Docker Certified Associate DCA Syllabus Exam Questions Answers

= Keeping a backup copy of the image on another repository is not how a user can prevent an image, such as ‘nginx:latest’, from being overwritten by another user with push access to the repository. This approach does not prevent the original image from being overwritten, it only provides a way to restore it from another source. However, this may not be reliable or efficient, as the backup repository may not be in sync with the original one, or may not be accessible at all times. To prevent an image from being overwritten by another user, the user can use the DTR web UI to make the tag immutable1. This feature allows the user to lock a specific tag, so that no one can push a new image with the same tag to the repository. This ensures that the image is always consistent and secure1. References:

• Make a tag immutable | Docker Docs

The user namespace is a Linux kernel namespace that is disabled by default and must be enabled at Docker engine runtime to be used. The user namespace allows the host system to map its own uid and gid to some different uid and gid for containers’ processes. This improves the security of Docker by isolating the user and group ID number spaces, so that a process’s user and group ID can be different inside and outside of a user namespace1. To enable the user namespace, the daemon must start with --userns-remap flag with a parameter that specifies base uid/gid2. All containers are run with the same mapping range according to /etc/subuid and /etc/subgid3. References:

• Isolate containers with a user namespace
• Using User Namespaces on Docker
• Docker 1.10 Security Features, Part 3: User Namespace

= Setting INSECURE_REGISTRY in the /etc/docker/default configuration file is one way to configure the Docker engine to use a registry without a trusted TLS certificate. This option tells the Docker daemon to accept insecure connections to the specified registry, bypassing the certificate verification1. However, this method is not recommended, as it exposes the registry and the Docker engine to potential security risks2. A better way to use a registry without a trusted TLS certificate is to add the registry’s CA certificate to the Docker daemon’s trust store, as described in the Docker documentation3 or other online guides4. References:

• 1: How to build docker registry without SSL
• 2: Verify repository client with certificates | Docker Docs
• 3: “docker pull” certificate signed by unknown authority
• 4: Login to docker registry with client certificate under windows