Ace Your DCA Docker Certified Associate Exam

When content trust is enabled, Docker blocks any command that operates on unsigned images, such as docker service create. This is because Docker Content Trust (DCT) allows users to verify the integrity and publisher of specific image tags, using digital signatures stored on a Notary server. If an image tag is not signed, or the signature cannot be verified, Docker will refuse to pull, run, or build with that image. Therefore, if myorg/myimage:1.0 is unsigned, Docker will block the command docker service create myorg/myimage:1.0 and display an error message. References:

• Content trust in Docker
• Docker Content Trust: What It Is and How It Secures Container Images
• Automation with content trust

Node taints are a way to mark nodes in a Swarm cluster so that they can repel or attract certain containers based on their tolerations. By applying node taints to the nodes that are designated for development or production, the company can ensure that only the containers that have the matching tolerations can be scheduled on those nodes. This way, the security policy requirements can be met. Node taints are expressed as key=value:effect, where the effect can be NoSchedule, PreferNoSchedule, or NoExecute. For example, to taint a node for development only, one can run:

kubectl taint nodes node1 env=dev:NoSchedule

This means that no container will be able to schedule onto node1 unless it has a toleration for the taint env=dev:NoSchedule. To add a toleration to a container, one can specify it in the PodSpec. For example:

tolerations:

- key: "env"

operator: "Equal"

value: "dev"

effect: "NoSchedule"

This toleration matches the taint on node1 and allows the container to be scheduled on it. References:

• Taints and Tolerations | Kubernetes
• Update the taints on one or more nodes in Kubernetes
• A Complete Guide to Kubernetes Taints & Tolerations

Creating one pod and adding all the resources needed for each application is not a good way to accomplish the goal of grouping Kubernetes-specific resources for each application. This is because pods are the smallest unit of a Kubernetes application, and they are designed to run a single container or a set of tightly coupled containers that share the same network and storage resources1. Pods are ephemeral and can be created and destroyed by the Kubernetes system at any time. Therefore, putting multiple applications in one pod would make them harder to manage, scale, and update independently. A better way to accomplish the goal is to use namespaces, which are logical clusters within a physical cluster that can isolate resources, policies, and configurations for different applications2. Namespaces can also help organize secrets, which are Kubernetes objects that store sensitive information such as passwords, tokens, and keys3. References:

• Pods | Kubernetes
• Namespaces | Kubernetes
• Secrets | Kubernetes

 The command docker service create -name dns-cache -p 53:53 -constraint networking.protocol.udp=true dns-cache will not create a swarm service that only listens on port 53 using the UDP protocol. This command has several syntax errors and invalid options. The correct syntax for creating a swarm service is docker service create [OPTIONS] IMAGE [COMMAND] [ARG...]1. The correct options for specifying the service name, port mapping, and network mode are --name, --publish, and --network respectively1. The option -constraint is not a valid option for the docker service create command. To create a swarm service that only listens on port 53 using the UDP protocol, you need to use the --publish option with the protocol=udp and mode=host parameters, and the --network option with the host value23. For example, the following command creates a global service using host mode and bypassing the routing mesh2:

docker service create --name dns-cache \

--publish published=53,target=53,protocol=udp,mode=host \

--mode global \

--network host \

dns-cache

References:

• 1: docker service create | Docker Docs
• 2: Use swarm mode routing mesh | Docker Docs
• 3: Manage swarm service networks | Docker Docs