CISSP PRACTICE QUESTIONS – 20211021

Effective CISSP Questions

Which of the following is not a primary construct that supports containerization? (Wentz QOTD)
A. Partition kernel resources into namespaces
B. Limit the resource usage of a collection of processes
C. Connect containers across multiple hosts using overlay networks, e.g., VXLAN
D. Isolate containers through the bare metal hypervisor

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Isolate containers through the bare metal hypervisor.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

[Figure: Virtual Machines and Docker Containers (Credit: Diego Terrana)]

Containerization is an application-level virtualization technology in which containers share the host OS kernel, in contrast to virtual machine-based virtualization, where each guest runs its own kernel under a hypervisor. The underlying OS features are namespaces, cgroups, AppArmor, etc.

  • Namespaces are the most essential construct: they partition kernel resources (process IDs, mount points, network stacks, hostnames, IPC, user IDs) so that each container sees only its own view.
  • Control groups (cgroups) limit, account for, and isolate the resource usage (CPU, memory, block I/O, PIDs) of a collection of processes.
  • It’s common to connect containers using bridge networks, host networks, overlay networks (e.g., VXLAN) that span multiple hosts, Macvlan networks, or third-party network implementations. The Docker networking documentation provides a good overview.
  • AppArmor is a well-known Linux security module (LSM) that applies mandatory access control profiles to confine what a container’s processes may do.
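The two constructs the question hinges on, namespaces and cgroups, leave traces in /proc that a defender can read to tell whether a process is containerized and which container it belongs to. The following is an added example, not code from the original post or from Docker; it parses constructed samples of /proc/<pid>/cgroup (both cgroup v1 and v2 layouts) and of the /proc/<pid>/ns/* symlink targets. The container ID, namespace inode numbers and the `classify_process` helper are all constructed for illustration.

```python
"""Attribute a process to a container from its namespace and cgroup metadata.

Added example (not from the original post). All sample values below are
constructed; on a real Linux host the same data comes from
/proc/<pid>/cgroup and os.readlink('/proc/<pid>/ns/<name>').
"""
import os
import re
from typing import Dict, Optional, Set

# Docker places a 64-hex container id in the cgroup path in one of two layouts:
#   cgroupfs driver : /docker/<id>
#   systemd driver  : /system.slice/docker-<id>.scope
CONTAINER_ID_RE = re.compile(r"(?:/docker/|docker-)([0-9a-f]{64})(?:\.scope)?(?:/|$)")

# /proc/<pid>/ns/<name> links read as '<name>:[<inode>]'
NS_LINK_RE = re.compile(r"^(\w+):\[(\d+)\]$")

NS_NAMES = ("mnt", "pid", "net", "uts", "ipc", "user")


def parse_cgroup_file(text: str) -> Dict[str, str]:
    """Parse 'hierarchy-id:controllers:path' lines into controller -> path.

    cgroup v1 lists one line per hierarchy ('12:pids:/docker/<id>');
    cgroup v2 has a single '0::<path>' line, keyed here as 'unified'.
    """
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _hierarchy, controllers, path = parts
        for controller in (controllers.split(",") if controllers else ["unified"]):
            mapping[controller] = path
    return mapping


def container_id_from_cgroups(cgroups: Dict[str, str]) -> Optional[str]:
    """Return the Docker container id embedded in any cgroup path, or None."""
    for path in cgroups.values():
        match = CONTAINER_ID_RE.search(path)
        if match:
            return match.group(1)
    return None


def parse_ns_links(links: Dict[str, str]) -> Dict[str, int]:
    """Map namespace name -> inode from readlink-style targets like 'pid:[4026531836]'."""
    inodes: Dict[str, int] = {}
    for name, target in links.items():
        match = NS_LINK_RE.match(target)
        if match and match.group(1) == name:
            inodes[name] = int(match.group(2))
    return inodes


def namespaces_differing_from(proc_links: Dict[str, str], init_links: Dict[str, str]) -> Set[str]:
    """Namespaces in which the process does NOT share the reference (init) namespace."""
    proc, init = parse_ns_links(proc_links), parse_ns_links(init_links)
    return {name for name, inode in proc.items() if init.get(name) != inode}


def classify_process(cgroup_text: str, proc_links: Dict[str, str], init_links: Dict[str, str]) -> dict:
    """Combine both signals: a container id in the cgroup path, or private pid/mnt namespaces."""
    cid = container_id_from_cgroups(parse_cgroup_file(cgroup_text))
    private = namespaces_differing_from(proc_links, init_links)
    return {
        "container_id": cid,
        "private_namespaces": sorted(private),
        "containerized": cid is not None or bool(private & {"pid", "mnt"}),
    }


def live_ns_links(pid: int) -> Dict[str, str]:
    """Read the real /proc/<pid>/ns/* links on a Linux host (not used by the samples)."""
    return {name: os.readlink(f"/proc/{pid}/ns/{name}") for name in NS_NAMES}


# ---- constructed samples -------------------------------------------------
SAMPLE_ID = "0123456789abcdef" * 4  # constructed 64-hex container id
SAMPLE_CGROUP_V1 = (
    f"12:pids:/docker/{SAMPLE_ID}\n"
    f"11:memory:/docker/{SAMPLE_ID}\n"
    f"3:cpu,cpuacct:/docker/{SAMPLE_ID}\n"
    f"1:name=systemd:/docker/{SAMPLE_ID}\n"
)
SAMPLE_CGROUP_V2 = f"0::/system.slice/docker-{SAMPLE_ID}.scope\n"
SAMPLE_CGROUP_HOST = "0::/user.slice/user-1000.slice/session-2.scope\n"

# Constructed inode numbers: the container shares only the user namespace with init.
HOST_INIT_NS = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]", "net": "net:[4026531992]",
                "uts": "uts:[4026531838]", "ipc": "ipc:[4026531839]", "user": "user:[4026531837]"}
CONTAINER_PROC_NS = {"mnt": "mnt:[4026532451]", "pid": "pid:[4026532454]", "net": "net:[4026532457]",
                     "uts": "uts:[4026532452]", "ipc": "ipc:[4026532453]", "user": "user:[4026531837]"}

if __name__ == "__main__":
    print(classify_process(SAMPLE_CGROUP_V2, CONTAINER_PROC_NS, HOST_INIT_NS))
    print(classify_process(SAMPLE_CGROUP_HOST, HOST_INIT_NS, HOST_INIT_NS))
```

Checking both signals matters in practice: a process started with `unshare` has private namespaces but no container id in its cgroup path, and a container launched with `--pid=host` shares the host PID namespace yet still sits in a Docker cgroup. On a live host, replace the constructed dictionaries with `live_ns_links(pid)` and `live_ns_links(1)` and read `/proc/<pid>/cgroup` directly.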

Containerization can be implemented on a bare metal server without a hypervisor or virtual machines. Common container deployments are shown as follows.

[Figure: Virtual Machine and Container Deployments (Source: NIST SP 800-190)]



