LPI 305-300 LPIC-3: Virtualization and Containerization - Exam 305, version 3.0 Exam Practice Test

A hypervisor is a software that creates and runs virtual machines (VMs) by separating the operating system and resources from the physical hardware. One of the main tasks of a hypervisor is to map the resources of VMs to the resources of the host system, such as CPU, memory, disk, and network. This allows the hypervisor to allocate and manage the resources among multiple VMs and ensure that they run efficiently and independently123. Another important task of a hypervisor is to isolate the VMs and prevent unauthorized access to resources of other VMs. This ensures the security and privacy of the VMs and their data, as well as the stability and performance of the host system. The hypervisor can use various techniques to isolate the VMs, such as virtual LANs, firewalls, encryption, and access control145.

The other tasks listed are not part of a hypervisor’s responsibility, but rather of the guest operating system or the application running inside the VM. A hypervisor does not create filesystems during the installation of new VMs, as this is done by the installer of the guest operating system6. A hypervisor does not provide host-wide unique PIDs to the processes running inside the VMs, as this is done by the kernel of the guest operating system7. A hypervisor does not manage authentication to network services running inside a VM, as this is done by the network service itself or by a directory service such as LDAP or Active Directory8. References: 1 (search for “What is a hypervisor?”), 2 (search for “How does a hypervisor work?”), 3 (search for “The hypervisor gives each virtual machine the resources that have been allocated”), 4 (search for “Benefits ofhypervisors”), 5 (search for “Isolate the virtual machines and prevent unauthorized access”), 6 (search for “Create filesystems during the installation of new virtual machine quest operating systems”), 7 (search for “Provide host-wide unique PIDs to the processes running inside the virtual machines”), 8 (search for “Manage authentication to network services running inside a virtual machine”).

IaaS is a type of cloud computing service that offers essential compute, storage, and networking resources on demand, on a pay-as-you-go basis. IaaS is one of the four types of cloud services, along with software as a service (SaaS), platform as a service (PaaS), and serverless12. IaaS eliminates the need for enterprises to procure, configure, or manage infrastructure themselves, and they only pay for what they use23. Some examples of IaaS providers are Microsoft Azure, Google Cloud, and Amazon Web Services.

The unshare command is used to run a process in a new Linux namespace12. It takes one or more flags to specify which namespaces to create or unshare from the parent process1. For example, to run a shell in a new mount, network, and PID namespace, one can use:

unshare -mnp /bin/bash

References:

1: unshare(1) - Linux manual page - man7.org

2: A gentle introduction to namespaces in Linux - Packagecloud

The purpose of the kubelet service in Kubernetes is to run containers on the worker nodes according to the Kubernetes configuration. The kubelet is an agent or program that runs on each node and communicates with the Kubernetes control plane. It receives a set of PodSpecs that describe the desired state of the pods that should be running on the node, and ensures that the containers described in those PodSpecs are running and healthy. The kubelet also reports the status of the node and the pods back to the control plane. The kubelet does not manage containers that were not created by Kubernetes. References:

Kubernetes Docs - kubelet

Learn Steps - What is kubelet and what it does: Basics on Kubernetes

 The correct way to start a new container that shares the /data volume with the datastore container is to use the --volumes-from flag. This flag mounts all the defined volumes from the referenced containers. In this case, the datastore container has a volume named /data, which is mounted in the service container at the same path. The other options are incorrect because they either use invalid flags, such as --share-with or --volume-backend, or they create new volumes instead of sharing the existing one, such as -v datastore:/data or -v /data. References:

Docker Docs - Volumes

Stack Overflow - How to map volume paths using Docker’s --volumes-from?

Docker Docs - docker run

The purpose of the packer inspect subcommand is to display an overview of the configuration contained in a Packer template1. A Packer template is a file that defines the various components a Packer build requires, such as variables, sources, provisioners, and post-processors2. The packer inspect subcommand can help you quickly learn about a template without having to dive into the HCL (HashiCorp Configuration Language) itself1. The subcommand will tell you things like what variables a template accepts, the sources it defines, the provisioners it defines and the order they’ll run, and more1.

The other options are not correct because:

A) Retrieve files from an existing Packer image. This is not the purpose of the packer inspect subcommand. To retrieve files from an existing Packer image, you need to use the packer scp subcommand, which copies files from a running instance of a Packer image to your local machine2.

B) Execute commands within a running instance of a Packer image. This is not the purpose of the packer inspect subcommand. To execute commands within a running instance of a Packer image, you need to use the packer ssh subcommand, which connects to a running instance of a Packer image via SSH and runs the specified command2.

C) List the artifacts created during the build process of a Packer image. This is not the purpose of the packer inspect subcommand. To list the artifacts created during the build process of a Packer image, you need to use the packer build subcommand with the -machine-readable flag, which outputs the build information in a machine-friendly format that includes the artifact details2.

D) Show usage statistics of a Packer image. This is not the purpose of the packer inspect subcommand. To show usage statistics of a Packer image, you need to use the packer console subcommand with the -stat flag, which launches an interactive console that allows you to inspect and modify variables, sources, and functions, and displays the usage statistics of the current session2. References: 1: packer inspect - Commands | Packer | HashiCorp Developer 2: Commands | Packer | HashiCorp Developer

The ENTRYPOINT instruction in a Dockerfile specifies the default command to run when a container is started from the image. The ENTRYPOINT instruction can be written in two forms: exec form and shell form. The exec form uses a JSON array to specify the command and its arguments, such as [ “executable”, “param1”, “param2” ]. The shell form uses a single string to specify the command and its arguments, such as “executable param1 param2”. The shell form is converted to the exec form by adding /bin/sh -c to the beginning of the command. Therefore, the following statements in a Dockerfile are equivalent and will lead to a container that outputs hello world:

ENTRYPOINT [ “echo hello world” ] ENTRYPOINT [ “/bin/sh”, “-c”, “echo hello world” ] ENTRYPOINT “echo hello world” ENTRYPOINT [ “echo”, “hello”, “world” ] ENTRYPOINT [ “/bin/sh”, “-c”, “echo”, “hello”, “world” ] ENTRYPOINT “echo hello world”

The other statements in the question are invalid or incorrect. The statement A. ENTRYPOINT “echo Hello World” is invalid because it uses double quotes to enclose the entire command, which is not allowed in the shell form. The statement D. ENTRYPOINT echo Hello World is incorrect because it does not use quotes to enclose the command, which is required in the shell form. The statement E. ENTRYPOINT “echo”, “Hello”, “World” is invalid because it uses double quotes to separate the command and its arguments, which is not allowed in the exec form. References:

Dockerfile reference | Docker Docs

Using the Dockerfile ENTRYPOINT and CMD Instructions - ATA Learning

Difference Between run, cmd and entrypoint in a Dockerfile

LXD supports the following network interface types in an LXD container configuration1:

macvlan: Creates a virtual interface on the host with a unique MAC address and attaches it to an existing physical interface. This allows the container to have direct access to the physical network, but prevents communication with the host and other containers on the same host2.

bridged: Connects the container to an existing bridge interface on the host. This allows the container to communicate with the host and other containers on the same bridge, as well as the external network if the bridge is connected to a physical interface3.

physical: Passes an existing physical interface on the host to the container. This allows the container to have exclusive access to the physical network, but removes the interface from the host4.

The other network interface types, ipsec and wifi, are not valid in an LXD container configuration. Ipsec is a protocol for secure communication over IP networks, not a network interface type. Wifi is a wireless technology for connecting devices to a network, not a network interface type. References:

About networking - Canonical LXD documentation

Macvlan network - Canonical LXD documentation

Bridge network - Canonical LXD documentation

Physical network - Canonical LXD documentation

The WORKDIR instruction sets the working directory for any subsequent RUN, CMD, ENTRYPOINT, COPY and ADD instructions that follow it in the Dockerfile1. The RUN instruction executes commands in a new layer on top of the current image and commits the results2. The RUN cd command does not change the working directory for the next RUN instruction, because each RUN command runs in a new shell and a new environment3. Therefore, the file test is created in the root directory (/) of the container image, not in the /tmp directory. References:

Dockerfile reference: WORKDIR

Dockerfile reference: RUN

difference between RUN cd and WORKDIR in Dockerfile

Cloud-init is a tool that allows users to customize the configuration and behavior of cloud instances during the boot process. Cloud-init can process different kinds of data that are passed to the instance via user-data, which is a mechanism provided by various cloud providers to inject data into the instance. Among the kinds of data that cloud-init can process directly from user-data are:

Shell scripts to execute: Cloud-init can execute user-data that is formatted as a shell script, starting with the #!/bin/sh or #!/bin/bash shebang. The script can contain any commands that are valid in the shell environment of the instance. The script is executed as the root user during the boot process12.

Lists of URLs to import: Cloud-init can import user-data that is formatted as a list of URLs, separated by newlines. The URLs can point to any valid data source that cloud-init supports, such as shell scripts, cloud-config files, or include files. The URLs are fetched and processed by cloud-init in the order they appear in the list13.

cloud-config declarations in YAML: Cloud-init can process user-data that is formatted as a cloud-config file, which is a YAML document that contains declarations for various cloud-init modules. The cloud-config file can specify various aspects of the instance configuration, such as hostname, users, packages, commands, services, and more. The cloud-config file must start with the #cloud-config header14.

The other kinds of data listed in the question are not directly processed by cloud-init from user-data. They are either not supported, not recommended, or require additional steps to be processed. These kinds of data are:

ISO images to boot from: Cloud-init does not support booting from ISO images that are passed as user-data. ISO images are typically used to install an operating system on a physical or virtual machine, not to customize an existing cloud instance. To boot from an ISO image, the user would need to attach it as a secondary disk to the instance and configure the boot order accordingly5.

Base64-encoded binary files to execute: Cloud-init does not recommend passing binary files as user-data, as they may not be compatible with the instance’s architecture or operating system. Base64-encoding does not change this fact, as it only converts the binary data into ASCII characters. To execute a binary file, the user would need to decode it and make it executable on the instance6.

References:

User-Data Formats — cloud-init 22.1 documentation

User-Data Scripts

Include File

Cloud Config

How to Boot From ISO Image File Directly in Windows

How to run a binary file as a command in the terminal?.

Capabilities are a way of implementing fine-grained access control in Linux. They are a set of flags that define the privileges that a process can have. By default, a process inherits the capabilities of its parent, but some capabilities can be dropped or added by the process itself or by the kernel. In the context of container virtualization, capabilities are used to prevent processes from performing actions that might infringe the container, such as accessing the host’s devices, mounting filesystems, changing the system time, or killing other processes. Capabilities allow containers to run with a reduced set of privileges, enhancing the security and isolation of the container environment. For example, Docker uses a default set of capabilities that are granted to the processes running inside a container, and allows users to add or drop capabilities as needed12. References:

Capabilities | Docker Documentation1

Linux Capabilities: Making Them Work in Containers2

 Libvirt is a toolkit that provides a common API for managing different virtualization technologies, such as KVM, Xen, LXC, and others. Libvirt allows users to configure and control various aspects of a virtual machine (also called a domain), such as its CPU, memory, disk, network, and other resources. Among the resources that can be limited by libvirt for a KVM domain are:

Amount of CPU time: Libvirt allows users to specify the number of virtual CPUs (vCPUs) that a domain can use, as well as the CPU mode, model, topology, and tuning parameters. Users can also set the CPU shares, quota, and period to control the relative or absolute amount of CPU time that a domain can consume. Additionally, users can pin vCPUs to physical CPUs or NUMA nodes to improve performance and isolation. These settings can be configured in the domain XML file under the  and  elements12.

Size of available memory: Libvirt allows users to specify the amount of memory that a domain can use, as well as the memory backing, tuning, and NUMA node parameters. Users can also set the memory hard and soft limits, swap hard limit, and minimum guarantee to control the memory allocation and reclaim policies for a domain. These settings can be configured in the domain XML file under the , , and  elements13.

The other resources listed in the question are not directly limited by libvirt for a KVM domain. File systems allowed in the domain are determined by the disk and filesystem devices that are attached to the domain, which can be configured in the domain XML file under the  and  elements14. Number of running processes and number of available files are determined by the operating system and the file system of the domain, which are not controlled by libvirt.

References:

libvirt: Domain XML format

CPU Allocation

Memory Allocation

Hard drives, floppy disks, CDROMs

Libvirt supports creating and managing various types of virtual networks that can be used to connect virtual machines to each other or to the external network. One of the common types of virtual networks is the NAT-based network, which uses network address translation (NAT) to allow virtual machines to access the outside world through the host’s network interface. By default, libvirt creates a NAT-based network called ‘default’ when it is installed and started. This network appears as a standard Linux bridge device on the host system, named virbr0. The bridge device has an IP address of 192.168.122.1/24 and acts as a gateway and a DHCP server for the virtual machines connected to it. The bridge device also has iptables rules to forward and masquerade the traffic from and to the virtual machines. The virtual machines connected to the ‘default’ network have their own IP addresses in the 192.168.122.0/24 range and their own MAC addresses generated by libvirt. The virtual machines can communicate with each other, with the host, and with the external network through the bridge device and the NAT mechanism12.

The other statements in the question are false regarding networking with libvirt. Libvirt’s network functionality is not limited to connecting virtual machines to a physical network interface of the host system. Libvirt can also create isolated networks that do not have any connection to the outside world, or routed networks that use static routes to connect virtual machines to the external network without NAT3. Libvirt does not assign the same MAC address to all virtual machines and isolate their network interfaces at the link layer. Libvirt assigns a unique MAC address to each virtual machine and allows them to communicate with each other at the network layer4. Libvirt does not require a dedicated network interface that may not be used by the host system. Libvirt can share the host’s network interface with the virtual machines using NAT or bridging, or it can pass a physical network interface to a virtual machine exclusively using PCI passthrough5. Libvirt does not support exactly one virtual network and connect all virtual machines to it. Libvirt supports creating and managing multiple virtual networks with different names and configurations, and connecting virtual machines to different networks according to their needs6. References:

libvirt: Virtual Networking

libvirt: NAT forwarding (aka “virtual networks”)

libvirt: Routed network

libvirt: MAC address

libvirt: PCI passthrough of host network devices

[libvirt: Network XML format]

The option dom0_mem is used to set the initial and maximum memory size of the Domain-0, which is the privileged domain that starts first and manages the unprivileged domains (DomU) in Xen. The option dom0_mem must be specified in the bootloader configuration, such as GRUB or GRUB2, when Xen is booted. This ensures that the Domain-0 kernel can allocate memory for storing memory metadata and network related parameters based on the boot time amount of memory. If the option dom0_mem is not specified in the bootloader configuration, the Domain-0 will use all the available memory on the host system by default, which may cause performance and security issues. References:

Managing Xen Dom0′s CPU and Memory

Xen Project Best Practices

Dom0 Memory — Where It Has Not Gone

The command that deletes all volumes which are not associated with a container is docker volume prune. This command removes all unused local volumes, which are those that are not referenced by any containers. By default, it only removes anonymous volumes, which are those that are not given a specific name when they are created. To remove both unused anonymous and named volumes, the --all or -a flag can be added to the command. The command will prompt for confirmation before deleting the volumes, unless the --force or -f flag is used to bypass the prompt. The command will also show the total reclaimed space after deleting the volumes12.

The other commands listed in the question are not valid or do not have the same functionality as docker volume prune. They are either made up, misspelled, or have a different purpose. These commands are:

docker volume cleanup: This command does not exist in Docker. There is no cleanup subcommand for docker volume.

docker volume orphan -d: This command does not exist in Docker. There is no orphan subcommand for docker volume, and the -d flag is not a valid option for any docker volume command.

docker volume vacuum: This command does not exist in Docker. There is no vacuum subcommand for docker volume.

docker volume garbage-collect: This command does not exist in Docker. There is no garbage-collect subcommand for docker volume.

References:

docker volume prune | Docker Docs

How to Remove all Docker Volumes - YallaLabs.

 cloud-init uses the /var/lib/cloud/ directory to store status information and configuration information retrieved from external sources, such as the cloud platform’smetadata service or user data files. The directory contains subdirectories for different types of data, such as instance, data, handlers, scripts, and sem. The instance subdirectory contains information specific to the current instance, such as the instance ID, the user data, and the cloud-init configuration. The data subdirectory contains information about the data sources that cloud-init detected and used. The handlers subdirectory contains information about the handlers that cloud-init executed. The scripts subdirectory contains scripts that cloud-init runs at different stages of the boot process, such as per-instance, per-boot, per-once, and vendor. The sem subdirectory contains semaphore files that cloud-init uses to track the execution status of different modules and stages. References:

Configuring and managing cloud-init for RHEL 8 - Red Hat Customer Portal

vsphere - what is the linux file location where the cloud-init user …

Sparse images are a type of virtual disk images that grow in size as data is written to them, but do not shrink when data is deleted from them. Sparse images may consume an amount of space different from their nominal size, which is the maximum size that the image can grow to. For example, a sparse image with a nominal size of 100 GB may only take up 20 GB of physical storage if only 20 GB of data is written to it. Sparse images allocate backend storage at the first usage of a block, which means that the physical storage is only used when the virtual machine actually writes data to a block. This can save storage space and improve performance, as the image does not need to be pre-allocated or zeroed out.

Sparse images are not automatically shrunk when files within the image are deleted, because the virtual machine does not inform the host system about the freed blocks. To reclaim the unused space, a special tool such as virt-sparsify1 or qemu-img2 must be used to compact the image. Sparse images can be used with both full virtualization and paravirtualization, as the type of virtualization does not affect the format of the disk image. Sparse images are not automatically resized when their maximum capacity is about to be exceeded, because this would require changing the partition table and the filesystem of the image, which is not a trivial task. To resize a sparse image, a tool such as virt-resize3 or qemu-img2 must be used to increase the nominal size and the filesystem size of the image. References: 1 (search for “virt-sparsify”), 2 (search for “qemu-img”), 3 (search for “virt-resize”).

 The Linux kernel module that must be loaded in order to use QEMU with hardware virtualization extensions is KVM (Kernel-based Virtual Machine). KVM is a full virtualization solution that allows a user space program (such as QEMU) to utilize the hardware virtualization features of various processors (such as Intel VT or AMD-V). KVM consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor specific module, kvm-intel.ko or kvm-amd.ko. KVM must be loaded into the kernel of the host system in order to use the virtualization extensions of the host system’s CPU. This enables QEMU to run multiple virtual machines with unmodified Linux or Windows images, each with private virtualized hardware. KVM is integrated with QEMU, so there is no need to load it into the kernel of each virtual machine or the first virtual machine. KVM also does not require paravirtualization, which is a technique that modifies the guest operating system to communicate directly with the hypervisor, bypassing the emulation layer. References:

Features/KVM - QEMU

Kernel-based Virtual Machine

KVM virtualization on Red Hat Enterprise Linux 8 (2023)