CCNA Implement advanced Ansible automation Questions

19 of 94 questions · Page 2/2 · Implement advanced Ansible automation · Answers revealed

76
MCQ · hard

A company has a large infrastructure with over 1000 servers. They run a playbook that configures NTP on all servers. The playbook takes over 30 minutes due to sequential execution. The team wants to reduce execution time. Which approach should they take?

A. Use serial: 10 to batch hosts.
B. Set forks: 50 and strategy: free.
C. Use include_tasks to parallelize tasks.
D. Use ansible-pull on each server.
Answer: B

More forks increase concurrent hosts; free strategy removes batching.

Why this answer

Option B is correct because increasing forks and using the free strategy maximizes parallelism. Option A (serial) still processes batches sequentially. Option D (ansible-pull) shifts the workload but may not be faster. Option C (include_tasks) does not affect parallelism.

77
Multi-Select · hard

Which THREE factors are essential for achieving idempotent behavior in Ansible plays?

Select 3 answers
A. Task execution order should not affect the final state.
B. Modules should be state-based and check current state before action.
C. Variables registered from previous tasks should be avoided.
D. Loops must be avoided because they always cause changes.
E. The 'ignore_errors' directive should be used sparingly and only when appropriate.
Answers: A, B, E

Idempotent plays produce the same result regardless of order.

Why this answer

Options A, B, and E are correct. B: Modules should check current state before making changes. A: Tasks should not rely on the order of execution across hosts. E: Avoid using 'ignore_errors' carelessly as it can mask failures and prevent idempotency. D is wrong because loops can be idempotent if designed correctly. C is wrong because register variables can be used idempotently.

78
MCQ · easy

A team wants to ensure that a sensitive variable, such as a database password, is not printed when ansible-playbook runs with -v (verbose). What is the best method to achieve this?

A. Set the password as an environment variable on the control node.
B. Store the password in a file with 0600 permissions and use lookup('file', ...).
C. Use the 'no_log: true' directive on the task.
D. Use the 'ansible-vault encrypt_string' command and reference the variable from a vault file.
Answer: C

Correct: 'no_log: true' suppresses logging of task input/output, protecting sensitive data.

Why this answer

Option C is correct because 'no_log: true' prevents the task's input and output from being logged. Option B is good practice but does not prevent logging if the task prints the variable. Option A is insecure as environment variables may be exposed. Option D encrypts the variable but if the task prints it, it's still logged. Therefore, C is the best direct method.

79
MCQ · medium

Refer to the exhibit. An Ansible playbook contains the following block structure. If the task inside the block fails, which of the following describes the execution order of the rescue and always sections?

A. Only always runs.
B. Only rescue runs.
C. Rescue runs, then always.
D. Always runs, then rescue.
Answer: C

Standard block behavior: rescue on failure, then always.

Why this answer

Option C is correct because when a block fails, the rescue section executes, and then the always section runs regardless. Option D is wrong because always runs after rescue, not before. Option B is wrong because always always runs. Option A is wrong because rescue runs before always.

80
MCQ · hard

Your team is responsible for managing a fleet of 200 RHEL 8 servers using Ansible Tower. You have been asked to implement a secure automation workflow that meets the following requirements: 1. All playbooks must be stored in a private Git repository hosted on an internal GitLab server. 2. Credentials to access the Git repository must be stored securely in Ansible Tower. 3. The automation must run on a schedule every night at 2:00 AM. 4. If a playbook run fails, the team must be notified via email. 5. The playbooks require SSH private keys to connect to the managed hosts; these keys must be stored securely. 6. A development team needs to be able to launch the same job template manually, but they must not be able to modify the job template or view the credentials. You have created a Machine Credential for SSH and a Source Control Credential for Git. You have also created a Job Template that references the project, inventory, and credentials. What is the correct sequence of steps to satisfy all requirements?

A. 1. Create a Project in Tower, pointing to the Git repository and associate the Source Control Credential. 2. Create a Job Template referencing the Project. 3. Add the Machine Credential to the Job Template. 4. Create a Schedule for the Job Template. 5. Assign the development team execute-only permissions on the Job Template. 6. Configure a Notification Template for email on failure.
B. 1. Create a Schedule for 2:00 AM. 2. Create a Project in Tower with Source Control Credential. 3. Create a Job Template with Machine Credential. 4. Assign the development team admin permissions on the Job Template. 5. Configure a Notification Template.
C. 1. Create a Project in Tower, pointing to the Git repository without a credential. 2. Create a Job Template referencing the Project. 3. Add the Source Control Credential to the Job Template. 4. Create a Schedule for the Job Template. 5. Assign the development team read-only permissions on the Job Template. 6. Configure a Notification Template for email on failure.
D. 1. Create a Project in Tower, pointing to the Git repository and associate the Source Control Credential. 2. Create a Job Template referencing the Project, and add the Machine Credential. 3. Assign the development team read and execute permissions on the Job Template (not admin). 4. Create a Schedule for the Job Template to run at 2:00 AM. 5. Configure a Notification Template for email on failure and associate it with the Job Template.
Answer: D

This sequence correctly associates credentials, sets permissions (read+execute allows launch without edit), schedules, and configures notifications.

Why this answer

Option D is correct because it correctly sequences the steps: first creating a Project with the Source Control Credential to securely access the private Git repository, then creating a Job Template that references the Project and includes the Machine Credential for SSH access to managed hosts. Assigning the development team 'read and execute' permissions (not admin) satisfies the requirement that they can launch the job template manually but cannot modify it or view credentials. Creating a Schedule for 2:00 AM and configuring a Notification Template for email on failure completes the automation workflow.

Exam trap

The trap here is that candidates often confuse the permission levels in Ansible Tower, mistakenly thinking 'execute-only' or 'read-only' allows launching a job template, when in fact the correct combination is 'read and execute' to permit manual launch without modification rights.

How to eliminate wrong answers

Option A is wrong because it adds the Machine Credential to the Job Template after creating the Job Template, which is technically acceptable but the sequence is less efficient; more critically, it assigns 'execute-only' permissions, which in Ansible Tower does not exist as a distinct permission level—the correct permission is 'read and execute' to allow launching without modification. Option B is wrong because it creates the Schedule before the Project and Job Template, which is invalid as a Schedule must be associated with an existing Job Template; it also assigns 'admin' permissions to the development team, which violates the requirement that they must not be able to modify the job template or view credentials. Option C is wrong because it creates the Project without a Source Control Credential, which would fail to authenticate to the private Git repository; it then incorrectly adds the Source Control Credential to the Job Template instead of the Project, and assigns 'read-only' permissions, which in Ansible Tower does not allow launching the job template—only 'read and execute' permits manual launch.

81
MCQ · hard

An Ansible playbook that deploys a web application includes a task that uses the `uri` module to call an external API. The task occasionally fails due to API rate limiting. Which combination of keywords should be added to the task to automatically retry up to 5 times with a 30-second delay between attempts, and only fail if all retries are exhausted?

A. `register: result`, `until: status == 200`, `retries: 5`, `delay: 30`
B. `register: result`, `until: result.status == 200`, `retries: 5`, `delay: 30`
C. `until: result.status == 200`, `retries: 5`, `delay: 30`
D. `register: result`, `retries: 5`, `delay: 30`
Answer: B

Correctly registers the result, retries until status 200, with 5 retries and 30-second delay.

Why this answer

Option B is correct because it combines `register` to capture the API response, `until` to check that `result.status` equals 200 (the HTTP success code), `retries: 5` to attempt the task up to five times, and `delay: 30` to wait 30 seconds between retries. This ensures the task only fails after all five retries are exhausted, which is the exact behavior needed to handle transient API rate limiting.

Exam trap

Red Hat often tests the requirement that `register` must be used with `until` to reference the captured result, and that `retries`/`delay` are meaningless without `until` — candidates frequently omit `register` or forget to prefix the variable with `result.` in the condition.

How to eliminate wrong answers

Option A is wrong because it uses `status == 200` instead of `result.status == 200`; without referencing the registered variable, Ansible would look for a nonexistent `status` fact, causing a syntax or logic error. Option C is wrong because it omits `register: result`, so the `until` condition has no captured variable to check, leading to an undefined variable error. Option D is wrong because it lacks the `until` keyword entirely, meaning the task will not retry based on a condition; `retries` and `delay` alone only apply when `until` is present, so the task would run once and fail immediately.

82
Multi-Select · easy

A playbook must execute cleanup tasks after a block of tasks, both on success and failure. Which two of the following should be used within the block to achieve this?

Select 2 answers
A. ignore_errors
B. rescue
C. failed_when
D. always
E. block
Answers: D, E

always runs after the block regardless of outcome, ensuring cleanup.

Why this answer

The block + always pattern ensures that a set of tasks is always executed regardless of the success or failure of tasks in the block. The block keyword groups tasks, and the always keyword defines tasks that run unconditionally. rescue is for error handling but not required for cleanup. ignore_errors prevents failure but does not guarantee cleanup. failed_when customizes failure conditions.

83
Multi-Select · medium

Which TWO of the following are valid methods to include external variable files into an Ansible playbook?

Select 2 answers
A. using the 'add_host' module
B. using the 'set_fact' module
C. using the 'include_vars' module
D. using '-e' command line option
E. using the 'vars_files' directive in the play
Answers: C, E

Correct: include_vars loads variables from files at runtime.

Why this answer

Options C and E are correct. vars_files is a play keyword, and include_vars is a module. Options A, B, and D are not methods to include external variable files.

84
MCQ · medium

A new technician runs a playbook that uses the yum module to install packages. The playbook fails with 'No package matching' for a custom package. The package is available on a third-party repository. Which step should the technician take?

A. Use the rpm_key module to import the GPG key.
B. Add the repository using the yum_repository module.
C. Use command: yum install directly.
D. Update the package cache using yum update.
Answer: B

Properly adds the repository for package installation.

Why this answer

Option B is correct because adding the repository using the yum_repository module is the proper way. Option A (rpm_key) is for importing GPG keys, not adding repos. Option C (command) bypasses the module and is not idempotent. Option D (yum update) does not add repos.

85
MCQ · hard

A company uses dynamic inventory from a cloud provider. The playbook needs to run tasks only on instances with a specific tag. The ansible_ec2_tags variable is not available. What is the most efficient method to filter hosts?

A. Use the hostvars lookup to check tags.
B. Use the ec2_instance_facts module inside the playbook to gather facts and filter.
C. Use a static inventory file with hosts pre-filtered.
D. Use the amazon.aws.aws_ec2 inventory plugin with compose and keyed_groups.
Answer: D

Pre-filters hosts at inventory time, most efficient.

Why this answer

Option D is correct because using the aws_ec2 inventory plugin with compose and keyed_groups allows pre-filtering hosts efficiently. Option B is inefficient as it runs a task on all hosts. Option A may not have the variable available. Option C requires manual maintenance.

86
MCQ · medium

A playbook uses 'vars_prompt' to ask for a confirmation before proceeding with destructive changes. However, when the playbook is run from a CI/CD pipeline, it hangs indefinitely. What is the best way to handle this?

A. Remove the prompt and always proceed.
B. Set ANSIBLE_STDOUT_CALLBACK=unixy to avoid interactive prompts.
C. Encrypt the confirmation in vault and include it.
D. Use --check mode to simulate.
E. Pass the variable via --extra-vars and modify the prompt to be conditional with 'when: variable is not defined'.
Answer: E

Correct: This allows non-interactive input from CI/CD and only prompts when variable is missing.

Why this answer

Option E is correct because passing the variable via --extra-vars and making the prompt conditional with 'when: variable is not defined' allows the pipeline to provide the variable non-interactively. Option A is unsafe. Option D's --check mode does not solve prompts. Option B is unrelated. Option C encrypts data but does not handle prompts. Therefore, E is best.

87
MCQ · medium

A playbook uses the 'block' and 'rescue' keywords. If a task in the block fails, but the rescue tasks also fail, what happens?

A. The play fails.
B. The play continues to the next task.
C. The block is re-executed.
D. The rescue tasks are retried.
Answer: A

A failed rescue marks the play as failed.

Why this answer

Option A is correct because if rescue also fails, the overall play fails. Option B is wrong because rescue failure propagates. Option D is wrong because there is no automatic retry. Option C is wrong because the block is not re-executed.

88
MCQ · medium

A playbook uses import_playbook to include other playbooks. The main playbook is run with --check mode. Which statement is true?

A. Only the main playbook runs in check mode; imported ones run normally.
B. All imported playbooks are skipped because import happens at parse time.
C. import_playbook does not support check mode.
D. Imported playbooks are also run in check mode.
Answer: D

import_playbook merges tasks at parse time, so check mode affects all tasks.

Why this answer

Option D is correct because import_playbook includes tasks at parse time, so check mode applies to all tasks. Option B is wrong because imported playbooks are not skipped. Option A is wrong because check mode applies to all plays. Option C is wrong because import_playbook supports check mode.

89
MCQ · hard

A playbook uses 'delegate_to: localhost' for a task that modifies a local file. The playbook runs against multiple servers. The administrator notices that the local file is overwritten by each parallel execution, causing corruption. Which strategy should be used to prevent this?

A. Increase 'forks: 1' to serialize execution.
B. Use 'throttle: 1' on the task.
C. Use 'serial: 1' at the play level.
D. Use 'run_once: true' along with 'delegate_to'.
Answer: D

Correct: run_once ensures the task is executed only once, avoiding parallel overwrites.

Why this answer

Option D is correct because 'run_once: true' combined with delegate_to ensures the task runs only once, preventing overwrites. Option A serializes all tasks, which is inefficient. Option B throttles task concurrency but still runs on each host. Option C serializes batches but still results in multiple executions. Therefore, D is best.

90
MCQ · easy

An Ansible playbook contains many tasks. An administrator wants to run only a subset of tasks by passing '--tags ' at the command line. Which of the following must be added to the tasks?

A. a 'name' with specific naming convention
B. a 'block' statement
C. a 'tags' directive on each task
D. a 'when' condition
Answer: C

Correct: tags allow tasks to be selected with --tags.

Why this answer

Option C is correct because tagging tasks with 'tags: ' allows selective execution. Options A, B, D do not enable tag filtering.

91
MCQ · hard

An Ansible playbook uses 'async' and 'poll' to run a long-running task. The task returns a changed status and the playbook continues. However, the remote server reports that the task failed after the playbook finished. What is the most likely reason?

A. The 'async' timeout was set too high.
B. The 'poll' interval was set too low.
C. The task's return code was not checked; 'async_status' module should be used to explicitly check the job result.
D. The playbook used 'ignore_errors: true' on the async task.
Answer: C

Correct: Without explicit status check, Ansible only sees that the job started, not its final outcome.

Why this answer

Option C is correct because async tasks only start the job; the actual result must be checked with the 'async_status' module. If not checked, the playbook assumes success. Options A and B are about timing but not the core issue. Option D would ignore errors but not cause a false success. Therefore, C is most likely.

92
MCQ · hard

You are managing a large infrastructure of 500 Linux servers. The servers are divided into groups: 'web', 'app', and 'db'. Each group has specific configuration requirements. You have developed a set of Ansible roles to manage these configurations. Recently, you noticed that when you run the playbook against all servers, the 'web' role is applied to 'app' servers due to a variable misconfiguration. The playbook uses include_role with a variable that determines which role to apply. The variable is defined in group_vars/all.yml as 'server_role: web'. However, each group should have its own role: 'web' for web servers, 'app' for app servers, 'db' for db servers. The playbook includes the role based on '{{ server_role }}'. What is the best course of action to fix this issue without modifying the playbook structure?

A. Change the variable in group_vars/all.yml to a list and use 'include_role' with loop.
B. Add a 'when' condition to the include_role task to check the group name.
C. Define the server_role variable in group_vars/web.yml, group_vars/app.yml, and group_vars/db.yml with the appropriate values.
D. Define the server_role in host_vars for each server.
Answer: C

Group vars override all.yml for that group.

Why this answer

Option C is correct because Ansible's variable precedence dictates that group_vars/<group_name>.yml files override group_vars/all.yml for hosts in that group. By defining `server_role` per group file (web, app, db), each server gets the correct role without modifying the playbook structure. This leverages Ansible's built-in group variable inheritance to resolve the misconfiguration cleanly.

Exam trap

The trap here is that candidates may think a `when` condition or modifying the playbook is necessary, but the question tests understanding of Ansible's variable precedence and the correct use of group_vars to override all.yml without altering the playbook structure.

How to eliminate wrong answers

Option A is wrong because changing `server_role` to a list and looping `include_role` would apply multiple roles to each server, not fix the single-role misassignment; it also unnecessarily complicates the playbook. Option B is wrong because adding a `when` condition requires modifying the playbook structure, which the question explicitly forbids, and it would not leverage Ansible's variable precedence. Option D is wrong because defining `server_role` in `host_vars` for each of 500 servers is impractical and violates the DRY principle; group_vars is the correct scope for group-specific variables.

93
Multi-Select · medium

Which TWO conditions are necessary for the 'local_action' directive to work as intended?

Select 2 answers
A. The inventory must contain an entry for the control node.
B. The task must have privilege escalation (become) enabled.
C. The task must be executed on the Ansible control node.
D. The 'local_action' module must be used instead of 'action'.
E. The connection plugin must be set to 'local'.
Answers: C, E

local_action runs locally.

Why this answer

Options C and E are correct. C: The task must be run on the control node, so delegation is implied. E: local_action uses the local connection plugin, which typically uses the 'local' connection, not SSH. B is wrong because local_action does not require become. A is wrong because inventory is not required for local_action. D is wrong because there is no 'local' module; it's a directive.

94
MCQ · medium

An Ansible playbook runs tasks on a group of web servers. During a rolling update, the playbook should ensure that no more than 2 servers are taken out of service at the same time. Which play keyword should be used?

A. forks: 2
B. max_fail_percentage: 2
C. throttle: 2
D. serial: 2
Answer: D

Correct: 'serial: 2' ensures that tasks run on at most 2 hosts at a time, providing controlled rolling updates.

Why this answer

Option D is correct because 'serial: 2' processes hosts in batches of 2, limiting concurrency. Option A controls total forks but not batching. Option B sets a failure threshold. Option C throttles task concurrency but not host batching. Therefore, D is correct.
