Using either EXPOSE or -publish to access the container on the bridge network will not accomplish the goal of creating a container that is reachable from its host's network.EXPOSE is a way of documenting which ports a container listens on, but it does not open any ports to the host1.-publish (or -p) is a way of mapping a host port to a container port, but it does not change the network mode of the container2.By default, Docker containers use the bridge network, which isolates them from the host network3.To create a container that is reachable from its host's network, you need to use the --network host option when running the container4.This will make the container share the host's network stack and have the same IP address as the host4.Reference:

1: Difference Between ''expose'' and ''publish'' in Docker | Baeldung on Ops

2: Deploy services to a swarm | Docker Docs

3: Bridge network | Docker Docs

4: Host network | Docker Docs

Image role-based access control isnota function of UCP. UCP has its own built-in authentication mechanism and integrates with LDAP services.It also has role-based access control (RBAC), so that you can control who can access and make changes to your cluster and applications1.However, image role-based access control is a feature of Docker Trusted Registry (DTR), which integrates with UCP and allows you to manage the images you use for your applications2.DTR lets you define granular permissions for images, such as who can push, pull, delete, or scan them3.Reference:Universal Control Plane overview), Docker Trusted Registry overview),Docker Access Control)

= Seccomp is a Linux kernel feature that allows you to restrict the actions available within the container. By using a seccomp profile, you can limit the system calls that a container can make, thus enhancing its security and isolation. Docker has a default seccomp profile that blocks some potentially dangerous system calls, such as mount, reboot, or ptrace. You can also pass a custom seccomp profile for a container using the--security-optoption. Seccomp can limit a container's access to host resources, such as CPU or memory, by blocking or filtering system calls that affect those resources, such as setpriority, sched_setaffinity, or mlock.Reference:

Seccomp security profiles for Docker

Hardening Docker Container Using Seccomp Security Profile

Docker Content Trust (DCT) is a feature that allows users to verify the integrity and publisher of container images they pull or deploy from a registry server, signed on a Notary server1. DCT is enabled by setting the environment variable DOCKER_CONTENT_TRUST=1 on the Docker client.When DCT is enabled, the Docker client will only pull, run, or build images that have valid signatures for a specific tag2.However, DCT does not apply to the docker image import command, which allows users to import an image or a tarball with a repository and tag from a file or STDIN3. Therefore, if myorg/myimage:1.0 is unsigned, Docker will not block the docker image import <tarball> myorg/myimage:1.0 command, even if DCT is enabled. This is because the docker image import command does not interact with a registry or a Notary server, and thus does not perform any signature verification. However, this also means that the imported image will not have any trust data associated with it, and it will not be possible to push it to a registry with DCT enabled, unless it is signed with a valid key.Reference:

Content trust in Docker

Automation with content trust

[docker image import]

[Content trust and image tags]

The commanddocker service create -name dns-cache -p 53:53 -service udp dns-cacheisnot validbecause it has somesyntax errors. The correct syntax for creating a swarm service isdocker service create [OPTIONS] IMAGE [COMMAND] [ARG...]. The errors in the command are:

There should be a space between theoption flagand theoption value. For example,-name dns-cacheshould be-name dns-cache.

The option flag for specifying theservice modeis-mode, not-service. For example,-service udpshould be-mode udp.

The option flag for specifying theport mappingis--publishor-p, not-p. For example,-p 53:53should be--publish 53:53.

The correct command for creating a swarm service that only listens on port 53 using the UDP protocol is:

docker service create --name dns-cache --publish 53:53/udp dns-cache

This command will create a service calleddns-cachethat uses thedns-cacheimage and exposes port 53 on both the host and the container using the UDP protocol.