CCNA Manage task execution and roles Questions

64 questions · Manage task execution and roles · All types, answers revealed

1
MCQmedium

An Ansible playbook includes multiple roles. The administrator wants to ensure that a specific role's tasks are executed before any other roles, even if the roles are listed in a different order in the playbook. Which approach should be used?

A.Use the 'any_errors_fatal' setting.
B.Use role dependencies with 'allow_duplicates: no'.
C.Set the 'order' parameter in the role definition.
D.Use the 'pre_tasks' section in the playbook to call the role.
AnswerD

pre_tasks run before any roles, guaranteeing execution order.

Why this answer

Option B is correct because pre_tasks run before any roles, ensuring ordering. Option A (any_errors_fatal) is for error handling, not ordering. Option C (role dependencies) can enforce order but not as straightforward as pre_tasks.

Option D is not a valid parameter.

2
MCQhard

Refer to the exhibit. The administrator observes the output and is concerned because the 'Check on async job' task shows 'finished: 0'. What does this indicate?

A.The async job was not started.
B.The async job failed.
C.The async job has completed successfully.
D.The async job is still running.
AnswerD

finished: 0 means the job is still in progress.

Why this answer

Option B is correct. finished: 0 means the job is still running. finished: 1 would indicate completion.

3
MCQhard

An administrator is designing a role that needs to execute a set of tasks conditionally based on whether a package is installed. Which approach is best practice?

A.Use the stat module to check package file existence
B.Use the command module to check package status
C.Use ansible_facts.packages
D.Use the package_facts module
AnswerD

package_facts gathers installed package information and is designed for this purpose.

Why this answer

Using the package_facts module to gather package information and then using a when condition based on the facts is the best practice because it is idempotent and does not rely on running commands.

4
MCQmedium

A team is writing an Ansible role to configure a web server. They want to include default variables that can be easily overridden by playbook variables. Which directory and file should they use to define these variables?

A.vars/defaults.yml
B.defaults/main.yml
C.default_vars/main.yml
D.vars/main.yml
AnswerB

This file contains variables with the lowest precedence, allowing easy override.

Why this answer

In Ansible roles, default variables are defined in the `defaults/main.yml` file. These variables have the lowest precedence, meaning they can be easily overridden by playbook variables, inventory variables, or any other variable source with higher precedence. This design allows role authors to provide sensible defaults while giving users the flexibility to customize behavior without modifying the role itself.

Exam trap

The trap here is that candidates confuse the `defaults/` directory (lowest precedence) with the `vars/` directory (higher precedence), or they invent non-standard directory names like `default_vars/`, because the exam tests precise knowledge of the Ansible role directory structure and variable precedence rules.

How to eliminate wrong answers

Option A is wrong because `vars/defaults.yml` is not a standard Ansible role directory structure; Ansible expects default variables in a `defaults` directory, not a `vars` directory. Option C is wrong because `default_vars/main.yml` uses an incorrect directory name; the correct directory is `defaults`, not `default_vars`. Option D is wrong because `vars/main.yml` is used for role variables that have higher precedence and are not intended to be easily overridden by playbook variables; placing defaults in `vars/` would make them harder to override, defeating the purpose of easily overridable defaults.

5
MCQmedium

An administrator wants to run a playbook that executes tasks in parallel across multiple hosts but wants to limit the number of simultaneous hosts to 5. Which directive should be set?

A.poll
B.serial
C.throttle
D.forks
AnswerB

serial: 5 limits the batch of hosts to 5 at a time.

Why this answer

The 'serial' keyword in a play controls how many hosts are processed at a time in a play. Setting 'serial: 5' ensures only 5 hosts run tasks concurrently.

6
MCQhard

Refer to the exhibit. An administrator runs the playbook but the wait_for task fails. What is the most likely cause?

A.The ansible_facts variable may not be available because fact gathering is disabled.
B.The http_port variable is misspelled.
C.The wait_for module requires the 'port' parameter to be an integer.
D.The delegate_to should be set to the remote host.
AnswerA

Correct: without gather_facts: yes, ansible_facts is empty.

Why this answer

The wait_for task uses ansible_facts, which are not gathered by default unless fact gathering is enabled. Since there is no gather_facts directive or it is set to false, ansible_facts will be empty, causing the task to fail. Option B is correct.

Option A is incorrect because delegate_to is fine on localhost. Option C is incorrect because http_port is defined. Option D is incorrect because wait_for accepts strings for port.

7
Matchingmedium

Match each systemd unit type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Background daemon or process

IPC or network socket

Time-based activation

Filesystem mount point

Group of units for synchronization

Why these pairings

Common systemd unit types used in RHEL.

8
Multi-Selecthard

An administrator is debugging a playbook that uses multiple roles and wants to limit execution to a specific set of tasks. Which three methods can be used to filter task execution? (Choose three.)

Select 3 answers
A.Use the '--tags' command-line option.
B.Use the '--skip-tags' command-line option.
C.Use the '--check' command-line option.
D.Use the '--step' command-line option.
E.Use the '--start-at-task' command-line option.
AnswersA, B, E

--tags filters tasks by specified tags.

Why this answer

Options A, B, and C are correct. Option D (--step) prompts after each task but doesn't filter. Option E (--check) performs a dry run without filtering.

9
Multi-Selecthard

Which THREE are valid methods to control task execution in Ansible?

Select 3 answers
A.Using the 'when' conditional
B.Using 'block' to group tasks for error handling
C.Using 'register' to store task output
D.Using 'loop' to iterate over a list
E.Using the 'with_items' loop
AnswersA, B, D

'when' controls task execution based on conditions.

Why this answer

Option A is correct because the 'when' conditional in Ansible allows you to control whether a task runs based on the evaluation of a condition, such as a variable, fact, or the result of a previous task. This is a primary method for conditional execution, enabling tasks to be skipped when the condition is false, directly controlling task execution flow.

Exam trap

The trap here is that candidates confuse 'register' (which stores output) with a control flow mechanism, or they mistakenly think 'with_items' is still a valid method for controlling task execution, when in fact the exam expects knowledge of the modern 'loop' keyword and the deprecation of 'with_items'.

10
MCQhard

A playbook includes a long-running task that should not block the rest of the playbook. The administrator wants to start the task and later check its status. Which method should be used?

A.Use the 'async' keyword with 'poll: 0' and then use async_status module.
B.Use 'delegate_to: localhost' and 'run_once'.
C.Use a separate playbook invoked with 'ansible-playbook' via command module.
D.Use 'throttle' to limit execution.
AnswerA

async with poll=0 starts the task and returns immediately; async_status checks the result later.

Why this answer

Option D (async with poll=0 and then async_status) is correct. Option A (delegate_to) runs on a different host but still blocks. Option B (separate playbook) is inefficient.

Option C (throttle) limits concurrency but doesn't background.

11
MCQmedium

An administrator wants to use an Ansible role from Ansible Galaxy but the role has a dependency on another role that is already installed. What should be done to avoid conflicts?

A.Set 'allow_duplicates: false' in the parent role's meta/main.yml.
B.Define the dependency as a collection.
C.Use 'galaxy install --force' to overwrite.
D.No action needed; Ansible handles duplicates automatically.
AnswerA

This prevents the role from running multiple times if already listed.

Why this answer

Option A (set allow_duplicates: false) is correct to prevent the dependency from running twice. Option B (force install) overwrites but doesn't prevent duplicate execution. Option C (collection) is a different concept.

Option D (no action) would cause the role to run twice by default.

12
MCQhard

During a playbook execution, a task that uses the 'ansible.builtin.copy' module fails with 'Permission denied' on a remote host. The playbook runs as user 'ansible' which is a sudoer without password. Which of the following is the most likely cause and solution?

A.The remote path does not exist. Use 'remote_src: yes' to copy from remote.
B.The local source file is not readable by the user running ansible-playbook. Change permissions on the source file.
C.The task lacks 'become: yes' but has 'become_user: root'. Add 'become: yes' to the task.
D.The remote file is owned by root and the destination directory is not writable by ansible. Use 'become: yes' and set 'owner: ansible'.
AnswerC

Without 'become: yes', become_user is ignored; adding 'become: yes' enables privilege escalation.

Why this answer

The 'Permission denied' error occurs because the task attempts to copy a file to a location that requires root privileges, but the playbook does not use privilege escalation. The user 'ansible' is a passwordless sudoer, so adding 'become: yes' to the task enables sudo, granting the necessary permissions to write to the destination. Option C correctly identifies this missing directive.

Exam trap

The trap here is that candidates assume 'become_user: root' alone is sufficient for privilege escalation, but Ansible requires the explicit 'become: yes' flag to activate any become method, including sudo.

How to eliminate wrong answers

Option A is wrong because 'remote_src: yes' copies a file from the remote host itself, not from the control node, and does not address permission issues; the error is about permissions, not a missing remote path. Option B is wrong because the error occurs on the remote host, not the control node; the local source file's permissions are irrelevant to a remote 'Permission denied' error. Option D is wrong because while 'become: yes' is needed, setting 'owner: ansible' is unnecessary and incorrect—the task should not change ownership to the unprivileged user; the solution is simply to escalate privileges to write the file, not to change the file's owner.

13
Multi-Selecteasy

Which two statements are true regarding Ansible roles? (Choose two.)

Select 2 answers
A.Role handlers are shared across all roles in the play.
B.A role can have a meta/main.yml file to define dependencies.
C.Role variables in vars/main.yml can be overridden by playbook vars.
D.Role default variables in defaults/main.yml have the lowest priority.
E.Roles can only be used in a playbook's roles section.
AnswersB, D

Role dependencies are defined in meta/main.yml.

Why this answer

Options A and B are correct. Option C is false because role vars (vars/main.yml) have higher priority than playbook vars. Option D is false because roles can be used via include_role or import_role in tasks.

Option E is false because handlers are scoped per role and not shared.

14
Multi-Selecthard

Which TWO statements about Ansible role defaults are true?

Select 2 answers
A.Defaults are only loaded if no vars are defined.
B.Defaults are loaded from the defaults/main.yml file.
C.Defaults have higher priority than variables defined in the playbook.
D.Defaults cannot be overridden.
E.Defaults have the lowest priority of all variables.
AnswersB, E

Defaults are defined in defaults/main.yml.

Why this answer

Role defaults have the lowest variable precedence, making them easy to override. They are defined in the defaults/main.yml file within the role.

15
MCQhard

An Ansible playbook fails intermittently due to a service not starting in time. The administrator wants to configure a task to retry until the service confirms it is running. Which Ansible feature should be used?

A.Until loop with retries and delay.
B.Failed_when with conditional retry.
C.Block and rescue to catch failure.
D.Async with poll interval.
AnswerA

The 'until' loop retries a task until a condition is met, with configurable retries and delay.

Why this answer

Option D (until loop with retries and delay) is correct. Option A (failed_when) only sets failure conditions, not retries. Option B (block/rescue) handles errors but doesn't retry.

Option C (async) starts a task and polls later but doesn't inherently retry on failure.

16
MCQeasy

A playbook needs to load encrypted variables from a file vault.yml. The vault password is stored in a file vault-pass with restricted permissions. Which method securely loads the variables when running the playbook?

A.Use include_vars: file: vault.yml without any additional configuration.
B.Run ansible-playbook with --ask-vault-pass to prompt for the password.
C.Run ansible-playbook playbook.yml --vault-password-file vault-pass
D.Set the environment variable ANSIBLE_VAULT_PASSWORD_FILE in the user's profile.
AnswerC

Correct: Provides the vault password from a file with restricted permissions.

Why this answer

Option C is correct because running ansible-playbook with --vault-password-file specifies the file containing the vault password, which is a best practice. Option A would fail because the encrypted file cannot be read without the vault password. Option B prompts for the password, which is less secure in automation.

Option D sets an environment variable, which could be insecure if the session is shared.

17
MCQmedium

Your organization uses Red Hat Ansible Automation Platform (AAP) to manage job execution. You have created a job template that runs a playbook to configure application servers. The playbook uses a custom credential to access a remote database. Recently, the job started failing with 'Authentication failed' when connecting to the database. You have verified that the database credentials are correct. The credential in AAP is of type 'Machine' and is assigned to the job template. The playbook uses the 'mysql_db' module. Which step should you take to troubleshoot and resolve the issue?

A.Change the credential type to 'Database' and provide the appropriate username and password.
B.Add the database password as an extra variable in the job template.
C.Modify the machine credential to include the database password as an SSH key.
D.Encrypt the database password using Ansible Vault and include it in the playbook.
AnswerA

Correct: The mysql_db module needs a database credential type to authenticate.

Why this answer

Option B is correct because the 'mysql_db' module typically requires a database credential type, not a machine credential. The credential type must match the module's needs. Option A is incorrect because extra variables would override inventory but not fix the credential type.

Option C is incorrect because the vault provides a different mechanism; the credential type is the core issue. Option D is incorrect because the issue is not about SSH keys.

18
MCQhard

An administrator has a requirements.yml file specifying roles from multiple sources: a public Galaxy server, a private Git repository, and a local path. They want to install all roles into the roles directory of the current project. Which command will achieve this?

A.ansible-galaxy collection install -r requirements.yml
B.ansible-galaxy install -r requirements.yml --roles-path ./roles
C.ansible-galaxy install -r requirements.yml -p .
D.ansible-galaxy role install --force -r requirements.yml
AnswerB

Correct: Installs all roles from requirements.yml into ./roles.

Why this answer

Option B is correct because ansible-galaxy install with -r reads the requirements file and --roles-path specifies the target directory. Option A uses -p . which installs into the current directory, not the roles subdirectory. Option C installs collections, not roles.

Option D uses --force which is unnecessary and may overwrite existing roles.

19
MCQeasy

What is the purpose of the 'meta: flush_handlers' task?

A.Restart services immediately
B.Clear the handler queue
C.Wait for handlers to complete
D.Force handlers to run immediately
AnswerD

flush_handlers triggers all notified handlers right away.

Why this answer

The meta task 'flush_handlers' forces all pending handler actions to run immediately at that point in the play, rather than waiting until the end of the play's task section.

20
MCQeasy

What is the purpose of the 'vars' keyword under the nginx role inclusion?

A.Set variables for the common role
B.Define new variables for the playbook
C.Set variables for all roles in the play
D.Override default variables for that role
AnswerD

vars specified with a role override the role's defaults.

Why this answer

The 'vars' keyword under a role inclusion allows the playbook to override default variables defined in that role's defaults/main.yml file. In this case, it sets http_port to 8080 for the nginx role.

21
MCQmedium

Refer to the exhibit. When the playbook runs on target1, which value will nginx_port have in the role?

A.443 (from playbook vars)
B.8080 (from vars/main.yml)
C.9090 (from host vars)
D.80 (from defaults/main.yml)
AnswerC

Host vars have higher precedence than playbook and role vars.

Why this answer

Ansible variable precedence: host vars > playbook vars > role vars (vars/main.yml) > role defaults. Playbook vars override role vars, but host vars override playbook vars. Since the inventory sets nginx_port: 9090 for target1, that value takes precedence.

22
MCQhard

An administrator wants to define role dependencies. In which file should they place the dependencies declaration?

A.vars/main.yml
B.defaults/main.yml
C.tasks/main.yml
D.meta/main.yml
AnswerD

Role metadata, including dependencies, is defined in meta/main.yml.

Why this answer

Role dependencies are defined in the meta/main.yml file using the 'dependencies' keyword. This file holds metadata about the role, including dependencies, author, etc.

23
MCQmedium

A playbook uses a loop to create multiple users. The administrator notices that if one user creation fails, the entire playbook stops. Which directive should be used to continue executing remaining iterations?

A.max_fail_percentage
B.any_errors_fatal
C.ignore_errors
D.failed_when
AnswerC

ignore_errors tells Ansible to continue despite failures for that task, including within a loop.

Why this answer

Setting 'ignore_errors: yes' on the task allows the loop to continue with subsequent items even if one fails. Other options either affect the whole play or do not continue on item-level failures within a loop.

24
MCQmedium

Refer to the exhibit. The playbook runs successfully. What will the debug task output?

A.Just the username 'jdoe'.
B.A dictionary with details about the user, such as uid, gid, and groups.
C.The entire playbook YAML structure.
D.The string 'true' if the user was created successfully.
AnswerB

The user module returns a dictionary with user attributes.

Why this answer

The debug task outputs the registered variable from the user module. By default, the user module returns a dictionary containing user account details such as uid, gid, groups, and home directory when the state is 'present'. Since the playbook runs successfully, the registered variable holds this dictionary, making option B correct.

Exam trap

Red Hat often tests the misconception that the debug task outputs a simple success message or a single value, when in fact it outputs the full return dictionary from the module.

How to eliminate wrong answers

Option A is wrong because the debug task does not output just the username; the user module returns a dictionary with multiple attributes, not a single string. Option C is wrong because the debug task outputs the contents of the registered variable, not the entire playbook YAML structure. Option D is wrong because the user module does not return a boolean string 'true'; it returns a dictionary on success, and the debug task will display that dictionary, not a success indicator.

25
Multi-Selectmedium

An administrator has a playbook with tasks tagged 'install', 'configure', and 'service'. There are no untagged tasks. They want to run only the tasks tagged 'install' and 'configure', skipping 'service'. Which three commands will achieve this? (Choose three.)

Select 3 answers
A.ansible-playbook site.yml --tags install,configure
B.ansible-playbook site.yml --tags configure --skip-tags install,service
C.ansible-playbook site.yml --skip-tags service
D.ansible-playbook site.yml --tags install --skip-tags service
E.ansible-playbook site.yml --tags install --tags configure
AnswersA, C, E

Runs tasks with either install or configure tag.

Why this answer

Options A, B, and C are correct. A uses --tags with both tags. B uses separate --tags options which accumulate.

C uses --skip-tags to exclude service, which works because there are no untagged tasks. D and E are incorrect because they include only one tag or exclude the wrong tags.

26
MCQmedium

Refer to the exhibit. The administrator wants to run a playbook that installs a package on all webservers. Which command will use the existing configuration and inventory correctly?

A.ansible-playbook -e 'ansible_python_interpreter=/usr/bin/python3' site.yml
B.ansible-playbook site.yml
C.ansible webservers -m package -a 'name=httpd state=present'
D.ansible-playbook -i inventory site.yml
AnswerB

ansible-playbook reads ansible.cfg automatically, using the defined inventory.

Why this answer

The ansible.cfg sets inventory=./inventory and roles_path=./roles. The playbook should be run with ansible-playbook, which reads the configuration automatically. The -i flag is not needed because inventory is defined in ansible.cfg.

27
MCQeasy

Which directive in an Ansible playbook ensures that a task runs only on the first host in a batch, and results are applied to all hosts?

A.run_once
B.any_errors_fatal
C.throttle
D.delegate_to: localhost
AnswerA

run_once runs the task on the first host and applies results to all hosts.

Why this answer

Option C (run_once) is correct. Option A (delegate_to) changes the host but runs on all hosts. Option B (any_errors_fatal) stops on error.

Option D (throttle) limits concurrency.

28
MCQmedium

A team develops a custom Ansible role 'webserver' that depends on another role 'common'. They want to ensure that when 'webserver' is used, 'common' is automatically installed from the same Galaxy server. Which approach should they use?

A.Add a requirements.yml file in the role's root directory specifying common.
B.Add a dependencies: ['common'] to the role's meta/main.yml file.
C.Use ansible-galaxy install webserver --with-dependencies to install common separately.
D.Include the 'common' role in the playbook before 'webserver'.
AnswerB

Correct: Role dependencies in meta/main.yml are automatically installed.

Why this answer

Option A is correct because role dependencies are declared in the meta/main.yml file using the 'dependencies' key, which causes ansible-galaxy to automatically install dependent roles. Option B relies on a requirements.yml file, which is not automatically processed when using the role. Option C requires manual intervention.

Option D works but does not automate installation of the dependency.

29
Multi-Selectmedium

Which TWO of the following statements about Ansible roles are correct?

Select 2 answers
A.Role names must be prefixed with 'ansible-role-' when published to Ansible Galaxy.
B.Variables in 'defaults/main.yml' have the lowest precedence and can be overridden by inventory variables.
C.Role dependencies are defined in the 'meta/main.yml' file.
D.The 'include_role' module can only be used for static imports.
E.A role's tasks are executed before any 'pre_tasks' defined in the playbook.
AnswersB, C

Correct: defaults have the lowest precedence.

Why this answer

Variables in defaults/main.yml have the lowest precedence and can be overridden by inventory variables. Role dependencies are defined in meta/main.yml. The other options are incorrect: pre_tasks run before roles, include_role is dynamic, and the naming convention is not mandatory.

30
MCQmedium

A DevOps engineer wants to run an Ansible playbook inside a specific execution environment (EE) that includes custom collections. The EE image is stored in a private registry requiring authentication. The engineer has configured a container credential file. Which command will execute the playbook using the EE and the credential file?

A.ansible-navigator run -m stdout --ce docker --container-image registry.example.com/custom-ee --container-auth-file auth.json
B.ansible-navigator run -m stdout --ce docker --container-image registry.example.com/custom-ee --container-auth-file credentials.yml
C.ansible-navigator run --pp never --ce docker --container-image registry.example.com/custom-ee
D.ansible-navigator run -m stdout --pp never --ce docker --container-image registry.example.com/custom-ee --container-credential-file credentials.yml
AnswerA

Correct: --container-auth-file specifies the authentication file for registry access.

Why this answer

Option B is correct because ansible-navigator uses the --container-auth-file option to provide authentication details for the container registry. Option A uses an invalid option --container-credential-file. Option C uses the wrong file format (credentials.yml is not typically used for auth).

Option D lacks authentication entirely.

31
MCQhard

What is the most likely cause of the failure?

A.The --check flag prevents role variable resolution.
B.The nginx role's defaults or vars do not define 'nginx_version'.
C.The host web1 is not configured to use the nginx role.
D.The nginx role was not included in the playbook correctly.
AnswerB

The variable is undefined in the role's defaults or vars files.

Why this answer

The error indicates that Ansible cannot resolve the variable 'nginx_version' during the playbook run. Since the `--check` flag only simulates changes and does not affect variable resolution, the most likely cause is that the nginx role's `defaults/main.yml` or `vars/main.yml` does not define this variable, leaving it undefined and causing the failure.

Exam trap

The trap here is that candidates often assume the `--check` flag is the culprit for any failure during a dry run, but Ansible's check mode still resolves all variables and validates templates, so a missing variable error is not caused by the check flag itself.

How to eliminate wrong answers

Option A is wrong because the `--check` flag does not prevent role variable resolution; it only skips the execution of modules that would make changes, while variable resolution still occurs normally. Option C is wrong because the host web1 does not need to be 'configured to use the nginx role' in a separate step; roles are applied via the playbook's `roles:` directive or `include_role`, and the error is about a missing variable, not role assignment. Option D is wrong because the error message does not indicate a syntax or inclusion issue with the role; it specifically points to an undefined variable, meaning the role was included but its variable definitions are incomplete.

32
MCQmedium

Refer to the exhibit. The playbook fails with an error. What is the most likely cause?

A.import_tasks cannot be used with a loop.
B.import_tasks must be placed in a role.
C.The loop variable should be referenced as '{{ item }}' without quotes.
D.The file names must be literal without templates.
AnswerA

import_tasks is static and loops are only supported with include_tasks.

Why this answer

Option A is correct. import_tasks is static and cannot be used with a loop; include_tasks should be used for dynamic inclusion.

33
MCQeasy

A playbook includes multiple roles. The administrator wants to skip a specific role during execution. Which technique should they use?

A.Add a condition to each task in the role
B.Use the '--limit' option to exclude hosts
C.Use tags on the role and run with --tags
D.Use tags on the role and run with --skip-tags
AnswerD

--skip-tags excludes tasks with the specified tags.

Why this answer

The --skip-tags command-line option allows skipping tasks or roles that have a specific tag assigned. By tagging the role with a unique tag, the administrator can skip it without modifying the playbook.

34
MCQeasy

An Ansible playbook needs to ensure a service is enabled and running on boot. Which combination of parameters should be used with the 'systemd' module?

A.enabled: yes, state: reloaded
B.enabled: yes, state: started
C.enabled: yes, daemon_reload: yes
D.enabled: yes, state: restarted
AnswerB

This ensures the service is enabled and running.

Why this answer

Option B is correct because the 'systemd' module in Ansible requires both 'enabled: yes' to set the service to start on boot and 'state: started' to ensure the service is currently running. This combination directly fulfills the requirement of ensuring a service is enabled and running on boot.

Exam trap

The trap here is that candidates often confuse 'enabled' with 'state' or assume 'daemon_reload' or 'reloaded' can substitute for starting the service, but only the combination of 'enabled: yes' and 'state: started' fully satisfies the requirement for both boot persistence and current running state.

How to eliminate wrong answers

Option A is wrong because 'state: reloaded' only reloads the service's configuration without starting it if it is not running, and it does not guarantee the service is enabled on boot. Option C is wrong because 'daemon_reload: yes' only reloads the systemd manager configuration (e.g., after adding new unit files) but does not start the service or enable it on boot. Option D is wrong because 'state: restarted' restarts the service if it is running but does not ensure it is enabled to start on boot, and it will fail if the service is not already running.

35
Drag & Dropmedium

Drag and drop the steps to configure a logical volume (LV) using LVM on a new disk in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

LVM workflow: PV -> VG -> LV -> filesystem -> mount.

36
MCQhard

A playbook uses ansible.builtin.import_playbook to include other playbooks. The administrator needs to pass variables to the imported playbook. Which approach is valid?

A.Use ansible.builtin.include_vars inside the imported playbook
B.Set variables using set_fact before the import
C.Use group_vars or host_vars
D.Add a 'vars' block to the import_playbook statement
AnswerD

import_playbook: other.yml vars: { key: value } is the correct syntax.

Why this answer

When using import_playbook, variables can be passed using the 'vars' keyword within the import statement. This makes the variables available throughout the imported playbook.

37
MCQhard

Refer to the exhibit. An administrator runs a playbook in check mode and receives the shown output. What should be done to fix the failure while maintaining idempotency?

A.Modify the deploy role to use the force parameter when copying files.
B.Add a task in the apache role to create the /var/www/html directory using the file module.
C.Run the playbook without check mode to force the deployment.
D.Add a pre_task in the playbook to create /var/www/html before roles execute.
AnswerB

The apache role should ensure the document root exists before deploying files.

Why this answer

The deploy role fails because /var/www/html does not exist. The apache role should ensure the directory exists, typically by including a task to create it. Adding a file module task in the apache role to create /var/www/html would fix the issue.

38
Multi-Selecteasy

An Ansible playbook that installs packages and configures services is not idempotent. Which two practices should be implemented to make it idempotent? (Choose two.)

Select 2 answers
A.Use notify handlers to restart services only on change.
B.Use the command module with the 'creates' parameter.
C.Use state=present for package installation.
D.Use check_mode: yes to preview changes.
E.Set always_run: yes on tasks.
AnswersB, C

creates makes the command run only if a specified file is missing, ensuring idempotency.

Why this answer

Options A and B are correct. Using state=present for package installation ensures the package is installed only if not present, making it idempotent. Using the command module with the 'creates' parameter ensures the command runs only if the specified file does not exist.

Options C, D, and E do not directly address idempotency.

39
MCQeasy

In an Ansible playbook, the 'strategy' parameter is set to 'free'. What behavior does this strategy produce?

A.Playbook runs tasks on hosts in batches of 1.
B.Strategy is deprecated and replaced by 'linear'.
C.All hosts run the same task at the same time, then move to the next task.
D.Each host runs through the playbook independently of other hosts.
AnswerD

Free strategy allows hosts to run tasks as fast as they can, not waiting for others.

Why this answer

Option A is correct. The 'free' strategy allows each host to run through the playbook independently without waiting for other hosts. Option B (linear) is the default where hosts wait at each task.

Option C (serial) batches hosts. Option D is not a valid strategy.

40
Multi-Selecteasy

Which TWO elements can be used to include external task files in a playbook?

Select 2 answers
A.import_tasks
B.include_tasks
C.include_vars
D.add_host
E.include_role
AnswersA, B

import_tasks statically includes a task file.

Why this answer

import_tasks and include_tasks are the two directives to include external task files. import_tasks is static and processed at parse time, while include_tasks is dynamic and processed at runtime.

41
MCQeasy

Refer to the exhibit. A playbook already includes the 'common' role in its roles list. The current role depends on 'common' with 'allow_duplicates: false'. How many times will the 'common' role run?

A.Once.
B.Not at all.
C.Depends on the order of roles.
D.Twice.
AnswerA

Because allow_duplicates: false prevents the role from running multiple times.

Why this answer

Option A is correct. With allow_duplicates: false, the dependency will not run again if the role is already listed in the playbook.

42
MCQeasy

You are managing a web application deployment using Ansible. The application requires a specific version of a library (libapp) to be installed on all web servers. Your current playbook uses the role 'web' which includes a task to install libapp version 1.2. However, after a recent update, the role's defaults now specify libapp version 2.0, but you must keep version 1.2 for compatibility. You have defined a variable 'lib_version' in the playbook's vars section with value '1.2'. The role's task uses the variable 'libapp_version' (not 'lib_version'). The play fails because 'libapp_version' is undefined. What is the best way to resolve this issue without modifying the role?

A.Modify the role's defaults/main.yml to set libapp_version to 1.2.
B.Use the playbook to set libapp_version as a variable for the role: either in the play vars section or by passing it as a role parameter.
C.Rename your playbook variable from lib_version to libapp_version in the play vars.
D.Create a file roles/web/vars/main.yml with libapp_version: 1.2.
AnswerB

You can set libapp_version in the play's vars or as a role parameter without modifying the role.

Why this answer

Option B is correct because it allows you to set the variable `libapp_version` that the role expects without modifying the role itself. By defining `libapp_version` in the playbook's vars section or passing it as a role parameter, you override the role's default value (2.0) with the required version 1.2, ensuring the task uses the correct library version while preserving role integrity.

Exam trap

The trap here is that candidates may confuse variable names (lib_version vs libapp_version) and attempt to rename variables or modify role defaults, rather than understanding that the correct solution is to set the exact variable expected by the role at the playbook level.

How to eliminate wrong answers

Option A is wrong because modifying the role's defaults/main.yml directly changes the role, which violates the requirement to not modify the role. Option C is wrong because renaming the playbook variable from `lib_version` to `libapp_version` does not address the issue; the role's task uses `libapp_version`, and simply renaming the variable in the playbook's vars section would still leave `libapp_version` undefined unless the variable is explicitly set. Option D is wrong because creating a file roles/web/vars/main.yml modifies the role's internal structure, which is not allowed per the requirement to not modify the role.

43
Multi-Selectmedium

Which THREE directives can be used to modify loop behavior in Ansible?

Select 3 answers
A.ignore_errors
B.loop_control
C.when
D.rescue
E.always
AnswersA, B, C

ignore_errors causes Ansible to continue to the next item even if the current one fails.

Why this answer

loop_control provides advanced loop features like index_var and label. when can conditionally skip items in a loop. ignore_errors can continue execution on failed items within a loop.

44
MCQhard

A developer wants to reuse a set of tasks that conditionally include other task files based on variables defined per host. Which method should be used to ensure the included tasks are evaluated per host at runtime?

A.include_tasks
B.include_role
C.import_role
D.import_tasks
AnswerA

include_tasks is dynamic and evaluates per host at runtime.

Why this answer

Option C (include_tasks) is correct because it is dynamic and evaluated per host at runtime. Option A (import_tasks) is static and evaluated at parse time. Options B and D are also static imports for roles.

45
MCQmedium

Your team uses ansible-pull to manage configuration of a large number of remote nodes. Each node is configured to pull the latest playbook from a Git repository every 30 minutes. Recently, some nodes started reporting 'ERROR! the role 'base' was not found'. The playbook depends on roles from a requirements.yml file that is stored in the same repository. The ansible-pull command on each node uses the default roles path (~/.ansible/roles). The Git repository contains the requirements.yml file but does not contain the actual role directories. What is the most likely cause and solution?

A.Run ansible-galaxy install on the control node and distribute the roles via a separate channel.
B.Add the role directories directly to the Git repository and modify the playbook to reference them with a relative path.
C.Add a pre_task to the playbook that runs 'ansible-galaxy install -r requirements.yml' before the roles are used.
D.Set the 'roles_path' in ansible.cfg on each node to include the repository's roles directory.
AnswerC

Correct: This ensures roles are installed from Galaxy during the pull execution.

Why this answer

Option C is correct because ansible-pull does not automatically install roles from requirements.yml; the playbook should include a pre_task that runs 'ansible-galaxy install -r requirements.yml' before using the roles. Option A is incorrect because the roles are already in the repository? No, they are not. Option B is incorrect because ansible-pull does not use a local roles path by default; the issue is missing installation.

Option D is incorrect because the control node is not involved in ansible-pull.

46
MCQeasy

An administrator wants to ensure a role's tasks are executed only on certain hosts. Which approach should they use?

A.Set host_vars for each target host
B.Set group_vars for the target group
C.Use a 'when' condition in the role's tasks
D.Use tags on the role
AnswerC

A when condition can evaluate inventory or fact data to determine if a task runs on a particular host.

Why this answer

Using the 'when' condition inside the role's tasks allows the administrator to control execution based on host facts or variables. Other options like host_vars or group_vars define variables but do not directly control task execution conditions.

47
MCQhard

You are responsible for managing a large fleet of web servers running Red Hat Enterprise Linux 8. You have an Ansible playbook that deploys a custom web application. The playbook uses several roles from Ansible Galaxy and includes tasks that require root privileges. Recently, users reported that the deployment fails intermittently with the error 'Timeout (12s) waiting for privilege escalation prompt'. You suspect that the issue is related to the become method and the SSH connection. The current inventory uses 'ansible_user: deploy' and 'ansible_become: yes' with default settings. The 'deploy' user has sudo privileges with NOPASSWD for all commands. However, the timeout occurs only on high-latency connections. Which change would most effectively resolve the timeout issue?

A.Increase 'forks' to 20 to run more tasks in parallel.
B.Enable pipelining by setting 'pipelining = True' in ansible.cfg.
C.Set 'ansible_become_password' in the inventory.
D.Increase the 'timeout' setting in ansible.cfg to 30 seconds.
AnswerD

Correct: Increasing the timeout allows more time for the privilege escalation prompt on slow connections.

Why this answer

Option C is correct because increasing the 'timeout' parameter in ansible.cfg (or setting ANSIBLE_TIMEOUT) gives more time for privilege escalation prompts on slow connections. Option A is incorrect because SSH pipelining can reduce round trips but does not directly address the timeout. Option B is incorrect because parallel execution increases load and may exacerbate timeouts.

Option D is incorrect because the error indicates a privilege escalation timeout, not a missing password.

48
Multi-Selectmedium

Which TWO statements about Ansible roles are true?

Select 2 answers
A.A role can include tasks, handlers, variables, templates, and files.
B.Roles are defined directly inside a playbook using the 'roles' keyword.
C.Roles can be reused across multiple playbooks.
D.Roles can only be invoked using the 'include_role' module.
E.Variables defined in a role's vars/main.yml cannot be overridden by playbook variables.
AnswersA, C

Roles organize these components in a standard structure.

Why this answer

Option A is correct because Ansible roles are designed to organize automation content into a standardized directory structure that can include tasks, handlers, variables, templates, and files. This modular structure allows for better code reuse and maintainability, as each component is stored in its own subdirectory within the role.

Exam trap

Red Hat often tests the misconception that roles can only be invoked via 'include_role' or that role variables cannot be overridden, but in reality, roles support both static and dynamic inclusion, and vars/main.yml variables are overridable by higher-precedence variables like playbook vars.

49
MCQeasy

You need to run an Ansible playbook every hour to update a dynamic inventory file from a CMDB API. The playbook is stored in /opt/ansible/update_inventory.yml. You want to schedule the execution using a cron job on the control node. The control node runs Red Hat Enterprise Linux 9. The playbook uses Ansible Vault to decrypt API credentials, and the vault password is stored in /etc/ansible/.vault_pass. Which cron entry will execute the playbook hourly?

A.0 * * * * /usr/bin/ansible-playbook --vault-password-file ~/.vault_pass /opt/ansible/update_inventory.yml
B.* * * * * /usr/bin/ansible-playbook --vault-password-file /etc/ansible/.vault_pass /opt/ansible/update_inventory.yml
C.0 * * * * /usr/bin/ansible --vault-password-file /etc/ansible/.vault_pass /opt/ansible/update_inventory.yml
D.0 * * * * /usr/bin/ansible-playbook --vault-password-file /etc/ansible/.vault_pass /opt/ansible/update_inventory.yml
AnswerD

Correct: Runs hourly with proper vault password file and playbook path.

Why this answer

Option A is correct because it specifies the correct cron schedule (0 * * * * for hourly) and uses full paths to ansible-playbook, vault password file, and playbook. Option B uses the wrong schedule (every minute). Option C uses ansible command instead of ansible-playbook.

Option D has an incorrect path for the vault password file.

50
MCQmedium

An Ansible role has a complex dependency tree. The administrator wants to ensure that dependencies are installed before the main role tasks. Which file should be used to define dependencies?

A.meta/main.yml
B.defaults/main.yml
C.tasks/main.yml
D.vars/main.yml
AnswerA

The meta directory contains main.yml for role metadata including dependencies.

Why this answer

Role dependencies are defined in the meta/main.yml file using the 'dependencies' keyword. Ansible resolves these dependencies and runs them before the role's own tasks.

51
MCQhard

Refer to the exhibit. The administrator runs the playbook with the 'deploy' tag, but all tasks are skipped. What is the most likely reason?

A.The --tags option filters tasks; only tasks with the 'deploy' tag run, but none of the role tasks have that tag.
B.The role 'database' is not found in the roles_path.
C.The inventory host db1.example.com is not in the dbservers group.
D.The tags in the role tasks conflict with the play tags, causing a syntax error.
AnswerA

The play-level tag does not propagate to role tasks unless inherited via include_role or import_role.

Why this answer

The playbook site.yml sets tags: ['deploy'] at the play level. When running with --tags 'deploy', only tasks that have the 'deploy' tag (or no tags) would run. However, all tasks in the role have specific tags (packages, service, database), and none have the 'deploy' tag.

Tasks with tags that do not match the specified tag are skipped. To fix, either remove tags from the play or add the 'deploy' tag to the roles tasks.

52
MCQeasy

A team is automating server configuration using Ansible. They have a custom role 'security' that updates firewall and SSH settings. They notice that when they apply the role to multiple hosts, the SSH configuration changes sometimes fail because the firewall blocks the SSH port before the SSH configuration is updated. They need to ensure that SSH configuration is updated first, then firewall rules are applied. They have defined both tasks in the same role. What should they do?

A.Use tags to control the sequence of tasks.
B.Split the role into two separate roles and use role dependencies to enforce order.
C.Use pre_tasks for SSH and post_tasks for firewall in the playbook.
D.Use the 'order' directive in the playbook to specify task order within the role.
AnswerB

Correct: role dependencies in meta/main.yml enforce execution order.

Why this answer

The best approach is to split the role into two separate roles and use role dependencies to enforce order. Role dependencies, defined in meta/main.yml, allow specifying that one role must run before another. By creating a 'ssh_config' role and a 'firewall' role, and setting the firewall role to depend on the ssh_config role, the correct order is guaranteed.

Option B is invalid (no 'order' directive). Tags do not control task order within a role. Pre_tasks/post_tasks are play-level constructs and do not apply to role-internal order.

53
MCQeasy

Refer to the exhibit. An Ansible playbook task fails with 'Missing sudo password'. The playbook runs against a server where the remote user 'admin' has sudo privileges but requires a password. Which configuration change would resolve this issue?

A.Set ansible_become_password or use the -K flag when running the playbook.
B.Change become_method to su to avoid password prompts.
C.Remove the become_user line and rely on default root.
D.Change become_user to root.
AnswerA

Correct: This provides the required sudo password.

Why this answer

Option B is correct because the error indicates that sudo requires a password and Ansible does not have it. Setting ansible_become_password provides the password. Option A is incorrect because the become_user is valid.

Option C is incorrect because the user does have sudo privileges but requires a password. Option D is incorrect because changing to 'su' would use a different authentication method and is unnecessary.

54
MCQmedium

An administrator sees this output during a playbook run. What can they conclude?

A.The task had ignore_errors set to yes
B.The playbook was run with the --ignore-errors command-line flag
C.The task was part of a block with rescue
D.The playbook was run with the --check flag
AnswerA

The fatal error followed by 'ignoring' indicates ignore_errors was enabled.

Why this answer

The output shows '...ignoring' after a fatal error, which indicates that the task had 'ignore_errors: yes' set. This causes Ansible to mark the task as failed but continue execution.

55
MCQeasy

Which ansible.cfg setting controls the number of parallel forks for task execution?

A.parallel
B.max_parallel
C.forks
D.threads
AnswerC

The 'forks' setting in ansible.cfg controls the number of parallel processes.

Why this answer

Option A (forks) is correct. Option B (parallel), Option C (max_parallel), Option D (threads) are not valid settings.

56
MCQeasy

Which best practice should be followed when using Ansible to manage task execution across multiple hosts?

A.Use 'ignore_errors: yes' on all tasks to prevent playbook failures.
B.Ensure tasks are idempotent so they can be run multiple times without changing the system state beyond the desired state.
C.Always use serial execution to avoid race conditions.
D.Write tasks that rely on the previous task's output to ensure correct order.
AnswerB

Idempotency is a core principle of Ansible.

Why this answer

Option B is correct because idempotency is a core principle of Ansible: running the same playbook multiple times should produce the same desired state without unintended side effects. This ensures predictable, safe task execution across multiple hosts, as Ansible modules are designed to check the current state before making changes.

Exam trap

The trap here is that candidates confuse 'ignore_errors' with a valid error-handling strategy, or assume serial execution is always safer, when in fact idempotency is the fundamental best practice that Ansible's design revolves around.

How to eliminate wrong answers

Option A is wrong because 'ignore_errors: yes' on all tasks would suppress legitimate failures, making debugging impossible and potentially leaving systems in an inconsistent or broken state. Option C is wrong because serial execution is not always necessary; Ansible's default parallel execution (via forks) is efficient and safe for idempotent tasks, and serial is only used for specific rolling-update scenarios. Option D is wrong because relying on previous task output creates tight coupling and non-idempotent workflows; Ansible encourages using facts, registered variables, and idempotent modules to maintain order without hard dependencies.

57
MCQhard

Refer to the exhibit. The administrator notices that the handler 'restart httpd' runs even though the httpd service was already running. Which change would ensure the handler only runs if the service configuration changes?

A.Add a condition to the handler to check if httpd is already running.
B.Set the handler to 'state: reloaded' instead of 'restarted'.
C.Move the 'Ensure httpd is running' task before the handler notification.
D.Use a separate handler for configuration changes and notify it from tasks that modify configuration files.
AnswerD

This ensures restart only occurs when configuration changes, not on every httpd package update.

Why this answer

The handler is notified by the 'Install httpd' task, which changes only on initial installation or update. However, the handler runs after the 'Ensure httpd is running' task, which is unnecessary. To avoid restarting when the service is already running and no configuration changed, the administrator should add a 'listen' directive or use a separate handler for configuration changes.

58
MCQeasy

A systems administrator needs to run a playbook that installs packages on a group of managed nodes. The playbook should run only on nodes that are part of the 'web_servers' group in the inventory. Which approach is best practice?

A.Set 'hosts: web_servers' in the play.
B.Set 'hosts: all' and use '--limit web_servers' when running ansible-playbook.
C.Set 'hosts: localhost' and delegate tasks to web_servers.
D.Set 'hosts: all' and use a 'when' condition to check if the node is in the web_servers group.
AnswerA

Directly targeting the group is the simplest and most readable approach.

Why this answer

Option A is correct because setting 'hosts: web_servers' in the play directly targets only the nodes in that inventory group, which is the simplest and most maintainable approach. This follows Ansible's best practice of declaring the target group explicitly in the playbook rather than relying on runtime flags or conditional logic, ensuring the playbook's intent is clear and portable.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing runtime flags or conditional logic, forgetting that Ansible's simplest and most explicit targeting method—setting 'hosts' to the group name—is both best practice and the most reliable for clarity and execution.

How to eliminate wrong answers

Option B is wrong because using '--limit web_servers' with 'hosts: all' is a runtime override that can be forgotten or misapplied, making the playbook less self-documenting and error-prone; it also requires the operator to remember the flag each time. Option C is wrong because setting 'hosts: localhost' and delegating tasks to web_servers is unnecessary complexity—delegation is meant for tasks that must run on the control node (e.g., fetching files), not for targeting a group of managed nodes. Option D is wrong because using a 'when' condition to check group membership (e.g., 'when: "web_servers" in group_names') still runs the play on all nodes, wasting resources and potentially causing failures on non-target nodes if tasks are not idempotent.

59
MCQhard

Refer to the exhibit. The playbook uses the 'yum' module to install 'httpd' on a RHEL 8 system. Which of the following is the most likely cause of the failure?

A.The 'yum' module is deprecated for RHEL 8; must use 'dnf'.
B.The AppStream repository is not enabled on the target host.
C.The remote host does not have subscription-manager access.
D.The package name is misspelled; it should be 'apache2'.
AnswerB

httpd is in AppStream; if disabled, package won't be found.

Why this answer

On RHEL 8, the `yum` command is a symbolic link to `dnf`, and the `yum` Ansible module internally uses `dnf` as the backend. The most common cause of failure when installing a package like `httpd` on RHEL 8 is that the AppStream repository (which contains `httpd`) is not enabled or available on the target host. Without an enabled repository containing the package, the module cannot resolve and install it, leading to a failure.

Exam trap

The trap here is that candidates assume the `yum` module is deprecated or incompatible with RHEL 8, but the actual failure is almost always a repository availability issue, not the module itself.

How to eliminate wrong answers

Option A is wrong because the `yum` module is not deprecated for RHEL 8; it is fully functional and internally delegates to `dnf` on RHEL 8 systems, so using the `yum` module is valid. Option C is wrong because subscription-manager access is not required for installing `httpd`; the package is available from standard repositories (e.g., AppStream) and does not require a Red Hat subscription to be accessed. Option D is wrong because the package name `httpd` is correct for RHEL 8; `apache2` is the package name used on Debian-based systems, not on RHEL.

60
MCQhard

A team has developed several roles that share common variables. They want to organize these variables in a central file. Where should they place this file so it is automatically loaded by all roles?

A.In the inventory directory as host_vars/localhost.yml
B.In a common role's vars/main.yml
C.In a common role's defaults/main.yml
D.In the playbook directory as group_vars/all.yml
AnswerD

group_vars/all.yml is automatically included and applies to all hosts.

Why this answer

Variables defined in group_vars/all.yml are applied globally to all hosts and are accessible by all roles. This is the standard way to share common variables across roles in a playbook.

61
Multi-Selectmedium

An Ansible playbook uses the 'block' and 'rescue' directives. Which two statements are true about this construct? (Choose two.)

Select 2 answers
A.Rescue tasks are executed on all hosts in the play.
B.A rescue section executes only if the block tasks fail.
C.Blocks cannot be nested.
D.The 'always' section runs regardless of success or failure.
E.A block can have multiple rescue sections.
AnswersB, D

Rescue runs when a task in the block fails.

Why this answer

Options A and C are correct. Option B is false because only one rescue section per block is allowed. Option D is false because rescue runs only on hosts where the block failed.

Option E is false because blocks can be nested.

62
MCQhard

You are managing a fleet of 50 RHEL 8 servers that host a critical web application. Your Ansible control node runs RHEL 8 with Ansible 2.9. The application requires a specific package 'app-pkg' that is only available from a private YUM repository. The repository is configured on each server via a role 'repo_config'. Recently, after a security update, the repository GPG key was changed. Now, when you run the playbook to install 'app-pkg' on all servers, it fails on some servers with the error: "GPG check FAILED: key ID mismatch". On other servers, the installation succeeds. All servers have the same OS version and are configured identically via the same role. The playbook uses the 'yum' module with 'state: present'. You verify that the GPG key file on the control node is the correct new key and that the role copies it to the servers. What is the most likely cause and the best course of action?

A.Add a task before installing the package to clean the yum cache using the 'command' module: 'yum clean all'. This ensures the new GPG key is used.
B.The repository URL might be incorrect on some servers. Use the 'uri' module to test connectivity to the repository.
C.The role is not copying the new GPG key to all servers. Re-run the role with 'force: yes' to ensure the key is overwritten.
D.Add 'disable_gpg_check: yes' to the task to bypass the GPG check temporarily.
AnswerA

Cleaning the cache removes old key data, allowing the new key to be imported correctly.

Why this answer

Option A is correct because the 'GPG check FAILED: key ID mismatch' error indicates that the yum cache on some servers still holds the old GPG key metadata. Running 'yum clean all' before installing the package forces yum to refresh its metadata and re-import the new GPG key from the repository, resolving the mismatch. Since the role copies the new key file, the issue is not the key file itself but stale cached metadata.

Exam trap

The trap here is that candidates assume the GPG key file itself is not being copied correctly (option C) or that a connectivity test (option B) is needed, when the real issue is stale yum cache metadata causing a key ID mismatch.

How to eliminate wrong answers

Option B is wrong because the error is specifically a GPG key mismatch, not a connectivity issue; the repository URL is irrelevant to GPG key validation. Option C is wrong because the role already copies the new key file, and the error persists despite the key being present; the problem is stale yum cache, not missing or outdated key files. Option D is wrong because disabling GPG check bypasses security entirely and is not a proper fix; it would allow installation but leave the system vulnerable and does not address the root cause of the key mismatch.

63
Multi-Selectmedium

Which TWO statements about Ansible roles are correct?

Select 2 answers
A.Roles must follow a specific directory structure.
B.Roles can be shared via Ansible Galaxy.
C.Ansible Galaxy is a continuous integration tool for testing roles.
D.Role dependencies must be defined in a file named dependencies.yml.
E.Role names must have a .role extension.
AnswersA, B

Roles require a defined directory layout (tasks, handlers, etc.).

Why this answer

Option A is correct because Ansible roles enforce a specific directory structure (e.g., tasks/, handlers/, templates/, files/, vars/, defaults/, meta/, and library/) to organize automation content. This structure is mandatory for Ansible to correctly locate and load role components during playbook execution.

Exam trap

The trap here is that candidates confuse Ansible Galaxy as a CI tool because it has 'Galaxy' in its name, or assume role dependencies require a separate file like dependencies.yml, when in fact they must be placed in meta/main.yml.

64
MCQmedium

A playbook uses roles with default variables. The administrator needs to override a default variable for a specific role only when that role is used. Which method should be used?

A.Set the variable in the inventory host_vars.
B.Pass the variable as a parameter to the role in the playbook.
C.Set the variable in the role's vars/main.yml.
D.Set the variable in the playbook's vars section.
AnswerB

Role parameters take precedence over defaults and are specific to that role invocation.

Why this answer

Option D (role parameters) is correct because they are passed directly to the role in the playbook and override defaults. Option A (role vars) have higher priority but are static. Option B (playbook vars) apply to all roles.

Option C (inventory vars) apply to all hosts/roles.

Ready to test yourself?

Try a timed practice session using only Manage task execution and roles questions.