Docker Certified Associate (DCA) Practice Exams Set 11

A service 'wordpress' is running using a password string to connect to a non-Dockerized database service. The password string is passed into the 'wordpress' service as a Docker secret. Per security policy, the password on the database was changed. Identity the correct sequence of steps to rotate the secret from the old password to the new password.


Options are :

  • Trigger an update to the service by using 'docker service update --secret='
  • Create a new docker secret with the new password. Trigger a rolling secret update by using the 'docker secret update' command
  • Create a new docker secret with the new password. Remove the existing service using 'docker service rm'. Start a new service with the new secret using "--secret="
  • Create a new docker secret with a new password. Trigger a rolling update of the "wordpress" service, by using "-- secret-rm" & "--secret-add" to remove the old secret and add the updated secret.

Answer : Create a new docker secret with a new password. Trigger a rolling update of the "wordpress" service, by using "-- secret-rm" & "--secret-add" to remove the old secret and add the updated secret.

Which set of commands can identify the publishd port(s) for a container?


Options are :

  • 'docker container inspect', docker port'
  • 'docker network inspect','docker port'
  • 'docker port inspect', 'docker container inspect'
  • 'docker info','docker network inspect'

Answer : 'docker container inspect', docker port'

Docker Certified Associate (DCA) Practice Exams Set 5

What service mode is used to deploy a single task of a service to each node?


Options are :

  • Universal
  • Spread
  • Global
  • Replicated
  • Distributed

Answer : Global

How do you configure Docker engine to use a registry that is not configured with TLS certificates from a trusted CA?


Options are :

  • Set and export the IGNORE_TLS environment variable on the command line.
  • Pass the '--insecure-registry' flag to the daemon at run time.
  • Set INSECURE_REGISTRY in the '/etc/docker/default' configuration file.
  • Set IGNORE_TLS in the 'daemon.json' configuration file.

Answer : Pass the '--insecure-registry' flag to the daemon at run time.

Which of the following commands starts a Redis container and configures it to always restart unless it is explicitly stopped or Docker is restarted?


Options are :

  • 'docker run -d --restart omit-stopped redis'
  • 'docker run -d --failure omit-stopped redis'
  • 'docker run -d --restart-policy unless-stopped redis'
  • docker run -d --restart unless-stopped redis'

Answer : docker run -d --restart unless-stopped redis'

Docker Certified Associate (DCA) Practice Exams Set 1

A docker service 'web' is running with a scale factor of 1 (replicas = 1). Bob intends to use the command 'docker service update --replicas=3 web'. Alice intends to use the command 'docker service scale web=3'. How do the outcomes of these two commands differ?


Options are :

  • Bob's command results in an error. Alice's command updates the number of replicas of the 'web' service to 3.
  • Bob's command updates the number of replicas of the 'web' service to 3. Alice's command results in an error.
  • Bob's command only updates the service definition, but no new replicas are started. Alice's command results in the actual scaling up of the 'web' service.
  • Both Bob's and Alice's commands result in exactly the same outcome, which is 3 instances of the 'web' service.

Answer : Both Bob's and Alice's commands result in exactly the same outcome, which is 3 instances of the 'web' service.

What is the recommended way to configure the daemon flags and environment variables for your Docker daemon in a platform independent way?


Options are :

  • Set the configuration DOCKER_OPTS in '/etc/default/docker'
  • Set the configuration options in '/etc/docker/daemon.json'
  • Set the configuration options using the ENV variable
  • Using 'docker config' to set the configuration options.

Answer : Set the configuration options in '/etc/docker/daemon.json'

Which of the following is NOT how to create an efficient image via a Dockerfile?


Options are :

  • Use multi-stage builds
  • Start with an appropriate base image
  • Avoid installing unnecessary packages
  • Combine multiple applications into a single container

Answer : Combine multiple applications into a single container

Docker Certified Associate (DCA) Practice Exams Set 24

Which of the following is supported by control groups?


Options are :

  • Collect net
  • Isolate processes in a container
  • Mange certificates
  • Limit CPU usage within a container

Answer : Limit CPU usage within a container

Which flag for a service would allow a container to consume more than 2 GB of memory only when there is no memory contention but would also prevent a container from consuming more than 4GB of memory, in any case?


Options are :

  • --limit-memory 2GB --reserve-memory 4GB
  • --limit-memory 4GB --reserve-memory 2GB
  • --memory-swap 2GB --limit-memory 4GB
  • --memory-swap 4GB --limit-memory 2GB

Answer : --limit-memory 4GB --reserve-memory 2GB

What is the image storage solution that is part of Docker Enterprise Edition called?


Options are :

  • Universal Control Plane
  • Docker Hub
  • Docker Registry
  • Docker Trusted Registry

Answer : Docker Trusted Registry

Docker Certified Associate (DCA) Practice Exams Set 5

What is the docker command for displaying layers of a Docker image?


Options are :

  • docker info
  • docker history
  • docker layers
  • docker image layers

Answer : docker history

If installing Docker using devicemapper for storage with the Intent to run production workloads, how should devicemapper be configured?


Options are :

  • direct-lvm
  • aufs-lvm
  • overlay-lvm
  • loop-lvm

Answer : direct-lvm

In Docker Trusted Registry, how would a user prevent an image, for example 'nginx:latest' from being overwritten by another user with push access to the repository?


Options are :

  • Tag the image with 'nginx:immutable'
  • Use the DTR web UI to make the tag immutable.
  • Remove push access from all other users.
  • Keep a backup copy of the image on another repository.

Answer : Use the DTR web UI to make the tag immutable.

Docker Certified Associate (DCA) Practice Exams Set 23

Docker image is built up from a series of layers and each layer represents an instruction in the image's Dockerfile. True or false?


Options are :

  • FALSE
  • TRUE

Answer : TRUE

What is the function of docker inspect command"


Options are :

  • To return low-level information on Docker objects
  • To manage Docker configs
  • To inspect changes to files or directories on a container's filesystem
  • To display system-wide information

Answer : To return low-level information on Docker objects

Following the principle of least privilege, which of the following methods can be used to securely grant access to the specific user to communicate to a Docker engine? (Choose two.)


Options are :

  • C. Add the user to the 'docker' group on the server or specify the group with the '--group' Docker daemon option.
  • Utilize the '--host 0.0.0.0:2375' option to the Docker daemon to listen on port 2375 over TCP on all interfaces.
  • Give the user root access to the server to allow them to run Docker commands as root.
  • Utilize the '--host 127.0.0.1:2375' option to the Docker daemon to listen on port 2375 over TCP on localhost
  • Utilize openssl to create TLS client and server certificates, configuring the Docker engine to use with mutual TLS over TCP.

Answer : C. Add the user to the 'docker' group on the server or specify the group with the '--group' Docker daemon option. Utilize openssl to create TLS client and server certificates, configuring the Docker engine to use with mutual TLS over TCP.

Docker Certified Associate (DCA) Practice Exams Set 8

Dockerfile option EXPOSE publish the port to external systems. True or false?


Options are :

  • TRUE
  • FALSE

Answer : FALSE

Which of the following statements is incorrect?


Options are :

  • When a container is deleted, the writable layer is persisted.
  • Copy-on-write is a Docker strategy of sharing and copying files for maximum efficiency.
  • The column 'size' of docker ps -s output shows the amount of data that is used for the writable layer of each container.
  • The column 'virtual size' of docker ps -s output shows the amount of data used for the read-only image data used by the container plus the container's writable layer 'size'.

Answer : When a container is deleted, the writable layer is persisted.

Which of the following docker image commands display detailed information on one or more images?


Options are :

  • docker image ls
  • docker image detail
  • docker image inspect
  • docker image history

Answer : docker image inspect

Docker Certified Associate (DCA) Practice Exams Set 6

Which one of the following commands will result in the volume being removed automatically once the container has exited?


Options are :

  • 'docker run --rm -v /foo busybox'
  • 'docker run --remove -v /foo busybox'
  • 'docker run --read-only -v /foo busybox'
  • 'docker run --del -v /foo busybox'

Answer : 'docker run --rm -v /foo busybox'

Each container shares common writeable container layer. True or false?


Options are :

  • FALSE
  • TRUE

Answer : FALSE

Which of the following is true about overlay networks?


Options are :

  • Overlay networks are first created on the manager nodes. Then they are created on the worker nodes once a task is scheduled on the specific worker node.
  • Overlay networks are created only on the manager node that you created the overlay networking on.
  • Overlay networks are only created on the manager nodes.
  • Overlay networks are created on all cluster nodes when you create the overlay network.

Answer : Overlay networks are first created on the manager nodes. Then they are created on the worker nodes once a task is scheduled on the specific worker node.

Docker Certified Associate (DCA) Practice Exams Set 24

What is the purpose of Docker Content Trust?


Options are :

  • Indicating an image on Docker Hub is an official image
  • Signing and verification of image tags
  • Docker registry TLS verification and encryption
  • Enabling mutual TLS between the Docker client and server

Answer : Signing and verification of image tags

What is the difference between the ADD and COPY dockerfile instructions? (choosen 2)


Options are :

  • ADD supports compression format handling while COPY does not.
  • COPY supports compression format handling while ADD does not.
  • ADD supports regular expression handling while COPY does not.
  • COPY supports regular expression handling while ADD does not.
  • ADD support remote URL handling while COPY does not.

Answer : ADD supports compression format handling while COPY does not. ADD support remote URL handling while COPY does not.

What is the docker command to remove one or more images?


Options are :

  • docker image delete
  • docker image rm
  • docker remove
  • docker delete

Answer : docker image rm

Docker Certified Associate (DCA) Practice Exams Set 7

When using the Docker client to push an image to a registry, what environment variable is used to instruct the client to perform signing of the image?


Options are :

  • DOCKER_IMAGE_SIGN=1
  • DOCKER_CONTENT_TRUST=1
  • DOCKER_PUSH_SIGN=1
  • NOTARY_ENABLE=1

Answer : DOCKER_CONTENT_TRUST=1

What is one way of directly transferring a Docker Image from one Docker host in another?


Options are :

  • There is no way of directly transferring Docker images between hosts. A Docker Registry must be used ad an intermediary.
  • 'docker save' the image to save it as TAR file and copy it over to the target host. Then use 'docker load' to un-TAR the image back as a Docker image.
  • 'docker commit' to save the image outside of the Docker filesystem. Then transfer the file over to the target host and 'docker start' to start the container again.
  • 'docker push' the image to the IP address of the target host.

Answer : 'docker save' the image to save it as TAR file and copy it over to the target host. Then use 'docker load' to un-TAR the image back as a Docker image.

Which of the following is required to install Docker EE from a package repository?


Options are :

  • License key obtained from Docker Store
  • Repository URL obtained from Docker Hub
  • License key obtained from Docker Hub
  • Repository URL obtained from Docker Store

Answer : Repository URL obtained from Docker Store

Docker Certified Associate (DCA) Practice Exams Set 3

What is the default format of docker inspect output?


Options are :

  • yaml
  • html
  • xml
  • json

Answer : json

After creating a new service named 'http', you notice that the new service is not registering as healthy. How do you view the list of historical tasks for that service by using the command line?


Options are :

  • 'docker service inspect http'
  • 'docker service ps http'
  • 'docker inspect http'
  • 'docker ps http'

Answer : 'docker service inspect http'

Which of the following is the correct command to tag an image?


Options are :

  • docker build tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
  • docker tag image SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
  • docker tag TARGET_IMAGE[:TAG] SOURCE_IMAGE[:TAG]
  • docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]

Answer : docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]

Docker Certified Associate (DCA) Practice Exams Set 11

What is used by the kernel to isolate resources when running Docker containers?


Options are :

  • Control groups (also know as cgroups)
  • Overlay networks
  • Volumes
  • Namespaces

Answer : Control groups (also know as cgroups)

You can monitor the status of UCP by using the web UI or the CLI. True or false?


Options are :

  • TRUE
  • FALSE

Answer : TRUE

What is the docker command to pull an image or a repository from a registry?


Options are :

  • docker build
  • docker deploy
  • docker pull
  • docker checkout

Answer : docker pull

Docker Certified Associate (DCA) Practice Exams Set 9

A container named "analytics" that stores results in a volume called "data" was created. docker run -d --name=analytics -v data:/data webapp. How are the results accessed in "data" with another container called "dbapp"?


Options are :

  • docker run -d --name=reports --volume=data dbapp
  • docker run -d --name=reports --volume=webapp dbapp
  • docker run -d --name=reports --volume-from=analytics dbapp
  • docker run -d --name=reports --mount=webapp dbapp

Answer : docker run -d --name=reports --volume-from=analytics dbapp

Which statement is true about DTR garbage collection?


Options are :

  • Garbage collection removes unreferenced image layers from DTR's backend storage.
  • Garbage collection removes unused volumes from cluster nodes
  • Garbage collection removes exited containers from cluster nodes.
  • Garbage collection removes DTR images that are older than a configurable of days.

Answer : Garbage collection removes unreferenced image layers from DTR's backend storage.

What is the purpose of a client bundle in the Universal Control Plane?


Options are :

  • Provide a user with a Docker client binary compatible with the Universal Control Plane
  • Group multiple users in a team in the Universal Control Plane
  • Provide a new user instructions for how to login to the Universal Control Plane
  • Authenticate a user using client certificates to the Universal Control Plane

Answer : Authenticate a user using client certificates to the Universal Control Plane

Docker Certified Associate (DCA) Practice Exams Set 25

The following health check exists in a Dockerfile: 

'HEALTCHECK CMD curl --fail http://localhost/health || exit 1'

Which of the following describes its purpose?



Options are :

  • Defines the health check endpoint on the local host interface for containers to monitor the health of the docker engine.
  • Defines the action taken when container health fails, which in this case will kill the container with exit status 1.
  • Defines the health check endpoint on the localhost interface for external monitoring tools to monitor the health of the docker engine.
  • Defines the health check for the containerized application so that the application health can be monitored by the Docker engine.

Answer : Defines the action taken when container health fails, which in this case will kill the container with exit status 1.

Which of the following is the correct command to store an image to a registry?


Options are :

  • docker upload [OPTIONS] NAME[:TAG]
  • docker store [OPTIONS] NAME[:TAG]
  • docker commit [OPTIONS] NAME[:TAG]
  • docker push [OPTIONS] NAME[:TAG]

Answer : docker push [OPTIONS] NAME[:TAG]

Docker security scan can be started by all users including those with read-only access. True or false?


Options are :

  • TRUE
  • FALSE

Answer : FALSE

Docker Certified Associate (DCA) Practice Exams Set 8

Which of the following modes can be used for service discovery of a Docker swarm service (Pick 2 correct answers)?


Options are :

  • Virtual IP (VIP) with --endpoint-mode vip
  • Overlay with --endpoint-mode overlay
  • Network Address Translation(NAT) with --endpoint-mode nat
  • Ingress with --endpoint-mode ingress
  • DNS Round-Robin with --endpoint-mode dnsrr

Answer : Virtual IP (VIP) with --endpoint-mode vip DNS Round-Robin with --endpoint-mode dnsrr

Which of these swarm manager configurations will cause the cluster to be in a lost quorum state?


Options are :

  • 3 managers of which 2 are healthy.
  • 5 managers of which 3 are healthy.
  • 1 manager of which 1 is healthy.
  • 4 managers of which 2 are healthy.

Answer : 4 managers of which 2 are healthy.

What is the difference between a resource limit and a resource reservation when scheduling services?


Options are :

  • A resource limit and a resource reservation can be used interchangeably.
  • A resource limit is used to find a host with adequate resources for scheduling a hard limit for your service, while a reservation is hard limit for your service.
  • A resource limit is hard limit for your service, while a reservation is used to find a host with adequate resources for scheduling.
  • A resource limit is soft limit for your service, while a reservation is hard limit and the docker engine will do its best to keep your service at the limit.

Answer : A resource limit is hard limit for your service, while a reservation is used to find a host with adequate resources for scheduling.

Docker Certified Associate (DCA) Practice Exams Set 8

Which of the following is the docker command to enable autolock on an existing swarm cluster?


Options are :

  • docker swarm update --autolock-swarm=true
  • docker swarm --autolock=true
  • docker swarm autolock
  • docker swarm update --autolock=true

Answer : docker swarm update --autolock=true

Docker Certified Associate (DCA) Practice Exams Set 23

Comment / Suggestion Section
Point our Mistakes and Post Your Suggestions