Mirantis Mirantis Certifications DCA Questions & Answers

• Question 181:

  Will this command list all nodes in a swarm cluster from the command line?

  Solution: docker inspect nodes

  A. Yes

  B. No

  Correct Answer: B

  This command does not list all nodes in a swarm cluster from the command line. The docker inspect command shows low-level information about one or more objects, such as containers, images, networks, etc. It does not show information about nodes or services. To list all nodes in a swarm cluster from the command line, you need to use docker node ls command. This command shows information about all the nodes that are part of the swarm, such as their ID, hostname, status, availability, etc.

• Question 182:

  Will this action upgrade Docker Engine CE to Docker Engine EE? Solution: Run docker engine activate.

  A. Yes

  B. No

  Correct Answer: A

  Running docker engine activate does upgrade Docker Engine CE to Docker Engine EE. The docker engine activate command is a convenience script that automates the process of uninstalling Docker Engine CE and installing Docker Engine EE on supported platforms. It requires an activation token or license file that can be obtained from Docker Hub or Docker Store.

• Question 183:

  Is this a way to configure the Docker engine to use a registry without a trusted TLS certificate?

  Solution: Set and export the IGNORE_TLS environment variable on the command line.

  A. Yes

  B. No

  Correct Answer: B

  Setting and exporting the IGNORE_TLS environment variable on the command line is not a way to configure the Docker engine to use a registry without a trusted TLS certificate. The IGNORE_TLS environment variable is not recognized by Docker and has no effect on its behavior. To configure the Docker engine to use a registry without a trusted TLS certificate, you need to either set INSECURE_REGISTRY in the /etc/docker/default configuration file or add --insecure-registry flag to the dockerd command.

• Question 184:

  Is this a way to configure the Docker engine to use a registry without a trusted TLS certificate?

  Solution: Set INSECURE_REGISTRY in the' /etc/docker/default' configuration file.

  A. Yes

  B. No

  Correct Answer: A

  Setting INSECURE_REGISTRY in the /etc/docker/default configuration file is a way to configure the Docker engine to use a registry without a trusted TLS certificate. The INSECURE_REGISTRY option allows you to specify one or more registries that do not have valid TLS certificates or use HTTP instead of HTTPS. This option bypasses the TLS verification for these registries and allows Docker to pull and push images from them without errors. However, this option is not recommended for production use as it exposes your registry communication to potential security risks.

• Question 185:

  A company's security policy specifies that development and production containers must run on separate nodes in a given Swarm cluster. Can this be used to schedule containers to meet the security policy requirements?

  Solution: environment variables

  A. Yes

  B. No

  Correct Answer: B

  Environment variables cannot be used to schedule containers to meet the security policy requirements. Environment variables are key-value pairs that can be passed to containers when they are created or run. Environment variables can be used to configure the behavior of the containerized application or provide runtime information, such as database credentials, API keys, etc. Environment variables do not affect how containers are scheduled on nodes in a swarm mode cluster.

• Question 186:

  A user's attempts to set the system time from inside a Docker container are unsuccessful. Could this be blocking this operation?

  Solution: SELinux A. Yes

  B. No

  Correct Answer: B

  SELinux is not blocking this operation. SELinux is a security module that enforces mandatory access control policies on Linux systems. SELinux can restrict the actions of processes and users based on their security contexts and labels. However, SELinux does not prevent a user from setting the system time from inside a Docker container. The reason why a user's attempts to set the system time from inside a Docker container are unsuccessful is because Docker containers share the same kernel and clock as the host by default. Therefore, changing the system time inside a container requires privileged access to the host kernel, which is not allowed by default for security reasons. To allow a user to set the system time from inside a Docker container, you need to run the container with the --privileged flag or the --cap-add SYS_TIME flag.

• Question 187:

  Will a DTR security scan detect this?

  Solution: private keys copied to the image

  A. Yes

  B. No

  Correct Answer: B

  A DTR security scan does not detect private keys copied to the image. A DTR security scan is a feature that scans images for known vulnerabilities in the software packages or dependencies that are installed in the image. A DTR security scan does not check for private keys or other sensitive data that may be accidentally or intentionally copied to the image. To avoid copying private keys to the image, you should use Docker secrets or other secure mechanisms to manage your credentials.

• Question 188:

  Your organization has a centralized logging solution, such as Splunk.

  Will this configure a Docker container to export container logs to the logging solution?

  Solution: docker logs

  A. Yes

  B. No

  Correct Answer: B

  This does not configure a Docker container to export container logs to the logging Solution: The docker logs command shows information about the logs of a container. It does not export or send the logs to any external destination. To configure a Docker container to export container logs to the logging solution, you need to use the --log- driver and --log-opt flags when creating or running the container. These flags allow you to specify which logging driver and options to use for the container. For example, to use Splunk as the logging driver, you can use --log-driver splunk and provide the Splunk URL, token, and other options using --log-opt.

• Question 189:

  Two development teams in your organization use Kubernetes and want to deploy their applications while ensuring that Kubernetes-specific resources, such as secrets, are grouped together for each application.

  Is this a way to accomplish this?

  Solution: Create a collection for for each application.

  A. Yes

  B. No

  Correct Answer: B

  Creating a collection for each application is not a way to deploy applications using Kubernetes and group Kubernetes-specific resources for each application. A collection is a concept in Universal Control Plane (UCP) that defines a set of resources that users or teams can access. A collection can contain swarm services, Kubernetes namespaces, or volumes. A collection does not deploy applications or group resources; it only controls access to them. To deploy applications using Kubernetes and group Kubernetes-specific resources for each application, you can use namespaces or labels. A namespace is a way of isolating and organizing objects in a cluster. A label is a key-value pair that can be attached to any object for grouping or selecting purposes.

• Question 190:

  Will this action upgrade Docker Engine CE to Docker Engine EE?

  Solution: Disable the Docker service via `chkconfig' or 'systemctl'.

  A. Yes

  B. No

  Correct Answer: B

  Disabling the Docker service via chkconfig or systemctl does not upgrade Docker Engine CE to Docker Engine EE. Disabling the Docker service only stops and prevents Docker from starting automatically on system boot. It does not change or upgrade the version of Docker Engine installed on the system. To upgrade Docker Engine CE to Docker Engine EE, you need to uninstall Docker Engine CE and install Docker Engine EE following the official instructions for your operating system.