Red Hat Certified Engineer EX294 (EX294) — Questions 376-450

518 questions total · 7 pages · All types, answers revealed

Page 6 of 7

376
MCQ · hard

During collection development, a developer wants to include a Python dependency that is not available in the base image of the execution environment. Where should this dependency be declared?

A. In the execution-environment.yml under 'dependencies' -> 'python'
B. In the collection's requirements.yml under 'python'
C. In the collection's galaxy.yml under 'dependencies'
D. In the collection's meta/runtime.yml under 'python_dependencies'
Answer: A

Correct location for Python dependencies needed in the EE.

Why this answer

In Ansible execution environments, Python dependencies that are not part of the base image must be declared in the `execution-environment.yml` file under the `dependencies` key, specifically within the `python` subkey. This file is used by `ansible-builder` to build a custom container image that includes those additional Python packages. The base image already contains a standard set of Python libraries, but any extra ones needed by a collection must be explicitly listed here to be installed during the build process.

Exam trap

Red Hat often tests the distinction between files used for building execution environments (`execution-environment.yml`) versus files used for publishing or runtime metadata (`galaxy.yml`, `meta/runtime.yml`), causing candidates to confuse where Python dependencies should be declared.

How to eliminate wrong answers

Option B is wrong because `requirements.yml` is used for Ansible collections or roles, not for Python dependencies; it does not support a `python` key for pip packages. Option C is wrong because `galaxy.yml` is a metadata file for publishing collections to Ansible Galaxy, not for declaring runtime dependencies for execution environments. Option D is wrong because `meta/runtime.yml` defines Ansible runtime behavior like action groups or module deprecations, not Python package dependencies.

377
MCQ · easy

A DevOps team uses Ansible to manage a large fleet of web servers. They have a custom filter plugin, `custom_encrypt`, stored in `/opt/ansible/filter_plugins/custom_encrypt.py`. This filter works correctly in Ansible 2.9. After upgrading the control node to Ansible 2.14 (ansible-core 2.14), the filter is no longer found. The `ansible.cfg` includes `filter_plugins = /opt/ansible/filter_plugins` and the file permissions are 644. The team verified the Python file is valid and contains the correct `FilterModule` class with a `filters()` method. Which of the following is the most likely cause of the issue?

A. The `ansible.cfg` path must be under `~/.ansible/plugins/filter_plugins`.
B. The filter plugin name must match the module name exactly.
C. The filter plugin is missing a `filters()` method.
D. The filter plugin must be part of an Ansible collection because standalone filter plugins are deprecated.
Answer: D

Ansible 2.14 deprecates standalone plugins; collections are the recommended format.

Why this answer

Starting with ansible-core 2.12, standalone custom filter plugins placed directly in a directory are deprecated. The recommended approach is to package them into a collection. The filter is not part of any collection, and while the `filter_plugins` directory still works, it is deprecated and may stop working in future releases.

In ansible-core 2.14, the behavior is unchanged, but the deprecation warning might indicate that the path is not being recognized if the plugin was not loaded correctly. However, the most likely cause given the upgrade is that the filter must be part of a collection for proper compatibility. Option A is incorrect because the `FilterModule` class is present.

Option C is incorrect because the path is absolute and valid. Option D is incorrect because the plugin's name does not need to match the file name exactly (though it's good practice).

378
MCQ · easy

A systems administrator at a growing company uses Red Hat Ansible Automation Platform to manage configuration of web servers. They have a job template named 'Web Server Config' that runs a playbook to apply security hardening. The playbook includes variables encrypted with Ansible Vault using the default vault ID. The administrator has created a credential of type 'Ansible Vault Password' in Automation Controller and assigned it to the job template. When the job runs, it fails with the error: 'Decryption failed (no vault secrets would be found that would decrypt)'. However, other job templates that use the same vault credential run successfully. The administrator checks that the vault password is correct and that the credential is properly assigned. They also verify that the playbook's path is correct and the inventory is populated. What is the most likely cause of the failure?

A. The playbook references a different vault id than the one in the credential.
B. The playbook has a syntax error.
C. The vault password file is missing from the controller.
D. The vault credential is not assigned to this specific job template.
Answer: A

The error indicates no vault secrets found, meaning the vault id in the playbook does not match any provided vault secret.

Why this answer

Since other job templates with the same credential succeed, the credential is valid and assigned. The error 'no vault secrets would be found' typically occurs when the playbook references a vault id that was not provided. The most likely cause is a vault id mismatch between the playbook and the credential.

379
MCQ · easy

An Ansible Tower administrator needs to allow a team of developers to run playbooks against specific inventory groups without allowing them to modify the inventory or credentials. Which approach best satisfies the requirement?

A. Assign the developers the 'Execute' role on the inventory and 'Use' role on the credential.
B. Assign the developers the 'Update' role on the inventory and 'Admin' role on the credential.
C. Assign the developers the 'Admin' role on the inventory and 'Read' role on the credential.
D. Assign the developers the 'Read' role on both inventory and credential.
Answer: A

Execute allows running jobs; Use allows credential usage without management.

Why this answer

The 'Execute' role on an inventory allows a user to run playbooks against that inventory without granting permission to modify its contents. The 'Use' role on a credential permits the credential to be used in job templates but not viewed or edited. This combination precisely meets the requirement of allowing playbook execution while preventing inventory or credential modification.

Exam trap

The trap here is confusing 'Execute' with 'Read' or 'Update' roles — candidates often assume 'Read' is sufficient for running playbooks, but Tower requires the explicit 'Execute' permission to launch jobs against an inventory.

How to eliminate wrong answers

Option B is wrong because the 'Update' role on inventory allows modifying inventory contents (e.g., adding/removing hosts), and the 'Admin' role on credential grants full control including editing and deletion, both exceeding the requirement. Option C is wrong because the 'Admin' role on inventory provides full administrative rights including modification, and the 'Read' role on credential only allows viewing, not usage in job templates. Option D is wrong because the 'Read' role on both inventory and credential only permits viewing, not executing playbooks against the inventory or using the credential in a job template.

380
MCQ · easy

A user wants to build an execution environment from a definition file. Which command is used?

A. ansible-playbook build -i ee.yml
B. ansible-builder build -f execution-environment.yml
C. ansible-execution-environment build -f ee.yml
D. ansible-galaxy build execution-environment.yml
Answer: B

Correct command for building an EE.

Why this answer

The `ansible-builder build` command is the correct tool for building an Ansible execution environment from a definition file. The `-f` flag specifies the path to the `execution-environment.yml` file, which defines the base image, required collections, and system dependencies for the containerized environment.

Exam trap

The trap here is that candidates confuse `ansible-builder` with `ansible-galaxy` or `ansible-playbook`, mistakenly thinking that building an execution environment uses the same command as building a collection or running a playbook.

How to eliminate wrong answers

Option A is wrong because `ansible-playbook` is used to run playbooks, not to build execution environments; there is no `build` subcommand for `ansible-playbook`. Option C is wrong because `ansible-execution-environment` is not a valid Ansible command; the correct command is `ansible-builder`. Option D is wrong because `ansible-galaxy build` is used to build a collection from a `galaxy.yml` file, not an execution environment from an `execution-environment.yml` file.

381
MCQ · hard

A junior admin runs the command shown in the exhibit. What is the most likely cause of the error?

A. The 'ansible.builtin' collection is not installed in the execution environment.
B. The shell module requires a command argument that is missing.
C. The playbook file path is incorrect; ansible-navigator cannot find the file.
D. The playbook uses incorrect YAML syntax; the task should use the 'module' keyword.
Answer: D

The correct syntax is 'module: ansible.builtin.shell' or simply 'ansible.builtin.shell:' as a mapping key.

Why this answer

Option B is correct. The YAML syntax is incorrect because the 'ansible.builtin.shell' module should be listed under the 'module' key, not as a separate line. The correct usage is 'ansible.builtin.shell:' as a value under 'module:' or directly as the action.

In this case, the task is missing the 'module' key. Option A is wrong because the collection is installed by default. Option C is wrong because the syntax error is in the YAML structure, not in the module name.

Option D is wrong because the path is absolute and correct.

382
MCQ · medium

Refer to the exhibit. What is the most likely cause of the job being in 'pending' state?

A. The job is queued because the capacity limit of the automation controller is reached.
B. The credential is invalid and the system is attempting to validate it.
C. The job template is configured with a survey that requires approval.
D. The project needs to be updated before the job can run.
Answer: A

Capacity limits cause jobs to wait in pending state.

Why this answer

In Ansible Automation Platform, when a job is in 'pending' state, it typically indicates that the automation controller has queued the job because the maximum number of concurrent jobs (capacity limit) has been reached. The controller uses a job fork limit and instance group capacity to determine how many jobs can run simultaneously; once that limit is hit, additional jobs are placed in a pending queue until capacity frees up.

Exam trap

Red Hat often tests the distinction between 'pending' (capacity queue) and 'awaiting approval' (survey or workflow approval), so candidates mistakenly choose the survey option when they see a job not starting immediately.

How to eliminate wrong answers

Option B is wrong because an invalid credential would cause the job to fail immediately with an authentication error, not remain in a pending state; the system does not retry validation indefinitely. Option C is wrong because a survey requiring approval would place the job in an 'awaiting approval' state, not 'pending'; approval is a separate workflow step before the job is even queued. Option D is wrong because a project update is a prerequisite for launching a job template, but if the project is outdated, the job would either fail or prompt an update, not sit in pending; pending specifically relates to capacity, not project sync status.

383
Multi-Select · hard

Which THREE statements correctly describe the behavior of the 'serial' keyword in Ansible? (Choose exactly three.)

Select 3 answers
A. It can be set as a percentage of the total hosts.
B. It causes the playbook to run on a subset of hosts at a time.
C. It can be combined with max_fail_percentage to control failure thresholds.
D. It guarantees that only one task runs across all hosts at any time.
E. It applies globally to all plays in the playbook.
Answers: A, B, C

Correct. serial: 10% is valid.

Why this answer

Option A is correct because the 'serial' keyword in Ansible can be specified as a percentage (e.g., 'serial: 50%'), which tells Ansible to run the play on that percentage of hosts in the batch at a time. This is useful for controlling the rollout pace across a dynamic inventory where the exact host count may vary.

Exam trap

The trap here is that candidates often confuse 'serial' with a task-level concurrency control or assume it applies globally across all plays, when in fact it is a per-play batch size setting that controls how many hosts execute the entire play simultaneously.

384
MCQ · easy

What is the effect of setting 'serial: 5' in an Ansible playbook that targets a group of 20 hosts?

A. The playbook runs on 5 hosts per task, then moves to next task.
B. The playbook runs on 5 hosts at a time, sequentially.
C. The playbook runs only on the first 5 hosts.
D. The playbook runs on all 20 hosts at once.
Answer: B

Correct. serial: 5 splits into batches of 5.

Why this answer

Setting 'serial: 5' in an Ansible playbook configures the playbook to execute each task on a batch of 5 hosts at a time, moving to the next batch only after the current batch completes all tasks. This ensures that no more than 5 hosts are processed concurrently, providing controlled, sequential rolling updates across the 20-host group.

Exam trap

The trap here is confusing 'serial' with 'forks' or per-task parallelism, leading candidates to think it limits hosts per task rather than per batch across all tasks.

How to eliminate wrong answers

Option A is wrong because 'serial' controls the number of hosts processed per batch across all tasks, not per task; the playbook runs all tasks on the first batch of 5 hosts before moving to the next batch. Option C is wrong because 'serial: 5' does not limit execution to only the first 5 hosts; it processes all 20 hosts in batches of 5. Option D is wrong because 'serial: 5' explicitly limits concurrency to 5 hosts at a time, preventing all 20 hosts from running simultaneously.

385
MCQ · easy

An Ansible playbook uses a 'block' to group multiple tasks and includes a 'rescue' section. If a task inside the block fails, what will happen?

A. the rescue section runs and then the playbook resumes with the next task after the block
B. the block is re-executed from the beginning
C. the rescue section runs, and the playbook continues with tasks after the block
D. the playbook stops immediately
Answer: C

Correct: rescue handles failures and then execution continues after the block.

Why this answer

Option D is correct because 'rescue' handles failures within the block. Option A is false (block does not run on remote). Options B and C are incorrect.

386
MCQ · medium

Refer to the exhibit. An administrator has configured ansible.cfg as shown. Which command will successfully install the 'community.general' collection from this server?

A. ansible-galaxy collection install community.general --server=https://galaxy.ansible.com
B. ansible-galaxy collection install community.general
C. ansible-galaxy collection install community.general --ignore-certs
D. ansible-galaxy collection install community.general --force-with-deps
Answer: B

Uses the configured server.

Why this answer

Option B is correct because the ansible.cfg file shown in the exhibit sets the `server` key under the `[galaxy]` section to a custom server URL (e.g., `https://private-galaxy.example.com`). When no `--server` flag is provided, `ansible-galaxy collection install` automatically uses the server defined in `ansible.cfg`. Therefore, the simple command `ansible-galaxy collection install community.general` will install the collection from the configured private server.

Exam trap

The trap here is that candidates may think they must specify the `--server` flag to point to a custom server, forgetting that `ansible.cfg` already defines the server, making the flag redundant and potentially counterproductive.

How to eliminate wrong answers

Option A is wrong because it explicitly overrides the configured server with `--server=https://galaxy.ansible.com`, which defeats the purpose of the custom server defined in ansible.cfg. Option C is wrong because `--ignore-certs` disables SSL certificate verification, which is unnecessary and insecure unless the server uses a self-signed certificate; the question does not indicate any certificate issue. Option D is wrong because `--force-with-deps` forces reinstallation of the collection and its dependencies, which is not required for a successful first-time installation and could overwrite existing collections unnecessarily.

387
MCQ · medium

Your organization is migrating from manually maintained control nodes to using execution environments. You have created an execution environment that includes all necessary collections and Python dependencies. You want to ensure that developers use this execution environment when running playbooks. You have configured ansible-navigator on their workstations. However, some developers report that when they run a playbook, it uses the local installation of Ansible instead of the execution environment. What should you check first?

A. Confirm that the developers have installed ansible-builder locally.
B. Ensure that the developers are using the 'ansible-navigator run' command instead of 'ansible-playbook'.
C. Verify that the ansible-navigator configuration file points to the correct execution environment image.
D. Check that the execution environment container is running on the developers' machines.
Answer: B

Correct. ansible-navigator is the tool to run playbooks inside the execution environment.

Why this answer

The correct answer is B because `ansible-navigator` is the CLI tool designed to run Ansible inside an execution environment. If developers run `ansible-playbook` directly, it uses the locally installed Ansible, bypassing the execution environment entirely. The question states that `ansible-navigator` is configured on their workstations, but the developers must use the `ansible-navigator run` subcommand to invoke playbooks within the containerized environment.

Exam trap

The trap here is that candidates often focus on configuration details (like the image path in the config file) or container status, missing the fundamental point that the command itself (`ansible-playbook` vs `ansible-navigator run`) determines whether the execution environment is used.

How to eliminate wrong answers

Option A is wrong because `ansible-builder` is used to build execution environment images, not to run playbooks; its absence does not affect whether a playbook runs locally or in an execution environment. Option C is wrong because while the configuration file pointing to the correct image is important, the primary issue is that developers are using the wrong command (`ansible-playbook`), which ignores the execution environment entirely regardless of the configuration. Option D is wrong because the execution environment container does not need to be running continuously; `ansible-navigator run` pulls and starts the container on demand, so checking if it is running is irrelevant to the reported problem.

388
MCQ · hard

A large enterprise has deployed Ansible Automation Platform with multiple organizations. A team lead needs to allow a junior administrator to create and manage job templates within their own organization, but not modify organizations, users, or system settings. Which RBAC roles should be assigned?

A. Assign the `admin` role on the organization.
B. Assign the `job_template_admin` role on the specific organization.
C. Assign the `execute` role on all job templates.
D. Assign the `auditor` role on the organization.
Answer: B

This role allows managing job templates but not organization-level settings.

Why this answer

The `job_template_admin` role on a specific organization grants the ability to create, edit, and manage job templates within that organization without allowing modifications to organizations, users, or system settings. This is the correct RBAC role for the junior administrator's requirements.

Exam trap

The trap here is that candidates often confuse the `admin` role on an organization with the `job_template_admin` role, assuming that full admin rights are needed to manage job templates, when in fact a more restricted role exists specifically for that purpose.

How to eliminate wrong answers

Option A is wrong because the `admin` role on an organization provides full administrative privileges, including the ability to modify organizations, users, and system settings, which exceeds the required permissions. Option C is wrong because the `execute` role on all job templates only allows running existing job templates, not creating or managing them. Option D is wrong because the `auditor` role on an organization provides read-only access to view objects and audit logs, with no permissions to create or manage job templates.

389
Multi-Select · medium

Which TWO statements about Ansible collections are correct?

Select 2 answers
A. Collections cannot be versioned.
B. Collections provide a way to package and distribute Ansible content.
C. Collections replace the need for inventory files.
D. Collections can only contain modules and roles.
E. Collections can be published to Ansible Galaxy or Automation Hub.
Answers: B, E

Collections are the standard packaging format.

Why this answer

Ansible collections are a distribution format for Ansible content that allows packaging and distributing playbooks, roles, modules, and plugins. They enable users to bundle related automation content into a single, versioned package that can be shared via Ansible Galaxy or Automation Hub. This makes option B correct because collections are explicitly designed for packaging and distribution.

Exam trap

Red Hat often tests the misconception that collections are limited to modules and roles, but the trap here is that collections can also include plugins, playbooks, and documentation, making option D a common distractor.

390
MCQ · medium

What is the most likely cause of this error?

A. The `filter_plugins` path is misconfigured.
B. The `encrypt_string` filter plugin is not installed.
C. The filter name is incorrect; no filter named 'encrypt_string' exists by default.
D. The playbook syntax is invalid.
Answer: C

Correct; the error indicates the filter is not found, likely because the name is wrong (e.g., maybe 'password_hash' was intended).

Why this answer

The error occurs because there is no built-in filter named 'encrypt_string' in Ansible. While Ansible provides many filters for data transformation, 'encrypt_string' is not one of them by default. This filter would need to be provided by a custom filter plugin or a collection, and since it is not present, Ansible raises an undefined filter error.

Exam trap

Red Hat often tests the distinction between built-in filters and custom plugins, leading candidates to assume a filter exists because it sounds plausible or because they confuse it with a similar feature like the `vault` module.

How to eliminate wrong answers

Option A is wrong because a misconfigured `filter_plugins` path would cause Ansible to fail to load custom filters, but the error here is about an undefined filter name, not a path issue. Option B is wrong because `encrypt_string` is not a standard filter plugin that can be installed; it is not part of any official Ansible package or collection. Option D is wrong because the playbook syntax is valid; the error is specifically about the filter name being unrecognized, not a YAML or syntax issue.

391
MCQ · easy

A playbook needs to set a fact 'total_memory' by summing the 'memory_mb' values from a list of servers. Which filter should be used?

A. {{ servers | map(attribute='memory_mb') | sum }}
B. {{ servers | map('memory_mb') | sum }}
C. {{ servers | sum }}
D. {{ servers | sum(attribute='memory_mb') }}
Answer: A

Correct: map attribute then sum.

Why this answer

Option A is correct because it uses the `map` filter with the `attribute` parameter to extract the `memory_mb` value from each dictionary in the list, then pipes the resulting list of integers into the `sum` filter to compute the total. This is the standard Ansible idiom for summing a specific attribute across a list of dictionaries.

Exam trap

The trap here is that candidates confuse the `map` filter's `attribute` parameter with a direct filter name argument, leading them to choose option B, or they incorrectly assume `sum` can accept an `attribute` parameter like some other filters do.

How to eliminate wrong answers

Option B is wrong because `map('memory_mb')` attempts to call a filter named `memory_mb`, which does not exist; the correct syntax requires the `attribute` keyword to extract a dictionary key. Option C is wrong because `servers | sum` tries to sum the list objects themselves, which are dictionaries, not numbers, causing an error or incorrect result. Option D is wrong because the `sum` filter does not accept an `attribute` parameter; that parameter belongs to `map`, not `sum`.

392
MCQ · hard

Refer to the exhibit. The administrator runs the playbook with the 'deploy' tag, but all tasks are skipped. What is the most likely reason?

A. The --tags option filters tasks; only tasks with the 'deploy' tag run, but none of the role tasks have that tag.
B. The role 'database' is not found in the roles_path.
C. The inventory host db1.example.com is not in the dbservers group.
D. The tags in the role tasks conflict with the play tags, causing a syntax error.
Answer: A

The play-level tag does not propagate to role tasks unless inherited via include_role or import_role.

Why this answer

The playbook site.yml sets tags: ['deploy'] at the play level. When running with --tags 'deploy', only tasks that have the 'deploy' tag (or no tags) would run. However, all tasks in the role have specific tags (packages, service, database), and none have the 'deploy' tag.

Tasks with tags that do not match the specified tag are skipped. To fix, either remove tags from the play or add the 'deploy' tag to the role's tasks.

393
MCQ · medium

Refer to the exhibit. The playbook fails with this error. What is the most likely cause?

A. group_vars are not loaded
B. the host is unreachable
C. the inventory is missing the host
D. gather_facts is set to 'no'
Answer: D

Correct: facts are required for 'ansible_os_family'.

Why this answer

Option B is correct because 'ansible_os_family' is a fact variable that requires 'gather_facts: yes' (default). If fact gathering is disabled, this variable is undefined. Option A might cause missing group vars but not this specific variable.

Options C and D would cause different errors.

394
MCQ · hard

Given `{{ ['1', '2', '3'] | map('int') | list }}`, what is the result?

A. An error because 'int' is not a valid filter name.
B. `[1, 2, 3]`
C. `['1', '2', '3']` as integers, but stored as strings.
D. `['1', '2', '3']`
Answer: B

Correct; map applies int filter to each element.

Why this answer

The `map('int')` filter in Ansible/Jinja2 converts each string element in the list to an integer. The `list` filter then materializes the generator into a list, resulting in `[1, 2, 3]`. Option B is correct because this is the standard behavior of the `map` filter with the `int` function.

Exam trap

The trap here is that candidates may think 'int' is a filter name rather than a Python function passed to `map`, or they may forget that `map` returns a generator that must be converted to a list with the `list` filter to see the result.

How to eliminate wrong answers

Option A is wrong because 'int' is a valid built-in function name for the `map` filter in Jinja2/Ansible, not a filter name itself, and it does not cause an error. Option C is wrong because the `map('int')` filter explicitly converts strings to actual integers, not 'integers stored as strings' — that would be a contradiction. Option D is wrong because it shows the original string list unchanged, ignoring the conversion performed by `map('int')`.

395
MCQ · easy

A developer wants to create a new Ansible collection from a skeleton template. Which command should be used?

A. `ansible-galaxy collection generate my_namespace.my_collection`
B. `ansible-galaxy collection create my_namespace.my_collection`
C. `ansible-galaxy collection start my_namespace.my_collection`
D. `ansible-galaxy collection init my_namespace.my_collection`
Answer: D

Correct command to initialize a collection skeleton.

Why this answer

The correct command is `ansible-galaxy collection init my_namespace.my_collection`, which creates a new collection skeleton with the required directory structure and metadata files. This is the official Ansible command for bootstrapping a collection from a template.

Exam trap

The trap here is that candidates often confuse the `ansible-galaxy` subcommands for roles (`init` for roles) with those for collections, or they misremember the verb as `create` or `generate`, which are not valid for collection initialization.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy collection generate` is not a valid subcommand; the correct verb is `init`. Option B is wrong because `ansible-galaxy collection create` does not exist; `create` is used for roles, not collections. Option C is wrong because `ansible-galaxy collection start` is not a valid Ansible command; `start` is not a recognized subcommand for collections.

396
MCQ · easy

Given the inventory above, which user will Ansible use when connecting to 'web2'?

A. dbadmin
B. The system default user from ansible.cfg.
C. deploy
D. root
Answer: C

webservers group sets ansible_user=deploy.

Why this answer

Option C is correct because the group vars for webservers set ansible_user=deploy. Option A is wrong because host vars are not set. Option B is wrong because root is default only if not set.

Option D is wrong because dbadmin is for dbservers.

397
MCQ · medium

An Ansible Engineer is planning a rolling update for a web application deployed across 10 nodes. The playbook uses the 'delegate_to' directive to manage load balancer health checks. Which of the following best describes the recommended approach to minimize downtime?

A. Use 'serial: 1' and delegate load balancer disable/enable tasks to localhost, ensuring each node is taken out of rotation before updating.
B. Run the update playbook with 'serial: 10' to update all nodes at once, then run a separate playbook to update the load balancer.
C. Run the update on each node manually using 'ansible-playbook --limit' and skip load balancer management to save time.
D. Use 'strategy: free' to allow nodes to update independently without controlling the load balancer.
Answer: A

This ensures each node is removed from the load balancer, updated, and then re-added, minimizing downtime.

Why this answer

Option A is correct because using 'serial: 1' ensures that only one node is updated at a time, and delegating load balancer disable/enable tasks to localhost (or the Ansible control node) allows the playbook to interact with the load balancer API to remove the node from the pool before the update and re-add it after. This minimizes downtime by ensuring traffic is not sent to a node being updated, while other nodes continue serving requests.

Exam trap

The trap here is that candidates may think 'serial: 10' is efficient because it updates all nodes quickly, but they overlook that it causes a full outage, whereas the correct approach prioritizes availability over speed.

How to eliminate wrong answers

Option B is wrong because 'serial: 10' updates all nodes simultaneously, which would cause a complete outage during the update window, defeating the purpose of a rolling update. Option C is wrong because manually running with '--limit' and skipping load balancer management does not automate the process and leaves nodes in the load balancer pool while they are being updated, causing traffic to be sent to an unavailable node and increasing downtime. Option D is wrong because 'strategy: free' allows nodes to run tasks independently without any serialization or load balancer coordination, leading to potential race conditions and no guarantee of minimizing downtime.

398
MCQeasy

An Ansible administrator wants to use an encrypted vault file to store sensitive variables. Which command creates a new vault file and prompts for a password?

A.ansible-vault edit secrets.yml
B.ansible-vault create secrets.yml
C.ansible-vault view secrets.yml
D.ansible-vault encrypt secrets.yml
AnswerB

Creates a new vault file and prompts for password.

Why this answer

Option B is correct because `ansible-vault create secrets.yml` creates a new encrypted vault file and immediately prompts the user to set a password, which is then used to encrypt the file. This command is specifically designed for initial creation of vault files, unlike `edit` which requires an existing file, `view` which only displays content, or `encrypt` which encrypts an existing plaintext file.

Exam trap

The trap here is that candidates confuse `ansible-vault create` with `ansible-vault encrypt`, mistakenly thinking both create new files, but `encrypt` requires an existing plaintext file while `create` generates a new encrypted file from scratch.

How to eliminate wrong answers

Option A is wrong because `ansible-vault edit` opens an existing vault file for editing, not creating a new one; it requires the file to already exist and be encrypted. Option C is wrong because `ansible-vault view` displays the decrypted content of an existing vault file without prompting for a new password or creating a file. Option D is wrong because `ansible-vault encrypt` encrypts an existing plaintext file into a vault file, but does not create a new file from scratch; it expects the file to already exist in plaintext.

399
MCQhard

You manage an Ansible Tower instance that has multiple inventories synced from different sources (static, dynamic cloud, and satellite). Recently, a job template that uses an inventory synced from Red Hat Satellite fails with 'No hosts matched' even though hosts exist in Satellite. The inventory sync job runs successfully and shows hosts populated in Tower. The job template uses a limit field set to '*' and there are no tags or other filters. The playbook is simple: 'hosts: all'. What is the most likely cause?

A.The inventory sync job is not scheduled to run before the job template.
B.The groups imported from Satellite are nested and the job template's limit does not include the parent group.
C.The inventory source is configured to use 'scraped from project' instead of 'satellite'.
D.The credential used for Satellite sync is expired.
AnswerB

Hosts may be in subgroups; the limit must account for hierarchy.

Why this answer

Option B is correct because when Satellite imports hosts into Tower, it often creates nested groups (e.g., a parent group containing child groups). If the job template's limit field is set to '*' (which expands to all hosts in the inventory), but the playbook's 'hosts: all' directive only matches hosts directly in the top-level group—not those in nested subgroups—the job will report 'No hosts matched'. This occurs because Ansible's inventory resolution for 'all' does not automatically recurse into child groups unless the inventory source properly flattens the group hierarchy or the limit explicitly includes the parent group.

Exam trap

The trap here is that candidates assume '*' in the limit field or 'hosts: all' in the playbook will match every host in the inventory, overlooking how nested group structures from dynamic sources like Satellite can cause hosts to be invisible to the 'all' group unless the inventory is properly flattened.

How to eliminate wrong answers

Option A is wrong because the inventory sync job runs successfully and shows hosts populated in Tower, so scheduling is not the issue; the problem is that the job template cannot match those hosts. Option C is wrong because the inventory source is explicitly stated as synced from Satellite, and 'scraped from project' is a different source type that would not import Satellite groups; the question confirms the sync runs successfully, so the source type is correct. Option D is wrong because if the credential were expired, the inventory sync job would fail, not succeed and show hosts populated.

400
MCQeasy

A team is automating server configuration using Ansible. They have a custom role 'security' that updates firewall and SSH settings. They notice that when they apply the role to multiple hosts, the SSH configuration changes sometimes fail because the firewall blocks the SSH port before the SSH configuration is updated. They need to ensure that SSH configuration is updated first, then firewall rules are applied. They have defined both tasks in the same role. What should they do?

A.Use tags to control the sequence of tasks.
B.Split the role into two separate roles and use role dependencies to enforce order.
C.Use pre_tasks for SSH and post_tasks for firewall in the playbook.
D.Use the 'order' directive in the playbook to specify task order within the role.
AnswerB

Correct: role dependencies in meta/main.yml enforce execution order.

Why this answer

The best approach is to split the role into two separate roles and use role dependencies to enforce order. Role dependencies, defined in meta/main.yml, allow specifying that one role must run before another. By creating a 'ssh_config' role and a 'firewall' role, and setting the firewall role to depend on the ssh_config role, the correct order is guaranteed.

Option D is invalid (no 'order' directive). Tags do not control task order within a role. Pre_tasks/post_tasks are play-level constructs and do not apply to role-internal order.

401
MCQeasy

Refer to the exhibit. An Ansible playbook task fails with 'Missing sudo password'. The playbook runs against a server where the remote user 'admin' has sudo privileges but requires a password. Which configuration change would resolve this issue?

A.Set ansible_become_password or use the -K flag when running the playbook.
B.Change become_method to su to avoid password prompts.
C.Remove the become_user line and rely on default root.
D.Change become_user to root.
AnswerA

Correct: This provides the required sudo password.

Why this answer

Option A is correct because the error indicates that sudo requires a password and Ansible does not have it. Setting ansible_become_password provides the password. Option D is incorrect because the become_user is valid.

Option C is incorrect because the user does have sudo privileges but requires a password. Option B is incorrect because changing to 'su' would use a different authentication method and is unnecessary.

402
MCQmedium

An admin is creating a workflow that must run a survey at the beginning to collect user input. Which node type should be used for the first step?

A.Workflow node
B.Approval node
C.Job Template node with survey enabled
D.Project Sync or Inventory Sync node
AnswerC

Surveys can be added to job templates to prompt for variables.

Why this answer

A Job Template node with survey enabled is the correct choice because surveys in Ansible Automation Platform allow you to prompt the user for variables at runtime before the job runs. This is the only node type that can collect user input as the first step in a workflow, as it presents a form to the user and passes the entered values as extra variables to the job.

Exam trap

The trap here is that candidates may confuse an Approval node with a survey node, thinking that an approval step can also collect input, but approvals only allow a yes/no or simple comment, not structured variable input.

How to eliminate wrong answers

Option A is wrong because a Workflow node is a container for other nodes and does not itself collect user input; it merely defines the flow. Option B is wrong because an Approval node is used to pause a workflow for manual approval or rejection, not to collect survey-style input from the user. Option D is wrong because Project Sync and Inventory Sync nodes are used to synchronize source control or inventory sources, and they do not support surveys or user input collection.

403
MCQhard

A user runs the commands shown in the exhibit. The execution environment (EE) builds successfully but the playbook run fails with the error. What is the most likely cause?

A.The collections_path in ansible.cfg points to a non-existent directory.
B.The execution environment image tag is incorrect.
C.The --pp never flag prevents the EE from being pulled.
D.The collection 'community.general' was not included in the execution environment definition file.
AnswerD

Correct: The execution-environment.yml only sets build args, but does not list collections to install. Without a 'galaxy' section or requirements.yml, collections are not added to the EE.

Why this answer

The error indicates that the playbook requires the 'community.general' collection, which is not available in the execution environment. Since the EE builds successfully but the playbook fails, the most likely cause is that the collection was omitted from the execution environment definition file (e.g., execution-environment.yml or requirements.yml). Without it, the collection is not installed in the EE, causing the playbook to fail at runtime.

Exam trap

Cisco often tests the distinction between a successful EE build and a runtime collection error, tricking candidates into thinking the build success implies all dependencies are present.

How to eliminate wrong answers

Option A is wrong because if collections_path pointed to a non-existent directory, the error would occur during the EE build or playbook execution with a path-related error, not a missing collection error. Option B is wrong because the EE builds successfully, so the image tag is correct; an incorrect tag would cause a build failure or pull error. Option C is wrong because the --pp never flag (if valid) would prevent pulling the EE image, but the EE builds successfully, meaning the image is already present or built locally; the flag does not affect collection availability.

404
MCQeasy

An administrator wants to use automation mesh to distribute workloads across multiple execution nodes. After configuring mesh topology, some jobs fail with: `Error: No healthy mesh node found for execution`. What is the most likely cause?

A.The mesh nodes are not all connected to each other.
B.The execution node is not registered with a unique `node_id`.
C.The `hop` count is set too high in the mesh configuration.
D.The `node_type` is set to `control` for all nodes.
AnswerB

Duplicate node IDs cause routing issues, making nodes appear unhealthy.

Why this answer

Option B is correct because each execution node in an automation mesh must have a unique `node_id` to be properly identified and reachable by the mesh controller. When nodes share a `node_id` or are not registered with a unique identifier, the controller cannot distinguish between them, leading to the 'No healthy mesh node found for execution' error. This uniqueness is critical for the mesh's peer-to-peer routing and health-checking mechanism.

Exam trap

The trap here is that candidates often confuse connectivity issues (Option A) with node identity problems, but the error message directly points to a health-check failure caused by duplicate or missing `node_id` values, not network topology.

How to eliminate wrong answers

Option A is wrong because automation mesh nodes do not need to be fully connected to each other; they communicate via a parent-child topology using `peers` and `parent` directives, and the error is not caused by lack of full connectivity. Option C is wrong because the `hop` count (maximum number of intermediate nodes) does not directly cause this error; a high hop count might affect latency or routing but not the health detection of individual nodes. Option D is wrong because setting `node_type` to `control` for all nodes would mean no execution nodes exist, but the error specifically mentions 'execution' and the issue is about node identification, not node type assignment.

405
MCQeasy

A developer has created a collection and needs to publish it to a private Automation Hub. Which command should be used to upload the collection archive?

A.`ansible-galaxy collection server upload ./tar.gz`
B.`ansible-galaxy collection publish ./my-namespace-my_collection-1.0.0.tar.gz`
C.`ansible-galaxy role import my-namespace my_collection`
D.`ansible-galaxy collection upload ./my-namespace-my_collection-1.0.0.tar.gz`
AnswerB

Correct command to publish a collection archive.

Why this answer

The correct command to upload a collection archive to a private Automation Hub is `ansible-galaxy collection publish ./my-namespace-my_collection-1.0.0.tar.gz`. This command authenticates to the configured Automation Hub server (as defined in `ansible.cfg` or the `--server` flag) and publishes the tarball, making it available for other users to install. The `publish` subcommand is specifically designed for this purpose, handling the API call to the Galaxy or Automation Hub server.

Exam trap

The trap here is that candidates confuse the `publish` subcommand with `upload` or `import`, or mistakenly use the `role import` command which is for roles, not collections, leading them to choose a plausible-sounding but invalid option.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy collection server upload` is not a valid subcommand; the correct subcommand is `publish`, and the syntax `./tar.gz` is a placeholder, not a valid filename. Option C is wrong because `ansible-galaxy role import` is used for importing roles from a source control URL (like GitHub) to Galaxy, not for uploading a collection archive to a private Automation Hub. Option D is wrong because `ansible-galaxy collection upload` is not a valid subcommand; the correct subcommand is `publish`, and the filename format `./my-namespace-my_collection-1.0.0.tar.gz` is correct but the verb is incorrect.

406
MCQmedium

The playbook uses the community.general.parse_csv filter. Assuming the collection is installed, what is the type and structure of the 'parsed' variable?

A.A list of dictionaries: [{'name': 'Alice', 'age': '30'}, {'name': 'Bob', 'age': '25'}]
B.A single string: 'Alice,30\nBob,25'
C.A list of strings: ['name,age', 'Alice,30', 'Bob,25']
D.A dictionary: {'Alice': '30', 'Bob': '25'}
AnswerA

Correct output of parse_csv.

Why this answer

The `community.general.parse_csv` filter in Ansible parses CSV content into a list of dictionaries, where the first row is treated as headers and subsequent rows become dictionaries with those headers as keys. Option A correctly describes this output: a list of dictionaries with keys 'name' and 'age' and corresponding string values.

Exam trap

The trap here is that candidates confuse `parse_csv` with `split` or `regex_replace` filters, assuming it returns raw strings or a single dictionary, rather than understanding it returns a list of dictionaries with header-based keys.

How to eliminate wrong answers

Option B is wrong because `parse_csv` does not return a single string; it returns structured data, not raw CSV text. Option C is wrong because it describes a list of strings (each row as a string), but `parse_csv` parses the CSV into dictionaries, not raw strings. Option D is wrong because it suggests a single dictionary mapping names to ages, but `parse_csv` returns a list of dictionaries, one per data row, not a flat mapping.

407
MCQmedium

Refer to the exhibit. A user runs ansible-runner with --container-image localhost/ee-30:latest and receives the error shown. What is the most likely cause?

A.The container image tag is incorrect.
B.The ansible-runner process does not have network access.
C.The execution environment is not listed in the project's execution-environment.yml.
D.The container image has not been pulled or built locally.
AnswerD

The error says 'defined in the local container registry', meaning the image is missing locally.

Why this answer

The error indicates that the container image `localhost/ee-30:latest` is not available locally. The `--container-image` flag tells ansible-runner to use a specific execution environment image, but if that image has not been pulled from a registry or built locally, the container runtime (e.g., Podman or Docker) cannot find it. Option D is correct because the image must exist in the local container storage before ansible-runner can launch it.

Exam trap

Red Hat often tests the distinction between local image availability and network access, leading candidates to incorrectly assume that ansible-runner automatically pulls missing images when it does not by default.

How to eliminate wrong answers

Option A is wrong because the tag `latest` is valid and the error does not mention an invalid tag format; a missing image error would occur regardless of tag correctness if the image is not present. Option B is wrong because the error message indicates the image is not found locally, not that network access is blocked; ansible-runner does not attempt to pull the image when `--container-image` is used unless `--container-option` or `--container-pull` is explicitly set. Option C is wrong because the execution-environment.yml file is used by Automation Controller (formerly Ansible Tower) to define execution environments for job templates, not by the `ansible-runner` command-line tool; ansible-runner directly uses the image specified via `--container-image`.

408
Multi-Selectmedium

An Ansible content creator wants to ensure that a collection is properly structured and meets Red Hat's best practices. Which TWO of the following are required files in a valid Ansible collection structure?

Select 2 answers
A.meta/runtime.yml
B.galaxy.yml
C.plugins/README.md
D.requirements.yml
E.roles/requirements.yml
AnswersA, B

Correct. This file is required to specify Ansible version compatibility and runtime features.

Why this answer

A is correct because `meta/runtime.yml` is a required file in a valid Ansible collection structure. It defines the collection's runtime dependencies, such as minimum Ansible version and action group mappings, ensuring the collection is compatible with the Ansible runtime environment. B is correct because `galaxy.yml` is the mandatory metadata file that describes the collection's name, version, authors, and other essential information, and it is required for publishing to Ansible Galaxy or Automation Hub.

Exam trap

The trap here is that candidates often confuse optional documentation files (like `plugins/README.md`) or dependency files (like `requirements.yml`) with the strictly required structural files (`galaxy.yml` and `meta/runtime.yml`), leading them to select non-mandatory options.

409
MCQhard

A company has a large infrastructure with over 1000 servers. They run a playbook that configures NTP on all servers. The playbook takes over 30 minutes due to sequential execution. The team wants to reduce execution time. Which approach should they take?

A.Use serial: 10 to batch hosts.
B.Set forks: 50 and strategy: free.
C.Use include_tasks to parallelize tasks.
D.Use ansible-pull on each server.
AnswerB

More forks increase concurrent hosts; free strategy removes batching.

Why this answer

Option B is correct because increasing forks and using free strategy maximizes parallelism. Option A (serial) still processes batches sequentially. Option D (ansible-pull) shifts the workload but may not be faster.

Option C (include_tasks) does not affect parallelism.

410
Matchingmedium

Match each Ansible playbook directive to its purpose.

Concepts
Matches

Specify target hosts or groups

Enable privilege escalation

Define variables

List of modules to execute

Special tasks run on notification

Why these pairings

Key keywords in Ansible playbooks.

411
Multi-Selectmedium

Which TWO statements about inventory groups in Ansible Automation Platform are correct? (Choose exactly two.)

Select 2 answers
A.A host can belong to multiple groups
B.Inventory groups can be used in smart inventories as filter criteria
C.Host variables are the only way to define variables for a host
D.Groups cannot be members of other groups
E.Dynamic inventory sources cannot produce groups
AnswersA, B

A host can be a member of multiple groups, e.g., 'webservers' and 'production'.

Why this answer

Options A and B are correct. D is wrong because groups can contain other groups (nested groups). C is wrong because host variables can be defined at the group level.

E is wrong because smart inventories are a separate type, not a dynamic source.

412
MCQhard

An admin imports this inventory into AAP and assigns a machine credential that uses SSH key authentication. The job fails with 'Authentication failed'. What is the most likely cause?

A.The private key file path in the inventory does not exist on the controller.
B.The credential's SSH key is not being used because the inventory variable ansible_ssh_private_key_file conflicts.
C.The machine credential does not contain an SSH private key.
D.The 'ansible_become' variable is missing from the inventory.
AnswerB

AAP uses the credential's key when a credential is assigned; the inventory variable is ignored and can cause confusion.

Why this answer

Option B is correct because AAP does not use inventory variables for authentication; it uses credentials. The variable 'ansible_ssh_private_key_file' is ignored by AAP, and the credential must be used. Option C is incorrect because the credential is present.

Option A is incorrect because the key path is not used. Option D is incorrect because the become method is not relevant to this failure.

413
Multi-Selecteasy

A managed node is configured with an Ansible vault-encrypted variable file. When running a playbook that uses these variables, the user receives a 'decryption failed' error. Which two steps should the user take to resolve the issue?

Select 2 answers
A.Verify the file permissions are set to 600.
B.Check that the SSH private key has access to the managed node.
C.Make sure the vault password file contains the path to the vault file.
D.Ensure the vault ID matches the one used when encrypting the file.
E.Verify the correct vault password is being provided.
AnswersD, E

Vault ID must match if used during encryption.

Why this answer

Option D is correct because Ansible vault supports multiple vault IDs (labels) to manage different passwords for different encrypted files. If the vault ID used during decryption does not match the one used when encrypting the file, Ansible will fail to decrypt it, even if the correct password is provided. The `--vault-id` option or `ANSIBLE_VAULT_ID_MATCH` environment variable must align the ID with the encryption context.

Exam trap

The trap here is that candidates often assume 'decryption failed' always means a wrong password, overlooking that Ansible vault IDs must match exactly when multiple vault passwords are in use.

414
Multi-Selecthard

Which THREE factors are essential for achieving idempotent behavior in Ansible plays?

Select 3 answers
A.Task execution order should not affect the final state.
B.Modules should be state-based and check current state before action.
C.Variables registered from previous tasks should be avoided.
D.Loops must be avoided because they always cause changes.
E.The 'ignore_errors' directive should be used sparingly and only when appropriate.
AnswersA, B, E

Idempotent plays produce same result regardless of order.

Why this answer

Options A, B, and E are correct. B: Modules should check current state before making changes. A: Tasks should not rely on the order of execution across hosts.

E: Avoid using 'ignore_errors' carelessly as it can mask failures and prevent idempotency. D is wrong because loops can be idempotent if designed correctly. C is wrong because register variables can be used idempotently.

415
MCQeasy

A team wants to ensure that a sensitive variable, such as a database password, is not printed when ansible-playbook runs with -v (verbose). What is the best method to achieve this?

A.Set the password as an environment variable on the control node.
B.Store the password in a file with 0600 permissions and use lookup('file', ...).
C.Use the 'no_log: true' directive on the task.
D.Use the 'ansible-vault encrypt_string' command and reference the variable from a vault file.
AnswerC

Correct: 'no_log: true' suppresses logging of task input/output, protecting sensitive data.

Why this answer

Option C is correct because 'no_log: true' prevents the task's input and output from being logged. Option B is good practice but does not prevent logging if the task prints the variable. Option A is insecure as environment variables may be exposed.

Option D encrypts the variable but if the task prints it, it's still logged. Therefore, C is the best direct method.

416
MCQeasy

A developer wants to encrypt a string in a playbook variable file. Which command should they use?

A.ansible-vault rekey
B.ansible-vault create
C.ansible-vault edit
D.ansible-vault encrypt_string
AnswerD

Encrypts a single string inline.

Why this answer

Option D is correct because `ansible-vault encrypt_string` is specifically designed to encrypt a single string value for use in a playbook variable file, without encrypting the entire file. This command outputs the encrypted string in a format that can be directly pasted into a YAML variable definition, preserving the rest of the file as plaintext.

Exam trap

The trap here is that candidates confuse encrypting a single string with encrypting an entire file, leading them to choose `ansible-vault create` or `ansible-vault edit` instead of the specific `encrypt_string` subcommand.

How to eliminate wrong answers

Option A is wrong because `ansible-vault rekey` is used to change the password of an already encrypted file, not to encrypt a string. Option B is wrong because `ansible-vault create` creates a new encrypted file from scratch, not a single string for a variable file. Option C is wrong because `ansible-vault edit` opens an existing encrypted file for modification, not to encrypt a new string.

417
Multi-Selecteasy

A job template has failed. Which TWO logs should be examined first to diagnose the issue?

Select 2 answers
A./var/log/tower/tower.log
B./var/log/tower/job_callback.log
C.Automation controller job stdout
D./var/log/messages
E./var/log/nginx/access.log
AnswersA, B

Main AAP log with errors and warnings.

Why this answer

Option A is correct because `/var/log/tower/tower.log` is the primary log file for the Ansible Tower/Automation Controller service itself, capturing all controller-level events, errors, and system messages. When a job template fails, this log is the first place to check for underlying service issues, authentication failures, or configuration problems that prevented the job from starting or completing. Option B is correct because `/var/log/tower/job_callback.log` specifically records callback data from job runs, including the final status and any errors returned by the Ansible playbook execution, making it essential for diagnosing job-specific failures.

Exam trap

The trap here is that candidates often confuse job stdout (the playbook output) with a log file, or they default to checking generic system logs like `/var/log/messages` instead of the application-specific logs that directly relate to the job template failure.

418
MCQeasy

You are responsible for maintaining a team of 10 Ansible developers. They all rely on a shared collection stored in a private Git repository. Recently, multiple developers reported that their playbooks are failing because they have different versions of the collection installed locally. You decide to standardize the environment by creating a consistent Ansible execution environment. You have a base image of Red Hat Enterprise Linux 8.6, and you need to include the collection from the Git repository. Additionally, the execution environment should be rebuilt automatically whenever the collection is updated. Which approach should you take?

A.Use ansible-navigator to run the playbooks directly from the Git repository without building an execution environment.
B.Write an execution-environment.yml that specifies the base image and uses the 'git' option under 'dependencies' to pull the latest collection from the Git repo, then configure a webhook to rebuild the image on each push.
C.Create a requirements.yml file for the developers to install the collection manually on their local machines.
D.Build the execution environment once using ansible-builder and distribute the resulting container image to all developers manually.
AnswerB

Correct. This ensures a consistent, automatically updated execution environment.

Why this answer

Option B is correct because it uses an execution-environment.yml file with the 'git' option under 'dependencies' to pull the collection directly from the private Git repository during the image build process. This ensures that every build includes the latest version of the collection, and by configuring a webhook (e.g., from GitLab or GitHub) to trigger a rebuild on each push, the environment is automatically standardized across all developers. This approach directly addresses the version inconsistency problem by creating a consistent, version-controlled execution environment.

Exam trap

The trap here is that candidates may confuse running playbooks directly from a Git repo (Option A) with building a consistent execution environment, or they may think manual distribution (Option D) is sufficient without considering the need for automatic updates triggered by collection changes.

How to eliminate wrong answers

Option A is wrong because ansible-navigator can run playbooks from a Git repository, but it does not create a consistent execution environment—it relies on the local system's Python and Ansible installation, which does not solve the version mismatch issue across developers. Option C is wrong because creating a requirements.yml file for manual installation does not standardize the environment; it still allows developers to have different versions or miss updates, leading to the same inconsistency. Option D is wrong because building the execution environment once and distributing the image manually does not provide automatic rebuilds when the collection is updated; it requires manual intervention and redistribution, which is inefficient and error-prone.

419
MCQmedium

An administrator sees this output during a playbook run. What can they conclude?

A.The task had ignore_errors set to yes
B.The playbook was run with the --ignore-errors command-line flag
C.The task was part of a block with rescue
D.The playbook was run with the --check flag
AnswerA

The fatal error followed by 'ignoring' indicates ignore_errors was enabled.

Why this answer

The output shows '...ignoring' after a fatal error, which indicates that the task had 'ignore_errors: yes' set. This causes Ansible to mark the task as failed but continue execution.

420
MCQeasy

Which ansible.cfg setting controls the number of parallel forks for task execution?

A.parallel
B.max_parallel
C.forks
D.threads
AnswerC

The 'forks' setting in ansible.cfg controls the number of parallel processes.

Why this answer

Option C (forks) is correct. Option A (parallel), Option B (max_parallel), and Option D (threads) are not valid settings.

421
MCQmedium

An execution environment fails to start because the container image is missing the ansible-runner package. Which step in the build process should have included it?

A.The ansible-runner role in the builder definition
B.The base image selection in execution-environment.yml
C.The requirement to install ansible-runner via pip in the containerfile
D.The additional_dependencies section in execution-environment.yml
AnswerB

The base image (e.g., ee-29-rhel8) includes ansible-runner and ansible-core; using a minimal base may omit it.

Why this answer

Option B is correct because the base image specified in the `execution-environment.yml` file determines the foundational operating system and packages for the execution environment. If the base image lacks `ansible-runner`, the environment will fail to start, as `ansible-runner` is essential for orchestrating playbook execution. The base image selection is the first step in the build process where this dependency must be satisfied.

Exam trap

The trap here is that candidates confuse the `additional_dependencies` section (which adds packages after the base image) with the base image selection step, thinking that any missing package can be fixed later, but the base image must provide the core `ansible-runner` package for the environment to even start building correctly.

How to eliminate wrong answers

Option A is wrong because the `ansible-runner` role in the builder definition is used to configure the execution environment after the base image is selected, not to include the `ansible-runner` package itself; the role assumes the package is already present. Option C is wrong because installing `ansible-runner` via pip in the Containerfile is a valid method, but the question asks which step in the build process should have included it—the base image selection is the step that determines if `ansible-runner` is available, and pip installation is a subsequent step that could be used if the base image lacks it. Option D is wrong because the `additional_dependencies` section in `execution-environment.yml` is for adding extra packages via `dnf` or `pip`, but it is not the step that should have included `ansible-runner`; the base image selection is the primary step, and `additional_dependencies` is a fallback for missing packages, not the intended step.

422
MCQeasy

Which best practice should be followed when using Ansible to manage task execution across multiple hosts?

A.Use 'ignore_errors: yes' on all tasks to prevent playbook failures.
B.Ensure tasks are idempotent so they can be run multiple times without changing the system state beyond the desired state.
C.Always use serial execution to avoid race conditions.
D.Write tasks that rely on the previous task's output to ensure correct order.
AnswerB

Idempotency is a core principle of Ansible.

Why this answer

Option B is correct because idempotency is a core principle of Ansible: running the same playbook multiple times should produce the same desired state without unintended side effects. This ensures predictable, safe task execution across multiple hosts, as Ansible modules are designed to check the current state before making changes.

Exam trap

The trap here is that candidates confuse 'ignore_errors' with a valid error-handling strategy, or assume serial execution is always safer, when in fact idempotency is the fundamental best practice that Ansible's design revolves around.

How to eliminate wrong answers

Option A is wrong because 'ignore_errors: yes' on all tasks would suppress legitimate failures, making debugging impossible and potentially leaving systems in an inconsistent or broken state. Option C is wrong because serial execution is not always necessary; Ansible's default parallel execution (via forks) is efficient and safe for idempotent tasks, and serial is only used for specific rolling-update scenarios. Option D is wrong because relying on previous task output creates tight coupling and non-idempotent workflows; Ansible encourages using facts, registered variables, and idempotent modules to maintain order without hard dependencies.

423
Multi-Selectmedium

A team is configuring an inventory to manage Windows hosts via Ansible. Which TWO inventory variables must be defined for each host?

Select 2 answers
A.ansible_host
B.ansible_shell_type
C.ansible_user
D.ansible_winrm_server_cert_validation
E.ansible_connection
AnswersA, E

Required to specify the host address.

Why this answer

Option A is correct because `ansible_host` defines the IP address or FQDN that Ansible uses to connect to the managed host. For Windows hosts, this is essential because Ansible cannot rely on the inventory hostname alone (which may be a short name or not resolvable). Option E is correct because `ansible_connection` must be set to `winrm` for Windows hosts; without it, Ansible defaults to SSH, which will fail against Windows targets.

Exam trap

The trap here is that candidates often assume `ansible_user` is mandatory for all connections, but Ansible can derive the user from the current session or other credential sources, whereas `ansible_host` and `ansible_connection` are strictly required to reach and identify the Windows host correctly.

424
MCQmedium

An administrator is configuring a job template in automation controller that runs a playbook to deploy a web application. The playbook requires a database password that changes quarterly. To avoid updating the credential each quarter, what is the best approach to dynamically provide the password without exposing it in the playbook?

A.Use a lookup plugin to fetch the password from an external secrets manager.
B.Store the password as a variable in the project repository and encrypt it with ansible-vault.
C.Define a survey prompt in the job template that asks for the password during launch.
D.Create a custom credential type that prompts for the password each launch.
AnswerC

Survey prompts allow dynamic input without storing the password in the playbook.

Why this answer

Option C is correct because a survey prompt in the job template allows the password to be entered at launch time, avoiding hardcoding or storing it in the playbook or project. This approach dynamically provides the password each quarter without requiring credential updates, as the survey can be configured to prompt for the password as a variable that the playbook uses. It aligns with automation controller's built-in survey feature for secure, runtime variable input.

Exam trap

The trap here is that candidates often confuse survey prompts with custom credential types, assuming that a custom credential type is the only way to prompt for input at launch, but surveys are the native and simpler mechanism for runtime variable input in job templates.

How to eliminate wrong answers

Option A is wrong because lookup plugins fetch data at playbook runtime from external sources, but they require the automation controller to have network access and authentication configured to the secrets manager, which adds complexity and does not inherently avoid credential updates if the password changes quarterly. Option B is wrong because storing the password as an ansible-vault encrypted variable in the project repository still requires updating the vault file each quarter when the password changes, which contradicts the goal of avoiding updates. Option D is wrong because a custom credential type that prompts for the password each launch is essentially a survey-like mechanism but is overly complex for a single variable; it is designed for injecting multiple credential fields, not for a simple runtime prompt, and still requires defining the credential type in the controller.

425
MCQmedium

Refer to the exhibit. An Ansible playbook contains the following block structure. If the task inside the block fails, which of the following describes the execution order of the rescue and always sections?

A.Only always runs.
B.Only rescue runs.
C.Rescue runs, then always.
D.Always runs, then rescue.
AnswerC

Standard block behavior: rescue on failure, then always.

Why this answer

Option C is correct because when a block fails, the rescue section executes, and then the always section runs regardless. Option D is wrong because always runs after rescue, not before. Option B is wrong because the always section always runs. Option A is wrong because rescue runs before always.

426
MCQhard

Your team is responsible for managing a fleet of 200 RHEL 8 servers using Ansible Tower. You have been asked to implement a secure automation workflow that meets the following requirements: 1. All playbooks must be stored in a private Git repository hosted on an internal GitLab server. 2. Credentials to access the Git repository must be stored securely in Ansible Tower. 3. The automation must run on a schedule every night at 2:00 AM. 4. If a playbook run fails, the team must be notified via email. 5. The playbooks require SSH private keys to connect to the managed hosts; these keys must be stored securely. 6. A development team needs to be able to launch the same job template manually, but they must not be able to modify the job template or view the credentials. You have created a Machine Credential for SSH and a Source Control Credential for Git. You have also created a Job Template that references the project, inventory, and credentials. What is the correct sequence of steps to satisfy all requirements?

A.1. Create a Project in Tower, pointing to the Git repository and associate the Source Control Credential. 2. Create a Job Template referencing the Project. 3. Add the Machine Credential to the Job Template. 4. Create a Schedule for the Job Template. 5. Assign the development team execute-only permissions on the Job Template. 6. Configure a Notification Template for email on failure.
B.1. Create a Schedule for 2:00 AM. 2. Create a Project in Tower with Source Control Credential. 3. Create a Job Template with Machine Credential. 4. Assign the development team admin permissions on the Job Template. 5. Configure a Notification Template.
C.1. Create a Project in Tower, pointing to the Git repository without a credential. 2. Create a Job Template referencing the Project. 3. Add the Source Control Credential to the Job Template. 4. Create a Schedule for the Job Template. 5. Assign the development team read-only permissions on the Job Template. 6. Configure a Notification Template for email on failure.
D.1. Create a Project in Tower, pointing to the Git repository and associate the Source Control Credential. 2. Create a Job Template referencing the Project, and add the Machine Credential. 3. Assign the development team read and execute permissions on the Job Template (not admin). 4. Create a Schedule for the Job Template to run at 2:00 AM. 5. Configure a Notification Template for email on failure and associate it with the Job Template.
AnswerD

This sequence correctly associates credentials, sets permissions (read+execute allows launch without edit), schedules, and configures notifications.

Why this answer

Option D is correct because it correctly sequences the steps: first creating a Project with the Source Control Credential to securely access the private Git repository, then creating a Job Template that references the Project and includes the Machine Credential for SSH access to managed hosts. Assigning the development team 'read and execute' permissions (not admin) satisfies the requirement that they can launch the job template manually but cannot modify it or view credentials. Creating a Schedule for 2:00 AM and configuring a Notification Template for email on failure completes the automation workflow.

Exam trap

The trap here is that candidates often confuse the permission levels in Ansible Tower, mistakenly thinking 'execute-only' or 'read-only' allows launching a job template, when in fact the correct combination is 'read and execute' to permit manual launch without modification rights.

How to eliminate wrong answers

Option A is wrong because it adds the Machine Credential to the Job Template after creating the Job Template, which is technically acceptable but the sequence is less efficient; more critically, it assigns 'execute-only' permissions, which in Ansible Tower does not exist as a distinct permission level—the correct permission is 'read and execute' to allow launching without modification. Option B is wrong because it creates the Schedule before the Project and Job Template, which is invalid as a Schedule must be associated with an existing Job Template; it also assigns 'admin' permissions to the development team, which violates the requirement that they must not be able to modify the job template or view credentials. Option C is wrong because it creates the Project without a Source Control Credential, which would fail to authenticate to the private Git repository; it then incorrectly adds the Source Control Credential to the Job Template instead of the Project, and assigns 'read-only' permissions, which in Ansible Tower does not allow launching the job template—only 'read and execute' permits manual launch.

427
Multi-Selecteasy

Which TWO options are best practices for coordinating rolling updates with Ansible? (Choose exactly two.)

Select 2 answers
A.Set ignore_errors: yes to ensure the playbook continues even if some hosts fail.
B.Use the serial keyword to update hosts in batches.
C.Use the default serial setting (all hosts) for simplicity.
D.Set max_fail_percentage to limit the number of failed hosts before aborting.
E.Run all hosts in parallel to minimize total update time.
AnswersB, D

serial enables batching, which is the core of rolling updates.

Why this answer

Option B is correct because the `serial` keyword in Ansible controls how many hosts are updated at a time during a rolling update, allowing you to update hosts in batches to maintain service availability. This is a best practice for coordinating rolling updates as it prevents overwhelming the infrastructure and ensures that a subset of hosts remains operational while others are being updated.

Exam trap

The trap here is that candidates often confuse `ignore_errors` with error handling for rolling updates, not realizing that it bypasses failure detection, whereas `max_fail_percentage` is the correct way to control abort behavior during batch updates.

428
MCQhard

An Ansible playbook that deploys a web application includes a task that uses the `uri` module to call an external API. The task occasionally fails due to API rate limiting. Which combination of keywords should be added to the task to automatically retry up to 5 times with a 30-second delay between attempts, and only fail if all retries are exhausted?

A.`register: result`, `until: status == 200`, `retries: 5`, `delay: 30`
B.`register: result`, `until: result.status == 200`, `retries: 5`, `delay: 30`
C.`until: result.status == 200`, `retries: 5`, `delay: 30`
D.`register: result`, `retries: 5`, `delay: 30`
AnswerB

Correctly registers the result, retries until status 200, with 5 retries and 30-second delay.

Why this answer

Option B is correct because it combines `register` to capture the API response, `until` to check that `result.status` equals 200 (the HTTP success code), `retries: 5` to attempt the task up to five times, and `delay: 30` to wait 30 seconds between retries. This ensures the task only fails after all five retries are exhausted, which is the exact behavior needed to handle transient API rate limiting.

Exam trap

Red Hat often tests the requirement that `register` must be used with `until` to reference the captured result, and that `retries`/`delay` are meaningless without `until` — candidates frequently omit `register` or forget to prefix the variable with `result.` in the condition.

How to eliminate wrong answers

Option A is wrong because it uses `status == 200` instead of `result.status == 200`; without referencing the registered variable, Ansible would look for a nonexistent `status` fact, causing a syntax or logic error. Option C is wrong because it omits `register: result`, so the `until` condition has no captured variable to check, leading to an undefined variable error. Option D is wrong because it lacks the `until` keyword entirely, meaning the task will not retry based on a condition; `retries` and `delay` alone only apply when `until` is present, so the task would run once and fail immediately.

429
MCQmedium

A workflow template in automation controller consists of three job templates that must run sequentially with different credentials. The first job template uses a machine credential to provision a VM, the second uses a network credential to configure the switch, and the third uses a cloud credential to deploy the application. To secure the credential usage, what should the administrator configure?

A.Create a single credential that covers all three environments.
B.Set each job template to use the appropriate credential and ensure workflow node permissions are set to 'use credential'.
C.Define credential validation rules in the workflow node properties.
D.Assign all three credentials to the workflow template directly.
AnswerB

Each job template uses its own credential; workflow nodes inherit those credentials.

Why this answer

Each job template can have its own credential defined. The workflow template does not directly hold credentials; it uses the credentials assigned to each job template. Option D (assign to workflow) is not possible. Option A (single credential) is not appropriate. Option C (validation rules) does not exist.

430
Drag & Dropmedium

Drag and drop the steps to create and apply a simple Ansible playbook that installs httpd into the correct order.

Why this order

A playbook defines hosts and tasks; tasks use modules; after execution, verification confirms success.

431
MCQhard

An organization uses an external secrets management system (e.g., HashiCorp Vault) to store sensitive credentials. They want to integrate it with Ansible Automation Platform so that job templates automatically retrieve credentials from Vault without storing them in the AAP database. Which approach is supported?

A.Use the built-in 'Machine' credential type and store the Vault token in the credential
B.Store the secret in an extra variable and reference it in the playbook
C.Use the 'Ansible Vault' credential type to decrypt vault-encrypted variables in the project
D.Create a custom credential type with an injector that uses a lookup plugin to fetch the secret from Vault
AnswerD

Custom credential types can use runtime lookups to retrieve secrets externally.

Why this answer

Option D is correct because Ansible Automation Platform supports custom credential types that can use lookup plugins (such as `hashi_vault`) to retrieve secrets from external systems like HashiCorp Vault at runtime. The injector template can define environment variables or extra variables that are populated by the lookup plugin, ensuring credentials are never stored in the AAP database.

Exam trap

The trap here is confusing 'Ansible Vault' (a file encryption tool) with 'HashiCorp Vault' (an external secrets manager), leading candidates to incorrectly select Option C, which only handles decrypting Ansible Vault-encrypted files, not integrating with external secret stores.

How to eliminate wrong answers

Option A is wrong because the built-in 'Machine' credential type is designed for SSH authentication, not for storing Vault tokens; it would still store the token in the AAP database, defeating the purpose of external secret retrieval. Option B is wrong because storing the secret in an extra variable means the secret is passed as plain text in the job template or inventory, which persists in the AAP database and logs, violating the requirement to avoid storing credentials. Option C is wrong because the 'Ansible Vault' credential type is used to decrypt Ansible Vault-encrypted files (using a password), not to integrate with external secrets management systems like HashiCorp Vault.

432
Multi-Selecteasy

A playbook must execute cleanup tasks after a block of tasks, both on success and failure. Which two of the following should be used within the block to achieve this?

Select 2 answers
A.ignore_errors
B.rescue
C.failed_when
D.always
E.block
AnswersD, E

always runs after the block regardless of outcome, ensuring cleanup.

Why this answer

The block + always pattern ensures that a set of tasks is always executed regardless of the success or failure of tasks in the block. The block keyword groups tasks, and the always keyword defines tasks that run unconditionally. The rescue keyword is for error handling but is not required for cleanup. The ignore_errors keyword prevents failure but does not guarantee cleanup. The failed_when keyword customizes failure conditions.

433
MCQhard

Refer to the exhibit. The administrator notices that the handler 'restart httpd' runs even though the httpd service was already running. Which change would ensure the handler only runs if the service configuration changes?

A.Add a condition to the handler to check if httpd is already running.
B.Set the handler to 'state: reloaded' instead of 'restarted'.
C.Move the 'Ensure httpd is running' task before the handler notification.
D.Use a separate handler for configuration changes and notify it from tasks that modify configuration files.
AnswerD

This ensures restart only occurs when configuration changes, not on every httpd package update.

Why this answer

The handler is notified by the 'Install httpd' task, which changes only on initial installation or update. However, the handler runs after the 'Ensure httpd is running' task, which is unnecessary. To avoid restarting when the service is already running and no configuration changed, the administrator should add a 'listen' directive or use a separate handler for configuration changes.

434
MCQmedium

A company uses Ansible to manage rolling updates of a web server fleet. During a deployment, the playbook fails on one host due to a transient network error, and the rest of the fleet is left in an inconsistent state. Which strategy would best minimize the risk of inconsistency in future rolling updates?

A.Add retries to each task so transient errors are automatically retried.
B.Use a larger serial batch size to complete the rollout faster.
C.Set ignore_errors: yes on all tasks to continue despite failures.
D.Set max_fail_percentage to 0 in the serial block to abort the rollout on any failure.
AnswerD

max_fail_percentage aborts the playbook if failure rate exceeds threshold, preventing inconsistency.

Why this answer

Option D is correct because setting `max_fail_percentage: 0` in a rolling update (using `serial`) tells Ansible to abort the entire playbook run if any single host fails. This prevents the rest of the fleet from being updated, avoiding an inconsistent state where some hosts have the new deployment and others do not. It directly addresses the risk of partial rollouts caused by transient errors.

Exam trap

The trap here is that candidates often confuse `max_fail_percentage` with `serial` or think that retries (Option A) are sufficient to guarantee consistency, when in fact only aborting the rollout on any failure prevents the fleet from reaching an inconsistent mixed state.

How to eliminate wrong answers

Option A is wrong because adding retries to each task only handles transient errors on a per-task basis, but if the retries are exhausted or the error occurs at a higher level (e.g., host unreachable), the playbook still fails on that host, leaving the fleet inconsistent. Option B is wrong because using a larger serial batch size increases the number of hosts updated simultaneously, which amplifies the risk of inconsistency if a failure occurs — it does not mitigate it. Option C is wrong because setting `ignore_errors: yes` on all tasks causes Ansible to continue despite failures, which can silently leave the failed host in an unknown or partially updated state while the rest of the fleet continues, worsening inconsistency.

435
MCQeasy

An automation team wants to grant a group of operators the ability to launch job templates in automation controller but prevent them from modifying the job template configuration. They also need to troubleshoot failed jobs by viewing job output. Which predefined role should be assigned to the team for a specific job template?

A.Execute role
B.Read role
C.Admin role
D.Update role
AnswerA

Allows launching and viewing output, but not modifying the job template.

Why this answer

The Execute role is the correct predefined role because it grants permission to launch a job template and view job output (including standard out and error logs) without allowing any modifications to the job template's configuration. This aligns exactly with the requirement: operators can execute and troubleshoot failed jobs but cannot edit the template.

Exam trap

The trap here is that candidates often confuse the Execute role with the Read role, assuming that Read allows launching jobs, when in fact Read only permits viewing the template and its output, not executing it.

How to eliminate wrong answers

Option B (Read role) is wrong because it only allows viewing the job template definition and job output, but does not include the permission to launch the job template. Option C (Admin role) is wrong because it grants full administrative privileges, including the ability to modify the job template configuration, which violates the requirement to prevent modifications. Option D (Update role) is wrong because it allows updating the job template's configuration, which is explicitly prohibited by the requirement.

436
MCQhard

A team is setting up an Ansible execution environment that requires a specific version of a Python library that is not available in the default base image. The team wants to minimize the size of the final container. Which approach should they take in the execution-environment.yml file?

A.Use the 'additional_build_steps' key to add a RUN command that installs the library via pip.
B.Use the 'base_image' key to point to a custom image that already contains the library.
C.Use the 'dependencies' key with 'python' to specify the library and version.
D.Use the 'galaxy' key to install the library from a collection.
AnswerC

Correct. This allows ansible-builder to handle installation efficiently and minimize image size.

Why this answer

Option C is correct because the `dependencies` key in `execution-environment.yml` allows specifying Python libraries and their versions under the `python` subkey. Ansible Builder will then install these dependencies during the build process, ensuring the required library is available without bloating the final container with unnecessary layers or manual RUN commands.

Exam trap

The trap here is that candidates confuse the `dependencies` key for Python libraries with the `galaxy` key for Ansible collections, or assume that `additional_build_steps` is the only way to install custom packages, ignoring the built-in Python dependency support.

How to eliminate wrong answers

Option A is wrong because `additional_build_steps` adds arbitrary RUN commands that create extra layers, increasing the final container size and bypassing Ansible Builder's optimized dependency management. Option B is wrong because using a custom base image with the library pre-installed forces the team to maintain a separate image, defeating the purpose of using the standard execution environment and often resulting in a larger base image. Option D is wrong because the `galaxy` key is for installing Ansible collections, not Python libraries; it cannot resolve pip dependencies.

437
MCQeasy

Which filter converts a string like 'hello' into a list of characters ['h','e','l','l','o']?

A.`list`
B.`split`
C.`join`
D.`map`
AnswerA

Correct; the list filter converts a string to a list of characters.

Why this answer

The `list` filter in Ansible converts a string into a list of its individual characters by iterating over the string and creating a list where each element is a single character. This is a built-in Jinja2 filter that works directly on strings, making option A correct for transforming 'hello' into ['h','e','l','l','o'].

Exam trap

The trap here is that candidates often confuse `split` with `list`, assuming `split` without arguments will break a string into characters, but `split` actually requires an empty delimiter to approximate that behavior, which is not standard and can lead to errors.

How to eliminate wrong answers

Option B is wrong because `split` divides a string into a list based on a delimiter (default whitespace), not into individual characters; `'hello' | split('')` would raise an error or produce unexpected results. Option C is wrong because `join` is the inverse operation—it concatenates list elements into a string, not the other way around. Option D is wrong because `map` applies a function to each element of a list or iterable, but it does not convert a string into a list of characters; it would require a separate filter like `list` to first break the string into characters.

438
MCQmedium

A playbook uses the 'debug' module to print a variable 'my_var' but the output is 'VARIABLE IS UNDEFINED'. The variable is defined in group_vars/all.yml. Which filter could be used to provide a default value and avoid this error?

A.{{ my_var | mandatory }}
B.{{ my_var | default('fallback') }}
C.{{ my_var | ternary('yes', 'no') }}
D.{{ my_var | dflt('fallback') }}
AnswerB

default provides a fallback value when my_var is undefined.

Why this answer

Option B is correct because the `default` filter in Ansible provides a fallback value when a variable is undefined, preventing the 'VARIABLE IS UNDEFINED' error. Using `{{ my_var | default('fallback') }}` ensures that if `my_var` is not defined in group_vars/all.yml or any other precedence level, the string 'fallback' is used instead of causing a failure.

Exam trap

The trap here is that candidates may confuse the `default` filter with the `mandatory` filter, thinking that 'mandatory' provides a fallback, when in fact it enforces definition and causes an error if the variable is missing.

How to eliminate wrong answers

Option A is wrong because the `mandatory` filter forces the variable to be defined; if it is undefined, it raises an error, which is the opposite of providing a default value. Option C is wrong because the `ternary` filter evaluates a condition and returns one of two values based on truthiness, not a default for undefined variables. Option D is wrong because `dflt` is not a valid Ansible filter; the correct filter name is `default`.

439
MCQhard

Refer to the exhibit. A playbook fails with the above error when using ansible-vault. What is the most likely cause?

A.The file is not encrypted with ansible-vault.
B.The vault password file is missing.
C.The vault id used in the playbook does not match the one used to encrypt the file.
D.The user does not have read permissions on the file.
AnswerC

The error states 'for vault id default', which suggests the vault id is mismatched.

Why this answer

The error specifically mentions vault id 'default', indicating that the file was encrypted with a different vault id or the password for the default id is wrong. The most common cause is a mismatch between the vault id used in the playbook and the one used to encrypt the file.

440
Multi-Selectmedium

Which TWO of the following are valid methods to include external variable files into an Ansible playbook?

Select 2 answers
A.using the 'add_host' module
B.using the 'set_fact' module
C.using the 'include_vars' module
D.using '-e' command line option
E.using the 'vars_files' directive in the play
AnswersC, E

Correct: include_vars loads variables from files at runtime.

Why this answer

Options C and E are correct. include_vars is a module, and vars_files is a play keyword. Options A, B, and D are not methods to include external variable files.

441
MCQmedium

A new technician runs a playbook that uses the yum module to install packages. The playbook fails with 'No package matching' for a custom package. The package is available on a third-party repository. Which step should the technician take?

A.Use the rpm_key module to import the GPG key.
B.Add the repository using the yum_repository module.
C.Use command: yum install directly.
D.Update the package cache using yum update.
AnswerB

Properly adds the repository for package installation.

Why this answer

Option B is correct because adding the repository using the yum_repository module is the proper way. Option A (rpm_key) is for importing GPG keys, not adding repos. Option C (command) bypasses the module and is not idempotent. Option D (yum update) does not add repos.

442
MCQ · medium

An organization is deploying Automation Platform for the first time. The security team requires that all SSH private keys used for automation be stored securely with access controls. Which AAP feature should be used to meet this requirement?

A. Store the private key in plain text within the inventory file.
B. Use Ansible Vault to encrypt the private key file.
C. Set the SSH key as an environment variable on the controller.
D. Create a Machine credential type and upload the SSH private key.
Answer: D

AAP machine credentials store SSH keys encrypted and allow granular access control.

Why this answer

Option D is correct because the Machine credential type in Ansible Automation Platform (AAP) is specifically designed to securely store SSH private keys. When you upload the private key via the AAP web UI or API, it is encrypted at rest in the AAP database and access is controlled through role-based access control (RBAC). This meets the security team's requirement for secure storage and access controls without exposing the key in plain text.

Exam trap

The trap here is that candidates may confuse Ansible Vault (a file-level encryption tool) with AAP's credential management system, not realizing that Vault does not provide the centralized access control and audit trail required for enterprise security compliance.

How to eliminate wrong answers

Option A is wrong because storing a private key in plain text within an inventory file violates basic security principles and exposes the key to anyone with file system access, which is not secure storage with access controls. Option B is wrong because Ansible Vault encrypts files at rest but does not integrate with AAP's native credential system; the key would still need to be decrypted at runtime and managed outside of AAP's RBAC, failing the access control requirement. Option C is wrong because setting the SSH key as an environment variable on the controller exposes it to any process or user that can read environment variables, and it lacks the granular access controls and audit logging that AAP credentials provide.

443
Matching · medium

Match each Ansible inventory parameter to its meaning.

Concepts
Matches

Hostname or IP to connect to

SSH user for connection

SSH port number

Private key file path

Python interpreter path

Why these pairings

Common inventory variables for Ansible connection.

444
Multi-Select · medium

Which TWO statements about execution environments are true?

Select 2 answers
A. Execution environments can include both Ansible and system dependencies.
B. Execution environments cannot be used with ansible-playbook directly.
C. Execution environments must be built using ansible-builder.
D. Ansible Navigator is required to use execution environments.
E. Execution environments are OCI containers.
Answers: A, E

They bundle all needed components.

Why this answer

Option A is correct because execution environments are container images that bundle all dependencies required to run Ansible, including both Ansible itself (e.g., specific versions of ansible-core and collections) and system-level dependencies (e.g., Python libraries, SSH clients, or package managers). This ensures consistent behavior across different control nodes and eliminates the 'works on my machine' problem.

Exam trap

Red Hat often tests the misconception that `ansible-builder` is the only way to build execution environments, but candidates must remember that any OCI-compliant container build tool (e.g., Dockerfile) can be used, and pre-built images can be pulled from a registry.

445
MCQ · easy

A systems administrator needs to run a playbook that installs packages on a group of managed nodes. The playbook should run only on nodes that are part of the 'web_servers' group in the inventory. Which approach is best practice?

A. Set 'hosts: web_servers' in the play.
B. Set 'hosts: all' and use '--limit web_servers' when running ansible-playbook.
C. Set 'hosts: localhost' and delegate tasks to web_servers.
D. Set 'hosts: all' and use a 'when' condition to check if the node is in the web_servers group.
Answer: A

Directly targeting the group is the simplest and most readable approach.

Why this answer

Option A is correct because setting 'hosts: web_servers' in the play directly targets only the nodes in that inventory group, which is the simplest and most maintainable approach. This follows Ansible's best practice of declaring the target group explicitly in the playbook rather than relying on runtime flags or conditional logic, ensuring the playbook's intent is clear and portable.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing runtime flags or conditional logic, forgetting that Ansible's simplest and most explicit targeting method—setting 'hosts' to the group name—is both best practice and the most reliable for clarity and execution.

How to eliminate wrong answers

Option B is wrong because using '--limit web_servers' with 'hosts: all' is a runtime override that can be forgotten or misapplied, making the playbook less self-documenting and error-prone; it also requires the operator to remember the flag each time. Option C is wrong because setting 'hosts: localhost' and delegating tasks to web_servers is unnecessary complexity—delegation is meant for tasks that must run on the control node (e.g., fetching files), not for targeting a group of managed nodes. Option D is wrong because using a 'when' condition to check group membership (e.g., 'when: "web_servers" in group_names') still runs the play on all nodes, wasting resources and potentially causing failures on non-target nodes if tasks are not idempotent.

446
Multi-Select · hard

An organization uses automation controller with multiple projects and teams. They want to enforce that only the operations team can run job templates that make changes in production, while the development team can only run job templates that deploy to development environments. Which three components should be configured to achieve this? (Choose three.)

Select 3 answers
A. Assign different credentials to each job template.
B. Create separate job templates for production and development.
C. Define team roles for each job template.
D. Set execution environments to be team-specific.
E. Use a workflow template that routes based on user role.
Answers: A, B, C

Ensures only appropriate credentials are used.

Why this answer

Option A is correct because credentials in automation controller (formerly Ansible Tower/AWX) define the authentication context for a job template. By assigning different credentials (e.g., SSH keys or cloud API tokens) to production and development job templates, you can enforce that only the operations team's credentials have access to production infrastructure, while the development team's credentials are restricted to development environments. This is a fundamental access control mechanism that ties authentication directly to job execution.

Exam trap

The trap here is that candidates confuse execution environments (which are runtime containers) with access control mechanisms, or assume workflow templates can dynamically route based on user roles, when in fact RBAC is static and defined per object.

447
MCQ · hard

A company uses dynamic inventory from a cloud provider. The playbook needs to run tasks only on instances with a specific tag. The ansible_ec2_tags variable is not available. What is the most efficient method to filter hosts?

A. Use the hostvars lookup to check tags.
B. Use the ec2_instance_facts module inside the playbook to gather facts and filter.
C. Use a static inventory file with hosts pre-filtered.
D. Use the amazon.aws.aws_ec2 inventory plugin with compose and keyed_groups.
Answer: D

Pre-filters hosts at inventory time, most efficient.

Why this answer

Option C is correct because using the aws_ec2 inventory plugin with compose and keyed_groups allows pre-filtering hosts efficiently. Option A is inefficient as it runs a task on all hosts. Option B may not have the variable available. Option D requires manual maintenance.

448
MCQ · easy

Which key in the galaxy.yml file defines the collection's namespace?

A. collection
B. authors
C. name
D. namespace
Answer: D

The 'namespace' key in galaxy.yml defines the namespace.

Why this answer

The `namespace` key in the `galaxy.yml` file explicitly defines the collection's namespace, which is the first part of the fully qualified collection name (FQCN) and is used to organize collections under a specific publisher or organization on Ansible Galaxy. This is a required field in the `galaxy.yml` metadata file, as per the Ansible Collection structure.

Exam trap

Red Hat often tests the distinction between `namespace` and `name` in `galaxy.yml`, knowing candidates may confuse the two or think `namespace` is implied by the directory structure rather than explicitly defined in the file.

How to eliminate wrong answers

Option A is wrong because `collection` is not a valid key in `galaxy.yml`; the file itself describes a collection, but no such key exists. Option B is wrong because `authors` is a metadata field listing the collection's authors, not the namespace. Option C is wrong because `name` defines the collection's short name (the second part of the FQCN), not the namespace.

449
MCQ · medium

A playbook using the 'uri' module is timing out when connecting to an external API. The network team confirms connectivity. What Ansible configuration parameter can be adjusted to increase the timeout?

A. validate_certs
B. retries
C. ansible_timeout
D. delay
Answer: C

Sets the timeout for connections.

Why this answer

Option C is correct because `ansible_timeout` is an Ansible configuration parameter that controls the default socket-level timeout for network connections, including those made by the `uri` module. When an external API is slow to respond, increasing this value (default 10 seconds) allows the playbook to wait longer before aborting the connection attempt.

Exam trap

The trap here is that candidates confuse `ansible_timeout` with module-specific parameters like `retries` or `delay`, thinking those control the initial connection timeout when they actually only affect behavior after a failure.

How to eliminate wrong answers

Option A is wrong because `validate_certs` controls SSL certificate verification, not connection timeout; disabling it would bypass certificate checks but not extend the wait time. Option B is wrong because `retries` is a parameter for the `uri` module that controls how many times to retry a failed request, but it does not affect the initial connection timeout; retries only apply after a failure occurs. Option D is wrong because `delay` is a parameter for the `uri` module that specifies the time to wait between retries, not the initial connection timeout; it only matters if retries are configured.

450
MCQ · hard

Refer to the exhibit. The playbook uses the 'yum' module to install 'httpd' on a RHEL 8 system. Which of the following is the most likely cause of the failure?

A. The 'yum' module is deprecated for RHEL 8; must use 'dnf'.
B. The AppStream repository is not enabled on the target host.
C. The remote host does not have subscription-manager access.
D. The package name is misspelled; it should be 'apache2'.
Answer: B

httpd is in AppStream; if disabled, package won't be found.

Why this answer

On RHEL 8, the `yum` command is a symbolic link to `dnf`, and the `yum` Ansible module internally uses `dnf` as the backend. The most common cause of failure when installing a package like `httpd` on RHEL 8 is that the AppStream repository (which contains `httpd`) is not enabled or available on the target host. Without an enabled repository containing the package, the module cannot resolve and install it, leading to a failure.

Exam trap

The trap here is that candidates assume the `yum` module is deprecated or incompatible with RHEL 8, but the actual failure is almost always a repository availability issue, not the module itself.

How to eliminate wrong answers

Option A is wrong because the `yum` module is not deprecated for RHEL 8; it is fully functional and internally delegates to `dnf` on RHEL 8 systems, so using the `yum` module is valid. Option C is wrong because subscription-manager access is not required for installing `httpd`; the package is available from standard repositories (e.g., AppStream) and does not require a Red Hat subscription to be accessed. Option D is wrong because the package name `httpd` is correct for RHEL 8; `apache2` is the package name used on Debian-based systems, not on RHEL.
