A company's security policy specifies that development and production containers must run on separate nodes in a given Swarm cluster. Can this be used to schedule containers to meet the security policy requirements?
Solution: label constraints
Correct Answer: A
Explanation
Label constraints can be used to schedule containers to meet the security policy requirements. Label constraints are a way to specify which nodes a service can run on based on the labels assigned to the nodes.
Labels are key-value pairs that can be attached to any node in the swarm. For example, you can label nodes as development or production depending on their intended use. Then, you can use the --constraint option when creating or updating a service to filter the nodes based on their labels. For example, to run a service only on development nodes, you can use:
docker service create --constraint 'node.labels.environment == development' ...
To run a service only on production nodes, you can use:
docker service create --constraint 'node.labels.environment == production' ...
This way, you can ensure that development and production containers run on separate nodes in the swarm, as required by the security policy.
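The separation only holds if every service carries such a constraint, because a service without one can be scheduled on any node. The following check is an added example, not part of the original answer: it reads service definitions in the shape printed by `docker service inspect` (constraints under `Spec.TaskTemplate.Placement.Constraints`) and reports which services are pinned to one environment. The service names and the JSON sample are constructed, and the label key `environment` with values `development` and `production` is assumed from the commands above.

```python
import json
import re

# Constructed sample in the shape of `docker service inspect` output (not from a real cluster).
SERVICES_JSON = """
[
 {"Spec": {"Name": "web-prod", "TaskTemplate": {"Placement": {"Constraints": ["node.labels.environment == production"]}}}},
 {"Spec": {"Name": "web-dev", "TaskTemplate": {"Placement": {"Constraints": ["node.role==worker", "node.labels.environment==development"]}}}},
 {"Spec": {"Name": "metrics", "TaskTemplate": {"Placement": {"Constraints": ["node.role == worker"]}}}},
 {"Spec": {"Name": "batch", "TaskTemplate": {}}},
 {"Spec": {"Name": "debug", "TaskTemplate": {"Placement": {"Constraints": ["node.labels.environment != production"]}}}}
]
"""

LABEL = "node.labels.environment"           # assumed label key, as used on this page
ALLOWED = {"development", "production"}     # assumed label values
CONSTRAINT_RE = re.compile(r"^\s*(\S+?)\s*(==|!=)\s*(\S+)\s*$")


def pinned_environment(service):
    """Return the single environment a service is pinned to, or None."""
    placement = service["Spec"].get("TaskTemplate", {}).get("Placement") or {}
    envs = set()
    for constraint in placement.get("Constraints") or []:
        m = CONSTRAINT_RE.match(constraint)
        # Only '==' pins a service. '!= production' still admits nodes that
        # are unlabelled or carry some other value, so it does not count.
        if m and m.group(1) == LABEL and m.group(2) == "==":
            envs.add(m.group(3))
    # Exactly one known value is required; two different '==' values
    # can never both match a node and are reported as unpinned.
    if len(envs) == 1 and envs <= ALLOWED:
        return envs.pop()
    return None


def audit(services):
    """Group service names by pinned environment; the rest are 'unpinned'."""
    report = {"development": [], "production": [], "unpinned": []}
    for service in services:
        env = pinned_environment(service)
        report[env or "unpinned"].append(service["Spec"]["Name"])
    return report


if __name__ == "__main__":
    print(json.dumps(audit(json.loads(SERVICES_JSON)), indent=2))
```

Any name listed under `unpinned` is a service the scheduler may place on either class of node.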