Red Hat Certified Engineer EX294 (EX294) — Questions 175

518 questions total · 7 pages · All types, answers revealed

1
MCQ · medium

Consider the task: `- debug: msg={{ item | upper }}` with `loop: "{{ ['a','b'] }}"`. What will be the output?

A. An error because upper expects a string, not a loop variable.
B. Two debug messages: 'a' and 'b'
C. Two debug messages: 'A' and 'B'
D. One debug message with the list ['A','B']
Answer: C

Correct; each item is uppercased and printed separately.

Why this answer

Option C is correct because the `upper` filter in Ansible converts each string item in the loop to uppercase. The `loop` directive iterates over the list `['a','b']`, and for each iteration, the `{{ item | upper }}` expression applies the `upper` filter to the current item, resulting in `'A'` and `'B'`. The `debug` module then prints each transformed value as a separate message.

Exam trap

The trap here is that candidates may overlook the fact that the `upper` filter is applied to each item individually within the loop, leading them to think the output remains lowercase (Option B) or that the filter fails on a loop variable (Option A).

How to eliminate wrong answers

Option A is wrong because the `upper` filter in Ansible is designed to work with strings, and `item` in a loop is a scalar value (a string in this case), not a list; the filter correctly converts each string to uppercase. Option B is wrong because it ignores the effect of the `upper` filter, which transforms the items to uppercase before output. Option D is wrong because the `loop` directive causes the `debug` module to execute once per item, producing two separate messages, not a single message containing a list.

2
MCQ · hard

An organization uses a private Git repository to store Ansible content collections. They want to automate the building of execution environments that include these collections. Which approach is recommended?

A. Store the collection tarball in a Git LFS and use an ADD command in the base image.
B. Add the Git repository as a source in the execution-environment.yml using the 'git' type.
C. Use ansible-builder to clone the repository during build with a pre-build script.
D. Build the collection manually, publish it to a private Automation Hub, then reference it in the EE.
Answer: D

Publishing to Automation Hub is the standard method for managing collections in execution environments.

Why this answer

Option D is correct because the recommended workflow for including private collections in an execution environment is to build the collection, publish it to a private Automation Hub, and then reference it in the `execution-environment.yml` file. This ensures the collection is available as a signed, versioned artifact that `ansible-builder` can pull during the build process, maintaining integrity and reproducibility without exposing Git credentials or requiring network access during build.

Exam trap

The trap here is that candidates assume Git repositories can be directly referenced in the execution environment definition file, but the EX294 exam expects you to know that only Galaxy or Automation Hub sources are valid, and that private collections must be published to a private Automation Hub first.

How to eliminate wrong answers

Option A is wrong because Git LFS stores large files, not tarballs of collections, and using an ADD command in a Containerfile bypasses the dependency resolution and signing provided by Automation Hub, leading to potential version mismatches. Option B is wrong because the `execution-environment.yml` file does not support a 'git' type source; it only supports 'galaxy' or 'automation_hub' types for pulling collections from a Galaxy server or Automation Hub. Option C is wrong because `ansible-builder` does not support pre-build scripts that clone repositories; it builds execution environments from a definition file and expects collections to be available from a configured Galaxy or Automation Hub source, not from arbitrary Git clones.

3
MCQ · hard

A DevOps engineer is designing a dynamic inventory script for a cloud provider. The script must return host variables in a specific JSON format. According to Ansible best practices, which top-level keys should be present in the script output?

A. Group names as keys, each containing 'hosts' and 'vars'
B. all, groups, hosts
C. List of host objects
D. inventory, hosts, vars
Answer: A

Required format for dynamic inventory output.

Why this answer

Ansible dynamic inventory scripts must return JSON with group names as top-level keys, each containing 'hosts' (a list of hostnames) and optionally 'vars' (dictionary of group variables). This structure allows Ansible to map hosts to groups and apply group-level variables, which is essential for inventory organization and playbook targeting. Option A correctly describes this required format per Ansible best practices.

Exam trap

The trap here is that candidates confuse the dynamic inventory JSON schema with the structure of an Ansible inventory file (INI or YAML) or with the output of the 'ansible-inventory' command, leading them to select options like 'all, groups, hosts' or 'inventory, hosts, vars' instead of recognizing that group names must be the top-level keys.

How to eliminate wrong answers

Option B is wrong because 'all', 'groups', and 'hosts' are not the required top-level keys; 'all' is a default group in Ansible but not a mandatory key in the script output, and 'groups' and 'hosts' are not valid top-level keys for the inventory JSON structure. Option C is wrong because a list of host objects does not provide the group-based hierarchy Ansible expects; the script must return a dictionary with group names as keys, not a flat list. Option D is wrong because 'inventory', 'hosts', and 'vars' are not the correct top-level keys; the inventory script output must use group names as keys, and 'inventory' is not a recognized key in the dynamic inventory JSON schema.

4
MCQ · medium

An Ansible playbook includes multiple roles. The administrator wants to ensure that a specific role's tasks are executed before any other roles, even if the roles are listed in a different order in the playbook. Which approach should be used?

A. Use the 'any_errors_fatal' setting.
B. Use role dependencies with 'allow_duplicates: no'.
C. Set the 'order' parameter in the role definition.
D. Use the 'pre_tasks' section in the playbook to call the role.
Answer: D

pre_tasks run before any roles, guaranteeing execution order.

Why this answer

Option B is correct because pre_tasks run before any roles, ensuring ordering. Option A (any_errors_fatal) is for error handling, not ordering. Option C (role dependencies) can enforce order but not as straightforward as pre_tasks.

Option D is not a valid parameter.

5
MCQ · easy

An Ansible Tower administrator wants to allow a team to run playbooks against a set of production web servers without giving them direct SSH access to the hosts. Which inventory configuration approach should be used?

A. Use the ad hoc inventory feature to specify hosts at launch time
B. Define a group variable for production web servers in the inventory
C. Create a static inventory and add each web server manually
D. Create a smart inventory and use the 'prod_web' tag to filter hosts
Answer: D

Smart inventories dynamically filter hosts based on criteria like tags, enabling automatic grouping.

Why this answer

Smart inventories in Ansible Tower allow you to define a dynamic set of hosts based on a filter, such as a tag (e.g., 'prod_web'). This enables the team to run playbooks against production web servers without granting them direct SSH access to the hosts, as Tower manages the SSH connections centrally using its own credentials.

Exam trap

The trap here is that candidates often confuse smart inventories with static inventories or group variables, failing to recognize that smart inventories are the only option that provides dynamic, tag-based host filtering without requiring direct SSH access.

How to eliminate wrong answers

Option A is wrong because the ad hoc inventory feature is used for one-off, temporary host lists at launch time, not for persistent, tag-based filtering of production web servers. Option B is wrong because defining a group variable for production web servers does not restrict access or filter hosts dynamically; it only sets variables for that group. Option C is wrong because creating a static inventory and adding each web server manually is not scalable and does not leverage Tower's dynamic filtering capabilities to control access without direct SSH.

6
MCQ · easy

Based on the exhibit, which file is generated by `ansible-builder` to support the build?

A. requirements.yml
B. execution-environment.yml
C. Containerfile
D. ansible.cfg
Answer: C

`ansible-builder` generates a Containerfile from the definition.

Why this answer

The `ansible-builder` tool uses a definition file (typically `execution-environment.yml`) to construct a container image. During the build process, it generates a `Containerfile` (or `Dockerfile`) that contains the exact instructions for building the container image, such as base image selection, package installation, and collection inclusion. This generated file is the actual artifact that the container runtime (e.g., Podman or Docker) uses to create the execution environment image.

Exam trap

Red Hat often tests the distinction between the input definition file (`execution-environment.yml`) and the output build artifact (`Containerfile`), causing candidates to mistakenly select the input file as the generated output.

How to eliminate wrong answers

Option A is wrong because `requirements.yml` is an input file used to specify Ansible collections or Python dependencies for an execution environment, not a file generated by `ansible-builder` during the build process. Option B is wrong because `execution-environment.yml` is the definition file that you provide to `ansible-builder` as input, describing the base image, dependencies, and other settings; it is not generated by the tool. Option D is wrong because `ansible.cfg` is a configuration file for Ansible itself, controlling settings like inventory, roles path, and connection parameters, and it has no direct role in the `ansible-builder` build process.

7
MCQ · medium

An administrator uses a rolling update strategy with serial: 3 and max_fail_percentage: 20. They have 10 hosts in the inventory. The first batch of 3 hosts: 2 succeed, 1 fails. What happens next?

A. The playbook continues with the next batch of 3 hosts.
B. The playbook retries the failed host, then continues.
C. The playbook marks the failed host as unreachable and continues.
D. The playbook aborts and no further hosts are updated.
Answer: D

Correct. The failure percentage in the batch exceeded max_fail_percentage.

Why this answer

Option D is correct because when `max_fail_percentage` is set to 20% and the inventory has 10 hosts, the maximum allowed failures across the entire play is 2 hosts (20% of 10 = 2). In the first batch of 3 hosts, 1 failure already occurred. If the playbook continued and another failure happened in a subsequent batch, the total failures would exceed 2, violating the `max_fail_percentage` constraint.

Ansible's rolling update logic aborts the entire play immediately when a failure occurs in a batch if the cumulative failures would exceed the allowed percentage, preventing further updates.

Exam trap

The trap here is that candidates mistakenly think `max_fail_percentage` applies per batch rather than to the total inventory, leading them to believe the playbook can continue with the next batch since only 1 of 3 hosts failed in the first batch.

How to eliminate wrong answers

Option A is wrong because continuing with the next batch would risk exceeding the `max_fail_percentage` of 20% (2 failures allowed out of 10 hosts) since 1 failure has already occurred and any additional failure would push the total to 2 or more, which is not permitted. Option B is wrong because Ansible does not automatically retry failed hosts in a rolling update; it aborts the play when the failure threshold is reached, and retrying would not change the fact that the failure count already consumes half of the allowed failures. Option C is wrong because marking the host as unreachable does not resolve the failure count; the `max_fail_percentage` is based on actual failures, not reachability status, and the playbook still aborts to prevent exceeding the threshold.

8
MCQ · hard

Refer to the exhibit. The administrator observes the output and is concerned because the 'Check on async job' task shows 'finished: 0'. What does this indicate?

A. The async job was not started.
B. The async job failed.
C. The async job has completed successfully.
D. The async job is still running.
Answer: D

finished: 0 means the job is still in progress.

Why this answer

Option B is correct. finished: 0 means the job is still running. finished: 1 would indicate completion.

9
MCQ · medium

A role contains a handler. The playbook includes the role and also defines a task that notifies the same handler. When the playbook runs, the handler executes only once. Which of the following best explains this behavior?

A. the handler was already triggered by the role and is skipped for the play task
B. handlers are deduplicated by name; multiple notifications trigger the handler only once per play
C. the role's handler uses 'listen' which overrides notifications
D. the playbook's task notifies a different handler with the same name
Answer: B

Correct: Ansible ensures handlers execute once even if notified multiple times.

Why this answer

Option A is correct because Ansible deduplicates notifications by handler name. Option B is false (handler runs once regardless). Options C and D are incorrect.

10
MCQ · hard

An administrator is designing a role that needs to execute a set of tasks conditionally based on whether a package is installed. Which approach is best practice?

A. Use the stat module to check package file existence
B. Use the command module to check package status
C. Use ansible_facts.packages
D. Use the package_facts module
Answer: D

package_facts gathers installed package information and is designed for this purpose.

Why this answer

Using the package_facts module to gather package information and then using a when condition based on the facts is the best practice because it is idempotent and does not rely on running commands.

11
MCQ · easy

An administrator needs to apply a set of firewall rules to multiple servers. They have created a playbook that uses the firewalld module. When running the playbook, they receive 'ERROR! module not found: firewalld'. The control node has the module available locally. What is the most likely cause?

A. The playbook uses the wrong module name.
B. The ansible.posix collection is not installed on the control node.
C. The ansible.cfg has a wrong module path.
D. The module is not installed on the target nodes.
Answer: B

The module resides in ansible.posix, which needs to be installed.

Why this answer

Option D is correct because firewalld is part of the ansible.posix collection, which must be installed. Option A is not the cause because modules run on the control node. Option B is plausible but less likely if the collection is missing.

Option C is wrong because the module name is correct.

12
MCQ · hard

A company manages its infrastructure using Ansible Tower. There are two teams: Team Alpha manages web servers in the 'webservers' group, and Team Beta manages database servers in the 'dbservers' group. Both teams need to use the same SSH credential to connect to their respective servers. The credential is stored in Tower as 'shared_ssh_key'. Team Alpha reports that they can launch jobs against the 'webservers' group, but Team Beta gets an error when trying to launch jobs against the 'dbservers' group: 'You do not have permission to use this credential.' Both teams are members of the same organization. The inventory is a single inventory source with separate groups. The credential has been assigned to the organization. What is the most likely cause of Team Beta's issue, and what is the correct solution?

A. Grant Team Beta the 'Use' role on the credential 'shared_ssh_key'.
B. Create a new credential with the same SSH key and assign it to Team Beta.
C. Assign the credential to the dbservers group in the inventory.
D. Move the credential from the organization to the project level.
Answer: A

Explicit 'Use' permission allows Team Beta to use the credential in jobs.

Why this answer

In Ansible Tower, credentials are assigned to an organization, but users or teams must be explicitly granted the 'Use' role on a credential to be able to use it in a job template. Team Alpha can use the credential because they likely have the 'Use' role, while Team Beta does not. Granting Team Beta the 'Use' role on 'shared_ssh_key' resolves the permission error.

Exam trap

The trap here is that candidates assume assigning a credential to an organization automatically grants all members the right to use it, but Tower requires explicit 'Use' role assignment for each team or user.

How to eliminate wrong answers

Option B is wrong because creating a duplicate credential violates the principle of least privilege and adds unnecessary management overhead; the existing credential can be shared by granting the 'Use' role. Option C is wrong because credentials are not assigned to inventory groups in Tower; they are assigned to organizations, projects, or job templates, and the error is about credential permissions, not inventory group assignments. Option D is wrong because moving the credential to the project level does not change the fact that Team Beta lacks the 'Use' role; the credential would still require explicit role assignment for the team to use it.

13
Multi-Select · easy

Which TWO statements are true regarding the deployment of Ansible Automation Platform in a highly available configuration?

Select 2 answers
A. The automation hub requires an external PostgreSQL database to store collections and execution environments.
B. Execution nodes must have direct network access to the automation controller database.
C. The automation controller requires a PostgreSQL database that must be configured with replication for high availability.
D. The automation controller can use an embedded SQLite database for production deployments.
E. The automation mesh component is used to provide resilient, fault-tolerant execution across multiple nodes.
Answers: C, E

Correct: A highly available automation controller requires a highly available PostgreSQL database.

Why this answer

Option C is correct because the automation controller in Ansible Automation Platform requires a PostgreSQL database, and for high availability (HA), that database must be configured with replication (e.g., streaming replication or Patroni) to ensure failover and data durability. Without database replication, a single database instance becomes a single point of failure, defeating the purpose of an HA deployment.

Exam trap

The trap here is that candidates often confuse the storage backend for automation hub (thinking it requires an external database for content storage) or assume execution nodes need direct database access, when in reality the architecture separates database access to the controller and uses API-based communication for execution nodes.

14
MCQ · medium

An administrator needs to combine two dictionaries, `base_config` and `user_config`, where keys in `user_config` should override keys in `base_config`, and nested dictionaries should be merged recursively. Which filter syntax achieves this?

A. {{ base_config | combine(user_config, recursive=True) }}
B. {{ base_config | combine(user_config, deep=True) }}
C. {{ base_config | combine(user_config) }}
D. {{ base_config | combine(user_config, list_merge='replace') }}
Answer: A

Correctly enables recursive merge.

Why this answer

Option A is correct because the `combine` filter in Ansible with `recursive=True` merges two dictionaries, with `user_config` overriding `base_config`, and recursively merges nested dictionaries. This matches the requirement exactly, as `recursive=True` ensures that nested structures are combined rather than replaced outright.

Exam trap

The trap here is that candidates often confuse `recursive=True` with `deep=True` (which does not exist) or assume that the default `combine` behavior (shallow merge) is sufficient for nested dictionaries, leading them to pick option B or C.

How to eliminate wrong answers

Option B is wrong because `deep=True` is not a valid parameter for the `combine` filter; the correct parameter for recursive merging is `recursive=True`. Option C is wrong because using `combine` without any parameters performs a shallow merge, where nested dictionaries are replaced entirely by the `user_config` values, not merged recursively. Option D is wrong because `list_merge='replace'` controls how lists are merged (replacing the base list with the user list), but it does not enable recursive merging of nested dictionaries, so nested dicts would still be replaced.

15
Multi-Select · hard

Which THREE of the following are best practices for managing credentials in Ansible Automation Controller?

Select 3 answers
A. Avoid using external secret management systems; keep all secrets in Automation Controller
B. Share the same credential across multiple organizations for simplicity
C. Restrict credential 'Use' permissions to specific users or teams
D. Use custom credential types to store secrets for third-party APIs
E. Use Vault credentials to store and encrypt sensitive variables in playbooks
Answers: C, D, E

This ensures only authorized users can use the credential.

Why this answer

Option C is correct because Ansible Automation Controller's Role-Based Access Control (RBAC) allows administrators to assign granular 'Use' permissions to specific users or teams, ensuring that only authorized entities can leverage a credential for job runs. This prevents unauthorized access to sensitive secrets and aligns with the principle of least privilege, which is a core security best practice in automation environments.

Exam trap

The trap here is that candidates may think storing all secrets inside Automation Controller is safer than using an external vault, but Red Hat specifically recommends integrating with external secret managers for centralized control and rotation, making Option A a common misconception.

16
MCQ · hard

An execution environment is built using ansible-builder. The definition file includes a base image from registry.redhat.io. After building, the container runs but ansible-navigator can't find the EE. What is the most likely cause?

A. The EE was not pushed to a registry accessible by ansible-navigator.
B. ansible-navigator uses a different Python interpreter.
C. The base image is not compatible with the installed collections.
D. The EE was not tagged correctly.
Answer: A

ansible-navigator by default pulls EEs from a registry; a locally built EE must be pushed to a configured registry.

Why this answer

The most likely cause is that the execution environment (EE) was built locally but not pushed to a registry that `ansible-navigator` can access. By default, `ansible-navigator` pulls EEs from a container registry (e.g., `registry.redhat.io` or a private registry) specified in its configuration; it does not automatically discover locally built images. If the EE is only present in the local Docker/Podman store, `ansible-navigator` will fail to find it, resulting in a runtime error.

Exam trap

The trap here is that candidates assume `ansible-navigator` can use any locally built container image without pushing it to a registry, overlooking the default pull behavior that requires registry access.

How to eliminate wrong answers

Option B is wrong because `ansible-navigator` does not use a separate Python interpreter; it runs inside the EE container, inheriting the Python interpreter from the EE's base image. Option C is wrong because base image compatibility with collections is not the issue here — the EE was built successfully and runs, so the collections are compatible. Option D is wrong because tagging is a metadata issue that would affect image identification, not the fundamental ability of `ansible-navigator` to locate the EE; even a correctly tagged local image would still be invisible to `ansible-navigator` if not pushed to a registry.

17
MCQ · easy

An Ansible playbook is designed to run on a group of database servers. The administrator wants to ensure that a task runs only on the primary database server, which is defined in the inventory with a variable 'primary: true'. Which conditional should be used?

A. ignore_errors: yes
B. when: primary
C. run_once: true
D. delegate_to: "{{ primary }}"
Answer: B

The when clause evaluates to true if the variable is truthy.

Why this answer

Option B is correct because the `when` conditional in Ansible evaluates a Jinja2 expression to determine whether a task should execute. By using `when: primary`, the task will run only on hosts where the inventory variable `primary` is defined and evaluates to `true` (a truthy value). This directly meets the requirement to target the primary database server.

Exam trap

The trap here is that candidates confuse `run_once: true` with a conditional that selects a specific host, not realizing `run_once` merely limits execution to a single arbitrary host in the group, not the one defined by a variable like `primary: true`.

How to eliminate wrong answers

Option A is wrong because `ignore_errors: yes` does not control task execution based on a condition; it merely continues playbook execution if the task fails, which is irrelevant to targeting a specific host. Option C is wrong because `run_once: true` ensures a task runs only once across the entire batch of hosts (typically on the first host in the group), but it does not select a specific host based on a variable like `primary: true`; it could run on any host, not necessarily the primary. Option D is wrong because `delegate_to: "{{ primary }}"` attempts to delegate the task to a host named by the variable `primary`, but this is not a conditional; it changes the target host for execution and would fail if `primary` is not a valid hostname or group, and it does not evaluate a boolean variable.

18
MCQ · medium

During a rolling update using an Ansible playbook with serial: 2, one host in the first batch becomes unreachable. The playbook fails with an unreachable host error. How should the administrator proceed to complete the update on the remaining hosts while excluding the problematic host?

A. Use 'ansible-playbook playbook.yml --forks 1' to slow down the update.
B. Use 'ansible-playbook playbook.yml --limit all:!hostname' to exclude the unreachable host.
C. Add 'any_errors_fatal: false' to the playbook and rerun.
D. Rerun the playbook with the same command; it will skip the unreachable host automatically.
Answer: B

Correct. --limit can exclude the failed host using the '!' operator.

Why this answer

Option B is correct because the `--limit` flag with the pattern `all:!hostname` uses Ansible's inventory host pattern syntax to exclude a specific host from the playbook run. This allows the administrator to rerun the playbook against all hosts except the unreachable one, completing the rolling update without re-attempting the failed host. The `serial: 2` setting is irrelevant once the host is excluded, as the playbook will only target the remaining reachable hosts.

Exam trap

The trap here is that candidates assume Ansible automatically retries or skips unreachable hosts on subsequent runs, when in fact it will fail again unless the host is explicitly excluded using `--limit` or the connectivity issue is resolved.

How to eliminate wrong answers

Option A is wrong because `--forks 1` reduces the number of parallel connections to 1, which slows down execution but does not exclude the unreachable host; the playbook will still fail when it attempts to connect to that host. Option C is wrong because `any_errors_fatal: false` (the default) does not prevent failure from an unreachable host; unreachable hosts cause a fatal error regardless of this setting, and the playbook will still abort. Option D is wrong because Ansible does not automatically skip unreachable hosts on a rerun; the playbook will fail again on the same host unless it is explicitly excluded or the connectivity issue is resolved.

19
MCQ · easy

A DevOps engineer needs to extract the first 10 lines of a log file and store them in a variable for further processing. Which Ansible filter should be used?

A. regex
B. first
C. slice
D. head
Answer: D

head filter returns the first N lines of a string or list.

Why this answer

Option D is correct because the `head` filter in Ansible extracts the first N items from a list or string. In this scenario, using `head(10)` on the log file content (read via `lookup('file', ...)`) returns the first 10 lines, which can be stored in a variable for further processing. This filter is specifically designed for such truncation tasks.

Exam trap

The trap here is that candidates may confuse the `head` filter with the Linux `head` command or think a custom filter is needed, but Ansible provides this built-in filter specifically for list/string truncation, and the exam expects familiarity with its name and behavior.

How to eliminate wrong answers

Option A is wrong because the `regex` filter is used for pattern matching and extraction using regular expressions, not for selecting the first N lines of a file. Option B is wrong because there is no `first` filter in Ansible; the correct filter for this purpose is `head`. Option C is wrong because the `slice` filter extracts a contiguous subset of a list based on start and end indices, but it is not the idiomatic or simplest way to get the first 10 lines; `head` is the intended filter for this common task.

20
MCQ · easy

Which command publishes a collection to Automation Hub?

A. ansible-galaxy collection import ./namespace-name-1.0.0.tar.gz
B. ansible-galaxy collection upload ./namespace-name-1.0.0.tar.gz
C. ansible-galaxy collection push ./namespace-name-1.0.0.tar.gz
D. ansible-galaxy collection publish ./namespace-name-1.0.0.tar.gz --token MYTOKEN
Answer: D

'ansible-galaxy collection publish' with an API token is the correct way to publish.

Why this answer

Option D is correct because `ansible-galaxy collection publish` is the specific command used to upload a collection tarball to Automation Hub (or any Galaxy server). The `--token` flag provides the required API authentication token for the publish operation. This command sends the tarball to the server's API endpoint, which validates and imports the collection.

Exam trap

The trap here is that candidates confuse the `ansible-galaxy role push` command (used for roles) with the collection workflow, mistakenly assuming 'push' or 'upload' are valid for collections, when only `publish` is correct.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy collection import` is not a valid command; the correct command for importing a collection from a source (like a Git repository) is `ansible-galaxy collection build` followed by `publish`, and `import` is used for roles, not collections. Option B is wrong because `ansible-galaxy collection upload` does not exist; the verb 'upload' is not used in the Ansible Galaxy CLI for collections. Option C is wrong because `ansible-galaxy collection push` is not a valid subcommand; 'push' is used with `ansible-galaxy role` (e.g., `ansible-galaxy role push`), not for collections.

21
Drag & Drop · medium

Drag and drop the steps to configure a network bond (bond0) using nmcli in the correct order.

Why this order

Bonding: create bond, add slaves, set mode, activate, verify.

22
MCQhard

The job template running against host db1 uses a machine credential with an SSH key. The key is correctly configured in Automation Controller. However, the job fails with the error shown. What is the most likely cause?

A.The SSH public key corresponding to the private key is not installed on the target host
B.The vault password is incorrect
C.The SSH port is blocked by a firewall
D.The host's SSH host key has changed and the known_hosts file is outdated
AnswerA

Permission denied (publickey) indicates the key is not accepted.

Why this answer

The error indicates that Automation Controller cannot authenticate to host db1 using the SSH key. Since the key is correctly configured in the controller, the most likely cause is that the corresponding public key is not present in the target host's ~/.ssh/authorized_keys file. SSH key-based authentication requires the private key on the client (controller) and the public key installed on the target host; without the public key, the server rejects the connection attempt.

Exam trap

The trap here is that candidates often assume the SSH key error is due to network or firewall issues, but the specific 'Permission denied (publickey)' message points directly to a missing or mismatched public key on the target host, not connectivity or host key verification.

How to eliminate wrong answers

Option B is wrong because a vault password is used to decrypt encrypted variables or files, not for SSH authentication; an incorrect vault password would cause a decryption failure, not an SSH key authentication error. Option C is wrong because a blocked SSH port (default 22) would result in a connection timeout or 'Connection refused' error, not an authentication failure related to keys. Option D is wrong because an outdated known_hosts file causes a host key verification failure (e.g., 'REMOTE HOST IDENTIFICATION HAS CHANGED'), not an authentication error with the SSH key itself.

23
Multi-Selecthard

When using the 'uri' module to interact with a REST API in Ansible, which TWO of the following statements about error handling and response parsing are correct?

Select 2 answers
A.The 'follow_redirects' parameter must be set to 'all' to handle HTTP 4xx and 5xx errors gracefully.
B.To access the response body, use the 'body' key of the registered variable and then parse it with a filter like 'json_query'.
C.Use the 'status_code' parameter to define which HTTP response codes are considered successful.
D.The 'failed_when' condition can inspect the HTTP response before the request is sent.
E.The 'register' keyword automatically parses JSON responses into Ansible variables.
AnswersB, C

Correct: 'body' contains the raw response body as a string.

Why this answer

Option B is correct because when you register the result of a `uri` module call, the response body is stored under the `body` key of the registered variable. To extract or filter data from that JSON body, you can use the `json_query` filter (which relies on jmespath) to parse and query the JSON structure. This is the standard approach for accessing and manipulating API response data in Ansible.

Exam trap

Cisco often tests the misconception that `register` automatically parses JSON or that `failed_when` can run before the request, when in fact the registered variable is a raw dict and `failed_when` only evaluates after the HTTP transaction completes.

24
MCQmedium

You have a list `my_list` containing `[0, 1, 2, '', 'hello']`. You want to extract the first truthy element that exists. Which chain achieves this?

A.`my_list | select('truthy') | first | default('')`
B.`my_list | list | first | default('')`
C.`my_list | select('string') | first | default('')`
D.`my_list | first | default('')`
AnswerA

Correct; select truthy, then first, then default.

Why this answer

Option A is correct because `select('truthy')` filters the list to include only elements that evaluate to `true` in Ansible/Jinja2 (non-zero numbers, non-empty strings, etc.), and `first` returns the first such element. The `default('')` provides a fallback if no truthy element exists. This chain correctly extracts `1` from the list `[0, 1, 2, '', 'hello']`.

Exam trap

The trap here is that candidates may think `first` alone returns the first truthy element, but it actually returns the first element regardless of its truthiness, leading to a falsy result like `0` or `''`.

How to eliminate wrong answers

Option B is wrong because `list` is redundant (the input is already a list) and `first` without `select` returns the first element `0`, which is falsy, not the first truthy element. Option C is wrong because `select('string')` filters only elements that are strings, returning `''` and `'hello'`; `first` then returns `''`, which is falsy, not the first truthy element. Option D is wrong because `first` alone returns the first element `0`, which is falsy, and `default('')` only applies if the list is empty, not if the first element is falsy.

25
MCQmedium

A team is writing an Ansible role to configure a web server. They want to include default variables that can be easily overridden by playbook variables. Which directory and file should they use to define these variables?

A.vars/defaults.yml
B.defaults/main.yml
C.default_vars/main.yml
D.vars/main.yml
AnswerB

This file contains variables with the lowest precedence, allowing easy override.

Why this answer

In Ansible roles, default variables are defined in the `defaults/main.yml` file. These variables have the lowest precedence, meaning they can be easily overridden by playbook variables, inventory variables, or any other variable source with higher precedence. This design allows role authors to provide sensible defaults while giving users the flexibility to customize behavior without modifying the role itself.

Exam trap

The trap here is that candidates confuse the `defaults/` directory (lowest precedence) with the `vars/` directory (higher precedence), or they invent non-standard directory names like `default_vars/`, because the exam tests precise knowledge of the Ansible role directory structure and variable precedence rules.

How to eliminate wrong answers

Option A is wrong because `vars/defaults.yml` is not a standard Ansible role directory structure; Ansible expects default variables in a `defaults` directory, not a `vars` directory. Option C is wrong because `default_vars/main.yml` uses an incorrect directory name; the correct directory is `defaults`, not `default_vars`. Option D is wrong because `vars/main.yml` is used for role variables that have higher precedence and are not intended to be easily overridden by playbook variables; placing defaults in `vars/` would make them harder to override, defeating the purpose of easily overridable defaults.

26
MCQmedium

A playbook uses serial: 2 and sets any_errors_fatal: true. The first batch of 2 hosts both fail. What happens?

A.The playbook continues with the next batch.
B.The playbook aborts and no further batches run.
C.The playbook marks the batch as unreachable and continues.
D.The playbook retries the failed hosts.
AnswerB

any_errors_fatal stops execution on first failure.

Why this answer

Option A is correct because any_errors_fatal causes the play to abort on any failure when serial is used. Option B is wrong because fatal errors halt execution. Option C is wrong because there is no automatic retry.

Option D is wrong because it marks as unreachable but still aborts.

27
MCQmedium

An administrator wants to run a playbook that executes tasks in parallel across multiple hosts but wants to limit the number of simultaneous hosts to 5. Which directive should be set?

A.poll
B.serial
C.throttle
D.forks
AnswerB

serial: 5 limits the batch of hosts to 5 at a time.

Why this answer

The 'serial' keyword in a play controls how many hosts are processed at a time in a play. Setting 'serial: 5' ensures only 5 hosts run tasks concurrently.

28
Multi-Selecthard

Which two statements about ansible-vault are true? (Select exactly 2.)

Select 2 answers
A.Vault-encrypted files cannot be used with include_vars.
B.Vault can encrypt entire files or individual variables.
C.Vault uses AES-128 encryption by default.
D.Vault passwords can be stored directly in ansible.cfg.
E.Vault supports multiple passwords with vault IDs.
AnswersB, E

ansible-vault encrypts at file level; variable encryption requires specific syntax.

Why this answer

Options A and E are correct. ansible-vault can encrypt files or individual variables, and supports multiple passwords via vault IDs. Option B is false because AES-256 is used. Option C is false because vault passwords cannot be stored directly in ansible.cfg; only a path to a password file can.

Option D is false because vault-encrypted files can be used with include_vars when decrypted.

29
MCQmedium

Refer to the exhibit. The user ran ansible-navigator without specifying an inventory. What does the warning indicate about the target hosts?

A.The playbook ran against all hosts in the default inventory
B.The playbook used the implicit localhost but it does not match 'all', causing no tasks to run
C.The playbook only ran against localhost because no inventory was defined
D.The playbook failed because no hosts matched
AnswerC

Only implicit localhost was available.

Why this answer

When `ansible-navigator` runs without a specified inventory, it defaults to using the implicit localhost as the only target host. However, because no inventory is defined, the implicit localhost is not part of the `all` group, so the playbook's `hosts: all` directive matches no hosts, resulting in no tasks being executed. Option C correctly identifies that the playbook only targeted localhost (implicitly) but failed to run tasks due to the group mismatch.

Exam trap

Red Hat often tests the misconception that the implicit localhost is automatically included in the `all` group, causing candidates to think tasks will run when no inventory is provided, when in fact they will not execute.

How to eliminate wrong answers

Option A is wrong because without an inventory, there is no default inventory to run against; Ansible requires an explicit inventory file or directory to define hosts, and the implicit localhost is not part of any inventory. Option B is wrong because the implicit localhost is used, but the warning indicates that it does not match 'all', so no tasks run—this is exactly what the warning says, but the option incorrectly states that the playbook 'used the implicit localhost' without acknowledging that the tasks did not execute. Option D is wrong because the playbook did not fail; it completed with a warning that no hosts matched, which is a non-fatal condition—Ansible reports 'ok=0 changed=0' rather than a failure.

30
MCQhard

A custom filter plugin named `custom_filter` is stored in `./filter_plugins/` relative to the playbook. The playbook runs on a control node where the `ansible.cfg` sets `filter_plugins = /opt/ansible/filters`. Which location will Ansible search for the plugin first?

A. Both A and B, with A first then B
B. /opt/ansible/filters
C. ./filter_plugins/
D. ~/.ansible/plugins/filter
AnswerB

The ansible.cfg setting takes precedence over the default.

Why this answer

Option B is correct because Ansible's plugin loading order prioritizes the `filter_plugins` directory specified in `ansible.cfg` over the `./filter_plugins/` directory relative to the playbook. The `ansible.cfg` setting explicitly overrides the default search path, so `/opt/ansible/filters` is checked first.

Exam trap

The trap here is that candidates assume the playbook-relative `./filter_plugins/` directory is always searched first, but the `ansible.cfg` setting explicitly overrides that order, making the configured path the primary search location.

How to eliminate wrong answers

Option A is wrong because it suggests both locations are searched with A first, but the actual order is determined by the `ansible.cfg` setting, which takes precedence over the playbook-relative directory. Option C is wrong because `./filter_plugins/` is only searched if no `filter_plugins` path is set in `ansible.cfg` or if the configured path doesn't exist; here, the explicit path in `ansible.cfg` is checked first. Option D is wrong because `~/.ansible/plugins/filter` is a fallback location searched after the `ansible.cfg` path and the playbook-relative path, not before.

31
Drag & Dropmedium

Drag and drop the steps to configure a firewall rule using firewalld to allow HTTPS traffic in the correct order.


Why this order

Firewalld commands: check zone, add service with --permanent, reload, verify, test.

32
MCQmedium

An Ansible role has tasks that need to run in a specific order, and some tasks must use a different shell interpreter. Which feature allows the role to control task execution order and environment settings?

A.Use the meta module to declare dependencies and the environment directive in tasks.
B.Use the strategy plugin and a custom lookup to set interpreter.
C.Use tags to control execution order and a custom inventory script.
D.Use the block directive to order tasks and a vars file for interpreter.
AnswerA

Meta can specify role order; environment sets interpreter.

Why this answer

Option A is correct because the meta module can set role dependencies and the environment directive sets interpreter. Option B is wrong because block is for grouping tasks, not ordering between roles. Option C is wrong because tags are for filtering, not ordering.

Option D is wrong because strategy is for play-level ordering.

33
MCQhard

Refer to the exhibit. An administrator runs the playbook but the wait_for task fails. What is the most likely cause?

A.The ansible_facts variable may not be available because fact gathering is disabled.
B.The http_port variable is misspelled.
C.The wait_for module requires the 'port' parameter to be an integer.
D.The delegate_to should be set to the remote host.
AnswerA

Correct: without gather_facts: yes, ansible_facts is empty.

Why this answer

The wait_for task uses ansible_facts, which are not gathered by default unless fact gathering is enabled. Since there is no gather_facts directive or it is set to false, ansible_facts will be empty, causing the task to fail. Option B is correct.

Option A is incorrect because delegate_to is fine on localhost. Option C is incorrect because http_port is defined. Option D is incorrect because wait_for accepts strings for port.

34
MCQhard

An organization uses multiple Satellite servers for inventory. They want to combine data from all satellites into one unified inventory in Ansible Tower. Which approach is best?

A.Use a custom script to fetch and merge data from all Satellites into a single inventory source.
B.Create a smart inventory that includes all satellites.
C.Use a single Satellite server that aggregates data from all other Satellites.
D.Create one inventory with multiple inventory sources, each pointing to a different Satellite.
AnswerD

Multiple inventory sources can populate the same inventory, merging hosts.

Why this answer

Option D is correct because Ansible Tower allows you to create a single inventory with multiple inventory sources, each configured to sync from a different Satellite server. This approach consolidates all host data into one unified inventory without custom scripting or requiring a central aggregator, leveraging Tower's native multi-source inventory capabilities.

Exam trap

The trap here is that candidates may confuse 'smart inventory' with the ability to aggregate external sources, but smart inventories only filter existing inventory data and cannot import from multiple external sources directly.

How to eliminate wrong answers

Option A is wrong because using a custom script to fetch and merge data introduces unnecessary complexity, maintenance overhead, and bypasses Tower's built-in inventory source management, which is designed for this exact use case. Option B is wrong because a smart inventory filters hosts based on existing inventory data and cannot directly import data from multiple external sources like Satellite servers; it requires a pre-populated inventory. Option C is wrong because requiring a single Satellite server to aggregate data from others adds an extra layer of infrastructure and defeats the purpose of using multiple independent Satellite servers, which Tower can directly query.

35
MCQeasy

In OpenShift, a DeploymentConfig uses the RollingUpdate strategy. Which parameter controls the maximum number of pods that can be unavailable during an update?

A.minReadySeconds
B.maxSurge
C.revisionHistoryLimit
D.maxUnavailable
E.progressDeadlineSeconds
AnswerD

maxUnavailable sets the maximum number of pods that can be unavailable during the update.

Why this answer

In OpenShift, the RollingUpdate strategy for a DeploymentConfig uses the `maxUnavailable` parameter to specify the maximum number or percentage of pods that can be unavailable during the update process. This ensures that the desired number of pods remain available to serve traffic while the update rolls out, controlling the trade-off between update speed and availability.

Exam trap

The trap here is that candidates often confuse `maxUnavailable` with `maxSurge`, mistakenly thinking that controlling how many extra pods are created is the same as controlling how many can be unavailable, but `maxSurge` limits overshoot while `maxUnavailable` limits undershoot.

How to eliminate wrong answers

Option A is wrong because `minReadySeconds` controls how long a pod must be ready before it is considered available, not the number of unavailable pods during an update. Option B is wrong because `maxSurge` controls the maximum number of pods that can be created above the desired count during an update, not the number that can be unavailable. Option C is wrong because `revisionHistoryLimit` controls how many old ReplicationControllers are retained for rollback, not the update availability threshold.

Option E is wrong because `progressDeadlineSeconds` sets the maximum time for the deployment to make progress before it is considered failed, not the number of unavailable pods.

36
Multi-Selectmedium

Which THREE of the following are valid ways to define host variables in an Ansible inventory? (Choose exactly three.)

Select 3 answers
A.In the 'extra_vars' field of the job template.
B.Inline in the inventory file, e.g., 'myhost ansible_host=192.168.1.1 http_port=8080'.
C.In a credential's 'Input Configuration' as a secret variable.
D.In a 'group_vars/<groupname>' file, if the host belongs to that group.
E.In a 'host_vars/<hostname>' file within the project.
AnswersB, D, E

Variables can be assigned directly in the inventory file.

Why this answer

Option B is correct because Ansible allows inline host variable definitions directly in the inventory file using key=value pairs after the hostname. This is a standard syntax where variables like 'http_port=8080' are assigned to the host 'myhost' and become available as Ansible facts during playbook execution. The 'ansible_host' special variable is also defined this way to override the connection address.

Exam trap

The trap here is that candidates confuse runtime variable injection methods (like extra_vars or credentials) with static inventory variable definitions, leading them to select options that are valid for passing variables but not for defining host variables in an inventory.

37
MCQhard

An administrator needs to securely pass a database password to a playbook without exposing it in logs or the command line. Which approach is the most secure?

A.Store the password in an Ansible Vault-encrypted variable file and include it.
B.Set the password in a variable and use 'no_log: true' on tasks that use it.
C.Store the password in a host_vars file with restricted file permissions.
D.Prompt for the password and pass it as an extra variable using -e.
AnswerA

Vault encrypts the data, and the vault password is prompted or provided via a vault password file.

Why this answer

Option A is correct because Ansible Vault encrypts the variable file at rest, and including it via `vars_files` or `include_vars` decrypts it only in memory during playbook execution. This prevents the password from appearing in logs, the command line, or the process table, meeting the security requirement.

Exam trap

The trap here is that candidates often confuse `no_log: true` with actual encryption, thinking it hides the secret from all exposure, when in fact it only suppresses output and does not protect the secret from being visible in the process table or module internals.

How to eliminate wrong answers

Option B is wrong because `no_log: true` only hides the task output from logs, but the password is still passed in plaintext to the module and could be exposed via the process table or debug output if the module itself logs it. Option C is wrong because `host_vars` files with restricted file permissions still store the password in plaintext on disk, and any user with read access to the file or a backup can retrieve it. Option D is wrong because passing the password as an extra variable with `-e` exposes it in the command line, which is visible in the process list and shell history, and it may also appear in logs if the playbook uses `--log-level` or `ANSIBLE_LOG_PATH`.

38
MCQhard

A company uses Ansible Automation Controller to manage a mix of Linux and Windows servers. Each server is in a separate inventory group. The Linux servers use SSH keys stored in machine credentials, and the Windows servers use username/password stored in machine credentials. Recently, a new security policy requires that all credentials must be rotated every 90 days. The automation team has 50 Linux servers and 20 Windows servers. They want to minimize manual effort and avoid exposing secrets in plain text during rotation. They currently have a Jenkins pipeline that can run scripts on the controller node. Which approach best meets the requirements?

A.Use a Vault credential to store the new secrets and reference them in the job template
B.Write a script that uses the Automation Controller API to update the credential's inputs (e.g., new SSH key or password) after rotating them on the target servers
C.Store the new passwords directly in a playbook and run it manually on each server, then update the credential in the UI
D.Create a single machine credential with the same SSH key for all Linux servers and a single credential for all Windows servers
AnswerB

The API allows programmatic rotation without exposing secrets in logs or playbooks.

Why this answer

Option B is correct because it uses the Automation Controller API to programmatically update credential inputs (SSH keys or passwords) after rotating them on the target servers, which minimizes manual effort, avoids exposing secrets in plain text (the API call uses HTTPS and authentication tokens), and satisfies the 90-day rotation policy. The Jenkins pipeline can invoke a script that first rotates the secret on each server (e.g., via SSH or WinRM) and then calls the API's PATCH endpoint for the credential to update the stored value, ensuring the credential remains synchronized without manual UI intervention.

Exam trap

The trap here is that candidates may assume a Vault credential (Option A) automates rotation, but it only stores secrets securely and does not programmatically update them; the exam tests understanding that the API is the correct mechanism for automated credential updates without manual steps.

How to eliminate wrong answers

Option A is wrong because a Vault credential stores secrets in a secure vault but does not automate the rotation process; it still requires manual steps to generate and inject new secrets, and referencing it in a job template does not update the credential's value on the controller. Option C is wrong because storing new passwords directly in a playbook exposes them in plain text (even if encrypted with ansible-vault, the playbook would need to be manually updated and run on each server, then the credential updated in the UI, which is not automated and violates the requirement to avoid exposing secrets in plain text during rotation). Option D is wrong because using a single machine credential for all Linux servers and a single credential for all Windows servers violates the requirement that each server is in a separate inventory group and would break the ability to rotate credentials per server or per group, as well as creating a security risk if one key is compromised.

39
Matchingmedium

Match each Linux file system path to its typical content.

Matches

Configuration files

Variable data (logs, databases)

User system resources (binaries, libraries)

Temporary files

Process and kernel information

Why these pairings

Standard FHS directories for Red Hat Enterprise Linux.

40
MCQmedium

Refer to the exhibit. A user runs a playbook that creates hosts and then attempts to use a constructed inventory plugin. However, the constructed inventory does not group hosts by OS distribution. What is the most likely cause?

A.The constructed plugin cannot be used with the add_host module.
B.The 'strict: false' setting ignores missing variables, causing the group to be empty.
C.The constructed inventory runs before add_host tasks, so the hosts are not yet created.
D.The variable ansible_distribution is not defined because gather_facts is set to no.
AnswerC

Inventory plugins execute at inventory load time, not during playbook execution.

Why this answer

The constructed inventory plugin processes inventory sources and applies Jinja2 conditions to group hosts based on variables. However, when used in a playbook alongside the `add_host` module, the constructed inventory is evaluated at the start of the play, before any tasks (including `add_host`) run. Therefore, hosts added dynamically via `add_host` do not exist when the constructed plugin attempts to group them, causing the groups to be empty.

Option C correctly identifies this ordering issue.

Exam trap

Red Hat often tests the misconception that inventory plugins and dynamic host creation (`add_host`) operate in the same phase, when in fact the constructed plugin runs during inventory loading (pre-task) while `add_host` runs during task execution, creating a timing mismatch that candidates overlook.

How to eliminate wrong answers

Option A is wrong because the constructed plugin can absolutely be used with hosts created by `add_host` — the issue is not compatibility but execution order. Option B is wrong because `strict: false` does not cause groups to be empty; it merely suppresses errors when a variable is undefined, but if the hosts themselves are not yet present, no grouping can occur regardless of strict mode. Option D is wrong because even if `gather_facts` is set to `no`, the constructed plugin can still use other variables or static facts; the core problem remains that the hosts are not yet added to the inventory at the time the plugin runs.

41
Multi-Selecthard

Which THREE actions are required to successfully publish a collection to Automation Hub?

Select 3 answers
A.Build the collection with ansible-galaxy collection build.
B.Create an API token.
C.Sign the collection with GPG.
D.Run ansible-galaxy collection test.
E.Ensure the collection version is unique.
AnswersA, B, E

The collection must be built into a tarball before publishing.

Why this answer

Option A is correct because `ansible-galaxy collection build` is the required command to package a collection into a distributable tarball (e.g., `namespace-collection-1.0.0.tar.gz`). This tarball is the artifact that is then uploaded to Automation Hub. Without building the collection, there is no file to publish.

Exam trap

The trap here is that candidates confuse optional security hardening (GPG signing) with a mandatory publishing step, or they invent a non-existent command like `ansible-galaxy collection test` as a required action.

42
MCQhard

A team is migrating from static inventory to dynamic inventory using a custom script. The script returns JSON with a group 'webservers' containing hosts. However, the playbook targeting 'webservers' fails with 'no hosts matched'. Which filter or plugin issue is most likely?

A.The playbook uses 'hosts: all' but should use 'hosts: webservers'.
B.The script is not executable.
C.The 'ansible_host' variable is not set in hostvars.
D.The script output is missing the '_meta' key with 'hostvars'.
AnswerD

Dynamic inventory scripts require _meta structure; without it, Ansible may not recognize hosts.

Why this answer

Dynamic inventory scripts must include a `_meta` key with `hostvars` in their JSON output for Ansible to properly resolve host variables and match hosts to groups. Without `_meta`, Ansible cannot associate host-specific variables (like `ansible_host`) with the hosts listed under `webservers`, causing the playbook to see no matched hosts even though the group exists.

Exam trap

Red Hat often tests the misconception that 'no hosts matched' is caused by a missing group or incorrect host targeting, when in reality it is a dynamic inventory protocol compliance issue—specifically the absence of the `_meta` key in the script output.

How to eliminate wrong answers

Option A is wrong because the playbook already targets 'webservers' (as stated in the question), so changing to 'hosts: all' would not fix the 'no hosts matched' error and would instead run on all hosts. Option B is wrong because a non-executable script would cause a different error (e.g., 'Failed to execute script') rather than 'no hosts matched', and the question states the script returns JSON, implying it runs. Option C is wrong because while `ansible_host` is important for connectivity, its absence does not cause 'no hosts matched'—that error occurs during inventory parsing before variable resolution; missing `ansible_host` would cause a connection failure later.

43
MCQhard

A job template runs successfully on some hosts but fails on others with 'Permission denied' for the same task. The admin has verified that the credential is correct. What is the most likely cause?

A.The package repository is not accessible from those hosts.
B.The privilege escalation method (become method) differs among hosts.
C.The credential's username is incorrect for some hosts.
D.The SSH key is not accepted on some hosts.
AnswerB

Hosts may have different sudo configurations; the become method in the job template might not work on all hosts.

Why this answer

B is correct because the 'Permission denied' error on a task that runs successfully on some hosts but not others, despite a verified credential, typically indicates a privilege escalation issue. The become method (e.g., sudo, su, pbrun) may be configured differently or unsupported on the failing hosts, causing Ansible to fail when attempting to escalate privileges for the task. Since the credential is correct, the failure occurs during the become process, not authentication.

Exam trap

The trap here is that candidates often assume 'Permission denied' always means an SSH key or credential issue, overlooking that privilege escalation (become) is a separate step that can fail even when the initial SSH connection succeeds.

How to eliminate wrong answers

Option A is wrong because a package repository being inaccessible would cause a different error (e.g., 'Could not resolve host' or 'Failed to download metadata'), not 'Permission denied' for a task. Option C is wrong because the admin has verified the credential is correct, so the username is not incorrect; a wrong username would cause an authentication failure, not a permission error after authentication. Option D is wrong because an SSH key not being accepted would cause an SSH connection failure (e.g., 'Permission denied (publickey)') before any task runs, not a 'Permission denied' error on a specific task after connection is established.

44
Multi-Selectmedium

An organization is designing a high-availability Automation Platform deployment. Which TWO practices are essential for achieving high availability?

Select 2 answers
A.Use a single instance of PostgreSQL on the controller node.
B.Installation on a single powerful node.
C.Deploy multiple automation controllers behind a load balancer.
D.Store all secrets in the Automation Platform vault.
E.Use an external PostgreSQL database with replication.
AnswersC, E

Provides controller failover.

Why this answer

Option C is correct because deploying multiple automation controllers behind a load balancer distributes workload and provides failover: if one controller fails, the load balancer redirects traffic to healthy nodes, ensuring continuous job execution and API availability. This is a core high-availability pattern for Ansible Automation Platform, as the controllers are stateless and can share the same database and project storage.

Exam trap

The trap here is that candidates confuse 'high availability' with 'performance scaling' or 'security hardening', leading them to select a single powerful node (Option B) or vault storage (Option D) instead of recognizing that redundancy of both controllers and the database is required.

45
MCQmedium

Refer to the exhibit. Which of the following is the most likely cause of this error?

A.The playbook is running without '--become' flag.
B.The 'become_method' is set to 'su' instead of 'sudo'.
C.The 'ansible_become_password' was provided but incorrect.
D.The remote user is not in the sudoers file.
E.The 'ask_become_pass' is set to 'false' and no become password is provided.
AnswerE

Correct: If ask_become_pass is false and no password is set via variable or vault, Ansible cannot obtain a sudo password, resulting in 'Missing sudo password'.

Why this answer

Option E is correct. The error 'Missing sudo password' indicates that Ansible attempted to become root via sudo, but no password was provided and the configuration does not allow passwordless sudo. Option A would give a different error.

Option B would also give a password prompt or error, but the specific message points to missing password. Option C would give 'incorrect password' error. Option D would not attempt become at all.

Therefore, E is most likely.

46
Multi-Selecthard

Which THREE components are typically included in an execution environment?

Select 3 answers
A.Base OS image
B.Ansible Navigator
C.Ansible Core and collections
D.Python interpreter and dependencies
E.Ansible Tower/AWX
AnswersA, C, D

The foundation of the container.

Why this answer

An execution environment is a container image that provides a consistent, self-contained runtime for Ansible automation. It must include a base OS image (e.g., Red Hat Universal Base Image) to host the environment, Ansible Core and collections for automation logic, and a Python interpreter with its dependencies to execute modules and manage system interactions. These three components ensure portability and reproducibility across different control nodes.

Exam trap

Red Hat often tests the distinction between tools that manage execution environments (like Ansible Navigator) versus components that are actually inside the execution environment, leading candidates to mistakenly include Navigator or Tower/AWX as part of the image.

47
MCQhard

An Ansible playbook uses the 'constructed' inventory plugin with 'keyed_groups' to create groups based on 'ansible_distribution'. Despite correct configuration, hosts are not assigned to the expected groups. What is the most likely cause?

A.the 'keyed_groups' syntax uses invalid Jinja2 expressions
B.the inventory file is incorrectly formatted
C.the 'strict' option is set to 'yes' and the required facts are not gathered
D.the plugin is not enabled in ansible.cfg
AnswerC

Correct: with strict: yes, undefined variables cause group assignment to fail silently.

Why this answer

Option C is correct because 'strict: yes' causes the plugin to fail on undefined variables; if facts are not gathered, 'ansible_distribution' is undefined. Options A, B, and D are plausible but less likely.

48
MCQhard

You are managing a critical web application deployed on OpenShift with 12 replicas. The application must maintain at least 10 replicas available during updates to meet an SLA. You initiate a rolling update using the default strategy, but the rollout is progressing slowly because only 2 new pods are created at a time, causing a prolonged update duration. You need to speed up the rollout without violating the SLA (10 available replicas). The current Deployment configuration has maxSurge: 25% (3 pods) and maxUnavailable: 25% (3 pods). You have permission to update the DeploymentConfig during the active rollout. Which action should you take?

A.Cancel the current rollout, set maxSurge to 4 and maxUnavailable to 2, then start a new rollout.
B.Set maxSurge to 50% and maxUnavailable to 50%, then run 'oc rollout resume'.
C.Set maxSurge to 5 and maxUnavailable to 2, then run 'oc rollout retry'.
D.Set maxSurge to 10 and maxUnavailable to 2, then run 'oc rollout resume'.
AnswerD

maxUnavailable=2 ensures at most 2 pods down, keeping 10 available. maxSurge=10 allows more new pods in parallel, speeding the rollout. Modifying during rollout is valid; resume continues the update.

49
Multi-Selecteasy

Which two conditions could prevent an automation controller job from starting? (Choose two.)

Select 2 answers
A.The inventory source is empty
B.The project sync is pending
C.The job template is disabled
D.The user is a system auditor
E.The execution environment image tag is 'latest'
AnswersB, C

Controller may block jobs until project sync completes.

Why this answer

Options B and C are correct: a disabled job template cannot start, and a pending project sync can block execution. Option A is wrong: an empty inventory may yield zero hosts, but the job still starts and fails. Option D is wrong: system auditors can still launch jobs if they have the role. Option E is wrong: the 'latest' tag is valid.

50
MCQeasy

A large enterprise manages its infrastructure with Ansible Automation Platform. The operations team reports that job runs are taking longer than expected, especially for playbooks that include role dependencies. After investigation, they notice that the control node has high CPU and memory usage during job execution. The inventory contains 500 hosts, and the playbooks use several roles that include dynamic includes (include_tasks) based on conditional variables. The team wants to reduce the load on the control node without changing the playbook logic or reducing functionality. Which action should the team take?

A.Use the --limit flag to run the playbook against a subset of hosts.
B.Increase the forks value in ansible.cfg to 100 to speed up execution.
C.Enable pipelining in ansible.cfg by setting pipelining = True.
D.Migrate to AWX to distribute job execution across multiple nodes.
AnswerC

Pipelining reduces the number of SSH operations, decreasing control node load.

Why this answer

Enabling pipelining reduces the number of SSH connections Ansible makes to each host by combining multiple task operations into a single SSH session. This drastically lowers the overhead on the control node's CPU and memory, especially when executing many tasks with dynamic includes across a large inventory, without altering playbook logic.

Exam trap

The trap here is that candidates often confuse increasing forks (Option B) as a performance fix, but it actually increases control node load, while pipelining reduces connection overhead without changing parallelism.

How to eliminate wrong answers

Option A is wrong because --limit reduces the number of target hosts, which changes the scope of execution and does not reduce load per host or address the control node's resource usage during role dependency resolution. Option B is wrong because increasing forks speeds up parallel execution but actually increases CPU and memory load on the control node by spawning more concurrent SSH processes, worsening the problem. Option D is wrong because migrating to AWX distributes job execution across worker nodes, which offloads work from the control node but is a significant architectural change that goes beyond the requirement of not changing functionality and is not a simple configuration fix.

51
MCQeasy

An Ansible playbook needs to extract the domain name from a list of email addresses stored in variable `emails`. The domain appears after the '@' symbol. Which filter should be used?

A.split
B.regex_replace
C.urldecode
D.base64
AnswerB

The pattern `.*@(.*)` with replacement `\1` extracts the domain.

Why this answer

The `regex_replace` filter can extract the domain by matching the pattern `.*@(.*)` and replacing with `\1`, isolating the part after '@'. This is the correct approach because Ansible's Jinja2 filters include `regex_replace` for pattern-based string extraction, while `split` would require additional steps to isolate the domain.

Exam trap

Red Hat often tests the misconception that `split` alone can extract a substring, but candidates forget that `split` returns a list and requires indexing, while `regex_replace` directly yields the matched group.

How to eliminate wrong answers

Option A is wrong because `split('@')` returns a list of parts (e.g., ['user', 'example.com']), but the filter alone does not extract a single element; you would need to index the result (e.g., `emails[0].split('@')[1]`), making it less direct than `regex_replace`. Option C is wrong because `urldecode` decodes URL-encoded characters (e.g., %20 to space) and has no relevance to extracting substrings after a delimiter. Option D is wrong because `base64` encodes or decodes Base64 data, which is unrelated to parsing email addresses.

52
Multi-Selecteasy

Which TWO of the following are advantages of using 'ansible-pull' over 'ansible-playbook'?

Select 2 answers
A.It can be used in environments where a central control node is not desired.
B.It eliminates the need for an inventory file.
C.Nodes can self-configure by pulling playbooks from a git repository.
D.It supports a different syntax for playbooks that is more efficient.
E.It reduces load on the control node because it runs locally on each node.
AnswersA, C

ansible-pull eliminates the need for a central push server.

Why this answer

Option A is correct because ansible-pull operates in a pull-based model where each managed node independently retrieves and executes playbooks from a central repository (e.g., a Git server). This eliminates the need for a persistent central control node, making it ideal for environments where a dedicated Ansible control node is not desired or feasible, such as in large-scale or decentralized deployments.

Exam trap

The trap here is that candidates often confuse 'eliminating the need for a control node' with 'eliminating the need for inventory,' or incorrectly assume that running locally automatically reduces load, when in fact the load is redistributed rather than reduced.

53
Matchingmedium

Match each systemd unit type to its description.

Concepts
Matches

Background daemon or process

IPC or network socket

Time-based activation

Filesystem mount point

Group of units for synchronization

Why these pairings

Common systemd unit types used in RHEL.

54
MCQeasy

A systems administrator is installing Ansible Automation Platform on a Red Hat Enterprise Linux 9 server. They download the installer tarball and run `./setup.sh`. The installation fails with an error indicating that the database password is incorrect. What is the most likely cause?

A.The `admin_password` variable in the inventory file does not match the PostgreSQL password.
B.The `bootstrap.yml` file has an incorrect value for `pg_password`.
C.The PostgreSQL server is not listening on the expected port.
D.The license file has not been placed in the installer directory.
AnswerA

The inventory file specifies the database password for the setup process.

Why this answer

Option A is correct because the `admin_password` variable in the AAP installer inventory file (typically `inventory` or `hosts`) sets the password for the AAP admin user, not the PostgreSQL database password. The database password is set by the `pg_password` variable. If `admin_password` is incorrectly used where `pg_password` is expected, or if the two are mismatched, the installer will fail with a 'database password is incorrect' error during the database connection check.

Exam trap

The trap here is that candidates confuse the AAP admin password (`admin_password`) with the PostgreSQL database password (`pg_password`), assuming a single password controls both, when in fact they are separate variables in the inventory file.

How to eliminate wrong answers

Option B is wrong because `bootstrap.yml` is not a standard file in the AAP installer; the database password is configured in the inventory file, not in a `bootstrap.yml`. Option C is wrong because a PostgreSQL server not listening on the expected port would produce a connection timeout or 'could not connect to server' error, not a 'password is incorrect' error. Option D is wrong because the license file is only required for initial login to the AAP web UI after installation; its absence does not cause a database password error during `setup.sh`.

55
MCQhard

Refer to the exhibit. An Ansible playbook targeting 'production' hosts fails with 'deploy_user is undefined'. What is the most likely cause?

A.the playbook uses a different group name in the play
B.the inventory file is missing the host entries
C.the variable is defined but overridden by a higher precedence variable
D.the variable 'deploy_user' is not defined in any group or host vars
AnswerD

Correct: the inventory only defines ansible_user, not deploy_user.

Why this answer

Option D is correct because 'deploy_user' is not defined anywhere in the inventory shown. Options A, B, and C are plausible but not directly supported by the exhibit.

56
Multi-Selecteasy

Which TWO factors should be considered when choosing a base container image for an execution environment?

Select 2 answers
A.The date of the last update.
B.The presence of ansible-core and ansible-runner.
C.The size of the image.
D.The base operating system version.
E.The number of layers.
AnswersB, D

These components are essential for running Ansible inside the container.

Why this answer

An execution environment is a container image that includes all dependencies needed to run Ansible automation. For it to function correctly, the base image must contain `ansible-core` and `ansible-runner`, as these provide the core automation engine and the runner that manages playbook execution, respectively. Without these components, the container cannot execute Ansible jobs, making their presence a mandatory requirement.

Exam trap

Red Hat often tests the misconception that image size or layer count are critical selection criteria, when in fact the mandatory technical requirement is the presence of `ansible-core` and `ansible-runner` to ensure the container can actually run Ansible jobs.

57
MCQeasy

An admin needs to restrict which users can launch specific job templates. Which AAP feature should be used?

A.Execution environments with custom modules.
B.Machine credentials with different users.
C.Inventory groups with host restrictions.
D.Role-based access control (RBAC) on job templates.
AnswerD

RBAC can assign permissions to users/teams for specific job templates.

Why this answer

Role-based access control (RBAC) on job templates is the correct feature because it allows an administrator to assign specific permissions (e.g., execute, read, or admin) to users or teams for individual job templates in Ansible Automation Platform (AAP). This directly restricts which users can launch specific job templates without affecting other resources.

Exam trap

The trap here is that candidates confuse operational features (like execution environments or credentials) with access control mechanisms, assuming that restricting execution environments or credentials indirectly controls user access, when AAP explicitly uses RBAC for granular user permissions on job templates.

How to eliminate wrong answers

Option A is wrong because execution environments are containerized runtime environments for Ansible playbooks, not a mechanism for user-level access control; custom modules extend functionality but do not restrict job template launches. Option B is wrong because machine credentials authenticate to target hosts (e.g., SSH keys or passwords) and do not control which users can launch job templates in AAP. Option C is wrong because inventory groups organize hosts for targeting playbooks, but they do not enforce user permissions on job templates; host restrictions limit which hosts are affected, not who can launch the job.

58
Multi-Selecthard

An administrator is debugging a playbook that uses multiple roles and wants to limit execution to a specific set of tasks. Which three methods can be used to filter task execution? (Choose three.)

Select 3 answers
A.Use the '--tags' command-line option.
B.Use the '--skip-tags' command-line option.
C.Use the '--check' command-line option.
D.Use the '--step' command-line option.
E.Use the '--start-at-task' command-line option.
AnswersA, B, E

--tags filters tasks by specified tags.

Why this answer

Options A, B, and E are correct. Option C (--check) performs a dry run without filtering. Option D (--step) prompts after each task but doesn't filter.

59
Multi-Selecthard

Which THREE are valid methods to control task execution in Ansible?

Select 3 answers
A.Using the 'when' conditional
B.Using 'block' to group tasks for error handling
C.Using 'register' to store task output
D.Using 'loop' to iterate over a list
E.Using the 'with_items' loop
AnswersA, B, D

'when' controls task execution based on conditions.

Why this answer

Option A is correct because the 'when' conditional in Ansible allows you to control whether a task runs based on the evaluation of a condition, such as a variable, fact, or the result of a previous task. This is a primary method for conditional execution, enabling tasks to be skipped when the condition is false, directly controlling task execution flow.

Exam trap

The trap here is that candidates confuse 'register' (which stores output) with a control flow mechanism, or they mistakenly think 'with_items' is still a valid method for controlling task execution, when in fact the exam expects knowledge of the modern 'loop' keyword and the deprecation of 'with_items'.

60
MCQhard

An Ansible role uses a variable "server_list" which is a list of dictionaries. Each dictionary has a key "ports" which should be a list of integers. However, due to inconsistent input, "ports" could be a comma-separated string (e.g., "80,443") or already a list of integers (e.g., [80,443]). The engineer wants to normalize "ports" to always be a list of integers for further processing. Which of the following tasks correctly normalizes the "ports" field?

A.- set_fact: server_list: "{{ server_list | map('combine', {'ports': item.ports | split(',')}) }}" loop: "{{ server_list }}"
B.- set_fact: server_list: "{{ server_list | map('combine', {'ports': [item.ports] | flatten}) }}" loop: "{{ server_list }}"
C.- set_fact: server_list: "{{ server_list | map('combine', {'ports': item.ports}) }}" loop: "{{ server_list }}"
D.- set_fact: server_list: "{{ server_list | map('combine', {'ports': (item.ports is string) | ternary(item.ports | split(','), item.ports)}) }}" loop: "{{ server_list }}"
AnswerD

Correctly uses ternary to conditionally split string or keep list.

Why this answer

Option D is correct because it uses the `ternary` filter to check if `item.ports` is a string; if true, it splits the string by commas into a list, otherwise it keeps the existing list. This ensures the `ports` field is always normalized to a list of integers, handling both inconsistent input formats.

Exam trap

The trap here is that candidates often overlook the need to conditionally handle both string and list inputs, picking options that either always split (breaking lists) or never split (breaking strings), rather than using a conditional filter like `ternary`.

How to eliminate wrong answers

Option A is wrong because `split(',')` will always produce a list of strings, not integers, and it does not handle the case where `ports` is already a list; also, `map('combine', ...)` with a loop is redundant and incorrectly replaces the entire list. Option B is wrong because `[item.ports] | flatten` will wrap a list in another list and then flatten it, but if `item.ports` is a string, it will create a list containing that single string, not splitting it; it fails to normalize strings into separate integer elements. Option C is wrong because it simply reassigns the `ports` field without any transformation, leaving strings unchanged and not converting them to lists.

61
MCQhard

A playbook includes a long-running task that should not block the rest of the playbook. The administrator wants to start the task and later check its status. Which method should be used?

A.Use the 'async' keyword with 'poll: 0' and then use async_status module.
B.Use 'delegate_to: localhost' and 'run_once'.
C.Use a separate playbook invoked with 'ansible-playbook' via command module.
D.Use 'throttle' to limit execution.
AnswerA

async with poll=0 starts the task and returns immediately; async_status checks the result later.

Why this answer

Option A (async with poll=0 and then async_status) is correct. Option B (delegate_to) runs on a different host but still blocks. Option C (separate playbook) is inefficient. Option D (throttle) limits concurrency but doesn't background.

62
Multi-Selectmedium

Which TWO of the following are best practices for securing automation controller secrets and credentials?

Select 2 answers
A.Store secrets in plain text in inventory files for simplicity
B.Use Ansible Vault to encrypt sensitive data like passwords and API keys
C.Disable logging to prevent exposure of sensitive data in logs
D.Use OAuth2 tokens for API authentication instead of static credentials
E.Grant all users admin access to reduce permission complexity
AnswersB, D

Ansible Vault encrypts secrets at rest and requires a password or key to decrypt.

Why this answer

Option B is correct because Ansible Vault provides encryption for sensitive data such as passwords and API keys, ensuring they are not stored in plaintext. This is a core security practice for automation controller secrets, as it protects credentials at rest and during transport when used with playbooks.

Exam trap

Red Hat often tests the misconception that disabling logging is a valid security measure, but the correct approach is to use selective data masking with no_log rather than eliminating logs entirely, which hinders auditing and troubleshooting.

63
MCQmedium

A company is deploying Ansible Automation Platform (AAP) in a three-node cluster: one automation controller node, one private automation hub node, and one database node (PostgreSQL). The deployment uses an execution environment that pulls from the private automation hub. After a successful installation, all nodes are reachable and services are running. However, when launching a job template that uses the execution environment, the job fails with the error: 'Unable to pull execution environment image from automation-hub.example.com:5000/ee/my-ee:latest - request to registry failed with status 403 Forbidden'. The administrator confirms that the execution environment image exists in the private automation hub and that the automation controller node can reach the registry via curl. What is the most likely cause and solution?

A.The private automation hub is configured to allow unauthenticated access; change the hub configuration to disable authentication.
B.SELinux on the controller node is blocking container pulls; temporarily set SELinux to permissive.
C.Create a container registry credential in automation controller that uses the pull token from private automation hub, and associate it with the execution environment.
D.The execution environment definition in the controller is missing the 'pull' field; add 'pull: always' to the job template.
AnswerC

A valid credential is required to authenticate and pull the image.

Why this answer

Option C is correct. The 403 Forbidden error indicates an authentication issue. The automation controller needs a container registry credential to authenticate with the private automation hub. Although the image exists and network connectivity works, the controller must have the correct credentials configured. Option A is wrong because unauthenticated access is not typically allowed in a production setup. Option B is wrong because SELinux is not blocking pull requests; it would cause different errors. Option D is wrong because the execution environment is configured, but the credential is missing.

64
MCQeasy

A playbook needs to generate a default value for a variable if it is undefined or empty. Which filter with a default value should be used?

A.my_var | fail('fallback')
B.my_var | ternary('fallback', my_var)
C.my_var | default('fallback')
D.my_var | coalesce('fallback')
AnswerC

default filter returns 'fallback' if my_var is undefined.

Why this answer

Option C is correct because the `default` filter in Ansible is specifically designed to provide a fallback value when a variable is undefined or evaluates to an empty string (with the `omit` parameter). It is the idiomatic way to handle missing or empty variables in Jinja2 templates within Ansible playbooks, ensuring idempotency and avoiding undefined variable errors.

Exam trap

Red Hat often tests the distinction between filters that handle undefined variables (`default`) versus filters that perform conditional logic (`ternary`) or error handling (`fail`), and the trap here is that candidates may confuse `coalesce` (a common SQL function) with a valid Ansible filter, leading them to select option D.

How to eliminate wrong answers

Option A is wrong because `fail` is a filter that raises an error, not a filter that provides a default value; using `fail('fallback')` would cause the playbook to fail instead of supplying a fallback. Option B is wrong because `ternary` is a conditional filter that returns one of two values based on a condition, but it does not check for undefined or empty variables; it requires an explicit boolean expression and will error if `my_var` is undefined. Option D is wrong because `coalesce` is not a valid Ansible filter; it is a function in some databases (like SQL) or Jinja2 extensions, but Ansible does not provide a `coalesce` filter for defaulting variables.

65
Drag & Dropmedium

Drag and drop the steps to configure SELinux to allow Apache to read a custom web directory in the correct order.

Why this order

SELinux for web: create dir, set context, verify, configure Apache, restart and test.

66
MCQeasy

An Ansible task uses the variable `{{ my_var | default(required=true) }}`. What happens if `my_var` is undefined?

A.The task fails with an error message
B.The task skips the host
C.The task uses an empty string
D.The task uses the string 'required'
AnswerA

The `required` parameter forces an error when the variable is undefined.

Why this answer

The `default(required=true)` filter in Ansible explicitly marks the variable as required. If `my_var` is undefined, the filter raises an error because it enforces that the variable must be provided, causing the task to fail with an error message. This is a deliberate mechanism to catch missing mandatory variables early in playbook execution.

Exam trap

The trap here is that candidates often confuse `default(required=true)` with setting a default value, thinking it will use the string 'required' or an empty string, when in fact it enforces mandatory variable definition and causes a failure.

How to eliminate wrong answers

Option B is wrong because the `required=true` parameter does not cause the task to skip the host; skipping occurs only with conditionals like `when: my_var is undefined` or `ignore_errors: yes`. Option C is wrong because an empty string is only used if `default('')` is specified without `required=true`. Option D is wrong because the string 'required' is not used as a fallback value; the `required=true` parameter is a boolean flag that triggers an error, not a default value.

67
MCQeasy

A playbook uses the copy module to deploy a configuration file. The file should be templated with variables, but the engineer mistakenly uses the 'src' parameter with a static file instead of 'content' or a template module. What is the most likely outcome?

A.The module automatically renders the Jinja2 template before copying.
B.The file is copied without variable substitution, resulting in literal Jinja2 syntax in the destination.
C.The playbook fails because the source file contains undefined variables.
D.The task is skipped because copy cannot handle variables.
AnswerB

Copy module does not process templates.

Why this answer

Option B is correct because copy with src copies the file as-is, with no variable substitution. Option A is wrong because the module won't automatically render variables; that requires the template module. Option C is wrong because the module does not fail on static content. Option D is wrong because it will copy the file, not skip.

68
MCQeasy

A junior administrator is deploying Ansible Automation Platform (AAP) 2.3 on a fresh RHEL 9 server. They have downloaded the installer and edited the inventory file. The installation fails early in the process with: `TASK [private_automation_hub : Check that server_url has been configured]` and the error message: `FAILED - Could not connect to the Automation Hub server`. The inventory file has the following relevant lines: `automationhub_server_url=https://hub.example.com:443` and `automationhub_validate_certs=false`. The server `hub.example.com` is reachable from the installation node and responds with a 404 on the root path. The admin verified that the SSL certificate is self-signed. What should the admin do to resolve the issue?

A.Ensure that the hostname resolves to the correct IP address.
B.Add an `automationhub_token` value from the hub server.
C.Set `automationhub_validate_certs=true` and provide a CA certificate bundle.
D.Set `automationhub_server_url=https://hub.example.com/api/galaxy` to match the expected API path.
AnswerD

The hub server expects the API endpoint at `/api/galaxy/`.

Why this answer

Option D is correct because the Automation Hub server URL must point to the API endpoint, not the root path. The installer's `private_automation_hub` role checks for a valid response from `automationhub_server_url/api/galaxy/content/`, and a 404 on the root indicates the server is running but the URL is misconfigured. Setting the URL to `https://hub.example.com/api/galaxy` aligns with the expected API path, allowing the connectivity check to succeed.

Exam trap

The trap here is that candidates assume a reachable server with a self-signed certificate implies an SSL validation issue, but the actual problem is a URL path mismatch that the installer's connectivity check explicitly tests for.

How to eliminate wrong answers

Option A is wrong because the admin already verified that `hub.example.com` is reachable and responds, so DNS resolution is not the issue. Option B is wrong because the `automationhub_token` is used for authentication to sync content, not for the initial connectivity check that validates the server URL. Option C is wrong because the error is a 404 response, not an SSL validation failure; setting `validate_certs=true` would not resolve a path mismatch and could introduce a certificate error if no CA bundle is provided.

69
MCQeasy

An administrator needs to store a database password securely for use in playbooks. Which credential type should they create?

A.Vault credential
B.Source control credential
C.Machine credential
D.Network credential
AnswerA

Vault credentials securely store encrypted secrets like passwords.

Why this answer

A Vault credential is the correct choice because Ansible Vault is specifically designed to encrypt sensitive data like passwords, API keys, and other secrets used in playbooks. It allows the administrator to store the database password in an encrypted file that can be decrypted at runtime using a vault password, ensuring the secret is not exposed in plaintext in the playbook or inventory.

Exam trap

The trap here is that candidates may confuse 'Machine credential' (used for SSH/WinRM access to hosts) with a general-purpose secret store, not realizing that Ansible Vault is the dedicated mechanism for encrypting sensitive data like database passwords within playbooks.

How to eliminate wrong answers

Option B (Source control credential) is wrong because it is used to authenticate to Git or other version control systems to sync projects, not to store secrets for use in playbooks. Option C (Machine credential) is wrong because it is used for SSH or WinRM authentication to managed hosts, not for storing arbitrary secrets like database passwords. Option D (Network credential) is wrong because it is used for network device authentication (e.g., SNMP, API tokens for network appliances), not for storing database passwords for playbook use.

70
MCQmedium

An Ansible playbook needs to convert a list of server names into a comma-separated string for an API call. Which filter should be applied to the list variable 'server_list'?

A.map('regex_replace', '^', '')
B.combine(',')
C.join(',')
D.regex_replace('\n', ',')
AnswerC

join filter concatenates list items with the given separator.

Why this answer

Option C is correct because the `join` filter in Ansible is designed to concatenate list elements into a single string using a specified delimiter. Applying `join(',')` to `server_list` will produce a comma-separated string, exactly as required for the API call.

Exam trap

The trap here is that candidates may confuse `join` with `combine` (which works on dicts) or attempt to use regex filters on lists, not realizing that `join` is the only filter that directly converts a list to a delimited string.

How to eliminate wrong answers

Option A is wrong because `map('regex_replace', '^', '')` applies a regex replacement to each element, but the pattern `^` (start of string) with an empty replacement does nothing; it returns the list unchanged, not a string. Option B is wrong because `combine` is a filter for merging dictionaries, not for joining list elements into a string. Option D is wrong because `regex_replace('\n', ',')` is intended for strings, not lists; applying it to a list would cause an error or unexpected behavior, and it does not convert a list to a comma-separated string.

71
MCQmedium

An administrator wants to use an Ansible role from Ansible Galaxy but the role has a dependency on another role that is already installed. What should be done to avoid conflicts?

A.Set 'allow_duplicates: false' in the parent role's meta/main.yml.
B.Define the dependency as a collection.
C.Use 'galaxy install --force' to overwrite.
D.No action needed; Ansible handles duplicates automatically.
AnswerA

This prevents the role from running multiple times if already listed.

Why this answer

Option A (set `allow_duplicates: false`) is correct because it prevents the dependency from running twice. Option B (collection) is a different concept. Option C (force install) overwrites the role but doesn't prevent duplicate execution. Option D (no action) would cause the role to run twice by default.

72
Multi-Selectmedium

A company uses Ansible to perform a rolling update of 10 web servers behind an HAProxy load balancer. The playbook uses the `serial` keyword and includes tasks to disable a host from the load balancer, update the web server package, and re-enable the host. Which TWO best practices should the administrator apply to minimize downtime and ensure a successful rolling update?

Select 2 answers
A.Use `any_errors_fatal: true` to stop the playbook if any host fails.
B.Set `serial: 1` to update one host at a time.
C.Use `throttle: 1` to limit the number of concurrent tasks across all hosts.
D.Ensure the load balancer draining timeout is longer than the maximum expected update time per host.
E.Use `async` and `poll` to run the update tasks in the background while proceeding to the next host immediately.
AnswersB, D

Updating one host at a time minimizes the impact on the load balancer pool and ensures continuous service availability.

Why this answer

Option B is correct because setting `serial: 1` updates one host at a time, ensuring that at most one host is out of the pool, preserving capacity. Option D is correct because ensuring the load balancer draining timeout is longer than the update time prevents the host from being prematurely re-enabled before the update completes. Option A is wrong because `any_errors_fatal: true` would stop the entire update on the first failure, which is too aggressive for a rolling update where failures on individual hosts can be tolerated.

Option C is wrong because `throttle: 1` limits concurrency of a single task across hosts, but does not control batch size; it can coexist with `serial` but is not a best practice for rolling update orchestration. Option E is wrong because `async` and `poll` are used for long-running tasks that should run in the background, not for sequential batch updates.

73
MCQhard

A job template uses a custom credential type that injects environment variables for a third-party API. The credential input defines a field 'api_key'. The playbook uses {{ api_key }} but it's empty. What is the most likely cause?

A.The injector configuration is missing or incorrect.
B.The field name is case-sensitive and the playbook uses a different case.
C.The credential was not assigned to the job template.
D.The playbook uses a different variable name.
AnswerA

Without injector, the credential's inputs are not made available to the playbook.

Why this answer

The most likely cause is that the injector configuration is missing or incorrect. In Ansible Tower/AWX, a custom credential type requires an injector definition (e.g., `env` or `file`) to map the credential input fields into environment variables or extra vars. Without a proper injector, the `api_key` field is never exposed to the job environment, so `{{ api_key }}` resolves to an empty string.

Exam trap

The trap here is that candidates assume simply defining an input field automatically makes it available as a variable, but without a correct injector configuration, the value is never injected into the job environment.

How to eliminate wrong answers

Option B is wrong because Ansible variable names are case-sensitive, but the playbook uses `{{ api_key }}` which matches the credential input field name `api_key` exactly, so case is not the issue. Option C is wrong because if the credential were not assigned to the job template, the job would fail with a credential not found error, not silently produce an empty variable. Option D is wrong because the playbook uses `{{ api_key }}` which matches the credential input field name; a different variable name would cause an undefined variable error, not an empty string.
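As an added illustration of question 73 (not part of the original question bank), the following shows a custom credential type whose input field `api_key` is mapped by an injector, plus a playbook that checks the value arrived before using it. The environment variable name `THIRD_PARTY_API_KEY`, the labels and the URL are constructed placeholders.

```yaml
# --- Credential type: INPUT CONFIGURATION (pasted into the controller form) ---
fields:
  - id: api_key            # field name referenced by the injector below
    type: string
    label: Third-party API key
    secret: true           # stored encrypted, masked in the UI
required:
  - api_key
---
# --- Credential type: INJECTOR CONFIGURATION ---
# Without this section the input is stored but never reaches the job.
env:
  THIRD_PARTY_API_KEY: '{{ api_key }}'   # exposed as an environment variable
extra_vars:
  api_key: '{{ api_key }}'               # exposed as the playbook variable api_key
---
# --- Playbook run by the job template that has the credential attached ---
- name: Call the third-party API
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Fail early if the injector did not deliver the key
      ansible.builtin.assert:
        that:
          - api_key is defined
          - api_key | length > 0
        fail_msg: "api_key was not injected; check the credential type's injector configuration"
        quiet: true

    - name: Query the API without writing the key to job output
      ansible.builtin.uri:
        url: https://api.example.invalid/v1/status   # constructed placeholder
        headers:
          Authorization: "Bearer {{ api_key }}"
      no_log: true
```

The `env` entry alone makes the value readable only through `lookup('env', 'THIRD_PARTY_API_KEY')`; the `extra_vars` entry is what lets the playbook reference `{{ api_key }}` directly.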

74
Multi-Selecthard

Which THREE of the following are core components of Automation Platform that are installed by default in a standard setup?

Select 3 answers
A.Red Hat Enterprise Linux
B.Automation controller
C.Automation mesh (node type)
D.Private Automation Hub
E.Ansible Core
AnswersB, C, D

The central component for running automation jobs.

Why this answer

Option B is correct because Automation controller (formerly Ansible Tower) is the web-based UI and REST API platform that provides role-based access control, job scheduling, and inventory management for Ansible automation. It is installed by default as part of a standard Red Hat Ansible Automation Platform setup to serve as the central control plane.

Exam trap

The trap here is that candidates often confuse Ansible Core (the CLI engine) with a default platform component, but it is actually a runtime dependency that is not installed as a separate service in a standard Automation Platform deployment.

75
MCQeasy

A company uses a static inventory file for Ansible Tower. They need to add a new host to an existing group. Which action should they take?

A.Edit the inventory in the Tower UI and add the host to the group.
B.Use the ansible-inventory command to add the host.
C.Modify the static inventory file and run a job template.
D.Create a new inventory and host group.
AnswerA

Directly editing the inventory via UI is the correct method for static inventories.

Why this answer

Option A is correct because the company uses a static inventory file for Ansible Tower, and the Tower UI provides a built-in interface to manage static inventories. Editing the inventory in the Tower UI and adding the host to the group directly updates the underlying static inventory file and synchronizes it with Tower's database, ensuring the host is available for job runs without manual file manipulation.

Exam trap

The trap here is that candidates may think modifying the static inventory file directly (Option C) is sufficient, but they overlook that Tower requires a sync or UI-based edit to recognize the change, and simply running a job template does not refresh the inventory.

How to eliminate wrong answers

Option B is wrong because the ansible-inventory command is used to display or dump inventory contents, not to modify static inventory files; it cannot add hosts to a group. Option C is wrong because modifying the static inventory file manually does not automatically update Tower's inventory cache; you would need to sync or refresh the inventory in Tower, not just run a job template. Option D is wrong because creating a new inventory and host group is unnecessary and inefficient; the existing group can be edited directly to add the new host.
