Free HashiCorp HCCAO-003 Exam Questions

Question 1

You have two Consul datacenters and you want to enable federation so services in dc1 can discover services in dc2. You run the consul join wan node2.example.com.

However, servers in dc1 can not communicate with servers in dc2 and vice versa. Based on the snippets of the server configuration files can be found below, why would

this be assuming network connectivity is working as expected?

dc1 configuration

1. "datacenter": "dc1",

2. "server": true,

3. "key_file": "/etc/consul.d/cert.key",

4. "cert_file": "/etc/consul.d/client.pem",

5. "ca_file": "/etc/consul.d/chain.pem",

6. "verify_incoming": true,

7. "verify_outgoing": true,

8. "verify_server_hostname": true,

9. "ui": true,

10. "encrypt": "XIUEktl3YjG9KPJfaBU1xE69IZ0XhsNCSH423FyknJE=",

11. "bootstrap_expect": 5,

12. "enable_syslog": true,

dc2 configuration

1. "datacenter": "dc2",

2. "server": true,

3. "key_file": "/etc/consul.d/cert.key",

4. "cert_file": "/etc/consul.d/client.pem",

5. "ca_file": "/etc/consul.d/chain.pem",

6. "verify_incoming": true,

7. "verify_outgoing": true,

8. "verify_server_hostname": true,

9. "ui": true,

10. "encrypt": "LSBSOZI5+9EX/kdY8u27mX50rk1ywcprfUCoSZjnpUg=",

11. "bootstrap_expect": 5,

12. "enable_syslog": false,

A : gossip keys need to match between federated datacenters

B : verify_incoming setting should be set to false before WAN federation can be configured

C : client certificates are issued from different CAs

D : syslog configurations do not match

Answer: A

Question 2

You need to determine the leader node for the Consul cluster. What command allows you to quickly identify the nodes and their current roles within the cluster?

Example of the command's output:

1. Node ID Address State Voter RaftProtocol

2. CONSUL-NODE-A 121abb4c-16fb-c8ec-2e2b-9595925de4dc 10.0.10.238:8300 follower true 3

3. CONSUL-NODE-C 4bead426-4471-0924-598f-cd6ce0015ebc 10.0.10.48:8300 follower true 3

4. CONSUL-NODE-E c44e8ab1-1132-1b22-9501-479c690c9e1b 10.0.10.105:8300 leader true 3

5. CONSUL-NODE-D ba86541f-cd93-6ada-b763-709b0fc6c09f 10.0.11.163:8300 follower true 3

6. CONSUL-NODE-B 2528cba1-06ea-4837-fc7b-13e44af19b0d 10.0.11.141:8300 follower true 3

A : nsul nodes -leader

B : nsul members

C : consul raft- list

D : consul operator raft list-peers

Answer: D

Question 3

You have created a new gossip encryption key using consul keygen and installed it using the command consul keyring -install

TX/1dsj67x/4XdTeSG1Cb5RdC/cbAbv9Hch4H8cL8nk=.

However, when you try and delete the original gossip encryption key, you receive an error. Based on the error message below, what steps need to be taken in order to be

able to remove the old gossip encryption key?

1. $ consul keyring -remove /d+jMNoQWICjMvddXJXzyGPDWiEOFgApvUJcuPRcves=

2.

3. ==> Removing gossip encryption key...

4. error: Unexpected response code: 500 (12 errors occurred:

5. * WAN error: 5/5 nodes reported failure

6. * CONSUL-NODE-A.dc-1: Removing the primary key is not allowed

7. * CONSUL-NODE-C.dc-1: Removing the primary key is not allowed

8. * CONSUL-NODE-B.dc-1: Removing the primary key is not allowed

9. * CONSUL-NODE-D.dc-1: Removing the primary key is not allowed

10. * CONSUL-NODE-E.dc-1: Removing the primary key is not allowed

11. * dc-1 (LAN) error: 5/5 nodes reported failure

12. * CONSUL-NODE-E: Removing the primary key is not allowed

13. * CONSUL-NODE-A: Removing the primary key is not allowed

14. * CONSUL-NODE-D: Removing the primary key is not allowed

15. * CONSUL-NODE-B: Removing the primary key is not allowed

16. * CONSUL-NODE-C: Removing the primary key is not allowed

A : wait until the old key is invalidated by Consul based upon the configured validity date

B : nfigure Consul to use the new key using the consul keyring -use command

C : the original gossip key on a Consul cluster cannot be deleted

D : it for Raft to replicate the new key across all cluster nodes before you can remove it

Answer: A

Question 4

Scenario: You have multiple services registered with Consul for your e-commerce site, including the front-end service, the shipping service, the inventory service, and the

cart service. To safeguard your customer's shipping addresses, you want to ensure that communication between the front-end and the shipping service is denied and that

traffic is only permitted from the cart service.

What feature of Consul Connect can you use to permit access to the shipping service from the cart service and deny communication from the front-end service?

Consul-Associate-Part-2-Q57-page32-image4

A : tentions

B : nsul agent

C : nsul ACLs

D : nsul Namespaces

Answer: A

Question 5

You have a Consul cluster running production workloads in your environment. However, you've discovered that the cluster was initially deployed without gossip

encryption configured, which means that traffic is being sent in cleartext. The security team has requested this to be updated ASAP. However, you can't take an outage on

the Consul service right now, knowing the server nodes will stop communicating once you start editing the configuration files one by one.

How can you enable gossip encryption on the existing cluster without affecting the services it is currently providing the business?

A : Generate the new encryption key using consul keygen. Update all the Consul server agent configuration files with the new encryption key. Using a scheduling tool,execute the consul reload command for all nodes at the same time. This will ensure that there is minimal downtime for the Consul service.

B : Generate the new encryption key using consul keygen. Update each Consul agent configuration file with the new configuration and set additional parameters toverify incoming and outgoing encryption to false. Use rolling updates to walk through the steps of ultimately setting the parameters to true.

C : Generate the new encryption key using consul keygen. Use the command consul keyring -install and push the new encryption key out to all participatingnodes in the cluster. Finally, use the command consul keyring -use to instruct Consul to use the key for encryption

D : Generate the new encryption key using consul keygen. Update the Consul server agent configuration files with the new encryption key and issue a kill -HUP command so the Consul service reloads and picks up the new gossip configuration. Update and restart as a rolling update across the cluster so only asingle node is offline at a time.

Answer: B