docker-practice/data/5_Security/docker_secrets.yaml at v1.5 · efficience-it/docker-practice · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
questions:
  - uuid: 4b7e2d1a-c8f3-4a56-9e0b-5d6a1f3c8e27
    question: In which Docker mode are Docker secrets available?
    answers:
      - { value: 'Standalone mode only', correct: false }
      - { value: 'Docker Compose standalone only', correct: false }
      - { value: 'Docker Swarm mode', correct: true }
      - { value: 'Any Docker mode without restrictions', correct: false }
    help: https://docs.docker.com/engine/swarm/secrets/

  - uuid: 8d3a6f1e-b5c2-4e79-a4d0-2c9b7e5f1a38
    question: Where are Docker secrets mounted inside a container by default?
    answers:
      - { value: '/etc/secrets/', correct: false }
      - { value: '/var/lib/docker/secrets/', correct: false }
      - { value: '/run/secrets/', correct: true }
      - { value: '/opt/docker/secrets/', correct: false }
    help: https://docs.docker.com/engine/swarm/secrets/

  - uuid: e1c5b9a3-d4f2-4867-80b1-6e3a7d2f5c94
    question: What is the maximum size of a Docker secret?
    answers:
      - { value: '256 KB', correct: false }
      - { value: '500 KB', correct: true }
      - { value: '1 MB', correct: false }
      - { value: '5 MB', correct: false }
    help: https://docs.docker.com/engine/swarm/secrets/

  - uuid: 3f9d7b2e-a1c4-4538-b6e0-8d5a2c7f1e43
    question: Which command is used to create a Docker secret from a file?
    answers:
      - { value: 'docker secret add my_secret ./secret.txt', correct: false }
      - { value: 'docker secret create my_secret ./secret.txt', correct: true }
      - { value: 'docker secret new my_secret --file ./secret.txt', correct: false }
      - { value: 'docker swarm secret create my_secret ./secret.txt', correct: false }
    help: https://docs.docker.com/engine/swarm/secrets/

  - uuid: 7a2e4c8b-d6f1-4359-b0a7-1e5d3f9c2b76
    question: Why are Docker secrets considered more secure than environment variables for sensitive data?
    answers:
      - { value: 'Environment variables are encrypted while secrets are not', correct: false }
      - { value: 'Secrets are stored encrypted in the Raft log and only mounted in-memory to authorized services, while environment variables can be exposed via inspect commands and logs', correct: true }
      - { value: 'Secrets can only be accessed by manager nodes', correct: false }
      - { value: 'There is no security difference between them', correct: false }
    help: https://docs.docker.com/engine/swarm/secrets/

  - uuid: c5b1d8f3-e2a4-4796-9d07-4a6e3b7c1f58
    question: How do you grant a running Swarm service access to a new secret?
    answers:
      - { value: 'docker secret attach <secret> <service>', correct: false }
      - { value: 'docker service update --secret-add <secret> <service>', correct: true }
      - { value: 'docker service secret add <secret> <service>', correct: false }
      - { value: 'docker secret grant <secret> --service <service>', correct: false }
    help: https://docs.docker.com/engine/swarm/secrets/

  - uuid: 9e4a2f6d-b3c1-4857-a0e8-7d5b1c8f3a29
    question: What happens to a Docker secret when you run docker secret inspect on it?
    answers:
      - { value: 'It displays the full secret value in plaintext', correct: false }
      - { value: 'It shows metadata about the secret such as ID, name, and creation date, but not the secret data itself', correct: true }
      - { value: 'It decrypts and prints the secret in base64', correct: false }
      - { value: 'It removes the secret from the Swarm cluster', correct: false }
    help: https://docs.docker.com/engine/swarm/secrets/

  - uuid: 2d8f5b1c-a3e7-4694-b0d2-6e9a4c7f3b15
    question: How is secret rotation typically handled in Docker Swarm?
    answers:
      - { value: 'Secrets are automatically rotated every 24 hours', correct: false }
      - { value: 'You create a new version of the secret, update the service to remove the old secret and add the new one', correct: true }
      - { value: 'You edit the secret in-place using docker secret update', correct: false }
      - { value: 'Secrets cannot be rotated once created', correct: false }
    help: https://docs.docker.com/engine/swarm/secrets/#example-rotate-a-secret