Docker recommends using the responsible disclosure model for reporting vulnerabilities in the Docker platform. What does this mean?
- Simultaneously report the vulnerability to Docker and openly publish details of the vulnerability so that the wider community can take preventative action.
- After reporting the vulnerability to Docker, desist from further disclosure for a period of time to give the project time to remedy the vulnerability. (Ans)
- Engineer a patch to remedy the vulnerability and describe the vulnerability and its fix in a GitHub pull request.
Why does RancherOS launch two Docker daemons on boot?
- To implement redundancy in the event that one of the daemons becomes unavailable
- To isolate application containers from the host’s system services (Ans)
- To improve system performance by load balancing Engine API requests
Given the following users and their group membership, which user will NOT have the means to access the Docker Engine API on its UNIX domain socket?
rackham: uid=1000(rackham) gid=1000(rackham) groups=1000(rackham),27(sudo)
baxter: uid=1001(baxter) gid=1001(baxter) groups=1001(baxter),999(docker)
bolt: uid=1002(bolt) gid=1002(bolt) groups=1002(bolt)
- bolt (Ans)
Which of the following statements is untrue about Docker?
- By default, Docker doesn’t create containers in user namespaces because not all Linux distributions enable user namespaces in their kernel. (Ans)
- Docker creates a sub-directory in its data root so that newly created objects are owned by the UID/GID at the top of the dockremap user’s subordinate ranges.
- User namespaces allow a container’s process to be privileged in its own user namespace, whilst remaining non-privileged in the host’s user namespace.
A Docker admin needs a container to be able to write to a file owned by the root user located in the /etc directory. The Docker daemon is running with user namespace remapping enabled and the file is to be made available to the container as a bind mount. What is the best means of circumventing any permissions problems?
- Change the group ownership of the file to that of the remapped group ID that is used by the Docker daemon when creating containers.
- Temporarily reconfigure the Docker daemon to disable user namespace remapping for the lifetime of the container.
- Use the --userns config option with the argument host to disable the use of user namespaces for the container. (Ans)
What is the process of granting a client access to objects based on their identity?
- Authorization (Ans)
The Open Policy Agent (OPA) is a general purpose policy engine. Which of the following attributes is essential for it to function as a Docker authorization plugin?
- Its ability to act as an independent decision making service for clients (Ans)
- The availability of variables in Rego for defining policy rules
- The means for adding contextual data for use in rule evaluation
An environment variable can be used to define or override a registry setting. Which of the following variables defines or overrides the path to the certificate bundle used to sign tokens?
- REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE (Ans)
Which of the following registry operations are not provided to a client of the Docker Engine API?
- Pull an image from a registry repo
- Remove an image from a registry repo (Ans)
- Push an image to a registry repo
Which of the following is NOT a valid argument to the --secret config option for associating a secret with a swarm service?
- source=$(pwd)/db_pw,target=password (Ans)