DCA — Docker Certified Associate
I see more preparation mistakes on DCA than on almost any other infrastructure cert. The core mistake is treating DCA as a Kubernetes supplement — something to do after CKA because you already know containers. DCA is a Swarm exam. Docker Swarm is the orchestration layer being tested, not Kubernetes. Candidates who spend their prep time in kubectl and then walk into a DCA exam get surprised. The orchestration questions assume you know docker service, docker stack, and docker node commands the same way a CKA candidate knows kubectl apply.
Exam at a glance
| Detail | Value |
|---|---|
| Provider | Mirantis (acquired from Docker Inc.) |
| Exam code | DCA |
| Full name | Docker Certified Associate |
| Duration | 90 minutes |
| Question count | 55 |
| Passing score | ~65% (36/55 correct) |
| Exam fee | $195 USD |
| Validity | 2 years |
| Delivery | Online proctored via Mirantis exam platform |
| Retake policy | 14-day wait before retake; fee applies per attempt |
What's tested
The DCA study guide from Mirantis breaks into six weighted domains.
Orchestration (25%). The largest domain. Covers Docker Swarm architecture (manager nodes, worker nodes, the Raft consensus protocol for managers), docker swarm init, joining workers, promoting/demoting nodes, services (docker service create, replicated vs global mode, update parallelism, rollback), stacks (docker stack deploy with Compose v3 files), and constraint/placement preferences. Expect multi-step scenario questions here.
Image Creation, Management, and Registry (20%). Dockerfile best practices — layer ordering for cache efficiency, multi-stage builds, the difference between CMD and ENTRYPOINT, COPY vs ADD. Docker Hub, DTR (Docker Trusted Registry), image signing with Docker Content Trust, and promotion policies in DTR. Tagging, pushing, and pulling across registries.
Installation and Configuration (15%). Installing Docker Engine on Linux (supported distros), configuring the Docker daemon via /etc/docker/daemon.json, logging drivers, storage drivers (overlay2 is the default; know why), resource limits (memory, CPU), and configuring Docker for production (systemd unit, log rotation).
Networking (15%). Network drivers: bridge (default single-host), overlay (multi-host Swarm), host, macvlan, none. Creating overlay networks in Swarm and how service discovery uses DNS round-robin. Ingress vs user-defined overlay networks. Publishing ports with -p vs --publish in services. Container-to-container communication across nodes.
Security (15%). Docker Content Trust (DCT) and image signing, secrets (docker secret create, mounting secrets into services), user namespaces, AppArmor and seccomp profiles, read-only containers, and dropping Linux capabilities. Role-based access control in Docker Enterprise (UCP).
Storage and Volumes (10%). Volume drivers, bind mounts vs volumes vs tmpfs mounts, named volumes in Swarm services (must use a volume driver that supports multi-host if the service can run on any node), and storage driver behavior (overlay2 and copy-on-write semantics).
Common exam traps
docker service create vs docker run — know when each applies. docker run starts a single container on the local node. docker service create starts a replicated or global service managed by Swarm across the cluster. Questions describe a multi-node deployment and some of the answer choices mix the two. If the scenario involves high availability or multiple nodes, the answer is a service, not a container.
Swarm manager quorum and the Raft protocol. The exam tests quorum math. A three-manager cluster tolerates one manager failure (quorum = 2). A five-manager cluster tolerates two failures (quorum = 3). The formula is (N/2) + 1 rounded down. Questions ask things like "you have 7 managers, how many can fail without losing quorum?" The answer is 3. Candidates who memorize "3 or 5 managers is recommended" without understanding the math get the quorum questions wrong.
Ingress network vs user-defined overlay. When you publish a port on a Swarm service, Docker creates an ingress overlay network automatically. Traffic arriving on any Swarm node on that port gets routed to the service replicas via the ingress load balancer (IPVS). A user-defined overlay network is separate and used for service-to-service communication. The distinction matters on questions about why a service is not reachable or how to isolate services from each other.
COPY vs ADD in Dockerfiles. Both copy files into an image. ADD has two extra behaviors: it auto-extracts tar archives and it accepts remote URLs. The Docker documentation and the DCA exam both recommend using COPY by default and only using ADD when you specifically need the tar extraction behavior. Questions occasionally describe a requirement that sounds like it needs ADD but is actually better solved with COPY plus RUN curl.
Docker secrets are Swarm-only. docker secret create requires Swarm mode to be active. You cannot use Docker secrets in a standalone container started with docker run. The exam tests this boundary — a question describes a standalone (non-Swarm) environment and asks how to pass a secret to a container. The correct answer is an environment variable or a bind-mounted file, not a Docker secret.
How ARIA prepares you for DCA
My evaluation targets the six DCA domains with practical scenario-based questions. Most candidates who come from a Kubernetes background test strong on image management and networking but weak on Swarm-specific orchestration (stacks, service updates, quorum). Candidates from a sysadmin background often have the inverse profile: strong on installation and storage, weak on multi-stage builds and DTR.
For a developer with container experience but no Swarm background, expect a 3-phase roadmap. Phase 1 builds the Swarm mental model — how services, stacks, and nodes relate, and the Raft quorum mechanics. Phase 2 covers security, secrets, and the DTR/Content Trust topics that are easy to skip in day-to-day Docker use. Phase 3 is scenario drilling on the mixed-domain questions that make up the hardest exam items.
Timeline: 4–6 weeks for someone who runs containers regularly but has not administered a Swarm cluster. 2–3 weeks for someone with active Swarm experience.
Pass guarantee for DCA
DCA qualifies for the ClaudeLab pass guarantee under the standard five conditions. Full conditions here.
Related certifications
DCA sits naturally alongside the Kubernetes track. KCNA (Kubernetes and Cloud Native Associate) covers the conceptual layer, CKA (Certified Kubernetes Administrator) goes deep on cluster administration, and CKAD (Certified Kubernetes Application Developer) covers workload deployment. If you hold CKA and want to round out your container expertise with a Swarm-focused cert, DCA is the logical complement. The Terraform Associate pairs well for teams that provision infrastructure before deploying Docker workloads on it.
Start your DCA roadmap
Start your DCA roadmap with ARIA → claudelab.me
The Swarm orchestration domain carries 25% of the exam weight and is the one area where most candidates who learned Docker in a Kubernetes-first world have actual gaps. I will find those gaps in the evaluation and build a roadmap that fixes them specifically — not one that makes you re-study image management you already know.