Red Hat Certified Engineer EX294 (EX294) — Questions 301-375

518 questions total · 7 pages · All types, answers revealed

Page 5 of 7

301
Multi-Select · hard

Which THREE of the following are valid Ansible lookup plugins? (Select exactly three.)

Select 3 answers
A. `csvfile`
B. `map`
C. `file`
D. `password`
E. `select`
Answers: A, C, D

Correct; csvfile is a lookup plugin to parse CSV files.

Why this answer

Option A is correct because `csvfile` is a built-in Ansible lookup plugin that reads data from CSV files, allowing playbooks to parse structured tabular data. It is documented in the official Ansible lookup plugin list and is commonly used for dynamic inventory or configuration values.

Exam trap

The trap here is that candidates confuse Jinja2 filters (like `map` and `select`) with Ansible lookup plugins, as both are used in templating but serve fundamentally different purposes—filters transform data, while lookups retrieve external data.

302
MCQ · hard

A large enterprise runs a multi-tenant Ansible Automation Platform deployment. The security team has mandated strict role-based access control (RBAC) for three departments: Network (manages routers/switches), Security (manages firewalls/IDS), and Operations (manages servers/applications). Each department must have its own projects, inventories, job templates, and credentials. Additionally, credentials must not be viewable by users who do not own them. The platform currently uses a single organization with one team and all users have admin permissions. Which course of action best meets these requirements?

A. Create three organizations (Network, Security, Operations). Within each organization, create a team, assign users, and grant appropriate permissions. Use custom roles to restrict credential access to team members only.
B. Create custom roles with no organizations. Assign users directly to resources via user-level permissions.
C. Keep a single organization but create three teams. Assign each team to its own projects and inventories, and use job template-level permissions to restrict access.
D. Use a single organization with one team. Set all credentials to 'read-only' to prevent viewing of secret values.
Answer: A

Organizations provide natural boundaries for resource isolation; teams and custom roles enforce fine-grained access.

Why this answer

Option A is correct because creating separate organizations for each department provides the strongest isolation boundary in Ansible Automation Platform. Within each organization, a dedicated team with custom roles ensures that credentials are scoped to that team and cannot be viewed by users outside it, satisfying the RBAC and credential visibility requirements.

Exam trap

The trap here is that candidates assume teams within a single organization can achieve full isolation, but they overlook that credentials and inventories are organization-scoped and can still be accessed by users from other teams if permissions are not meticulously restricted, and that credential 'view' permissions are separate from 'use' permissions.

How to eliminate wrong answers

Option B is wrong because user-level permissions without organizations or teams do not scale for multi-tenant environments and cannot enforce credential isolation at the organizational boundary. Option C is wrong because a single organization with three teams does not provide sufficient resource isolation; projects, inventories, and credentials would still be visible across teams unless explicitly restricted, and credential viewing cannot be fully prevented at the job template level. Option D is wrong because setting credentials to 'read-only' does not prevent users from viewing the credential values; read-only only prevents editing, not viewing secret fields, and a single team with admin permissions violates the RBAC mandate entirely.

303
MCQ · hard

What is the most likely cause of the build failure?

A. The base image already includes python3-devel, causing a conflict with the bindep.txt entry.
B. The package_manager_path should be /usr/bin/dnf.
C. The version field in execution-environment.yml is incorrect.
D. The base image name is misspelled.
Answer: A

ee-minimal images often include development packages; duplicate request fails.

Why this answer

The build failure is most likely caused by a conflict between the base image's pre-installed python3-devel package and the bindep.txt entry that also specifies python3-devel. In Ansible Builder, bindep.txt lists system packages to install via dnf, but if the base image already includes that package, the build process may fail due to duplicate or conflicting package manager operations, especially if the base image uses a different package version or repository configuration.

Exam trap

The trap here is that candidates assume all build failures are due to syntax errors or misspellings, but Red Hat often tests the nuance of package conflicts between the base image and bindep.txt, which is a common real-world issue in execution environment creation.

How to eliminate wrong answers

Option B is wrong because the package_manager_path should be /usr/bin/dnf only if the base image uses DNF; however, many execution environment base images (like the default ansible-runner) use microdnf or a different package manager, and the path is typically auto-detected by Ansible Builder. Option C is wrong because the version field in execution-environment.yml is optional and does not cause build failures; it is used for metadata and has no impact on package installation. Option D is wrong because a misspelled base image name would cause a pull error (e.g., 'image not found'), not a build failure related to package conflicts.

304
MCQ · easy

A team uses Ansible to update a web application across 10 servers with minimal downtime. Which playbook directive achieves one-at-a-time updates?

A. run_once: true
B. delegate_to: localhost
C. serial: 1
D. throttle: 1
E. forks: 10
Answer: C

Updates one host at a time, ensuring minimal downtime.

Why this answer

C is correct because the `serial: 1` directive in an Ansible playbook controls the number of hosts that are updated simultaneously. Setting `serial: 1` forces Ansible to execute the playbook on one host at a time, ensuring that the web application is updated sequentially across the 10 servers, which minimizes downtime by keeping the other 9 servers available during each individual update.

Exam trap

The trap here is that candidates confuse `serial` with `forks` or `throttle`, mistakenly thinking that limiting parallel connections (`forks: 1`) or task concurrency (`throttle: 1`) achieves the same sequential host behavior as `serial`, but only `serial` controls the batch size of hosts processed by the playbook.

How to eliminate wrong answers

Option A is wrong because `run_once: true` executes a task on only one host in the batch, not sequentially across all hosts, and is typically used for one-time setup tasks like generating a shared secret. Option B is wrong because `delegate_to: localhost` runs a task on the Ansible control node instead of the target servers, which does not control the order or batch size of host updates. Option D is wrong because `throttle: 1` limits the number of concurrent forks for a specific task but does not enforce sequential host processing across the entire play; it can still allow parallel execution of other tasks.

Option E is wrong because `forks: 10` sets the maximum number of parallel connections Ansible can make, but it does not guarantee one-at-a-time updates; with 10 forks, Ansible could attempt to update all 10 servers simultaneously.

305
MCQ · hard

An administrator is designing a workflow that includes an approval node. The workflow should pause at the approval node until a user with the appropriate role approves or denies. The workflow is triggered by a webhook. After setting up, the webhook successfully starts the workflow, but the approval node is never created. What is the most likely cause?

A. The approval node requires a notification template to be configured.
B. The workflow job template is set to run as a system user, but the approval node requires an actual user to approve.
C. The approval node's timeout is set to 0, causing it to be skipped.
D. The inventory for the workflow does not have proper machine credentials.
Answer: B

Webhook-triggered jobs run as the user who created the webhook key, but if system-level, no user context exists for approval.

Why this answer

Option B is correct because in Ansible Automation Platform, approval nodes in workflows require a real user to approve or deny the request. If the workflow job template is configured to run as a system user (e.g., the automation controller system user), there is no actual user identity associated with the approval action, so the approval node is never created. The webhook can still trigger the workflow, but the approval node fails to materialize because the system user lacks the necessary user context to generate the approval request.

Exam trap

The trap here is that candidates often assume approval nodes are purely configuration-based and overlook the requirement for a real user identity, confusing system-level execution with user-level approval actions.

How to eliminate wrong answers

Option A is wrong because notification templates are optional for approval nodes; they are used to send email or other notifications when an approval is pending, but they are not required for the approval node to be created. Option C is wrong because setting the timeout to 0 means the approval node will wait indefinitely (no timeout), not that it is skipped; a timeout of 0 does not cause the node to be bypassed. Option D is wrong because inventory machine credentials are irrelevant to the creation of an approval node; they are used for connecting to managed hosts, not for workflow approval logic.

306
MCQ · easy

Refer to the exhibit. An administrator wants to view the decrypted value of 'db_password' without modifying the file. Which command should be used?

A. ansible-vault rekey file.yml
B. ansible-vault decrypt file.yml
C. ansible-vault view file.yml
D. ansible-vault edit file.yml
Answer: C

Correct: view displays decrypted content to stdout.

Why this answer

Option B is correct because 'ansible-vault view' displays the decrypted content. Option A decrypts and saves unencrypted. Option C opens for editing.

Option D changes the vault password.

307
MCQ · hard

A team uses Ansible Automation Controller with multiple organizations. Each organization has its own set of machines that require different SSH keys. The administrator wants to ensure that users from one organization cannot use credentials from another organization. What is the best way to achieve this isolation?

A. Create credentials within each organization and assign organization-level access
B. Store credentials in separate projects and restrict project access
C. Set 'Use' permission on credentials only for specific users
D. Place users in different teams and restrict credential access by team
Answer: A

Credentials belong to an organization, and users from other organizations cannot see them.

Why this answer

In Ansible Automation Controller, credentials are scoped to organizations. By creating credentials within each organization and assigning organization-level access, the administrator ensures that credentials are only visible and usable by members of that organization. This leverages the built-in role-based access control (RBAC) that isolates resources by organization, preventing cross-organization credential access.

Exam trap

The trap here is that candidates often confuse team-based access control with organization-level isolation, assuming that restricting credentials to a team within an organization provides cross-organization security, but teams do not span organizations and cannot prevent access from users in other organizations.

How to eliminate wrong answers

Option B is wrong because projects in Ansible Automation Controller are used to store playbooks and source code, not credentials; credentials are stored separately in the Credentials resource and are not scoped by project. Option C is wrong because setting 'Use' permission on credentials for specific users does not prevent users from other organizations from accessing those credentials if they are not properly scoped to an organization; organization-level isolation is required. Option D is wrong because teams are subgroups within an organization and do not provide cross-organization isolation; users from different organizations could still be placed in the same team, and team-based restrictions do not enforce organizational boundaries.

308
MCQ · medium

You are deploying Red Hat Ansible Automation Platform in a restricted network environment where the automation controller, automation hub, and execution nodes cannot access the internet. You have successfully installed the automation controller and automation hub on separate RHEL 8 servers using a local repository. The automation hub is configured to sync collections from a local mirror. After deployment, you attempt to create a new job template that uses a collection from automation hub, but the job template creation fails with the error: 'Failed to find collection' for a collection that exists in automation hub. The execution nodes are subscribed to the same local repository. The automation controller is configured with the automation hub as the default collections server. What is the most likely cause?

A. The local repository does not contain the required Ansible Automation Platform packages for the execution nodes.
B. The automation controller cannot communicate with the execution nodes due to network restrictions.
C. The execution nodes are not registered with the automation controller.
D. The automation controller is configured with the default cloud.redhat.com as the collections server instead of the local automation hub URL.
Answer: D

Correct: The controller must point to the local automation hub; otherwise, it cannot find collections.

Why this answer

Option D is correct because the automation controller must be explicitly configured to use the local automation hub as the default collections server. If it defaults to cloud.redhat.com, the controller will attempt to download collections from the internet, which fails in a restricted network environment. The error 'Failed to find collection' indicates the controller cannot reach the configured collections server, not that the collection is missing from the local hub.

Exam trap

The trap here is that candidates may assume the error is due to network connectivity between components (Option B) or missing packages (Option A), when the real issue is a misconfiguration of the collections server URL in the controller settings.

How to eliminate wrong answers

Option A is wrong because the execution nodes are subscribed to the same local repository that was used to install the automation controller and hub, so they have the required AAP packages; the issue is about collection access, not package availability. Option B is wrong because the error occurs at job template creation, not during job execution, and the controller communicates with execution nodes only when a job runs, not during template creation. Option C is wrong because execution nodes must be registered with the controller to run jobs, but the error occurs before any job execution attempt, and registration status does not affect the controller's ability to find collections on the hub.

309
MCQ · easy

An Ansible playbook uses the lineinfile module to ensure a specific line is present in a configuration file. However, after running the playbook multiple times, the line is duplicated each time. Which option best explains this behavior?

A. The lineinfile module is missing the regexp parameter, so it adds the line every run.
B. The state parameter is set to 'append' instead of 'present'.
C. The backup parameter is not set, causing file corruption.
D. The insertafter parameter is incorrectly set to EOF, causing multiple adds.
Answer: A

Without a regexp, lineinfile cannot detect existing line, so it appends each time.

Why this answer

Option B is correct because without specifying a regexp, lineinfile adds the line every time, causing duplicates. Option A is wrong because backup does not affect duplication. Option C is wrong because state=present is the default and doesn't prevent duplicates.

Option D is wrong because the insertafter parameter would place line after first match, but without regexp it still adds each run.

310
MCQ · hard

A DevOps engineer is creating an execution environment for a team that needs both Ansible and the 'requests' Python library. The engineer creates an execution environment definition file (EE.yml) with the following content:

```yaml
---
version: 3
images:
  base_image:
    name: registry.redhat.io/ansible-automation-platform-22/ee-minimal-rhel8:latest
options:
  package_manager_path: /usr/bin/microdnf
dependencies:
  python: requirements.txt
  system: bindep.txt
```

What is missing from this definition to ensure the 'requests' library is installed?

A. The package_manager_path should be /usr/bin/yum.
B. The requirements.txt file must contain 'requests'.
C. The galaxy.yml file must be added to the dependencies section.
D. The base image should be ee-supported-rhel8 instead.
Answer: B

The requirements.txt file is referenced but the content is not shown; it must list requests.

Why this answer

The execution environment definition file (EE.yml) specifies dependencies via external files like requirements.txt for Python packages. To install the 'requests' library, the requirements.txt file must explicitly list 'requests' as a dependency. Without it, the build process will not include the library, regardless of other configuration options.

Exam trap

The trap here is that candidates may focus on the package manager or base image details, overlooking that the Python dependency must be explicitly declared in the requirements.txt file referenced by the definition.

How to eliminate wrong answers

Option A is wrong because the package_manager_path is correctly set to /usr/bin/microdnf for the specified RHEL 8 base image, which uses microdnf as its package manager; changing it to /usr/bin/yum would be incorrect. Option C is wrong because the galaxy.yml file is used for Ansible Galaxy content collections, not for Python package dependencies like 'requests'. Option D is wrong because the base image 'ee-minimal-rhel8' is appropriate for this execution environment; 'ee-supported-rhel8' is not a standard Red Hat image name and would not resolve the missing Python dependency.

311
MCQ · hard

Refer to the exhibit. A playbook targeting the 'webservers' group uses '{{ http_port }}'. What will be the value of 'http_port' on 'web2'?

A. 8080
B. 80
C. 80, because the group variable overrides host variable.
D. Undefined, causing an error
Answer: A

Correct: Host variable http_port=8080 overrides the group variable.

Why this answer

Option A is correct. Host variables override group variables. web2 has http_port=8080 defined as a host variable, so it takes precedence over the group variable of 80. Option B would be true if group variables override host variables, which they don't.

Option C is incorrect because the variable is defined. Option D is the opposite of the precedence rule. Therefore, A is correct.

312
MCQ · medium

An organization uses custom Ansible plugins stored in a collection. A junior admin reports that after updating the collection to version 2.0.0, a playbook that uses a custom filter plugin fails with 'undefined filter'. What is the most likely cause?

A. The playbook uses an outdated syntax that is incompatible with the new collection.
B. The filter plugin was placed in the wrong directory inside the collection.
C. The playbook does not use the fully qualified collection name (FQCN) for the filter.
D. The collection's metadata file galaxy.yml is missing a dependency declaration.
Answer: B

Filter plugins must reside in plugins/filter/ directory.

Why this answer

In Ansible collections, filter plugins must reside in the `plugins/filter/` directory within the collection structure. If the plugin is placed in the wrong directory (e.g., `plugins/modules/` or `plugins/lookup/`), Ansible will not load it as a filter, resulting in an 'undefined filter' error. The collection update to version 2.0.0 likely reorganized the directory structure, causing the filter to be misplaced.

Exam trap

The trap here is that candidates often assume the error is due to syntax or naming (FQCN), but the core issue is the strict directory structure requirement for Ansible plugin loading, which is a fundamental concept in collection development.

How to eliminate wrong answers

Option A is wrong because an outdated syntax would typically cause a syntax error or deprecation warning, not an 'undefined filter' error specific to a missing plugin. Option C is wrong because while FQCN is recommended for clarity, omitting it does not cause 'undefined filter' if the filter is correctly placed and the collection is in the search path; Ansible will still resolve short names if the collection is listed in the playbook's `collections` directive. Option D is wrong because a missing dependency in `galaxy.yml` affects installation of dependent collections, not the loading of a filter plugin within the same collection.

313
MCQ · medium

Your team maintains a collection that includes custom modules and plugins. You have been tasked with creating a content collection that adheres to the Red Hat Ansible Content Collection requirements. You have created the directory structure and written the collection code. Now you need to package the collection for distribution to your internal automation hub. You run 'ansible-galaxy collection build' and it completes successfully, generating a tarball. However, when you try to publish it to your private automation hub using 'ansible-galaxy collection publish', you get an authentication error. You have verified that your automation hub server URL and API token are correct. What is the most likely cause of the error?

A. The automation hub server is not reachable from your network.
B. The collection tarball is corrupted and needs to be rebuilt.
C. The collection contains a module that violates a content policy enforced by the hub.
D. The 'namespace' or 'name' in galaxy.yml does not match the namespace you are allowed to publish to on the automation hub.
Answer: D

Correct. The publish command checks if the token has permission to write to the specified namespace.

Why this answer

The authentication error despite correct server URL and API token indicates that the issue is not with credentials or connectivity, but with authorization. Ansible Automation Hub enforces namespace-based access control: the `namespace` field in `galaxy.yml` must match a namespace you are permitted to publish to. If the namespace does not match, the hub rejects the upload with an authentication/authorization error, even though the token itself is valid.

Exam trap

The trap here is that candidates assume any error during `publish` with a valid token must be a network or credential issue, overlooking the namespace authorization check that Ansible Automation Hub performs before allowing upload.

How to eliminate wrong answers

Option A is wrong because the user verified the server URL is correct, and a connectivity issue would typically produce a timeout or connection refused error, not an authentication error. Option B is wrong because the `ansible-galaxy collection build` command completed successfully, which includes integrity checks; a corrupted tarball would likely cause a build failure or a checksum mismatch during upload, not an authentication error. Option C is wrong because content policy violations (e.g., disallowed modules) would result in a policy rejection error message, not an authentication error — the hub would accept the token but refuse the content based on policy rules.

314
Multi-Select · medium

Which THREE files are commonly used when building an execution environment with ansible-builder?

Select 3 answers
A. bindep.txt
B. ansible.cfg
C. galaxy.yml
D. execution-environment.yml
E. requirements.txt
Answers: A, D, E

Lists system-level package dependencies.

Why this answer

Option A is correct because `bindep.txt` is one of the three files that `ansible-builder` uses by default to define system-level package dependencies (e.g., `libffi-devel`, `python3-devel`) that must be installed in the execution environment image. Along with `execution-environment.yml` (the main recipe file) and `requirements.txt` (Python package dependencies), `bindep.txt` is automatically consumed during the build process to ensure the container has the necessary OS packages.

Exam trap

Red Hat often tests the misconception that `ansible.cfg` is part of the execution environment build process, but it is only used at runtime by Ansible, not by `ansible-builder` to construct the container image.

315
MCQ · easy

An Ansible developer needs to use the `podman_container` module in a playbook. The module is part of the `containers.podman` collection. Which command must be run first to make the module available?

A. `ansible-galaxy install containers.podman`
B. `ansible-galaxy collection install containers.podman`
C. `ansible-galaxy collection search containers.podman`
D. `ansible-galaxy collection install containers.podman:1.0.0`
Answer: B

Installs the collection from Galaxy or Automation Hub.

Why this answer

The `podman_container` module is part of the `containers.podman` collection, which must be installed from Ansible Galaxy before it can be used in a playbook. The correct command is `ansible-galaxy collection install containers.podman`, which downloads and installs the collection into the local collections path, making all its modules and plugins available.

Exam trap

The trap here is that candidates may confuse `ansible-galaxy install` (for roles) with `ansible-galaxy collection install` (for collections), or mistakenly think that searching for a collection makes it available for use.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy install` is used for installing roles, not collections; collections require the `collection` subcommand. Option C is wrong because `ansible-galaxy collection search` only searches for collections in Galaxy but does not install them, so the module would remain unavailable. Option D is wrong because while it specifies a version (`1.0.0`), the question does not require a specific version; the generic install command is sufficient, and pinning an arbitrary version may cause compatibility issues or fail if that version does not exist.

316
MCQ · medium

An organization wants to include custom Python packages in their execution environment to support custom modules. Which method should be used to define these Python dependencies?

A. List them in the `galaxy-requirements.yml` file.
B. Use `ansible-navigator` to install them during runtime.
C. Create a `requirements.txt` file and reference it in the `execution-environment.yml` under `dependencies: python:`.
D. Add them to the `collection-requirements.yml` file.
Answer: C

Correct method to define Python dependencies for the execution environment build.

Why this answer

Option C is correct because the `execution-environment.yml` file supports a `dependencies` key with a `python` subkey that points to a `requirements.txt` file. This is the standard method defined by the Ansible Builder specification for including custom Python packages in an execution environment, ensuring they are installed during the build process.

Exam trap

The trap here is that candidates confuse the file used for Ansible collections (`galaxy-requirements.yml` or `collection-requirements.yml`) with the file used for Python dependencies, leading them to pick options A or D instead of recognizing the correct `execution-environment.yml` structure.

How to eliminate wrong answers

Option A is wrong because `galaxy-requirements.yml` is used to specify Ansible Galaxy content collections, not Python packages. Option B is wrong because `ansible-navigator` is a runtime tool for running execution environments, not for installing dependencies during the build; Python dependencies must be defined at build time. Option D is wrong because `collection-requirements.yml` is another name for a file that lists Ansible collections, not Python packages.

317
Multi-Select · easy

Which TWO statements about Ansible roles are correct?

Select 2 answers
A. Ansible roles follow a predefined directory structure.
B. Roles enforce an execution order for tasks based on file naming.
C. A role can only be included once in a playbook.
D. Roles cannot have dependencies on other roles.
E. Roles can be downloaded from Ansible Galaxy.
Answers: A, E

Roles require a specific directory layout (tasks, handlers, etc.).

Why this answer

Options A and C are correct. A: Roles can be shared via Ansible Galaxy. C: The directory structure is defined by Ansible.

B is wrong because roles do not enforce a specific order; tasks run in order of main.yml. D is wrong because roles can have dependencies defined in meta. E is wrong because roles can be used multiple times in a play.

318
Multi-Select · medium

Which TWO of the following are required in a valid Ansible collection directory structure?

Select 2 answers
A. `tests/` directory
B. `galaxy.yml` file
C. `docs/` directory
D. `plugins/` directory
E. `roles/` directory
Answers: B, D

Required metadata file for collections.

Why this answer

The `galaxy.yml` file is mandatory in a valid Ansible collection directory structure because it serves as the metadata file that defines the collection's name, version, author, and dependencies. Without this file, the collection cannot be properly built, published, or installed via `ansible-galaxy`. It is the equivalent of a package manifest for the collection.

Exam trap

The trap here is that candidates often assume `roles/` or `tests/` are mandatory because they are common in many collections, but the EX294 exam specifically tests the minimal required structure as defined by the Ansible documentation, which only mandates `galaxy.yml` and `plugins/`.

319
MCQ · easy

Refer to the exhibit. A playbook already includes the 'common' role in its roles list. The current role depends on 'common' with 'allow_duplicates: false'. How many times will the 'common' role run?

A. Once.
B. Not at all.
C. Depends on the order of roles.
D. Twice.
Answer: A

Because allow_duplicates: false prevents the role from running multiple times.

Why this answer

Option A is correct. With allow_duplicates: false, the dependency will not run again if the role is already listed in the playbook.

320
Multi-Select · hard

An organization has multiple automation controller clusters spread across different geographic regions. The security policy requires that job artifacts (such as logs and assets) must remain in the region where the job ran. Which THREE configurations support this requirement? (Choose exactly three.)

Select 3 answers
A. Disable the 'Enable remote logging' option in the controller configuration for each cluster.
B. Use a custom execution environment that writes artifacts to a network share.
C. Assign each cluster its own inventory and restrict node membership to that region's hosts.
D. Set the 'local' execution node for each cluster and configure the controller to store artifacts on the local filesystem.
E. Configure automation mesh to route jobs to the nearest execution node.
Answers: A, C, D

Remote logging would send logs to a central server, violating regional retention.

Why this answer

Option A is correct because disabling 'Enable remote logging' in the controller configuration ensures that job artifacts (logs, assets) are stored locally on the controller's filesystem rather than being forwarded to an external logging server. This directly enforces the regional data residency requirement by preventing artifacts from leaving the geographic region where the controller cluster resides.

Exam trap

Red Hat often tests the misconception that execution node placement alone (via automation mesh) guarantees data locality, but candidates forget that artifact storage configuration is a separate control that must be explicitly set.

321
MCQ · easy

A junior administrator needs to rotate the password for a database user stored in an Ansible Vault-encrypted file (secrets.yml). The current password is unknown to the admin, but they have the vault password file (vault-pass.txt). The admin wants to edit the file securely without exposing the decrypted content in the terminal history or logs. Which command should they run?

A. `ansible-vault edit --vault-password-file vault-pass.txt secrets.yml`
B. `ansible-vault decrypt --vault-password-file vault-pass.txt secrets.yml`
C. `ansible-vault rekey --vault-password-file vault-pass.txt secrets.yml`
D. `ansible-vault view --vault-password-file vault-pass.txt secrets.yml`
Answer: A

This command decrypts the file to a temporary file, opens an editor, and re-encrypts it when saved, minimizing exposure.

Why this answer

Option A is correct because `ansible-vault edit` decrypts the file to a temporary file, opens it in the default editor (e.g., vi), and upon saving, re-encrypts it transparently. This prevents the decrypted content from ever being written to the terminal history or logs, as the editing happens in a secure temporary location that is cleaned up after the editor closes.

Exam trap

The trap here is that candidates may confuse `edit` with `decrypt` (thinking they need to decrypt first, then edit, then re-encrypt), or they may think `rekey` is for changing the content, when in fact it only changes the vault encryption password.

How to eliminate wrong answers

Option B is wrong because `ansible-vault decrypt` permanently decrypts the file to plaintext on disk, which would expose the password in the filesystem and potentially in logs or history if the file is later read. Option C is wrong because `ansible-vault rekey` is used to change the vault password (encryption key) itself, not to edit the content of the encrypted file. Option D is wrong because `ansible-vault view` only displays the decrypted content to stdout (terminal), which would expose the password in the terminal output and potentially in scrollback or logs, without allowing any editing.

322
Multi-Select · hard

A system administrator is troubleshooting an execution environment that fails to build. The error indicates that a required collection cannot be found. Which THREE of the following actions could resolve the issue?

Select 3 answers
A. Verify that the collection is listed in the 'dependencies' section of the execution-environment.yml under 'galaxy'.
B. Add the collection to the 'additional_build_steps' section with a manual 'ansible-galaxy collection install' command.
C. Include the collection in the 'build_ignore' list to skip it.
D. Change the base image to one that includes the collection pre-installed.
E. Ensure that the collection is published to a configured Galaxy server and that authentication is correct.
Answers: A, D, E

Correct. The builder needs to know which collections to install.

Why this answer

Option A is correct because the 'dependencies' section under 'galaxy' in the execution-environment.yml file is the standard mechanism for declaring required Ansible collections. When the execution environment is built, ansible-builder reads this section and automatically installs the listed collections from the configured Galaxy server. If a required collection is missing, verifying its presence in this section ensures it will be included in the build.

Exam trap

Red Hat often tests the misconception that 'build_ignore' can be used to skip problematic collections, but in reality it only excludes files from the build context and does not affect dependency resolution.

323
Multi-Select · hard

Which THREE of the following are valid uses of the 'ansible.builtin.include_role' module?

Select 3 answers
A. Pass variables to the included role using the 'vars' keyword.
B. Include a role from a collection by specifying 'namespace.collection.role_name'.
C. Dynamically set the role name using a variable without the 'name' parameter.
D. Conditionally include a role based on a variable.
E. Apply tags to all tasks within the included role.
Answers: A, B, D

Variables can be passed to the role via the 'vars' parameter.

Why this answer

Option A is correct because the 'ansible.builtin.include_role' module supports the 'vars' keyword to pass variables directly to the included role. This allows you to override or supply role variables at the point of inclusion, which is a common pattern for reusing roles with different configurations.

Exam trap

The trap here is that candidates often confuse 'include_role' with 'import_role', assuming that tags applied to the include statement will automatically apply to all tasks inside the role, but in Ansible, tags on a dynamic include only affect the include task itself, not the included tasks.

324
MCQ · hard

Refer to the exhibit. Assuming the managed node is RHEL 7.9, what is the output of the debug task?

A. 7.9
B. An error
C. False
D. True
Answer: D

7.9 is greater than or equal to 7.8.

Why this answer

The debug task uses the `debug` module with `msg: "{{ ansible_distribution_version is version('7.9', '>=') }}"`. The `version` filter compares the string `'7.9'` (from `ansible_distribution_version`) against the string `'7.9'` using the `>=` operator. Since the managed node is RHEL 7.9, the comparison evaluates to `True`, so the debug module outputs `True`.

Exam trap

The trap here is that candidates may mistakenly think the `version` filter returns the version string itself (like `ansible_distribution_version`) or that a comparison of equal versions returns `False`, rather than understanding it performs a boolean comparison and outputs `True` when the condition is met.

How to eliminate wrong answers

Option A is wrong because `ansible_distribution_version` returns the version string (e.g., '7.9'), but the `version` filter does not output the version itself; it evaluates a comparison and returns a boolean. Option B is wrong because the `version` filter is a valid Jinja2 filter in Ansible and will not cause an error when used correctly with a version string and comparison operator. Option C is wrong because the comparison `'7.9' >= '7.9'` is true, not false, so the output cannot be `False`.

325
MCQ · hard

Ansible Builder fails during the build of an execution environment with error: 'No matching manifest for linux/amd64 in the manifest list entries'. What is the most likely cause?

A. The ansible-builder version is too old.
B. The definition file has invalid syntax.
C. The container registry requires authentication.
D. The base image specified is incompatible with the host architecture.
Answer: D

The error 'No matching manifest for linux/amd64' indicates the base image does not support the build host's architecture.

Why this answer

Option D is correct because the error 'No matching manifest for linux/amd64 in the manifest list entries' indicates that the base image specified in the execution environment definition file does not have a container image manifest for the host's CPU architecture (linux/amd64). Ansible Builder pulls the base image from a registry, and if that image only supports other architectures (e.g., linux/arm64), the build fails. This is a common issue when using a base image built for a different platform.

Exam trap

Red Hat often tests the misconception that registry authentication or syntax errors cause all build failures, but here the specific manifest list error is a clear indicator of an architecture mismatch, not a credential or syntax problem.

How to eliminate wrong answers

Option A is wrong because an outdated ansible-builder version would not cause this specific manifest mismatch error; it might cause other build failures or deprecation warnings, but the error is architecture-related. Option B is wrong because invalid syntax in the definition file typically results in YAML parsing errors or missing key errors, not a manifest list mismatch. Option C is wrong because registry authentication failures produce errors like 'unauthorized: authentication required' or 'denied: requested access to the resource is denied', not a manifest architecture mismatch.

326
Multi-Select · hard

An administrator needs to create a custom execution environment that includes a specific Ansible collection and a Python package. Which two steps are required to build and use the execution environment? (Choose two.)

Select 2 answers
A. Create a Dockerfile that installs the collection and package.
B. Define the execution environment in ansible.cfg.
C. Build the execution environment using ansible-builder.
D. Push the execution environment to a private container registry.
E. Create a requirements.yml file listing the collection.
Answers: C, E

Correct: ansible-builder builds a container image from the execution environment definition.

Why this answer

Options A and C are correct. Creating a requirements.yml with the collection (A) and then building the execution environment with ansible-builder (C) are required. Option B is not needed because ansible-builder uses a definition file, not a Dockerfile directly.

Option D is optional for sharing but not required to use locally. Option E is wrong because execution environment is configured in ansible-navigator config, not ansible.cfg.

327
Matching · medium

Match each storage concept to its description.

Concepts
Matches

Logical Volume Manager for flexible storage

Redundant array of independent disks

Default Linux filesystem (journaling)

High-performance 64-bit filesystem

Virtual memory on disk

Why these pairings

Common storage technologies in RHEL.

328
MCQ · easy

You are managing a web application deployment using Ansible. The application requires a specific version of a library (libapp) to be installed on all web servers. Your current playbook uses the role 'web' which includes a task to install libapp version 1.2. However, after a recent update, the role's defaults now specify libapp version 2.0, but you must keep version 1.2 for compatibility. You have defined a variable 'lib_version' in the playbook's vars section with value '1.2'. The role's task uses the variable 'libapp_version' (not 'lib_version'). The play fails because 'libapp_version' is undefined. What is the best way to resolve this issue without modifying the role?

A. Modify the role's defaults/main.yml to set libapp_version to 1.2.
B. Use the playbook to set libapp_version as a variable for the role: either in the play vars section or by passing it as a role parameter.
C. Rename your playbook variable from lib_version to libapp_version in the play vars.
D. Create a file roles/web/vars/main.yml with libapp_version: 1.2.
Answer: B

You can set libapp_version in the play's vars or as a role parameter without modifying the role.

Why this answer

Option B is correct because it allows you to set the variable `libapp_version` that the role expects without modifying the role itself. By defining `libapp_version` in the playbook's vars section or passing it as a role parameter, you override the role's default value (2.0) with the required version 1.2, ensuring the task uses the correct library version while preserving role integrity.

Exam trap

The trap here is that candidates may confuse variable names (lib_version vs libapp_version) and attempt to rename variables or modify role defaults, rather than understanding that the correct solution is to set the exact variable expected by the role at the playbook level.

How to eliminate wrong answers

Option A is wrong because modifying the role's defaults/main.yml directly changes the role, which violates the requirement to not modify the role. Option C is wrong because renaming the playbook variable from `lib_version` to `libapp_version` does not address the issue; the role's task uses `libapp_version`, and simply renaming the variable in the playbook's vars section would still leave `libapp_version` undefined unless the variable is explicitly set. Option D is wrong because creating a file roles/web/vars/main.yml modifies the role's internal structure, which is not allowed per the requirement to not modify the role.

329
MCQ · hard

A security team requires that all passwords in an Ansible vault be encrypted with a different key from the host variables. They want to use a custom lookup plugin that fetches secrets from an external API. Which plugin type should be developed?

A. Lookup plugin
B. Module
C. Action plugin
D. Filter plugin
Answer: A

Lookup plugins are the correct way to fetch data from external sources like APIs.

Why this answer

A lookup plugin is the correct choice because it is designed to retrieve data from external sources (like an API) and return it as a string or list for use in Ansible playbooks. This aligns with the requirement to fetch secrets from an external API, and lookup plugins can be used directly in variables or templates without modifying the host state.

Exam trap

The trap here is that candidates often confuse lookup plugins with modules, thinking that any external interaction requires a module, but modules are for remote host actions, while lookups are for controller-side data retrieval.

How to eliminate wrong answers

Option B (Module) is wrong because modules are used to perform actions on remote hosts (e.g., install packages, manage services), not to fetch data from external APIs for use in variables. Option C (Action plugin) is wrong because action plugins execute on the controller and are typically used to implement complex module behavior or conditional logic, not for simple data retrieval like a lookup. Option D (Filter plugin) is wrong because filter plugins transform data within Jinja2 templates (e.g., format strings, manipulate lists), not fetch data from external sources.

330
MCQ · medium

A team is using Ansible Tower with multiple credentials per job template. The playbook uses the 'become' method to escalate privileges on remote hosts. The become password is different from the SSH password. Which configuration ensures the become password is used?

A. Provide both the SSH password and become password in the machine credential.
B. Use a vault credential to store the become password.
C. Use two separate credentials (one for SSH, one for become) and assign both to the job template.
D. Store the become password in inventory variables.
Answer: A

Machine credentials support both SSH and become authentication fields.

Why this answer

In Ansible Tower, when a job template uses multiple credentials, the machine credential is the primary credential for SSH authentication. To use a different become password, you must provide both the SSH password and the become password within the same machine credential. This is because the machine credential has dedicated fields for 'Password' (SSH) and 'Become Password' (privilege escalation), and Tower automatically uses the become password from that credential when the playbook invokes 'become: yes'.

Exam trap

The trap here is that candidates assume you can use separate credentials for SSH and become passwords, but Tower requires both passwords to be bundled in the same machine credential because the become password is a field within that credential type, not a separate credential object.

How to eliminate wrong answers

Option B is wrong because a vault credential is used to store encrypted secrets (like passwords) that are decrypted at runtime, but it does not directly supply the become password to the 'become' mechanism; the become password must be explicitly provided in the machine credential or via a separate credential type. Option C is wrong because Tower does not support assigning two separate machine credentials to a single job template; you can assign multiple credentials of different types, but for SSH and become passwords, both must reside in the same machine credential. Option D is wrong because storing the become password in inventory variables is insecure and not the intended method; Tower expects the become password to be defined in the credential, not in inventory, and using variables would bypass credential management and auditing.

331
MCQ · medium

An Ansible automation controller job template uses a custom credential type that requires a secret token. The token is stored as an extra variable in the job template definition. A security audit reveals the token is visible in plaintext in the job output. Which action should the administrator take to secure the secret?

A. Define the variable in the job template's 'extra variables' field with 'no_log: true' set in the playbook for that variable.
B. Vault-encrypt the variable in the playbook and reference it with {{ vault_var }}.
C. Create a custom credential type that injects the token as an environment variable, and remove the extra variable from the job template.
D. Store the token in a file on the controller with 600 permissions and use 'lookup' in the playbook.
Answer: A

Setting no_log on the variable prevents it from being displayed in logs and job output, meeting the security requirement.

Why this answer

Option A is correct because setting `no_log: true` on the variable in the playbook prevents Ansible from printing the value of that variable in any output, including job logs. This is the standard method to hide sensitive data like tokens when they are passed as extra variables, as it works at the task level to suppress logging of the variable's content.

Exam trap

The trap here is that candidates often assume vault encryption alone hides secrets in output, but vault only encrypts at rest; Ansible decrypts at runtime and the plaintext can still appear in logs unless `no_log` is explicitly set.

How to eliminate wrong answers

Option B is wrong because vault-encrypting the variable in the playbook only protects the data at rest; when the playbook runs, Ansible decrypts it and the plaintext value can still appear in job output unless `no_log` is also used. Option C is wrong because while injecting the token as an environment variable via a custom credential type is a secure practice, the question states the token is already stored as an extra variable; the correct action to secure the existing setup is to use `no_log`, not to redesign the credential type. Option D is wrong because storing the token in a file with 600 permissions and using `lookup` does not prevent the token from being displayed in job output; the `lookup` plugin reads the file and the value can still be logged unless `no_log` is applied.

332
MCQ · hard

A systems administrator is deploying Ansible Automation Platform 2.4 using the provided setup script. The installation fails with the error shown in the exhibit. Based on the exhibit, what is the most likely cause of the failure?

A. The installer requires a local PostgreSQL database; using a remote database is not supported.
B. The database password specified in setup.sh does not match the actual PostgreSQL password.
C. SELinux is blocking the ansible-navigator process from reaching the database.
D. The PostgreSQL service is not running on the database server.
Answer: D

The error 'Connection refused' indicates the PostgreSQL server is not listening on the specified host/port.

Why this answer

The error exhibit indicates that the installer cannot connect to the PostgreSQL database. The most common cause of this failure is that the PostgreSQL service is not running on the database server, preventing the Ansible Automation Platform setup script from establishing a connection. Without the database service active, the installer cannot proceed with the deployment.

Exam trap

The trap here is that candidates may assume a database password mismatch (Option B) is the issue, but the error message clearly indicates a connection failure rather than an authentication failure, which is a common confusion in database connectivity troubleshooting.

How to eliminate wrong answers

Option A is wrong because Ansible Automation Platform 2.4 supports both local and remote PostgreSQL databases; the setup script allows specifying a remote database host. Option B is wrong because a password mismatch would produce an authentication error (e.g., 'password authentication failed'), not a connection timeout or 'could not connect to server' error. Option C is wrong because SELinux blocking would typically manifest as a permission denied error on socket files or port access, not a generic connection failure to the database server; also, the error message does not reference SELinux denials.

333
Multi-Select · medium

Which THREE directives can be used to modify loop behavior in Ansible?

Select 3 answers
A. ignore_errors
B. loop_control
C. when
D. rescue
E. always
Answers: A, B, C

ignore_errors causes Ansible to continue to the next item even if the current one fails.

Why this answer

`loop_control` provides advanced loop features like `index_var` and `label`. `when` can conditionally skip items in a loop. `ignore_errors` can continue execution on failed items within a loop.

334
MCQ · medium

An Ansible playbook is used to generate configuration files for network devices. The variables are defined in a vars file like:

```yaml
---
interfaces:
  - name: GigabitEthernet1
    ip: 192.168.1.1/24
  - name: GigabitEthernet2
    ip: 10.0.0.1/24
```

The playbook uses a Jinja2 template to render the config. The template iterates over interfaces and writes "ip address" lines. However, the designer wants to support an additional field "secondary_ips" which is a list of IP addresses (e.g., ["192.168.2.1/24", "192.168.3.1/24"]). In the template, they want to generate multiple "ip address" lines for each interface, one for the primary IP and one for each secondary IP. The following template fragment is used:

```jinja
{% for iface in interfaces %}
interface {{ iface.name }}
ip address {{ iface.ip }}
{% for sec in iface.secondary_ips|default([]) %}
ip address {{ sec }}
{% endfor %}
{% endfor %}
```

This works when secondary_ips is defined. However, some interfaces have secondary_ips defined as a string (e.g., "192.168.2.1/24") instead of a list. The playbook fails because the inner loop tries to iterate over a string. The engineer wants to normalize the data in the playbook before passing to the template, so that secondary_ips is always a list. Which of the following set_fact tasks will correctly transform the interfaces list to ensure secondary_ips is always a list (even if missing or a string)?

A. `- set_fact: interfaces: "{{ interfaces | map('combine', {'secondary_ips': item.secondary_ips | default([]) | split(',') if item.secondary_ips is defined and item.secondary_ips is string else item.secondary_ips | default([])}) }}" loop: "{{ interfaces }}"`
B. `- set_fact: interfaces: "{{ interfaces | map('combine', {'secondary_ips': [item.secondary_ips | default('')] | flatten }) }}" loop: "{{ interfaces }}"`
C. `- set_fact: interfaces: "{{ interfaces | map('combine', {'secondary_ips': item.secondary_ips | default([]) | string | split(',') | list}) }}" loop: "{{ interfaces }}"`
D. `- set_fact: interfaces: "{{ interfaces | map('combine', {'secondary_ips': (item.secondary_ips is undefined or item.secondary_ips is none) | ternary([], (item.secondary_ips is string) | ternary(item.secondary_ips | split(','), item.secondary_ips))}) }}" loop: "{{ interfaces }}"`
Answer: D

Correctly handles undefined, string, and list cases.

Why this answer

Option D correctly uses the `ternary` filter to handle three cases: when `secondary_ips` is undefined or None (returns an empty list), when it is a string (splits it into a list), and when it is already a list (returns it unchanged). This ensures the template always receives a list for iteration, preventing the 'iteration over string' error.

Exam trap

The trap here is that candidates often try to use `default([])` or `split` without handling the case where the variable is already a list, leading to nested lists or string conversion errors, while the correct approach uses `ternary` to conditionally apply transformations based on the data type.

How to eliminate wrong answers

Option A is wrong because `split(',')` on a string like '192.168.2.1/24' would produce a list with one element, but the conditional logic is flawed: it uses `item.secondary_ips | default([]) | split(',')` which fails when `secondary_ips` is undefined (default returns an empty list, and `split` on a list causes an error). Option B is wrong because `[item.secondary_ips | default('')] | flatten` wraps a string in a list, but if `secondary_ips` is already a list, it nests it (e.g., `[['192.168.2.1/24']]`), and if undefined, it creates `['']` (a list with an empty string), both of which break the template. Option C is wrong because `| string` converts a list to a string representation (e.g., `['192.168.2.1/24']` becomes `['192.168.2.1/24']` as a string), then `split(',')` splits that string incorrectly, producing malformed IP entries.

335
MCQ · easy

An administrator needs to provide a set of credentials to a job template that requires a machine credential for SSH and a source control credential for the project. What is the correct way to associate these credentials?

A. Define the source control token in the playbook using the 'set_fact' module
B. Create a single credential that includes both SSH key and source control token
C. Store the source control token as an extra variable in the job template
D. Assign both a machine credential and a source control credential to the job template
Answer: D

Job templates can have multiple credentials of different types.

Why this answer

Option D is correct because Ansible Tower/AWX allows multiple credentials of different types to be assigned to a single job template. A machine credential handles SSH authentication for target hosts, while a source control credential manages authentication for the project repository (e.g., Git). This separation follows Ansible's modular credential design, where each credential type serves a distinct purpose and can be independently managed.

Exam trap

The trap here is that candidates think a single credential must contain all authentication data, but Ansible Tower explicitly separates credential types by function, and a job template can accept multiple credentials of different types simultaneously.

How to eliminate wrong answers

Option A is wrong because the 'set_fact' module sets variables at runtime within a playbook, not credentials; source control tokens must be stored securely in a credential type, not hardcoded in playbooks. Option B is wrong because Ansible Tower does not support a single credential that combines SSH and source control tokens; credentials are typed (machine, source control, vault, etc.) and cannot be merged. Option C is wrong because extra variables are not designed for sensitive credentials; they are visible in job runs and logs, whereas source control tokens should be stored in a dedicated credential type with encryption.

336
MCQ · hard

A developer wants to reuse a set of tasks that conditionally include other task files based on variables defined per host. Which method should be used to ensure the included tasks are evaluated per host at runtime?

A. include_tasks
B. include_role
C. import_role
D. import_tasks
Answer: A

include_tasks is dynamic and evaluates per host at runtime.

Why this answer

Option C (include_tasks) is correct because it is dynamic and evaluated per host at runtime. Option A (import_tasks) is static and evaluated at parse time. Options B and D are also static imports for roles.

337
MCQ · hard

An organization has multiple Ansible Tower projects that use different cloud providers. The security team mandates that cloud API credentials stored in Tower must have restricted access and be reusable across job templates without exposing the secret key. Which credential type and organization strategy best meets these requirements?

A. Use a network credential to store the API token and assign it to the project.
B. Create separate custom credential types for each cloud provider, marking the secret key fields as 'password' type, and add them to each job template as needed.
C. Create a single custom credential type that includes both cloud provider API keys and reuse it across all projects.
D. Use a machine credential for each cloud provider and set the SSH key as the API secret.
Answer: B

Custom credential types with password fields provide secure, reusable credentials.

Why this answer

Option B is correct because Ansible Tower's custom credential types allow you to define fields with the 'password' type, which encrypts the secret key and hides it from view after entry. By creating separate custom credential types for each cloud provider, you can assign them to specific job templates, ensuring restricted access and reusability without exposing the secret key. This approach meets the security mandate by isolating credentials per provider and leveraging Tower's built-in encryption for sensitive fields.

Exam trap

The trap here is that candidates may confuse credential types (e.g., network, machine) with their intended use cases, or assume a single shared credential is more efficient, overlooking the security requirement for restricted access and separation of concerns per cloud provider.

How to eliminate wrong answers

Option A is wrong because network credentials are designed for network device authentication (e.g., SNMP, SSH), not for storing cloud API tokens, and they do not support custom fields for API secrets. Option C is wrong because a single custom credential type for all cloud providers would violate the principle of least privilege, as it would expose all API keys to any job template using that credential, increasing the risk of unauthorized access. Option D is wrong because machine credentials are intended for SSH key-based authentication to managed hosts, not for cloud API secrets, and using an SSH key field for an API secret would be a misuse of the credential type, potentially causing authentication failures.

338
MCQ · medium

Your team uses ansible-pull to manage configuration of a large number of remote nodes. Each node is configured to pull the latest playbook from a Git repository every 30 minutes. Recently, some nodes started reporting 'ERROR! the role 'base' was not found'. The playbook depends on roles from a requirements.yml file that is stored in the same repository. The ansible-pull command on each node uses the default roles path (~/.ansible/roles). The Git repository contains the requirements.yml file but does not contain the actual role directories. What is the most likely cause and solution?

A. Run ansible-galaxy install on the control node and distribute the roles via a separate channel.
B. Add the role directories directly to the Git repository and modify the playbook to reference them with a relative path.
C. Add a pre_task to the playbook that runs 'ansible-galaxy install -r requirements.yml' before the roles are used.
D. Set the 'roles_path' in ansible.cfg on each node to include the repository's roles directory.
Answer: C

Correct: This ensures roles are installed from Galaxy during the pull execution.

Why this answer

Option C is correct because ansible-pull does not automatically install roles from requirements.yml; the playbook should include a pre_task that runs 'ansible-galaxy install -r requirements.yml' before using the roles. Option A is incorrect because the roles are already in the repository? No, they are not. Option B is incorrect because ansible-pull does not use a local roles path by default; the issue is missing installation.

Option D is incorrect because the control node is not involved in ansible-pull.

339
Multi-Select · medium

An operations team is planning a rolling update of a production OpenShift cluster running Red Hat Enterprise Linux CoreOS nodes. Which three practices should be followed to ensure minimal downtime and proper rollback capability?

Select 3 answers
A.Use canary nodes to validate the update before full rollout.
B.Monitor cluster health via `oc get clusterversion` after each node update.
C.Use the `oc adm update` command to orchestrate updates across nodes.
D.Configure a maximum surge of 25% to prevent resource exhaustion.
E.Place nodes in the same Availability Zone to simplify rollback.
AnswersA, C, D

Canary nodes help detect issues early, supporting rollback decisions.

Why this answer

Option A is correct because `oc adm update` is the standard command for orchestrating updates. Option C is correct because a maximum surge of 25% prevents resource exhaustion and ensures controlled rollout. Option E is correct because canary nodes allow validation before full rollout.

Option B is wrong because placing nodes in the same AZ is not necessary and may reduce resilience. Option D is wrong because, while monitoring is important, it is not a rolling update practice for minimizing downtime or rollback capability.

340
MCQeasy

An administrator wants to ensure a role's tasks are executed only on certain hosts. Which approach should they use?

A.Set host_vars for each target host
B.Set group_vars for the target group
C.Use a 'when' condition in the role's tasks
D.Use tags on the role
AnswerC

A when condition can evaluate inventory or fact data to determine if a task runs on a particular host.

Why this answer

Using the 'when' condition inside the role's tasks allows the administrator to control execution based on host facts or variables. Other options like host_vars or group_vars define variables but do not directly control task execution conditions.

341
MCQeasy

A team runs the playbook shown in the exhibit. They notice that during the update, some requests are still being sent to servers that have been disabled. What is the most likely cause?

A.The disable task should use 'state: maintenance' instead of 'state: disabled'.
B.The 'serial: 2' setting allows two hosts to be disabled simultaneously, and the load balancer may not have drained connections.
C.The 'delegate_to' should be set to localhost, not lb01.
D.The 'serial' keyword is incorrectly used as a global variable.
AnswerB

With serial:2, both hosts are disabled at once, potentially causing connection issues.

Why this answer

Option B is correct because the `serial: 2` setting causes Ansible to update two hosts at a time. When a host is disabled in the load balancer, existing connections may not be fully drained before the next batch of hosts is updated, allowing traffic to still reach disabled servers. The load balancer needs time to drain active sessions, and a serial batch of 2 can overlap with that drain window.

Exam trap

Red Hat often tests the misconception that `serial` only controls parallelism and has no impact on load balancer connection draining, leading candidates to overlook the need for synchronization between disabling hosts and allowing connections to drain.

How to eliminate wrong answers

Option A is wrong because `state: disabled` is the correct parameter to mark a backend server as disabled in a load balancer module like `nginx` or `haproxy`; `state: maintenance` is not a valid state in standard Ansible load balancer modules. Option C is wrong because `delegate_to: lb01` is appropriate for running the disable task on the load balancer host; setting it to localhost would run the task on the control node, which would not affect the actual load balancer. Option D is wrong because `serial` is a valid play-level keyword that controls batch size, not a global variable; it is correctly used in the playbook to define rolling update behavior.

342
MCQhard

You are responsible for managing a large fleet of web servers running Red Hat Enterprise Linux 8. You have an Ansible playbook that deploys a custom web application. The playbook uses several roles from Ansible Galaxy and includes tasks that require root privileges. Recently, users reported that the deployment fails intermittently with the error 'Timeout (12s) waiting for privilege escalation prompt'. You suspect that the issue is related to the become method and the SSH connection. The current inventory uses 'ansible_user: deploy' and 'ansible_become: yes' with default settings. The 'deploy' user has sudo privileges with NOPASSWD for all commands. However, the timeout occurs only on high-latency connections. Which change would most effectively resolve the timeout issue?

A.Increase 'forks' to 20 to run more tasks in parallel.
B.Enable pipelining by setting 'pipelining = True' in ansible.cfg.
C.Set 'ansible_become_password' in the inventory.
D.Increase the 'timeout' setting in ansible.cfg to 30 seconds.
AnswerD

Correct: Increasing the timeout allows more time for the privilege escalation prompt on slow connections.

Why this answer

Option C is correct because increasing the 'timeout' parameter in ansible.cfg (or setting ANSIBLE_TIMEOUT) gives more time for privilege escalation prompts on slow connections. Option A is incorrect because SSH pipelining can reduce round trips but does not directly address the timeout. Option B is incorrect because parallel execution increases load and may exacerbate timeouts.

Option D is incorrect because the error indicates a privilege escalation timeout, not a missing password.

343
Multi-Selectmedium

Which TWO statements about machine credentials in Ansible Tower are correct? (Choose two.)

Select 2 answers
A.Machine credentials can specify a 'become_method' for privilege escalation.
B.Machine credentials can use an SSH private key for authentication.
C.The SSH private key file automatically includes privilege escalation settings.
D.The username field is optional when using an SSH key.
E.SSH key credentials require a password field to be filled in.
AnswersA, B

Become method (e.g., sudo) is configurable.

Why this answer

Option A is correct because Ansible Tower machine credentials include a 'Become Method' field that allows you to specify privilege escalation methods such as 'sudo', 'su', 'pbrun', or 'pfexec'. This setting is used by Ansible to escalate privileges on the target machine after the initial SSH connection is established, enabling tasks that require higher-level permissions.

Exam trap

The trap here is that candidates often assume the SSH private key file inherently includes privilege escalation settings, or that the username is optional when using SSH keys, but Ansible Tower strictly requires a username and treats privilege escalation as a separate configuration field.

344
MCQeasy

An administrator needs to securely store a database password used across multiple roles in a shared repository. Which approach is recommended?

A.Use ansible-vault to encrypt the password string and store it in a file, then include_vars.
B.Use a lookup plugin to fetch from a secrets manager.
C.Store the password in an environment variable on the controller.
D.Hardcode the password in the playbook and use .gitignore.
AnswerA

ansible-vault is the standard way to encrypt sensitive data.

Why this answer

Option A is correct because ansible-vault encrypts the variable and can be decrypted at runtime. Option B is insecure. Option C is not portable.

Option D is valid but not covered in core RHCE.

345
MCQmedium

An organization's execution environment must include a custom RPM that is not in the default base image. How should this be added in the execution-environment.yml?

A.Add the RPM to the 'dependencies' section under 'system'.
B.Add the RPM to the 'dependencies' section under 'python'.
C.Use a 'prepended_base' directive.
D.Use a custom base image that includes the RPM.
AnswerA

System RPMs are declared under 'system'.

Why this answer

In an execution-environment.yml file, custom RPM packages that are not part of the default base image must be listed under the 'dependencies' section with the 'system' key. This instructs ansible-builder to install those RPMs using the system package manager (e.g., dnf or yum) during the build process, ensuring the execution environment includes the required system-level libraries or tools.

Exam trap

The trap here is that candidates often confuse the 'system' and 'python' dependency sections, mistakenly thinking RPMs can be added under 'python' because both are under 'dependencies', but 'python' is strictly for pip-installable packages.

How to eliminate wrong answers

Option B is wrong because the 'python' key under 'dependencies' is used for Python packages (e.g., pip install), not for RPM packages. Option C is wrong because there is no 'prepended_base' directive in execution-environment.yml; the correct way to modify the base image is through the 'base_image' field or by adding dependencies. Option D is wrong because while using a custom base image that includes the RPM is a valid approach, the question specifically asks how to add it in the execution-environment.yml file, and the correct method is to list it under 'dependencies: system' rather than building a separate custom base image.

346
MCQhard

An operations team is designing a rolling update for a stateful application that requires quorum (minimum 3 out of 5 nodes online). They plan to use Ansible's serial keyword. Which serial value ensures the update proceeds without breaking quorum while still being efficient?

A.serial: 2
B.serial: 1
C.serial: 3
D.serial: 5
AnswerA

Updating 2 nodes leaves 3 online, maintaining quorum, and is efficient.

Why this answer

Option A is correct because setting serial: 2 ensures that only 2 nodes are taken down at a time during the rolling update. With a quorum requirement of 3 out of 5 nodes, taking down 2 nodes leaves 3 online, maintaining quorum. This is the most efficient value that does not risk breaking quorum.

Exam trap

The trap here is that candidates may confuse 'quorum' with 'majority' and incorrectly choose serial: 3, thinking that 3 out of 5 is a majority, but fail to realize that taking down 3 nodes leaves only 2 online, which is below the quorum threshold of 3.

How to eliminate wrong answers

Option B is wrong because serial: 1 would take down only 1 node at a time, which is safe but less efficient than serial: 2 since it increases the total update time. Option C is wrong because serial: 3 would take down 3 nodes at once, leaving only 2 online, which breaks the quorum requirement of 3 out of 5 nodes. Option D is wrong because serial: 5 would take down all 5 nodes simultaneously, completely breaking quorum and causing the application to fail.

347
MCQmedium

You have an Ansible playbook that uses the 'lineinfile' module to manage the /etc/ssh/sshd_config file. The playbook runs without errors, but after execution, the SSH service becomes unreachable on some hosts. Investigation reveals that the file contains duplicate lines for 'Port 22' and 'PermitRootLogin no'. The playbook uses the following task:

```yaml
- name: Ensure SSH settings
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^{{ item.key }}"
    line: "{{ item.key }} {{ item.value }}"
  loop:
    - { key: 'Port', value: '22' }
    - { key: 'PermitRootLogin', value: 'no' }
```

The playbook is run multiple times. What is the most likely cause of the duplicate lines?

A.The regexp pattern does not match the existing lines exactly, causing new lines to be added instead of replacing.
B.The 'lineinfile' module is not idempotent when used with loops.
C.The loop should use 'with_items' instead of 'loop' for proper idempotence.
D.The 'line' parameter should use backreferences to avoid duplication.
AnswerA

If the line has leading spaces or is not at the start, it may not match.

Why this answer

Option A is correct because the regexp pattern `^{{ item.key }}` matches only the start of a line (e.g., `^Port` or `^PermitRootLogin`), but the existing lines in `/etc/ssh/sshd_config` may have leading spaces or tabs (common in SSH config files). Since the regex does not match the actual line due to whitespace, the `lineinfile` module inserts a new line instead of replacing the existing one. Each playbook run adds another duplicate, eventually causing SSH to fail due to conflicting directives.

Exam trap

The trap here is that candidates assume `regexp` with `^` will match any line starting with the key, but they overlook that SSH config files often have leading whitespace, causing the module to add duplicate lines instead of replacing.

How to eliminate wrong answers

Option B is wrong because the `lineinfile` module is inherently idempotent when used correctly; the issue is not with loops but with the regexp pattern failing to match. Option C is wrong because `loop` and `with_items` are functionally equivalent in modern Ansible (both are converted to the same internal structure), so switching to `with_items` would not fix the regexp mismatch. Option D is wrong because backreferences are used in `regexp` to capture and reuse parts of the matched line, but the problem here is that the regexp does not match at all due to whitespace; backreferences would not help if the pattern fails to match.

348
MCQmedium

An OpenShift deployment is stuck in a degraded state after a rolling update. Which command helps diagnose the root cause by showing status conditions?

A.oc rollout history
B.oc get pods
C.oc logs deployment/myapp
D.oc get events
E.oc describe deployment/myapp
AnswerE

Describes the deployment and shows status conditions like Progressing and Available.

Why this answer

Option E is correct because `oc describe deployment/myapp` displays the full status conditions of the Deployment, including `Progressing`, `Available`, and `ReplicaFailure` conditions. When a rolling update leaves the Deployment in a degraded state, the `Conditions` field under `Status` explicitly shows the reason (e.g., `ProgressDeadlineExceeded` or `MinimumReplicasUnavailable`), which directly points to the root cause of the degradation.

Exam trap

The trap here is that candidates often reach for `oc logs` or `oc get events` to debug failures, but the exam specifically tests whether you know that `oc describe` on the Deployment resource reveals the structured status conditions that define the degraded state.

How to eliminate wrong answers

Option A is wrong because `oc rollout history` only shows revision history and change causes, not current status conditions or degradation reasons. Option B is wrong because `oc get pods` lists pod statuses but does not aggregate Deployment-level conditions or explain why the update failed. Option C is wrong because `oc logs deployment/myapp` is invalid syntax (logs are retrieved from pods, not deployments) and would not show Deployment status conditions.

Option D is wrong because `oc get events` shows cluster events but does not present the structured status conditions of a specific Deployment resource.

349
MCQmedium

There are 5 hosts in the webservers group. All updates succeed on the first batch of 2 hosts. On the second batch, one host fails. What is the result?

A.The play retries the failed host automatically.
B.The play marks the host as failed and continues with the next batch.
C.The play continues with the remaining 1 host in the third batch.
D.The play aborts due to max_fail_percentage being exceeded.
E.The play aborts immediately after the failure.
AnswerD

With max_fail_percentage: 0, any failure causes the play to abort.

Why this answer

The play defines a rolling update with a batch size of 2 and a max_fail_percentage of 20%. With 5 hosts total, 20% of 5 is 1, so only 1 failure is allowed. When the second batch has 1 failure, the cumulative failure count reaches 1, which equals the threshold, causing the play to abort.

This is why option D is correct.

Exam trap

Red Hat often tests the misconception that max_fail_percentage applies per batch rather than cumulatively across all hosts, leading candidates to incorrectly choose options that suggest the play continues with remaining batches.

How to eliminate wrong answers

Option A is wrong because Ansible does not automatically retry failed hosts in a rolling update; retries must be explicitly configured via the 'retries' parameter on the task or play. Option B is wrong because the play does not mark the host as failed and continue with the next batch; the max_fail_percentage check occurs after each batch, and exceeding it aborts the entire play. Option C is wrong because the play does not continue with the remaining 1 host in the third batch; the failure in the second batch already triggers the abort condition.

Option E is wrong because the play does not abort immediately after the failure; it completes the current batch of 2 hosts, then evaluates the cumulative failure count against max_fail_percentage before deciding to abort.

350
MCQhard

Refer to the exhibit. The playbook fails with an error about the package list. What is the issue?

A.The variable 'packages' is not accessible because it is defined in a vars_file.
B.The variable 'packages' is being converted to a string by the Jinja2 template, resulting in a list literal string.
C.The 'yum' module requires the 'name' parameter to be a comma-separated string, not a list.
D.The 'yum' module should use 'pkg' instead of 'name'.
AnswerB

Using "{{ packages }}" produces a string representation of the list. The correct approach is to use `name: "{{ item }}"` with a loop or pass the list directly without quotes.

Why this answer

The yum module expects a list of strings or a comma-separated string. The variable 'packages' is a list, but when used with 'name: "{{ packages }}"', Jinja2 converts it to a string representation like "['httpd', 'mariadb-server', 'php']". The yum module does not accept that format; it needs a proper list or comma-separated string.

351
Multi-Selectmedium

Which TWO statements about Ansible roles are true?

Select 2 answers
A.A role can include tasks, handlers, variables, templates, and files.
B.Roles are defined directly inside a playbook using the 'roles' keyword.
C.Roles can be reused across multiple playbooks.
D.Roles can only be invoked using the 'include_role' module.
E.Variables defined in a role's vars/main.yml cannot be overridden by playbook variables.
AnswersA, C

Roles organize these components in a standard structure.

Why this answer

Option A is correct because Ansible roles are designed to organize automation content into a standardized directory structure that can include tasks, handlers, variables, templates, and files. This modular structure allows for better code reuse and maintainability, as each component is stored in its own subdirectory within the role.

Exam trap

Red Hat often tests the misconception that roles can only be invoked via 'include_role' or that role variables cannot be overridden, but in reality, roles support both static and dynamic inclusion, and vars/main.yml variables are overridable by higher-precedence variables like playbook vars.

352
MCQeasy

Refer to the exhibit. A playbook fails with the given error. What is the most likely cause?

A.The playbook syntax is wrong.
B.The vault password file is missing or incorrect.
C.The inventory file is encrypted.
D.The remote host is unreachable.
AnswerB

This error means no vault secrets were found to decrypt the file.

Why this answer

The error indicates that Ansible cannot locate vault secrets. This typically happens when the vault password file is missing or incorrect. Options B, C, and D produce different error messages.

353
MCQmedium

A playbook has a dictionary `config` that maps service names to ports. The team wants to iterate over both keys and values in a task. Which filter should be used to convert the dictionary into a list of key-value pairs?

A.dict2items
B.items2dict
C.flatten
D.json_query
AnswerA

Transforms dict to list of {key:..., value:...}.

Why this answer

The `dict2items` filter is the correct choice because it converts a dictionary into a list of key-value pairs, each represented as a dictionary with `key` and `value` keys. This is the standard Ansible filter for iterating over both keys and values in a `loop` within a task, enabling access to `item.key` and `item.value`.

Exam trap

The trap here is that candidates often confuse `dict2items` with `items2dict` due to their similar names, or mistakenly think `flatten` or `json_query` can perform the conversion, when only `dict2items` is designed for this specific transformation.

How to eliminate wrong answers

Option B is wrong because `items2dict` performs the inverse operation, converting a list of key-value pairs back into a dictionary, not converting a dictionary into a list. Option C is wrong because `flatten` is used to reduce nested lists into a single flat list, not to transform dictionaries into key-value pair lists. Option D is wrong because `json_query` is a filter for querying JSON data using JMESPath expressions, not for converting dictionaries to a list of key-value pairs.

354
MCQeasy

You need to run an Ansible playbook every hour to update a dynamic inventory file from a CMDB API. The playbook is stored in /opt/ansible/update_inventory.yml. You want to schedule the execution using a cron job on the control node. The control node runs Red Hat Enterprise Linux 9. The playbook uses Ansible Vault to decrypt API credentials, and the vault password is stored in /etc/ansible/.vault_pass. Which cron entry will execute the playbook hourly?

A.0 * * * * /usr/bin/ansible-playbook --vault-password-file ~/.vault_pass /opt/ansible/update_inventory.yml
B.* * * * * /usr/bin/ansible-playbook --vault-password-file /etc/ansible/.vault_pass /opt/ansible/update_inventory.yml
C.0 * * * * /usr/bin/ansible --vault-password-file /etc/ansible/.vault_pass /opt/ansible/update_inventory.yml
D.0 * * * * /usr/bin/ansible-playbook --vault-password-file /etc/ansible/.vault_pass /opt/ansible/update_inventory.yml
AnswerD

Correct: Runs hourly with proper vault password file and playbook path.

Why this answer

Option A is correct because it specifies the correct cron schedule (0 * * * * for hourly) and uses full paths to ansible-playbook, vault password file, and playbook. Option B uses the wrong schedule (every minute). Option C uses ansible command instead of ansible-playbook.

Option D has an incorrect path for the vault password file.

355
MCQhard

A developer is building an execution environment using `ansible-builder` and encounters the error: 'Error: Failed to pull base image: manifest for registry.redhat.io/ansible-automation-platform/ansible-builder-rhel8:2.0.0 not found: manifest unknown.' The developer checks the registry and verifies that the image exists with a different tag. Which action should the developer take to resolve the issue?

A.Change the tag in `execution-environment.yml` to a valid tag, such as 'latest'.
B.Run `podman login registry.redhat.io` to authenticate.
C.Modify the `execution-environment.yml` to use a different base image from Docker Hub.
D.Update the container runtime to the latest version.
AnswerA

Using a valid tag resolves the 'manifest not found' error.

Why this answer

Option A is correct because the error indicates the specified tag '2.0.0' does not exist in the registry. The developer confirmed the image exists with a different tag, so updating the tag in `execution-environment.yml` to a valid one, such as 'latest', resolves the manifest lookup failure. `ansible-builder` uses this file to define the base image and tag for building the execution environment.

Exam trap

The trap here is that candidates may confuse a tag-not-found error with an authentication issue (Option B) or assume a broader infrastructure problem (Option D), when the fix is a straightforward tag correction in the configuration file.

How to eliminate wrong answers

Option B is wrong because the error is about a missing manifest for a specific tag, not an authentication failure; `podman login` would not fix a non-existent tag. Option C is wrong because changing the base image to a different registry (e.g., Docker Hub) is unnecessary and may break compatibility with Red Hat Ansible Automation Platform requirements; the issue is only the tag. Option D is wrong because the container runtime version is irrelevant to a tag lookup failure; the error is purely about the image tag not being found in the registry.

356
Multi-Selectmedium

Which two actions are appropriate when configuring a custom execution environment for an automation controller job? (Choose two.)

Select 2 answers
A.Storing the execution environment in a public registry only
B.Building the execution environment using ansible-builder
C.Setting the execution_environment_image in the project's SCM
D.Using the default execution environment provided by controller
E.Creating a Containerfile with the required packages
AnswersB, E

ansible-builder builds EE from definition.

Why this answer

Option B is correct because `ansible-builder` is the official tool for building custom execution environments, which are container images that include Ansible, collections, and dependencies needed for automation controller jobs. Option E is correct because a Containerfile (or Dockerfile) defines the base image, packages, and Python dependencies required for the custom execution environment, and it is used by `ansible-builder` or directly with `podman build` to create the image.

Exam trap

The trap here is that candidates confuse the `execution_environment_image` field (set in the controller UI or API) with a setting in the project's SCM, or they assume that custom execution environments must always be stored in a public registry, ignoring private registry options.

357
MCQeasy

Which directory is the default location for installed Ansible collections on a control node for a regular user?

A.~/.ansible/collections
B./usr/share/ansible/collections
C./etc/ansible/collections
D./opt/ansible/collections
AnswerA

Default user-level collections path.

Why this answer

For a regular (non-root) user on an Ansible control node, the default location for installed collections is `~/.ansible/collections`. This is defined by Ansible's default collection search path, which includes the user's home directory under `~/.ansible/collections` for user-level installations. When a user runs `ansible-galaxy collection install` without specifying a custom path, the collection is placed in this directory by default.

Exam trap

The trap here is that candidates often confuse the system-wide default (`/usr/share/ansible/collections`) with the user-level default, forgetting that regular users lack write permissions to system directories and that Ansible defaults to the home directory for non-root installations.

How to eliminate wrong answers

Option B is wrong because `/usr/share/ansible/collections` is the default location for system-wide (root) collection installations, not for a regular user. Option C is wrong because `/etc/ansible/collections` is not a standard default path for collections; `/etc/ansible/` is typically used for configuration files like `ansible.cfg` and `hosts`, not collections. Option D is wrong because `/opt/ansible/collections` is not a default Ansible collection path; it might be used in custom setups but is not the default for any user level.

358
Multi-Selectmedium

Which three methods can be used to pass variables to an Ansible playbook? (Select exactly 3.)

Select 3 answers
A.In the ansible.cfg file.
B.In the role's vars/main.yml.
C.In the playbook's vars_files directive.
D.In the inventory file variables.
E.Using the --extra-vars command line option.
AnswersC, D, E

vars_files includes YAML/JSON files with variables.

Why this answer

Options A, B, and C are correct. vars_files includes variable files, --extra-vars passes variables from command line, and inventory files can define variables. Option D is false because ansible.cfg does not define playbook variables. Option E is false because role vars are specific to the role, not passed to the playbook directly.

359
MCQhard

Your team manages a fleet of 200 Red Hat Enterprise Linux 8 servers. Security policy requires that all servers have a specific set of security configurations: (1) SELinux must be enforcing, (2) the firewall must allow only SSH and HTTPS, (3) SSH root login must be disabled, and (4) the 'auditd' service must be running and enabled. You have created an Ansible role 'security-hardening' that applies these settings. The role is idempotent and uses the 'lineinfile' module to modify /etc/ssh/sshd_config, the 'firewalld' module to configure firewall rules, the 'selinux' module to set SELinux to enforcing, and the 'service' module to enable and start auditd. You run the playbook against a test group of 10 servers, and it reports 'changed=0' for all tasks, indicating the servers are already compliant. However, a subsequent manual audit reveals that on two servers, SELinux is permissive and SSH root login is still permitted. What is the most likely cause of this discrepancy?

A.The 'become' privilege escalation is not configured, so the tasks cannot modify system files.
B.The playbook was run with the '--check' flag, which simulates changes without applying them.
C.The inventory hostnames for those two servers are incorrect, causing Ansible to connect to different hosts that are already compliant.
D.The Ansible modules used in the role are not installed on the control node.
AnswerC

Ansible reported changes on the hosts it connected to, but those are not the actual servers needing changes.

Why this answer

Option C is correct because if the inventory hostnames for the two non-compliant servers are incorrect, Ansible would connect to different hosts that are already compliant, resulting in 'changed=0' for all tasks. The playbook never actually ran against the intended servers, so the manual audit correctly found them non-compliant. This is a common inventory misconfiguration issue where the target hostname does not match the actual server.

Exam trap

The trap here is that candidates assume 'changed=0' means the target servers are compliant, but it actually means the tasks were applied to a different set of hosts due to inventory misconfiguration.

How to eliminate wrong answers

Option A is wrong because if 'become' privilege escalation were not configured, the tasks would fail with a permission error (e.g., 'Permission denied') rather than reporting 'changed=0'. Option B is wrong because running with '--check' would report 'changed=1' for tasks that would make changes, not 'changed=0' for all tasks, and the manual audit would still find the servers non-compliant. Option D is wrong because the Ansible modules used (lineinfile, firewalld, selinux, service) are all core modules included with Ansible Engine/Ansible Core and do not require separate installation on the control node.

360
Multi-Selectmedium

Which THREE are valid credential types in Ansible Tower?

Select 3 answers
A.Network credential
B.Machine credential
C.Source control credential
D.Cloud credential
E.Vault credential
AnswersA, B, E

Network credentials are used for network devices.

Why this answer

Network credentials are valid in Ansible Tower for authenticating to network devices (e.g., routers, switches) via protocols like SSH, Telnet, or API. They store the username, password, and optional SSH key or become method, enabling Tower to execute playbooks against network targets.

Exam trap

The trap here is that candidates confuse 'Source control credential' (which is not a standalone type) with the ability to authenticate to Git repos, which is actually handled by Machine or Cloud credentials, or by storing SSH keys in the project's settings.

361
MCQmedium

Refer to the exhibit. After running the playbook, what is the value of 'clean_list'?

A.[' apple ', 'BANANA', ' cherry ']
B.['apple', 'banana', 'cherry']
C.[' apple ', 'banana', ' cherry ']
D.['APPLE', 'BANANA', 'CHERRY']
AnswerB

Trimmed and lowercased correctly.

Why this answer

Option B is correct because the `lower` filter converts all strings to lowercase, and the `map('trim')` filter removes leading and trailing whitespace from each element. The playbook applies these filters sequentially to the `fruits` list, resulting in `['apple', 'banana', 'cherry']`.

Exam trap

Red Hat often tests the order of filter application and the scope of `map` — candidates may mistakenly think `map('trim')` only affects the first element or that `lower` applies after trimming, leading to incorrect whitespace or case handling.

How to eliminate wrong answers

Option A is wrong because it retains the original whitespace and uppercase 'BANANA', failing to apply the `lower` filter to all elements and the `map('trim')` filter correctly. Option C is wrong because it only trims the second element ('banana') but leaves whitespace on the first and third, indicating a misunderstanding that `map('trim')` applies to all list elements, not just one. Option D is wrong because it uppercases all elements, which is the opposite of the `lower` filter's behavior.

362
MCQ · hard

A team develops an Ansible collection and wants to distribute it internally. They have a private Automation Hub. Which approach best ensures that collection dependencies from external sources are also available?

A. Manually install each dependency on the control node
B. Define a requirements.yml in the execution environment that references both the private hub and external sources
C. Include all dependencies directly in the collection's repository
D. Use ansible-galaxy collection download and then upload to private hub
Answer: B

This ensures all dependencies are available from trusted sources.

Why this answer

Option B is correct because defining a `requirements.yml` in the execution environment allows you to specify collections from both the private Automation Hub and external sources (e.g., Ansible Galaxy). When building the execution environment, `ansible-builder` processes this file and resolves dependencies from the listed sources, ensuring all required collections are bundled into the container image. This approach automates dependency management and avoids manual installation or repository bloat.

Exam trap

The trap here is that candidates often assume dependencies must be manually installed or bundled directly, missing the fact that `requirements.yml` in the execution environment context is the standard way to aggregate collections from multiple sources automatically.

How to eliminate wrong answers

Option A is wrong because manually installing each dependency on the control node is error-prone, not scalable, and does not ensure dependencies are available in the execution environment or to other team members. Option C is wrong because including all dependencies directly in the collection's repository violates best practices—collections should declare dependencies in `galaxy.yml` or `requirements.yml`, not bundle them, as this leads to repository bloat and version conflicts. Option D is wrong because `ansible-galaxy collection download` only downloads collections for offline use; uploading them to the private hub does not automatically resolve dependencies from external sources unless those dependencies are also downloaded and uploaded, which is not guaranteed by this approach.

363
Drag & Drop · medium

Drag and drop the steps to configure an Ansible control node for managing remote hosts into the correct order.

Why this order

Ansible requires installation, inventory definition, SSH key-based authentication, and connectivity verification before managing hosts.

364
MCQ · hard

A playbook uses the 'include_tasks' module to dynamically include tasks based on a variable. The playbook runs successfully on some hosts but fails on others with a 'template error' message. What is the most likely cause?

A. The included task file does not exist on the control node.
B. The variable used in the 'include_tasks' path has a Jinja2 template error.
C. The included task file has incorrect permissions.
D. The included tasks contain a syntax error.
Answer: B

Template errors occur when Jinja2 syntax is invalid.

Why this answer

The 'include_tasks' module dynamically resolves the path to a task file using a variable. If that variable contains a Jinja2 template error (e.g., undefined variable, syntax mistake, or filter misuse), Ansible will fail with a 'template error' message during the variable expansion phase, before the task file is even loaded. This explains why the error occurs only on hosts where the variable's value or context triggers the template failure.

Exam trap

The trap here is that candidates often confuse the source of the template error, assuming it comes from the content of the included tasks (option D) rather than from the variable used in the include path itself, which is evaluated before the included file is even accessed.

How to eliminate wrong answers

Option A is wrong because if the included task file does not exist on the control node, Ansible would produce a 'file not found' or 'could not find or access' error, not a 'template error'. Option C is wrong because file permissions on the control node affect whether Ansible can read the file, but a permissions issue would result in a 'permission denied' error, not a Jinja2 template error. Option D is wrong because a syntax error inside the included tasks would cause a playbook failure when those tasks are parsed or executed, but the error message would be a YAML or Ansible syntax error, not a 'template error' from the include path resolution.

365
MCQ · easy

An administrator needs to limit the number of concurrent jobs that can run on a specific automation controller node. Which setting should be adjusted?

A. The forks parameter in the playbook
B. The job template's 'allow simultaneous' option
C. The number of execution environments
D. The max concurrent jobs setting in the node's configuration
Answer: D

Limits jobs on that node.

Why this answer

The correct setting to limit concurrent jobs on a specific automation controller node is the 'max concurrent jobs' parameter in the node's configuration. This setting directly controls how many jobs the node can execute simultaneously, preventing resource exhaustion and ensuring predictable performance. Adjusting this value is the proper method for managing node-level concurrency in Red Hat Ansible Automation Platform.

Exam trap

The trap here is that candidates confuse the 'forks' parameter (task-level parallelism) with node-level job concurrency, or mistakenly think that job template settings like 'allow simultaneous' control node capacity.

How to eliminate wrong answers

Option A is wrong because the 'forks' parameter controls the number of parallel tasks within a single playbook run, not the number of concurrent jobs across the controller. Option B is wrong because the 'allow simultaneous' option in a job template permits multiple runs of the same template at once, but it does not limit overall node concurrency. Option C is wrong because the number of execution environments affects the runtime environment for jobs, not the concurrency limit on a specific node.

366
MCQ · easy

An administrator wants to update a web server fleet with minimal downtime. They need to update each server one at a time. Which Ansible playbook directive should be used?

A. `throttle: 1`
B. `forks: 1`
C. `serial: 1`
D. `max_fail_percentage: 0`
Answer: C

Correct. serial sets the batch size for rolling updates.

Why this answer

Option C is correct because the `serial: 1` directive in an Ansible playbook controls the batch size of hosts that are updated simultaneously. Setting it to 1 ensures that only one host is updated at a time, which minimizes downtime by allowing the rest of the fleet to remain available while each server is sequentially updated.

Exam trap

The trap here is that candidates often confuse `serial` with `forks` or `throttle`, mistakenly thinking that limiting parallel task execution (`forks: 1`) or task concurrency (`throttle: 1`) achieves the same one-at-a-time host update behavior, but only `serial` controls the batch size of hosts processed sequentially.

How to eliminate wrong answers

Option A is wrong because `throttle: 1` limits the number of concurrent tasks per host or per play, but it does not control the batch size of hosts being updated; it limits task concurrency, not the sequential update of hosts. Option B is wrong because `forks: 1` sets the number of parallel processes Ansible uses to execute tasks on hosts, but it still allows all hosts in the batch to be processed in parallel; it does not enforce a one-at-a-time update across the entire fleet. Option D is wrong because `max_fail_percentage: 0` defines the maximum percentage of hosts that can fail before the playbook aborts, but it does not control the order or batch size of updates; it is a failure threshold, not a sequencing mechanism.

367
MCQ · medium

An Ansible role has a complex dependency tree. The administrator wants to ensure that dependencies are installed before the main role tasks. Which file should be used to define dependencies?

A. `meta/main.yml`
B. `defaults/main.yml`
C. `tasks/main.yml`
D. `vars/main.yml`
Answer: A

The meta directory contains main.yml for role metadata including dependencies.

Why this answer

Role dependencies are defined in the meta/main.yml file using the 'dependencies' keyword. Ansible resolves these dependencies and runs them before the role's own tasks.

368
Multi-Select · medium

Which TWO filters are used to transform data types in Ansible?

Select 2 answers
A. `list`
B. `bool`
C. `float`
D. `string`
E. `int`
Answers: B, E

Converts to boolean.

Why this answer

In Ansible, the `bool` and `int` filters are specifically designed to convert input values into boolean and integer data types, respectively. These are part of Ansible's Jinja2 filter set for explicit type coercion, enabling tasks to handle variables with the correct data type for conditional logic or arithmetic operations.

Exam trap

The trap here is that candidates often confuse Jinja2's generic filters (like `float` or `string`) with Ansible's officially tested type transformation filters, but the EX294 exam specifically expects `bool` and `int` as the two correct answers for data type transformation.

369
MCQ · hard

An OpenShift rolling update is failing because new pods crash immediately. Which parameter automatically triggers a rollback if no progress is made?

A. `revisionHistoryLimit`
B. `maxSurge`
C. `progressDeadlineSeconds`
D. `maxUnavailable`
E. `minReadySeconds`
Answer: C

If the deployment does not progress within this time, it is considered failed and rolls back.

Why this answer

The `progressDeadlineSeconds` parameter specifies the maximum duration (in seconds) that a deployment can make no progress before it is considered to have failed. When this deadline is exceeded, the deployment controller automatically triggers a rollback to the previous revision. This is the correct parameter for automatically rolling back a failed rolling update where new pods crash immediately.

Exam trap

The trap here is that candidates confuse `progressDeadlineSeconds` with `minReadySeconds`, thinking that a readiness check alone will trigger a rollback, but `minReadySeconds` only delays availability without initiating a rollback.

How to eliminate wrong answers

Option A is wrong because `revisionHistoryLimit` controls how many old ReplicaSets are retained for rollback, not the timing or automatic rollback trigger. Option B is wrong because `maxSurge` defines the maximum number of pods that can be created above the desired replica count during an update, not a rollback mechanism. Option D is wrong because `maxUnavailable` specifies the maximum number of pods that can be unavailable during the update process, not a progress deadline. Option E is wrong because `minReadySeconds` determines how long a pod must be ready before it is considered available, but it does not trigger a rollback if no progress is made.

370
MCQ · medium

An Ansible inventory file uses the `gce.py` dynamic inventory script for Google Cloud. After running the script, the inventory contains hosts but no variables. What is the most likely cause?

A. The script is not executable.
B. The GCE service account lacks permissions to read instance metadata.
C. The script's JSON output lacks the 'vars' section for the group.
D. The inventory file uses `hosts: all`.
Answer: C

Variables are only populated if the script includes a 'vars' key in each group.

Why this answer

Option C is correct because dynamic inventory scripts like `gce.py` output JSON that must include a `_meta` section with `hostvars` for host-specific variables, and a `vars` subsection within each group to define group-level variables. If the script's JSON output lacks the `vars` section for a group, Ansible will still see the hosts but will not populate any variables for that group, resulting in hosts with no associated variables.

Exam trap

The trap here is that candidates often assume missing variables are due to permission or execution issues, but the question specifically states the script runs and produces hosts, narrowing the cause to a structural problem in the script's JSON output.

How to eliminate wrong answers

Option A is wrong because if the script were not executable, Ansible would fail to run it entirely and would not produce any inventory hosts, not hosts without variables. Option B is wrong because insufficient GCE service account permissions would typically cause the script to fail to retrieve instance data, resulting in an empty inventory or an error, not hosts with missing variables. Option D is wrong because `hosts: all` is a playbook-level directive that targets all inventory hosts, not a cause for missing variables; it does not affect how the dynamic inventory script populates variables.

371
Multi-Select · medium

An administrator needs to update a web application that runs as a Kubernetes Deployment with 5 replicas. The application is stateless, but the update must not cause any downtime. Which TWO strategies ensure zero-downtime rolling updates?

Select 2 answers
A. Omit the liveness probe from the pod spec.
B. Set strategy type to RollingUpdate with maxUnavailable=0 and maxSurge=1.
C. Set maxUnavailable=1 and maxSurge=0.
D. Use the Recreate strategy.
E. Configure a readiness probe that checks the application's health endpoint.
Answers: B, E

Correct: Ensures no pod is terminated until a new one is ready, and an extra pod can be created during the update to maintain capacity.

Why this answer

Option B is correct because setting `maxUnavailable=0` ensures that no pods are taken down before new ones are ready, while `maxSurge=1` allows one extra pod to be created above the desired replica count, enabling a rolling update without any downtime. This combination guarantees that at least 5 pods are always available during the update process.

Exam trap

The trap here is that candidates often confuse `maxUnavailable` and `maxSurge` values, mistakenly thinking that allowing one unavailable pod (maxUnavailable=1) is acceptable for zero-downtime, when in fact it can cause a temporary capacity deficit if the readiness probe is not fast enough.

372
Multi-Select · medium

Which TWO statements are true about deploying Red Hat Ansible Automation Platform using the automation mesh?

Select 2 answers
A. Execution nodes can be located in different geographic regions.
B. Existing Ansible Tower nodes can be added to the mesh without modification.
C. Automation mesh requires two separate ports for control and data plane traffic.
D. The mesh topology is organized as a parent/child relationship between nodes.
E. All execution nodes must have direct network access to the automation controller.
Answers: A, D

Automation mesh supports distributed execution across multiple sites.

Why this answer

Option A is correct because the automation mesh is designed to support distributed topologies where execution nodes can be located in different geographic regions. The mesh uses peer-to-peer connections over standard TCP ports, allowing nodes to communicate across network boundaries without requiring a centralized controller in each region.

Exam trap

The trap here is that candidates often assume automation mesh requires separate control and data ports (like in some SDN solutions) or that all nodes must reach the controller directly, but Red Hat's implementation uses a single port and a peer-to-peer routing model.

373
MCQ · medium

A developer wants to create a new collection named 'myutils' under namespace 'myorg'. Which command initializes the collection structure?

A. `ansible-galaxy collection scaffold myorg.myutils`
B. `ansible-galaxy collection create myorg.myutils`
C. `ansible-galaxy collection new myorg.myutils`
D. `ansible-galaxy collection init myorg.myutils`
Answer: D

Correct command to initialize a collection.

Why this answer

The correct command to initialize a new Ansible collection structure is `ansible-galaxy collection init <namespace.collection>`. This creates the required directory layout, including `galaxy.yml`, `README.md`, and subdirectories like `roles/`, `playbooks/`, and `plugins/`. Option D matches this syntax exactly.

Exam trap

The trap here is that candidates confuse role scaffolding commands (`ansible-galaxy init` or `ansible-galaxy role init`) with collection initialization, and mistakenly apply verbs like `scaffold`, `create`, or `new` which are not valid for collections.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy collection scaffold` is not a valid subcommand; `scaffold` is used for roles, not collections. Option B is wrong because `ansible-galaxy collection create` is not a valid subcommand; the correct verb is `init`. Option C is wrong because `ansible-galaxy collection new` is not a valid subcommand; `new` is used for roles, not collections.

374
MCQ · medium

An organization uses Ansible to manage an AWS EC2 environment. The Ansible control node runs on a Linux server, and the team uses a dynamic inventory script (ec2.py) to automatically populate hosts. Recently, they need to run a playbook only against EC2 instances that have a specific tag, 'Environment', set to 'production'. The team has placed the ec2.ini configuration file in the same directory as the inventory script. However, when they run the playbook with '-i ec2.py', the playbook runs against all instances instead of only production ones. The team verifies that the tag exists on the correct instances and that the environment variable AWS_PROFILE is set correctly. Which action should resolve the issue?

A. Set the environment variable 'EC2_TAGS=Environment=production' before running the playbook.
B. Modify the ec2.ini file to include 'filters = tag:Environment=production' under the [ec2] section.
C. Use the '--limit' option with the playbook command to specify the tag.
D. Add the option 'hostname = tag_Name' to the ec2.ini file.
Answer: B

This restricts the inventory to instances with the specified tag.

Why this answer

The ec2.py dynamic inventory script uses ec2.ini settings to filter instances. To filter by tags, the 'regions_exclude' and 'destination_variable' are set, but the 'filters' setting inside the 'ec2' section must be configured to include 'tag:Environment=production'. Option B correctly identifies that the ec2.ini must be modified with the 'filters' option.

Option A is incorrect because 'hostname' is for naming hosts, not filtering. Option C would not filter by the tag. Option D is unrelated.

375
Multi-Select · easy

Which TWO actions are required to use a private Automation Hub to share collections?

Select 2 answers
A. Configure the server in ansible.cfg under [galaxy] server_list.
B. Build a custom execution environment that includes the collections.
C. Run ansible-galaxy collection install --ignore-certs if using self-signed certs.
D. Use ansible-navigator with --pull-policy missing.
E. Create an API token and store it in ansible.cfg or environment variable.
Answers: A, E

Required to point to the private hub.

Why this answer

Option A is correct because to use a private Automation Hub, you must configure the server in ansible.cfg under the [galaxy] section with a server_list entry. This tells ansible-galaxy where to find the private hub, allowing you to install collections from it instead of the default public Galaxy server.

Exam trap

The trap here is that candidates confuse optional steps (like building execution environments or ignoring certs) with required actions, or they overlook that both server configuration and API token authentication are mandatory for accessing a private Automation Hub.
