You need to recommend a Docker container build strategy that meets the following requirements:
✑ Minimizes image sizes
✑ Minimizes the security surface area of the final image
What should you include in the recommendation?
Answer:
A
Multi-stage builds are a new feature requiring Docker 17.05 or higher on the daemon and client. Multi-stage builds are useful to anyone who has struggled to optimize Dockerfiles while keeping them easy to read and maintain.
Incorrect Answers:
C: A swarm consists of multiple Docker hosts which run in swarm mode and act as managers (to manage membership and delegation) and workers (which run swarm services).
Reference:
https://docs.docker.com/develop/develop-images/multistage-build/
You plan to create an image that will contain a .NET Core application.
You have a Dockerfile file that contains the following code. (Line numbers are included for reference only.)
You need to ensure that the image is as small as possible when the image is built.
Which line should you modify in the file?
Answer:
A
Multi-stage builds (in Docker 17.05 or higher) allow you to drastically reduce the size of your final image, without struggling to reduce the number of intermediate layers and files.
With multi-stage builds, you use multiple FROM statements in your Dockerfile. Each FROM instruction can use a different base, and each of them begins a new stage of the build. You can selectively copy artifacts from one stage to another, leaving behind everything you don't want in the final image.
Reference:
https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has a project in Azure DevOps for a new web application.
You need to ensure that when code is checked in, a build runs automatically.
Solution: From the Triggers tab of the build pipeline, you select Batch changes while a build is in progress.
Does this meet the goal?
Answer:
B
Instead, in Visual Designer you enable continuous integration (CI) by:
1. Select the Triggers tab.
2. Enable Continuous integration.
Note: Batch changes -
Select this check box if you have many team members uploading changes often and you want to reduce the number of builds you are running. If you select this option, when a build is running, the system waits until the build is completed and then queues another build of all changes that have not yet been built.
Reference:
https://docs.microsoft.com/en-us/azure/devops/pipelines/get-started-designer
HOTSPOT -
You need to deploy Azure Kubernetes Service (AKS) to host an application. The solution must meet the following requirements:
✑ Containers must only be published internally.
✑ AKS clusters must be able to create and manage containers in Azure.
What should you use for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: Azure Container Registry -
Azure services like Azure Container Registry (ACR) and Azure Container Instances (ACI) can be used and connected from independent container orchestrators like Kubernetes (k8s). You can set up a custom ACR and connect it to an existing k8s cluster to ensure images will be pulled from the private container registry instead of the public Docker Hub.
Box 2: An Azure service principal
When you're using Azure Container Registry (ACR) with Azure Kubernetes Service (AKS), an authentication mechanism needs to be established. You can set up AKS and ACR integration during the initial creation of your AKS cluster. To allow an AKS cluster to interact with ACR, an Azure Active Directory service principal is used.
Reference:
https://thorsten-hans.com/how-to-use-private-azure-container-registry-with-kubernetes
https://docs.microsoft.com/en-us/azure/aks/cluster-container-registry-integration
You have 50 Node.js-based projects that you scan by using WhiteSource. Each project includes Package.json, Package-lock.json, and Npm-shrinkwrap.json files.
You need to minimize the number of libraries reported by WhiteSource to only the libraries that you explicitly reference.
What should you do?
Answer:
B
Separate Your Dependencies -
Within your package.json file be sure you split out your npm dependencies between devDependencies and (production) dependencies. The key part is that you must then make use of the --production flag when installing the npm packages. The --production flag will exclude all packages defined in the devDependencies section.
Reference:
https://blogs.msdn.microsoft.com/visualstudioalmrangers/2017/06/08/manage-your-open-source-usage-and-security-as-reported-by-your-cicd-pipeline/
Your company deploys applications in Docker containers.
You want to detect known exploits in the Docker images used to provision the Docker containers.
You need to integrate image scanning into the application lifecycle. The solution must expose the exploits as early as possible during the application lifecycle.
What should you configure?
Answer:
A
You can use the Docker task to sign into ACR and then use a subsequent script to pull an image and scan the container image for vulnerabilities.
Use the docker task in a build or release pipeline. This task can be used with Docker or Azure Container registry.
Incorrect Answers:
C: We should not wait until deployment. We want to detect the exploits as early as possible.
D: We should wait until the image is in the product container. We want to detect the exploits as early as possible.
Reference:
https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=vsts
Your company has a hybrid cloud between Azure and Azure Stack.
The company uses Azure DevOps for its full CI/CD pipelines. Some applications are built by using Erlang and Hack.
You need to ensure that Erlang and Hack are supported as part of the build strategy across the hybrid cloud. The solution must minimize management overhead.
What should you use to execute the build pipeline?
Answer:
D
Azure Stack offers virtual machines (VMs) as one type of an on-demand, scalable computing resource. You can choose a VM when you need more control over the computing environment.
Reference:
https://docs.microsoft.com/en-us/azure/azure-stack/user/azure-stack-compute-overview
Your company has an Azure DevOps project.
The source code for the project is stored in an on-premises repository and uses an on-premises build server.
You plan to use Azure DevOps to control the build process on the build server by using a self-hosted agent.
You need to implement the self-hosted agent.
You download and install the agent on the build server.
Which two actions should you perform next? Each correct answer presents part of the solution.
Answer:
BE
B: Make sure you install your self-signed SSL server certificate into the OS certificate store.
E: When you have a self-signed SSL certificate for your on-premises TFS server, make sure to configure the Git we shipped to allow that self-signed SSL certificate.
Enable Git to use SChannel during configuration with a 2.129.0 or higher version agent. Pass --gituseschannel during agent configuration:
./config.cmd --gituseschannel
Reference:
https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/certificate
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant.
You are configuring a build pipeline in Azure Pipelines that will include a task named Task1. Task1 will authenticate by using an Azure AD service principal.
Which three values should you configure for Task1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer:
ABD
Create an Azure Resource Manager service connection with an existing service principal
AB: Enter the information about your service principal into the Azure subscription dialog textboxes:
✑ Tenant ID
✑ Subscription ID
✑ Subscription name
✑ Service principal ID
Either the service principal client key or, if you have selected Certificate, enter the contents of both the certificate and private key sections of the *.pem file.
D: To deploy to a specific Azure resource, the task will need additional data about that resource.
If you're using the classic editor, select the data you need. For example, the App Service name.
If you're using YAML, then go to the resource in the Azure portal, and then copy the data into your code. For example, to deploy a web app, you would copy the name of the App Service into the WebAppName value.
Reference:
https://docs.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure
DRAG DROP -
You are deploying a new application that uses Azure virtual machines.
You plan to use the Desired State Configuration (DSC) extension on the virtual machines.
You need to ensure that the virtual machines always have the same Windows feature installed.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Answer:
Step 1: Create a PowerShell configuration file
You create a simple PowerShell DSC configuration file.
Step 2: Load the file to Azure Blob storage
Package and publish the module to a publicly accessible blob container URL.
Step 3: Configure the Custom Script Extension on the virtual machines.
The Custom Script Extension downloads and executes scripts on Azure virtual machines.
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows