CCNA Implement advanced Ansible automation Questions

75 of 94 questions · Page 1/2 · Implement advanced Ansible automation · Answers revealed

1
MCQ · medium

A role contains a handler. The playbook includes the role and also defines a task that notifies the same handler. When the playbook runs, the handler executes only once. Which of the following best explains this behavior?

A. the handler was already triggered by the role and is skipped for the play task
B. handlers are deduplicated by name; multiple notifications trigger the handler only once per play
C. the role's handler uses 'listen' which overrides notifications
D. the playbook's task notifies a different handler with the same name
Answer: B

Correct: Ansible ensures handlers execute once even if notified multiple times.

Why this answer

Option A is correct because Ansible deduplicates notifications by handler name. Option B is false (handler runs once regardless). Options C and D are incorrect.

2
MCQ · easy

An administrator needs to apply a set of firewall rules to multiple servers. They have created a playbook that uses the firewalld module. When running the playbook, they receive 'ERROR! module not found: firewalld'. The control node has the module available locally. What is the most likely cause?

A. The playbook uses the wrong module name.
B. The ansible.posix collection is not installed on the control node.
C. The ansible.cfg has a wrong module path.
D. The module is not installed on the target nodes.
Answer: B

The module resides in ansible.posix, which needs to be installed.

Why this answer

Option D is correct because firewalld is part of the ansible.posix collection, which must be installed. Option A is not the cause because modules run on the control node. Option B is plausible but less likely if the collection is missing.

Option C is wrong because the module name is correct.

3
MCQ · easy

An Ansible playbook is designed to run on a group of database servers. The administrator wants to ensure that a task runs only on the primary database server, which is defined in the inventory with a variable 'primary: true'. Which conditional should be used?

A. ignore_errors: yes
B. when: primary
C. run_once: true
D. delegate_to: "{{ primary }}"
Answer: B

The when clause evaluates to true if the variable is truthy.

Why this answer

Option B is correct because the `when` conditional in Ansible evaluates a Jinja2 expression to determine whether a task should execute. By using `when: primary`, the task will run only on hosts where the inventory variable `primary` is defined and evaluates to `true` (a truthy value). This directly meets the requirement to target the primary database server.

Exam trap

The trap here is that candidates confuse `run_once: true` with a conditional that selects a specific host, not realizing `run_once` merely limits execution to a single arbitrary host in the group, not the one defined by a variable like `primary: true`.

How to eliminate wrong answers

Option A is wrong because `ignore_errors: yes` does not control task execution based on a condition; it merely continues playbook execution if the task fails, which is irrelevant to targeting a specific host. Option C is wrong because `run_once: true` ensures a task runs only once across the entire batch of hosts (typically on the first host in the group), but it does not select a specific host based on a variable like `primary: true`; it could run on any host, not necessarily the primary. Option D is wrong because `delegate_to: "{{ primary }}"` attempts to delegate the task to a host named by the variable `primary`, but this is not a conditional; it changes the target host for execution and would fail if `primary` is not a valid hostname or group, and it does not evaluate a boolean variable.

4
Drag & Drop · medium

Drag and drop the steps to configure a network bond (bond0) using nmcli in the correct order.

Why this order

Bonding: create bond, add slaves, set mode, activate, verify.

5
MCQ · medium

A playbook uses serial: 2 and sets any_errors_fatal: true. The first batch of 2 hosts both fail. What happens?

A. The playbook continues with the next batch.
B. The playbook aborts and no further batches run.
C. The playbook marks the batch as unreachable and continues.
D. The playbook retries the failed hosts.
Answer: B

any_errors_fatal stops execution on first failure.

Why this answer

Option A is correct because any_errors_fatal causes the play to abort on any failure when serial is used. Option B is wrong because fatal errors halt execution. Option C is wrong because there is no automatic retry.

Option D is wrong because it marks as unreachable but still aborts.

6
Multi-Select · hard

Which two statements about ansible-vault are true? (Select exactly 2.)

Select 2 answers
A. Vault-encrypted files cannot be used with include_vars.
B. Vault can encrypt entire files or individual variables.
C. Vault uses AES-128 encryption by default.
D. Vault passwords can be stored directly in ansible.cfg.
E. Vault supports multiple passwords with vault IDs.
Answers: B, E

ansible-vault encrypts at file level; variable encryption requires specific syntax.

Why this answer

Options A and E are correct. ansible-vault can encrypt files or individual variables, and supports multiple passwords via vault IDs. Option B is false because AES-256 is used. Option C is false because vault passwords cannot be stored directly in ansible.cfg; only a path to a password file can.

Option D is false because vault-encrypted files can be used with include_vars when decrypted.

7
MCQ · medium

An Ansible role has tasks that need to run in a specific order, and some tasks must use a different shell interpreter. Which feature allows the role to control task execution order and environment settings?

A. Use the meta module to declare dependencies and the environment directive in tasks.
B. Use the strategy plugin and a custom lookup to set interpreter.
C. Use tags to control execution order and a custom inventory script.
D. Use the block directive to order tasks and a vars file for interpreter.
Answer: A

Meta can specify role order; environment sets interpreter.

Why this answer

Option A is correct because the meta module can set role dependencies and the environment directive sets interpreter. Option B is wrong because block is for grouping tasks, not ordering between roles. Option C is wrong because tags are for filtering, not ordering.

Option D is wrong because strategy is for play-level ordering.

8
MCQ · hard

An administrator needs to securely pass a database password to a playbook without exposing it in logs or the command line. Which approach is the most secure?

A. Store the password in an Ansible Vault-encrypted variable file and include it.
B. Set the password in a variable and use 'no_log: true' on tasks that use it.
C. Store the password in a host_vars file with restricted file permissions.
D. Prompt for the password and pass it as an extra variable using -e.
Answer: A

Vault encrypts the data, and the vault password is prompted or provided via a vault password file.

Why this answer

Option A is correct because Ansible Vault encrypts the variable file at rest, and including it via `vars_files` or `include_vars` decrypts it only in memory during playbook execution. This prevents the password from appearing in logs, the command line, or the process table, meeting the security requirement.

Exam trap

The trap here is that candidates often confuse `no_log: true` with actual encryption, thinking it hides the secret from all exposure, when in fact it only suppresses output and does not protect the secret from being visible in the process table or module internals.

How to eliminate wrong answers

Option B is wrong because `no_log: true` only hides the task output from logs, but the password is still passed in plaintext to the module and could be exposed via the process table or debug output if the module itself logs it. Option C is wrong because `host_vars` files with restricted file permissions still store the password in plaintext on disk, and any user with read access to the file or a backup can retrieve it. Option D is wrong because passing the password as an extra variable with `-e` exposes it in the command line, which is visible in the process list and shell history, and it may also appear in logs if the playbook uses `--log-level` or `ANSIBLE_LOG_PATH`.

9
MCQ · medium

Refer to the exhibit. Which of the following is the most likely cause of this error?

A. The playbook is running without '--become' flag.
B. The 'become_method' is set to 'su' instead of 'sudo'.
C. The 'ansible_become_password' was provided but incorrect.
D. The remote user is not in the sudoers file.
E. The 'ask_become_pass' is set to 'false' and no become password is provided.
Answer: E

Correct: If ask_become_pass is false and no password is set via variable or vault, Ansible cannot obtain a sudo password, resulting in 'Missing sudo password'.

Why this answer

Option E is correct. The error 'Missing sudo password' indicates that Ansible attempted to become root via sudo, but no password was provided and the configuration does not allow passwordless sudo. Option A would give a different error.

Option B would also give a password prompt or error, but the specific message points to missing password. Option C would give 'incorrect password' error. Option D would not attempt become at all.

Therefore, E is most likely.

10
MCQ · hard

An Ansible playbook uses the 'constructed' inventory plugin with 'keyed_groups' to create groups based on 'ansible_distribution'. Despite correct configuration, hosts are not assigned to the expected groups. What is the most likely cause?

A. the 'keyed_groups' syntax uses invalid Jinja2 expressions
B. the inventory file is incorrectly formatted
C. the 'strict' option is set to 'yes' and the required facts are not gathered
D. the plugin is not enabled in ansible.cfg
Answer: C

Correct: with strict: yes, undefined variables cause group assignment to fail silently.

Why this answer

Option C is correct because 'strict: yes' causes the plugin to fail on undefined variables; if facts are not gathered, 'ansible_distribution' is undefined. Options A, B, and D are plausible but less likely.

11
MCQ · easy

A large enterprise manages its infrastructure with Ansible Automation Platform. The operations team reports that job runs are taking longer than expected, especially for playbooks that include role dependencies. After investigation, they notice that the control node has high CPU and memory usage during job execution. The inventory contains 500 hosts, and the playbooks use several roles that include dynamic includes (include_tasks) based on conditional variables. The team wants to reduce the load on the control node without changing the playbook logic or reducing functionality. Which action should the team take?

A. Use the --limit flag to run the playbook against a subset of hosts.
B. Increase the forks value in ansible.cfg to 100 to speed up execution.
C. Enable pipelining in ansible.cfg by setting pipelining = True.
D. Migrate to AWX to distribute job execution across multiple nodes.
Answer: C

Pipelining reduces the number of SSH operations, decreasing control node load.

Why this answer

Enabling pipelining reduces the number of SSH connections Ansible makes to each host by combining multiple task operations into a single SSH session. This drastically lowers the overhead on the control node's CPU and memory, especially when executing many tasks with dynamic includes across a large inventory, without altering playbook logic.

Exam trap

The trap here is that candidates often confuse increasing forks (Option B) as a performance fix, but it actually increases control node load, while pipelining reduces connection overhead without changing parallelism.

How to eliminate wrong answers

Option A is wrong because --limit reduces the number of target hosts, which changes the scope of execution and does not reduce load per host or address the control node's resource usage during role dependency resolution. Option B is wrong because increasing forks speeds up parallel execution but actually increases CPU and memory load on the control node by spawning more concurrent SSH processes, worsening the problem. Option D is wrong because migrating to AWX distributes job execution across worker nodes, which offloads work from the control node but is a significant architectural change that goes beyond the requirement of not changing functionality and is not a simple configuration fix.

12
Multi-Select · easy

Which TWO of the following are advantages of using 'ansible-pull' over 'ansible-playbook'?

Select 2 answers
A. It can be used in environments where a central control node is not desired.
B. It eliminates the need for an inventory file.
C. Nodes can self-configure by pulling playbooks from a git repository.
D. It supports a different syntax for playbooks that is more efficient.
E. It reduces load on the control node because it runs locally on each node.
Answers: A, C

ansible-pull eliminates the need for a central push server.

Why this answer

Option A is correct because ansible-pull operates in a pull-based model where each managed node independently retrieves and executes playbooks from a central repository (e.g., a Git server). This eliminates the need for a persistent central control node, making it ideal for environments where a dedicated Ansible control node is not desired or feasible, such as in large-scale or decentralized deployments.

Exam trap

The trap here is that candidates often confuse 'eliminating the need for a control node' with 'eliminating the need for inventory,' or incorrectly assume that running locally automatically reduces load, when in fact the load is redistributed rather than reduced.

13
MCQ · hard

Refer to the exhibit. An Ansible playbook targeting 'production' hosts fails with 'deploy_user is undefined'. What is the most likely cause?

A. the playbook uses a different group name in the play
B. the inventory file is missing the host entries
C. the variable is defined but overridden by a higher precedence variable
D. the variable 'deploy_user' is not defined in any group or host vars
Answer: D

Correct: the inventory only defines ansible_user, not deploy_user.

Why this answer

Option A is correct because 'deploy_user' is not defined anywhere in the inventory shown. Options B, C, D are plausible but not directly supported by the exhibit.

14
MCQ · easy

A playbook uses the copy module to deploy a configuration file. The file should be templated with variables, but the engineer mistakenly uses the 'src' parameter with a static file instead of 'content' or a template module. What is the most likely outcome?

A. The module automatically renders the Jinja2 template before copying.
B. The file is copied without variable substitution, resulting in literal Jinja2 syntax in the destination.
C. The playbook fails because the source file contains undefined variables.
D. The task is skipped because copy cannot handle variables.
Answer: B

Copy module does not process templates.

Why this answer

Option A is correct because copy with src copies the file as-is, no variable substitution. Option B is wrong because the module does not fail on static content. Option C is wrong because it won't automatically render variables; that requires template module.

Option D is wrong because it will copy the file, not skip.

15
MCQ · hard

Refer to the exhibit. The playbook fails because the httpd package is not found. Which is the most likely cause?

A. The inventory does not define 'webservers' group.
B. The role path is incorrectly configured in ansible.cfg.
C. The target host does not have the necessary repositories enabled.
D. The 'yum' module should use 'name=httpd' instead of YAML syntax.
Answer: C

The package httpd is not found, indicating repositories are missing or not enabled.

Why this answer

The error indicates the package is not available. This is typically due to missing or incorrect repository configuration. The playbook itself and role syntax are valid.

16
MCQ · medium

An Ansible playbook fails intermittently when deploying web servers. The error message indicates that a required package is not available in the repository. Which approach would best ensure that the required packages are consistently available before the playbook runs?

A. Set 'ignore_errors: yes' on the package installation task and handle the failure later.
B. Add retries and delay to the package installation task.
C. Add a pre_task to run 'dnf update' or 'apt update' before the package installation.
D. Use the 'get_url' module to download the package from an external source and install it manually.
Answer: C

Updating the repository cache ensures the latest package metadata is available.

Why this answer

Option C is correct because the intermittent failure is caused by the package metadata cache being stale or missing. Running 'dnf update' (RHEL/CentOS) or 'apt update' (Debian/Ubuntu) as a pre_task refreshes the repository index, ensuring that the package manager has the latest list of available packages before attempting installation. This directly resolves the 'package not available' error by synchronizing the local cache with the remote repository.

Exam trap

The trap here is that candidates often choose retries (Option B) thinking it handles transient network issues, but the real problem is a stale metadata cache, which retries cannot fix; the exam tests understanding of package manager internals versus generic error-handling strategies.

How to eliminate wrong answers

Option A is wrong because 'ignore_errors: yes' merely suppresses the failure notification without addressing the root cause; the package will still be missing, and subsequent tasks that depend on it will fail. Option B is wrong because retries and delay only reattempt the same failing operation, which will continue to fail if the repository metadata is stale; they do not update the cache. Option D is wrong because using 'get_url' to download and manually install a package bypasses the repository entirely, which is brittle, insecure, and does not leverage the system's package manager for dependency resolution or updates.

17
MCQ · hard

Refer to the exhibit. When running the playbook with the limit set to 'webservers', why does the playbook fail on web2?

A. The 'webservers' group includes web2 due to a misconfiguration.
B. The SSH key for web2 is not authorized.
C. The inventory file has a syntax error causing web2 to be included in webservers.
D. The playbook's 'hosts' directive is set to 'all' instead of 'webservers'.
Answer: A

The inventory JSON shows web2 is not in webservers, but the playbook still tries to run on web2, suggesting the limit is not working correctly or the inventory is misconfigured.

Why this answer

The inventory shows web2 is in the 'all' group but not in the 'webservers' group. The limit 'webservers' should only target web1, but the playbook still attempts to connect to web2. This indicates an error in the inventory or playbook configuration.

18
MCQ · easy

A systems administrator needs to run a playbook that applies configuration changes to a set of servers. They want to ensure that if any task fails on a host, the playbook continues with the next host without aborting the entire play. Which play-level keyword should they use?

A. Set `gather_facts: no` to skip fact gathering and reduce failure points.
B. Set `any_errors_fatal: true` at the play level.
C. Set `force_handlers: true` at the play level.
D. `ignore_errors: yes` on each task that might fail.
Answer: D

Setting `ignore_errors: yes` on a task allows the play to continue to the next host even if that task fails on a given host.

Why this answer

Option D is correct because `ignore_errors: yes` on each task ensures that if a task fails on a host, the playbook continues executing subsequent tasks on that host and moves on to the next host without aborting the entire play. This directly meets the requirement to continue with the next host upon task failure.

Exam trap

The trap here is that candidates often confuse `ignore_errors` with `any_errors_fatal` or `force_handlers`, mistakenly thinking that setting a play-level keyword can achieve per-task failure tolerance without modifying individual tasks.

How to eliminate wrong answers

Option A is wrong because `gather_facts: no` only skips the fact-gathering step, which reduces network overhead but does nothing to control playbook behavior when a task fails. Option B is wrong because `any_errors_fatal: true` causes the entire play to abort immediately on any task failure, which is the opposite of what is needed. Option C is wrong because `force_handlers: true` ensures handlers run even when the play fails, but it does not prevent the play from aborting or continue execution to the next host after a task failure.

19
MCQ · hard

An organization uses Ansible Tower to manage automation across different teams. One team has a job template that uses a custom Python virtual environment located at '/opt/custom_venv' to run a playbook that uses the 'docker_container' module from the 'community.docker' collection. The playbook runs successfully from the command line when using the '--ask-become-pass' option and the virtual environment activated. However, when the team runs the same playbook via the Ansible Tower job template, it fails with an error indicating that the 'docker_container' module is not found. The job template is configured to use the custom virtual environment under the 'CUSTOM VIRTUAL ENVIRONMENT' setting. The team confirms that the virtual environment has the collection installed (verified by running 'ansible-galaxy collection list' inside the venv). What is the most likely cause of the failure?

A. The playbook should use the 'ansible_connection: local' directive to force local execution.
B. The Ansible Tower node executing the job does not have the custom virtual environment installed.
C. The 'community.docker' collection was installed in the default system-wide location instead of the custom virtual environment.
D. The job template's 'CUSTOM VIRTUAL ENVIRONMENT' setting points to a different path than '/opt/custom_venv'.
Answer: B

The virtual environment must be present on the execution node.

Why this answer

Ansible Tower runs jobs on the node where the job template is executed. The custom virtual environment must be present on that node and contain the required collections. Option D is correct because Tower's job runner uses the configured virtual environment, but if the node running the job is not the same as the control node, the venv may not exist or may be incomplete.

Option A is incorrect because the venv does have the collection. Option B is incorrect because Tower can use custom venvs. Option C would not fix a missing collection.

20
MCQ · easy

A system administrator wants to run a playbook on all hosts in the 'webservers' group, but only if the host is currently online. Which approach should be used?

A. Set 'gather_facts: no' to skip fact collection.
B. Use 'throttle: 1' to limit concurrent connections.
C. Set 'serial: 1' to run on one host at a time.
D. Use 'wait_for_connection' as a pre-task to ensure connectivity.
Answer: D

wait_for_connection waits for the host to become reachable.

Why this answer

Option D is correct because the `wait_for_connection` module is specifically designed to pause the playbook execution until a remote host becomes reachable over SSH or WinRM. By placing it as a pre-task, the playbook will only proceed to subsequent tasks for hosts that are currently online, effectively filtering out offline hosts. This directly meets the requirement to run the playbook only on hosts in the 'webservers' group that are online.

Exam trap

The trap here is that candidates confuse connectivity testing with execution control keywords like `serial` or `throttle`, mistakenly believing those options can prevent a playbook from running on offline hosts, when in fact they only manage concurrency or order of execution without verifying reachability.

How to eliminate wrong answers

Option A is wrong because setting 'gather_facts: no' only skips the collection of system facts from remote hosts; it does not test connectivity or determine if a host is online. Option B is wrong because 'throttle: 1' limits the number of concurrent tasks or connections to one at a time, but it does not verify whether a host is reachable before running tasks. Option C is wrong because 'serial: 1' forces the playbook to execute on one host at a time, but it still attempts to connect to each host regardless of its online status, potentially causing failures or timeouts.

21
MCQ · hard

A company uses Ansible Vault to encrypt sensitive data in playbooks. They have multiple environments (dev, test, prod) and use a separate vault password file for each environment. The passwords are stored in files named 'vault-pass-dev', 'vault-pass-test', and 'vault-pass-prod'. To run a playbook against the test environment, they use the command 'ansible-playbook site.yml -i test -e @test-vars.yml --vault-id test@vault-pass-test'. This runs successfully from the command line. However, when they define the same vault-id in an Ansible Tower credential and attempt to run the job, the job fails with 'ERROR! Decryption failed (no vault secrets would be found that could decrypt the vault encrypted file)' for a vault-encrypted variable file that was encrypted with a different vault ID (e.g., 'dev'). The team expects that Tower would use the provided vault credential to decrypt all vault-encrypted files. Which change should be made to ensure correct decryption in Tower?

A. Add multiple vault credentials to the job template, one for each vault ID used in the project.
B. Enter all vault passwords separated by commas in the 'VAULT PASSWORD' field of a single credential.
C. Re-encrypt all files with the same vault ID (e.g., 'default') to simplify the setup.
D. Change the vault password file to contain the password for the vault ID that was used to encrypt the file.
Answer: A

Tower can use multiple vault credentials to decrypt files with different vault IDs.

Why this answer

Ansible Vault with multiple vault IDs allows different passwords for different files. The Tower credential only provides one vault password per vault ID. To decrypt files encrypted with multiple vault IDs, multiple vault credentials or a single credential with multiple vault IDs must be configured.

Option A correctly suggests using a single vault password file that contains the correct password for the file being decrypted, but the issue is that the file was encrypted with a different vault ID. Option B is the standard way in Tower: associate multiple vault credentials with the job template, each corresponding to a different vault ID. Option C is incorrect because Tower does not accept multiple passwords via one field.

Option D would only work if the file was encrypted with the default ID.

22
MCQ · easy

An administrator wants to run a playbook with a different user for a specific host. Which variable should be set?

A. ansible_user
B. ansible_user_id
C. ansible_ssh_user
D. ansible_remote_user
Answer: A

Correct variable to set SSH user.

Why this answer

Option A is correct because ansible_user sets the SSH user for a host. Option B is a deprecated synonym. Option C is for user ID on target.

Option D is a deprecated alternative.

23
MCQ · medium

An Ansible playbook includes a role that defines default variables in 'defaults/main.yml' and role variables in 'vars/main.yml'. A playbook sets the same variable in the play's 'vars' section. Which variable value takes precedence?

A. Role defaults
B. Inventory group vars
C. Role vars
D. Play vars
Answer: D

Play vars have higher precedence than role vars.

Why this answer

In Ansible, variable precedence is hierarchical, and play vars (set directly in the play's `vars` section) have a higher priority than role defaults and role vars. Specifically, play vars override role vars, which in turn override role defaults. Therefore, when the same variable is defined in all three locations, the play vars value takes precedence.

Exam trap

Red Hat often tests the misconception that role vars override play vars because they are defined inside the role, but the actual precedence places play vars above role vars, so candidates must memorize the full variable precedence order to avoid this trap.

How to eliminate wrong answers

Option A is wrong because role defaults have the lowest precedence among the listed options; they are meant to be easily overridden by any other variable source. Option B is wrong because inventory group vars have a lower precedence than play vars; they are overridden by play vars when both define the same variable. Option C is wrong because role vars have a higher precedence than role defaults but are still overridden by play vars, which sit higher in the variable precedence order.

24
MCQ · hard

Given the command and error above, what is the most likely cause of the failure?

A. The vault file 'vault@prompt' does not exist.
B. The vault password file must be encrypted with ansible-vault.
C. The --vault-id syntax is incorrect; 'vault@prompt' should be a label and password source, not a vault file.
D. The --check flag is incompatible with vault encryption.
Answer: C

Users often confuse vault-id with vault file; proper usage is '--vault-id @prompt' or '--vault-id myvault@prompt'.

Why this answer

Option D is correct because --vault-id expects a password source, not an encrypted file; the vault file itself should not be specified as a vault-id. Option A is wrong because --check should work. Option B is wrong because the vault file exists.

Option C is wrong because encryption is needed, but the error message says the vault password must be encrypted, which is misleading; actually the vault-id parameter is misused.

25
Multi-Select · hard

An Ansible Automation Platform administrator is reviewing a job template that runs a playbook against a large inventory. To improve performance without sacrificing accuracy, which TWO strategies should be implemented? (Choose two.)

Select 2 answers
A. Implement the ansible-cmdb tool to generate a CMDB from gathered facts.
B. Enable fact caching using a Redis backend.
C. Use the serial keyword to limit concurrent execution to 1 host at a time.
D. Set forks to 50 in ansible.cfg to maximize parallel execution.
E. Set gathering = explicit in ansible.cfg to skip fact gathering.
Answers: A, B

ansible-cmdb centralizes system information, reducing the need for repeated fact gathering.

Why this answer

Option A is correct because the ansible-cmdb tool generates a Configuration Management Database (CMDB) from gathered facts, which can be used for documentation and analysis without re-running fact gathering on every playbook execution. Option B is correct because enabling fact caching with a Redis backend stores gathered facts in a fast, external cache, allowing subsequent playbook runs to reuse cached facts instead of gathering them again from each host, which significantly reduces execution time for large inventories.

Exam trap

The trap here is that candidates may confuse 'improving performance' with 'increasing parallelism' (Option D) or 'skipping facts entirely' (Option E), without realizing that fact caching preserves accuracy while reducing redundant work, and that ansible-cmdb is a documentation tool, not a runtime performance enhancer.

26
MCQ · hard

An Ansible automation engineer is developing a role that manages a microservice. The role needs to include conditional tasks based on whether a variable `microservice_version` is defined. If defined, it should use that version; otherwise, it should default to `latest`. Which of the following is the most efficient and idiomatic way to implement this default value within the role?

A. In `defaults/main.yml`: `microservice_version: latest` and reference `{{ microservice_version }}` in the task.
B. In the task: `image: "myimage:{{ microservice_version }}"` and use `| mandatory` to fail if undefined.
C. In the task: `vars: microservice_version: "{{ microservice_version | default('latest') }}"`
D. In the task: `image: "myimage:{{ microservice_version | default('latest') }}"`
Answer: D

The default filter provides a fallback value when the variable is undefined.

Why this answer

Option D is correct because it uses the `default` filter directly in the task to set a fallback value for `microservice_version` when it is undefined. This is the most efficient and idiomatic approach in Ansible, as it avoids modifying role defaults or introducing extra variables, and it handles the conditional logic inline without unnecessary complexity.

Exam trap

The trap here is that candidates often confuse the `default` filter with setting variables in `defaults/main.yml`, not realizing that `defaults/main.yml` always provides a value (even if the variable is defined elsewhere with a lower precedence), whereas the `default` filter only applies when the variable is truly undefined, preserving the ability to conditionally use an externally defined value.

How to eliminate wrong answers

Option A is wrong because setting `microservice_version: latest` in `defaults/main.yml` would override any variable defined at a higher precedence (e.g., play vars or extra vars) with the default, but it does not conditionally check if the variable is defined; it always provides a default, which is not the same as conditionally using the defined value. Option B is wrong because using `| mandatory` would cause the task to fail if `microservice_version` is undefined, which contradicts the requirement to default to `latest` when undefined. Option C is wrong because it attempts to redefine `microservice_version` inside the task's `vars` using the same variable name, which creates a recursive reference and will result in an undefined variable error or unexpected behavior.

27
MCQmedium

An Ansible role has multiple dependencies defined in meta/main.yml. One of the dependent roles should be executed before the role's own tasks, but only if a certain condition is met. How can this be implemented?

A.The dependency cannot be conditional; use 'include_role' with 'when' in the tasks.
B.Use 'condition' field in the dependencies list.
C.Use 'when' condition in the role's tasks to include the dependency.
D.Use 'pre_tasks' in the playbook to run the conditional dependency.
AnswerA

Correct: Dependencies are always applied; use include_role with when for conditional execution.

Why this answer

Option C is correct because role dependencies in meta are unconditional. To conditionally apply a role, use 'include_role' with 'when' in the tasks. Option A is incorrect because including dependencies within tasks is awkward. Option B has no such field. Option D uses pre_tasks but that is at the play level, not role level. Therefore, C is correct.

28
MCQhard

An Ansible playbook uses a rolling update strategy with serial: 1. After the first host is updated, the playbook stops and shows 'PLAY RECAP' with only one host. What is the most likely reason?

A.the playbook has a 'failed_when' condition that stops execution
B.the inventory contains only one host
C.the play uses 'delegate_to' incorrectly
D.the playbook does not have any task that triggers the next batch, and 'serial' only controls concurrency, not retry
AnswerD

Correct: Serial limits batch size; playbook runs once per batch and finishes.

Why this answer

Option A is correct because the playbook only runs one iteration per host due to 'serial: 1' and lacks a loop or next batch trigger. Options B, C, D are plausible but not the direct cause.

29
MCQmedium

An engineer runs the playbook as shown. What is the expected result?

A.Only the 'configure firewall' task is executed; the rest are skipped.
B.The 'configure firewall' task is executed, the 'enable service' task is skipped, and the playbook continues to the next play.
C.All tasks are executed and the playbook completes successfully.
D.The 'configure firewall' and 'enable service' tasks are executed; the 'start service' task is skipped.
AnswerB

Answered 'y' for configure firewall, 'n' for enable service (skipped), and 'c' for start service (continue to next play).

Why this answer

Option B is correct because the playbook uses the `block` and `rescue` keywords. The 'configure firewall' task runs first and fails (e.g., due to a syntax error or connectivity issue). The `rescue` block then executes the 'enable service' task.

However, the `always` block (which contains 'start service') is not present, so the playbook does not execute any 'always' tasks; instead, it proceeds to the next play after the rescue block completes. The 'start service' task is not part of the block/rescue structure and is skipped because the play moves to the next play after the rescue.

Exam trap

Cisco often tests the misconception that the `always` block is mandatory or that tasks after a rescue block will still execute, but in reality, the play moves to the next play after the rescue, skipping subsequent tasks in the same play.

How to eliminate wrong answers

Option A is wrong because the 'configure firewall' task is executed, but the rescue block ensures the 'enable service' task runs after the failure, not skipped entirely. Option C is wrong because the 'configure firewall' task fails, so not all tasks are executed; the 'start service' task is skipped due to the play moving to the next play. Option D is wrong because the 'start service' task is not executed; it is skipped because the rescue block does not include it, and the playbook continues to the next play after the rescue.

30
MCQeasy

A playbook uses the 'block' feature to group tasks and includes a 'rescue' section. If a task inside the block fails, what happens?

A.The rescue tasks run, and then the entire playbook fails.
B.The rescue tasks run, and the play continues with the next task after the block.
C.The rescue tasks are ignored and the play fails immediately.
D.The block is re-executed after rescue.
AnswerB

Correct: This is the standard behavior of block/rescue in Ansible.

Why this answer

Option A is correct. The rescue tasks run after a failure inside the block, and then the play continues with the next task after the block. Option B is wrong because the play does not fail after rescue. Option C is wrong because the block is not re-executed. Option D is wrong because rescue tasks are executed. Therefore, A is correct.

31
MCQhard

A playbook uses the 'include_tasks' module to load platform-specific tasks. The playbook fails intermittently with 'Could not find or access file' error on some runs but works on others. Which of the following is the most likely cause?

A.The 'include_tasks' is used inside a block that has 'always' section.
B.The task file path is not absolute and Ansible's search order is inconsistent.
C.The 'include_tasks' is used with a loop and the loop variable shadows the included file's parameter.
D.The playbook uses 'any_errors_fatal: true' causing early exits.
AnswerC

Correct: Variable shadowing can cause the included file's expected variable to be overridden, leading to file lookup failures on some iterations.

Why this answer

Option D is correct because if the loop variable used in include_tasks shadows a parameter expected by the included file, it can cause variable collision and file resolution issues. Option A is less likely because Ansible's search order is consistent. Option B and C would cause consistent failures. Therefore, D is the most likely cause.

32
MCQhard

An Ansible playbook uses delegation to run a task on localhost while targeting remote hosts. The task fails with 'connection refused' for the remote host. What is the most likely cause?

A.the remote host is not reachable from the control node
B.the task uses 'connection: local' incorrectly or omits it
C.the playbook lacks 'gather_facts: yes'
D.the delegate host lacks required Python libraries
AnswerB

Correct: when delegating, the connection should be set to local unless using 'delegate_to' with proper connection vars.

Why this answer

Option B is correct because 'delegate_to: localhost' runs the task locally, but the connection keyword 'ansible_connection' may still refer to remote if not set correctly. Option A is plausible but less common. Options C and D are incorrect.

33
Multi-Selectmedium

Which three of the following are valid methods to pass variables to an Ansible playbook at runtime? (Choose three.)

Select 3 answers
A.Using '--extra-vars' command line option.
B.Using '--ask-vault-pass' and storing variables in encrypted files.
C.Using 'environment' directive in the playbook.
D.Using 'vars_prompt' in the playbook.
E.Using '-e @file' to load variables from a JSON file.
AnswersA, D, E

Correct: This directly passes variables or file paths.

Why this answer

Options A, C, and E are correct. A uses --extra-vars on the command line, C uses -e @file to load from a file, and E uses vars_prompt interactively. Option B is for vault password, not variables. Option D sets environment variables, not playbook variables. Therefore, A, C, and E are correct.

34
Multi-Selecteasy

An administrator wants to ensure that Ansible facts gathered from a host are consistent across multiple playbook runs. Which two actions can help achieve this? (Choose two.)

Select 2 answers
A.Use 'gather_facts: no' and manually run 'setup' module with specific filter.
B.Use 'tags' to only gather facts on selective runs.
C.Enable fact caching using 'ansible_cache' plugin with a persistent backend like Redis.
D.Disable fact caching and gather facts every time.
E.Set 'ANSIBLE_GATHERING=smart' and configure cache_timeout.
AnswersC, E

Correct: Caching stores facts between runs, ensuring consistency.

Why this answer

Options B and D are correct. Option B enables fact caching with a persistent backend, storing facts for reuse. Option D uses smart gathering and cache_timeout to reuse cached facts within a timeframe. Option A forces gathering every run, not consistent. Option C reduces facts but doesn't cache. Option E uses tags but does not affect fact persistence. Therefore, B and D are correct.

35
MCQeasy

An organization has a set of common tasks used in many playbooks. The tasks are updated frequently. What is the most maintainable way to share them?

A.Create a role and store it in a local directory referenced by ansible.cfg.
B.Copy the task files into each project repository.
C.Package the tasks into a collection and install it via ansible-galaxy.
D.Use include_tasks with a relative path from each playbook.
AnswerC

Centralized, versioned, and easy to update.

Why this answer

Option D is correct because packaging tasks into a collection and distributing via ansible-galaxy allows versioned, maintainable sharing. Option A leads to duplication. Option B requires manual updates. Option C is fragile with relative paths.

36
MCQeasy

An administrator wants to reuse a set of tasks that configure a firewall across multiple playbooks. Which Ansible feature should be used to achieve this?

A.Create a role for firewall configuration.
B.Add the tasks to the inventory file under a group.
C.Define the tasks in a vars file and include it.
D.Define the tasks as handlers and notify them.
AnswerA

Roles are the standard way to package reusable content.

Why this answer

A role is the correct Ansible feature for reusing a set of tasks across multiple playbooks. Roles provide a structured, self-contained directory layout for tasks, handlers, variables, templates, and files, allowing the firewall configuration logic to be packaged once and referenced in any playbook via the `roles:` directive or `import_role`/`include_role` modules.

Exam trap

The trap here is confusing roles with other reusable components like variables or handlers, leading candidates to think that storing tasks in a vars file or using handlers can achieve the same cross-playbook reuse.

How to eliminate wrong answers

Option B is wrong because the inventory file defines hosts and groups, not reusable task logic; adding tasks to an inventory file is syntactically invalid and would not execute them. Option C is wrong because vars files store variables, not tasks; including a vars file with `include_vars` cannot run tasks. Option D is wrong because handlers are special tasks triggered by notifiers only when a change occurs, not designed for general-purpose reuse across playbooks.

37
MCQeasy

Refer to the exhibit. What is the purpose of the 'failed_when' condition?

A.It fails the task only if the return code is non-zero and the error does not indicate 'not installed'.
B.It ensures the task never fails regardless of return code.
C.It fails the task only if the package is installed.
D.It fails the task if the package is not installed.
AnswerA

Correct: This is exactly what the condition defines.

Why this answer

Option B is correct. The condition fails the task only if the return code is non-zero and the stderr does not contain 'not installed'. If the package is not installed, the stderr contains 'not installed', so the condition is false and the task does not fail. Options A, C, and D are incorrect interpretations. Therefore, B is correct.

38
Multi-Selectmedium

Which TWO statements about Ansible roles are correct? (Select exactly 2)

Select 2 answers
A.A role can directly include tasks from another role using the `include_tasks` module.
B.Roles can have dependencies on other roles defined in `meta/main.yml`.
C.Roles have a predefined directory structure that includes `tasks`, `handlers`, `defaults`, `vars`, `meta`, `templates`, and `files`.
D.Variables defined in `defaults/main.yml` override those in `vars/main.yml`.
E.Roles cannot include playbooks.
AnswersB, C

Role dependencies are defined in `meta/main.yml` using the `dependencies` key.

Why this answer

Option B is correct because Ansible roles can declare dependencies on other roles in their `meta/main.yml` file using the `dependencies` keyword. This ensures that dependent roles are executed before the dependent role, enabling modular and reusable automation workflows.

Exam trap

Red Hat often tests the distinction between `include_role` and `include_tasks` to see if candidates confuse including a role's tasks versus including a role itself, and the precedence order of `defaults` vs `vars` to catch those who think defaults override vars.

39
MCQhard

Refer to the exhibit. After the playbook run fails on the 'Verify config' task, what happens to the 'restart service' handler?

A.The handler runs immediately after the failed task.
B.The handler is not executed because the playbook failed before the end of the play.
C.The handler runs on the next playbook run.
D.The handler is executed because it was notified before the failure.
AnswerB

By default, handlers run at the end of the play only if all tasks succeed. If a task fails, the play aborts and handlers are not run.

Why this answer

Handlers are notified but only run at the end of the play if notified. However, if a subsequent task fails, the playbook stops, and handlers are not executed unless the 'force_handlers' option is set.

40
MCQeasy

An automation engineer wants to run a playbook only on hosts that belong to both the 'webservers' group and the 'production' group. Which inventory grouping method achieves this?

A.webservers:&production
B.webservers:production
C.webservers:!production
D.webservers+,production
AnswerA

Ampersand specifies intersection of hosts in both groups.

Why this answer

Option C is correct because Ansible supports intersecting group patterns with ':&'. Option A is wrong because it would union the groups. Option B is wrong because it would exclude. Option D is wrong because it is invalid syntax.

41
MCQeasy

A developer reports that a role's behavior is not as expected. They set a variable in the playbook's vars section, but the role still uses the value from its vars/main.yml. Which of the following explains this issue?

A.vars defined in the playbook have higher precedence than those in roles/vars/main.yml
B.vars defined in group_vars override both play and role vars
C.the playbook must use include_vars after the role to override
D.vars defined in roles/vars/main.yml have higher precedence than those in the playbook's vars section
AnswerD

Correct: role vars override play vars.

Why this answer

Option B is correct because Ansible variable precedence places role vars (vars/main.yml) above play vars. Option A is false. Option C is true but does not explain the issue. Option D is a workaround but not the explanation.

42
MCQhard

A system administrator uses the ansible-vault encrypt_string command to encrypt a sensitive variable. The variable is included in a playbook via a vars_prompt. When the playbook runs, the vault password is provided, but the playbook fails with 'Vault password is required for decryption' for the prompted variable. What is the most likely cause?

A.The vault-encrypted variable is used in a vars_prompt, which expects plaintext input; encrypted value cannot be prompted.
B.The variable is defined in a vault-encrypted file without a prompt.
C.The vault password file is corrupted or missing.
D.The encrypted string includes extra whitespace or quotes that cause parsing issues.
AnswerA

vars_prompt expects user to enter the value; a vault string cannot be prompted.

Why this answer

Option C is correct because ansible-vault encrypt_string creates a variable that is automatically decrypted only if it's stored in a file or passed via --extra-vars; vars_prompt requires the variable to be entered manually, so the vault-encrypted value is not usable. Option A is wrong because the prompt is defined as prompted variable, not from file. Option B is wrong because the vault password is provided. Option D is wrong because the variable is encrypted, not wrapped in other quotes.

43
MCQhard

An Ansible Tower/AWX job template uses a custom inventory script that dynamically queries an API. The script returns JSON including groups and hosts. Recently, the API started returning HTTP 500 errors intermittently, causing inventory sync failures. Which Ansible approach can make the inventory source more resilient?

A.Configure the inventory script to use the Ansible cache plugin with a timeout and fallback to cached data.
B.Wrap the inventory script invocation in a Jinja2 template with error handling.
C.Use the setup module to gather facts and store them locally as a fallback inventory.
D.Modify the inventory script to retry on failure and write results to a static file.
AnswerA

Cache can serve stale data if API fails.

Why this answer

Option A is correct because using a cache plugin with a long timeout reduces API calls and tolerates intermittent failures. Option B is wrong because templates don't handle API errors. Option C is wrong because facts don't prevent sync failures. Option D is wrong because it adds complexity and doesn't improve resilience.

44
MCQmedium

The playbook above fails with 'template source file not found' for the copy task. Which change should be made to fix it?

A.Use the 'template' module instead of 'copy' for .j2 files.
B.Add 'delegate_to: localhost' to copy the file from the control node.
C.Set 'backup: no' because backup creates additional files.
D.Set 'gather_facts: yes' to allow Ansible to locate the template.
AnswerA

Template module processes Jinja2 templates.

Why this answer

Option D is correct because the template module should be used to render .j2 files. Option A is wrong because the file exists on the control node, not remote. Option B is wrong because backup is not related. Option C is wrong because facts are not required to find the source.

45
MCQhard

A playbook uses the 'win_chocolatey' module to install software on Windows hosts. The playbook is idempotent for most packages, but one package consistently fails with 'The package is already installed' error despite being reinstalled each run. Which approach ensures true idempotency?

A.Change state=present to state=latest to ensure the module only updates if needed.
B.Use the 'force' option in win_chocolatey to allow reinstalling, and ignore the error.
C.Add a 'when' condition to skip the package if it is already installed based on a registered variable from the win_chocolatey module's results.
D.Use a win_shell task with a check command to detect installation, and conditionally run the win_chocolatey task only when absent.
AnswerD

Manual check ensures idempotent execution.

Why this answer

Option D is correct because win_chocolatey with state=latest will upgrade if needed, but for idempotency, using state=present with choco upgrade command is not needed; the real issue is that the module might not detect the installation correctly. Using win_shell to check before install is more reliable. Option A is wrong because it does not check. Option B is wrong because it triggers upgrade every time. Option C is wrong because it forces reinstall.

46
MCQmedium

An organization uses separate network hops that require different SSH usernames for different inventory groups. Which Ansible configuration approach ensures each group uses the correct SSH user without duplicating playbooks?

A.Create a group_vars directory with a file named after the group containing ansible_user.
B.Specify the SSH user in the inventory file for each host.
C.Set the ansible_user variable in ansible.cfg.
D.Define ansible_user in the playbook using vars.
AnswerA

Group vars allow per-group variable values.

Why this answer

Option D is correct because group_vars files can set ansible_user per group. Option A is wrong because ansible.cfg applies globally. Option B is wrong because it's not best practice and can be overridden. Option C is wrong because inventory file is less scalable.

47
MCQmedium

An Ansible playbook uses async and poll to run a long-running task. The task reports 'async task did not complete within the requested time'. Which of the following is the most likely cause?

A.the poll interval is set too long
B.the async timeout value is set too short for the task duration
C.the async task requires become: yes
D.the host is unreachable
AnswerB

Correct: the timeout must be greater than the expected task runtime.

Why this answer

Option D is correct because the async timeout value set in the play or task is too short. Options A, B, C are less likely.

48
MCQhard

Refer to the exhibit. The playbook copies all .conf files from the control node to host1. If the playbook runs again on the same host without any changes, which task status is expected?

A.The task will fail because the destination directory already contains files.
B.All items will show 'ok' because files are identical.
C.The task will be skipped because the files already exist.
D.All items will show 'changed'.
AnswerB

The copy module uses checksums; if source and destination are the same, it reports 'ok'.

Why this answer

The copy module uses checksums to detect changes. If the files are identical, the task will report 'ok' (not 'changed'). However, the with_fileglob lookup runs on the control node and will always return the same list. The copy module will compare each file and report 'ok' if unchanged.

49
MCQmedium

A playbook uses a loop over a list of packages to ensure they are installed. However, the playbook runs slowly because each package is processed individually. Which optimization technique should be used to improve performance?

A.Pass the entire list to the package module's 'name' parameter instead of looping.
B.Use with_items instead of loop; with_items is faster.
C.Set the async parameter on the looped task to run packages in parallel.
D.Use the serial keyword at the play level to increase parallelism.
AnswerA

Many package modules accept a list, reducing task overhead.

Why this answer

Option B is correct because using the 'loop' with the package module installs each package individually; switching to a single call with a list is faster. Option A is wrong because async is for long-running tasks, not parallel package installs. Option C is wrong because serial controls host batching, not per-task parallelism. Option D is wrong because it's the opposite of performance improvement.

50
MCQmedium

A DevOps team is developing a collection of Ansible roles to standardize web server deployments. One role, 'webserver-base', configures the firewall and installs common packages. Another role, 'webserver-app', depends on 'webserver-base' and adds application-specific configurations. The team wants to ensure that when 'webserver-app' is applied to a host, 'webserver-base' is automatically applied first. They currently have a 'meta/main.yml' file in 'webserver-app' that lists 'webserver-base' as a dependency. However, when they run a playbook that includes 'webserver-app' in a role list, they notice that 'webserver-base' runs after 'webserver-app' sometimes, causing configuration conflicts. They verify that the dependency is correctly defined and that no other roles are involved. What change should they make to ensure 'webserver-base' always runs before 'webserver-app'?

A.Change the dependency type to 'include_role' in the playbook to control ordering.
B.Set 'static: yes' in the dependency entry in the dependent role's meta/main.yml.
C.Add 'order: before' to the dependency entry in meta/main.yml.
D.Add a 'pre_tasks' section in the playbook to include 'webserver-base' before 'webserver-app'.
AnswerB

This forces the dependency to be resolved statically, ensuring correct order.

Why this answer

By default, role dependencies are executed before the dependent role. The issue described suggests that something is causing the order to be reversed. Option C, using 'static: yes' in the dependency definition, forces Ansible to inline the dependencies at playbook parse time, ensuring the correct order. Option A is not a valid keyword for dependency ordering. Option B would cause the role to be included multiple times. Option D would run the role explicitly but does not guarantee dependency order if the role is used elsewhere.

51
MCQmedium

An Ansible playbook sets a variable with a dictionary value in the play's vars and also in group_vars/all. When the play runs, the dictionary in group_vars completely replaces the one in play vars. What is the most likely reason?

A.the playbook uses 'set_fact' which overrides all other vars
B.the play vars dictionary is defined with incorrect YAML syntax
C.the group_vars file uses a different variable name
D.Ansible's default variable precedence uses replacement, not merging, for dictionaries
AnswerD

Correct: unless 'hash_behaviour=merge' is set, later sources replace earlier ones.

Why this answer

Option A is correct because Ansible does not merge dictionaries by default; a variable assignment overwrites entirely. Option B is false (hash_behaviour default is replace). Options C and D are incorrect.

52
Multi-Selecthard

Which TWO of the following are correct about Ansible Vault?

Select 2 answers
A.vault encryption is irreversible
B.vault encrypted files cannot be edited in place
C.the vault password can be provided via the '--vault-password-file' option
D.vault can encrypt only specific variable values within a file
E.the vault id can be specified to use multiple vault passwords
AnswersC, E

Correct: this is a common way to automate vault decryption.

Why this answer

Options A and D are correct. Vault password can be provided via a file, and vault id allows using multiple passwords. Option B is false (vault can encrypt whole files). Option C is false (vault encrypts files, not individual variables without using !vault). Option E is false (encryption is reversible with decryption).

53
Multi-Selecthard

An Ansible playbook repeatedly uses the same pattern: check if a service is running, if not start it, and then verify it's running. Which three Ansible features can be used to reduce code duplication? (Choose three.)

Select 3 answers
A.Using 'include_vars' to reuse variable files.
B.Using a role with multiple tasks and handlers.
C.Using 'debug' module to output the status.
D.Creating a custom filter plugin to encapsulate the logic.
E.Using 'include_tasks' with a loop to include a common task file.
AnswersB, D, E

Correct: Roles encapsulate tasks, handlers, and variables for reuse.

Why this answer

Options B, D, and E are correct. B (custom filter plugin) can encapsulate logic, D (roles) can group tasks, and E (include_tasks with loop) can reuse a task file. Option A is for variables, not logic. Option C is for debugging, not reuse. Therefore, B, D, and E are correct.

54
MCQmedium

A playbook uses the 'block' and 'rescue' keywords to handle errors. The block contains three tasks. The first task fails. What happens next?

A.The rescue section runs and retries the failed task.
B.The rescue section runs immediately after the failure.
C.The playbook fails with an error message.
D.The remaining tasks in the block run, then the rescue section runs.
AnswerB

Rescue is executed when any task in the block fails.

Why this answer

In Ansible, when a task inside a `block` fails, the `rescue` section is executed immediately after the failure, without running any remaining tasks in the block. This is analogous to a try-catch mechanism in programming: the block is the 'try', and the rescue is the 'catch'. Option B correctly describes this behavior.

Exam trap

The trap here is that candidates often confuse `block`/`rescue` with a simple retry mechanism or assume that all tasks in the block must complete before error handling, but Ansible's behavior is to immediately jump to rescue on the first failure.

How to eliminate wrong answers

Option A is wrong because the rescue section does not retry the failed task; it runs a separate set of tasks to handle the error, and retry logic would require an `until` loop or `retries` parameter on the task itself. Option C is wrong because the playbook does not fail immediately; the rescue section is designed to catch the error and continue execution, preventing a playbook failure unless the rescue itself fails. Option D is wrong because the remaining tasks in the block are skipped once a task fails; the rescue runs immediately, not after the block completes.

55
Multi-Selectmedium

Which THREE of the following are valid attributes of the ansible.builtin.service module?

Select 3 answers
A.state
B.enabled
C.pattern
D.name
E.runlevel
AnswersA, B, D

Correct: state controls whether the service is started/stopped.

Why this answer

Options A, B, and C are correct. state, enabled, and name are valid parameters. runlevel and pattern are not standard parameters of the service module.

56
Multi-Selecteasy

Which two statements about Ansible roles are correct? (Select exactly 2.)

Select 2 answers
A.Roles must have a meta/main.yml file.
B.Roles are a type of playbook.
C.Roles can include tasks, handlers, variables, and defaults.
D.Roles cannot be used with include_role.
E.Roles can be installed from Galaxy.
AnswersC, E

Roles have a standard directory structure for these components.

Why this answer

Options A and D are correct. Roles can contain tasks, handlers, variables, and defaults. Roles can be installed from Ansible Galaxy. Option B is false because roles can be used with include_role. Option C is false because meta/main.yml is optional. Option E is false because roles are not playbooks.

57
MCQmedium

An Ansible automation team is designing a playbook to manage network devices. They need to ensure that the playbook can handle transient network failures by retrying failed tasks a specific number of times with a delay between retries. Which approach should they use?

A. Set `max_fail_percentage` in the play to 0 and use `ignore_errors: yes` with a rescue block.
B. Use the `throttle` keyword to limit concurrent tasks and rely on idempotency.
C. Set `serial: 1` on the play to ensure only one host is processed at a time and rely on idempotency.
D. Use the `until` loop with `retries` and `delay` parameters on the task.
Answer: D

The `until` loop with `retries` and `delay` retries the task until a condition is met or retries are exhausted, ideal for transient failures.

Why this answer

The `until` loop with `retries` and `delay` parameters is the correct approach because it allows a task to be retried a specified number of times with a configurable pause between attempts, directly addressing transient network failures. This is a built-in Ansible feature for handling intermittent issues without additional error-handling constructs.

Exam trap

The trap here is that candidates confuse concurrency controls (`serial`, `throttle`) or error-handling directives (`ignore_errors`, `max_fail_percentage`) with the retry mechanism, which is specifically implemented via the `until` loop with `retries` and `delay` parameters.

How to eliminate wrong answers

Option A is wrong because `max_fail_percentage` controls the percentage of hosts that can fail before the play aborts, not task retries; combining `ignore_errors: yes` with a rescue block would suppress errors but not implement retry logic. Option B is wrong because the `throttle` keyword limits the number of concurrent task executions, which is unrelated to retrying failed tasks. Option C is wrong because `serial: 1` processes hosts one at a time to control rolling updates or concurrency, not to retry tasks on failure.

58
MCQ · hard

A playbook uses an Ansible collection that includes a custom module. The module's documentation is missing. What is the best way to locate the module's source code?

A. Run ansible-doc <module name>.
B. Search the Ansible Galaxy website.
C. Navigate to the collection's plugin directory on the control node.
D. Look in the roles directory.
Answer: C

Source code is in the collection's modules subdirectory.

Why this answer

Option D is correct because the source code is in the collection's plugin directory on the control node. Option A may not find it if it's local. Option B may not show source without docs.

Option C is wrong because roles are separate.

59
MCQ · easy

An administrator wants to reuse a set of tasks across multiple playbooks. Which Ansible approach is most appropriate?

A. Encrypting the tasks with Ansible Vault.
B. Creating a role with tasks in tasks/main.yml.
C. Using ansible-doc to document the tasks.
D. Writing a custom module in Python.
Answer: B

Correct: Roles encapsulate tasks, variables, handlers, and are designed for reuse across playbooks.

Why this answer

Option B is correct because roles are the standard mechanism for reusable content. Option A is overkill for simple task reuse. Option C is for documentation, not reuse.

Option D is for encryption, not reuse. Therefore, B is correct.

60
Matching · medium

Match each Ansible fact variable to its description.

Concepts
Matches

Fully qualified domain name

OS family (e.g., RedHat)

Total memory in MB

Number of CPU cores

Default IPv4 interface info

Why these pairings

Common facts gathered by Ansible setup module.

61
MCQ · easy

Refer to the exhibit. An administrator wants to view the decrypted value of 'db_password' without modifying the file. Which command should be used?

A. ansible-vault rekey file.yml
B. ansible-vault decrypt file.yml
C. ansible-vault view file.yml
D. ansible-vault edit file.yml
Answer: C

Correct: view displays decrypted content to stdout.

Why this answer

Option B is correct because 'ansible-vault view' displays the decrypted content. Option A decrypts and saves unencrypted. Option C opens for editing.

Option D changes the vault password.

62
MCQ · easy

An Ansible playbook uses the lineinfile module to ensure a specific line is present in a configuration file. However, after running the playbook multiple times, the line is duplicated each time. Which option best explains this behavior?

A. The lineinfile module is missing the regexp parameter, so it adds the line every run.
B. The state parameter is set to 'append' instead of 'present'.
C. The backup parameter is not set, causing file corruption.
D. The insertafter parameter is incorrectly set to EOF, causing multiple adds.
Answer: A

Without a regexp, lineinfile cannot detect existing line, so it appends each time.

Why this answer

Option B is correct because without specifying a regexp, lineinfile adds the line every time, causing duplicates. Option A is wrong because backup does not affect duplication. Option C is wrong because state=present is the default and doesn't prevent duplicates.

Option D is wrong because the insertafter parameter would place line after first match, but without regexp it still adds each run.

63
MCQ · hard

Refer to the exhibit. A playbook targeting the 'webservers' group uses '{{ http_port }}'. What will be the value of 'http_port' on 'web2'?

A. 8080
B. 80
C. 80, because the group variable overrides host variable.
D. Undefined, causing an error
Answer: A

Correct: Host variable http_port=8080 overrides the group variable.

Why this answer

Option A is correct. Host variables override group variables. web2 has http_port=8080 defined as a host variable, so it takes precedence over the group variable of 80. Option B would be true if group variables override host variables, which they don't.

Option C is incorrect because the variable is defined. Option D is the opposite of the precedence rule. Therefore, A is correct.

64
Multi-Select · easy

Which TWO statements about Ansible roles are correct?

Select 2 answers
A. Ansible roles follow a predefined directory structure.
B. Roles enforce an execution order for tasks based on file naming.
C. A role can only be included once in a playbook.
D. Roles cannot have dependencies on other roles.
E. Roles can be downloaded from Ansible Galaxy.
Answers: A, E

Roles require a specific directory layout (tasks, handlers, etc.).

Why this answer

Options A and C are correct. A: Roles can be shared via Ansible Galaxy. C: The directory structure is defined by Ansible.

B is wrong because roles do not enforce a specific order; tasks run in order of main.yml. D is wrong because roles can have dependencies defined in meta. E is wrong because roles can be used multiple times in a play.

65
Multi-Select · hard

Which THREE of the following are valid uses of the 'ansible.builtin.include_role' module?

Select 3 answers
A. Pass variables to the included role using the 'vars' keyword.
B. Include a role from a collection by specifying 'namespace.collection.role_name'.
C. Dynamically set the role name using a variable without the 'name' parameter.
D. Conditionally include a role based on a variable.
E. Apply tags to all tasks within the included role.
Answers: A, B, D

Variables can be passed to the role via the 'vars' parameter.

Why this answer

Option A is correct because the 'ansible.builtin.include_role' module supports the 'vars' keyword to pass variables directly to the included role. This allows you to override or supply role variables at the point of inclusion, which is a common pattern for reusing roles with different configurations.

Exam trap

The trap here is that candidates often confuse 'include_role' with 'import_role', assuming that tags applied to the include statement will automatically apply to all tasks inside the role, but in Ansible, tags on a dynamic include only affect the include task itself, not the included tasks.

66
MCQ · easy

An administrator needs to securely store a database password used across multiple roles in a shared repository. Which approach is recommended?

A. Use ansible-vault to encrypt the password string and store it in a file, then include_vars.
B. Use a lookup plugin to fetch from a secrets manager.
C. Store the password in an environment variable on the controller.
D. Hardcode the password in the playbook and use .gitignore.
Answer: A

ansible-vault is the standard way to encrypt sensitive data.

Why this answer

Option A is correct because ansible-vault encrypts the variable and can be decrypted at runtime. Option B is insecure. Option C is not portable.

Option D is valid but not covered in core RHCE.

67
MCQ · medium

You have an Ansible playbook that uses the 'lineinfile' module to manage the /etc/ssh/sshd_config file. The playbook runs without errors, but after execution, the SSH service becomes unreachable on some hosts. Investigation reveals that the file contains duplicate lines for 'Port 22' and 'PermitRootLogin no'. The playbook uses the following task:

```yaml
- name: Ensure SSH settings
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^{{ item.key }}"
    line: "{{ item.key }} {{ item.value }}"
  loop:
    - { key: 'Port', value: '22' }
    - { key: 'PermitRootLogin', value: 'no' }
```

The playbook is run multiple times. What is the most likely cause of the duplicate lines?

A. The regexp pattern does not match the existing lines exactly, causing new lines to be added instead of replacing.
B. The 'lineinfile' module is not idempotent when used with loops.
C. The loop should use 'with_items' instead of 'loop' for proper idempotence.
D. The 'line' parameter should use backreferences to avoid duplication.
Answer: A

If the line has leading spaces or is not at the start, it may not match.

Why this answer

Option A is correct because the regexp pattern `^{{ item.key }}` matches only the start of a line (e.g., `^Port` or `^PermitRootLogin`), but the existing lines in `/etc/ssh/sshd_config` may have leading spaces or tabs (common in SSH config files). Since the regex does not match the actual line due to whitespace, the `lineinfile` module inserts a new line instead of replacing the existing one. Each playbook run adds another duplicate, eventually causing SSH to fail due to conflicting directives.

Exam trap

The trap here is that candidates assume `regexp` with `^` will match any line starting with the key, but they overlook that SSH config files often have leading whitespace, causing the module to add duplicate lines instead of replacing.

How to eliminate wrong answers

Option B is wrong because the `lineinfile` module is inherently idempotent when used correctly; the issue is not with loops but with the regexp pattern failing to match. Option C is wrong because `loop` and `with_items` are functionally equivalent in modern Ansible (both are converted to the same internal structure), so switching to `with_items` would not fix the regexp mismatch. Option D is wrong because backreferences are used in `regexp` to capture and reuse parts of the matched line, but the problem here is that the regexp does not match at all due to whitespace; backreferences would not help if the pattern fails to match.

68
MCQ · hard

Refer to the exhibit. The playbook fails with an error about the package list. What is the issue?

A. The variable 'packages' is not accessible because it is defined in a vars_file.
B. The variable 'packages' is being converted to a string by the Jinja2 template, resulting in a list literal string.
C. The 'yum' module requires the 'name' parameter to be a comma-separated string, not a list.
D. The 'yum' module should use 'pkg' instead of 'name'.
Answer: B

Using "{{ packages }}" produces a string representation of the list. The correct approach is to use `name: "{{ item }}"` with a loop or pass the list directly without quotes.

Why this answer

The yum module expects a list of strings or a comma-separated string. The variable 'packages' is a list, but when used with 'name: "{{ packages }}"', Jinja2 converts it to a string representation like "['httpd', 'mariadb-server', 'php']". The yum module does not accept that format; it needs a proper list or comma-separated string.

69
Multi-Select · medium

Which three methods can be used to pass variables to an Ansible playbook? (Select exactly 3.)

Select 3 answers
A. In the ansible.cfg file.
B. In the role's vars/main.yml.
C. In the playbook's vars_files directive.
D. In the inventory file variables.
E. Using the --extra-vars command line option.
Answers: C, D, E

vars_files includes YAML/JSON files with variables.

Why this answer

Options A, B, and C are correct. vars_files includes variable files, --extra-vars passes variables from command line, and inventory files can define variables. Option D is false because ansible.cfg does not define playbook variables. Option E is false because role vars are specific to the role, not passed to the playbook directly.

70
MCQ · hard

A playbook uses the 'include_tasks' module to dynamically include tasks based on a variable. The playbook runs successfully on some hosts but fails on others with a 'template error' message. What is the most likely cause?

A. The included task file does not exist on the control node.
B. The variable used in the 'include_tasks' path has a Jinja2 template error.
C. The included task file has incorrect permissions.
D. The included tasks contain a syntax error.
Answer: B

Template errors occur when Jinja2 syntax is invalid.

Why this answer

The 'include_tasks' module dynamically resolves the path to a task file using a variable. If that variable contains a Jinja2 template error (e.g., undefined variable, syntax mistake, or filter misuse), Ansible will fail with a 'template error' message during the variable expansion phase, before the task file is even loaded. This explains why the error occurs only on hosts where the variable's value or context triggers the template failure.

Exam trap

The trap here is that candidates often confuse the source of the template error, assuming it comes from the content of the included tasks (option D) rather than from the variable used in the include path itself, which is evaluated before the included file is even accessed.

How to eliminate wrong answers

Option A is wrong because if the included task file does not exist on the control node, Ansible would produce a 'file not found' or 'could not find or access' error, not a 'template error'. Option C is wrong because file permissions on the control node affect whether Ansible can read the file, but a permissions issue would result in a 'permission denied' error, not a Jinja2 template error. Option D is wrong because a syntax error inside the included tasks would cause a playbook failure when those tasks are parsed or executed, but the error message would be a YAML or Ansible syntax error, not a 'template error' from the include path resolution.

71
MCQ · medium

An organization uses Ansible to manage an AWS EC2 environment. The Ansible control node runs on a Linux server, and the team uses a dynamic inventory script (ec2.py) to automatically populate hosts. Recently, they need to run a playbook only against EC2 instances that have a specific tag, 'Environment', set to 'production'. The team has placed the ec2.ini configuration file in the same directory as the inventory script. However, when they run the playbook with '-i ec2.py', the playbook runs against all instances instead of only production ones. The team verifies that the tag exists on the correct instances and that the environment variable AWS_PROFILE is set correctly. Which action should resolve the issue?

A. Set the environment variable 'EC2_TAGS=Environment=production' before running the playbook.
B. Modify the ec2.ini file to include 'filters = tag:Environment=production' under the [ec2] section.
C. Use the '--limit' option with the playbook command to specify the tag.
D. Add the option 'hostname = tag_Name' to the ec2.ini file.
Answer: B

This restricts the inventory to instances with the specified tag.

Why this answer

The ec2.py dynamic inventory script uses ec2.ini settings to filter instances. To filter by tags, the 'regions_exclude' and 'destination_variable' are set, but the 'filters' setting inside the 'ec2' section must be configured to include 'tag:Environment=production'. Option B correctly identifies that the ec2.ini must be modified with the 'filters' option.

Option A is incorrect because 'hostname' is for naming hosts, not filtering. Option C would not filter by the tag. Option D is unrelated.

72
MCQ · easy

An Ansible playbook uses a 'block' to group multiple tasks and includes a 'rescue' section. If a task inside the block fails, what will happen?

A. the rescue section runs and then the playbook resumes with the next task after the block
B. the block is re-executed from the beginning
C. the rescue section runs, and the playbook continues with tasks after the block
D. the playbook stops immediately
Answer: C

Correct: rescue handles failures and then execution continues after the block.

Why this answer

Option D is correct because 'rescue' handles failures within the block. Option A is false (block does not run on remote). Options B and C are incorrect.

73
Multi-Select · medium

Which TWO statements about Ansible collections are correct?

Select 2 answers
A. Collections cannot be versioned.
B. Collections provide a way to package and distribute Ansible content.
C. Collections replace the need for inventory files.
D. Collections can only contain modules and roles.
E. Collections can be published to Ansible Galaxy or Automation Hub.
Answers: B, E

Collections are the standard packaging format.

Why this answer

Ansible collections are a distribution format for Ansible content that allows packaging and distributing playbooks, roles, modules, and plugins. They enable users to bundle related automation content into a single, versioned package that can be shared via Ansible Galaxy or Automation Hub. This makes option B correct because collections are explicitly designed for packaging and distribution.

Exam trap

Red Hat often tests the misconception that collections are limited to modules and roles, but the trap here is that collections can also include plugins, playbooks, and documentation, making option D a common distractor.

74
MCQ · medium

Refer to the exhibit. The playbook fails with this error. What is the most likely cause?

A. group_vars are not loaded
B. the host is unreachable
C. the inventory is missing the host
D. gather_facts is set to 'no'
Answer: D

Correct: facts are required for 'ansible_os_family'.

Why this answer

Option B is correct because 'ansible_os_family' is a fact variable that requires 'gather_facts: yes' (default). If fact gathering is disabled, this variable is undefined. Option A might cause missing group vars but not this specific variable.

Options C and D would cause different errors.

75
MCQ · easy

Given the inventory above, which user will Ansible use when connecting to 'web2'?

A. dbadmin
B. The system default user from ansible.cfg.
C. deploy
D. root
Answer: C

webservers group sets ansible_user=deploy.

Why this answer

Option C is correct because the group vars for webservers set ansible_user=deploy. Option A is wrong because host vars are not set. Option B is wrong because root is default only if not set.

Option D is wrong because dbadmin is for dbservers.
