DCA Exam Dumps - Docker Certified Associate Questions and Answers

= Docker Content Trust (DCT) is a feature that allows users to verify the integrity and publisher of container images they pull or deploy from a registry server, signed on a Notary server12. DCT does not enable mutual TLS between the Docker client and server, which is a different security mechanism that ensures encrypted and authenticated communication between the client and the server3. DCT is based on digital signatures and The Update Framework (TUF) to provide trust over arbitrary collections of data1. References:

Content trust in Docker | Docker Docs

Docker Content Trust: What It Is and How It Secures Container Images

Protect the Docker daemon socket | Docker Docs

The statement is correct. In the provided Kubernetes YAML, it’s defined that traffic sent to the IP of this service on port 8080 will be routed to port 80 in a random pod with the label app: nginx. This is because it’s a ClusterIP service type which is meant for internal communication within the cluster, and it uses selectors to route traffic to the correct pods. References: Docker Certified Associate Guide, DCA Prep Guide

 The command docker service create -name dns-cache -p 53:53 -constraint networking.protocol.udp=true dns-cache will not create a swarm service that only listens on port 53 using the UDP protocol. This command has several syntax errors and invalid options. The correct syntax for creating a swarm service is docker service create [OPTIONS] IMAGE [COMMAND] [ARG...]1. The correct options for specifying the service name, port mapping, and network mode are --name, --publish, and --network respectively1. The option -constraint is not a valid option for the docker service create command. To create a swarm service that only listens on port 53 using the UDP protocol, you need to use the --publish option with the protocol=udp and mode=host parameters, and the --network option with the host value23. For example, the following command creates a global service using host mode and bypassing the routing mesh2:

docker service create --name dns-cache \

--publish published=53,target=53,protocol=udp,mode=host \

--mode global \

--network host \

dns-cache

1: docker service create | Docker Docs

2: Use swarm mode routing mesh | Docker Docs

3: Manage swarm service networks | Docker Docs

= Provisioning a Docker config object for each environment is a way to provision configuration to containers at runtime. Docker configs allow services to adapt their behaviour without the need to rebuild a Docker image. Services can only access configs when explicitly granted by a configs attribute within the services top-level element. As with volumes, configs are mounted as files into a service’s container’s filesystem1. Docker configs are supported on both Linux and Windows services2. References: Docker Documentation, Configs top-level element

When content trust is enabled, Docker blocks any command that operates on unsigned images, such as docker service create. This is because Docker Content Trust (DCT) allows users to verify the integrity and publisher of specific image tags, using digital signatures stored on a Notary server. If an image tag is not signed, or the signature cannot be verified, Docker will refuse to pull, run, or build with that image. Therefore, if myorg/myimage:1.0 is unsigned, Docker will block the command docker service create myorg/myimage:1.0 and display an error message. References:

Content trust in Docker

Docker Content Trust: What It Is and How It Secures Container Images

Automation with content trust

n: = Using the DTR web UI to make all tags in the repository immutable is not a good way to prevent an image, such as ‘nginx:latest’, from being overwritten by another user with push access to the repository. This is because making all tags immutable would prevent any updates to the images in the repository, which may not be desirable for some use cases. For example, if a user wants to push a new version of ‘nginx:latest’ with a security patch, they would not be able to do so if the tag is immutable. A better way to prevent an image from being overwritten by another user is to use the DTR web UI to create a promotion policy that restricts who can push to a specific tag or repository1. Alternatively, the user can also use the DTR API to create a webhook that triggers a custom action when an image is pushed to a repository2. References:

Prevent tags from being overwritten | Docker Docs

Create webhooks | Docker Docs

= The command docker network create -d overlay --secure  will not ensure that overlay traffic between service tasks is encrypted. The --secure option is not a valid flag for the docker network create command1. To enable encryption for an overlay network, you need to use the --opt encrypted flag instead23. This will create IPSEC tunnels between the nodes where the service tasks are scheduled, using the AESalgorithm in GCM mode2. You can verify if an overlay network is encrypted by checking if the IPSEC tunnels were created using tools like netstat4. References:

1: docker network create | Docker Docs

2: Encrypt traffic on an overlay network | Docker Docs

3: Overlay network driver | Docker Docs

4: Docker: How to verify if an overlay network is encrypted - Stack Overflow

= The command ‘docker swarm nodes’ is not a valid command to list all nodes in a swarm cluster from the command line. The correct command is docker node ls, which can be run on a manager node to view the details of all the nodes in the swarm1.The docker swarm command is used to manage the swarm itself, not the nodes. For example, you can use docker swarm init to create a new swarm, or docker swarm join to add a node to an existing swarm2. References:

Manage nodes in a swarm | Docker Docs

docker swarm | Docker Docs

= Mirroring the engineering/api repository to one of the user’s own private repositories will not grant them read/write access to the original repository. Mirroring is a feature that allows users to automatically sync images from one repository to another, either within the same DTR or across different DTRs. Mirroring does not affect the permissions or roles of the users or teams associated with the source or destination repositories. To grant a user read/write access to the engineering/api repository, the user needs to be added to a team that has the appropriate role for that repository, or the repository needs to be configured with the appropriate visibility and access settings. References:

Mirror repositories

Manage access to repositories

Manage teams