Unit 1 - Practice Quiz

INT332 60 Questions
0 Correct 0 Wrong 60 Left
0/60

1 What is the primary purpose of a container in DevOps?

Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps) Easy
A. To package software and its dependencies so it runs consistently across environments
B. To permanently store user databases in a single large file
C. To manage the physical cooling systems of a data center
D. To emulate hardware devices for older operating systems

2 Which early UNIX feature is often considered a precursor to modern containerization?

Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps) Easy
A. systemd
B. cron
C. bash
D. chroot

3 What is the main responsibility of a container runtime?

Container runtime Easy
A. To compile Java code into bytecode
B. To write the application code for the developer
C. To execute and manage containers on a host system
D. To host web pages on the internet

4 Which Linux kernel feature provides process isolation for containers?

Process isolation & namespaces Easy
A. Virtual RAM
B. Hypervisors
C. Namespaces
D. Disk partitions

5 What is the primary function of Control Groups (cgroups) in containerization?

Control Groups (cgroups) for resource limits Easy
A. To assign IP addresses to containers
B. To limit and monitor resource usage like CPU and memory
C. To encrypt the data stored inside a container
D. To manage user passwords within the Linux OS

6 What is a container image?

Container images & layers Easy
A. A virtual machine configuration file
B. A lightweight, standalone, executable package that includes everything needed to run an application
C. A backup file of the host operating system
D. A graphical diagram showing how containers connect to each other

7 How are modern container images typically constructed to optimize storage and transfer?

Container images & layers Easy
A. Using a layered architecture
B. Using a single monolithic file
C. Using encrypted hardware tokens
D. Using uncompressed text files

8 What is the primary role of an image registry?

Image registries & distribution Easy
A. To store, manage, and distribute container images
B. To compile application source code into an image
C. To execute code within a container
D. To allocate CPU limits to running containers

9 What is Docker?

Introduction to Docker Easy
A. An operating system exclusively for Apple computers
B. A programming language designed for DevOps
C. A physical hardware device used to connect servers
D. A popular open-source platform for developing, shipping, and running applications in containers

10 Which of the following best describes Docker's underlying architecture?

Docker Architecture Easy
A. Monolithic architecture
B. Peer-to-Peer architecture
C. Client-Server architecture
D. Mainframe architecture

11 What is the role of the Docker daemon (dockerd)?

Docker daemon Easy
A. It is a remote server that stores user code
B. It compiles the Linux kernel from source code
C. It runs in the background on the host OS and manages Docker objects like images and containers
D. It acts as a graphical user interface for developers

12 What does the Docker CLI (Command Line Interface) do?

Docker CLI Easy
A. It provides a web-based dashboard to monitor container health
B. It accepts terminal commands from the user and sends them to the Docker daemon
C. It creates automatic backups of all cloud servers
D. It physically allocates RAM to the host computer

13 What is Docker Hub?

Docker registry & Hub Easy
A. A network protocol used for container communication
B. A local daemon service running on the host OS
C. A paid software application for designing UI mockups
D. The default public cloud registry for finding and sharing Docker images

14 In Docker, what is a volume primarily used for?

Object types: container, image, network, volume Easy
A. Increasing the CPU speed of a container
B. Storing the Docker daemon configuration settings
C. Routing internet traffic to the correct container
D. Persisting data generated by and used by Docker containers

15 Which Docker object is defined as a runnable instance of an image?

Object types: container, image, network, volume Easy
A. Volume
B. Daemon
C. Network
D. Container

16 Which Docker object enables isolated communication between multiple containers?

Object types: container, image, network, volume Easy
A. Registry
B. Volume
C. Network
D. Image

17 What happens when a running container needs to modify a file from its underlying image?

Docker layering & filesystem Easy
A. The container crashes because image files are strictly read-only
B. The change is written to a writable container layer on top of the read-only image layers
C. A new image is immediately generated and published to Docker Hub
D. The original image file is permanently modified on the disk

18 Why does Docker use a layered filesystem?

Docker layering & filesystem Easy
A. To allow Docker containers to run directly on Windows without virtualization
B. To make images completely immune to malware
C. To encrypt the data automatically at rest
D. To maximize layer reuse, reduce disk space, and speed up image downloads

19 Which Linux namespace is responsible for isolating the system hostname and domain name for a container?

Process isolation & namespaces Easy
A. Network namespace
B. PID namespace
C. Mount namespace
D. UTS namespace

20 Without cgroups configured, what potential issue might a container cause on a host system?

Control Groups (cgroups) for resource limits Easy
A. It could randomly change the IP addresses of other computers on the network
B. It could delete the host system's bootloader
C. It could automatically bypass all firewall rules
D. It could consume all available CPU and memory, starving other processes

21 Which early Unix technology laid the foundational concept of isolating process environments, paving the way for modern containerization?

Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps) Medium
A. Hypervisors
B. Systemd
C. chroot
D. cgroups

22 If an administrator wants to ensure that a container cannot see or interact with the network interfaces of the host system, which Linux feature is directly responsible for this isolation?

Process isolation & namespaces Medium
A. Network namespace
B. UTS namespace
C. cgroups
D. Mount namespace

23 A DevOps engineer needs to restrict a database container so it does not consume more than 2GB of RAM, preventing host system crashes. Which underlying Linux kernel feature enforces this constraint?

Control Groups (cgroups) for resource limits Medium
A. Copy-on-Write (CoW)
B. SELinux
C. Control Groups (cgroups)
D. Namespaces

24 In a modern container architecture, what is the primary difference between a high-level container runtime (like containerd) and a low-level container runtime (like runc)?

Container runtime Medium
A. containerd executes the container processes, while runc manages image transfers.
B. containerd is used exclusively for Docker, while runc is used for Kubernetes.
C. containerd manages the container lifecycle and images, while runc interacts directly with the kernel to spawn the container.
D. runc provides a REST API, while containerd relies strictly on CLI commands.

25 When building a container image, multiple commands are executed in a Dockerfile. How does the image build process handle these commands to optimize storage and pull speed?

Container images & layers Medium
A. It bypasses storage optimization unless explicitly instructed by the user.
B. It creates a writable layer for each command and merges them upon execution.
C. It creates a new read-only layer for each command, caching them for reuse in future builds.
D. It compresses all commands into a single tarball layer.

26 A developer is attempting to deploy an application on a cluster of ARM-based servers. They pull a standard image from the registry, but the containers fail to start. What is the most likely cause related to image distribution?

Image registries & distribution Medium
A. The pulled image layer exceeded the default size limit.
B. The pulled image was built for an x86_64 architecture, not ARM.
C. The registry requires a specialized pull command for ARM images.
D. The registry network timed out during the pull.

27 In the standard Docker architecture, how do the Docker client and the Docker daemon communicate when they are running on the same host?

Docker Architecture Medium
A. By directly modifying the Docker filesystem layers.
B. Via shared memory segments.
C. Through an encrypted SSH tunnel.
D. Using a local UNIX socket (/var/run/docker.sock).

28 If the Docker daemon (dockerd) crashes or needs to be restarted for an upgrade, what happens to the currently running containers if the 'Live Restore' feature is enabled?

Docker daemon Medium
A. They are immediately terminated and restarted upon daemon recovery.
B. They are paused and their state is written to disk until the daemon recovers.
C. They remain running and the daemon reconnects to them upon restart.
D. They are killed and must be manually restarted.

29 Which of the following Docker CLI commands correctly starts a container in the background, maps host port 8080 to container port 80, and names the container web_app?

Docker CLI Medium
A. docker start -b -p 80:8080 -n web_app nginx
B. docker run -d -p 8080:80 --name web_app nginx
C. docker exec -d --port 8080:80 --name web_app nginx
D. docker run -it -p 8080:80 --name web_app nginx

30 When a developer issues the command docker pull ubuntu, how does Docker determine which registry to contact to download the image?

Docker registry & Hub Medium
A. It defaults to contacting Docker Hub unless a different registry URL is specified in the image name.
B. It queries the local DNS server for an ubuntu service record.
C. It requires a manual configuration file update before the command will work.
D. It broadcasts a request to the local network to find an available registry.

31 You are deploying a PostgreSQL database using Docker. To ensure that the database records persist even if the container is removed, which Docker object type MUST you utilize?

Object types: container, image, network, volume Medium
A. A read-only image layer
B. A container snapshot
C. A Docker volume
D. A bridge network

32 Two containers, frontend and backend, need to communicate with each other using container names rather than IP addresses. What is the best way to achieve this using Docker objects?

Object types: container, image, network, volume Medium
A. Connect both containers to a user-defined bridge network.
B. Expose all ports on the backend container to the host.
C. Modify the default docker0 network to allow DNS resolution.
D. Link them together using a shared volume.

33 If a file is created in Layer 1 of a Docker image, and then explicitly deleted in Layer 2, what actually happens to the file within the final image structure?

Docker layering & filesystem Medium
A. The deletion is ignored because read-only layers cannot be modified.
B. Layer 1 is recompiled to omit the file, reducing the overall image size.
C. The file is completely removed from the disk, saving space in the final image.
D. A 'whiteout' file is created in Layer 2 to hide the file, but the file still exists in Layer 1, consuming disk space.

34 Why do containers inherently accelerate Continuous Integration/Continuous Deployment (CI/CD) pipelines compared to traditional hardware virtualization (VMs)?

Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps) Medium
A. Containers automatically rewrite application code to be cloud-native.
B. Containers include a full guest OS, ensuring higher compatibility.
C. Containers eliminate the need for application testing.
D. Containers start in milliseconds by sharing the host kernel, significantly reducing deployment time.

35 When you list the running processes from inside a newly started, isolated Docker container, the application process usually shows a Process ID (PID) of 1. However, on the host machine, the same process has a PID of 14502. How is this possible?

Process isolation & namespaces Medium
A. The PID namespace maps the host PID 14502 to a virtual PID 1 inside the container.
B. The application runs twice: once on the host and once in the container.
C. Docker daemon uses a proxy to spoof the PID output inside the container.
D. The host machine recalculates the PID dynamically using cgroups.

36 A host system is running under heavy CPU load. Container A is assigned a CPU share of 1024, and Container B is assigned a CPU share of 512. How will the host allocate CPU cycles between these two containers?

Control Groups (cgroups) for resource limits Medium
A. Container A will be allowed to use all CPU cores, while Container B is restricted to half a core.
B. Container A will receive exactly twice as much CPU time as Container B.
C. Container A will receive 1024 CPU cycles per second, and Container B will receive 512.
D. Both containers will receive equal CPU time until the host load drops.

37 Which component in the Docker engine is primarily responsible for listening to Docker API requests and managing Docker objects?

Docker daemon Medium
A. containerd
B. runc
C. dockerd
D. docker-cli

38 Why is it considered a DevOps best practice to use minimal base images (like Alpine Linux) when creating container images?

Container images & layers Medium
A. Minimal images automatically update their own security patches.
B. They reduce the attack surface and speed up image pulling and deployment.
C. They natively compile code faster than Ubuntu or CentOS images.
D. Minimal images bypass the need for Docker volumes.

39 When dealing with Docker storage, what is the primary distinction between a 'Volume' and a 'Bind Mount'?

Object types: container, image, network, volume Medium
A. Volumes can only be used by one container at a time, whereas bind mounts can be shared.
B. Volumes are read-only, while bind mounts allow write access.
C. Bind mounts are stored in memory, while volumes are written to the physical disk.
D. Volumes are managed entirely by Docker, whereas bind mounts rely on specific directory paths on the host machine.

40 When a container starts, Docker creates a thin writable layer on top of the underlying read-only image layers. What happens to the data stored in this writable layer when the container is deleted?

Docker layering & filesystem Medium
A. The data is automatically backed up to a local registry.
B. The data becomes permanently integrated into the base image.
C. The data is converted into a dangling image layer.
D. The data is permanently lost unless it is stored in a volume or bind mount.

41 While the chroot system call laid the early groundwork for filesystem isolation, which critical limitation of chroot necessitated the development of modern containerization primitives like FreeBSD Jails and eventually Linux Namespaces?

Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps) Hard
A. chroot prevents the execution of multi-threaded applications due to its global lock on process execution.
B. chroot does not prevent a root user within the jail from breaking out using secondary chroot calls and relative paths.
C. chroot is restricted to operating on block storage devices and cannot utilize network-attached storage.
D. chroot lacks the ability to execute binaries compiled for architectures different from the host system.

42 In the context of the Open Container Initiative (OCI) runtime specifications, what is the primary architectural difference between a low-level runtime like runc and a high-level runtime like containerd?

Container runtime Hard
A. containerd manages the container lifecycle, image distribution, and storage, whereas runc is strictly responsible for spawning and running the container processes via kernel primitives.
B. containerd replaces the Docker daemon entirely, while runc is merely a shell wrapper for executing chroot commands.
C. runc is designed to run exclusively inside a hypervisor for secure multi-tenancy, while containerd runs on bare-metal OS kernels.
D. runc provides API endpoints for image pulls and network management, whereas containerd interacts directly with Linux namespaces and cgroups.

43 How does the Linux User namespace achieve privilege separation when a container requires a process to run as root internally but remain unprivileged externally?

Process isolation & namespaces Hard
A. It utilizes an overlay filesystem to mock file ownership, deceiving the process into believing it has root ownership of mounted volumes.
B. It maps a range of UIDs on the host to a different range inside the namespace, allowing UID 0 inside the container to correspond to a non-zero, unprivileged UID on the host.
C. It drops all Linux capabilities (like CAP_SYS_ADMIN) from the container process, regardless of the mapped UID.
D. It intercepts system calls made by the container's root user and rewrites them to execute as a standard user via a hypervisor.

44 When setting CPU limits in Docker using --cpu-shares versus --cpus, which of the following accurately describes how the Linux Completely Fair Scheduler (CFS) applies these constraints?

Control Groups (cgroups) for resource limits Hard
A. --cpus maps container processes to specific CPU cores using cpuset, whereas --cpu-shares distributes processes randomly across all available cores.
B. --cpu-shares defines a hard quota that throttles the container when reached, while --cpus adjusts the container's priority only when the host CPU is contended.
C. --cpu-shares provides a relative weight for CPU allocation only during periods of CPU contention, whereas --cpus enforces a strict CFS quota limiting the absolute CPU time a container can use.
D. Both --cpu-shares and --cpus enforce hard limits, but --cpu-shares operates at the thread level, while --cpus operates at the process level.

45 A developer creates a Dockerfile that downloads a 500MB archive in one RUN instruction, extracts it, and deletes the original archive in a subsequent RUN instruction. How does this affect the final image size due to Union Filesystem mechanics?

Container images & layers Hard
A. The final image size will include the 500MB archive because the deletion creates a 'whiteout' file in a new layer, but the archive remains persisted in the lower read-only layer.
B. The final image will only include the extracted files, as the Docker builder automatically garbage-collects deleted files across all layers before finalizing the image.
C. The final image size will be reduced by 500MB because the union filesystem consolidates all sequential RUN instructions during the build.
D. The image build will fail because union filesystems do not allow deletion of files created in previous intermediate layers.

46 How does an OCI-compliant image registry successfully distribute a single tagged image (e.g., app:latest) across diverse architectures like amd64 and arm64?

Image registries & distribution Hard
A. The registry utilizes a 'Manifest List' (or fat manifest) that acts as an index, resolving the tag to a specific architecture's image digest based on the client's architecture request.
B. The registry dynamically transpiles the amd64 binary within the image to arm64 instructions during the image pull process.
C. The image layers contain universal binaries combining executable code for all architectures, and the container runtime selects the correct binary path at execution.
D. Docker includes a universal hypervisor that allows amd64 images to run natively on arm64 hosts, so only one image architecture is actually stored.

47 Which of the following scenarios highlights the fundamental limitation of Docker's kernel-sharing architecture when compared to hardware virtualization (VMs)?

Introduction to Docker Hard
A. Isolating network interfaces so that a container cannot intercept host traffic.
B. Limiting the maximum RAM a database container can consume on the host.
C. Running a containerized Windows IIS server natively on a host running the Linux kernel.
D. Running a Debian-based container on an Ubuntu host.

48 In Docker's architecture, what is the primary role of the containerd-shim process?

Docker Architecture Hard
A. It acts as a reverse proxy, routing HTTP API requests from the Docker CLI to the dockerd daemon.
B. It translates OCI runtime specifications into hypervisor instructions for running lightweight virtual machines like Firecracker.
C. It dynamically links host kernel modules to the container's isolated root filesystem during startup.
D. It decouples the container execution from the containerd daemon, allowing the daemon to be restarted or upgraded without killing running containers.

49 By default, exposing the Docker daemon (dockerd) over an unencrypted TCP socket (tcp://0.0.0.0:2375) on a public network is considered a critical security vulnerability. What specific capability makes this as dangerous as granting passwordless root SSH access?

Docker daemon Hard
A. The daemon automatically replicates host SSH keys into all newly created containers, exposing them over the network.
B. Any user can initiate a denial-of-service attack by continuously pulling large base images until the host disk is full.
C. The Docker daemon intercepts all host network traffic natively, acting as a packet sniffer without needing special permissions.
D. An attacker can use the API to start a privileged container mounting the host's root filesystem / and modify host files like /etc/shadow.

50 When executing a docker run command, the Docker CLI determines which Docker daemon to communicate with based on a specific order of precedence. Which of the following represents the correct priority sequence from highest to lowest?

Docker CLI Hard
A. Active Docker Context, Command-line flag (-H), Default socket path, Environment variable (DOCKER_HOST)
B. Command-line flag (-H), Environment variable (DOCKER_HOST), Active Docker Context, Default socket path
C. Environment variable (DOCKER_HOST), Active Docker Context, Command-line flag (-H), Default socket path
D. Command-line flag (-H), Active Docker Context, Default socket path, Environment variable (DOCKER_HOST)

51 When utilizing Docker Content Trust (DCT) to enforce image signing, which key hierarchy protects against a scenario where an attacker compromises the online registry server and attempts to serve malicious image tags?

Docker registry & Hub Hard
A. The symmetric TLS session key used during the image pull verifies the image payload's integrity.
B. The registry generates a unique RSA private key for each image layer, which is embedded into the container runtime during installation.
C. An offline Root key generates an intermediate Targets key; the online registry only holds the Targets key, meaning it cannot sign a forged Tag without the offline Root key.
D. An offline Root key guarantees the repository's identity, while short-lived online Timestamp and Snapshot keys prevent replay attacks and ensure the client receives the exact signed image tag.

52 A production database container utilizes a Docker named volume for its data directory instead of writing to the container's default union filesystem layer. Which of the following is the primary architectural advantage of this approach?

Object types: container, image, network, volume Hard
A. Named volumes automatically encrypt data at rest, whereas the union filesystem stores data in plaintext.
B. Named volumes span multiple host nodes natively, providing built-in synchronous replication for database clusters.
C. Named volumes are directly managed by the host kernel, bypassing the performance overhead and Copy-on-Write (CoW) penalties of the container's storage driver.
D. Named volumes enforce a strictly read-only filesystem, preventing the database container from accidentally corrupting transaction logs.

53 In the context of the OverlayFS storage driver, what occurs when a container creates a new file in a directory that exists only in the read-only lowerdir?

Docker layering & filesystem Hard
A. Only the new file is written directly to the upperdir, leaving the directory structure implicitly defined by the lowerdir.
B. The entire directory structure and its contents are copied up to the upperdir before the new file is written.
C. The file creation fails with a 'Read-only file system' error because the parent directory cannot be modified.
D. The directory is duplicated in the upperdir, and a special pointer file is placed in the lowerdir to maintain consistency.

54 To connect a container's isolated network namespace to the host's network, Docker typically utilizes a Virtual Ethernet (veth) pair. Which of the following accurately describes the termination points of this veth pair?

Process isolation & namespaces Hard
A. One end resides in the container's network namespace as eth0, and the other end attaches to a virtual switch/bridge (like docker0) in the host's default network namespace.
B. One end resides in the container's network namespace, and the other end terminates at the Docker daemon process to proxy TCP requests.
C. Both ends reside in the host's default network namespace, but one end is routed through an iptables NAT rule pointing to the container's process ID.
D. One end connects directly to the host's physical NIC (eth0), and the other end connects to the container's internal loopback interface (lo).

55 During the startup of a container, the low-level runtime relies on pivot_root rather than just chroot. What security enhancement does pivot_root provide over standard chroot?

Container runtime Hard
A. pivot_root creates a copy-on-write clone of the host's root filesystem in memory, ensuring the container cannot write to disk.
B. pivot_root alters the root mount for the namespace and detaches the old root filesystem, preventing the process from accessing or unmounting the host filesystem.
C. pivot_root forces all subsequent system calls from the container to be authenticated via AppArmor or SELinux.
D. pivot_root automatically encrypts the new root filesystem, preventing offline tampering.

56 When using the macvlan network driver to assign a unique MAC address directly to a container, a specific routing isolation issue arises by default. Which of the following describes this issue?

Object types: container, image, network, volume Hard
A. The macvlan driver overrides the host's physical MAC address, causing immediate network collision and taking the host offline.
B. The host machine cannot directly communicate with containers attached to the macvlan network via their IP addresses due to kernel security restrictions filtering loopback traffic to macvlan interfaces.
C. Containers on a macvlan network are stripped of their internal localhost (lo) interface, breaking internal inter-process communication.
D. Containers on the macvlan network can communicate with the external internet but cannot ping other containers on the same macvlan network.

57 If the dockerd process encounters a fatal crash and terminates unexpectedly, what happens to the running containers under Docker's default modern configuration (assuming live-restore is enabled)?

Docker Architecture Hard
A. The containers pause execution and are suspended in RAM until dockerd restarts and sends a SIGCONT signal.
B. The containers continue running undisturbed because they are child processes of containerd-shim, not dockerd, and will reconnect to dockerd once it restarts.
C. All running containers are immediately sent a SIGKILL signal by the kernel because their parent process died.
D. The containers are safely gracefully terminated with a SIGTERM, followed by SIGKILL after a 10-second timeout.

58 A host system with hundreds of running containers abruptly throws 'No space left on device' errors. However, df -h shows that only 30% of the disk capacity is utilized. Which of the following OverlayFS or container behaviors most likely caused this?

Docker layering & filesystem Hard
A. The kernel reached the maximum allowed limit for nested overlay filesystems.
B. The containers generated millions of tiny temporary files, exhausting the filesystem's inode capacity despite available block storage.
C. The host's RAM swap space was completely filled by container memory leaks, which the kernel reports as device space exhaustion.
D. The Docker daemon exhausted its allowed pool of virtual network IP addresses.

59 Which specific Linux kernel feature, merged around 2008, was the critical missing piece that allowed LXC (Linux Containers) to accurately meter and limit hardware resources, differentiating it from earlier UNIX-based jail systems?

Introduction to containers (Origin of containers, Emergence of Modern Containerization and Integration into DevOps) Hard
A. Seccomp (Secure Computing Mode)
B. Advanced Linux Sound Architecture (ALSA)
C. OverlayFS
D. Control Groups (cgroups)

60 In a system running cgroups v2, which of the following best describes the unified hierarchy model compared to cgroups v1?

Control Groups (cgroups) for resource limits Hard
A. cgroups v2 eliminates the need for the kernel to manage resources, offloading the calculations entirely to user-space daemons like systemd.
B. cgroups v2 forces every controller (memory, CPU, I/O) to be mounted on separate parallel hierarchies, increasing granularity but complicating administration.
C. cgroups v2 introduces a mandatory network controller hierarchy that tracks layer-7 HTTP traffic natively.
D. cgroups v2 utilizes a single unified tree hierarchy for all controllers, ensuring a process cannot belong to different cgroups for different resources (e.g., CPU and memory).