Newly Released Docker DCA Exam PDF

While removing push access from all other users can prevent an image from being overwritten, it’s not the only way and might not be the most efficient or practical solution, especially in a collaborative environment. Docker Trusted Registry (DTR) provides a feature called ‘Immutable Tags’ which can be used to prevent an image, such as ‘nginx:latest’, from being overwritten. Once a tag is marked as immutable, DTR will prevent any user from pushing the same tag to the repository, thus preserving the image. This allows for better version control and prevents accidental overwrites. Therefore, the solution to prevent an image from being overwritten is not just to remove push access from all other users, but to use the features provided by DTR like ‘Immutable Tags’.

= Docker will block this command if you configure the local Docker engine to enforce content trust by setting the environment variable DOCKER_CONTENT_TRUST=1. This means that you can only pull, run, or build with trusted images that have been signed using Docker Content Trust (DCT)1. DCT is a feature that allows you to use digital signatures to verify the integrity and the publisher of specific image tags2. If myorg/myimage:1.0 is unsigned, it means that it does not have a valid signature from the image publisher or a trusted delegate. Therefore, Docker will not allow you to build an image from a Dockerfile that begins with FROM myorg/myimage:1.0, as it cannot verify the source or the content of the base image. You will get an error message like this:

No valid trust data for 1.0

To avoid this error, you need to either disable DCT by setting DOCKER_CONTENT_TRUST=0, or use a signed image tag as the base image in your Dockerfile3. References:

Content trust in Docker | Docker Docs

Docker Content Trust: What It Is and How It Secures Container Images

Automation with content trust | Docker Docs

= The command docker service create --network --secure will not ensure that overlay traffic between service tasks is encrypted. This is because the --secure option is not a valid option for the docker service create command1. To ensure that overlay traffic between service tasks is encrypted, you need to use the --opt encrypted option when creating the overlay network with the docker network create command2. For example, to create an encrypted overlay network named my-net, you can use the following command:

docker network create --driver overlay --opt encrypted my-net

Then, you can use the --network my-net option when creating the service with the docker service create command3. For example, to create a service named my-service using the nginx image and the my-net network, you can use the following command:

docker service create --name my-service --network my-net nginx

docker service create | Docker Docs

Use overlay networks | Docker Docs

Create a service | Docker Docs