Docker Certified Associate Certification Guide
Certification
More details about the certification and exam are available on the Mirantis website. Mirantis acquired Docker Enterprise in November 2019.
Exam
Unlike CKA or CKAD, there is no free retake of the exam; each subsequent attempt must be paid for separately, so make sure to prepare well. Remember that you can reschedule the exam at any time. The exam is pretty challenging. Questions are very detailed and often revolve around obscure details of a particular topic. My exam had a lot of questions around PVs, PVCs, StorageClasses as well as detailed configuration of DTR and UCP. Please remember that your exam might be different, as questions are changed often. This guide is based on the official Docker Study Guide v1.3, May 2020.
Exam topics
| Topic | % of exam questions |
|---|---|
| Orchestration | 25% |
| Image Creation, Management, and Registry | 20% |
| Installation and Configuration | 15% |
| Networking | 15% |
| Security | 15% |
| Storage and Volumes | 10% |
Exam Info
- The exam can be taken remotely
- 90 minutes to answer 55 questions
- All questions are multiple choice
- 13 questions are normal multiple choice
- 52 questions are Discrete Option Multiple Choice (DOMC), where options are randomly presented one at a time. For each presented option, the examinee chooses YES or NO to indicate whether the option is correct.
Learning Plan
Find good training material
As a primary online training source I have used Kodekloud's Docker Certified Associate Exam Course.
As a primary learning resource in general I cannot recommend enough Nigel Poulton's DOCKER DEEP DIVE. You can get the book for less than 10 EUR on Amazon in Kindle format.
You can check out Nigel's personal page for more information.
I have already passed, and blogged about, CKA and CKAD, and there is significant overlap with the Kubernetes orchestration part and container basics.
There is a great repo by Govinda Fichtner with links to Docker documentation organized per learning topic. You can find the repo here: DCA Prep Guide from DevOps-Academy.
Go through mock questions and exams
Since the exam is in the form of questions, it is important to practice as much as possible and go through questions and mock exams. The Kodekloud course I've mentioned before has a lot of questions built in, but there are also free mock exams and questions. One from Medium I find very good: Medium blog - 250 Practice Questions for the DCA Exam.
Practice with Docker
In this exam practical exercises are not as important as in CKA and CKAD, for example, but I still find it valuable to follow up a theoretical session with a practical review.
There is a free service where you can spin up a few VMs (some of them already have Docker Swarm preinstalled) and practice without installing anything on your machine!
Interactive online docker environments on demand: docker
There is also a similar service for practicing with Kubernetes, which is very useful for the Kubernetes orchestration part.
Interactive online docker environments on demand: kubernetes
Just a small hint: once you bootstrap Kubernetes, you can use my portable kubectl-in-docker image to run kubectl with diagnostic tools and aliases.
Here are the steps to run the container:
```bash
# Run container on the same network as the host
docker run -d --network=host --name=kubectl-host --rm -it piotrzan/kubectl-comp:zsh
# Copy over the Kubernetes config file into the container's kubeconfig location
kubectl config view --raw > config
docker cp ./config kubectl-host:/root/.kube/config
# Attach a shell to the running container
docker attach kubectl-host
```
Or a simpler version with a volume mount:
```bash
# .kube/config is a symlink to /etc/kubernetes/admin.conf
docker run --network=host --name=kubectl-host -v /etc/kubernetes/admin.conf:/root/.kube/config --rm -it piotrzan/kubectl-comp:zsh
```
Know Docker/Mirantis documentation well
There are plenty of great learning repositories with exam topics directly linked to Docker/Mirantis documentation. A good one that is also up to date is Evalle/DCA.
Such sources are a great shortcut for learning and for reference later on, but I like to have all my links at my fingertips right in the bookmarks bar.
If you would like to have the same bookmarks, please use my gist below and import them from file. Bookmarks are arranged in subfolders corresponding to exam topics:
Basic Concepts
Docker CLI syntax
The Docker CLI has the following syntax:
Syntax: `docker <docker-object> <sub-command> <-options> <arguments/commands>`
Example: `docker container run -it ubuntu`
Docker Components
Sources:
Container Layer
By default all Docker image layers are immutable (read-only). When a container is created using the `docker run` command, an additional mutable (read-write) layer is created. This layer exists only for the duration of the container's lifetime and is removed once the container is deleted. When any file in a running container is modified, Docker copies the file up into the container layer (copy-on-write) before the changes are saved. The original files that are part of the image are never changed.
Access remote Docker host from CLI
On the machine from which you want to access the Docker host, set the variable:
```bash
export DOCKER_HOST="tcp://<docker-host-ip>:2375"
```
Docker default ports:
- 2375 - unencrypted traffic
- 2376 - encrypted traffic
IMPORTANT: This setting is only for testing/playground purposes. It makes the Docker host available on the network, and by default there is no authentication, so anyone who can reach the port has root-equivalent control of the host.
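To make the encrypted/unencrypted distinction concrete, here is an added example (not from the original guide) that audits a parsed `/etc/docker/daemon.json` and flags any `tcp://` listener that is plaintext or that does not require client certificates. It uses the real daemon.json keys `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey`; the two sample configurations and the certificate paths in them are constructed for illustration.

```python
import json

# Port numbers as given in the guide: 2375 is plaintext, 2376 is TLS.
UNENCRYPTED_PORT = "2375"


def audit_daemon_hosts(config):
    """Return a list of findings for a parsed daemon.json dictionary.

    A tcp:// listener is only considered acceptable when the daemon also
    requires client certificates ("tlsverify": true) and names a CA
    ("tlscacert") to validate them against. unix:// and fd:// sockets are
    local to the host and are skipped.
    """
    findings = []
    tls_verify = bool(config.get("tlsverify", False))
    has_ca = bool(config.get("tlscacert"))
    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        port = host.rsplit(":", 1)[-1]
        if port == UNENCRYPTED_PORT:
            findings.append(f"{host}: plaintext Docker API port (no encryption)")
        if not tls_verify:
            findings.append(f"{host}: tcp listener without tlsverify, "
                            "any client that reaches the port controls the daemon")
        elif not has_ca:
            findings.append(f"{host}: tlsverify is set but tlscacert is missing")
    return findings


def audit_daemon_file(path):
    """Load daemon.json from disk and audit it."""
    with open(path) as handle:
        return audit_daemon_hosts(json.load(handle))


# Constructed sample configurations (not taken from the guide).
INSECURE = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",        # placeholder path
    "tlscert": "/etc/docker/certs/server-cert.pem", # placeholder path
    "tlskey": "/etc/docker/certs/server-key.pem",   # placeholder path
}

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(name, audit_daemon_hosts(cfg) or ["no findings"])
```

With the hardened daemon, the client side sets `DOCKER_HOST=tcp://<docker-host-ip>:2376`, `DOCKER_TLS_VERIFY=1` and `DOCKER_CERT_PATH` pointing at its own ca.pem, cert.pem and key.pem.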
Use the docker CLI as a non-root user
- Create the docker group: `sudo groupadd docker`
- Create the non-root user you want to use with docker: `sudo useradd -G docker <user-name>`
- Add this user to the docker group: `sudo usermod -aG docker <non-root user>`
- Log off and log in as the docker user.
- Optional - restart the docker service: `sudo systemctl restart docker`
Orchestration
Orchestration Areas
There are a few solutions on the market that can help with container and node orchestration. By far the most widely adopted one is Kubernetes, followed by Docker Swarm. During the exam there will be questions about both.
I have covered my learning path for the CKA and CKAD certifications in detail, so check my Medium profile if you would like to learn more.
Kubernetes Architecture
Source: https://kubernetes.io/docs/concepts/overview/components/.
Docker Swarm Architecture
Source: https://docs.docker.com/engine/swarm/images/service-lifecycle.png.
What is docker stack
A Docker stack is very similar to docker compose, with the key difference being that docker compose defines containers while a docker stack defines services. Swarm also provides commands to work with stacks directly.
Useful stack commands:
- `docker stack deploy -c <compose file>` - deploy a new stack or update an existing one
- `docker stack services` - list services in the stack
- `docker stack ps` - list the tasks in the stack
- `docker stack rm` - remove the stack
- `docker stack ls` - list stacks
Difference between docker stack ls and docker stack ps
- `docker stack ls` - lists all the stacks
- `docker stack services` - lists the services created by a stack
- `docker stack ps <stack-name>` - lists all the services running in a stack
Docker Swarm Networks
- Overlay networks: manage communications among the Docker daemons participating in the swarm. You can attach a service to one or more existing overlay networks as well, to enable service-to-service communication.
- ingress network: a special overlay network that facilitates load balancing among a service's nodes. When any swarm node receives a request on a published port, it hands that request off to a module called IPVS. IPVS keeps track of all the IP addresses participating in that service, selects one of them, and routes the request to it over the ingress network.
- docker_gwbridge: a bridge network that connects the overlay networks (including the ingress network) to an individual Docker daemon's physical network.
Raft Consensus and Quorum
Implementing the Raft consensus algorithm ensures that all manager nodes in the distributed system store the same consistent state.
Quorum
To calculate the minimum number of manager nodes required to achieve quorum (or simply a majority) from the number of managers $N$, use $\boxed{\text{quorum}=\frac{N+1}{2}}$ and round the result to a whole number.
So having 5 manager nodes, the quorum is 3.
Fault Tolerance
Knowing the quorum of manager nodes, we can predict the fault tolerance, which is the number of manager nodes that can fail before the cluster is put in an inconsistent state.
To calculate the fault tolerance of the cluster use $\boxed{\text{fault tolerance}=\frac{N-1}{2}}$
So as an example, having 7 manager nodes, our quorum is $(7+1)/2 = 4$ and the fault tolerance is $(7-1)/2 = 3$.
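Carried through for even manager counts as well, as an added derivation (not part of the original guide): a quorum $Q$ is the smallest integer strictly greater than half of $N$, and the fault tolerance $F$ is whatever is left.

$$Q=\left\lfloor \frac{N}{2} \right\rfloor + 1, \qquad F = N - Q = \left\lceil \frac{N}{2} \right\rceil - 1$$

For odd $N$ these reduce to the formulas above, $Q=\frac{N+1}{2}$ and $F=\frac{N-1}{2}$. Evaluating both for small clusters:

$$\begin{array}{c|c|c}
N & Q & F \\ \hline
3 & 2 & 1 \\
4 & 3 & 1 \\
5 & 3 & 2 \\
6 & 4 & 2 \\
7 & 4 & 3
\end{array}$$

Going from 3 to 4 managers (or 5 to 6) raises the quorum without raising the fault tolerance, which is why an odd number of managers is the usual recommendation.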
Kubernetes Deployment Spec
Sources:
- Json representation of a deployment based on my blazor in Docker demo
- https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#writing-a-deployment-spec
The highlighted fields are the only fields required for the deployment to work.
`.spec.template` is the same as a pod spec, without the `apiVersion` and `kind` fields.
Images and Registry
Creating docker images
A Docker image is an immutable blueprint from which containers are created.
Difference between CMD and ENTRYPOINT
The CMD and ENTRYPOINT sections of a Dockerfile are used to instruct Docker what to do once the container is started.
CMD
This section defines what command will be executed once the container starts. For example:
- defining `CMD ["httpd"]` in a Dockerfile building an httpd server will start the Apache httpd server based on the image used
- running the httpd image with a command override, `docker run httpd printenv`, will override the default CMD with the `printenv` command, which outputs environment variables to the terminal
- the command can be specified as a regular command, `CMD httpd`, or as a json array, `CMD ["sleep", "5"]`; in json array syntax the first element of the array is the command itself and all subsequent elements are parameters/options
ENTRYPOINT
This section defines what command will be executed once the container starts and cannot be overridden by default (you need to use the `--entrypoint` flag to force an override). All arguments passed via docker run will be appended to the command defined in ENTRYPOINT.
CMD and ENTRYPOINT work great together, where ENTRYPOINT defines the "fixed" command to be executed once the container starts and CMD provides default, but overrideable, arguments to run the container in different ways.
It is required to specify both CMD and ENTRYPOINT in json array format for the override to work.
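The rules above can be checked without a Docker daemon. This added example (not from the original guide) models how Docker resolves the process a container starts with from ENTRYPOINT, CMD, the arguments after the image name in `docker run`, and the `--entrypoint` flag, including the shell-form cases where CMD is wrapped in or ignored by `/bin/sh -c`. The function name `effective_command` and the sample instructions are my own.

```python
SHELL_PREFIX = ["/bin/sh", "-c"]


def effective_command(entrypoint=None, cmd=None, run_args=(), entrypoint_override=None):
    """Return the argv a container starts with.

    entrypoint / cmd: None, a list (json array / exec form) or a str (shell form).
    run_args: arguments given after the image name in `docker run`; they replace CMD.
    entrypoint_override: value of `docker run --entrypoint`; it replaces ENTRYPOINT
    and clears the image's CMD (an empty string resets ENTRYPOINT entirely).
    """
    if entrypoint_override is not None:
        entrypoint = [entrypoint_override] if entrypoint_override else None
        cmd = None
    if run_args:
        cmd = list(run_args)
    if isinstance(entrypoint, str):
        # Shell-form ENTRYPOINT runs via /bin/sh -c and ignores CMD and run args,
        # which is why the guide says both must be in json array form for overrides.
        return SHELL_PREFIX + [entrypoint]
    if isinstance(cmd, str):
        # Shell-form CMD is wrapped in /bin/sh -c and appended to any exec-form ENTRYPOINT.
        cmd = SHELL_PREFIX + [cmd]
    argv = list(entrypoint or []) + list(cmd or [])
    if not argv:
        raise ValueError("no ENTRYPOINT, CMD or run arguments: nothing to execute")
    return argv


if __name__ == "__main__":
    # Constructed scenarios mirroring the guide's httpd and sleep examples.
    print(effective_command(cmd=["httpd"]))                                   # ['httpd']
    print(effective_command(cmd=["httpd"], run_args=["printenv"]))            # ['printenv']
    print(effective_command(entrypoint=["sleep"], cmd=["5"], run_args=["10"]))  # ['sleep', '10']
    print(effective_command(entrypoint="sleep 5", cmd=["5"], run_args=["10"]))  # shell form ignores both
```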
How to control resources utilization by a container
CPU
The default CPU share per container is 1024.
Option 1: If the host has multiple CPUs, it is possible to assign each container a specific CPU.
Option 2: If the host has multiple CPUs, it is possible to restrict how many CPUs a given container can use.
It's worth noting that container orchestrators (like Kubernetes) provide declarative methods to restrict resource usage per run-time unit (a pod in the case of Kubernetes).
Memory
Option 1: Run the container with the `--memory=limit` flag to restrict memory use.
If a container tries to consume more memory than its limit, the system will kill it, exiting the process with an Out Of Memory (OOM) error. By default a container is allowed to consume the same amount of swap space as the memory limit, effectively doubling the memory limit, provided of course that swap is not disabled on the host.
Ports mapping
Port mapping always goes from HOST to CONTAINER, so `-p 8080:80` maps port 8080 on the host to port 80 in the container.
Hint: Prefer the `-p` option with a static port when running containers in production.
How to copy files
Copying files is very easy: the first parameter after the cp command is the source and the second is the destination.
- Copy a file from host to container: `docker container cp /tmp/file.txt container_name:/tmp/file.txt`
- Copy a file from container to host: `docker container cp container_name:/tmp/file.txt /tmp/file.txt`
Check logs to troubleshoot docker service
- Check system logs: `journalctl -u docker.service`
- Check free space on the host: `df -h`, then use `docker container prune` or `docker image prune` to get rid of stale containers/images
Where are images pulled from?
By default Docker pulls images from the configured image repository (Docker Hub by default), but it's possible to specify a `build` directive instead of `image`, with a path to a Dockerfile.
Installation and Configuration
MKE Architecture
Source: https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-products/mke/mke-architecture.html
Be aware that after the acquisition of Docker Enterprise by Mirantis there have been some naming and product changes, so the following applies:
- Docker Trusted Registry (DTR) is now Mirantis Secure Registry (MSR)
- Universal Control Plane (UCP) is now Mirantis Kubernetes Engine (MKE)
- Docker Enterprise Edition (DEE) is now Mirantis Container Runtime (MCR)
UCP/MKE Backup
To take a backup of UCP/MKE, use the `docker/ucp` container.
DTR/MSR Backup
To perform a backup of an MSR node, run the `mirantis/dtr backup msr-cli-backup` command.
Docker Swarm Backup (simplified)
To back up the swarm using any manager, follow these steps:
- If the swarm has auto-lock enabled, you need the unlock key to restore the swarm from backup.
- Stop Docker on the manager before backing up the data, so that no data is being changed during the backup. Be sure to maintain the quorum of swarm managers.
- Back up the entire /var/lib/docker/swarm directory.
- Restart the manager.
Source: https://docs.docker.com/engine/swarm/admin_guide/#back-up-the-swarm
Kubernetes configMaps
In order to configure `configMapKeyRef` in a pod so that it uses environment variables defined in a ConfigMap, use the container path subset `spec.containers.env.valueFrom`.
Change docker daemon host configuration
The configuration file is located at `/etc/docker/daemon.json` and is in json format.
This file is not present by default.
Logging in docker
The default logging driver for Docker is json-file. To change the logging driver to, for example, splunk, update daemon.json like so:
```bash
echo '{"log-driver": "splunk"}' > /etc/docker/daemon.json
```
Networking
Docker server components
Kubernetes network policies
As soon as a network policy is associated with a pod, all ingress and egress traffic to that pod is denied except what is allowed by the network policy.
Kubernetes service resource
Kubernetes uses services to enable communication between pods and other resources as well as external endpoints. A service can declare 3 types of ports:
- Port - exposes the Kubernetes service on the specified port within the cluster. Other pods within the cluster can communicate with this service on the specified port.
- TargetPort - the port the service sends requests to, which your pod will be listening on. Your application in the container needs to be listening on this port as well.
- NodePort - exposes a service externally to the cluster by means of the target node's IP address and the NodePort. NodePort is the default setting if the port field is not specified.
By default the NodePort range in Kubernetes is 30000-32767.
Docker daemon stop behavior
By default, once the Docker daemon is stopped or crashes, all containers are stopped as well.
To change this behavior set `"live-restore": true` in the `/etc/docker/daemon.json` config file.
Docker port mapping
Docker Networking
Important: containers can only communicate by container name on a user-defined bridge or host network.
DTR overlay network
The network created for the DTR services to communicate with each other is the overlay network `dtr-ol`.
Security
Security Layers
Access Control Model in MKE
Source: http://docs.docker.oeynet.com/datacenter/ucp/2.2/guides/access-control/
Grants are effectively Access Control Lists (ACLs) which, grouped together, provide comprehensive access policies for an entire organization. Grants define which users can access what resources in what way. A grant is made up of a subject, a role, and a resource set.
To control user access, cluster resources are grouped into Docker Swarm collections or Kubernetes namespaces. Together, collections and namespaces are called resource sets.
Image Scanning
DTR/MSR has the ability to scan images for known vulnerabilities; this is done by a container called dtr-jobrunner.
Storage and Volumes
Kubernetes Storage Lifecycle
Source: Kubernetes Documentation
The above diagram shows manual provisioning of Persistent Volumes as well as using them via Persistent Volume Claims.
The process can be divided into 4 phases:
- Creation
- Setting up
- Usage
- Cleanup
Where is everything stored
Once installed, Docker creates a folder under `/var/lib/docker/` where all the containers, images, volumes and configurations are stored.
Kubernetes and Docker Swarm store cluster state and related information in etcd.
etcd by default listens on port 2380 for client connections.
Configure a storage class for an application in k8s
Steps:
- Create a storage class with a provisioner
- Create a PVC with the storage class
- Use the PVC in the volumes section in the pod definition file
Mounting volumes syntax
List of common storage drivers:
- AUFS - Ubuntu default
- ZFS
- BTRFS
- Device Mapper
- Overlay
- Overlay2
Named volumes:
- Template, old syntax: `docker run -v volume_name:<path to store in container> container_name`
- Template, new syntax: `docker run --mount source=volume_name,target=<path to store in container> container_name`
- Example, old syntax: `docker run -v data_vol:/var/lib/nginx_data nginx`
Bind mounts:
- Template, old syntax: `docker run -v <full path to folder in docker host>:<full path to folder in container> container_name`
- Template, new syntax: `docker run --mount type=bind,source=<full path to folder in docker host>,target=<path to store in container> container_name`
- Example, old syntax: `docker run -v /data/nginx_data:/var/lib/nginx_data nginx`
Useful Commands
This section describes useful docker CLI commands in the following format:
Command: - docker command syntax
When is it useful: - common use cases when the command should be used
Result: - what is the expected behavior or
Check Docker Status
Command: `docker system info`
When is it useful: quickly see how many containers are running and what the status of the host OS is.
Result: information about the Docker host environment and containers.
Remove all unused docker artifacts
Command: `docker system prune --all`
Command variation: `docker system prune --all --volumes`
When is it useful: when learning or experimenting with Docker, it is useful to clear unused artifacts without resetting the whole environment. The command variation with the `--volumes` flag will also remove volumes.
Result: the following will be removed:
- all stopped containers
- all networks not used by at least one container
- all images without at least one container associated to them
- all build cache
- volumes (if the `--volumes` flag is used)
Stop all running containers
Command: `docker container stop $(docker container ls -q)`
When is it useful: quickly stop all running containers at once.
Result: all containers are stopped.
Set up the container hostname
Command: `docker container run -it --name=ingress --hostname=nginx nginx`
When is it useful: the default hostname is the container id; setting a recognizable hostname can help with logging etc.
Result: the container hostname is set to the custom one.
Automatically remove a container on exit
Command: `docker container run -d --name=ingress --rm nginx`
When is it useful: run a container and automatically remove it once stopped. This is very useful when running CI/CD containers.
Result: the container starts and is removed once it's stopped.
Add or remove capabilities for the user running a container
Command: `docker run --cap-add/--cap-drop KILL nginx` or `docker run --privileged nginx`
When is it useful: this command is useful when elevating or dropping privileges of the user running the container. By default containers run with limited root privileges. The second command runs the container with full privileges.
Result: the container runs with the expected privileges.
Filter results using --filter flag
Command: `docker search --filter=stars=3 --no-trunc busybox`
When is it useful: the results of almost every docker command can be filtered using the `--filter key=value` flag. Refer to the Docker documentation to check what filter options are supported for a given command.
Result: command output filtered as per the filter flag.
Links and resources
- Docker Certified Associate Study Guide
- DCA Prep Guide from DevOps-Academy
- Docker Cheatsheet
- Interactive online docker environments on demand
- Interactive online kubernetes environments on demand
- Medium blog - 250 Practice Questions for the DCA Exam
- Kubernetes Official Documentation
- Docker Docs
- Mirantis Docs
- Kodekloud Youtube Docker for Beginners
- Docker Handbook
- PlantUML Diagrams as Code
- K8s Services Explained