1. What is the primary purpose of a container in DevOps?
Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps)
Easy
A.To package software and its dependencies so it runs consistently across environments
B.To manage the physical cooling systems of a data center
C.To emulate hardware devices for older operating systems
D.To permanently store user databases in a single large file
Correct Answer: To package software and its dependencies so it runs consistently across environments
Explanation:
Containers package application code along with its libraries and dependencies, ensuring that the software runs uniformly regardless of the environment it is deployed in.
2. Which early UNIX feature is often considered a precursor to modern containerization?
Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps)
Easy
A.chroot
B.cron
C.systemd
D.bash
Correct Answer: chroot
Explanation:
The chroot (change root) operation, introduced in UNIX, was an early form of isolation that changed the apparent root directory for a running process and its children.
3. What is the main responsibility of a container runtime?
Container runtime
Easy
A.To compile Java code into bytecode
B.To execute and manage containers on a host system
C.To write the application code for the developer
D.To host web pages on the internet
Correct Answer: To execute and manage containers on a host system
Explanation:
A container runtime is the software component responsible for actually running containers, handling their execution and lifecycle on the host operating system.
4. Which Linux kernel feature provides process isolation for containers?
Process isolation & namespaces
Easy
A.Namespaces
B.Virtual RAM
C.Disk partitions
D.Hypervisors
Correct Answer: Namespaces
Explanation:
Linux namespaces partition kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set, providing fundamental isolation for containers.
5. What is the primary function of Control Groups (cgroups) in containerization?
Control Groups (cgroups) for resource limits
Easy
A.To limit and monitor resource usage like CPU and memory
B.To manage user passwords within the Linux OS
C.To assign IP addresses to containers
D.To encrypt the data stored inside a container
Correct Answer: To limit and monitor resource usage like CPU and memory
Explanation:
Control Groups (cgroups) are a Linux kernel feature used to allocate, limit, and monitor system resources (CPU, memory, disk I/O) among a group of processes.
6. What is a container image?
Container images & layers
Easy
A.A virtual machine configuration file
B.A graphical diagram showing how containers connect to each other
C.A backup file of the host operating system
D.A lightweight, standalone, executable package that includes everything needed to run an application
Correct Answer: A lightweight, standalone, executable package that includes everything needed to run an application
Explanation:
A container image is a static, read-only file that contains the application code, runtime, libraries, environment variables, and config files necessary to run the application.
7. How are modern container images typically constructed to optimize storage and transfer?
Container images & layers
Easy
A.Using a single monolithic file
B.Using encrypted hardware tokens
C.Using a layered architecture
D.Using uncompressed text files
Correct Answer: Using a layered architecture
Explanation:
Container images are built in layers. This allows different images to share common underlying layers, significantly optimizing disk space and network transfer times.
8. What is the primary role of an image registry?
Image registries & distribution
Easy
A.To execute code within a container
B.To store, manage, and distribute container images
C.To allocate CPU limits to running containers
D.To compile application source code into an image
Correct Answer: To store, manage, and distribute container images
Explanation:
An image registry is a centralized storage and distribution system for container images, allowing users to push (upload) and pull (download) images.
9. What is Docker?
Introduction to Docker
Easy
A.A physical hardware device used to connect servers
B.An operating system exclusively for Apple computers
C.A popular open-source platform for developing, shipping, and running applications in containers
D.A programming language designed for DevOps
Correct Answer: A popular open-source platform for developing, shipping, and running applications in containers
Explanation:
Docker is a widely-used platform that utilizes OS-level virtualization to deliver software in standardized packages called containers.
10. Which of the following best describes Docker's underlying architecture?
Docker Architecture
Easy
A.Mainframe architecture
B.Peer-to-Peer architecture
C.Monolithic architecture
D.Client-Server architecture
Correct Answer: Client-Server architecture
Explanation:
Docker uses a client-server architecture where the Docker client communicates with the Docker daemon, which does the heavy lifting of building, running, and distributing containers.
11. What is the role of the Docker daemon (dockerd)?
Docker daemon
Easy
A.It runs in the background on the host OS and manages Docker objects like images and containers
B.It is a remote server that stores user code
C.It compiles the Linux kernel from source code
D.It acts as a graphical user interface for developers
Correct Answer: It runs in the background on the host OS and manages Docker objects like images and containers
Explanation:
The Docker daemon listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes.
12. What does the Docker CLI (Command Line Interface) do?
Docker CLI
Easy
A.It accepts terminal commands from the user and sends them to the Docker daemon
B.It provides a web-based dashboard to monitor container health
C.It physically allocates RAM to the host computer
D.It creates automatic backups of all cloud servers
Correct Answer: It accepts terminal commands from the user and sends them to the Docker daemon
Explanation:
The Docker CLI is the primary way Docker users interact with Docker. When a user types a command like docker run, the CLI sends it to the Docker daemon via an API.
13. What is Docker Hub?
Docker registry & Hub
Easy
A.The default public cloud registry for finding and sharing Docker images
B.A network protocol used for container communication
C.A paid software application for designing UI mockups
D.A local daemon service running on the host OS
Correct Answer: The default public cloud registry for finding and sharing Docker images
Explanation:
Docker Hub is a cloud-based registry service hosted by Docker, where users and partners can create, test, store, and distribute container images.
A.Persisting data generated by and used by Docker containers
B.Routing internet traffic to the correct container
C.Increasing the CPU speed of a container
D.Storing the Docker daemon configuration settings
Correct Answer: Persisting data generated by and used by Docker containers
Explanation:
Volumes are the preferred mechanism for persisting data generated by and used by Docker containers, preventing data loss when a container stops or is deleted.
15. Which Docker object is defined as a runnable instance of an image?
Docker networks allow containers to communicate securely with each other, the host, or external networks while remaining isolated from other processes.
17. What happens when a running container needs to modify a file from its underlying image?
Docker layering & filesystem
Easy
A.A new image is immediately generated and published to Docker Hub
B.The original image file is permanently modified on the disk
C.The change is written to a writable container layer on top of the read-only image layers
D.The container crashes because image files are strictly read-only
Correct Answer: The change is written to a writable container layer on top of the read-only image layers
Explanation:
Docker uses a Copy-on-Write strategy. When a container needs to change a file, it copies the file from the read-only image layer up to the writable container layer and modifies it there.
18. Why does Docker use a layered filesystem?
Docker layering & filesystem
Easy
A.To allow Docker containers to run directly on Windows without virtualization
B.To encrypt the data automatically at rest
C.To maximize layer reuse, reduce disk space, and speed up image downloads
D.To make images completely immune to malware
Correct Answer: To maximize layer reuse, reduce disk space, and speed up image downloads
Explanation:
Layered filesystems allow multiple images to share base layers (like a common OS layer). This reduces disk usage and makes pulling updates faster.
19. Which Linux namespace is responsible for isolating the system hostname and domain name for a container?
Process isolation & namespaces
Easy
A.Mount namespace
B.PID namespace
C.Network namespace
D.UTS namespace
Correct Answer: UTS namespace
Explanation:
The UTS (UNIX Time-Sharing) namespace provides isolation of two system identifiers: the hostname and the NIS domain name, allowing each container to have its own hostname.
20. Without cgroups configured, what potential issue might a container cause on a host system?
Control Groups (cgroups) for resource limits
Easy
A.It could consume all available CPU and memory, starving other processes
B.It could delete the host system's bootloader
C.It could randomly change the IP addresses of other computers on the network
D.It could automatically bypass all firewall rules
Correct Answer: It could consume all available CPU and memory, starving other processes
Explanation:
Because cgroups are what restrict resource usage, a container running without them could theoretically use 100% of the host's CPU and RAM, leaving no resources for other applications or containers.
21. Which early Unix technology laid the foundational concept of isolating process environments, paving the way for modern containerization?
Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps)
Medium
A.Systemd
B.Hypervisors
C.cgroups
D.chroot
Correct Answer: chroot
Explanation:
The chroot system call, introduced in 1979, changed the apparent root directory for a process, providing an early form of filesystem isolation that served as a conceptual predecessor to modern container environments.
22. If an administrator wants to ensure that a container cannot see or interact with the network interfaces of the host system, which Linux feature is directly responsible for this isolation?
Process isolation & namespaces
Medium
A.UTS namespace
B.cgroups
C.Mount namespace
D.Network namespace
Correct Answer: Network namespace
Explanation:
Network namespaces isolate system resources associated with networking, such as network interfaces, routing tables, and port numbers, ensuring a container operates in its own isolated network stack.
23. A DevOps engineer needs to restrict a database container so it does not consume more than 2GB of RAM, preventing host system crashes. Which underlying Linux kernel feature enforces this constraint?
Control Groups (cgroups) for resource limits
Medium
A.Copy-on-Write (CoW)
B.Control Groups (cgroups)
C.Namespaces
D.SELinux
Correct Answer: Control Groups (cgroups)
Explanation:
Control Groups (cgroups) limit, account for, and isolate the resource usage (such as CPU, memory, disk I/O) of a collection of processes.
24. In a modern container architecture, what is the primary difference between a high-level container runtime (like containerd) and a low-level container runtime (like runc)?
Container runtime
Medium
A.containerd executes the container processes, while runc manages image transfers.
B.containerd manages the container lifecycle and images, while runc interacts directly with the kernel to spawn the container.
C.runc provides a REST API, while containerd relies strictly on CLI commands.
D.containerd is used exclusively for Docker, while runc is used for Kubernetes.
Correct Answer: containerd manages the container lifecycle and images, while runc interacts directly with the kernel to spawn the container.
Explanation:
High-level runtimes manage images, networking, and the overall container lifecycle, delegating the actual creation and execution of the isolated processes to low-level runtimes like runc.
25. When building a container image, multiple commands are executed in a Dockerfile. How does the image build process handle these commands to optimize storage and pull speed?
Container images & layers
Medium
A.It creates a new read-only layer for each command, caching them for reuse in future builds.
B.It creates a writable layer for each command and merges them upon execution.
C.It compresses all commands into a single tarball layer.
D.It bypasses storage optimization unless explicitly instructed by the user.
Correct Answer: It creates a new read-only layer for each command, caching them for reuse in future builds.
Explanation:
Container images are built in layers. Each instruction in a Dockerfile typically creates a new read-only layer. These layers are cached, speeding up future builds and minimizing storage via reuse.
26. A developer is attempting to deploy an application on a cluster of ARM-based servers. They pull a standard image from the registry, but the containers fail to start. What is the most likely cause related to image distribution?
Image registries & distribution
Medium
A.The pulled image layer exceeded the default size limit.
B.The registry network timed out during the pull.
C.The registry requires a specialized pull command for ARM images.
D.The pulled image was built for an x86_64 architecture, not ARM.
Correct Answer: The pulled image was built for an x86_64 architecture, not ARM.
Explanation:
Container images are architecture-specific. If an image built for x86_64 is pulled on an ARM host, the binaries will not execute unless an emulator or a multi-architecture manifest is used.
27. In the standard Docker architecture, how do the Docker client and the Docker daemon communicate when they are running on the same host?
Docker Architecture
Medium
A.Using a local UNIX socket (/var/run/docker.sock).
B.By directly modifying the Docker filesystem layers.
C.Via shared memory segments.
D.Through an encrypted SSH tunnel.
Correct Answer: Using a local UNIX socket (/var/run/docker.sock).
Explanation:
By default, on a Linux host, the Docker client communicates with the Docker daemon using a local UNIX socket. It can also be configured to use a TCP socket for remote communication.
28. If the Docker daemon (dockerd) crashes or needs to be restarted for an upgrade, what happens to the currently running containers if the 'Live Restore' feature is enabled?
Docker daemon
Medium
A.They remain running and the daemon reconnects to them upon restart.
B.They are paused and their state is written to disk until the daemon recovers.
C.They are immediately terminated and restarted upon daemon recovery.
D.They are killed and must be manually restarted.
Correct Answer: They remain running and the daemon reconnects to them upon restart.
Explanation:
Live Restore is a feature that allows container processes to stay running independent of the Docker daemon, meaning a daemon restart does not kill the running containers.
29. Which of the following Docker CLI commands correctly starts a container in the background, maps host port 8080 to container port 80, and names the container web_app?
Correct Answer: docker run -d -p 8080:80 --name web_app nginx
Explanation:
The -d flag runs the container in detached (background) mode, -p 8080:80 maps the host's 8080 to the container's 80, and --name assigns the specific name to the container.
30. When a developer issues the command docker pull ubuntu, how does Docker determine which registry to contact to download the image?
Docker registry & Hub
Medium
A.It broadcasts a request to the local network to find an available registry.
B.It requires a manual configuration file update before the command will work.
C.It queries the local DNS server for an ubuntu service record.
D.It defaults to contacting Docker Hub unless a different registry URL is specified in the image name.
Correct Answer: It defaults to contacting Docker Hub unless a different registry URL is specified in the image name.
Explanation:
If no registry URL is prefixed to the image name (e.g., registry.example.com/ubuntu), the Docker daemon defaults to pulling from Docker Hub (docker.io).
31. You are deploying a PostgreSQL database using Docker. To ensure that the database records persist even if the container is removed, which Docker object type MUST you utilize?
Object types: container, image, network, volume
Medium
A.A read-only image layer
B.A bridge network
C.A Docker volume
D.A container snapshot
Correct Answer: A Docker volume
Explanation:
Volumes are the preferred mechanism for persisting data generated by and used by Docker containers, as they exist entirely outside the lifecycle of a given container.
32. Two containers, frontend and backend, need to communicate with each other using container names rather than IP addresses. What is the best way to achieve this using Docker objects?
Object types: container, image, network, volume
Medium
A.Connect both containers to a user-defined bridge network.
B.Link them together using a shared volume.
C.Expose all ports on the backend container to the host.
D.Modify the default docker0 network to allow DNS resolution.
Correct Answer: Connect both containers to a user-defined bridge network.
Explanation:
User-defined bridge networks provide automatic DNS resolution between containers, allowing them to communicate using container names. The default bridge network does not support this feature.
33. If a file is created in Layer 1 of a Docker image, and then explicitly deleted in Layer 2, what actually happens to the file within the final image structure?
Docker layering & filesystem
Medium
A.Layer 1 is recompiled to omit the file, reducing the overall image size.
B.A 'whiteout' file is created in Layer 2 to hide the file, but the file still exists in Layer 1, consuming disk space.
C.The deletion is ignored because read-only layers cannot be modified.
D.The file is completely removed from the disk, saving space in the final image.
Correct Answer: A 'whiteout' file is created in Layer 2 to hide the file, but the file still exists in Layer 1, consuming disk space.
Explanation:
Because image layers are read-only, deleting a file in an upper layer creates a 'whiteout' file (a marker that hides the file). The original file remains in the lower layer and continues to consume disk space.
34. Why do containers inherently accelerate Continuous Integration/Continuous Deployment (CI/CD) pipelines compared to traditional hardware virtualization (VMs)?
Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps)
Medium
A.Containers automatically rewrite application code to be cloud-native.
B.Containers start in milliseconds by sharing the host kernel, significantly reducing deployment time.
C.Containers eliminate the need for application testing.
D.Containers include a full guest OS, ensuring higher compatibility.
Correct Answer: Containers start in milliseconds by sharing the host kernel, significantly reducing deployment time.
Explanation:
Unlike VMs, which must boot a full guest operating system, containers share the host OS kernel and only start the application processes. This lightweight nature drastically reduces startup times, speeding up CI/CD workflows.
35. When you list the running processes from inside a newly started, isolated Docker container, the application process usually shows a Process ID (PID) of 1. However, on the host machine, the same process has a PID of 14502. How is this possible?
Process isolation & namespaces
Medium
A.Docker daemon uses a proxy to spoof the PID output inside the container.
B.The application runs twice: once on the host and once in the container.
C.The PID namespace maps the host PID 14502 to a virtual PID 1 inside the container.
D.The host machine recalculates the PID dynamically using cgroups.
Correct Answer: The PID namespace maps the host PID 14502 to a virtual PID 1 inside the container.
Explanation:
The PID namespace provides process isolation. It allows processes inside the container to have their own independent set of PIDs (starting at 1), which are mapped to standard PIDs on the host system.
36. A host system is running under heavy CPU load. Container A is assigned a CPU share of 1024, and Container B is assigned a CPU share of 512. How will the host allocate CPU cycles between these two containers?
Control Groups (cgroups) for resource limits
Medium
A.Container A will be allowed to use all CPU cores, while Container B is restricted to half a core.
B.Both containers will receive equal CPU time until the host load drops.
C.Container A will receive 1024 CPU cycles per second, and Container B will receive 512.
D.Container A will receive exactly twice as much CPU time as Container B.
Correct Answer: Container A will receive exactly twice as much CPU time as Container B.
Explanation:
CPU shares are relative weights. If CPU resources are constrained, a container with 1024 shares will be allocated twice the CPU time of a container with 512 shares.
37. Which component in the Docker engine is primarily responsible for listening to Docker API requests and managing Docker objects?
Docker daemon
Medium
A.dockerd
B.containerd
C.docker-cli
D.runc
Correct Answer: dockerd
Explanation:
The Docker daemon (dockerd) runs on the host machine, listens for Docker API requests, and manages Docker objects such as images, containers, networks, and volumes.
38. Why is it considered a DevOps best practice to use minimal base images (like Alpine Linux) when creating container images?
Container images & layers
Medium
A.Minimal images automatically update their own security patches.
B.They natively compile code faster than Ubuntu or CentOS images.
C.They reduce the attack surface and speed up image pulling and deployment.
D.Minimal images bypass the need for Docker volumes.
Correct Answer: They reduce the attack surface and speed up image pulling and deployment.
Explanation:
Minimal base images contain fewer packages and libraries. This smaller footprint translates to faster network pulls, less disk usage, and a reduced attack surface since there are fewer vulnerabilities to exploit.
39. When dealing with Docker storage, what is the primary distinction between a 'Volume' and a 'Bind Mount'?
Object types: container, image, network, volume
Medium
A.Volumes are managed entirely by Docker, whereas bind mounts rely on specific directory paths on the host machine.
B.Bind mounts are stored in memory, while volumes are written to the physical disk.
C.Volumes are read-only, while bind mounts allow write access.
D.Volumes can only be used by one container at a time, whereas bind mounts can be shared.
Correct Answer: Volumes are managed entirely by Docker, whereas bind mounts rely on specific directory paths on the host machine.
Explanation:
Volumes are stored in a part of the host filesystem managed by Docker (e.g., /var/lib/docker/volumes/), isolating them from host OS specifics. Bind mounts reference an absolute, explicit path on the host's filesystem.
40. When a container starts, Docker creates a thin writable layer on top of the underlying read-only image layers. What happens to the data stored in this writable layer when the container is deleted?
Docker layering & filesystem
Medium
A.The data is converted into a dangling image layer.
B.The data is permanently lost unless it is stored in a volume or bind mount.
C.The data becomes permanently integrated into the base image.
D.The data is automatically backed up to a local registry.
Correct Answer: The data is permanently lost unless it is stored in a volume or bind mount.
Explanation:
The top writable layer of a container is ephemeral. It exists only for the lifetime of the container. Once the container is deleted, the writable layer and all changes within it are permanently destroyed.
41. While the chroot system call laid the early groundwork for filesystem isolation, which critical limitation of chroot necessitated the development of modern containerization primitives like FreeBSD Jails and eventually Linux Namespaces?
Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps)
Hard
A.chroot does not prevent a root user within the jail from breaking out using secondary chroot calls and relative paths.
B.chroot lacks the ability to execute binaries compiled for architectures different from the host system.
C.chroot prevents the execution of multi-threaded applications due to its global lock on process execution.
D.chroot is restricted to operating on block storage devices and cannot utilize network-attached storage.
Correct Answer: chroot does not prevent a root user within the jail from breaking out using secondary chroot calls and relative paths.
Explanation:
A process with root privileges inside a basic chroot environment can easily break out by creating a new chroot inside the current one and using relative paths (../) to escape to the real root directory. Modern primitives address this by virtualizing the root filesystem entirely and using robust user namespace mapping.
42. In the context of the Open Container Initiative (OCI) runtime specifications, what is the primary architectural difference between a low-level runtime like runc and a high-level runtime like containerd?
Container runtime
Hard
A.runc provides API endpoints for image pulls and network management, whereas containerd interacts directly with Linux namespaces and cgroups.
B.containerd manages the container lifecycle, image distribution, and storage, whereas runc is strictly responsible for spawning and running the container processes via kernel primitives.
C.containerd replaces the Docker daemon entirely, while runc is merely a shell wrapper for executing chroot commands.
D.runc is designed to run exclusively inside a hypervisor for secure multi-tenancy, while containerd runs on bare-metal OS kernels.
Correct Answer: containerd manages the container lifecycle, image distribution, and storage, whereas runc is strictly responsible for spawning and running the container processes via kernel primitives.
Explanation:
High-level runtimes like containerd handle images, storage, and networking APIs. They hand off the actual execution of the container to low-level runtimes like runc, which interact with the kernel (namespaces, cgroups, pivot_root) to create the isolated process.
43. How does the Linux User namespace achieve privilege separation when a container requires a process to run as root internally but remain unprivileged externally?
Process isolation & namespaces
Hard
A.It intercepts system calls made by the container's root user and rewrites them to execute as a standard user via a hypervisor.
B.It drops all Linux capabilities (like CAP_SYS_ADMIN) from the container process, regardless of the mapped UID.
C.It maps a range of UIDs on the host to a different range inside the namespace, allowing UID 0 inside the container to correspond to a non-zero, unprivileged UID on the host.
D.It utilizes an overlay filesystem to mock file ownership, deceiving the process into believing it has root ownership of mounted volumes.
Correct Answer: It maps a range of UIDs on the host to a different range inside the namespace, allowing UID 0 inside the container to correspond to a non-zero, unprivileged UID on the host.
Explanation:
User namespaces map UIDs and GIDs between the host and the container. This allows a process to possess UID 0 (root) inside the container's namespace for internal tasks, while actually running as an unprivileged user (e.g., UID 100000) on the host system.
44. When setting CPU limits in Docker using --cpu-shares versus --cpus, which of the following accurately describes how the Linux Completely Fair Scheduler (CFS) applies these constraints?
Control Groups (cgroups) for resource limits
Hard
A.--cpu-shares provides a relative weight for CPU allocation only during periods of CPU contention, whereas --cpus enforces a strict CFS quota limiting the absolute CPU time a container can use.
B.Both --cpu-shares and --cpus enforce hard limits, but --cpu-shares operates at the thread level, while --cpus operates at the process level.
C.--cpu-shares defines a hard quota that throttles the container when reached, while --cpus adjusts the container's priority only when the host CPU is contended.
D.--cpus maps container processes to specific CPU cores using cpuset, whereas --cpu-shares distributes processes randomly across all available cores.
Correct Answer: --cpu-shares provides a relative weight for CPU allocation only during periods of CPU contention, whereas --cpus enforces a strict CFS quota limiting the absolute CPU time a container can use.
Explanation:
CPU shares establish a relative weighting system that only restricts container execution if the host is under heavy load. Conversely, --cpus configures CFS periods and quotas, imposing a hard limit on CPU consumption regardless of host load.
45. A developer creates a Dockerfile that downloads a 500MB archive in one RUN instruction, extracts it, and deletes the original archive in a subsequent RUN instruction. How does this affect the final image size due to Union Filesystem mechanics?
Container images & layers
Hard
A.The image build will fail because union filesystems do not allow deletion of files created in previous intermediate layers.
B.The final image size will be reduced by 500MB because the union filesystem consolidates all sequential RUN instructions during the build.
C.The final image size will include the 500MB archive because the deletion creates a 'whiteout' file in a new layer, but the archive remains persisted in the lower read-only layer.
D.The final image will only include the extracted files, as the Docker builder automatically garbage-collects deleted files across all layers before finalizing the image.
Correct Answer: The final image size will include the 500MB archive because the deletion creates a 'whiteout' file in a new layer, but the archive remains persisted in the lower read-only layer.
Explanation:
Each RUN instruction commits a new image layer. If a file is added in layer 1 and deleted in layer 2, layer 2 only contains a "whiteout" marker instructing the filesystem to hide the file. The actual 500MB file still exists in layer 1, bloating the final image size.
46. How does an OCI-compliant image registry successfully distribute a single tagged image (e.g., app:latest) across diverse architectures like amd64 and arm64?
Image registries & distribution
Hard
A.The registry utilizes a 'Manifest List' (or fat manifest) that acts as an index, resolving the tag to a specific architecture's image digest based on the client's architecture request.
B.The registry dynamically transpiles the amd64 binary within the image to arm64 instructions during the image pull process.
C.Docker includes a universal hypervisor that allows amd64 images to run natively on arm64 hosts, so only one image architecture is actually stored.
D.The image layers contain universal binaries combining executable code for all architectures, and the container runtime selects the correct binary path at execution.
Correct Answer: The registry utilizes a 'Manifest List' (or fat manifest) that acts as an index, resolving the tag to a specific architecture's image digest based on the client's architecture request.
Explanation:
A Manifest List (or OCI Image Index) contains pointers to multiple architecture-specific image manifests. When a client pulls an image, it requests this list, identifies the digest matching its local OS/architecture, and pulls the corresponding specific image.
47. Which of the following scenarios highlights the fundamental limitation of Docker's kernel-sharing architecture when compared to hardware virtualization (VMs)?
Introduction to Docker
Hard
A.Running a containerized Windows IIS server natively on a host running the Linux kernel.
B.Isolating network interfaces so that a container cannot intercept host traffic.
C.Running a Debian-based container on an Ubuntu host.
D.Limiting the maximum RAM a database container can consume on the host.
Correct Answer: Running a containerized Windows IIS server natively on a host running the Linux kernel.
Explanation:
Docker containers share the host's operating system kernel. A Linux kernel cannot execute native Windows binaries or provide Windows system calls, making it impossible to run a Windows container natively on a Linux kernel without employing hardware virtualization.
48. In Docker's architecture, what is the primary role of the containerd-shim process?
Docker Architecture
Hard
A.It acts as a reverse proxy, routing HTTP API requests from the Docker CLI to the dockerd daemon.
B.It translates OCI runtime specifications into hypervisor instructions for running lightweight virtual machines like Firecracker.
C.It dynamically links host kernel modules to the container's isolated root filesystem during startup.
D.It decouples the container execution from the containerd daemon, allowing the daemon to be restarted or upgraded without killing running containers.
Correct Answer: It decouples the container execution from the containerd daemon, allowing the daemon to be restarted or upgraded without killing running containers.
Explanation:
The containerd-shim sits between containerd and the low-level runtime (runc). It keeps the container's standard streams open and reports exit status to containerd, allowing containerd and dockerd to restart without disrupting the running container processes (enabling 'live-restore').
49. Exposing the Docker daemon (dockerd) over an unencrypted TCP socket (tcp://0.0.0.0:2375) on a public network is considered a critical security vulnerability. What specific capability makes this as dangerous as granting passwordless root SSH access?
Docker daemon
Hard
A.Any user can initiate a denial-of-service attack by continuously pulling large base images until the host disk is full.
B.An attacker can use the API to start a privileged container mounting the host's root filesystem / and modify host files like /etc/shadow.
C.The Docker daemon intercepts all host network traffic natively, acting as a packet sniffer without needing special permissions.
D.The daemon automatically replicates host SSH keys into all newly created containers, exposing them over the network.
Correct Answer: An attacker can use the API to start a privileged container mounting the host's root filesystem / and modify host files like /etc/shadow.
Explanation:
Access to the Docker API is equivalent to root access on the host. An attacker can instruct the daemon to create a container, mount the host's entire root filesystem into that container, and trivially alter critical files or inject SSH keys.
50. When executing a docker run command, the Docker CLI determines which Docker daemon to communicate with based on a specific order of precedence. Which of the following represents the correct priority sequence from highest to lowest?
Docker CLI
Hard
A.Command-line flag (-H), Environment variable (DOCKER_HOST), Active Docker Context, Default socket path
B.Environment variable (DOCKER_HOST), Active Docker Context, Command-line flag (-H), Default socket path
C.Command-line flag (-H), Active Docker Context, Default socket path, Environment variable (DOCKER_HOST)
Correct Answer: Command-line flag (-H), Environment variable (DOCKER_HOST), Active Docker Context, Default socket path
Explanation:
The Docker CLI resolves the target host by first checking explicit command-line flags (-H or --host). If absent, it checks the DOCKER_HOST environment variable. If that is also absent, it uses the currently active Docker Context, and finally falls back to the default local socket.
51. When utilizing Docker Content Trust (DCT) to enforce image signing, which key hierarchy protects against a scenario where an attacker compromises the online registry server and attempts to serve malicious image tags?
Docker registry & Hub
Hard
A.An offline Root key generates an intermediate Targets key; the online registry only holds the Targets key, meaning it cannot sign a forged Tag without the offline Root key.
B.The symmetric TLS session key used during the image pull verifies the image payload's integrity.
C.The registry generates a unique RSA private key for each image layer, which is embedded into the container runtime during installation.
D.An offline Root key guarantees the repository's identity, while short-lived online Timestamp and Snapshot keys prevent replay attacks and ensure the client receives the exact signed image tag.
Correct Answer: An offline Root key guarantees the repository's identity, while short-lived online Timestamp and Snapshot keys prevent replay attacks and ensure the client receives the exact signed image tag.
Explanation:
Docker Content Trust (based on The Update Framework - TUF) uses a hierarchy of keys. The Root key is kept offline for high security. Online keys (Timestamp, Snapshot) manage freshness and consistency, ensuring compromised online registries cannot serve forged or outdated signatures without the offline keys.
52. A production database container utilizes a Docker named volume for its data directory instead of writing to the container's default union filesystem layer. Which of the following is the primary architectural advantage of this approach?
Object types: container, image, network, volume
Hard
A.Named volumes automatically encrypt data at rest, whereas the union filesystem stores data in plaintext.
B.Named volumes enforce a strictly read-only filesystem, preventing the database container from accidentally corrupting transaction logs.
D.Named volumes are directly managed by the host kernel, bypassing the performance overhead and Copy-on-Write (CoW) penalties of the container's storage driver.
Correct Answer: Named volumes are directly managed by the host kernel, bypassing the performance overhead and Copy-on-Write (CoW) penalties of the container's storage driver.
Explanation:
Volumes bypass the storage driver's union filesystem entirely. This avoids the heavy performance overhead associated with the Copy-on-Write mechanics, providing native disk I/O speeds necessary for I/O-intensive applications like databases.
53. In the context of the OverlayFS storage driver, what occurs when a container creates a new file in a directory that exists only in the read-only lowerdir?
Docker layering & filesystem
Hard
A.The directory is duplicated in the upperdir, and a special pointer file is placed in the lowerdir to maintain consistency.
B.The file creation fails with a 'Read-only file system' error because the parent directory cannot be modified.
C.The entire directory structure and its contents are copied up to the upperdir before the new file is written.
D.Only the new file is written directly to the upperdir, leaving the directory structure implicitly defined by the lowerdir.
Correct Answer: Only the new file is written directly to the upperdir, leaving the directory structure implicitly defined by the lowerdir.
Explanation:
OverlayFS is efficient. If a container writes a new file to an existing directory, it simply creates the necessary parent directory structure in the upperdir (without copying existing files from the lowerdir) and writes the new file there. Only modified existing files trigger a full copy-up.
54. To connect a container's isolated network namespace to the host's network, Docker typically utilizes a Virtual Ethernet (veth) pair. Which of the following accurately describes the termination points of this veth pair?
Process isolation & namespaces
Hard
A.One end resides in the container's network namespace as eth0, and the other end attaches to a virtual switch/bridge (like docker0) in the host's default network namespace.
B.Both ends reside in the host's default network namespace, but one end is routed through an iptables NAT rule pointing to the container's process ID.
C.One end resides in the container's network namespace, and the other end terminates at the Docker daemon process to proxy TCP requests.
D.One end connects directly to the host's physical NIC (eth0), and the other end connects to the container's internal loopback interface (lo).
Correct Answer: One end resides in the container's network namespace as eth0, and the other end attaches to a virtual switch/bridge (like docker0) in the host's default network namespace.
Explanation:
A veth pair acts like a virtual patch cable. One end is placed inside the container's network namespace (becoming its eth0 interface), and the other end remains in the host's root network namespace, plugged into a bridge (e.g., docker0) to facilitate routing.
55. During the startup of a container, the low-level runtime relies on pivot_root rather than just chroot. What security enhancement does pivot_root provide over standard chroot?
Container runtime
Hard
A.pivot_root creates a copy-on-write clone of the host's root filesystem in memory, ensuring the container cannot write to disk.
B.pivot_root automatically encrypts the new root filesystem, preventing offline tampering.
C.pivot_root alters the root mount for the namespace and detaches the old root filesystem, preventing the process from accessing or unmounting the host filesystem.
D.pivot_root forces all subsequent system calls from the container to be authenticated via AppArmor or SELinux.
Correct Answer: pivot_root alters the root mount for the namespace and detaches the old root filesystem, preventing the process from accessing or unmounting the host filesystem.
Explanation:
While chroot changes the apparent root directory for a process, the old root filesystem is still technically accessible in the mount namespace. pivot_root securely swaps the entire root mount and unmounts the old host root, making escape significantly harder.
56. When using the macvlan network driver to assign a unique MAC address directly to a container, a specific routing isolation issue arises by default. Which of the following describes this issue?
Object types: container, image, network, volume
Hard
A.The host machine cannot directly communicate with containers attached to the macvlan network via their IP addresses due to kernel security restrictions filtering loopback traffic to macvlan interfaces.
B.Containers on the macvlan network can communicate with the external internet but cannot ping other containers on the same macvlan network.
C.Containers on a macvlan network are stripped of their internal localhost (lo) interface, breaking internal inter-process communication.
D.The macvlan driver overrides the host's physical MAC address, causing immediate network collision and taking the host offline.
Correct Answer: The host machine cannot directly communicate with containers attached to the macvlan network via their IP addresses due to kernel security restrictions filtering loopback traffic to macvlan interfaces.
Explanation:
By design, Linux isolates macvlan interfaces from the parent interface to prevent loops. Consequently, the host system cannot communicate directly with its own macvlan containers unless a separate macvlan sub-interface is created on the host and specific routing rules are applied.
57. If the dockerd process encounters a fatal crash and terminates unexpectedly, what happens to the running containers under Docker's default modern configuration (assuming live-restore is enabled)?
Docker Architecture
Hard
A.The containers continue running undisturbed because they are child processes of containerd-shim, not dockerd, and will reconnect to dockerd once it restarts.
B.The containers are gracefully terminated with a SIGTERM, followed by SIGKILL after a 10-second timeout.
C.All running containers are immediately sent a SIGKILL signal by the kernel because their parent process died.
D.The containers pause execution and are suspended in RAM until dockerd restarts and sends a SIGCONT signal.
Correct Answer: The containers continue running undisturbed because they are child processes of containerd-shim, not dockerd, and will reconnect to dockerd once it restarts.
Explanation:
With live-restore enabled, containers are kept alive during daemon downtime. The architecture uses containerd and containerd-shim to manage the running processes independently of dockerd, allowing the Docker daemon to be upgraded or restarted without downtime.
58. A host system with hundreds of running containers abruptly throws 'No space left on device' errors. However, df -h shows that only 30% of the disk capacity is utilized. Which of the following OverlayFS or container behaviors most likely caused this?
Docker layering & filesystem
Hard
A.The host's RAM swap space was completely filled by container memory leaks, which the kernel reports as device space exhaustion.
B.The Docker daemon exhausted its allowed pool of virtual network IP addresses.
C.The kernel reached the maximum allowed limit for nested overlay filesystems.
D.The containers generated millions of tiny temporary files, exhausting the filesystem's inode capacity despite available block storage.
Correct Answer: The containers generated millions of tiny temporary files, exhausting the filesystem's inode capacity despite available block storage.
Explanation:
Every file on a Linux filesystem requires an inode. If containers rapidly create massive numbers of small files, the host's underlying filesystem will run out of inodes long before it runs out of raw storage space, resulting in 'No space left on device'.
59. Which specific Linux kernel feature, merged around 2008, was the critical missing piece that allowed LXC (Linux Containers) to accurately meter and limit hardware resources, differentiating it from earlier UNIX-based jail systems?
Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps)
Hard
A.Control Groups (cgroups)
B.Seccomp (Secure Computing Mode)
C.OverlayFS
D.Advanced Linux Sound Architecture (ALSA)
Correct Answer: Control Groups (cgroups)
Explanation:
Developed by Google and merged into the Linux kernel in 2008, cgroups allow for the allocation, limitation, and isolation of resource usage (CPU, memory, disk I/O) among process groups. This was the defining addition that made modern, reliable containerization possible.
60. In a system running cgroups v2, which of the following best describes the unified hierarchy model compared to cgroups v1?
Control Groups (cgroups) for resource limits
Hard
A.cgroups v2 eliminates the need for the kernel to manage resources, offloading the calculations entirely to user-space daemons like systemd.
B.cgroups v2 utilizes a single unified tree hierarchy for all controllers, ensuring a process cannot belong to different cgroups for different resources (e.g., CPU and memory).
C.cgroups v2 forces every controller (memory, CPU, I/O) to be mounted on separate parallel hierarchies, increasing granularity but complicating administration.
D.cgroups v2 introduces a mandatory network controller hierarchy that tracks layer-7 HTTP traffic natively.
Correct Answer: cgroups v2 utilizes a single unified tree hierarchy for all controllers, ensuring a process cannot belong to different cgroups for different resources (e.g., CPU and memory).
Explanation:
In cgroups v1, controllers (CPU, memory, blkio) could have entirely different, overlapping tree structures. Cgroups v2 introduced a unified hierarchy where a process belongs to exactly one node in a single tree, and resource controllers are enabled/disabled along this unified path.