Red Hat · Free Practice Questions · Last reviewed May 2026
48 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
An organization wants to deploy Ansible Automation Platform 2.x in a highly available configuration. Which component must be deployed in an active-active cluster to ensure controller failover?
PostgreSQL database
Automation controller
The controller runs the web UI, API, and scheduler; an active-active cluster with a load balancer provides HA.
Private Automation Hub
Automation mesh
A DevOps engineer is troubleshooting an Ansible Automation Platform deployment where ansible-navigator fails to run a playbook, showing the error 'Error: Unable to pull execution environment image'. The ansible-navigator configuration file is shown in the exhibit. Which change should the engineer make to resolve the issue?
Set 'mode' to 'interactive' instead of 'stdout'
Change the execution-environment image to 'registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel8:latest'
Change 'pull policy' from 'missing' to 'always'
Setting policy to 'always' forces a pull attempt each time, which can resolve pull failures due to missing or outdated images.
Set 'playbook-artifact enable' to 'true'
Which TWO statements are true about deploying Red Hat Ansible Automation Platform using the automation mesh?
Execution nodes can be located in different geographic regions.
Automation mesh supports distributed execution across multiple sites.
Existing Ansible Tower nodes can be added to the mesh without modification.
Automation mesh requires two separate ports for control and data plane traffic.
The mesh topology is organized as a parent/child relationship between nodes.
Nodes are defined as parents and children, forming a tree-like structure.
All execution nodes must have direct network access to the automation controller.
A systems administrator is deploying Ansible Automation Platform 2.4 using the provided setup script. The installation fails with the error shown in the exhibit. Based on the exhibit, what is the most likely cause of the failure?
The installer requires a local PostgreSQL database; using a remote database is not supported.
The database password specified in setup.sh does not match the actual PostgreSQL password.
SELinux is blocking the ansible-navigator process from reaching the database.
The PostgreSQL service is not running on the database server.
The error 'Connection refused' indicates the PostgreSQL server is not listening on the specified host/port.
A company is deploying Red Hat Ansible Automation Platform 2.3 in a hybrid cloud environment. The automation controller is installed on a RHEL 8 server in the on-premises data center. Execution nodes are distributed: four in the same data center, two in a remote branch office connected via VPN, and three in AWS EC2 instances. The VPN connection to the branch office is low-bandwidth and high-latency. The AWS nodes use a direct connect with stable bandwidth. During initial testing, playbooks running on the branch office execution nodes frequently timeout or hang, while on-premises and AWS nodes work fine. The automation mesh topology is configured with all nodes as direct children of the controller. The team wants to minimize latency and ensure reliable execution for the branch office nodes. Which course of action should the administrator take?
Deploy an additional automation mesh node in the branch office and make the branch office execution nodes children of that node.
A local mesh node reduces WAN traffic by caching playbook artifacts and handling control plane communication locally.
Configure the controller to use the AWS execution nodes for all branch office jobs via a proxy.
Increase the `ansible_timeout` setting in the controller configuration to 120 seconds.
Reduce the forks value for branch office execution nodes to 1.
Which TWO statements are true regarding the deployment of Ansible Automation Platform in a highly available configuration?
The automation hub requires an external PostgreSQL database to store collections and execution environments.
Execution nodes must have direct network access to the automation controller database.
The automation controller requires a PostgreSQL database that must be configured with replication for high availability.
Correct: A highly available automation controller requires a highly available PostgreSQL database.
The automation controller can use an embedded SQLite database for production deployments.
The automation mesh component is used to provide resilient, fault-tolerant execution across multiple nodes.
Correct: The mesh enables distributed execution and can handle node failures.
An administrator needs to store a secret API token in Ansible Automation Controller so that it can be used in job templates without exposing the token in plain text. Which type of credential should be used?
Vault credential
Machine credential
Machine credentials can store SSH keys or passwords, but not API tokens directly; however, the token can be stored as a custom credential type or secret. This is the closest built-in type.
Network credential
Cloud credential
A team uses Ansible Automation Controller with multiple organizations. Each organization has its own set of machines that require different SSH keys. The administrator wants to ensure that users from one organization cannot use credentials from another organization. What is the best way to achieve this isolation?
Create credentials within each organization and assign organization-level access
Credentials belong to an organization, and users from other organizations cannot see them.
Store credentials in separate projects and restrict project access
Set 'Use' permission on credentials only for specific users
Place users in different teams and restrict credential access by team
An Ansible playbook uses the `ansible_password` variable to connect to a Windows host. The value is stored in an encrypted Ansible Vault file. Which credential type in Automation Controller would allow the vault password to be supplied at runtime?
Cloud credential
Machine credential
Vault credential
Vault credentials provide the vault password to decrypt vault-encrypted files.
Network credential
An administrator wants to create a custom credential type to store a third-party API key. The API key must be passed to the playbook as an environment variable `MY_API_KEY`. What is the correct Injector configuration in the custom credential type definition?
file: {MY_API_KEY: "{{ api_key }}"}
env: {"MY_API_KEY": api_key}
extra_vars: {MY_API_KEY: "{{ api_key }}"}
env: {MY_API_KEY: "{{ api_key }}"}
The env dictionary maps credential inputs to environment variables.
A junior admin is troubleshooting why a job template fails with 'Permission denied' when connecting to a target host. The job template uses a machine credential that appears correct. What is the first thing to check?
Verify the inventory contains the correct host IP
Check the credential's username and private key / password
The error suggests the credentials are not accepted by the target host.
Check the vault credential used in the job template
Check the project sync status
Which TWO of the following are valid methods to supply a credential password in Ansible Automation Controller?
Prompt on launch (ask for credential on job run)
This allows manual entry at runtime.
Set the password via an environment variable in the job template
Include the password in a file in the project repository
Store the password in plain text in the credential definition
Use a Vault credential to decrypt vault-encoded password
The vault credential provides the vault password to decrypt the actual password stored in a vault file.
A systems administrator needs to run a playbook that installs packages on a group of managed nodes. The playbook should run only on nodes that are part of the 'web_servers' group in the inventory. Which approach is best practice?
Set 'hosts: web_servers' in the play.
Directly targeting the group is the simplest and most readable approach.
Set 'hosts: all' and use '--limit web_servers' when running ansible-playbook.
Set 'hosts: localhost' and delegate tasks to web_servers.
Set 'hosts: all' and use a 'when' condition to check if the node is in the web_servers group.
A team is writing an Ansible role to configure a web server. They want to include default variables that can be easily overridden by playbook variables. Which directory and file should they use to define these variables?
vars/defaults.yml
defaults/main.yml
This file contains variables with the lowest precedence, allowing easy override.
default_vars/main.yml
vars/main.yml
During a playbook execution, a task that uses the 'ansible.builtin.copy' module fails with 'Permission denied' on a remote host. The playbook runs as user 'ansible' which is a sudoer without password. Which of the following is the most likely cause and solution?
The remote path does not exist. Use 'remote_src: yes' to copy from remote.
The local source file is not readable by the user running ansible-playbook. Change permissions on the source file.
The task lacks 'become: yes' but has 'become_user: root'. Add 'become: yes' to the task.
Without 'become: yes', become_user is ignored; adding 'become: yes' enables privilege escalation.
The remote file is owned by root and the destination directory is not writable by ansible. Use 'become: yes' and set 'owner: ansible'.
Which TWO statements about Ansible roles are true?
A role can include tasks, handlers, variables, templates, and files.
Roles organize these components in a standard structure.
Roles are defined directly inside a playbook using the 'roles' keyword.
Roles can be reused across multiple playbooks.
Roles are designed for reusability.
Roles can only be invoked using the 'include_role' module.
Variables defined in a role's vars/main.yml cannot be overridden by playbook variables.
Which THREE are valid methods to control task execution in Ansible?
Using the 'when' conditional
'when' controls task execution based on conditions.
Using 'block' to group tasks for error handling
Block with rescue/always controls execution flow on errors.
Using 'register' to store task output
Using 'loop' to iterate over a list
Loop repeats a task for each item in a list.
Using the 'with_items' loop
Refer to the exhibit. The playbook runs successfully. What will the debug task output?
Just the username 'jdoe'.
A dictionary with details about the user, such as uid, gid, and groups.
The user module returns a dictionary with user attributes.
The entire playbook YAML structure.
The string 'true' if the user was created successfully.
A company uses Ansible to manage rolling updates of a web server fleet. During a deployment, the playbook fails on one host due to a transient network error, and the rest of the fleet is left in an inconsistent state. Which strategy would best minimize the risk of inconsistency in future rolling updates?
Add retries to each task so transient errors are automatically retried.
Use a larger serial batch size to complete the rollout faster.
Set ignore_errors: yes on all tasks to continue despite failures.
Set max_fail_percentage to 0 in the serial block to abort the rollout on any failure.
max_fail_percentage aborts the playbook if failure rate exceeds threshold, preventing inconsistency.
An operations team is designing a rolling update for a stateful application that requires quorum (minimum 3 out of 5 nodes online). They plan to use Ansible's serial keyword. Which serial value ensures the update proceeds without breaking quorum while still being efficient?
serial: 2
Updating 2 nodes leaves 3 online, maintaining quorum, and is efficient.
serial: 1
serial: 3
serial: 5
Which TWO options are best practices for coordinating rolling updates with Ansible? (Choose exactly two.)
Set ignore_errors: yes to ensure the playbook continues even if some hosts fail.
Use the serial keyword to update hosts in batches.
serial enables batching, which is the core of rolling updates.
Use the default serial setting (all hosts) for simplicity.
Set max_fail_percentage to limit the number of failed hosts before aborting.
max_fail_percentage provides a safety threshold to abort on excessive failures.
Run all hosts in parallel to minimize total update time.
Refer to the exhibit. The playbook uses serial: 1 (one host at a time). The update failed on web3.example.com. Based on the output, what is the most likely reason the play did not abort the rollout and how should the playbook be modified to stop on failure?
Add retries: 3 to the 'Update Apache config' task.
Set ignore_errors: yes on the 'Update Apache config' task.
Add max_fail_percentage: 0 to the play to abort on any failure.
max_fail_percentage: 0 aborts the play if any host fails, preventing inconsistent state.
Increase the serial value to update multiple hosts at once.
You are managing a rolling update of a 10-node web application cluster using Ansible. The application requires that at least 8 nodes remain available during the update to handle traffic. You have written a playbook that uses serial: 2 (updates 2 nodes at a time). During a test run, the playbook updates the first batch of 2 nodes successfully, but when it proceeds to the second batch, one of the nodes fails to restart the web service. However, the playbook continues and updates the remaining nodes. At the end, only 7 nodes are healthy, causing performance degradation. You need to ensure that if a batch fails to meet the minimum health requirements, the entire rollout is stopped and no further updates are applied. Which course of action should you take?
Add a retry loop to the service restart task with a delay and count of 5.
Set ignore_errors: yes on the service restart task to avoid failures stopping the playbook.
Use the 'throttle' keyword with a rolling update strategy that includes a post-task health check and set max_fail_percentage to a value that aborts if the healthy node count drops below 8.
throttle and max_fail_percentage combined can enforce health thresholds and abort the rollout when conditions are not met.
Increase serial to 3 to complete the update faster and reduce the chance of node failures.
An Ansible Engineer is planning a rolling update for a web application deployed across 10 nodes. The playbook uses the 'delegate_to' directive to manage load balancer health checks. Which of the following best describes the recommended approach to minimize downtime?
Use 'serial: 1' and delegate load balancer disable/enable tasks to localhost, ensuring each node is taken out of rotation before updating.
This ensures each node is removed from the load balancer, updated, and then re-added, minimizing downtime.
Run the update playbook with 'serial: 10' to update all nodes at once, then run a separate playbook to update the load balancer.
Run the update on each node manually using 'ansible-playbook --limit' and skip load balancer management to save time.
Use 'strategy: free' to allow nodes to update independently without controlling the load balancer.
An Ansible playbook needs to extract the first line from a multi-line string variable 'output' and store it in a new variable 'first_line'. Which filter should be used?
{{ output | lines | first }}
{{ output | split(' ') | first }}
Correct: split into lines then take first.
{{ output | first }}
{{ output | head(1) }}
A playbook uses the 'uri' module to query an API and registers the result. The API returns a JSON with a nested field 'data.users[0].name'. Which expression correctly extracts that name?
{{ result | json_query('data.users.0.name') }}
{{ result | json_query("data.users[0].name") }}
{{ result.data.users[0].name }}
{{ result | json_query('data.users[0].name') }}
Correct JMESPath expression.
A team is migrating from static inventory to dynamic inventory using a custom script. The script returns JSON with a group 'webservers' containing hosts. However, the playbook targeting 'webservers' fails with 'no hosts matched'. Which filter or plugin issue is most likely?
The playbook uses 'hosts: all' but should use 'hosts: webservers'.
The script is not executable.
The 'ansible_host' variable is not set in hostvars.
The script output is missing the '_meta' key with 'hostvars'.
Dynamic inventory scripts require _meta structure; without it, Ansible may not recognize hosts.
A playbook needs to set a fact 'total_memory' by summing the 'memory_mb' values from a list of servers. Which filter should be used?
{{ servers | map(attribute='memory_mb') | sum }}
Correct: map attribute then sum.
{{ servers | map('memory_mb') | sum }}
{{ servers | sum }}
{{ servers | sum(attribute='memory_mb') }}
A playbook uses the 'debug' module to print a variable 'myvar' which is a list of dictionaries. The output shows 'VARIABLE IS UNDEFINED' despite the variable being defined earlier. Which filter issue is most likely?
The debug task uses 'var: myvar' instead of 'msg: "{{ myvar }}"'.
The playbook uses 'set_fact' with quotes around the variable name.
The variable contains a fact that is only available on the control node.
The variable is defined in a role but the playbook uses include_role incorrectly.
If the variable is defined inside a role but not exposed to the play, it will be undefined.
Which TWO filters are used to transform data types in Ansible?
list
bool
Converts to boolean.
float
string
int
Converts to integer.
An automation team is designing a content collection to distribute internal Ansible modules across the organization. The collection should be installed from a private Galaxy server. To minimize namespace conflicts and ensure discoverability, which naming convention should be used for the collection?
collection_name.namespace
namespace_collection_name
namespace-collection_name
namespace.collection_name
Standard Ansible Galaxy naming convention for collections.
When building an execution environment with ansible-builder, a developer notices that the build process fails with an error about missing dependencies. The developer wants to ensure all required Python packages are installed in the execution environment. Which file should be used to specify additional Python packages?
meta/runtime.yml
galaxy.yml
bindep.txt
requirements.txt
Standard file for Python dependencies in execution environments.
A system administrator wants to publish a custom Ansible collection to a private Automation Hub. What is the correct command to build the collection before publishing?
ansible-galaxy collection init mycollection
ansible-galaxy collection publish ./mycollection-1.0.0.tar.gz
ansible-galaxy collection install .
ansible-galaxy collection build
Builds a collection tarball from the current directory.
An organization uses custom Ansible plugins stored in a collection. A junior admin reports that after updating the collection to version 2.0.0, a playbook that uses a custom filter plugin fails with 'undefined filter'. What is the most likely cause?
The playbook uses an outdated syntax that is incompatible with the new collection.
The filter plugin was placed in the wrong directory inside the collection.
Filter plugins must reside in plugins/filter/ directory.
The playbook does not use the fully qualified collection name (FQCN) for the filter.
The collection's metadata file galaxy.yml is missing a dependency declaration.
A DevOps engineer is creating an execution environment for a team that needs both Ansible and the 'requests' Python library. The engineer creates an execution environment definition file (EE.yml) with the following content:
---
version: 3
images:
  base_image:
    name: registry.redhat.io/ansible-automation-platform-22/ee-minimal-rhel8:latest
options:
  package_manager_path: /usr/bin/microdnf
dependencies:
  python: requirements.txt
  system: bindep.txt
What is missing from this definition to ensure the 'requests' library is installed?
The package_manager_path should be /usr/bin/yum.
The requirements.txt file must contain 'requests'.
The requirements.txt file is referenced but the content is not shown; it must list requests.
The galaxy.yml file must be added to the dependencies section.
The base image should be ee-supported-rhel8 instead.
Which TWO statements about Ansible content collections are correct?
Collections can be installed only from Galaxy.
The collection name must be a single word without namespace.
Collections can be distributed via Automation Hub or Galaxy.
Both are valid distribution platforms for collections.
A collection can contain only roles and playbooks.
A collection must have a galaxy.yml file in its root directory.
galaxy.yml is required for metadata.
An Ansible playbook fails intermittently when deploying web servers. The error message indicates that a required package is not available in the repository. Which approach would best ensure that the required packages are consistently available before the playbook runs?
Set 'ignore_errors: yes' on the package installation task and handle the failure later.
Add retries and delay to the package installation task.
Add a pre_task to run 'dnf update' or 'apt update' before the package installation.
Updating the repository cache ensures the latest package metadata is available.
Use the 'get_url' module to download the package from an external source and install it manually.
An administrator wants to reuse a set of tasks that configure a firewall across multiple playbooks. Which Ansible feature should be used to achieve this?
Create a role for firewall configuration.
Roles are the standard way to package reusable content.
Add the tasks to the inventory file under a group.
Define the tasks in a vars file and include it.
Define the tasks as handlers and notify them.
A playbook uses the 'include_tasks' module to dynamically include tasks based on a variable. The playbook runs successfully on some hosts but fails on others with a 'template error' message. What is the most likely cause?
The included task file does not exist on the control node.
The variable used in the 'include_tasks' path has a Jinja2 template error.
Template errors occur when Jinja2 syntax is invalid.
The included task file has incorrect permissions.
The included tasks contain a syntax error.
An Ansible playbook is designed to run on a group of database servers. The administrator wants to ensure that a task runs only on the primary database server, which is defined in the inventory with a variable 'primary: true'. Which conditional should be used?
ignore_errors: yes
when: primary
The when clause evaluates to true if the variable is truthy.
run_once: true
delegate_to: "{{ primary }}"
A playbook uses the 'block' and 'rescue' keywords to handle errors. The block contains three tasks. The first task fails. What happens next?
The rescue section runs and retries the failed task.
The rescue section runs immediately after the failure.
Rescue is executed when any task in the block fails.
The playbook fails with an error message.
The remaining tasks in the block run, then the rescue section runs.
An administrator needs to securely pass a database password to a playbook without exposing it in logs or the command line. Which approach is the most secure?
Store the password in an Ansible Vault-encrypted variable file and include it.
Vault encrypts the data, and the vault password is prompted or provided via a vault password file.
Set the password in a variable and use 'no_log: true' on tasks that use it.
Store the password in a host_vars file with restricted file permissions.
Prompt for the password and pass it as an extra variable using -e.
An Ansible automation controller job template uses a custom credential type that requires a secret token. The token is stored as an extra variable in the job template definition. A security audit reveals the token is visible in plaintext in the job output. Which action should the administrator take to secure the secret?
Define the variable in the job template's 'extra variables' field with 'no_log: true' set in the playbook for that variable.
Setting no_log on the variable prevents it from being displayed in logs and job output, meeting the security requirement.
Vault-encrypt the variable in the playbook and reference it with {{ vault_var }}.
Create a custom credential type that injects the token as an environment variable, and remove the extra variable from the job template.
Store the token in a file on the controller with 600 permissions and use 'lookup' in the playbook.
A Red Hat Ansible Automation Platform deployment uses automation mesh to manage remote nodes across a high-latency WAN. An administrator notices that some job runs fail intermittently due to connection timeouts. The administrator wants to improve reliability without changing network infrastructure. Which configuration change is most effective?
Increase the 'timeout' value in the [defaults] section of ansible.cfg to 60 seconds.
This extends the connection timeout, accommodating high-latency links.
Increase the 'retries' parameter for each task.
Increase the 'forks' value in ansible.cfg to 50.
Set 'async: 600' and 'poll: 10' in the playbook.
An organization requires that all Ansible playbooks be executed using a specific service account that has limited permissions. The account can only run playbooks from a specific directory. Which approach best enforces this requirement in automation controller?
Use an inventory that contains only the allowed hosts.
Configure an execution environment that mounts the authorized directory as read-only.
Create a project that syncs only the authorized directory, and assign the service account as the only user with execute permissions on that project.
Projects control source of playbooks; RBAC can restrict execution to that project.
Assign the service account a machine credential that connects to the controller via SSH.
A managed node is not responding to Ansible automation. The administrator verifies that the node is reachable via SSH and that the SSH key is correctly deployed. However, 'ansible all -m ping' fails with 'UNREACHABLE'. The automation controller uses a custom execution environment. What is the most likely cause?
The SSH private key has incorrect permissions on the controller.
The remote user specified in the credential does not have sudo access.
The custom execution environment is missing the 'python3' or 'python' package.
Ansible requires Python on the control node (execution environment) to execute modules; missing Python causes unreachable errors.
The automation controller is behind a firewall that blocks SSH.
An Ansible playbook uses 'become: yes' to install packages. The playbook works when run manually by the administrator but fails when run from automation controller with 'Missing sudo password'. The administrator has configured a machine credential with the SSH key and the 'Become password' field is blank. What is the most likely issue?
The machine credential does not include the become password.
The become password must be supplied in the credential's 'Become password' field when the remote user requires a password for privilege escalation.
The become method is set to 'su' instead of 'sudo'.
The remote user is not in the sudoers file.
The SSH private key is not loaded into the automation controller.
An automation controller administrator must ensure that a playbook's output does not expose sensitive data. Which TWO actions should be taken? (Choose exactly two.)
Set 'no_log: true' on tasks that handle sensitive data.
This prevents the output of those tasks from being displayed.
Set 'stdout_callback = actionable' in ansible.cfg.
Use 'name: "Sensitive task"' but keep the task body visible.
Add 'display_args_to_stdout = false' to the execution environment's ansible.cfg.
This prevents task arguments from being displayed, which may contain sensitive values.
Use 'tags: never' on sensitive tasks.
The EX294 exam is performance-based — there are no multiple-choice questions. It is a hands-on lab exam completed within 240 minutes. You complete practical tasks in a live or simulated environment. Courseiva practice questions cover the underlying concepts.
Hands-on automation tasks using Ansible in a live RHEL environment.
The exam covers 8 domains: Deploy Ansible Automation Platform, Manage inventories and credentials, Manage task execution and roles, Coordinate rolling updates, Transform data with filters and plugins, Create content collections and execution environments, Implement advanced Ansible automation, Manage automation security and operations. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Red Hat EX294 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.