From f97bac279197f222d22d2384927599cb8ab15cce Mon Sep 17 00:00:00 2001
From: lacatoire <la.catoire@gmail.com>
Date: Sun, 8 Feb 2026 19:14:15 +0100
Subject: [PATCH] Add new questions for Security and Storage domains

Security (+34 questions):
- docker_bench_security.yaml: Docker Bench for Security (8)
- seccomp_profiles.yaml: seccomp profiles (6)
- apparmor_selinux.yaml: AppArmor/SELinux (6)
- docker_secrets.yaml: secrets management (8)
- readonly_containers.yaml: read-only containers (6)

Storage & Volumes (+26 questions):
- tmpfs_mounts.yaml: tmpfs mounts (6)
- storage_driver_comparison.yaml: storage driver comparison (8)
- system_cleanup.yaml: docker system df/prune (6)
- volume_plugins_nfs.yaml: volume plugins and NFS (6)
---
 README.md                                     |  9 +++
 data/5_Security/apparmor_selinux.yaml         | 54 ++++++++++++++
 data/5_Security/docker_bench_security.yaml    | 72 +++++++++++++++++++
 data/5_Security/docker_secrets.yaml           | 72 +++++++++++++++++++
 data/5_Security/readonly_containers.yaml      | 54 ++++++++++++++
 data/5_Security/seccomp_profiles.yaml         | 54 ++++++++++++++
 .../storage_driver_comparison.yaml            | 72 +++++++++++++++++++
 .../6_storage_and_volumes/system_cleanup.yaml | 54 ++++++++++++++
 data/6_storage_and_volumes/tmpfs_mounts.yaml  | 54 ++++++++++++++
 .../volume_plugins_nfs.yaml                   | 54 ++++++++++++++
 10 files changed, 549 insertions(+)
 create mode 100644 data/5_Security/apparmor_selinux.yaml
 create mode 100644 data/5_Security/docker_bench_security.yaml
 create mode 100644 data/5_Security/docker_secrets.yaml
 create mode 100644 data/5_Security/readonly_containers.yaml
 create mode 100644 data/5_Security/seccomp_profiles.yaml
 create mode 100644 data/6_storage_and_volumes/storage_driver_comparison.yaml
 create mode 100644 data/6_storage_and_volumes/system_cleanup.yaml
 create mode 100644 data/6_storage_and_volumes/tmpfs_mounts.yaml
 create mode 100644 data/6_storage_and_volumes/volume_plugins_nfs.yaml

diff --git a/README.md b/README.md
index 213bd15..a342e79 100644
--- a/README.md
+++ b/README.md
@@ -108,6 +108,11 @@ The goal is to help candidates:
 * [Describe and demonstrate how to configure RBAC with UCP.](data/5_Security/ucp_rbac_config.yaml)
 * [Describe and demonstrate how to integrate UCP with LDAP/AD.](data/5_Security/ucp_ldap_ad_integration.yaml)
 * [Describe and demonstrate how to create UCP client bundles.](data/5_Security/ucp_client_bundle.yaml)
+* [Describe Docker Bench for Security.](data/5_Security/docker_bench_security.yaml)
+* [Describe seccomp profiles.](data/5_Security/seccomp_profiles.yaml)
+* [Describe AppArmor and SELinux with Docker.](data/5_Security/apparmor_selinux.yaml)
+* [Describe Docker secrets management.](data/5_Security/docker_secrets.yaml)
+* [Describe read-only containers.](data/5_Security/readonly_containers.yaml)
 
 ### Domain 6: Storage and Volumes (10% of exam)
 
@@ -120,6 +125,10 @@ The goal is to help candidates:
 * [Describe and demonstrate how storage can be used across cluster nodes.](data/6_storage_and_volumes/volume_cluster.yaml)
 * [Describe how to provision persistent storage to a Kubernetes pod using persistentVolumes.](data/6_storage_and_volumes/peristent_volumes.yaml)
 * [Describe the relationship between container storage interface drivers, storageClass, persistentVolumeClaim and volume objects in Kubernetes.](data/6_storage_and_volumes/relationship_storage_volume.yaml)
+* [Describe tmpfs mounts.](data/6_storage_and_volumes/tmpfs_mounts.yaml)
+* [Compare storage drivers.](data/6_storage_and_volumes/storage_driver_comparison.yaml)
+* [Describe docker system df and prune commands.](data/6_storage_and_volumes/system_cleanup.yaml)
+* [Describe volume plugins and NFS.](data/6_storage_and_volumes/volume_plugins_nfs.yaml)
 
 ## Contributions
 
diff --git a/data/5_Security/apparmor_selinux.yaml b/data/5_Security/apparmor_selinux.yaml
new file mode 100644
index 0000000..1afb17e
--- /dev/null
+++ b/data/5_Security/apparmor_selinux.yaml
@@ -0,0 +1,54 @@
+questions:
+  - uuid: b4d2e8a1-c5f3-4976-9d07-6b1a3e7f2c89
+    question: What type of access control do AppArmor and SELinux provide for Docker containers?
+    answers:
+      - { value: 'Discretionary Access Control (DAC)', correct: false }
+      - { value: 'Role-Based Access Control (RBAC)', correct: false }
+      - { value: 'Mandatory Access Control (MAC)', correct: true }
+      - { value: 'Attribute-Based Access Control (ABAC)', correct: false }
+    help: https://docs.docker.com/engine/security/apparmor/
+
+  - uuid: e7f1c3b5-a2d4-4868-b9e0-8d6a1f5c4b27
+    question: What is the name of the default AppArmor profile that Docker applies to containers?
+    answers:
+      - { value: 'docker-apparmor', correct: false }
+      - { value: 'container-default', correct: false }
+      - { value: 'docker-default', correct: true }
+      - { value: 'apparmor-docker-profile', correct: false }
+    help: https://docs.docker.com/engine/security/apparmor/
+
+  - uuid: 9a5b1d8e-f4c2-4637-a0b3-7e6d3c1f9a45
+    question: Which flag is used to specify a custom AppArmor profile when running a Docker container?
+    answers:
+      - { value: '--apparmor-profile=<profile>', correct: false }
+      - { value: '--security-opt apparmor=<profile>', correct: true }
+      - { value: '--cap-add apparmor=<profile>', correct: false }
+      - { value: '--mac-profile=<profile>', correct: false }
+    help: https://docs.docker.com/engine/security/apparmor/
+
+  - uuid: 2c8f4a6d-b1e3-4d59-87b0-5e9a3d7c1f62
+    question: How do you apply SELinux label options to a Docker container at runtime?
+    answers:
+      - { value: '--selinux=<label>', correct: false }
+      - { value: '--security-opt label=<option>', correct: true }
+      - { value: '--mac-opt selinux=<label>', correct: false }
+      - { value: '--label-security=<option>', correct: false }
+    help: https://docs.docker.com/engine/security/
+
+  - uuid: 6e3d1b7a-c8f2-4a15-9d04-0b5f8e2c4a93
+    question: What is the key difference between Mandatory Access Control (MAC) and Discretionary Access Control (DAC)?
+    answers:
+      - { value: 'DAC policies are enforced by the kernel and cannot be overridden by users', correct: false }
+      - { value: 'MAC policies are enforced by the system regardless of user permissions, while DAC allows resource owners to set permissions', correct: true }
+      - { value: 'MAC is only available on Windows systems, while DAC is Linux-specific', correct: false }
+      - { value: 'There is no difference; they are interchangeable terms', correct: false }
+    help: https://docs.docker.com/engine/security/apparmor/
+
+  - uuid: f1a9c5d3-e2b4-4786-b0e8-4d7a6f3c8b12
+    question: What happens when you run a Docker container with --security-opt apparmor=unconfined?
+    answers:
+      - { value: 'The container uses the docker-default AppArmor profile', correct: false }
+      - { value: 'The container runs without any AppArmor profile applied', correct: true }
+      - { value: 'The container is blocked from starting', correct: false }
+      - { value: 'AppArmor applies the most restrictive profile available', correct: false }
+    help: https://docs.docker.com/engine/security/apparmor/
diff --git a/data/5_Security/docker_bench_security.yaml b/data/5_Security/docker_bench_security.yaml
new file mode 100644
index 0000000..205c633
--- /dev/null
+++ b/data/5_Security/docker_bench_security.yaml
@@ -0,0 +1,72 @@
+questions:
+  - uuid: 7a3e1f4b-92d8-4c6a-b5e7-1d8f3a2c9b04
+    question: What is Docker Bench for Security?
+    answers:
+      - { value: 'A Docker image scanning tool for CVEs', correct: false }
+      - { value: 'A script that checks for best practices around deploying Docker containers in production based on the CIS Docker Benchmark', correct: true }
+      - { value: 'A firewall configuration utility for Docker networks', correct: false }
+      - { value: 'A performance benchmarking tool for Docker containers', correct: false }
+    help: https://docs.docker.com/engine/security/
+
+  - uuid: 3b2d8e6f-a1c4-4f9b-87e5-6c0d4a3f1e28
+    question: How is the docker-bench-security tool typically executed?
+    answers:
+      - { value: 'By installing it as a Docker plugin', correct: false }
+      - { value: 'By running it as a Docker container with access to the Docker socket and system directories', correct: true }
+      - { value: 'By compiling it from source on the host', correct: false }
+      - { value: 'By enabling it in the Docker daemon configuration file', correct: false }
+    help: https://docs.docker.com/engine/security/
+
+  - uuid: d4f6a8c2-5b1e-4d93-a0f7-9e3c2b8d1a56
+    question: Which of the following is NOT one of the audit categories checked by Docker Bench for Security?
+    answers:
+      - { value: 'Host Configuration', correct: false }
+      - { value: 'Docker Daemon Configuration', correct: false }
+      - { value: 'Container Runtime', correct: false }
+      - { value: 'Application Source Code Quality', correct: true }
+    help: https://docs.docker.com/engine/security/
+
+  - uuid: 1e9b7c3a-8d4f-42a6-b5c1-0f6e2d8a4b79
+    question: What standard does Docker Bench for Security use as its baseline for security checks?
+    answers:
+      - { value: 'NIST SP 800-53', correct: false }
+      - { value: 'CIS Docker Benchmark', correct: true }
+      - { value: 'OWASP Top 10', correct: false }
+      - { value: 'PCI DSS v3.2', correct: false }
+    help: https://docs.docker.com/engine/security/
+
+  - uuid: 8c5f2d1a-b3e7-4a69-9d06-7f4e1c8b3a25
+    question: What does a WARN result in Docker Bench for Security output indicate?
+    answers:
+      - { value: 'The check was skipped because it does not apply', correct: false }
+      - { value: 'The check passed with minor observations', correct: false }
+      - { value: 'The configuration does not meet the CIS benchmark recommendation and should be remediated', correct: true }
+      - { value: 'The Docker daemon needs to be restarted', correct: false }
+    help: https://docs.docker.com/engine/security/
+
+  - uuid: 5a4e9b7d-c2f1-4683-b8d0-3e6f1a8c2d47
+    question: Which Docker Bench for Security section audits settings such as restricting network traffic between containers and configuring TLS authentication?
+    answers:
+      - { value: 'Container Images and Build File', correct: false }
+      - { value: 'Host Configuration', correct: false }
+      - { value: 'Docker Daemon Configuration', correct: true }
+      - { value: 'Docker Swarm Configuration', correct: false }
+    help: https://docs.docker.com/engine/security/
+
+  - uuid: f2c8b1d6-4a3e-4975-8e09-5d7a6c1f0b93
+    question: What type of checks does Docker Bench for Security classify as "manual" rather than "automated"?
+    answers:
+      - { value: 'Checks that require human judgment or organizational policy review', correct: true }
+      - { value: 'Checks that must be run on Windows hosts only', correct: false }
+      - { value: 'Checks that require the Docker daemon to be stopped', correct: false }
+      - { value: 'Checks that are only available in Docker Enterprise', correct: false }
+    help: https://docs.docker.com/engine/security/
+
+  - uuid: 6d1a3f8e-b5c2-4d07-9a4b-2e7c0f9d5b16
+    question: Which of the following is a host configuration recommendation checked by Docker Bench for Security?
+    answers:
+      - { value: 'Ensure that the Docker socket is exposed on TCP port 2375', correct: false }
+      - { value: 'Ensure containers run with the --privileged flag', correct: false }
+      - { value: 'Ensure auditing is configured for Docker files and directories', correct: true }
+      - { value: 'Ensure all containers use the host network mode', correct: false }
+    help: https://docs.docker.com/engine/security/
diff --git a/data/5_Security/docker_secrets.yaml b/data/5_Security/docker_secrets.yaml
new file mode 100644
index 0000000..a6361b5
--- /dev/null
+++ b/data/5_Security/docker_secrets.yaml
@@ -0,0 +1,72 @@
+questions:
+  - uuid: 4b7e2d1a-c8f3-4a56-9e0b-5d6a1f3c8e27
+    question: In which Docker mode are Docker secrets available?
+    answers:
+      - { value: 'Standalone mode only', correct: false }
+      - { value: 'Docker Compose standalone only', correct: false }
+      - { value: 'Docker Swarm mode', correct: true }
+      - { value: 'Any Docker mode without restrictions', correct: false }
+    help: https://docs.docker.com/engine/swarm/secrets/
+
+  - uuid: 8d3a6f1e-b5c2-4e79-a4d0-2c9b7e5f1a38
+    question: Where are Docker secrets mounted inside a container by default?
+    answers:
+      - { value: '/etc/secrets/', correct: false }
+      - { value: '/var/lib/docker/secrets/', correct: false }
+      - { value: '/run/secrets/', correct: true }
+      - { value: '/opt/docker/secrets/', correct: false }
+    help: https://docs.docker.com/engine/swarm/secrets/
+
+  - uuid: e1c5b9a3-d4f2-4867-80b1-6e3a7d2f5c94
+    question: What is the maximum size of a Docker secret?
+    answers:
+      - { value: '256 KB', correct: false }
+      - { value: '500 KB', correct: true }
+      - { value: '1 MB', correct: false }
+      - { value: '5 MB', correct: false }
+    help: https://docs.docker.com/engine/swarm/secrets/
+
+  - uuid: 3f9d7b2e-a1c4-4538-b6e0-8d5a2c7f1e43
+    question: Which command is used to create a Docker secret from a file?
+    answers:
+      - { value: 'docker secret add my_secret ./secret.txt', correct: false }
+      - { value: 'docker secret create my_secret ./secret.txt', correct: true }
+      - { value: 'docker secret new my_secret --file ./secret.txt', correct: false }
+      - { value: 'docker swarm secret create my_secret ./secret.txt', correct: false }
+    help: https://docs.docker.com/engine/swarm/secrets/
+
+  - uuid: 7a2e4c8b-d6f1-4359-b0a7-1e5d3f9c2b76
+    question: Why are Docker secrets considered more secure than environment variables for sensitive data?
+    answers:
+      - { value: 'Environment variables are encrypted while secrets are not', correct: false }
+      - { value: 'Secrets are stored encrypted in the Raft log and only mounted in-memory to authorized services, while environment variables can be exposed via inspect commands and logs', correct: true }
+      - { value: 'Secrets can only be accessed by manager nodes', correct: false }
+      - { value: 'There is no security difference between them', correct: false }
+    help: https://docs.docker.com/engine/swarm/secrets/
+
+  - uuid: c5b1d8f3-e2a4-4796-9d07-4a6e3b7c1f58
+    question: How do you grant a running Swarm service access to a new secret?
+    answers:
+      - { value: 'docker secret attach <secret> <service>', correct: false }
+      - { value: 'docker service update --secret-add <secret> <service>', correct: true }
+      - { value: 'docker service secret add <secret> <service>', correct: false }
+      - { value: 'docker secret grant <secret> --service <service>', correct: false }
+    help: https://docs.docker.com/engine/swarm/secrets/
+
+  - uuid: 9e4a2f6d-b3c1-4857-a0e8-7d5b1c8f3a29
+    question: What happens to a Docker secret when you run docker secret inspect on it?
+    answers:
+      - { value: 'It displays the full secret value in plaintext', correct: false }
+      - { value: 'It shows metadata about the secret such as ID, name, and creation date, but not the secret data itself', correct: true }
+      - { value: 'It decrypts and prints the secret in base64', correct: false }
+      - { value: 'It removes the secret from the Swarm cluster', correct: false }
+    help: https://docs.docker.com/engine/swarm/secrets/
+
+  - uuid: 2d8f5b1c-a3e7-4694-b0d2-6e9a4c7f3b15
+    question: How is secret rotation typically handled in Docker Swarm?
+    answers:
+      - { value: 'Secrets are automatically rotated every 24 hours', correct: false }
+      - { value: 'You create a new version of the secret, update the service to remove the old secret and add the new one', correct: true }
+      - { value: 'You edit the secret in-place using docker secret update', correct: false }
+      - { value: 'Secrets cannot be rotated once created', correct: false }
+    help: https://docs.docker.com/engine/swarm/secrets/#example-rotate-a-secret
diff --git a/data/5_Security/readonly_containers.yaml b/data/5_Security/readonly_containers.yaml
new file mode 100644
index 0000000..40f7f2e
--- /dev/null
+++ b/data/5_Security/readonly_containers.yaml
@@ -0,0 +1,54 @@
+questions:
+  - uuid: d6b3e1f8-c4a2-4957-8d0b-7e5a3c9f1b24
+    question: What does the --read-only flag do when used with docker run?
+    answers:
+      - { value: 'Prevents the container from reading environment variables', correct: false }
+      - { value: 'Blocks all network read operations', correct: false }
+      - { value: "Mounts the container's root filesystem as read-only", correct: true }
+      - { value: 'Makes all mounted volumes read-only', correct: false }
+    help: https://docs.docker.com/engine/reference/run/#read-only
+
+  - uuid: a2f8d4b1-e6c3-4a75-9b07-1d5e8c3f7a92
+    question: How can you allow a read-only container to write to a specific directory?
+    answers:
+      - { value: 'Use --writable-dir to specify the directory', correct: false }
+      - { value: 'Use --tmpfs to mount a writable tmpfs filesystem at that path', correct: true }
+      - { value: 'Read-only containers cannot write to any directory', correct: false }
+      - { value: 'Use --read-only=partial to allow selective writes', correct: false }
+    help: https://docs.docker.com/engine/reference/run/#read-only
+
+  - uuid: 5c9e1a7d-b2f4-4386-80d3-6a8b3e1f5c47
+    question: Which command runs a container with a read-only root filesystem and a writable /tmp directory?
+    answers:
+      - { value: 'docker run --read-only --writable /tmp myimage', correct: false }
+      - { value: 'docker run --read-only --tmpfs /tmp myimage', correct: true }
+      - { value: 'docker run --immutable --allow-write /tmp myimage', correct: false }
+      - { value: 'docker run --filesystem ro --exception /tmp myimage', correct: false }
+    help: https://docs.docker.com/engine/reference/run/#read-only
+
+  - uuid: 8b4f2d6a-c1e3-4a58-97b0-3e7d5a9c1f82
+    question: What is a key security benefit of running containers with a read-only root filesystem?
+    answers:
+      - { value: 'It encrypts the container filesystem', correct: false }
+      - { value: 'It prevents attackers from modifying the container filesystem, such as installing malware or altering binaries', correct: true }
+      - { value: 'It automatically enables AppArmor for the container', correct: false }
+      - { value: 'It disables all Linux capabilities inside the container', correct: false }
+    help: https://docs.docker.com/engine/reference/run/#read-only
+
+  - uuid: 1e7c3a5d-f8b2-4d96-a0b4-9d6e2f4c8b31
+    question: What happens when a process inside a read-only container attempts to write to the root filesystem?
+    answers:
+      - { value: 'The write is silently discarded', correct: false }
+      - { value: 'The container is automatically stopped', correct: false }
+      - { value: 'The process receives a read-only filesystem error', correct: true }
+      - { value: 'The write is redirected to a temporary overlay', correct: false }
+    help: https://docs.docker.com/engine/reference/run/#read-only
+
+  - uuid: 4a9d6f2b-e3c1-4875-b8d0-5c7e1a3f9b64
+    question: Which combination of flags provides a read-only container with writable directories for /tmp and /var/run?
+    answers:
+      - { value: 'docker run --read-only --tmpfs /tmp --tmpfs /var/run myimage', correct: true }
+      - { value: 'docker run --read-only --volume /tmp --volume /var/run myimage', correct: false }
+      - { value: 'docker run --read-only --writable /tmp,/var/run myimage', correct: false }
+      - { value: 'docker run --immutable --except /tmp,/var/run myimage', correct: false }
+    help: https://docs.docker.com/engine/reference/run/#read-only
diff --git a/data/5_Security/seccomp_profiles.yaml b/data/5_Security/seccomp_profiles.yaml
new file mode 100644
index 0000000..9d09d29
--- /dev/null
+++ b/data/5_Security/seccomp_profiles.yaml
@@ -0,0 +1,54 @@
+questions:
+  - uuid: a9d3e7b1-4c6f-4285-b0e8-2f5a1d8c3e97
+    question: What does seccomp stand for in the context of Docker security?
+    answers:
+      - { value: 'Secure Composition', correct: false }
+      - { value: 'Security Compliance', correct: false }
+      - { value: 'Secure Computing Mode', correct: true }
+      - { value: 'Secure Container Management Protocol', correct: false }
+    help: https://docs.docker.com/engine/security/seccomp/
+
+  - uuid: 2f8c4b6e-d1a3-4e57-9b0d-7a5e3c1f8d29
+    question: What does Docker's default seccomp profile do to containers?
+    answers:
+      - { value: 'It blocks all network access by default', correct: false }
+      - { value: 'It restricts the set of system calls available to the container process', correct: true }
+      - { value: 'It encrypts all filesystem operations', correct: false }
+      - { value: 'It prevents containers from using environment variables', correct: false }
+    help: https://docs.docker.com/engine/security/seccomp/
+
+  - uuid: 74e1a5c8-b3d2-4f96-80a7-9d6f2e4b1c53
+    question: Which flag is used to apply a custom seccomp profile when running a Docker container?
+    answers:
+      - { value: '--cap-add seccomp', correct: false }
+      - { value: '--seccomp-profile', correct: false }
+      - { value: '--security-opt seccomp=<profile.json>', correct: true }
+      - { value: '--profile seccomp=<profile.json>', correct: false }
+    help: https://docs.docker.com/engine/security/seccomp/
+
+  - uuid: c3b7d9e2-1f5a-4c68-b4d0-8e6a2f3c7b15
+    question: How do you disable the default seccomp profile for a Docker container?
+    answers:
+      - { value: '--security-opt seccomp=disabled', correct: false }
+      - { value: '--security-opt seccomp=unconfined', correct: true }
+      - { value: '--security-opt no-seccomp', correct: false }
+      - { value: '--disable-seccomp', correct: false }
+    help: https://docs.docker.com/engine/security/seccomp/
+
+  - uuid: 5e2a8d4f-c6b1-4397-a0e3-1b9f7d5c3a68
+    question: Which of the following system calls is blocked by Docker's default seccomp profile?
+    answers:
+      - { value: 'read', correct: false }
+      - { value: 'write', correct: false }
+      - { value: 'clone (with CLONE_NEWUSER flag)', correct: true }
+      - { value: 'open', correct: false }
+    help: https://docs.docker.com/engine/security/seccomp/
+
+  - uuid: 18f6c4a9-d2e3-4b75-8c1a-0d7b5e9f2a46
+    question: What format is used to define a custom seccomp profile for Docker?
+    answers:
+      - { value: 'YAML', correct: false }
+      - { value: 'XML', correct: false }
+      - { value: 'JSON', correct: true }
+      - { value: 'TOML', correct: false }
+    help: https://docs.docker.com/engine/security/seccomp/
diff --git a/data/6_storage_and_volumes/storage_driver_comparison.yaml b/data/6_storage_and_volumes/storage_driver_comparison.yaml
new file mode 100644
index 0000000..c3703a2
--- /dev/null
+++ b/data/6_storage_and_volumes/storage_driver_comparison.yaml
@@ -0,0 +1,72 @@
+questions:
+  - uuid: 1a3b5c7d-9e0f-4a2b-8c4d-6e8f0a1b3c5d
+    question: Which storage driver is the default and recommended driver for Docker on most modern Linux distributions?
+    answers:
+      - { value: 'aufs', correct: false }
+      - { value: 'devicemapper', correct: false }
+      - { value: 'overlay2', correct: true }
+      - { value: 'btrfs', correct: false }
+    help: https://docs.docker.com/storage/storagedriver/select-storage-driver/
+
+  - uuid: 2b4c6d8e-0f1a-4b3c-9d5e-7f0a2b4c6d8e
+    question: What mechanism do Docker storage drivers use to avoid duplicating data across image layers?
+    answers:
+      - { value: 'Data deduplication', correct: false }
+      - { value: 'Copy-on-write (CoW)', correct: true }
+      - { value: 'RAID mirroring', correct: false }
+      - { value: 'Log-structured merge trees', correct: false }
+    help: https://docs.docker.com/storage/storagedriver/#the-copy-on-write-cow-strategy
+
+  - uuid: 575439a5-ce5e-4a72-845a-731a0fbc3fac
+    question: Which command displays the current storage driver used by the Docker daemon?
+    answers:
+      - { value: 'docker storage info', correct: false }
+      - { value: 'docker inspect --driver', correct: false }
+      - { value: 'docker info', correct: true }
+      - { value: 'docker system driver', correct: false }
+    help: https://docs.docker.com/engine/reference/commandline/info/
+
+  - uuid: 9486e50b-0564-4354-ba03-366d42821ae8
+    question: What is a key requirement for overlay2 to function correctly on an xfs filesystem?
+    answers:
+      - { value: 'The xfs filesystem must be mounted with the nobarrier option', correct: false }
+      - { value: 'The xfs filesystem must be formatted with d_type=true (ftype=1)', correct: true }
+      - { value: 'The xfs filesystem must use a block size of 8192 bytes', correct: false }
+      - { value: 'The xfs filesystem must have journaling disabled', correct: false }
+    help: https://docs.docker.com/storage/storagedriver/overlayfs-driver/#prerequisites
+
+  - uuid: 100529f2-6e50-4196-aaeb-33c974d415b3
+    question: Which storage driver requires the backing filesystem to be the same type as the driver (e.g., a btrfs filesystem for the btrfs driver)?
+    answers:
+      - { value: 'overlay2', correct: false }
+      - { value: 'devicemapper', correct: false }
+      - { value: 'btrfs and zfs', correct: true }
+      - { value: 'aufs', correct: false }
+    help: https://docs.docker.com/storage/storagedriver/select-storage-driver/#supported-backing-filesystems
+
+  - uuid: 6c4a2aba-583c-4e9f-a492-0cdb1fb8e276
+    question: In the copy-on-write strategy, when does Docker copy a file from a lower layer to the writable container layer?
+    answers:
+      - { value: 'When the container is started', correct: false }
+      - { value: 'When the file is read for the first time', correct: false }
+      - { value: 'When the file is modified for the first time', correct: true }
+      - { value: 'When the container image is pulled', correct: false }
+    help: https://docs.docker.com/storage/storagedriver/#the-copy-on-write-cow-strategy
+
+  - uuid: ed8b27a0-6b76-4d9e-8374-9dcc4d1c9594
+    question: Why is the devicemapper driver in loop-lvm mode unsuitable for production?
+    answers:
+      - { value: 'It does not support any Linux distribution', correct: false }
+      - { value: 'It uses loopback devices which are slow and resource-intensive', correct: true }
+      - { value: 'It cannot store images larger than 1 GB', correct: false }
+      - { value: 'It requires a commercial Docker license', correct: false }
+    help: https://docs.docker.com/storage/storagedriver/device-mapper-driver/#configure-loop-lvm-mode-for-testing
+
+  - uuid: 6da8b5c9-d21e-4ce4-b35f-747cad6e4f5e
+    question: Which storage driver uses OverlayFS with multiple lower directories, reducing inode consumption compared to its predecessor?
+    answers:
+      - { value: 'aufs', correct: false }
+      - { value: 'overlay (the original)', correct: false }
+      - { value: 'overlay2', correct: true }
+      - { value: 'devicemapper', correct: false }
+    help: https://docs.docker.com/storage/storagedriver/overlayfs-driver/#how-the-overlay2-driver-works
diff --git a/data/6_storage_and_volumes/system_cleanup.yaml b/data/6_storage_and_volumes/system_cleanup.yaml
new file mode 100644
index 0000000..e4ee975
--- /dev/null
+++ b/data/6_storage_and_volumes/system_cleanup.yaml
@@ -0,0 +1,54 @@
+questions:
+  - uuid: d70d5b33-5585-4e69-aa41-0c03a6ac042b
+    question: Which command shows a summary of disk space used by Docker images, containers, volumes, and build cache?
+    answers:
+      - { value: 'docker system usage', correct: false }
+      - { value: 'docker disk info', correct: false }
+      - { value: 'docker system df', correct: true }
+      - { value: 'docker storage stats', correct: false }
+    help: https://docs.docker.com/engine/reference/commandline/system_df/
+
+  - uuid: c5200061-f45e-48ae-ba03-46541582f36e
+    question: What does the command 'docker system prune' remove by default?
+    answers:
+      - { value: 'All stopped containers, all networks not used by at least one container, all dangling images, and all dangling build cache', correct: true }
+      - { value: 'All containers including running ones, all images, and all volumes', correct: false }
+      - { value: 'Only unused volumes and dangling images', correct: false }
+      - { value: 'Only stopped containers and their associated volumes', correct: false }
+    help: https://docs.docker.com/engine/reference/commandline/system_prune/
+
+  - uuid: 1e3f5a7b-9c0d-4e2f-8a4b-6c9d1e3f5a7b
+    question: What is the difference between a dangling image and an unused image?
+    answers:
+      - { value: 'Dangling images are corrupted; unused images are intact but old', correct: false }
+      - { value: "A dangling image is not tagged and not referenced by any container, while an unused image is any image not referenced by a container", correct: true }
+      - { value: 'Dangling images are in remote registries; unused images are local only', correct: false }
+      - { value: 'There is no difference; the terms are interchangeable', correct: false }
+    help: https://docs.docker.com/engine/reference/commandline/image_prune/
+
+  - uuid: 2f4a6b8c-0d1e-4f3a-9b5c-7d0e2f4a6b8c
+    question: Which command removes all volumes that are not currently mounted by at least one container?
+    answers:
+      - { value: 'docker volume rm --all', correct: false }
+      - { value: 'docker volume prune', correct: true }
+      - { value: 'docker system prune', correct: false }
+      - { value: 'docker volume clean', correct: false }
+    help: https://docs.docker.com/engine/reference/commandline/volume_prune/
+
+  - uuid: d4ee6ded-10a1-4848-8100-30d8f1f51715
+    question: How can you use the --filter flag with 'docker image prune' to remove images created more than 24 hours ago?
+    answers:
+      - { value: 'docker image prune --filter age=24h', correct: false }
+      - { value: 'docker image prune --filter until=24h', correct: true }
+      - { value: 'docker image prune --filter older-than=24h', correct: false }
+      - { value: 'docker image prune --filter created=24h', correct: false }
+    help: https://docs.docker.com/engine/reference/commandline/image_prune/#filtering
+
+  - uuid: 079659ed-e2bd-42ea-8d46-9a834d1b76e0
+    question: What additional flag must be passed to 'docker system prune' to also remove unused volumes?
+    answers:
+      - { value: '--all', correct: false }
+      - { value: '--force', correct: false }
+      - { value: '--volumes', correct: true }
+      - { value: '--deep', correct: false }
+    help: https://docs.docker.com/engine/reference/commandline/system_prune/
diff --git a/data/6_storage_and_volumes/tmpfs_mounts.yaml b/data/6_storage_and_volumes/tmpfs_mounts.yaml
new file mode 100644
index 0000000..0a79584
--- /dev/null
+++ b/data/6_storage_and_volumes/tmpfs_mounts.yaml
@@ -0,0 +1,54 @@
+questions:
+  - uuid: a1d4e7b3-5f29-4c8a-b6e2-9d3f8a1c7e50
+    question: What is the primary characteristic of a tmpfs mount in Docker?
+    answers:
+      - { value: 'Data is persisted to the host filesystem', correct: false }
+      - { value: 'Data is stored only in the host memory and never written to disk', correct: true }
+      - { value: 'Data is replicated across Swarm nodes', correct: false }
+      - { value: 'Data is stored inside the container image layer', correct: false }
+    help: https://docs.docker.com/storage/tmpfs/
+
+  - uuid: b2c5f8a4-6e31-4d9b-a7f3-0e4a9b2d8f61
+    question: Which flag can be used to create a tmpfs mount when running a container?
+    answers:
+      - { value: '--memory-fs /app/cache', correct: false }
+      - { value: '--ramdisk /app/cache', correct: false }
+      - { value: '--tmpfs /app/cache', correct: true }
+      - { value: '--volatile /app/cache', correct: false }
+    help: https://docs.docker.com/storage/tmpfs/#use-a-tmpfs-mount-in-a-container
+
+  - uuid: c3d6a9b5-7f42-4eac-b8a4-1f5b0c3e9a72
+    question: How do you specify a size limit of 64 megabytes for a tmpfs mount using the --mount syntax?
+    answers:
+      - { value: '--mount type=tmpfs,destination=/app/tmp,tmpfs-size=64m', correct: false }
+      - { value: '--mount type=tmpfs,destination=/app/tmp,tmpfs-size=67108864', correct: true }
+      - { value: '--mount type=tmpfs,destination=/app/tmp,size=64MB', correct: false }
+      - { value: '--mount type=tmpfs,destination=/app/tmp,max-size=64m', correct: false }
+    help: https://docs.docker.com/storage/tmpfs/#specify-tmpfs-options
+
+  - uuid: 466f6942-30ac-4670-808d-fbe925e40832
+    question: What does the tmpfs-mode option control when creating a tmpfs mount?
+    answers:
+      - { value: 'The maximum number of files allowed in the tmpfs', correct: false }
+      - { value: 'The file permission mode of the tmpfs filesystem in octal', correct: true }
+      - { value: 'Whether the tmpfs operates in synchronous or asynchronous mode', correct: false }
+      - { value: 'The compression algorithm used for data in memory', correct: false }
+    help: https://docs.docker.com/storage/tmpfs/#specify-tmpfs-options
+
+  - uuid: 5249cf97-189b-409f-bc8e-6cec89db2526
+    question: In which scenario is a tmpfs mount most appropriate?
+    answers:
+      - { value: 'Sharing configuration files between the host and container', correct: false }
+      - { value: 'Persisting database data across container restarts', correct: false }
+      - { value: 'Storing sensitive secrets or temporary data that should not persist on the host or in the container writable layer', correct: true }
+      - { value: 'Sharing data between multiple containers on different hosts', correct: false }
+    help: https://docs.docker.com/storage/tmpfs/
+
+  - uuid: 9252b98d-06ec-4cc5-96af-0d2bb7551ffe
+    question: How do you add a tmpfs mount to a Swarm service?
+    answers:
+      - { value: 'docker service create --tmpfs /run/secrets nginx', correct: false }
+      - { value: 'docker service create --mount type=tmpfs,destination=/run/secrets nginx', correct: true }
+      - { value: 'docker service create --volume type=tmpfs,target=/run/secrets nginx', correct: false }
+      - { value: 'docker service create --memory-mount /run/secrets nginx', correct: false }
+    help: https://docs.docker.com/storage/tmpfs/#use-a-tmpfs-mount-in-a-service
diff --git a/data/6_storage_and_volumes/volume_plugins_nfs.yaml b/data/6_storage_and_volumes/volume_plugins_nfs.yaml
new file mode 100644
index 0000000..0c3558c
--- /dev/null
+++ b/data/6_storage_and_volumes/volume_plugins_nfs.yaml
@@ -0,0 +1,54 @@
+questions:
+  - uuid: a466b434-9c04-4d38-b6b6-fd3242843f4e
+    question: How do you create a Docker volume that uses NFS as the backing storage with the local driver?
+    answers:
+      - { value: 'docker volume create --driver nfs --opt server=nfs.example.com --opt share=/data myvolume', correct: false }
+      - { value: 'docker volume create --driver local --opt type=nfs --opt o=addr=nfs.example.com,rw --opt device=:/data myvolume', correct: true }
+      - { value: 'docker volume create --type nfs --server nfs.example.com --path /data myvolume', correct: false }
+      - { value: 'docker volume create --nfs-mount nfs.example.com:/data myvolume', correct: false }
+    help: https://docs.docker.com/storage/volumes/#create-a-service-which-creates-an-nfs-volume
+
+  - uuid: b1111aa0-2178-4974-b791-ac2738e45eac
+    question: Which command installs a Docker volume plugin from Docker Hub?
+    answers:
+      - { value: 'docker volume add-driver myplugin', correct: false }
+      - { value: 'docker plugin install myplugin', correct: true }
+      - { value: 'docker driver install myplugin', correct: false }
+      - { value: 'docker extension add myplugin', correct: false }
+    help: https://docs.docker.com/engine/extend/plugin_api/
+
+  - uuid: e4accb25-7e04-4edc-aeb0-b731dd6e21c2
+    question: What is the purpose of third-party volume plugins such as REX-Ray or Portworx in Docker?
+    answers:
+      - { value: 'They replace the Docker daemon with a custom storage engine', correct: false }
+      - { value: 'They provide integration with external or cloud-based storage systems for persistent data', correct: true }
+      - { value: 'They compress all volume data to reduce disk usage', correct: false }
+      - { value: 'They enforce encryption on all container filesystems', correct: false }
+    help: https://docs.docker.com/engine/extend/legacy_plugins/#volume-plugins
+
+  - uuid: 87897d9e-ba11-47bc-a722-e31f600e53b1
+    question: When creating a volume with the local driver and NFS options, which --opt parameter specifies the mount type?
+    answers:
+      - { value: '--opt driver=nfs', correct: false }
+      - { value: '--opt filesystem=nfs', correct: false }
+      - { value: '--opt type=nfs', correct: true }
+      - { value: '--opt proto=nfs', correct: false }
+    help: https://docs.docker.com/storage/volumes/#create-a-service-which-creates-an-nfs-volume
+
+  - uuid: 4bb83da8-6c5b-4221-8be6-ca18eb2a3f1b
+    question: Where does Docker look for volume plugin socket files on Linux by default?
+    answers:
+      - { value: '/etc/docker/plugins/', correct: false }
+      - { value: '/run/docker/plugins/', correct: true }
+      - { value: '/var/lib/docker/drivers/', correct: false }
+      - { value: '/opt/docker/volume-plugins/', correct: false }
+    help: https://docs.docker.com/engine/extend/plugin_api/#plugin-discovery
+
+  - uuid: b6581de8-3eb3-4d0d-8940-4b7d9ebef186
+    question: How do you specify a volume driver when creating a named volume?
+    answers:
+      - { value: 'docker volume create --type mydriver myvolume', correct: false }
+      - { value: 'docker volume create -d mydriver myvolume', correct: true }
+      - { value: 'docker volume create --plugin mydriver myvolume', correct: false }
+      - { value: 'docker volume create --storage mydriver myvolume', correct: false }
+    help: https://docs.docker.com/engine/reference/commandline/volume_create/