The 6 DCA Domains: Everything You Need to Know

The Docker Certified Associate exam covers 6 distinct domains, each with a different weight in the final score. Understanding this distribution is essential to optimize your preparation.

This article details each domain: what's tested, the commands to master, and examples of typical questions. By the end, you'll have a clear vision of what to expect and an effective study strategy.

Domain Overview#

The DCA exam consists of 55 questions to complete in 90 minutes. Here's how the points are distributed:

Domain	Weight	Estimated Questions	Difficulty
Orchestration	25%	~14 questions	High
Images & Registry	20%	~11 questions	Medium
Installation & Configuration	15%	~8 questions	Medium
Networking	15%	~8 questions	High
Security	15%	~8 questions	Medium
Storage	10%	~6 questions	Low

Key statistic

Orchestration and Images alone represent 45% of the exam. If you master these two domains, you've already secured almost half the points.

How to Read This Guide#

For each domain, you'll find:

What's Tested: Key concepts to master
Essential Commands: Must-know Docker commands
Typical Questions: Representative examples of exam format
Study Tips: How to effectively approach the domain

1. Orchestration (25%)#

Orchestration is the heaviest domain on the exam. It focuses on Docker Swarm, Docker's native orchestration system.

What's Tested#

Initializing and managing a Swarm cluster
Creating, updating, and scaling services
Rolling updates and rollbacks
Node management (managers, workers)
Stacks and deployment via Compose files
Container placement (constraints, preferences)
High availability and manager quorum

The 10 Essential Commands#

bash

# Cluster management
docker swarm init --advertise-addr <IP>
docker swarm join --token <TOKEN> <MANAGER-IP>:2377
docker swarm leave [--force]

# Node management
docker node ls
docker node update --availability drain <NODE>
docker node promote <NODE>
docker node demote <NODE>

# Service management
docker service create --name <NAME> --replicas <N> <IMAGE>
docker service scale <SERVICE>=<N>
docker service update --image <NEW-IMAGE> <SERVICE>
docker service rollback <SERVICE>

# Stacks
docker stack deploy -c docker-compose.yml <STACK-NAME>
docker stack ls
docker stack services <STACK-NAME>
docker stack rm <STACK-NAME>

Typical Questions#

Q1: Which command displays the tasks of a specific service?

The answer is docker service ps <SERVICE>. Watch out for the trap docker service tasks which doesn't exist.

Q2: How do you limit a service to nodes with the label env=production?

Use --constraint node.labels.env==production. Note the double == and the node.labels. prefix.

Q3: What's the minimum number of managers to tolerate the loss of one manager?

You need 3 managers to tolerate 1 failure (quorum = 2). The formula is: (N-1)/2 tolerated failures.

Common trap

Don't confuse docker service scale myapp=5 (correct) with docker scale myapp=5 (incorrect). The scale command only exists at the service level.

Study Tips#

Set up a Swarm cluster with at least 3 nodes (1 manager + 2 workers)
Practice rolling updates with different configurations
Test failure scenarios: what happens when a manager goes down?
Master constraints: node.role, node.labels, node.hostname

2. Images & Registry (20%)#

This domain tests your ability to create, optimize, and distribute Docker images.

What's Tested#

Writing optimized Dockerfiles
Multi-stage builds
Build cache management
Push/pull to registries
Tagging and versioning
Docker Content Trust
Image inspection and history

Put Theory Into Practice

Apply what you've learned with interactive Docker scenarios and real environments.

Try It Now View Scenarios

Dockerfile Best Practices#

dockerfile

# 1. Use a lightweight base image
FROM node:18-alpine

# 2. Define a non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup

# 3. Copy dependency files first (cache)
COPY package*.json ./
RUN npm ci --only=production

# 4. Copy source code after
COPY --chown=appuser:appgroup . .

# 5. Expose the port (documentation)
EXPOSE 3000

# 6. Set the user
USER appuser

# 7. Use exec form for CMD
CMD ["node", "server.js"]

Dockerfile Instructions Table#

Instruction	Creates a layer?	Usage
`FROM`	Yes	Base image
`RUN`	Yes	Execute commands
`COPY`	Yes	Copy files
`ADD`	Yes	Copy + extract archives
`CMD`	No	Default command
`ENTRYPOINT`	No	Entry point
`ENV`	Yes	Environment variables
`ARG`	No	Build variables
`EXPOSE`	No	Port documentation
`USER`	No	Execution user
`WORKDIR`	Yes	Working directory

Typical Questions#

Q1: Which instruction copies a file from a previous stage?

COPY --from=<stage> allows copying from another stage in a multi-stage build.

Q2: What's the difference between ENTRYPOINT and CMD?

ENTRYPOINT defines the main command (hard to override), CMD provides default arguments (easily replaceable).

Q3: How do you invalidate the cache from a specific instruction?

Modify the file copied before that instruction, or use --no-cache to disable all caching.

Cache optimization

Instruction order is crucial. Place instructions that rarely change (system dependency installation) before those that change often (source code copy).

Essential Commands#

bash

# Build
docker build -t myimage:v1 .
docker build --no-cache -t myimage:v1 .
docker build --target <stage> -t myimage:v1 .

# Tagging and push
docker tag myimage:v1 registry.example.com/myimage:v1
docker push registry.example.com/myimage:v1
docker pull registry.example.com/myimage:v1

# Inspection
docker image history myimage:v1
docker image inspect myimage:v1
docker image ls
docker image prune

Ready to Try This Yourself?

Practice these Docker concepts in a real environment with hands-on scenarios.

Start Free Session View Scenarios

3. Installation & Configuration (15%)#

This domain covers Docker daemon configuration and runtime environment.

What's Tested#

Installing Docker on different OS
Daemon configuration via daemon.json
Storage drivers
Logging drivers
Resource management (CPU, memory)
Daemon network configuration
Securing the Docker API

The daemon.json File#

The /etc/docker/daemon.json file centralizes daemon configuration:

json

{
  "storage-driver": "overlay2",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "default-address-pools": [
    {"base": "172.80.0.0/16", "size": 24}
  ],
  "insecure-registries": ["registry.local:5000"],
  "registry-mirrors": ["https://mirror.example.com"],
  "live-restore": true,
  "userland-proxy": false
}

Storage Drivers#

Driver	Recommended	Use Case
`overlay2`	✔ Yes	Modern Linux (kernel 4.0+)
`fuse-overlayfs`	✔ Yes	Rootless Docker
`btrfs`	Specific	Btrfs file systems
`zfs`	Specific	ZFS file systems
`devicemapper`	✗ Deprecated	Legacy
`aufs`	✗ Deprecated	Legacy
`vfs`	✗ Slow	Debug only

Logging Drivers#

Driver	Description
`json-file`	Local JSON files (default)
`journald`	Systemd journal integration
`syslog`	Syslog server
`fluentd`	Fluentd collector
`gelf`	Graylog GELF format
`awslogs`	Amazon CloudWatch
`gcplogs`	Google Cloud Logging

Typical Questions#

Q1: Which command reloads daemon configuration without stopping containers?

sudo systemctl reload docker or sudo kill -SIGHUP $(pidof dockerd).

Q2: Which storage driver is recommended for Docker on Ubuntu 22.04?

overlay2 is the default and recommended driver for all modern Linux systems.

Q3: How do you check the current daemon configuration?

docker info displays all configuration information, including storage driver and logging driver.

4. Networking (15%)#

Docker networking is one of the most technical domains. It requires a good understanding of different network types.

What's Tested#

Network types: bridge, host, overlay, macvlan, none
Overlay networks for Swarm
Internal Docker DNS
Port publishing
Routing mesh and ingress
Service network configuration

Docker Network Types#

Type	Scope	Usage
`bridge`	Local	Containers on the same host
`host`	Local	Share host network
`overlay`	Multi-host	Swarm communication
`macvlan`	Local	Dedicated MAC addresses
`none`	Local	No network

Conceptual Diagram#

schema

┌──────────────────────────────────────────────────────────┐
│                     DOCKER HOST                          │
│  ┌──────────────────────────────────────────────────┐    │
│  │              bridge (docker0)                    │    │
│  │    ┌───────────┐    ┌───────────┐                │    │
│  │    │ Container │    │ Container │                │    │
│  │    │  172.17.  │    │  172.17.  │                │    │
│  │    └───────────┘    └───────────┘                │    │
│  └──────────────────────────────────────────────────┘    │
│                                                          │
│  ┌──────────────────────────────────────────────────┐    │
│  │              overlay (my-overlay)                │    │
│  │    ┌───────────┐                   ┌───────────┐ │    │
│  │    │ Service A │◄──── DNS ────────►│ Service B │ │    │
│  │    │  10.0.0.  │     (internal)    │  10.0.0.  │ │    │
│  │    └───────────┘                   └───────────┘ │    │
│  └──────────────────────────────────────────────────┘    │
│                                                          │
│  ┌──────────────────────────────────────────────────┐    │
│  │                    ingress                       │    │
│  │         (routing mesh / load balancing)          │    │
│  │              Published ports: 80, 443            │    │
│  └──────────────────────────────────────────────────┘    │
└──────────────────────────────────────────────────────────┘

Master Docker Hands-On

Go beyond theory - practice with real containers and orchestration scenarios.

Start Practicing View Scenarios

Internal Docker DNS#

Docker provides a built-in DNS server (127.0.0.11) that allows containers to discover each other by name:

Containers: Resolution by container name on user-defined networks
Swarm Services: Resolution by service name (automatic load-balancing)
Tasks: Resolution by <task>.<service>.<stack> to target a specific task

Typical Questions#

Q1: Which network allows containers to communicate between multiple Swarm nodes?

The overlay network enables multi-host communication in a Swarm cluster.

Q2: How do you make an overlay network accessible to standalone containers?

Use the --attachable option when creating the network.

Q3: Which network is responsible for load balancing published ports?

The ingress network handles routing mesh and distributes requests across replicas.

Essential Commands#

bash

# Creating networks
docker network create mybridge
docker network create --driver overlay --attachable myoverlay

# Inspection
docker network ls
docker network inspect mynetwork

# Connect/disconnect
docker network connect mynetwork mycontainer
docker network disconnect mynetwork mycontainer

5. Security (15%)#

Security is critical in production. This domain covers Docker's protection mechanisms.

What's Tested#

Docker Secrets and Configs
Docker Content Trust
Namespaces and cgroups
Linux Capabilities
Seccomp and AppArmor
Vulnerability scanning
TLS configuration

Docker Secrets#

Secrets allow storing sensitive data securely:

bash

# Creation
echo "mypassword" | docker secret create db_password -
docker secret create ssl_cert ./cert.pem

# Usage in a service
docker service create \
  --name myapp \
  --secret db_password \
  --secret source=ssl_cert,target=/etc/ssl/cert.pem \
  myimage

# Secrets are mounted in /run/secrets/

Docker Content Trust#

Content Trust ensures image integrity and authenticity:

bash

# Enable Content Trust
export DOCKER_CONTENT_TRUST=1

# Sign and push an image
docker push myregistry/myimage:v1

# Automatic verification on pull
docker pull myregistry/myimage:v1

Linux Capabilities#

Docker removes certain dangerous capabilities by default. You can adjust:

bash

# Remove all capabilities
docker run --cap-drop ALL nginx

# Add a specific capability
docker run --cap-drop ALL --cap-add NET_BIND_SERVICE nginx

# Typically removed capabilities
# SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE

Typical Questions#

Q1: Where are secrets mounted in a service container?

In /run/secrets/<secret_name>, mounted as tmpfs (in memory).

Q2: What's the difference between secrets and configs?

Secrets are encrypted at rest in the Raft log, configs are stored in plain text.

Q3: How do you enable Docker Content Trust?

export DOCKER_CONTENT_TRUST=1 before push/pull commands.

Common mistake

Never store secrets in environment variables (-e PASSWORD=xxx) or in image layers (ENV PASSWORD=xxx). Use Docker Secrets.

Ready to Try This Yourself?

Practice these Docker concepts in a real environment with hands-on scenarios.

Start Free Session View Scenarios

6. Storage (10%)#

Although representing only 10% of the exam, storage is essential for applications with persistent data.

What's Tested#

Docker Volumes
Bind mounts
tmpfs mounts
Volume drivers
Backup and restore

Volumes vs Bind Mounts vs tmpfs#

Type	Managed by Docker	Use Case
Volume	✔ Yes	Persistent data, sharing between containers
Bind mount	✗ No	Development, access to specific host files
tmpfs	✔ Yes	Sensitive temporary data (in memory)

Mount Syntaxes#

bash

# -v syntax (short)
docker run -v myvolume:/app/data nginx
docker run -v /host/path:/container/path nginx
docker run -v /app/data nginx  # Anonymous volume

# --mount syntax (explicit, recommended)
docker run --mount type=volume,source=myvolume,target=/app/data nginx
docker run --mount type=bind,source=/host/path,target=/container/path nginx
docker run --mount type=tmpfs,target=/app/temp nginx

# Common options
docker run --mount type=volume,source=myvolume,target=/data,readonly nginx
docker run -v myvolume:/data:ro nginx

Essential Commands#

bash

# Volume management
docker volume create mydata
docker volume ls
docker volume inspect mydata
docker volume rm mydata
docker volume prune

# Backup a volume
docker run --rm \
  -v mydata:/source:ro \
  -v $(pwd):/backup \
  alpine tar czf /backup/mydata.tar.gz -C /source .

# Restore
docker run --rm \
  -v mydata:/target \
  -v $(pwd):/backup:ro \
  alpine tar xzf /backup/mydata.tar.gz -C /target

Typical Questions#

Q1: What's the main difference between a volume and a bind mount?

A volume is managed by Docker (in /var/lib/docker/volumes/), a bind mount points to an arbitrary host path.

Q2: How do you mount a volume as read-only with --mount?

Add the readonly option: --mount type=volume,source=mydata,target=/data,readonly

Q3: Which command removes unused volumes?

docker volume prune removes all orphaned volumes.

Study Strategy#

You now know the 6 domains. Here's how to optimize your preparation.

Recommended Study Order#

Orchestration (25%) - Most important, start here
Images & Registry (20%) - Fundamental to understanding Docker
Networking (15%) - Technical but essential
Security (15%) - Key concepts to memorize
Installation & Config (15%) - More theoretical, quick to review
Storage (10%) - Simplest, save it for last

Study Time Distribution#

Domain	Exam Weight	Recommended Time
Orchestration	25%	40% of time
Images & Registry	20%	25% of time
Networking + Security + Installation	45%	30% of time
Storage	10%	5% of time

Tip

Focus 65% of your time on Orchestration and Images. These are the domains where hands-on practice makes the biggest difference, and they represent 45% of the exam.

Pre-Exam Checklist#

I can initialize and manage a 3-node Swarm cluster
I can write an optimized multi-stage Dockerfile
I understand the different Docker network types
I know how to create and use Docker secrets
I know the daemon.json options
I master the difference between volumes and bind mounts

Additional Resources#

Conclusion#

The 6 DCA domains test complementary skills:

Orchestration and Networking: Hands-on practice is essential
Images and Security: Understand concepts and best practices
Installation and Storage: More theoretical, but "easy" points

With structured preparation and lots of practice, you have everything you need to pass the exam.

Ready to take action? Practice with hands-on scenarios and DOMC format quizzes to maximize your chances of success.