1z0-1084-23 Sample Questions Answers

Explanation

The two characteristics of microservices are: Microservices can be independently deployed: One of the key principles of microservices architecture is the ability to independently deploy each microservice. This means that changes or updates to one microservice can be made and deployed without affecting other microservices. It allows for faster and more frequent deployments, enabling agile development and scalability. Microservices communicate over lightweight APIs: Microservices communicate with each other through lightweight APIs (Application Programming Interfaces). This enables loose coupling between microservices, as they can interact with each other using standard protocols like HTTP/REST or messaging systems like RabbitMQ or Kafka. Lightweight APIs facilitate flexibility and interoperability between microservices, making it easier to develop and maintain complex systems. The remaining statement, "All microservices share a data store," is not a characteristic of microservices. Microservices are designed to be autonomous and have their own data storage or database. Each microservice has its own data store, which promotes the principle of bounded contexts and avoids tight coupling between services. This allows for better scalability and independence of data management within each microservice.

Explanation

The correct answers are: Amount of RAM used by a function: Oracle Functions collects and reports the amount of memory (RAM) used by a function during its execution. This metric helps in monitoring and optimizing the resource consumption of functions. Length of time a function runs: Oracle Functions captures and provides the duration of function executions. This metric allows you to track the performance and responsiveness of your functions and identify any potential bottlenecks or delays. These metrics provide valuable insights into the resource utilization and performance of your functions, enabling you to monitor and optimize their behavior in the Oracle Cloud Infrastructure (OCI) environment.

Explanation

The correct approach to receive an email each time a Terraform action begins in Oracle Cloud Infrastructure (OCI) Resource Manager without writing any code is as follows: Create an OCI Notification topic and email subscription with the destination email address. This will define the email delivery configuration. Create an OCI Events rule that matches the "Resource Manager Job - Create" condition. This rule will be triggered when a Resource Manager job is created. In the OCI Events rule, select the notification topic that was created in step 1 as the action for the corresponding event. This will ensure that the notification is sent to the specified email address. By following these steps, you can configure the OCI Events service to send an email notification whenever a Resource Manager job is created in OCI Resource Manager.

Explanation

In the given scenario, the developer should use the approach of creating an authorizer function using token-based authorization. Token-based authorization is a commonly used approach for authenticating API requests. It involves generating and issuing tokens to API callers, which they can then include in the requests they make to the API. The tokens serve as proof of authentication and are validated by the server to ensure the caller's identity and access rights. By creating an authorizer function using token-based authorization, the developer can implement a custom scheme that accepts string-based parameters from the API caller. This allows the developer to define their own authentication logic and validate the provided tokens according to their requirements. The authorizer function can be configured in the OCI API Gateway to be invoked before forwarding the request to the web application. It will perform the necessary token validation and authenticationchecks, allowing only authorized requests to access the protected resources of the web application.

Explanation

The correct answer is: "A unique OCID is automatically generated for each secret and remains unchanged even when creating a new secret version." The statement that is NOT valid about managing secrets in the OCI Vault service is: "A unique OCID is automatically generated for each secret and remains unchanged even when creating a new secret version." In OCI Vault, a secret is identified by its OCID (Oracle Cloud Identifier), which is a unique identifier for each resource inOracle Cloud Infrastructure. However, when a new secret version is created for an existing secret, the OCID remains the same for the secret itself, but a new OCID is generated for the secret version. This allows you to track and manage different versions of a secret while maintaining a consistent OCID for the secret itself. The other statements mentioned are valid: You can manually create new secrets as well as new secret versions using the OCI Console. This means you have control over creating and managing secrets within the Vault service. A secret reuse rule prevents the use of secret contents across different versions of a secret. This ensures that each secret version maintains its own unique set of contents and avoids accidental reuse or sharing of secrets across versions. By default, new secret versions automatically expire in 90 days unless you configure an expiry rule. This helps enforce good security practices by automatically rotating secrets periodically, reducing the risk of unauthorized access in case of compromise. Therefore, the statement that is NOT valid is the one regarding the uniqueness and consistency of the OCID when creating new secret versions.

Explanation

To mandate image verification when deploying container images to Oracle Cloud Infrastructure (OCI) Container Engine for Kubernetes (OKE) clusters, you should enable image verification policies separately for each OKE cluster. This is enforced at the cluster level. Enabling image verification policies at the cluster level ensures that all container images deployed to the OKE cluster are automatically verified against the specified master encryption key (MEK). This helps maintain the security and integrity of the deployed microservices by ensuring that only signed and trusted container images are used. Enabling image verification policies at the cluster level allows for consistent and centralized enforcement of the verification process across all nodes and node pools within the cluster. It provides a standardized approach to image verification for the entire cluster, simplifying management and ensuring compliance with the organization's mandate. Enabling image verification policies separately for each node pool or at the pod level would introduce complexity and potential inconsistencies in the verification process. Therefore, enforcing image verification at the cluster level is the recommended approach.

Explanation

The appropriate logging approach for services running in Oracle Cloud Infrastructure (OCI) Container Engine for Kubernetes (OKE) is: "All services log to standard output only." When running services in a containerized environment like OKE, it is recommended to follow the Twelve-Factor App methodology, which suggests treating logs as event streams. According to this methodology, services should write their log events to standard output (stdout) instead of writing to log files. By logging to standard output, the container runtime (such as Kubernetes) can collect and aggregate the logs generated by the services. These logs can then be accessed and managed through the container runtime's logging infrastructure. Logging to standard output offers several advantages in a containerized environment: Simplicity and consistency: Standardizing on logging to stdout ensures a consistent approach across different services, making it easier to manage and analyze logs. Log aggregation: The container runtime can collect the logs from all the running containers and provide centralized log management, allowing you to access and search logs from different services in one place. Scalability: Since logs are written to stdout, they can be easily handled by the container runtime's log management system, which can scale to handle large volumes of log data. Separation of concerns: By logging to stdout, the responsibility of managing log files and their rotation is shifted to the container runtime, allowing the services to focus on their core functionality. While it is possible to log to log files or external logging systems, the recommended approach in a containerized environment like OKE is to log to standard output and leverage the logging infrastructure provided by the container runtime.

Explanation

To dynamically make Kubernetes resources discoverable to public DNS servers, you can use ExternalDNS. ExternalDNS is a Kubernetes add-on that automates the management of DNS records for your Kubernetes services and ingresses. It can be configured to monitor the changes in your Kubernetes resources and automatically update DNS records in a supported DNS provider. By integrating ExternalDNS with your Kubernetes cluster, you can ensure that the DNS records for your services and ingresses are automatically created, updated, or deleted based on changes in your Kubernetes resources. This allows your Kubernetes resources to be discoverable by external systems through public DNS servers.

Explanation

The correct answer is: "read only." The layers of a Docker image are read-only. Once a layer is created, it cannot be modified. Each layer represents a Dockerfile instruction, and it is stacked on top of the previous layer, forming a stack of immutable layers. These layers are designed to be read-only to ensure consistency and integrity of the image. When a Docker image is built, each instruction in the Dockerfile creates a new layer. Each layer represents the changes made by that instruction relative to the previous layer. The layers are stacked on top of each other to form the complete image. This layer-based approach allows for efficient storage and distribution of Docker images. Because the layers are read-only, any changes or modifications to the image result in the creation of new layers rather than modifying the existing ones. This immutability ensures that each layer remains intact and preserves the integrity of the image. It also enables Docker's caching mechanism, where previously built layers can be reused if the corresponding instructions haven't changed, speeding up the image build process. The other options mentioned, such as "write only," "write once," "movable," and "read mostly," do not accurately describe the permission associated with Docker image layers. Docker image layers are specifically designed to be read-only.

Explanation

The two true statements for serverless computing and serverless architectures are: Applications running on a FaaS (Functions as a Service) platform: Serverless architectures typically involve running code in the form of functions on a serverless platform. These functions are event-driven and executed in response to specific triggers or events. Serverless function execution is fully managed by a third party: In serverless computing, the cloud provider takes care of the infrastructure management and resource provisioning. The execution of serverless functions is handled automatically by the platform, relieving developers from the responsibility of managing servers orinfrastructure. It's important to note that long running tasks are not typically suited for serverless architectures due to the event-driven nature of serverless functions. Also, while serverless functions may have state, it is recommended to avoid external storage dependencies and instead leverage stateless functions whenever possible. Additionally, scaling in serverless architectures is typically handled automatically by the platform, rather than being the responsibility of the application DevOps team.

 Cloud native is the software approach of building, deploying, and managing modern applications in cloud computing environments3. Cloud native apps are designed and built to exploit the scale, elasticity, resiliency, and flexibility the cloud provides4. Cloud native technologies support fast and frequent changes to applications without impacting service delivery, providing adopters with an innovative, competitive advantage3. Therefore, cloud native refers to the design and deployment of applications that are optimized for cloud infrastructure. Verified References: What is Cloud Native? - Everything you need to know, What is Cloud Native?| Microsoft Learn

Explanation

To obtain a log file from one of the nodes in an Oracle Cloud Infrastructure (OCI) Container Enginefor Kubernetes (OKE) cluster, you should SSH into the nodes using the private key. Here's the step-by-step process: Obtain the private key: The private key is required to authenticate and access the nodes in the OKE cluster. You should obtain the private key from your administrator or the appropriate key pair used to create the cluster. SSH into the node: Use a secure shell (SSH) client, such as OpenSSH, to connect to the desired node in the cluster. The SSH command typically includes the private key file path and the public IP address or hostname of the node. Example command: ssh -i opc@ Replace with the path to the private key file and with the public IP address of the node you want to access. Navigate to the log file location: Once you have successfully connected to the node, navigate to the directory where the log file is located. The exact location and name of the log file may vary depending on the Kubernetes distribution and configuration. Copy or view the log file: You can either copy the log file from the node to your local machine using the scp command or view the contents directly on the node using tools like cat or less. By following these steps, you will be able to access the log file from the desired node in the OKE cluster for troubleshooting purposes.

Explanation

The correct answer is: Test using an API mock of service B. To test service A without deploying all of its dependencies, including service B, you can use an API mock of service B. An API mock is a simulated version of the API that mimics the behavior of the actual service. By using an API mock, you can isolate the testing of service A and simulate the responses and behavior of service B's APIs. With an API mock, you can define the expected responses and behavior of service B's APIs, allowing you to test the integration between service A and the mocked version of service B. This approach enables you to verify the functionality of service A without relying on the availability or changes in the actual service B. By decoupling the dependencies and using an API mock, you can perform independent testing of service A, ensuring its functionality in isolation.

In the shared responsibility model, Oracle is responsible for securing the underlying cloud infrastructure and platform services, while customers are responsible for securing theirdata and applications within the cloud4. For provisioned OKE clusters, Oracle manages the control plane (master nodes) of the Kubernetes cluster, while customers manage the data plane (worker nodes) of the cluster5. Therefore, it is the responsibility of the customer to perform patching, upgrading, and maintaining of the worker nodes in provisioned OKE clusters5. Customers can use tools such as Terraform or kubectl to automate these tasks5.

Explanation

The correct answer is: "Create a self-signed certificate and its corresponding key. Create a Kubernetes secret using the certificate and the key. Then add these annotations to the Kubernetes service: annotations: service.beta.kubernetes.io/oci-load-balancer-ssl-ports: '443' service.beta.kubernetes.io/oci-load-balancer-tls-secret: ssl certificate-secret." To create a secure SSL termination for your microservices-based application running in an OCI Container Engine for Kubernetes (OKE) cluster, you can follow these steps: Create a self-signed certificate and its corresponding key: Generate a self-signed SSL certificate and its private key using a tool like OpenSSL. Create a Kubernetes secret: Create a Kubernetes secret using the certificate and key obtained in the previous step. This secret will securely store the certificate and key within the Kubernetes cluster. Add annotations to the Kubernetes service: Modify the Kubernetes service that exposes your application and add the following annotations to enable SSL termination: annotations: service.beta.kubernetes.io/oci-load-balancer-ssl-ports: '443' (specify the SSL port as 443) annotations: service.beta.kubernetes.io/oci-load-balancer-tls-secret: ssl certificate-secret (specify the name of the Kubernetes secret containing the certificate and key) By following these steps, you can create a secure SSL termination for your application using a self-signed certificate and Kubernetes secret. The annotations added to the Kubernetes service ensure that the SSL port is configured correctly and the TLS secret is utilized for SSL termination when traffic reaches the load balancer. The other options provided are not the most suitable approaches for achieving secure SSLtermination in an OCI Container Engine for Kubernetes (OKE) cluster: Adding annotations related to the OCI load balancer SSL secret key is not the correct approach for SSL termination in this scenario. Using Let's Encrypt to generate a self-signed certificate and configuring it on the OCI Load Balancer is not necessary when you can create and manage the SSL certificate within the Kubernetes cluster using a Kubernetes secret.

Explanation

To troubleshoot issues in OCI, the option that is not valid is: Trace performance issues in the Application Performance Monitoring service by enabling Function traces. While the ApplicationPerformance Monitoring service in OCI allows you to monitor and trace the performance of your applications, it is specifically designed for monitoring OCI Functions (serverless functions) and does not directly apply to all types of applications. The other options mentioned, such as configuring logs in the OCI Logging service, leveraging OCI Cloud Guard for debug logs, viewing service metrics in the OCI Monitoring service, and using OCI Service Connector Hub for log forwarding, are valid options for troubleshooting and monitoring applications in OCI.

A rolling update is a deployment strategy that gradually replaces the old version of an application with the new version without any downtime4. OKE supports rolling updates by using the kubectl rollout command4. A rolling update allows you to roll back to the previous version if something goes wrong with the new version4. Therefore, using a rolling update strategy with kubectl ensures that you can roll back to the previous version of your Python application if the new image does not work once deployed.Verified References: Deploy Oracle Container Engine for Kubernetes

Explanation

The statement that is incorrect is: "The request does not require an Authorization header." In order to POST messages to a stream in the OCI Streaming service using OCI APIs, the request does require an Authorization header. The Authorization header is used to provide authentication and ensure the request is authorized to access the stream. The correct approach is to include the Authorization header in the request, along with other required headers such as x-content-sha256, content-type, and content-length. Therefore, the incorrect statement is that the request does not require an Authorization header.\

The logconfig.json file is a configuration file that specifies how the Unified Monitoring Agent collects and uploads custom logs to the OCI Logging service2. The logconfig.json file contains an array of objects, each representing a custom log configuration2. Each custom log configuration object has the following fields2:

• logGroupObjectId: The OCID of the log group where the custom log is stored.
• logObjectId: The OCID of the custom log.
• paths: An array of paths to files or directories containing the custom logs.
• src: A regular expression that matches the files containing the custom logs.
• parser: A parser definition that specifies how to parse the custom logs. If the logconfig.json file has incorrect or missing OCID for the custom log in the logobjectId field, or incorrect or missing OCID for the custom log group in the logGroupObjectId field, then the Unified Monitoring Agent will not be able to upload the custom logs to the OCI Logging service2. Therefore, these are potential reasons for logs from the Meshifyd application not showing up in the OCI Logging service. Verified References: Unified Monitoring Agent Configuration File

Explanation

The necessary configuration to provide access to a private repository in OCI Registry (OCIR) from OCI Container Engine for Kubernetes (OKE) is to create a docker-registry secret for OCIR with an identity Auth Token on the cluster and specify the imagePullSecret property in the application deployment manifest. Here's the breakdown of the steps: Create a docker-registry secret for OCIR with an identity Auth Token: In order to authenticate with the private repository in OCIR, you need to create a secret in your OKE cluster that contains the necessary credentials. This can be done by generating an identity Auth Token from the OCI Console and creating a secret in the cluster using the kubectl command. Specify the imagePullSecret property in the application deployment manifest: In your application's deployment manifest (such as a Kubernetes Deployment or StatefulSet YAML file), you need to include the imagePullSecret property and specify the name of the secret you created in the previous step. This allows the OKE cluster to use the credentials from the secret to pull the docker image from the private repository in OCIR during deployment. By following these steps, you can ensure that your OKE cluster has the necessary access to the private repository in OCIR, and your application can successfully pull the required docker image during deployment.

Explanation

The correct answers are: Set up the following dynamic group for your function's OCID: Name: read-file-dg Rule: resource.id = "ocid1.fnfunc.oc1.phx.aaaaaaaakeaobctakezjz5i4ujj7g25q7sx5mvr55pms6f4da" Set up a policy with the following statement to grant read access to the bucket: Statement: allow dynamic-group read-file-dg to read objects in compartment qa-compartment where target.bucket.name = 'input-bucket'Explanation: To implement the use case of reading a JSON file object from an Object Storage bucket using Resource Principals with Oracle Functions, you need to configure the following: Create a dynamic group named "read-file-dg" and associate it with your function's OCID. This dynamic group helps identify the function as a member of the group for policy enforcement. Create a policy that grants read access to the bucket. The policy statement should allow the dynamic group "read-file-dg" to read objects in the compartment "qa-compartment" and specify the target bucket name as "input-bucket". This policy ensures that the function has the necessary permissions to access the specified bucket. By setting up the dynamic group and policy, you ensure that the function, as a member of the dynamic group, has the required read access to the specified Object Storage bucket in the specified compartment.

Explanation

The correct answer is: Invoke from the Docker CLI.Explanation: Executing a function deployed in Oracle Functions is typically done using the following options: Invoke from the Fn Project CLI: The Fn Project CLI provides a command-line interface specifically designed for interacting with Oracle Functions. You can use commands like fn invoke to invoke a function. Trigger by an event in the Oracle Cloud Infrastructure (OCI) Events service: You can configure events in OCI to trigger your function based on various criteria, such as object storage events, resource state changes, or scheduled events. Invoke from the OCI CLI: The OCI CLI (Command Line Interface) allows you to interact with various services in Oracle Cloud Infrastructure, including Oracle Functions. You can use the fn invoke command to invoke a function. Send signed HTTP requests to the function's invoke endpoint: Oracle Functions provides an HTTP endpoint that can be used to invoke functions. You can send signed HTTP requests to this endpoint using tools or programming languages that support making HTTP requests. On the other hand, invoking a function deployed in Oracle Functions using the Docker CLI is not a valid option. The Docker CLI is primarily used for managing Docker containers and images, and it does not provide a direct mechanism for invoking functions in Oracle Functions.

Blue/Green deployment strategy allows releasing a new version of an application using two identical environments where one of them is active at a given time. The current version of the application is provisioned on the active environment, whereas the new version gets deployed to the standby environment1. The traffic is shifted from the active to the standby environment by updating the ingress resource2. Therefore, both old and new application versions are deployed to production at the same time, but only one of them receives the traffic. Verified References: Announcing new deployment strategies for OCI DevOps Service, Blue-Green OKE Deployment

Fn Project is the open source engine that is used by OCI to power Oracle Functions1. Fn Project is an open source, container native, serverless platform that can be run anywhere - any cloud or on-premises1. Fn Project is easy to use, extensible, and performant. You can download and install the open source distribution of Fn Project, develop and test a function locally, and then use the same tooling to deploy that function to Oracle Functions1.Verified References: Overview of Functions

To prevent images from being deleted from a repository, you can set the global policy of image retention to “Retain All Images”. This policy applies to all repositories in the tenancy and overrides any individual repository settings. You can also lock the policy to prevent any changes to it.Verified References: Using Retention Rules to Preserve Data

Explanation

The correct answer is: Controlling access to the backend OCI resources. OCI API Gateway does not provide direct control over access to backend OCI resources. It primarily focuses on managing and securing access to APIs exposed through the gateway. The gateway acts as a front-end for APIs and provides features such as authentication, authorization, rate limiting, and CORS support. While you can configure authentication and authorization policies, limit the number of requests, and enable CORS support in OCI API Gateway, it does not directly control access to backend OCI resources. Access to backend resources is typically managed through other means, such as IAM policies, network security rules, or resource-specific access controls.

Idle-timeout is the parameter that is used to configure the time period during which an idle function will remain in memory before Oracle Functions removes its container image from memory2. The idle-timeout parameter is specified in seconds and can be set when creating or updating a function2. The default value for idle-timeout is 30 seconds and the maximum value is 900 seconds (15 minutes)2. If a function has the --provisioned-concurrency option enabled, the idle-timeout parameter is ignored and the function instances are always kept in memory3.Verified References: Creating Functions, Provisioned Concurrency