RETIRED - Docker Certified Associate (DCA) Practice Exam
This certification has been retired by Docker/Mirantis, but the question bank remains excellent free practice for Docker and container skills - great for interview prep and hands-on training. Covers orchestration, image management, networking, security, and storage.
Practice 681 exam-style RETIRED - Docker Certified Associate (DCA) questions with full answer explanations, then take timed mock exams that score like the real thing.
Question bank reviewed Jun 2026.
What the RETIRED - Docker Certified Associate (DCA) exam covers
- Orchestration: 146 questions
- Image Creation, Management, and Registry: 145 questions
- Installation and Configuration: 111 questions
- Networking: 110 questions
- Security: 88 questions
- Storage and Volumes: 81 questions
Free RETIRED - Docker Certified Associate (DCA) sample questions
A sample of 10 questions with answers and explanations.
- Which command is used to initialize a Docker Swarm cluster on a manager node?
  - A. docker swarm init (Correct)
  - B. docker node init
  - C. docker swarm create
  - D. docker cluster init
  ✓ Correct answer: A. The 'docker swarm init' command is the proper initialization command that configures the current node as a Swarm manager and establishes the manager certificate. It generates the initial manager token and worker join tokens, setting up the foundational Swarm cluster infrastructure. This command must be executed once on the first manager node before any additional nodes can join the cluster.
  Why the other options are wrong:
  - B. 'docker node init' is incorrect because 'docker node' commands manage existing nodes in a cluster, not initialize the Swarm cluster itself; there is no 'node init' subcommand in Docker.
  - C. 'docker swarm create' is incorrect because the proper subcommand is 'init' not 'create'; Docker does not use 'swarm create' for cluster initialization.
  - D. 'docker cluster init' is incorrect because Docker uses 'swarm' terminology and not 'cluster' in its command structure for manager node initialization.
- A production Docker Swarm service needs to be updated to a new image version. The team wants to minimize downtime and have the ability to automatically revert if the new version is unhealthy. Which TWO flags should they include in the service update command?
  - A. --update-order stop-first
  - B. --rollback-parallelism 0
  - C. --update-delay 0s
  - D. --update-order start-first (Correct)
  - E. --update-failure-action rollback (Correct)
  ✓ Correct answer: D, E. To minimize downtime during an update, '--update-order start-first' causes the Swarm scheduler to bring up the new task replica before stopping the old one, ensuring continuous availability throughout the rolling update. To enable automatic reversion when the new version is unhealthy, '--update-failure-action rollback' instructs the scheduler to automatically roll back all updated tasks to the previous service specification if a task fails to start or pass its health check within the monitoring window. Together these two flags achieve zero-downtime deployments with automatic failure recovery.
  Why the other options are wrong:
  - A. '--update-order stop-first' causes the old task to be stopped before the new replacement task is started, which creates a brief window of reduced capacity during each update step. This increases rather than minimizes downtime risk and is opposite to what is needed for this requirement.
  - B. '--rollback-parallelism 0' configures how many tasks are rolled back simultaneously during a rollback operation - setting it to 0 means all tasks are rolled back at once. This is a rollback configuration flag, not an update flag, and does not help trigger the rollback automatically or affect update ordering.
  - C. '--update-delay 0s' sets zero wait time between updating successive task batches. While this speeds up the update, it removes the stabilization window that allows health checks to detect problems with newly started tasks. Removing the delay makes automatic failure detection less reliable and is counterproductive for safe rolling updates.
- What is the purpose of the 'LABEL' instruction in a Dockerfile?
  - A. It assigns a human-readable name to a build stage
  - B. It creates environment variables accessible inside the running container
  - C. It specifies placement constraints for Docker Swarm scheduling
  - D. It adds metadata key-value pairs to the image that can be queried with 'docker inspect' (Correct)
  ✓ Correct answer: D. This is the correct answer based on Docker Swarm specifications and best practices. The answer directly addresses the technical requirement stated in the question. Understanding this concept is essential for managing containerized applications in Swarm mode.
  Why the other options are wrong:
  - A. 'It assigns a human-readable name to a build stage' is incorrect because it does not properly address the requirement or uses incorrect Docker syntax and terminology.
  - B. 'It creates environment variables accessible inside the running container' is incorrect because it does not properly address the requirement or uses incorrect Docker syntax and terminology.
  - C. 'It specifies placement constraints for Docker Swarm scheduling' is incorrect because it does not properly address the requirement or uses incorrect Docker syntax and terminology.
- Which storage driver is recommended for Docker on modern Linux distributions using ext4 or xfs filesystems?
  - A. Btrfs
  - B. Overlay2 (Correct)
  - C. aufs
  - D. devicemapper
  ✓ Correct answer: B. This is the correct answer based on Docker Swarm specifications and best practices. The answer directly addresses the technical requirement stated in the question. Understanding this concept is essential for managing containerized applications in Swarm mode.
  Why the other options are wrong:
  - A. Btrfs is incorrect because it does not properly address the requirement or uses incorrect Docker syntax and terminology.
  - C. aufs is incorrect because it does not properly address the requirement or uses incorrect Docker syntax and terminology.
  - D. devicemapper is incorrect because it does not properly address the requirement or uses incorrect Docker syntax and terminology.
- Which Docker network driver should be used to connect containers across multiple Docker hosts in a Swarm cluster?
  - A. overlay (Correct)
  - B. macvlan
  - C. Bridge
  - D. host
  ✓ Correct answer: A. The overlay network driver is specifically built for Docker Swarm multi-host deployments. It creates a distributed virtual network that spans multiple Docker hosts by encapsulating container traffic in VXLAN packets routed over the underlying physical network. Containers on different Swarm nodes connected to the same overlay network communicate as if they share a single Layer 2 segment, with Docker's control plane handling the tunneling transparently.
  Why the other options are wrong:
  - B. macvlan connects containers directly to a physical network with their own MAC addresses, but it operates only on a single host and cannot span multiple Docker hosts in a Swarm cluster.
  - C. Bridge is a single-host network driver that creates an isolated network on one Docker daemon. It cannot span multiple hosts and has no built-in mechanism to route traffic between containers running on different Swarm nodes.
  - D. host removes network namespace isolation and shares the Docker host's network stack with the container; it is per-host and provides no cross-host container communication capability.
- Which TWO of the following correctly describe how user namespaces work with Docker?
  - A. They remap the root user inside the container to a non-root user on the host (Correct)
  - B. They provide UID/GID isolation between the container and the host (Correct)
  - C. They allow containers to run without any Linux capabilities
  - D. They require all images to be built with specific UID configurations
  ✓ Correct answer: A, B. Docker user namespace remapping maps the container's UID/GID range (including container root, UID 0) onto a non-privileged subordinate UID/GID range on the host. This means a process running as root inside the container actually runs as an unprivileged user on the host, providing UID/GID isolation that limits the blast radius if a container process escapes.
  Why the other options are wrong:
  - C. Allowing containers to run without any Linux capabilities is incorrect, because capabilities are controlled separately by --cap-add and --cap-drop, independent of user-namespace UID/GID mapping.
  - D. User namespaces do not require images to be built with specific UID configurations; remapping is applied by the daemon at runtime and works transparently regardless of the UIDs baked into the image.
- In a Docker Swarm cluster, how are volumes handled when a service task is rescheduled to a different node?
  - A. Docker automatically migrates the volume data to the new node
  - B. The service task waits until the volume is manually moved to the new node
  - C. Docker creates a replica of the volume on all nodes in advance
  - D. The volume data remains on the original node and is not available on the new node unless using a shared storage driver (Correct)
  ✓ Correct answer: D. Docker Swarm does not include a built-in mechanism to migrate or replicate local volume data between nodes. When a service task is rescheduled - due to a node failure, a rolling update, or manual drain - the new task starts on a different node where the local volume does not exist or is empty. To ensure data continuity across rescheduling, operators must use a distributed or shared storage solution such as an NFS-backed local volume, a third-party volume plugin (for example REX-Ray or Portworx), or an external storage system that all nodes can access.
  Why the other options are wrong:
  - A. Docker automatically migrates the volume data to the new node - Docker Swarm has no built-in volume migration feature. Volume data is node-local unless an external shared storage solution is explicitly configured.
  - B. The service task waits until the volume is manually moved to the new node - Swarm does not pause task scheduling to wait for manual volume movement. The task is simply scheduled on the available node and will start with whatever volume state exists there.
  - C. Docker creates a replica of the volume on all nodes in advance - Docker does not pre-replicate volumes across Swarm nodes. Volumes are created on demand on the node that runs the task, with no automatic synchronisation between nodes.
- By default, how does Docker Swarm treat data exchanged over an overlay network between containers on different hosts when '--opt encrypted' is NOT set?
  - A. Control-plane traffic is encrypted, but data-plane (container) traffic is not encrypted (Correct)
  - B. Both control-plane and data-plane traffic are encrypted automatically
  - C. Neither control-plane nor data-plane traffic is encrypted
  - D. Only data-plane traffic is encrypted
  ✓ Correct answer: A. By default Swarm encrypts the management/control-plane gossip used to manage the overlay network. However, the actual application traffic between containers (the data plane) is only encrypted when the overlay network is created with '--opt encrypted', which enables IPsec on the VXLAN tunnels.
  Why the other options are wrong:
  - B. Data-plane encryption is not automatic; it must be enabled explicitly with --opt encrypted.
  - C. Control-plane traffic is in fact encrypted by default, so 'neither' is incorrect.
  - D. It is the control plane that is encrypted by default, not the data plane.
- You need to remove a specific tagged image, 'oldapp:0.9', from the local host without affecting other tags that share its layers. Which command should you use?
  - A. docker rmi oldapp:0.9 (Correct)
  - B. docker system prune -a
  - C. docker image prune
  - D. docker container rm oldapp:0.9
  ✓ Correct answer: A. 'docker rmi oldapp:0.9' removes that tag reference; shared layers remain on disk while any other tag still references them, and the underlying image is only fully deleted when no tags point to it.
  Why the other options are wrong:
  - B. 'docker system prune -a' aggressively removes all unused images and other resources, far more than the single tag requested.
  - C. 'docker image prune' targets dangling images broadly, not one named tag.
  - D. 'docker container rm' removes containers, not images, and the argument is an image reference.
- When you create a macvlan network, which mode must typically be enabled on the parent NIC or switch port for containers' distinct MAC addresses to communicate properly?
  - A. Promiscuous mode on the parent interface (Correct)
  - B. Spanning Tree Protocol on the switch
  - C. Jumbo frames (MTU 9000)
  - D. NIC teaming with LACP
  ✓ Correct answer: A. A macvlan network gives each container its own MAC address on the parent physical interface. Because the NIC and upstream switch then see multiple MAC addresses on one port, the parent interface usually must be put into promiscuous mode (and the switch may need to allow multiple MACs per port) for traffic to reach the containers.
  Why the other options are wrong:
  - B. STP prevents switching loops and is not what enables multiple MACs on a macvlan parent.
  - C. Jumbo frames affect MTU/performance, not macvlan MAC acceptance.
  - D. LACP/NIC teaming aggregates links and does not resolve the multiple-MAC requirement of macvlan.
RETIRED - Docker Certified Associate (DCA) practice exam FAQ
How many questions are in the RETIRED - Docker Certified Associate (DCA) practice exam on CertGrid?
CertGrid has 681 practice questions for RETIRED - Docker Certified Associate (DCA), covering 6 exam domains. The real RETIRED - Docker Certified Associate (DCA) exam has about 55 questions.
What is the passing score for RETIRED - Docker Certified Associate (DCA)?
The RETIRED - Docker Certified Associate (DCA) exam passing score is 650, and you have about 90 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official RETIRED - Docker Certified Associate (DCA) exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of RETIRED - Docker Certified Associate (DCA), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice RETIRED - Docker Certified Associate (DCA) for free?
Yes. You can start practicing RETIRED - Docker Certified Associate (DCA) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.