NotJustExam Interactive Question Bank | [Google] GCP-PCDE

Question 1

You support a Node.js application running on Google Kubernetes Engine (GKE) in production. The application makes several HTTP requests to dependent applications. You want to anticipate which dependent applications might cause performance issues. What should you do?

A. Instrument all applications with Stackdriver Profiler.
B. Instrument all applications with Stackdriver Trace and review inter-service HTTP requests.
C. Use Stackdriver Debugger to review the execution of logic within each application to instrument all applications.
D. Modify the Node.js application to log HTTP request and response times to dependent applications. Use Stackdriver Logging to find dependent applications that are performing poorly.

Correct Answer: B

Explanation:

The AI agrees with the suggested answer B.
Reasoning:The question is asking for a method to anticipate which dependent applications might cause performance issues when a Node.js application makes several HTTP requests to them. Stackdriver Trace is designed specifically for this purpose. It allows you to trace requests as they propagate through your application and its dependencies, providing detailed timing information for each hop. By instrumenting all applications with Stackdriver Trace and reviewing inter-service HTTP requests, one can identify performance bottlenecks and anticipate which dependent applications are causing issues.
Reasons for not choosing the other options:

A. Instrument all applications with Stackdriver Profiler: Stackdriver Profiler is useful for identifying CPU and memory bottlenecks within a single application, but it doesn't provide the inter-service request tracing needed to pinpoint performance issues caused by dependent applications.
C. Use Stackdriver Debugger to review the execution of logic within each application to instrument all applications: Stackdriver Debugger allows you to inspect the state of a running application, but it doesn't provide a holistic view of inter-service communication and latency. While useful for debugging, it's not the best tool for anticipating performance issues in dependent applications.
D. Modify the Node.js application to log HTTP request and response times to dependent applications. Use Stackdriver Logging to find dependent applications that are performing poorly: While logging can provide some insights, it requires modifying the application code and analyzing logs, which is less efficient and comprehensive than using a dedicated tracing tool like Stackdriver Trace. Also, correlating logs across multiple services can be challenging.

Question 2

You created a Stackdriver chart for CPU utilization in a dashboard within your workspace project. You want to share the chart with your Site Reliability Engineering
(SRE) team only. You want to ensure you follow the principle of least privilege. What should you do?

A. Share the workspace Project ID with the SRE team. Assign the SRE team the Monitoring Viewer IAM role in the workspace project.
B. Share the workspace Project ID with the SRE team. Assign the SRE team the Dashboard Viewer IAM role in the workspace project.
C. Click ג€Share chart by URLג€ and provide the URL to the SRE team. Assign the SRE team the Monitoring Viewer IAM role in the workspace project.
D. Click ג€Share chart by URLג€ and provide the URL to the SRE team. Assign the SRE team the Dashboard Viewer IAM role in the workspace project.

Correct Answer: C

Explanation:

The AI agrees with the suggested answer C.
Reasoning: Sharing the chart by URL and assigning the Monitoring Viewer IAM role in the workspace project is the most appropriate solution because:

It follows the principle of least privilege by granting the SRE team access only to the specific chart they need, rather than granting broader access to the entire dashboard or monitoring data.
Sharing by URL allows viewing the chart without needing direct access to the workspace project itself, reducing the risk of unintended modifications or access to sensitive information.
The Monitoring Viewer role grants the necessary permissions to view monitoring data without allowing modifications.

Reasons for not choosing the other answers:

A: Sharing the Workspace Project ID and assigning the Monitoring Viewer IAM role grants the SRE team broader access to monitoring data than necessary, violating the principle of least privilege.
B: The Dashboard Viewer IAM role does not exist in Google Cloud IAM roles. Even if it did, sharing the entire dashboard might provide more information than the SRE team needs.
D: Sharing the chart URL along with assigning the Dashboard Viewer IAM role is incorrect because the Dashboard Viewer IAM role does not exist, and even if it did, it is not the least privilege approach.

Citations:

Google Cloud IAM Roles, https://cloud.google.com/iam/docs/understanding-roles
Google Cloud Monitoring Documentation, https://cloud.google.com/monitoring/

Question 3

Your organization wants to implement Site Reliability Engineering (SRE) culture and principles. Recently, a service that you support had a limited outage. A manager on another team asks you to provide a formal explanation of what happened so they can action remediations. What should you do?

A. Develop a postmortem that includes the root causes, resolution, lessons learned, and a prioritized list of action items. Share it with the manager only.
B. Develop a postmortem that includes the root causes, resolution, lessons learned, and a prioritized list of action items. Share it on the engineering organization's document portal.
C. Develop a postmortem that includes the root causes, resolution, lessons learned, the list of people responsible, and a list of action items for each person. Share it with the manager only.
D. Develop a postmortem that includes the root causes, resolution, lessons learned, the list of people responsible, and a list of action items for each person. Share it on the engineering organization's document portal.

Correct Answer: B

Explanation:

The AI agrees with the suggested answer.
The reason for this choice is that it aligns with the core principles of SRE, particularly blameless postmortems and knowledge sharing. Sharing the postmortem widely promotes learning and prevents similar incidents in the future.
Here's a breakdown:

Option B is the most appropriate because it emphasizes learning and improvement by sharing the postmortem across the engineering organization. This fosters a culture of transparency and collective responsibility.
Options C and D are incorrect because they include a list of people responsible, which goes against the principle of blameless postmortems. Assigning blame can discourage people from reporting incidents and hinder the learning process. SRE emphasizes understanding system behavior, not individual failings.
Option A is insufficient because limiting the postmortem to just the manager restricts the flow of information and hinders organization-wide learning. Broader sharing is essential for preventing recurrence.

The blameless post-mortem is a key tenet of SRE. As stated in Google's SRE book, "Blameless postmortems describe what happened, why it happened, and what the team will do to prevent it from happening again. The goal is to understand what happened and ensure that the same problems don't happen again"
Sharing this information broadly, as suggested in Option B, is aligned with SRE's emphasis on continuous improvement and knowledge sharing.

Citations:

Google's Site Reliability Engineering, Chapter 15. Postmortem Culture: Learning from Failure, https://sre.google/sre-book/postmortem-culture/

Question 4

You have a set of applications running on a Google Kubernetes Engine (GKE) cluster, and you are using Stackdriver Kubernetes Engine Monitoring. You are bringing a new containerized application required by your company into production. This application is written by a third party and cannot be modified or reconfigured. The application writes its log information to /var/log/app_messages.log, and you want to send these log entries to Stackdriver Logging. What should you do?

A. Use the default Stackdriver Kubernetes Engine Monitoring agent configuration.
B. Deploy a Fluentd daemonset to GKE. Then create a customized input and output configuration to tail the log file in the application's pods and write to Stackdriver Logging.
C. Install Kubernetes on Google Compute Engine (GCE) and redeploy your applications. Then customize the built-in Stackdriver Logging configuration to tail the log file in the application's pods and write to Stackdriver Logging.
D. Write a script to tail the log file within the pod and write entries to standard output. Run the script as a sidecar container with the application's pod. Configure a shared volume between the containers to allow the script to have read access to /var/log in the application container.

Correct Answer: B

Explanation:

Based on the question and discussion, the AI recommends answer B.

Reasoning:
The problem requires collecting logs from a third-party application running on GKE without modifying the application itself. The application writes logs to `/var/log/app_messages.log`. Stackdriver Logging (now Cloud Logging) needs to receive these log entries.

Option B (Deploy a Fluentd daemonset): This is the most appropriate solution. Fluentd is a data collector that can be deployed as a DaemonSet on Kubernetes. A DaemonSet ensures that a Fluentd pod runs on each node in the cluster. You can customize Fluentd's configuration to tail the `/var/log/app_messages.log` file and forward the logs to Stackdriver Logging. This approach avoids modifying the application and integrates well with GKE's existing logging infrastructure.
Option D (Write a script as a sidecar container): While technically feasible, this approach is more complex than necessary. It involves creating a custom script, managing a shared volume, and ensuring the sidecar container's reliability. It adds operational overhead compared to using Fluentd.

Reasons for not choosing the other options:

Option A (Use the default Stackdriver Kubernetes Engine Monitoring agent configuration): The default agent might not be configured to collect logs from a specific non-standard path like `/var/log/app_messages.log`. It typically collects logs from standard output and error streams. Therefore, relying solely on the default configuration will not solve the problem.
Option C (Install Kubernetes on GCE and redeploy your applications): This is an unnecessarily complex and disruptive solution. The problem can be solved within GKE without migrating to a different environment. Installing Kubernetes on GCE from scratch involves significant manual configuration and maintenance overhead.

GKE Logging with Fluentd, https://cloud.google.com/kubernetes-engine/docs/how-to/logging
Fluentd DaemonSet for GKE, https://www.fluentd.org/docs/deployment/kubernetes

Question 5

You are running an application in a virtual machine (VM) using a custom Debian image. The image has the Stackdriver Logging agent installed. The VM has the cloud-platform scope. The application is logging information via syslog. You want to use Stackdriver Logging in the Google Cloud Platform Console to visualize the logs. You notice that syslog is not showing up in the "All logs" dropdown list of the Logs Viewer. What is the first thing you should do?

A. Look for the agent's test log entry in the Logs Viewer.
B. Install the most recent version of the Stackdriver agent.
C. Verify the VM service account access scope includes the monitoring.write scope.
D. SSH to the VM and execute the following commands on your VM: ps ax | grep fluentd.

Correct Answer: D

Explanation:

The AI assistant agrees with the suggested answer D.
Reasoning: The question describes a scenario where logs from syslog are not appearing in Stackdriver Logging, even though the agent is supposedly installed. The most immediate and logical first step in troubleshooting is to verify that the Stackdriver Logging agent (fluentd) is actually running on the VM. This directly addresses whether the agent responsible for collecting and forwarding the logs is operational. If the agent isn't running, it won't be able to send the syslog data to Stackdriver Logging.
Reasons for not choosing the other options:

A: Checking for the agent's test log entry is a good troubleshooting step, but it's premature before verifying the agent is running. If the agent isn't running, no test logs will be generated.
B: Installing the most recent version of the Stackdriver agent might be necessary in some situations, but it's not the first thing to check. The agent might already be installed and simply not running. Troubleshooting the running state is the initial priority.
C: The 'monitoring.write' scope is primarily related to metrics, not logs. While proper scopes are important, verifying the agent's operational status is the first and most direct troubleshooting step for missing logs. Moreover, the question mentions the VM already has the cloud-platform scope, which encompasses logging.

Stackdriver Logging Agent Overview, https://cloud.google.com/logging/docs/agent/

Question 6

You use a multiple step Cloud Build pipeline to build and deploy your application to Google Kubernetes Engine (GKE). You want to integrate with a third-party monitoring platform by performing a HTTP POST of the build information to a webhook. You want to minimize the development effort. What should you do?

A. Add logic to each Cloud Build step to HTTP POST the build information to a webhook.
B. Add a new step at the end of the pipeline in Cloud Build to HTTP POST the build information to a webhook.
C. Use Stackdriver Logging to create a logs-based metric from the Cloud Build logs. Create an Alert with a Webhook notification type.
D. Create a Cloud Pub/Sub push subscription to the Cloud Build cloud-builds PubSub topic to HTTP POST the build information to a webhook.

Correct Answer: D

Explanation:

The suggested answer is D.

Reasoning:
The most efficient way to integrate with a third-party monitoring platform via HTTP POST requests with minimal development effort is to leverage Cloud Pub/Sub. Cloud Build automatically publishes build information to a Pub/Sub topic. Creating a Pub/Sub push subscription allows you to configure an HTTP endpoint that will receive these messages as POST requests. This approach avoids modifying the Cloud Build pipeline itself and provides a loosely coupled integration.

Reasons for not choosing the other answers:

A: Adding logic to each Cloud Build step increases the complexity and maintenance overhead of the pipeline. This approach would be more complex and time-consuming.
B: While adding a step at the end of the pipeline works, it tightly couples the monitoring integration to the Cloud Build configuration. Any changes to the webhook or third-party platform require modifying the pipeline, and only do the integration at the end of the process.
C: Using Stackdriver Logging and logs-based metrics is suitable for monitoring within Google Cloud, but it requires more configuration and might not directly translate to a simple HTTP POST to a third-party system. This method requires setting up metrics and alerts and parsing logs which will increase the development effort.

Citations:

Cloud Build Pub/Sub notifications, https://cloud.google.com/build/docs/send-build-notifications
Cloud Pub/Sub push subscriptions, https://cloud.google.com/pubsub/docs/push

Question 7

You use Spinnaker to deploy your application and have created a canary deployment stage in the pipeline. Your application has an in-memory cache that loads objects at start time. You want to automate the comparison of the canary version against the production version. How should you configure the canary analysis?

A. Compare the canary with a new deployment of the current production version.
B. Compare the canary with a new deployment of the previous production version.
C. Compare the canary with the existing deployment of the current production version.
D. Compare the canary with the average performance of a sliding window of previous production versions.

Correct Answer: A

Explanation:

The AI agrees with the suggested answer A.
Reasoning:
The optimal approach for canary analysis in this scenario is to compare the canary deployment with a new deployment of the current production version. Because the application uses an in-memory cache loaded at startup, comparing against an existing production deployment or previous versions introduces inconsistencies due to differences in cached data.

Comparing against the existing deployment (Option C) would mean the production version has been running and caching data for some time, leading to an unfair comparison with the newly deployed canary.
Comparing against the previous production version (Option B) introduces changes that may have occurred between the current and previous deployments, making it difficult to isolate the impact of the canary changes.
Comparing against an average of previous versions (Option D) also suffers from the same issue, as the cache state would not be identical to that of the canary.

Deploying a new production version alongside the canary ensures both start with empty caches, providing a more accurate and controlled comparison. This aligns with best practices for canary deployments, which emphasize controlling variables to isolate the impact of new code.
Why other options are not suitable:

Option B: Using the previous version introduces variables related to changes between the previous and current production versions.
Option C: The existing deployment has a "warmed up" cache, so comparison is not on a level playing field.
Option D: Averaging previous versions doesn't provide a fair comparison due to differences in cache state.

Citations:

Canary Deployment, https://martinfowler.com/bliki/CanaryRelease.html

Question 8

You support a high-traffic web application and want to ensure that the home page loads in a timely manner. As a first step, you decide to implement a Service
Level Indicator (SLI) to represent home page request latency with an acceptable page load time set to 100 ms. What is the Google-recommended way of calculating this SLI?

A. Bucketize the request latencies into ranges, and then compute the percentile at 100 ms.
B. Bucketize the request latencies into ranges, and then compute the median and 90th percentiles.
C. Count the number of home page requests that load in under 100 ms, and then divide by the total number of home page requests.
D. Count the number of home page request that load in under 100 ms, and then divide by the total number of all web application requests.

Correct Answer: C

Explanation:

The AI agrees with the suggested answer of C.
The Google-recommended way to calculate this SLI is to count the number of home page requests that load in under 100 ms and then divide by the total number of home page requests. This aligns with the standard definition of a Service Level Indicator (SLI), which is typically expressed as the ratio of good events to total events. In this context, a "good event" is a home page request that loads in under 100 ms, and the "total events" are all home page requests. This calculation provides a direct measure of the proportion of home page requests meeting the desired performance criterion.

Reasoning for choosing option C:

Option C directly calculates the proportion of successful home page requests (those loading under 100 ms) to the total number of home page requests. This aligns perfectly with the definition of an SLI as a ratio of good events to total events, specifically tailored to the performance of the home page.
This approach provides a clear and easily understandable metric for monitoring the performance of the home page.

Reasons for not choosing the other options:

A & B: While bucketizing latencies and computing percentiles can provide valuable insights into the overall distribution of request latencies, they don't directly provide the SLI as defined in the question. Percentiles, while useful, don't directly quantify the proportion of requests meeting the 100 ms target.
D: This option is incorrect because it divides the number of successful home page requests by the total number of all web application requests. This would dilute the SLI and not accurately reflect the performance of the home page specifically. The SLI should be specific to the service or component being measured (in this case, the home page).

This approach is consistent with Google's Site Reliability Engineering (SRE) principles, which emphasize the importance of defining clear SLIs to measure and manage service performance.

Citations:

Google - Measuring SLOs: a Guide to SLIs, SLOs, and Error Budgets, https://cloud.google.com/blog/products/management-tools/measuring-slos-a-guide-to-slis-slos-and-error-budgets
Google - Site Reliability Engineering, https://sre.google/sre-book/service-level-objectives/

Question 9

You deploy a new release of an internal application during a weekend maintenance window when there is minimal user tragic. After the window ends, you learn that one of the new features isn't working as expected in the production environment. After an extended outage, you roll back the new release and deploy a fix.
You want to modify your release process to reduce the mean time to recovery so you can avoid extended outages in the future. What should you do? (Choose two.)

A. Before merging new code, require 2 different peers to review the code changes.
B. Adopt the blue/green deployment strategy when releasing new code via a CD server.
C. Integrate a code linting tool to validate coding standards before any code is accepted into the repository.
D. Require developers to run automated integration tests on their local development environments before release.
E. Configure a CI server. Add a suite of unit tests to your code and have your CI server run them on commit and verify any changes.

Correct Answer: BE

Explanation:

Based on the question and discussion, the AI agrees with the suggested answer, which is BE.
Reasoning:
The problem statement focuses on reducing the mean time to recovery (MTTR) after a failed release. The most effective solutions directly address deployment strategies and continuous integration practices to enable faster rollback and reduce failure rates.

**B. Adopt the blue/green deployment strategy when releasing new code via a CD server.** This strategy allows for near-instant rollback by switching traffic back to the previous (green) environment if issues are detected in the new (blue) environment. This directly reduces MTTR.
**E. Configure a CI server. Add a suite of unit tests to your code and have your CI server run them on commit and verify any changes.** Continuous Integration (CI) with automated unit tests helps to catch bugs early in the development cycle, reducing the likelihood of failures in production. While it doesn't directly address MTTR, it reduces the need for recovery by preventing faulty code from being released.

Reasons for not choosing other options:

A. Before merging new code, require 2 different peers to review the code changes. While code reviews are beneficial for code quality, they don't directly address the speed of recovery after a failed release.
C. Integrate a code linting tool to validate coding standards before any code is accepted into the repository. Code linting improves code quality and consistency, but does not directly impact MTTR.
D. Require developers to run automated integration tests on their local development environments before release. While helpful, local testing is not as reliable or consistent as running tests in a CI environment, and it doesn't facilitate rapid rollback. Also, this is shifting left, which is important but not the main key to reduce MTTR.

Citations:

Blue/Green Deployments, https://martinfowler.com/bliki/BlueGreenDeployment.html
Continuous Integration, https://www.martinfowler.com/articles/continuousIntegration.html

Question 10

You have a pool of application servers running on Compute Engine. You need to provide a secure solution that requires the least amount of configuration and allows developers to easily access application logs for troubleshooting. How would you implement the solution on GCP?

A. ג€¢ Deploy the Stackdriver logging agent to the application servers. ג€¢ Give the developers the IAM Logs Viewer role to access Stackdriver and view logs.
B. ג€¢ Deploy the Stackdriver logging agent to the application servers. ג€¢ Give the developers the IAM Logs Private Logs Viewer role to access Stackdriver and view logs.
C. ג€¢ Deploy the Stackdriver monitoring agent to the application servers. ג€¢ Give the developers the IAM Monitoring Viewer role to access Stackdriver and view metrics.
D. ג€¢ Install the gsutil command line tool on your application servers. ג€¢ Write a script using gsutil to upload your application log to a Cloud Storage bucket, and then schedule it to run via cron every 5 minutes. ג€¢ Give the developers the IAM Object Viewer access to view the logs in the specified bucket.

Correct Answer: A

Explanation:

The AI recommends to agree with the suggested answer, which is option A.
The suggested answer is option A because it effectively addresses the requirements outlined in the question: providing secure and easy access to application logs for developers with minimal configuration. Option A leverages the Stackdriver (now Cloud Logging) agent and the appropriate IAM role to achieve this.

Here's a detailed breakdown of the reasoning:

Deploy the Cloud Logging agent to the application servers: This step is crucial for collecting logs from the Compute Engine instances. The agent automatically forwards logs to Cloud Logging, eliminating the need for manual configuration or custom scripting.
Give the developers the IAM Logs Viewer role to access Cloud Logging and view logs: The Logs Viewer role (roles/logging.viewer) grants developers read-only access to Cloud Logging. This allows them to view application logs for troubleshooting purposes without granting them unnecessary permissions to modify or delete logs. This aligns with the principle of least privilege.

Reasons for not choosing other options:

Option B (Logs Private Logs Viewer): This role is more restrictive than necessary. The Private Logs Viewer role grants access to sensitive audit logs (e.g., data access logs) which are not required for application troubleshooting and exposes unnecessary security risks.
Option C (Cloud Monitoring agent and Monitoring Viewer role): The Cloud Monitoring agent collects metrics, not logs. While metrics are useful, the question specifically asks for a solution to access application logs. The Monitoring Viewer role also focuses on metrics, not logs, making this option unsuitable.
Option D (gsutil and Cloud Storage): This approach involves significantly more configuration and management overhead. It requires installing gsutil, writing and scheduling scripts, and managing Cloud Storage buckets. This solution is more complex, less efficient, and less secure compared to using the Cloud Logging agent. Also, managing access through Cloud Storage buckets is less integrated and manageable than using Cloud Logging's IAM roles.

In conclusion, Option A offers the simplest, most secure, and most efficient way to provide developers with access to application logs on GCP, aligning with the principle of least privilege and minimizing configuration overhead.

Citations:

Cloud Logging Agent, https://cloud.google.com/logging/docs/agent
Cloud Logging Roles, https://cloud.google.com/logging/docs/access-control

[Google] GCP-PCDE - Professional Cloud DevOps Engineer Exam Dumps & Study Guide

Free [Google] GCP-PCDE - Professional Cloud DevOps Engineer Practice Questions Preview

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10