CCNA Devnet App Deployment Questions

24 of 99 questions · Page 2/2 · Devnet App Deployment topic · Answers revealed

76
MCQ · medium

A developer commits code to a GitHub repository and wants automated tests to run, followed by building a Docker image and pushing it to Docker Hub only if tests pass. Which CI/CD tool can be configured using a YAML file placed in the .github/workflows directory?

A. Jenkins
B. CircleCI
C. GitHub Actions
D. GitLab CI
Answer: C

Correct. GitHub Actions workflows are defined in .github/workflows.

Why this answer

GitHub Actions is the only CI/CD tool among the options that uses a YAML workflow file placed in the `.github/workflows` directory within the repository. This allows developers to define automated triggers (e.g., on push) to run tests, build a Docker image, and push it to Docker Hub only if tests pass, all natively integrated with GitHub.

Exam trap

The trap here is that candidates may confuse the directory structure for different CI/CD tools (e.g., `.circleci/config.yml` for CircleCI or `.gitlab-ci.yml` for GitLab CI) and incorrectly assume any YAML-based CI tool can use the `.github/workflows` path, which is exclusive to GitHub Actions.

How to eliminate wrong answers

Option A is wrong because Jenkins uses a `Jenkinsfile` (typically Groovy-based) and does not read YAML files from `.github/workflows`; it requires its own server or agent configuration. Option B is wrong because CircleCI uses a `.circleci/config.yml` file placed in the `.circleci` directory, not `.github/workflows`. Option D is wrong because GitLab CI uses a `.gitlab-ci.yml` file placed in the root of the repository, not in a `.github/workflows` directory, and is designed for GitLab repositories, not GitHub.

77
MCQ · medium

A developer needs to prevent SQL injection in a web application. Which coding practice should be used when constructing database queries?

A. CSRF tokens
B. Output encoding
C. Input validation
D. Parameterized queries
Answer: D

Parameterized queries ensure user input is treated as data, not executable code.

Why this answer

Parameterized queries (also known as prepared statements) separate SQL logic from data by using placeholders (e.g., `?` in MySQLi or `:name` in PDO). This ensures user input is always treated as data, never as executable SQL code, effectively neutralizing SQL injection attacks regardless of the input content.

Exam trap

Cisco often tests the distinction between input validation and parameterized queries, trapping candidates who think sanitizing input is sufficient, when the secure standard is to use parameterized queries to enforce separation of code and data.

How to eliminate wrong answers

Option A is wrong because CSRF tokens protect against cross-site request forgery, not SQL injection; they prevent unauthorized commands from being executed on behalf of an authenticated user. Option B is wrong because output encoding (e.g., HTML entity encoding) is used to prevent cross-site scripting (XSS) by escaping data before rendering in a browser, not for securing database queries. Option C is wrong because input validation alone is insufficient; it can be bypassed (e.g., via encoded payloads or logic flaws) and does not address the root cause of SQL injection, which is the mixing of code and data in a query string.

78
MCQ · medium

A CI/CD pipeline includes stages for code commit, build, unit test, integration test, staging deploy, and production deploy. Which change would best prevent a faulty build from reaching production?

A. Remove the integration test stage to speed up the pipeline.
B. Add a manual approval gate before production deploy.
C. Use the same environment for testing and production.
Answer: B

Manual approval ensures that a responsible person reviews the build before it reaches production.

Why this answer

Adding a manual approval gate before the production deploy stage allows a human to verify the build and prevent faulty code from being deployed.

79
Multi-Select · hard

A developer is writing a CI/CD pipeline using Jenkins Declarative Pipeline. They want to ensure that sensitive credentials (e.g., API keys) are never exposed in console logs. Which two security practices should be implemented? (Choose two.)

Select 2 answers
A. Store the API key in a Jenkins 'Secret text' credential and use the withCredentials step in the pipeline.
B. Hardcode the API key in the Jenkinsfile and use the sh step to echo it.
C. Pass the API key as a command-line argument to the build script.
D. Print the API key to the console for debugging.
E. Set the API key as an environment variable using the environment directive, referencing a Jenkins credential.
Answers: A, E

withCredentials masks the secret in logs.

Why this answer

Option A is correct because Jenkins' `withCredentials` step securely binds a 'Secret text' credential to a variable, masking the value in console logs and preventing exposure. This is the standard practice for handling sensitive data in Declarative Pipeline, as it integrates with Jenkins' credential store and automatically redacts the secret from output.

Exam trap

Cisco often tests the distinction between using the `environment` directive with `credentials()` (which is secure) versus setting environment variables manually (which is not), and the trap here is that candidates may think any environment variable is safe, but only those sourced from Jenkins credentials are masked.

80
MCQ · medium

A developer wants to perform a rolling update of a Kubernetes Deployment. Which command will update the image and initiate the rollout?

A. kubectl update deployment myapp --image=myapp:v2
B. kubectl set image deployment/myapp myapp=myapp:v2
C. kubectl edit deployment myapp --image=myapp:v2
D. kubectl apply -f deployment.yaml --image=myapp:v2
Answer: B

This updates the image for the container named 'myapp' in the deployment.

Why this answer

kubectl set image deployment updates the container image and triggers a rolling update if the deployment strategy is RollingUpdate (default).

81
MCQ · medium

A DevOps engineer runs a container using 'docker run -d -p 8080:80 nginx'. The host firewall blocks incoming traffic on port 8080 from external networks but allows from the local host. Which command would allow the engineer to test the container's web server from the same machine?

A. curl 10.0.0.1:8080
B. docker exec -it <container> bash
C. docker logs <container>
D. curl localhost:8080
Answer: D

Correct. Localhost traffic is allowed, so this will work.

Why this answer

Since the host firewall allows local traffic, using curl localhost:8080 will reach the container via the mapped port.

82
Multi-Select · hard

Which THREE are valid Kubernetes Service types? (Select three.)

Select 3 answers
A. NodePort
B. Deployment
C. ClusterIP
D. LoadBalancer
E. Ingress
Answers: A, C, D

Exposes service on each Node's IP at a static port.

Why this answer

A is correct because NodePort is a standard Kubernetes Service type that exposes a service on a static port (30000-32767) on each node's IP address, allowing external traffic to reach the service by targeting <NodeIP>:<NodePort>. It builds on top of ClusterIP and is commonly used for development or direct access scenarios.

Exam trap

Cisco often tests the distinction between Kubernetes resource types (e.g., Deployment, Ingress) and actual Service types, so candidates mistakenly select Ingress or Deployment because they associate them with external access, but only NodePort, ClusterIP, and LoadBalancer are valid Service types.

83
MCQ · medium

A developer runs 'docker run -d -p 8080:80 --name web nginx:alpine'. The container fails to start. Which command is the most appropriate to investigate the issue?

A. docker inspect web
B. docker exec -it web bash
C. docker logs -f web
Answer: C

docker logs -f web streams the logs, revealing any errors during startup.

Why this answer

Option C is correct because `docker logs -f web` streams the container's stdout and stderr output, which typically contains the error message explaining why the container failed to start (e.g., port conflict, missing configuration, or process crash). Since the container is not running, `docker logs` is the primary diagnostic tool to retrieve its exit logs without requiring the container to be active.

Exam trap

Cisco often tests the distinction between `docker inspect` (metadata) and `docker logs` (runtime output), and the trap here is that candidates assume `docker inspect` shows error messages, but it only shows configuration and state, not application logs.

How to eliminate wrong answers

Option A is wrong because `docker inspect web` returns low-level JSON metadata about the container (e.g., mount points, network settings, state), but it does not show the application's runtime logs or the specific error that caused the failure to start. Option B is wrong because `docker exec -it web bash` attempts to run a command inside a running container, but the container has failed and is not running, so this command will fail with an error like 'Container is not running' and cannot provide diagnostic information.

84
MCQ · easy

In Docker, which command is used to build an image from a Dockerfile and tag it as 'myapp:v1'?

A. docker run -t myapp:v1 .
B. docker build -t myapp:v1 .
C. docker create myapp:v1 .
D. docker commit myapp:v1 .
Answer: B

Correct. The -t flag assigns the tag 'myapp:v1'.

Why this answer

The `docker build -t myapp:v1 .` command builds a Docker image from the Dockerfile in the current directory and tags it with the name `myapp` and version tag `v1`. The `-t` flag assigns the tag, and the dot (`.`) specifies the build context (the current directory). This is the standard Docker command for building and tagging images.

Exam trap

Cisco often tests the distinction between `docker build` (for creating images from a Dockerfile) and `docker run` (for starting containers), and the trap here is that candidates confuse the `-t` flag in `docker run` (which allocates a TTY) with the `-t` flag in `docker build` (which tags the image).

How to eliminate wrong answers

Option A is wrong because `docker run` is used to create and start a container from an existing image, not to build an image from a Dockerfile; the `-t` flag in `docker run` allocates a pseudo-TTY, not a tag. Option C is wrong because `docker create` creates a new container from an image but does not build an image or accept a tag in that syntax; it also requires an image name, not a build context. Option D is wrong because `docker commit` creates a new image from a container's changes, not from a Dockerfile, and the syntax `docker commit myapp:v1 .` is invalid (it expects a container ID or name, not a tag and build context).

85
MCQ · medium

A docker-compose.yml defines a web service with environment variables. Which key in the service definition should be used to set environment variables?

A. args
B. volumes
C. environment
D. env_file
Answer: C

The 'environment' key allows setting environment variables directly.

Why this answer

Option C is correct because the `environment` key in a Docker Compose service definition is the standard way to set environment variables directly within the YAML file. This key accepts a list of key-value pairs (e.g., `- KEY=VALUE`) or a mapping, and the variables are injected into the container at runtime, overriding any default values in the Docker image.

Exam trap

Cisco often tests the distinction between build-time (`args`) and runtime (`environment`) configuration, so the trap here is confusing `args` (used in `docker build`) with `environment` (used in `docker run` or `docker-compose up`), especially since both can pass key-value pairs but serve entirely different lifecycle stages.

How to eliminate wrong answers

Option A is wrong because `args` is used to pass build-time arguments to the Dockerfile during image building (via the `build` context), not to set runtime environment variables in a running container. Option B is wrong because `volumes` mounts host directories or named volumes into the container for persistent data storage, not for environment configuration. Option D is wrong because `env_file` is a separate key that loads environment variables from an external file, but the question specifically asks for a key that defines variables directly within the service definition, not from an external source.

86
Multi-Select · medium

A developer is deploying a containerized application with Docker Compose. The application requires environment variables for database credentials that should not be hardcoded in the docker-compose.yml file. Which two methods securely provide these credentials? (Choose two.)

Select 2 answers
A. Use a public registry to store the credentials.
B. Hardcode the credentials in the docker-compose.yml under environment.
C. Use an .env file and add it to .gitignore, then reference it with env_file in the service.
D. Define the variables in the environment block of docker-compose.yml, with values from shell variables using ${VAR} syntax.
E. Store the credentials in the Docker image during build.
Answers: C, D

.env file with env_file keeps secrets out of version control.

Why this answer

Option C is correct because using an `.env` file allows you to externalize sensitive environment variables (like database credentials) from the `docker-compose.yml` file. By adding the `.env` file to `.gitignore`, you prevent it from being committed to version control, thus keeping credentials secure. The `env_file` directive in the service definition loads these variables at runtime without exposing them in the compose file.

Exam trap

Cisco often tests the distinction between compile-time (build) and runtime injection of secrets, and the trap here is that candidates may think storing credentials in the Docker image (Option E) is acceptable, not realizing that image layers are persistent and can be inspected by anyone with access to the image.

87
MCQ · medium

Which Docker command is used to view the logs of a running container in real-time?

A. docker exec -it <container> tail -f /var/log/app.log
B. docker logs -f <container>
C. docker attach <container>
D. docker logs <container>
Answer: B

The -f flag follows log output in real-time.

Why this answer

docker logs -f follows the log output, similar to tail -f.

88
MCQ · medium

A developer is writing a web application and wants to prevent SQL injection attacks. Which coding practice should be followed when constructing SQL queries?

A. Use parameterized queries with prepared statements
B. Use stored procedures exclusively
C. Encode user input with base64 before inserting into SQL
D. Concatenate user input directly into SQL statements
Answer: A

Parameterized queries safely separate SQL logic from data.

Why this answer

Using parameterized queries ensures that user input is treated as data, not executable code, preventing SQL injection.

89
Multi-Select · medium

Which TWO Kubernetes resources are used to provide configuration data to pods? (Choose TWO.)

Select 2 answers
A. Secret
B. PersistentVolumeClaim
C. ConfigMap
D. Deployment
E. Service
Answers: A, C

Secret stores sensitive data like passwords or API keys.

Why this answer

ConfigMap for non-sensitive data and Secret for sensitive data are both used to inject configuration into pods.

90
MCQ · easy

A developer creates a Dockerfile with the following content: FROM python:3.9-slim, COPY app.py /app/, RUN pip install flask, EXPOSE 5000, CMD ["python", "/app/app.py"]. When building the image with 'docker build -t myapp .', what is the purpose of the EXPOSE instruction?

A. It automatically publishes port 5000 to a random host port.
B. It informs Docker that the container listens on port 5000, but the port must be published at runtime.
C. It installs the Flask framework on port 5000.
D. It maps host port 5000 to container port 5000.
Answer: B

EXPOSE documents the port, but publishing requires -p.

Why this answer

EXPOSE documents that the container listens on port 5000 at runtime. It does not publish the port; that requires -p flag when running the container.

91
MCQ · easy

A developer wants to create a Docker image that runs a Python application. Which instruction should be placed at the end of the Dockerfile to specify the command that runs when the container starts?

A. RUN
B. ENTRYPOINT
C. COPY
D. CMD
Answer: D

CMD specifies the command to run when the container starts.

Why this answer

CMD specifies the default command to run when the container starts, and it can be overridden by providing a command at runtime. ENTRYPOINT is similar but not easily overridden. RUN executes during build. COPY copies files during build.

92
MCQ · medium

In a CI/CD pipeline using Jenkins, which stage is typically executed immediately after the build stage to ensure code quality before deployment?

A. Unit test
B. Deploy to production
C. Integration test
D. Artifact publication
Answer: A

Unit tests validate code functionality immediately after build.

Why this answer

In a Jenkins CI/CD pipeline, the build stage compiles the code and produces artifacts. Immediately after the build, unit tests are executed to validate individual components in isolation, catching defects early before proceeding to integration or deployment stages. This aligns with the principle of 'shift-left' testing, where quality gates are applied as early as possible.

Exam trap

Cisco often tests the distinction between unit tests and integration tests in a CI/CD pipeline, where candidates mistakenly think integration tests come immediately after build because they involve 'testing code' broadly, but the correct order is unit tests first to validate individual modules before combining them.

How to eliminate wrong answers

Option B is wrong because deploying to production occurs much later in the pipeline, after all testing stages (unit, integration, acceptance) have passed, and typically requires manual approval gates. Option C is wrong because integration tests are executed after unit tests, as they require multiple components or services to be available and often depend on the build artifacts being published. Option D is wrong because artifact publication (e.g., storing the build output in a repository like Nexus or Artifactory) usually happens after unit tests pass, ensuring only verified artifacts are stored for later stages.

93
MCQ · hard

A team uses GitHub Actions for CI/CD. Their workflow includes a job that builds a Docker image and pushes it to a private registry. The job needs to authenticate to the registry using secrets stored in GitHub. Which approach is most secure for passing credentials?

A. Use GitHub Secrets and reference them with ${{ secrets.REGISTRY_PASSWORD }}.
B. Embed the password directly in the workflow YAML file.
C. Store the password in a plain text file in the repository and read it during the build.
D. Use environment variables set in the runner's local .env file.
Answer: A

Secrets are encrypted and not exposed in logs.

Why this answer

GitHub Secrets allow storing sensitive data encrypted. In the workflow, secrets are accessed via ${{ secrets.REGISTRY_PASSWORD }}. This avoids hardcoding credentials.

94
MCQ · easy

A developer runs 'docker-compose up -d' for a multi-service application. What does the '-d' flag do?

A. It enables debugging output
B. It pulls the latest images before starting
C. It deletes the containers after they stop
D. It runs containers in detached mode (background)
Answer: D

Detached mode runs containers in the background.

Why this answer

The `-d` flag in `docker-compose up -d` stands for 'detached mode', which instructs Docker Compose to run the containers in the background, freeing the terminal for other commands. This is analogous to the `-d` flag in `docker run -d` and is essential for long-running services that should not block the command-line session.

Exam trap

Cisco often tests the `-d` flag to see if candidates confuse it with debugging (`-d` in some tools like `curl`) or assume it stands for 'delete', when in Docker it specifically means 'detached mode'.

How to eliminate wrong answers

Option A is wrong because debugging output is enabled by the `--debug` flag (or `DOCKER_COMPOSE_DEBUG` environment variable), not `-d`. Option B is wrong because pulling the latest images is done with the `--pull always` or `--pull missing` flag, or by running `docker-compose pull` separately; `-d` does not trigger a pull. Option C is wrong because deleting containers after they stop is achieved with the `--rm` flag (for `docker run`) or by using `docker-compose down`; `-d` does not affect container lifecycle on exit.

95
MCQ · easy

In a Docker Compose file, which key is used to define the dependency order between services?

A. links
B. volumes
C. networks
D. depends_on
Answer: D

Correct. depends_on defines service dependencies.

Why this answer

The depends_on key in Docker Compose allows specifying that one service depends on another, controlling startup order.

96
MCQ · hard

A developer is implementing secure coding practices to prevent SQL injection. Which approach is most effective when building a SQL query with user input?

A. Validating user input to allow only alphanumeric characters
B. Using parameterized queries with prepared statements
C. Storing user input in a database before using it in a query
D. Escaping all user input with a function like mysqli_real_escape_string
Answer: B

Parameterized queries ensure input is treated as data, not executable code.

Why this answer

Parameterized queries separate SQL code from data, preventing injection. Input validation helps but is not sufficient alone. Stored procedures can help, but parameterized queries are standard. Escaping is error-prone.

97
MCQ · hard

A Kubernetes Deployment has replicas: 3. The team updates the container image to a new version. The rollout gets stuck because the new pod fails readiness probes. Which kubectl command will display the rollout status and help diagnose the issue?

A. kubectl get pods -l app=my-deployment
B. kubectl logs deployment/my-deployment
C. kubectl describe deployment my-deployment
D. kubectl rollout status deployment/my-deployment
Answer: D

Shows rollout progress and can indicate failure.

Why this answer

kubectl rollout status deployment/my-deployment shows the progress. If stuck, it indicates failure. kubectl describe pod can show probe details.

98
MCQ · medium

In a Docker bridge network, two containers can communicate with each other using which identifier by default?

A. Their IP addresses only
B. Their image names
C. Their container names
D. Their MAC addresses
Answer: C

Docker DNS resolves container names to IPs on the same bridge network.

Why this answer

On the default bridge network, containers can communicate using IP addresses. For name resolution, Docker provides a DNS service using container names. Container names are used as hostnames.

99
Multi-Select · hard

A company is adopting DevSecOps practices. Which THREE practices should be implemented to secure application deployment?

Select 3 answers
A. Secrets management using environment variables stored in .env files committed to git
B. Dependency scanning with tools like Snyk or Dependabot
C. HTTPS enforcement and CORS configuration
D. Secure coding practices (input validation, parameterized queries)
E. Disabling all security tools to reduce deployment time
Answers: B, C, D

Identifies vulnerable third-party libraries.

Why this answer

Secure coding, secrets management, and dependency scanning are core DevSecOps practices that address security throughout the deployment lifecycle.

CCNA Devnet App Deployment Questions — Page 2 of 2 | Courseiva