-driver: “syslog”
F. On /etc/docker/daemon.conf or C:\ProgramData\docker\config\daemon.conf, just add:
    {
     “log-driver”: “syslog”
     }

Correct Answer: B

Reference: https://docs.docker.com/config/containers/logging/configure/

 

Domain : Networking

Q21 : Which of the following commands can be used to attach an existing network named ‘net1’ to a container ‘container1’ which is currently running in network named ‘net2’?

A. docker network connect net1 net2 container1
B. docker network connect net1 container1
C. docker connect network net1 net2
D. docker connect network net1 container1
E. docker connect network net1 net2 container1

Correct Answer: B

Explanation

Option A is incorrect
Option B is correct
Option C is incorrect
Option D is incorrect
Option E is incorrect

container1 is currently part of network ‘net2’. To connect it to ‘net1’ we simply have to connect/attach it with network ‘net1’

‘docker network connect net1 container1’ should do what we want.

Reference: https://docs.docker.com/engine/reference/commandline/network_connect/#examples

 

Domain : Networking

Q22 : Which of the following is a valid command to assign static IP to a container?

A. docker run –static-ip 172.18.0.22 <image>
B. docker run –ip 172.18.0.22 <image>
C. None of the above
D. docker run –network-ip 172.18.0.22 <image>

Correct Answer: C

Explanation

Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect

Static IP can be allocated only on a custom network. So first you will have to create a new network

docker network create –subnet=172.18.0.0/16 mynet123

And then run container with static IP

docker run –net mynet123 –ip 172.18.0.22 -it ubuntu bash

 

Domain : Security

Q23 : Bob wants to test an untrusted docker image which has a bug due to which it starts consuming memory rapidly which causes other programs on the system to run out of memory and crash. Bob wants to run the container and limit the max memory it can to be 512MB.
Which of the following can bob use while running a container to deal with this problem?

A. docker run –limit 512m
B. docker run –limit 512
C. docker run -m 512m
D. docker run -m 512

Correct Answer: C

Explanation

Option A is incorrect because –limit is not a valid flag
Option B is incorrect because –limit is not a valid flag
Option C is correct
Option D is incorrect because -m 512 only assigns 512 bytes but bob wants to assign 512MB

 

Domain : Security

Q24 : What is the recommended way of dealing with loss of root in in DCT?

A. Regenerate a new root key
B. Sign existing user certs with a new root key
C. Contact docker support.
D. Create a new DCT cluster

Correct Answer: C

Explanation

Option A is incorrect
Option B is incorrect
Option C is correct
Option D is incorrect

 

Domain : Storage and Volumes

Q25 : Which of the following statements is NOT true?
By default all files created inside a container are stored on a writable container layer. This means that:

A. The data persists when that container no longer exists
B. Two different containers can’t share the data present in their writable layer.
C. A container’s writable layer is tightly coupled to the host machine where the container is running. You can’t easily move the data somewhere else.
D. Writing into a container’s writable layer requires a storage driver to manage the filesystem.

Correct Answer: A

Explanation

Option A is correct
Option B is incorrect because its a true statement. Containers writable layers are separated using different mount namespaces and hence they can’t share it.
Option C is incorrect because it’s a true statement
Option D is incorrect because it’s a true statement

When a container is deleted – all data present in it’s writable layer is also lost. To prevent this data loss we can use volumes.

Summary

By trying these free questions and answers, you are now very clear on the core concepts of the docker certified associate certification exam. Additionally, you have to take up a few more practice tests to ensure you are 100% ready to attempt the actual exam. You can check our official web page to try out the practice tests and a step-by-step video course. Keep Learning !

About Abilesh Premkumar

Abilesh holds a Master's degree in Information technology and Master of Philosophy Degree in Computer Science and did his Research on Information security via Collaborative Inference Detection. Also, received an Honorary Doctorate from UNO recognized organization. He contributes to Cloud research and supports building cloud computing tools.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top