CCNA Collections Environments Questions

75 of 78 questions · Page 1/2 · Collections Environments topic · Answers revealed

1
MCQ · hard

An organization uses a private Git repository to store Ansible content collections. They want to automate the building of execution environments that include these collections. Which approach is recommended?

A. Store the collection tarball in a Git LFS and use an ADD command in the base image.
B. Add the Git repository as a source in the execution-environment.yml using the 'git' type.
C. Use ansible-builder to clone the repository during build with a pre-build script.
D. Build the collection manually, publish it to a private Automation Hub, then reference it in the EE.
Answer: D

Publishing to Automation Hub is the standard method for managing collections in execution environments.

Why this answer

Option D is correct because the recommended workflow for including private collections in an execution environment is to build the collection, publish it to a private Automation Hub, and then reference it in the `execution-environment.yml` file. This ensures the collection is available as a signed, versioned artifact that `ansible-builder` can pull during the build process, maintaining integrity and reproducibility without exposing Git credentials or requiring network access during build.

Exam trap

The trap here is that candidates assume Git repositories can be directly referenced in the execution environment definition file, but the EX294 exam expects you to know that only Galaxy or Automation Hub sources are valid, and that private collections must be published to a private Automation Hub first.

How to eliminate wrong answers

Option A is wrong because Git LFS stores large files, not tarballs of collections, and using an ADD command in a Containerfile bypasses the dependency resolution and signing provided by Automation Hub, leading to potential version mismatches. Option B is wrong because the `execution-environment.yml` file does not support a 'git' type source; it only supports 'galaxy' or 'automation_hub' types for pulling collections from a Galaxy server or Automation Hub. Option C is wrong because `ansible-builder` does not support pre-build scripts that clone repositories; it builds execution environments from a definition file and expects collections to be available from a configured Galaxy or Automation Hub source, not from arbitrary Git clones.

2
MCQ · easy

Based on the exhibit, which file is generated by `ansible-builder` to support the build?

A. requirements.yml
B. execution-environment.yml
C. Containerfile
D. ansible.cfg
Answer: C

`ansible-builder` generates a Containerfile from the definition.

Why this answer

The `ansible-builder` tool uses a definition file (typically `execution-environment.yml`) to construct a container image. During the build process, it generates a `Containerfile` (or `Dockerfile`) that contains the exact instructions for building the container image, such as base image selection, package installation, and collection inclusion. This generated file is the actual artifact that the container runtime (e.g., Podman or Docker) uses to create the execution environment image.

Exam trap

Red Hat often tests the distinction between the input definition file (`execution-environment.yml`) and the output build artifact (`Containerfile`), causing candidates to mistakenly select the input file as the generated output.

How to eliminate wrong answers

Option A is wrong because `requirements.yml` is an input file used to specify Ansible collections or Python dependencies for an execution environment, not a file generated by `ansible-builder` during the build process. Option B is wrong because `execution-environment.yml` is the definition file that you provide to `ansible-builder` as input, describing the base image, dependencies, and other settings; it is not generated by the tool. Option D is wrong because `ansible.cfg` is a configuration file for Ansible itself, controlling settings like inventory, roles path, and connection parameters, and it has no direct role in the `ansible-builder` build process.

3
MCQ · hard

An execution environment is built using ansible-builder. The definition file includes a base image from registry.redhat.io. After building, the container runs but ansible-navigator can't find the EE. What is the most likely cause?

A. The EE was not pushed to a registry accessible by ansible-navigator.
B. ansible-navigator uses a different Python interpreter.
C. The base image is not compatible with the installed collections.
D. The EE was not tagged correctly.
Answer: A

ansible-navigator by default pulls EEs from a registry; a locally built EE must be pushed to a configured registry.

Why this answer

The most likely cause is that the execution environment (EE) was built locally but not pushed to a registry that `ansible-navigator` can access. By default, `ansible-navigator` pulls EEs from a container registry (e.g., `registry.redhat.io` or a private registry) specified in its configuration; it does not automatically discover locally built images. If the EE is only present in the local Docker/Podman store, `ansible-navigator` will fail to find it, resulting in a runtime error.

Exam trap

The trap here is that candidates assume `ansible-navigator` can use any locally built container image without pushing it to a registry, overlooking the default pull behavior that requires registry access.

How to eliminate wrong answers

Option B is wrong because `ansible-navigator` does not use a separate Python interpreter; it runs inside the EE container, inheriting the Python interpreter from the EE's base image. Option C is wrong because base image compatibility with collections is not the issue here — the EE was built successfully and runs, so the collections are compatible. Option D is wrong because tagging is a metadata issue that would affect image identification, not the fundamental ability of `ansible-navigator` to locate the EE; even a correctly tagged local image would still be invisible to `ansible-navigator` if not pushed to a registry.

4
MCQ · easy

Which command publishes a collection to Automation Hub?

A. ansible-galaxy collection import ./namespace-name-1.0.0.tar.gz
B. ansible-galaxy collection upload ./namespace-name-1.0.0.tar.gz
C. ansible-galaxy collection push ./namespace-name-1.0.0.tar.gz
D. ansible-galaxy collection publish ./namespace-name-1.0.0.tar.gz --token MYTOKEN
Answer: D

'ansible-galaxy collection publish' with an API token is the correct way to publish.

Why this answer

Option D is correct because `ansible-galaxy collection publish` is the specific command used to upload a collection tarball to Automation Hub (or any Galaxy server). The `--token` flag provides the required API authentication token for the publish operation. This command sends the tarball to the server's API endpoint, which validates and imports the collection.

Exam trap

The trap here is that candidates confuse the `ansible-galaxy role push` command (used for roles) with the collection workflow, mistakenly assuming 'push' or 'upload' are valid for collections, when only `publish` is correct.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy collection import` is not a valid command; the correct command for importing a collection from a source (like a Git repository) is `ansible-galaxy collection build` followed by `publish`, and `import` is used for roles, not collections. Option B is wrong because `ansible-galaxy collection upload` does not exist; the verb 'upload' is not used in the Ansible Galaxy CLI for collections. Option C is wrong because `ansible-galaxy collection push` is not a valid subcommand; 'push' is used with `ansible-galaxy role` (e.g., `ansible-galaxy role push`), not for collections.

5
Multi-Select · hard

Which THREE actions are required to successfully publish a collection to Automation Hub?

Select 3 answers
A. Build the collection with ansible-galaxy collection build.
B. Create an API token.
C. Sign the collection with GPG.
D. Run ansible-galaxy collection test.
E. Ensure the collection version is unique.
Answers: A, B, E

The collection must be built into a tarball before publishing.

Why this answer

Option A is correct because `ansible-galaxy collection build` is the required command to package a collection into a distributable tarball (e.g., `namespace-collection-1.0.0.tar.gz`). This tarball is the artifact that is then uploaded to Automation Hub. Without building the collection, there is no file to publish.

Exam trap

The trap here is that candidates confuse optional security hardening (GPG signing) with a mandatory publishing step, or they invent a non-existent command like `ansible-galaxy collection test` as a required action.

6
Multi-Select · hard

Which THREE components are typically included in an execution environment?

Select 3 answers
A. Base OS image
B. Ansible Navigator
C. Ansible Core and collections
D. Python interpreter and dependencies
E. Ansible Tower/AWX
Answers: A, C, D

The foundation of the container.

Why this answer

An execution environment is a container image that provides a consistent, self-contained runtime for Ansible automation. It must include a base OS image (e.g., Red Hat Universal Base Image) to host the environment, Ansible Core and collections for automation logic, and a Python interpreter with its dependencies to execute modules and manage system interactions. These three components ensure portability and reproducibility across different control nodes.

Exam trap

Red Hat often tests the distinction between tools that manage execution environments (like Ansible Navigator) versus components that are actually inside the execution environment, leading candidates to mistakenly include Navigator or Tower/AWX as part of the image.

7
Multi-Select · easy

Which TWO factors should be considered when choosing a base container image for an execution environment?

Select 2 answers
A. The date of the last update.
B. The presence of ansible-core and ansible-runner.
C. The size of the image.
D. The base operating system version.
E. The number of layers.
Answers: B, D

These components are essential for running Ansible inside the container.

Why this answer

An execution environment is a container image that includes all dependencies needed to run Ansible automation. For it to function correctly, the base image must contain `ansible-core` and `ansible-runner`, as these provide the core automation engine and the runner that manages playbook execution, respectively. Without these components, the container cannot execute Ansible jobs, making their presence a mandatory requirement.

Exam trap

Red Hat often tests the misconception that image size or layer count are critical selection criteria, when in fact the mandatory technical requirement is the presence of `ansible-core` and `ansible-runner` to ensure the container can actually run Ansible jobs.

8
Drag & Drop · medium

Drag and drop the steps to configure SELinux to allow Apache to read a custom web directory in the correct order.

Why this order

SELinux for web: create dir, set context, verify, configure Apache, restart and test.

9
MCQ · hard

Refer to the exhibit. A developer builds an execution environment using this execution-environment.yml. After building, the container starts but ansible-navigator cannot connect to the container because the required SSH packages are missing. Which file most likely needs to be updated?

A. The base image itself
B. requirements.yml
C. requirements.txt
D. bindep.txt
Answer: D

Contains system package dependencies.

Why this answer

D is correct because `bindep.txt` specifies system-level package dependencies (like `openssh-clients` or `sshpass`) that must be installed in the container image. When building an execution environment, `ansible-builder` reads `bindep.txt` to install RPM packages via `dnf` (or `apt` on Debian-based images). If SSH packages are missing, the `bindep.txt` file is the most likely place to add them, as it directly controls which system packages are included in the final image.

Exam trap

Red Hat often tests the distinction between system-level dependencies (`bindep.txt`), Python dependencies (`requirements.txt`), and Ansible collections (`requirements.yml`), and the trap here is that candidates confuse `requirements.txt` (Python packages) with system packages, leading them to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because the base image itself (e.g., `quay.io/ansible/ansible-runner:latest`) is a pre-built container that already includes Ansible and Python but does not include SSH client packages by default; modifying the base image is not the standard approach—`bindep.txt` is the intended mechanism. Option B is wrong because `requirements.yml` is used to install Ansible collections from Galaxy or Automation Hub, not system packages like SSH clients. Option C is wrong because `requirements.txt` is used to install Python packages via `pip` (e.g., `ansible-core`, `pywinrm`), not RPM-level dependencies like `openssh-clients`.

10
MCQ · medium

Your organization uses Ansible Automation Platform 2.2 with private Automation Hub. You have developed a custom collection named 'my_company.network' that depends on 'cisco.ios' and 'vyos.vyos'. The collection is published in your private hub. You are building an execution environment using ansible-builder. The execution-environment.yml specifies 'EE_BASE_IMAGE: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest'. The dependencies section points to a requirements.yml file that includes your collection. When you run 'ansible-builder build', the build succeeds, but when running a playbook that uses modules from 'cisco.ios', you get an error 'module not found'. What is the most likely reason and the correct action to resolve it?

A. Reinstall the collection on the controller node using 'ansible-galaxy collection install'
B. Use a different base image that includes 'cisco.ios'
C. Update the collection metadata to include dependencies and rebuild
D. Add 'cisco.ios' to the requirements.yml file used during the execution environment build
Answer: D

Explicitly listing the dependency ensures it is included in the execution environment.

Why this answer

The execution environment build process uses the requirements.yml file to determine which collections to include in the image. If the custom collection 'my_company.network' depends on 'cisco.ios', but that dependency is not explicitly listed in the requirements.yml, the builder will not include 'cisco.ios' in the execution environment. Adding 'cisco.ios' to the requirements.yml ensures it is installed during the build, making the module available at runtime.

Exam trap

The trap here is that candidates assume collection dependencies declared in metadata are automatically resolved during the execution environment build, but ansible-builder only installs collections explicitly listed in requirements.yml, not their transitive dependencies.

How to eliminate wrong answers

Option A is wrong because reinstalling the collection on the controller node does not affect the execution environment; the controller uses the execution environment's content, not locally installed collections. Option B is wrong because the base image 'ee-supported-rhel8' already includes many supported collections, but 'cisco.ios' is not guaranteed to be included; the issue is the build process, not the base image selection. Option C is wrong because updating the collection metadata to declare dependencies only affects the collection's metadata, but the execution environment builder does not automatically resolve transitive dependencies from the metadata; it only installs what is explicitly listed in requirements.yml.

11
Multi-Select · easy

Which TWO of the following are valid methods to install a collection from a private Automation Hub?

Select 2 answers
A. `ansible-galaxy collection install my_namespace.my_collection --server automationhub`
B. `ansible-navigator run --pp never --pull-policy missing -- ... `
C. Configure `server_list` in `ansible.cfg` under `[galaxy]` with the Automation Hub URL and then run `ansible-galaxy collection install my_namespace.my_collection`.
D. `ansible-galaxy collection install my_namespace.my_collection --server https://automationhub.example.com`
E. Download the tarball and place it in the `collections/` directory of the role path.
Answers: C, D

Uses configuration to point to the private Automation Hub.

Why this answer

Option C is correct because configuring the `server_list` in `ansible.cfg` under the `[galaxy]` section allows you to define multiple Galaxy servers, including a private Automation Hub. Once configured, `ansible-galaxy collection install` will automatically use the specified server list to resolve and install the collection. Option D is also correct because the `--server` flag directly specifies the Automation Hub URL, overriding any default server configuration for that single command.

Exam trap

Red Hat often tests the distinction between specifying a server via a keyword versus a full URL, and the fact that `ansible-navigator` is for execution environments, not collection installation, leading candidates to confuse command purposes.

12
MCQ · hard

Refer to the exhibit. A user attempts to download the collection using the download URL but the signature verification fails. What is the most likely reason?

A. The collection version does not match.
B. The user's client does not have the corresponding public key.
C. The collection is not properly signed.
D. The download URL is invalid.
Answer: B

Signature verification requires the public key; if missing, verification fails.

Why this answer

B is correct because signature verification of a downloaded collection requires the client to have the corresponding public key that was used to sign the collection. If the user's client lacks this public key, the verification process will fail, even if the collection itself is properly signed and the URL is valid.

Exam trap

Red Hat often tests the misconception that signature verification failures are always due to a corrupted or unsigned collection, when in reality the client-side public key management is a common oversight.

How to eliminate wrong answers

Option A is wrong because a version mismatch would not cause a signature verification failure; it would instead result in a different collection being downloaded or a version conflict error. Option C is wrong because if the collection were not properly signed, the signature verification would fail for that reason, but the question states the user attempts to download using the download URL, implying the collection exists and is signed; the most likely reason is the missing public key on the client side. Option D is wrong because an invalid download URL would prevent the download from starting or return a 404 error, not cause a signature verification failure after the download completes.

13
MCQ · medium

An organization uses a private Automation Hub. A user has configured the server in ansible.cfg. Which command installs a collection from this server?

A. ansible-galaxy collection install my_namespace.my_collection --api-key=mykey
B. ansible-galaxy collection install my_namespace.my_collection --server=https://privatehub.example.com
C. ansible-galaxy collection download my_namespace.my_collection
D. ansible-galaxy collection install my_namespace.my_collection
Answer: D

Uses the configured server from ansible.cfg.

Why this answer

Option D is correct because when the Automation Hub server is already configured in ansible.cfg under the [galaxy] section with the server_url and auth_url, the ansible-galaxy collection install command will automatically use that server and its authentication. No additional flags are needed; the command simply specifies the collection name in the format namespace.collection.

Exam trap

The trap here is that candidates may think they need to specify the server URL or API key on the command line, but the EX294 exam expects you to know that the server is pre-configured in ansible.cfg, so only the collection name is required.

How to eliminate wrong answers

Option A is wrong because the --api-key flag is not a valid argument for ansible-galaxy collection install; authentication is handled via the server configuration in ansible.cfg or the GALAXY_TOKEN environment variable, not a command-line API key. Option B is wrong because the --server flag is not a valid option for ansible-galaxy collection install; the server URL is defined in ansible.cfg, not passed as a command-line argument. Option C is wrong because ansible-galaxy collection download is used to download a collection without installing it, not to install it from a configured server.

14
MCQ · medium

An organization uses a private automation hub to distribute collections. A developer has created a new collection and needs to ensure it is available in the hub for others. Which command should the developer use to upload the collection to the private automation hub?

A. ansible-galaxy collection import
B. ansible-galaxy collection build
C. ansible-galaxy collection publish
D. ansible-galaxy collection install
Answer: C

Correct. This command uploads the collection tarball to the configured Galaxy server.

Why this answer

Option C is correct because `ansible-galaxy collection publish` is the command specifically designed to upload a built collection artifact (a .tar.gz file) to a Galaxy server, including a private automation hub. This command sends the collection to the configured Galaxy server endpoint, making it available for others to install via `ansible-galaxy collection install`.

Exam trap

The trap here is that candidates confuse `build` (which only creates the artifact) with `publish` (which uploads it), or they mistakenly think `import` is the correct command for uploading a built artifact, when in fact `import` is for source-based imports from a repository.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy collection import` is used to import a collection from a Git repository or a source distribution into a Galaxy server, but it is not the command for uploading a pre-built collection artifact; it expects a source repository URL or a path to a source directory, not a built .tar.gz file. Option B is wrong because `ansible-galaxy collection build` creates the collection artifact (a .tar.gz file) from the collection source files, but it does not upload or publish it to any server; it only produces the local artifact. Option D is wrong because `ansible-galaxy collection install` downloads and installs a collection from a Galaxy server or a local path, but it does not upload or publish collections to a hub.

15
MCQ · medium

A developer creates a collection and wants to ensure it includes a required Python library for a module. Where should this dependency be declared?

A. In a requirements.txt file at the collection root.
B. In the galaxy.yml file under dependencies.
C. In the meta/runtime.yml file.
D. In the collection's README.
Answer: B

galaxy.yml supports a 'dependencies' key listing Python packages and other collections.

Why this answer

In Ansible collections, Python library dependencies for modules are declared in the `galaxy.yml` file under the `dependencies` key. This ensures that when the collection is installed via `ansible-galaxy collection install`, the required Python packages are automatically resolved and installed. The `dependencies` field in `galaxy.yml` specifically supports listing Python package requirements using the format `python: package_name`.

Exam trap

Red Hat often tests the distinction between `galaxy.yml` (for collection metadata and dependencies) and `requirements.txt` (a generic Python file not automatically consumed by Ansible collection installation), leading candidates to mistakenly choose `requirements.txt`.

How to eliminate wrong answers

Option A is wrong because `requirements.txt` is a standard Python file for pip, but Ansible collections do not automatically read it for dependency resolution during collection installation; the collection's dependencies are declared in `galaxy.yml`. Option C is wrong because `meta/runtime.yml` is used to define Ansible runtime behavior such as action groups, module defaults, and redirects, not Python library dependencies. Option D is wrong because the README is documentation-only and has no effect on dependency installation or resolution.

16
MCQ · hard

The build fails with a DNS resolution error for `registry.redhat.io`. Which troubleshooting step is most likely to resolve the issue?

A. Run `podman login registry.redhat.io` to authenticate.
B. Restart the container runtime service.
C. Verify DNS settings in `/etc/resolv.conf` or configure a custom DNS server for the container runtime.
D. Use the `--no-cache` flag to force a fresh build.
Answer: C

Corrects the underlying DNS issue.

Why this answer

A DNS resolution error for `registry.redhat.io` indicates that the container runtime (e.g., Podman) cannot resolve the registry's hostname to an IP address. This is a network/DNS issue, not an authentication or caching problem. Verifying or correcting DNS settings in `/etc/resolv.conf` or configuring a custom DNS server for the container runtime directly addresses the root cause by ensuring the host or container runtime can resolve the registry's FQDN.

Exam trap

The trap here is that candidates confuse DNS resolution errors with authentication or cache issues, leading them to choose `podman login` or `--no-cache` instead of recognizing that DNS must work before any network communication can occur.

How to eliminate wrong answers

Option A is wrong because `podman login` authenticates to the registry, but DNS resolution occurs before authentication; if the hostname cannot be resolved, authentication is irrelevant. Option B is wrong because restarting the container runtime service does not fix underlying DNS configuration issues; it only restarts the daemon without changing network or resolver settings. Option D is wrong because `--no-cache` forces a fresh build by ignoring cached layers, but it does not affect DNS resolution; the build will still fail if the registry hostname cannot be resolved.

17
MCQ · hard

Based on the exhibit, which collection provides modules for managing Red Hat Insights subscriptions?

A. `community.general`
B. `redhat.insights`
C. `ansible.posix`
D. `insights`
Answer: B

The official Red Hat collection for Insights.

Why this answer

The `redhat.insights` collection is the official Ansible collection from Red Hat that provides modules specifically for managing Red Hat Insights subscriptions, including `insights_register` and `insights_unregister`. This collection is maintained by Red Hat and is the correct source for automating Insights registration and subscription management tasks.

Exam trap

The trap here is that candidates may confuse the generic term 'insights' with a valid collection name, or assume `community.general` covers all Red Hat-specific modules, when in fact Red Hat provides a dedicated, namespaced collection (`redhat.insights`) for this purpose.

How to eliminate wrong answers

Option A is wrong because `community.general` is a community-maintained collection that contains a wide variety of general-purpose modules, but it does not include dedicated modules for Red Hat Insights subscription management. Option C is wrong because `ansible.posix` is a collection focused on POSIX system utilities (like `mount`, `firewalld`, `authorized_key`) and has no modules for Red Hat Insights. Option D is wrong because `insights` is not a valid Ansible collection name; the correct collection namespace is `redhat.insights`, and using a bare `insights` would cause a module resolution failure.

18
Multi-Select · hard

Which THREE of the following are valid directives that can be used in an `execution-environment.yml` file for `ansible-builder`?

Select 3 answers
A. `system_packages:`
B. `version:`
C. `python_requirements:`
D. `additional_build_steps:`
E. `dependencies:`
Answers: B, D, E

Specifies the version of the execution environment definition.

Why this answer

Option B is correct because `version:` is a valid directive in an `execution-environment.yml` file for ansible-builder. It specifies the version of the execution environment definition format, ensuring compatibility with the builder tool. This directive is used at the top level of the file to declare the schema version, such as `version: 1`.

Exam trap

The trap here is that candidates confuse `version:` as a dependency version specifier rather than recognizing it as a top-level schema version directive, leading them to incorrectly select options like `system_packages:` or `python_requirements:` as valid top-level keys.

19
Multi-Select · medium

Which TWO statements are true about Ansible content collections?

Select 2 answers
A. Collections can be installed from Automation Hub, Galaxy, or a Git repository.
B. Collections cannot contain playbooks.
C. A role stored in a collection can be referenced by its short name without the collection prefix.
D. Execution environments are required to use collections.
E. Fully qualified collection names (FQCN) help avoid naming conflicts.
Answers: A, E

Collections support multiple installation sources.

Why this answer

Option A is correct because Ansible collections can be installed from multiple sources: Automation Hub (a Red Hat curated repository), Galaxy (the community repository), or directly from a Git repository using the `ansible-galaxy collection install` command with a Git URL. This flexibility allows users to leverage curated, community, or custom collections as needed.

Exam trap

The trap here is that candidates often assume collections cannot contain playbooks (option B) or that execution environments are mandatory (option D), but the EX294 exam expects you to know that collections can include playbooks and that EEs are optional for basic collection usage.

20
MCQ · easy

A user wants to run a playbook that uses a module from 'myorg.mycollection'. The playbook is located in /home/user/projects. Which of the following is true about the collection discovery?

A. The user must set the ANSIBLE_COLLECTIONS_PATH environment variable.
B. The collection is not installed, so the playbook will fail.
C. Ansible will look only in /usr/share/ansible/collections.
D. Ansible will automatically find the collection in the default search path.
Answer: D

Ansible searches ~/.ansible/collections by default.

Why this answer

Option D is correct because Ansible automatically searches for collections in the default search path, which includes the collections directory adjacent to the playbook. Since the playbook is located in /home/user/projects, Ansible will look in /home/user/projects/collections/ansible_collections/myorg/mycollection, among other default paths, without requiring any environment variable or manual configuration.

Exam trap

The trap here is that candidates often assume a collection must be installed system-wide or require an environment variable, but Ansible's default search path automatically includes the playbook-adjacent collections directory, making local collection discovery seamless.

How to eliminate wrong answers

Option A is wrong because the ANSIBLE_COLLECTIONS_PATH environment variable is not required; it is only used to override or extend the default search path, not a mandatory setting. Option B is wrong because the question does not state whether the collection is installed or not; the focus is on discovery, not installation status, and a playbook can succeed if the collection is present in a default path. Option C is wrong because Ansible does not look only in /usr/share/ansible/collections; it also checks the playbook-adjacent collections directory and the user-level ~/.ansible/collections path.

21
MCQ · easy

Which command runs a playbook using an execution environment named 'my-ee'?

A. ansible-navigator run playbook.yml --execution-environment my-ee
B. ansible-playbook -i inventory playbook.yml -e 'ansible_python_interpreter=/usr/bin/python3' --ee my-ee
C. ansible-runner run --ee my-ee playbook.yml
D. ansible-navigator run playbook.yml --ee my-ee
Answer: A

Correct command with full flag.

Why this answer

Option A is correct. The 'ansible-navigator run' command with the '--execution-environment' flag specifies the EE to use. Options B and C use incorrect commands.

Option D uses a short flag but is also correct; however, only A is listed as correct to avoid ambiguity.

22
MCQ · easy

You are a Red Hat Certified Engineer tasked with creating a content collection for your organization. The collection will contain roles and modules used by multiple teams. The requirements are: (1) The collection must follow the Ansible community structure. (2) It must include a module that manages network devices. (3) The collection must be versioned and published to Automation Hub. (4) You must provide a minimal working example for other developers.

After initial development, you run 'ansible-galaxy collection build' and it fails with 'ERROR! Unknown file type in collection: .gitkeep'. The collection directory contains:

- galaxy.yml
- plugins/modules/network_config.py
- roles/network/
- tests/
- .gitkeep (in tests/)

What single action should you take to resolve the build error?

A. Add a 'namespace' field to galaxy.yml.
B. Create a .galaxy_ignore.yml file to exclude .gitkeep.
C. Remove the .gitkeep file from the collection.
D. Move the network_config.py module to a subdirectory named 'modules'.
Answer: C

Correct: ansible-galaxy collection build only accepts certain file types (e.g., .yml, .py, .rst). .gitkeep is unrecognized and must be removed.

Why this answer

The `ansible-galaxy collection build` command fails because it encounters a `.gitkeep` file inside the `tests/` directory, which is not a recognized file type for Ansible collections. The correct action is to remove the `.gitkeep` file, as Ansible collections only allow specific file types (e.g., `.yml`, `.yaml`, `.py`, `.rst`, `.md`, `.txt`, `.cfg`, `.json`, `.j2`, `.ps1`, `.psm1`, `.psd1`, `.csv`, `.env`, `.gitignore`, `.galaxy_ignore.yml`, and a few others). The `.gitkeep` file is not in this allowed list, causing the build to abort.

Exam trap

The trap here is that candidates may think they need to use `.galaxy_ignore.yml` to exclude the `.gitkeep` file, but the build process fails before ignoring rules are applied because the file type check occurs first.

How to eliminate wrong answers

Option A is wrong because the `namespace` field is already required in `galaxy.yml` for a valid collection, and its absence would cause a different error (e.g., 'ERROR! Missing required field: namespace'), not the 'Unknown file type' error. Option B is wrong because `.galaxy_ignore.yml` is used to exclude files from the built collection tarball, but it does not prevent the build from failing due to an unknown file type; the build process checks file types before applying ignore rules. Option D is wrong because the `network_config.py` module is already correctly placed in `plugins/modules/`; moving it to a subdirectory named `modules` would violate the required Ansible collection directory structure, causing a different error.

23
MCQ · easy

Which file is required to define the content of an Ansible execution environment when using ansible-builder?

A. Dockerfile
B. requirements.yml
C. ansible.cfg
D. execution-environment.yml
Answer: D

execution-environment.yml is the required file that defines the base image, collections, and dependencies.

Why this answer

The `execution-environment.yml` file is the required definition file for `ansible-builder` because it specifies the base image, custom dependencies (Python, system, or collections), and additional build instructions needed to construct a containerized Ansible execution environment. Without this file, `ansible-builder` has no manifest to process, as it is the sole input that defines the environment's content.

Exam trap

The trap here is that candidates confuse the generated `Dockerfile` (an output artifact) with the required input file, or they assume `requirements.yml` is the main definition because it is commonly used for collection installation in playbooks, but `ansible-builder` specifically requires `execution-environment.yml` as the blueprint.

How to eliminate wrong answers

Option A is wrong because a `Dockerfile` is not required; `ansible-builder` generates a `Dockerfile` automatically from the `execution-environment.yml` definition, so providing one manually would override the builder's logic and is not the required input. Option B is wrong because `requirements.yml` is an optional file used to list Ansible collections for installation, but it is not the primary definition file; it can be referenced within `execution-environment.yml` under the `dependencies` section. Option C is wrong because `ansible.cfg` is a configuration file for Ansible's runtime behavior (e.g., inventory, roles path, forks) and has no role in defining the content of an execution environment for `ansible-builder`.

24
MCQ · medium

When building an execution environment with ansible-builder, a developer notices that the build process fails with an error about missing dependencies. The developer wants to ensure all required Python packages are installed in the execution environment. Which file should be used to specify additional Python packages?

A. meta/runtime.yml
B. galaxy.yml
C. bindep.txt
D. requirements.txt
Answer: D

Standard file for Python dependencies in execution environments.

Why this answer

In Ansible Builder, the `requirements.txt` file is used to specify additional Python packages that should be installed in the execution environment. When building an execution environment, Ansible Builder reads this file and installs the listed packages via pip, ensuring all required Python dependencies are present.

Exam trap

The trap here is that candidates confuse `bindep.txt` (for system packages) with `requirements.txt` (for Python packages), as both are used in execution environment builds but serve different dependency types.

How to eliminate wrong answers

Option A is wrong because `meta/runtime.yml` is used to define runtime dependencies and compatibility for Ansible collections, not for specifying Python packages for an execution environment. Option B is wrong because `galaxy.yml` is a metadata file for Ansible collections, used to define collection name, version, and dependencies, not for listing Python packages. Option C is wrong because `bindep.txt` is used to specify system-level package dependencies (e.g., for apt or yum), not Python packages.

25
MCQ · medium

Based on the exhibit, what is the purpose of the `galaxy` dependency entry?

A. Set the base container image.
B. Define which Ansible collections to install in the execution environment.
C. Specify Python packages to install via pip.
D. Configure environment variables for the container.
Answer: B

The `galaxy` key points to a requirements file for collections.

Why this answer

In the context of Ansible execution environments (EEs), the `galaxy` key within the `dependencies` section of the `execution-environment.yml` file specifies a list of Ansible collections to be installed from Ansible Galaxy or an Automation Hub. This allows the EE to include the necessary content collections required for playbook execution, ensuring all roles and modules are available inside the container.

Exam trap

Red Hat often tests the distinction between `galaxy` (for Ansible collections) and `python` (for pip packages) in the `dependencies` section, leading candidates to confuse the two or assume `galaxy` installs Python packages.

How to eliminate wrong answers

Option A is wrong because the base container image is defined by the `base_image` key in the `execution-environment.yml` file, not by the `galaxy` dependency entry. Option C is wrong because Python packages to install via pip are specified under the `python` key within `dependencies`, not under `galaxy`. Option D is wrong because environment variables for the container are configured using the `environment` key in the `execution-environment.yml` file, not through the `galaxy` dependency entry.

26
Multi-Select · medium

Which TWO statements about Ansible Execution Environments (EE) are true?

Select 2 answers
A. Execution environments are primarily used for developing new Ansible modules.
B. Execution environments use ansible-navigator as the default entrypoint.
C. Execution environments are container images built with ansible-builder.
D. Execution environments package Ansible Core, collections, and Python dependencies.
E. Execution environments can only be used with the ansible-navigator command-line tool.
Answers: C, D

Correct: ansible-builder is used to create EE images.

Why this answer

Option C is correct because execution environments are container images that package Ansible Core, collections, and Python dependencies, and they are built using the `ansible-builder` tool. The `ansible-builder` reads a definition file (e.g., `execution-environment.yml`) to construct a container image that includes all necessary components for running Ansible automation in a consistent, isolated environment.

Exam trap

The trap here is that candidates may confuse the purpose of execution environments (packaging and running automation) with module development, or assume that `ansible-navigator` is the only way to use them, when in fact they are container images that can be used with multiple Ansible tools.

27
Multi-Select · medium

Which TWO options are valid methods for including collections in an execution environment?

Select 2 answers
A. Use ansible-galaxy collection install command in a pre-build script.
B. List collections under 'collections' in execution-environment.yml.
C. Use a 'galaxy.yml' file in the build context.
D. Add a requirements.yml file with collections.
E. Include collections in the base image directly.
Answers: B, D

This is the primary method; you can specify collections directly in execution-environment.yml.

Why this answer

Option B is correct because the `execution-environment.yml` file is the primary configuration file for building an Ansible execution environment, and it supports a `collections` key where you can list collections to be included. This is the standard method for specifying collections that should be installed during the build process, ensuring they are available in the final execution environment.

Exam trap

The trap here is that candidates confuse the `galaxy.yml` file (used for defining a collection's metadata) with the `execution-environment.yml` file (used for specifying collections to include in an execution environment), or they mistakenly think runtime commands like `ansible-galaxy collection install` are valid build-time methods.

28
Multi-Select · hard

Which TWO statements about Ansible content collections are correct?

Select 2 answers
A. Collections can be installed only from Galaxy.
B. The collection name must be a single word without namespace.
C. Collections can be distributed via Automation Hub or Galaxy.
D. A collection can contain only roles and playbooks.
E. A collection must have a galaxy.yml file in its root directory.
Answers: C, E

Both are valid distribution platforms for collections.

Why this answer

Option C is correct because Ansible content collections can be distributed via either Red Hat Automation Hub (for certified collections) or Ansible Galaxy (for community collections). This dual distribution model allows organizations to use curated, supported content from Automation Hub while also leveraging community-contributed collections from Galaxy.

Exam trap

Red Hat often tests the requirement for a `galaxy.yml` file in the collection root, as candidates may mistakenly think it is optional or confuse it with other configuration files like `meta/main.yml`.

29
MCQ · hard

A collection version is already published on Automation Hub. The developer needs to update the collection with a new feature. What must be done to the version number before publishing again?

A. No change needed; Automation Hub overwrites.
B. Increment the patch or minor version number.
C. Increment the major version number.
D. Change the version to a pre-release identifier.
Answer: B

Automation Hub requires a unique version; incrementing patch or minor is appropriate for a new feature.

Why this answer

Option B is correct because Automation Hub enforces immutable collection versions; once a version is published, it cannot be overwritten or deleted. To publish a new feature, you must increment the patch (e.g., 1.0.0 → 1.0.1) or minor (e.g., 1.0.0 → 1.1.0) version number in the galaxy.yml file, following semantic versioning (semver) as required by Ansible collections.

Exam trap

The trap here is that candidates assume Automation Hub behaves like a mutable artifact repository (e.g., overwriting on re-upload), but Red Hat enforces immutability to ensure version integrity and reproducibility across environments.

How to eliminate wrong answers

Option A is wrong because Automation Hub does not allow overwriting an existing version; collections are immutable once published, and attempting to publish the same version will result in an error. Option C is wrong because incrementing the major version (e.g., 1.0.0 → 2.0.0) is only required when introducing breaking changes, not for a new feature that is backward-compatible. Option D is wrong because pre-release identifiers (e.g., 1.0.0-alpha.1) are used for testing or development versions and are not intended for publishing a stable new feature to Automation Hub.

30
MCQ · hard

You are building an execution environment for a large enterprise that requires several collections from both Red Hat Automation Hub and an internal GitLab repository. Your execution-environment.yml file includes both sources. However, the build process consistently fails during the 'adding collections' step with an error indicating that a specific collection from the internal Git repository cannot be found. You have confirmed that the Git repository URL and branch are correct, and that the repository is accessible from the build host. The collection's galaxy.yml file exists and is valid. What is the most likely reason for the failure?

A. The base image does not have Git installed.
B. The collection's Galaxy namespace conflicts with a collection from Automation Hub.
C. The 'requirements.yml' file for the internal collection is missing.
D. The ansible-builder process does not have the necessary Git credentials configured.
Answer: D

Correct. Private Git repos require SSH keys or HTTPS tokens, which must be provided to the builder.

Why this answer

The correct answer is D. The ansible-builder process requires Git credentials to clone collections from private Git repositories. Even if the URL and branch are correct and the repository is accessible from the build host, the builder itself may not have the necessary SSH keys or HTTPS credentials configured.

This is a common oversight when using internal GitLab repositories, as the builder runs in a containerized environment that does not inherit the host's credentials by default.

Exam trap

The trap here is that candidates assume that because the repository is accessible from the build host, the builder will automatically have the same access, but the builder runs in an isolated container without inheriting host credentials.

How to eliminate wrong answers

Option A is wrong because if Git were missing from the base image, the error would likely be 'git: command not found' or a similar toolchain error, not a 'collection cannot be found' error. Option B is wrong because namespace conflicts would cause a different error, such as a duplicate collection warning or failure during dependency resolution, not a 'cannot be found' error for a specific collection. Option C is wrong because the 'requirements.yml' file is used for Ansible Galaxy roles and collections, not for the internal Git repository; the internal collection is specified directly in the execution-environment.yml file under the 'git' source, so a missing requirements.yml is irrelevant.

31
MCQ · medium

An organization wants to share a collection internally across multiple teams while ensuring that each team can only use specific modules from the collection. Which approach best supports this requirement?

A. Use a single collection and annotate modules with metadata to restrict access.
B. Create separate collections for each team and publish them to the private Automation Hub.
C. Store the collection in a Git repository and use branch permissions to hide modules.
D. Publish a single collection with all modules and rely on documentation to indicate which modules are for which team.
Answer: B

Each team gets only the collections they need, enforcing access control.

Why this answer

Option B is correct because it uses separate collections published to a private Automation Hub, which allows each team to access only the specific collection containing the modules they need. This approach leverages Automation Hub's role-based access control (RBAC) to enforce team-specific permissions, ensuring that teams cannot see or use modules from other collections.

Exam trap

The trap here is that candidates may think metadata or documentation can enforce access control, but Ansible's native RBAC is tied to collections and namespaces in Automation Hub, not to individual modules within a collection.

How to eliminate wrong answers

Option A is wrong because annotating modules with metadata does not enforce access restrictions; metadata is for documentation or filtering, not for security or RBAC. Option C is wrong because Git branch permissions control access to the repository source code, not the modules within a collection; once the collection is built and installed, branch permissions have no effect on module visibility. Option D is wrong because relying on documentation does not prevent teams from accessing or using modules intended for other teams; there is no technical enforcement.

32
MCQ · easy

A DevOps team maintains an Ansible environment using execution environments. They have been using a local execution environment image named 'custom-ee:latest' built with ansible-builder. Recently, they updated the requirements.yml file to include a new collection from Automation Hub. They rebuilt the execution environment using ansible-builder and pushed it to their private registry as 'registry.internal/custom-ee:1.2'. However, when running ansible-navigator on a control node, it still uses the old local image and does not pull the updated one. The ansible-navigator configuration file (ansible-navigator.yml) specifies:

```yaml
execution-environment:
  image: registry.internal/custom-ee:1.2
  enabled: true
  pull:
    policy: tag
```

The control node has no prior local image with that tag. What is the most likely reason the new image is not being used?

A. The control node does not have network access to the registry, so it cannot pull the image and falls back to the local 'latest' image.
B. An environment variable such as ANSIBLE_NAVIGATOR_EXECUTION_ENVIRONMENT_IMAGE overrides the configuration file, pointing to the old image.
C. The pull policy 'tag' only pulls if the local image tag differs from the registry tag, and since the local image is 'latest', it compares to '1.2' and pulls, but something else prevents it.
D. The image was rebuilt with a different tag than '1.2', so the registry does not have that tag.
Answer: B

Correct: environment variables take precedence over configuration file settings, causing the old image to be used.

Why this answer

Option C is correct because environment variables override settings in ansible-navigator.yml. The ANSIBLE_NAVIGATOR_EXECUTION_ENVIRONMENT_IMAGE variable likely points to the old image tag. Option A is incorrect because 'tag' policy would pull if the tag differs from local, but no local image exists so it should pull.

Option B is a possible cause but would result in a pull failure, not using the old image. Option D is unlikely as the image was pushed with the correct tag.

33
Matching · medium

Match each firewall zone to its default behavior.

Matches

Default zone, untrusted network

Private network, slightly trusted

Demilitarized zone, limited access

All traffic accepted

All incoming packets dropped

Why these pairings

Common firewalld zones in RHEL.

34
MCQ · hard

An automation team is designing a content collection to distribute internal Ansible modules across the organization. The collection should be installed from a private Galaxy server. To minimize namespace conflicts and ensure discoverability, which naming convention should be used for the collection?

A. collection_name.namespace
B. namespace_collection_name
C. namespace-collection_name
D. namespace.collection_name
Answer: D

Standard Ansible Galaxy naming convention for collections.

Why this answer

In Ansible, collections are distributed using a fully qualified collection name (FQCN) in the format `namespace.collection_name`. This naming convention is required by the Ansible Galaxy server and the `ansible-galaxy collection install` command to uniquely identify and install collections, minimizing namespace conflicts and ensuring discoverability across the organization.

Exam trap

The trap here is that candidates may confuse the dot separator with other common naming conventions (like underscores or hyphens used in Python packages or Ansible roles), but Ansible collections strictly require the `namespace.collection_name` format with a dot.

How to eliminate wrong answers

Option A is wrong because `collection_name.namespace` reverses the required order; the namespace must come first, followed by a dot and then the collection name. Option B is wrong because `namespace_collection_name` uses an underscore separator, but Ansible collections require a dot (`.`) as the delimiter between namespace and collection name. Option C is wrong because `namespace-collection_name` uses a hyphen, which is not the correct separator; the dot is the only valid separator in Ansible's FQCN for collections.

35
MCQ · hard

You are an automation engineer at a large enterprise. The company uses Ansible Automation Platform 2.x and has a private Automation Hub server. The security team mandates that all execution environments must be built from a hardened base image that has been approved by the security team. The base image is stored in a private container registry at registry.internal.company.com/hardened-ee:latest. You need to create an execution environment that includes a custom collection 'company.tools' which is hosted on the private Automation Hub. Additionally, the execution environment must include the Python library 'cryptography' version 3.4.8. You have created the following files:

execution-environment.yml:

```yaml
---
version: 3
images:
  base_image:
    name: registry.internal.company.com/hardened-ee:latest
options:
  package_manager_path: /usr/bin/microdnf
dependencies:
  galaxy: requirements.yml
  python: requirements.txt
```

requirements.yml:

```yaml
---
collections:
  - name: company.tools
    source: https://automationhub.company.com/api/galaxy/content/private/
```

requirements.txt:

```
cryptography==3.4.8
```

When you run 'ansible-builder build -f execution-environment.yml', the build fails with an error: 'Error: Failed to resolve dependency cryptography==3.4.8'. Based on this scenario, what is the most likely cause of the failure?

A. The requirements.yml file has an incorrect source URL for the private Automation Hub.
B. The base image already includes cryptography but not version 3.4.8, causing a version conflict.
C. The execution-environment.yml is missing the 'system' dependency section for bindep.txt.
D. The package_manager_path should be /usr/bin/dnf instead of microdnf.
Answer: B

The pinned version may conflict with the base image's package, causing pip to fail.

Why this answer

Option B is correct because the error 'Failed to resolve dependency cryptography==3.4.8' indicates a version conflict with the Python cryptography library already present in the hardened base image. The base image likely includes a different version of cryptography, and pip cannot satisfy the pinned version constraint due to conflicts with the pre-installed package. Ansible Builder uses pip to install Python dependencies, and if the base image has a conflicting version, the build fails unless the dependency is unpinned or the base image is adjusted.

Exam trap

The trap here is that candidates often assume the error is due to a misconfigured Automation Hub URL or package manager path, but the specific pip error 'Failed to resolve dependency' points directly to a Python package version conflict with the base image, not to external repository or system package manager issues.

How to eliminate wrong answers

Option A is wrong because the source URL for the private Automation Hub is correctly formatted (https://automationhub.company.com/api/galaxy/content/private/) and would cause a different error (e.g., 'Failed to download collection') if incorrect, not a Python dependency resolution error. Option C is wrong because the 'system' dependency section for bindep.txt is optional and not required for Python library installation; its absence would not cause a pip dependency resolution failure. Option D is wrong because the package_manager_path is correctly set to /usr/bin/microdnf for Red Hat Universal Base Images (UBI) which use microdnf, and using dnf would cause a different error (e.g., 'command not found'), not a Python dependency conflict.

36
MCQ · easy

A user wants to use a collection from Automation Hub. Which command downloads and installs the collection to the default collections path?

A. ansible-pull collection install
B. ansible-playbook collection install
C. ansible-collection install
D. ansible-galaxy collection install
Answer: D

Correct command for installing collections.

Why this answer

The correct command to download and install a collection from Automation Hub to the default collections path is `ansible-galaxy collection install`. This command uses the `ansible-galaxy` utility, which is the standard tool for managing Ansible roles and collections, and the `collection install` subcommand specifically handles collection installation from configured sources like Automation Hub or Ansible Galaxy.

Exam trap

The trap here is that candidates confuse the `ansible-galaxy` command with other Ansible executables like `ansible-playbook` or `ansible-pull`, or assume a non-existent command like `ansible-collection` exists, because the exam tests precise knowledge of which tool handles collection management.

How to eliminate wrong answers

Option A is wrong because `ansible-pull` is used for pulling and applying playbooks from a repository in a reverse mode, not for installing collections; it does not have a `collection install` subcommand. Option B is wrong because `ansible-playbook` is used to execute playbooks, not to manage collections; it has no `collection install` subcommand. Option C is wrong because `ansible-collection` is not a valid Ansible command; the correct utility is `ansible-galaxy`.

37
MCQ · hard

What is the most likely cause of the build failure?

A. The base image already includes python3-devel, causing a conflict with the bindep.txt entry.
B. The package_manager_path should be /usr/bin/dnf.
C. The version field in execution-environment.yml is incorrect.
D. The base image name is misspelled.
Answer: A

ee-minimal images often include development packages; duplicate request fails.

Why this answer

The build failure is most likely caused by a conflict between the base image's pre-installed python3-devel package and the bindep.txt entry that also specifies python3-devel. In Ansible Builder, bindep.txt lists system packages to install via dnf, but if the base image already includes that package, the build process may fail due to duplicate or conflicting package manager operations, especially if the base image uses a different package version or repository configuration.

Exam trap

The trap here is that candidates assume all build failures are due to syntax errors or misspellings, but Red Hat often tests the nuance of package conflicts between the base image and bindep.txt, which is a common real-world issue in execution environment creation.

How to eliminate wrong answers

Option B is wrong because the package_manager_path should be /usr/bin/dnf only if the base image uses DNF; however, many execution environment base images (like the default ansible-runner) use microdnf or a different package manager, and the path is typically auto-detected by Ansible Builder. Option C is wrong because the version field in execution-environment.yml is optional and does not cause build failures; it is used for metadata and has no impact on package installation. Option D is wrong because a misspelled base image name would cause a pull error (e.g., 'image not found'), not a build failure related to package conflicts.

38
MCQ · hard

A DevOps engineer is creating an execution environment for a team that needs both Ansible and the 'requests' Python library. The engineer creates an execution environment definition file (EE.yml) with the following content:

```yaml
---
version: 3
images:
  base_image:
    name: registry.redhat.io/ansible-automation-platform-22/ee-minimal-rhel8:latest
options:
  package_manager_path: /usr/bin/microdnf
dependencies:
  python: requirements.txt
  system: bindep.txt
```

What is missing from this definition to ensure the 'requests' library is installed?

A. The package_manager_path should be /usr/bin/yum.
B. The requirements.txt file must contain 'requests'.
C. The galaxy.yml file must be added to the dependencies section.
D. The base image should be ee-supported-rhel8 instead.
Answer: B

The requirements.txt file is referenced but the content is not shown; it must list requests.

Why this answer

The execution environment definition file (EE.yml) specifies dependencies via external files like requirements.txt for Python packages. To install the 'requests' library, the requirements.txt file must explicitly list 'requests' as a dependency. Without it, the build process will not include the library, regardless of other configuration options.

Exam trap

The trap here is that candidates may focus on the package manager or base image details, overlooking that the Python dependency must be explicitly declared in the requirements.txt file referenced by the definition.

How to eliminate wrong answers

Option A is wrong because the package_manager_path is correctly set to /usr/bin/microdnf for the specified RHEL 8 base image, which uses microdnf as its package manager; changing it to /usr/bin/yum would be incorrect. Option C is wrong because the galaxy.yml file is used for Ansible Galaxy content collections, not for Python package dependencies like 'requests'. Option D is wrong because the base image 'ee-minimal-rhel8' is appropriate for this execution environment; 'ee-supported-rhel8' is not a standard Red Hat image name and would not resolve the missing Python dependency.

39
MCQ · medium

An organization uses custom Ansible plugins stored in a collection. A junior admin reports that after updating the collection to version 2.0.0, a playbook that uses a custom filter plugin fails with 'undefined filter'. What is the most likely cause?

A. The playbook uses an outdated syntax that is incompatible with the new collection.
B. The filter plugin was placed in the wrong directory inside the collection.
C. The playbook does not use the fully qualified collection name (FQCN) for the filter.
D. The collection's metadata file galaxy.yml is missing a dependency declaration.
Answer: B

Filter plugins must reside in plugins/filter/ directory.

Why this answer

In Ansible collections, filter plugins must reside in the `plugins/filter/` directory within the collection structure. If the plugin is placed in the wrong directory (e.g., `plugins/modules/` or `plugins/lookup/`), Ansible will not load it as a filter, resulting in an 'undefined filter' error. The collection update to version 2.0.0 likely reorganized the directory structure, causing the filter to be misplaced.

Exam trap

The trap here is that candidates often assume the error is due to syntax or naming (FQCN), but the core issue is the strict directory structure requirement for Ansible plugin loading, which is a fundamental concept in collection development.

How to eliminate wrong answers

Option A is wrong because an outdated syntax would typically cause a syntax error or deprecation warning, not an 'undefined filter' error specific to a missing plugin. Option C is wrong because while FQCN is recommended for clarity, omitting it does not cause 'undefined filter' if the filter is correctly placed and the collection is in the search path; Ansible will still resolve short names if the collection is listed in the playbook's `collections` directive. Option D is wrong because a missing dependency in `galaxy.yml` affects installation of dependent collections, not the loading of a filter plugin within the same collection.

40
MCQ · medium

Your team maintains a collection that includes custom modules and plugins. You have been tasked with creating a content collection that adheres to the Red Hat Ansible Content Collection requirements. You have created the directory structure and written the collection code. Now you need to package the collection for distribution to your internal automation hub. You run 'ansible-galaxy collection build' and it completes successfully, generating a tarball. However, when you try to publish it to your private automation hub using 'ansible-galaxy collection publish', you get an authentication error. You have verified that your automation hub server URL and API token are correct. What is the most likely cause of the error?

A. The automation hub server is not reachable from your network.
B. The collection tarball is corrupted and needs to be rebuilt.
C. The collection contains a module that violates a content policy enforced by the hub.
D. The 'namespace' or 'name' in galaxy.yml does not match the namespace you are allowed to publish to on the automation hub.
Answer: D

Correct. The publish command checks if the token has permission to write to the specified namespace.

Why this answer

The authentication error despite correct server URL and API token indicates that the issue is not with credentials or connectivity, but with authorization. Ansible Automation Hub enforces namespace-based access control: the `namespace` field in `galaxy.yml` must match a namespace you are permitted to publish to. If the namespace does not match, the hub rejects the upload with an authentication/authorization error, even though the token itself is valid.

Exam trap

The trap here is that candidates assume any error during `publish` with a valid token must be a network or credential issue, overlooking the namespace authorization check that Ansible Automation Hub performs before allowing upload.

How to eliminate wrong answers

Option A is wrong because the user verified the server URL is correct, and a connectivity issue would typically produce a timeout or connection refused error, not an authentication error. Option B is wrong because the `ansible-galaxy collection build` command completed successfully, which includes integrity checks; a corrupted tarball would likely cause a build failure or a checksum mismatch during upload, not an authentication error. Option C is wrong because content policy violations (e.g., disallowed modules) would result in a policy rejection error message, not an authentication error — the hub would accept the token but refuse the content based on policy rules.

41
Multi-Select · medium

Which THREE files are commonly used when building an execution environment with ansible-builder?

Select 3 answers
A. bindep.txt
B. ansible.cfg
C. galaxy.yml
D. execution-environment.yml
E. requirements.txt
Answers: A, D, E

Lists system-level package dependencies.

Why this answer

Option A is correct because `bindep.txt` is one of the three files that `ansible-builder` uses by default to define system-level package dependencies (e.g., `libffi-devel`, `python3-devel`) that must be installed in the execution environment image. Along with `execution-environment.yml` (the main recipe file) and `requirements.txt` (Python package dependencies), `bindep.txt` is automatically consumed during the build process to ensure the container has the necessary OS packages.

Exam trap

Red Hat often tests the misconception that `ansible.cfg` is part of the execution environment build process, but it is only used at runtime by Ansible, not by `ansible-builder` to construct the container image.

42
MCQ · easy

An Ansible developer needs to use the `podman_container` module in a playbook. The module is part of the `containers.podman` collection. Which command must be run first to make the module available?

A. `ansible-galaxy install containers.podman`
B. `ansible-galaxy collection install containers.podman`
C. `ansible-galaxy collection search containers.podman`
D. `ansible-galaxy collection install containers.podman:1.0.0`
Answer: B

Installs the collection from Galaxy or Automation Hub.

Why this answer

The `podman_container` module is part of the `containers.podman` collection, which must be installed from Ansible Galaxy before it can be used in a playbook. The correct command is `ansible-galaxy collection install containers.podman`, which downloads and installs the collection into the local collections path, making all its modules and plugins available.

Exam trap

The trap here is that candidates may confuse `ansible-galaxy install` (for roles) with `ansible-galaxy collection install` (for collections), or mistakenly think that searching for a collection makes it available for use.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy install` is used for installing roles, not collections; collections require the `collection` subcommand. Option C is wrong because `ansible-galaxy collection search` only searches for collections in Galaxy but does not install them, so the module would remain unavailable. Option D is wrong because while it specifies a version (`1.0.0`), the question does not require a specific version; the generic install command is sufficient, and pinning an arbitrary version may cause compatibility issues or fail if that version does not exist.

43
MCQ · medium

An organization wants to include custom Python packages in their execution environment to support custom modules. Which method should be used to define these Python dependencies?

A. List them in the `galaxy-requirements.yml` file.
B. Use `ansible-navigator` to install them during runtime.
C. Create a `requirements.txt` file and reference it in the `execution-environment.yml` under `dependencies: python:`.
D. Add them to the `collection-requirements.yml` file.
Answer: C

Correct method to define Python dependencies for the execution environment build.

Why this answer

Option C is correct because the `execution-environment.yml` file supports a `dependencies` key with a `python` subkey that points to a `requirements.txt` file. This is the standard method defined by the Ansible Builder specification for including custom Python packages in an execution environment, ensuring they are installed during the build process.

Exam trap

The trap here is that candidates confuse the file used for Ansible collections (`galaxy-requirements.yml` or `collection-requirements.yml`) with the file used for Python dependencies, leading them to pick options A or D instead of recognizing the correct `execution-environment.yml` structure.

How to eliminate wrong answers

Option A is wrong because `galaxy-requirements.yml` is used to specify Ansible Galaxy content collections, not Python packages. Option B is wrong because `ansible-navigator` is a runtime tool for running execution environments, not for installing dependencies during the build; Python dependencies must be defined at build time. Option D is wrong because `collection-requirements.yml` is another name for a file that lists Ansible collections, not Python packages.

44
Multi-Select · medium

Which TWO of the following are required in a valid Ansible collection directory structure?

Select 2 answers
A. `tests/` directory
B. `galaxy.yml` file
C. `docs/` directory
D. `plugins/` directory
E. `roles/` directory
Answers: B, D

Required metadata file for collections.

Why this answer

The `galaxy.yml` file is mandatory in a valid Ansible collection directory structure because it serves as the metadata file that defines the collection's name, version, author, and dependencies. Without this file, the collection cannot be properly built, published, or installed via `ansible-galaxy`. It is the equivalent of a package manifest for the collection.

Exam trap

The trap here is that candidates often assume `roles/` or `tests/` are mandatory because they are common in many collections, but the EX294 exam specifically tests the minimal required structure as defined by the Ansible documentation, which only mandates `galaxy.yml` and `plugins/`.

45
Multi-Select · hard

A system administrator is troubleshooting an execution environment that fails to build. The error indicates that a required collection cannot be found. Which THREE of the following actions could resolve the issue?

Select 3 answers
A. Verify that the collection is listed in the 'dependencies' section of the execution-environment.yml under 'galaxy'.
B. Add the collection to the 'additional_build_steps' section with a manual 'ansible-galaxy collection install' command.
C. Include the collection in the 'build_ignore' list to skip it.
D. Change the base image to one that includes the collection pre-installed.
E. Ensure that the collection is published to a configured Galaxy server and that authentication is correct.
Answers: A, D, E

Correct. The builder needs to know which collections to install.

Why this answer

Option A is correct because the 'dependencies' section under 'galaxy' in the execution-environment.yml file is the standard mechanism for declaring required Ansible collections. When the execution environment is built, ansible-builder reads this section and automatically installs the listed collections from the configured Galaxy server. If a required collection is missing, verifying its presence in this section ensures it will be included in the build.

Exam trap

Red Hat often tests the misconception that 'build_ignore' can be used to skip problematic collections, but in reality it only excludes files from the build context and does not affect dependency resolution.

46
MCQ · hard

Ansible Builder fails during the build of an execution environment with error: 'No matching manifest for linux/amd64 in the manifest list entries'. What is the most likely cause?

A. The ansible-builder version is too old.
B. The definition file has invalid syntax.
C. The container registry requires authentication.
D. The base image specified is incompatible with the host architecture.
Answer: D

The error 'No matching manifest for linux/amd64' indicates the base image does not support the build host's architecture.

Why this answer

Option D is correct because the error 'No matching manifest for linux/amd64 in the manifest list entries' indicates that the base image specified in the execution environment definition file does not have a container image manifest for the host's CPU architecture (linux/amd64). Ansible Builder pulls the base image from a registry, and if that image only supports other architectures (e.g., linux/arm64), the build fails. This is a common issue when using a base image built for a different platform.

Exam trap

Red Hat often tests the misconception that registry authentication or syntax errors cause all build failures, but here the specific manifest list error is a clear indicator of an architecture mismatch, not a credential or syntax problem.

How to eliminate wrong answers

Option A is wrong because an outdated ansible-builder version would not cause this specific manifest mismatch error; it might cause other build failures or deprecation warnings, but the error is architecture-related. Option B is wrong because invalid syntax in the definition file typically results in YAML parsing errors or missing key errors, not a manifest list mismatch. Option C is wrong because registry authentication failures produce errors like 'unauthorized: authentication required' or 'denied: requested access to the resource is denied', not a manifest architecture mismatch.

47
Multi-Select · hard

An administrator needs to create a custom execution environment that includes a specific Ansible collection and a Python package. Which two steps are required to build and use the execution environment? (Choose two.)

Select 2 answers
A. Create a Dockerfile that installs the collection and package.
B. Define the execution environment in ansible.cfg.
C. Build the execution environment using ansible-builder.
D. Push the execution environment to a private container registry.
E. Create a requirements.yml file listing the collection.
Answers: C, E

Correct: ansible-builder builds a container image from the execution environment definition.

Why this answer

Options C and E are correct. Creating a requirements.yml file that lists the collection (E) and then building the execution environment with ansible-builder (C) are required. Option A is not needed because ansible-builder uses a definition file, not a Dockerfile directly.

Option D is optional: pushing to a registry helps with sharing but is not required to use the image locally. Option B is wrong because the execution environment is configured in the ansible-navigator configuration, not in ansible.cfg.

48
MCQ · medium

An organization's execution environment must include a custom RPM that is not in the default base image. How should this be added in the execution-environment.yml?

A. Add the RPM to the 'dependencies' section under 'system'.
B. Add the RPM to the 'dependencies' section under 'python'.
C. Use a 'prepended_base' directive.
D. Use a custom base image that includes the RPM.
Answer: A

System RPMs are declared under 'system'.

Why this answer

In an execution-environment.yml file, custom RPM packages that are not part of the default base image must be listed under the 'dependencies' section with the 'system' key. This instructs ansible-builder to install those RPMs using the system package manager (e.g., dnf or yum) during the build process, ensuring the execution environment includes the required system-level libraries or tools.

Exam trap

The trap here is that candidates often confuse the 'system' and 'python' dependency sections, mistakenly thinking RPMs can be added under 'python' because both are under 'dependencies', but 'python' is strictly for pip-installable packages.

How to eliminate wrong answers

Option B is wrong because the 'python' key under 'dependencies' is used for Python packages (e.g., pip install), not for RPM packages. Option C is wrong because there is no 'prepended_base' directive in execution-environment.yml; the correct way to modify the base image is through the 'base_image' field or by adding dependencies. Option D is wrong because while using a custom base image that includes the RPM is a valid approach, the question specifically asks how to add it in the execution-environment.yml file, and the correct method is to list it under 'dependencies: system' rather than building a separate custom base image.

49
MCQ · hard

A developer is building an execution environment using `ansible-builder` and encounters the error: 'Error: Failed to pull base image: manifest for registry.redhat.io/ansible-automation-platform/ansible-builder-rhel8:2.0.0 not found: manifest unknown.' The developer checks the registry and verifies that the image exists with a different tag. Which action should the developer take to resolve the issue?

A. Change the tag in `execution-environment.yml` to a valid tag, such as 'latest'.
B. Run `podman login registry.redhat.io` to authenticate.
C. Modify the `execution-environment.yml` to use a different base image from Docker Hub.
D. Update the container runtime to the latest version.
Answer: A

Using a valid tag resolves the 'manifest not found' error.

Why this answer

Option A is correct because the error indicates the specified tag '2.0.0' does not exist in the registry. The developer confirmed the image exists with a different tag, so updating the tag in `execution-environment.yml` to a valid one, such as 'latest', resolves the manifest lookup failure. `ansible-builder` uses this file to define the base image and tag for building the execution environment.

Exam trap

The trap here is that candidates may confuse a tag-not-found error with an authentication issue (Option B) or assume a broader infrastructure problem (Option D), when the fix is a straightforward tag correction in the configuration file.

How to eliminate wrong answers

Option B is wrong because the error is about a missing manifest for a specific tag, not an authentication failure; `podman login` would not fix a non-existent tag. Option C is wrong because changing the base image to a different registry (e.g., Docker Hub) is unnecessary and may break compatibility with Red Hat Ansible Automation Platform requirements; the issue is only the tag. Option D is wrong because the container runtime version is irrelevant to a tag lookup failure; the error is purely about the image tag not being found in the registry.

50
MCQ · easy

Which directory is the default location for installed Ansible collections on a control node for a regular user?

A. ~/.ansible/collections
B. /usr/share/ansible/collections
C. /etc/ansible/collections
D. /opt/ansible/collections
Answer: A

Default user-level collections path.

Why this answer

For a regular (non-root) user on an Ansible control node, the default location for installed collections is `~/.ansible/collections`. This is defined by Ansible's default collection search path, which includes the user's home directory under `~/.ansible/collections` for user-level installations. When a user runs `ansible-galaxy collection install` without specifying a custom path, the collection is placed in this directory by default.

Exam trap

The trap here is that candidates often confuse the system-wide default (`/usr/share/ansible/collections`) with the user-level default, forgetting that regular users lack write permissions to system directories and that Ansible defaults to the home directory for non-root installations.

How to eliminate wrong answers

Option B is wrong because `/usr/share/ansible/collections` is the default location for system-wide (root) collection installations, not for a regular user. Option C is wrong because `/etc/ansible/collections` is not a standard default path for collections; `/etc/ansible/` is typically used for configuration files like `ansible.cfg` and `hosts`, not collections. Option D is wrong because `/opt/ansible/collections` is not a default Ansible collection path; it might be used in custom setups but is not the default for any user level.

51
MCQ · hard

A team develops an Ansible collection and wants to distribute it internally. They have a private Automation Hub. Which approach best ensures that collection dependencies from external sources are also available?

A. Manually install each dependency on the control node
B. Define a requirements.yml in the execution environment that references both the private hub and external sources
C. Include all dependencies directly in the collection's repository
D. Use ansible-galaxy collection download and then upload to private hub
Answer: B

This ensures all dependencies are available from trusted sources.

Why this answer

Option B is correct because defining a `requirements.yml` in the execution environment allows you to specify collections from both the private Automation Hub and external sources (e.g., Ansible Galaxy). When building the execution environment, `ansible-builder` processes this file and resolves dependencies from the listed sources, ensuring all required collections are bundled into the container image. This approach automates dependency management and avoids manual installation or repository bloat.

Exam trap

The trap here is that candidates often assume dependencies must be manually installed or bundled directly, missing the fact that `requirements.yml` in the execution environment context is the standard way to aggregate collections from multiple sources automatically.

How to eliminate wrong answers

Option A is wrong because manually installing each dependency on the control node is error-prone, not scalable, and does not ensure dependencies are available in the execution environment or to other team members. Option C is wrong because including all dependencies directly in the collection's repository violates best practices—collections should declare dependencies in `galaxy.yml` or `requirements.yml`, not bundle them, as this leads to repository bloat and version conflicts. Option D is wrong because `ansible-galaxy collection download` only downloads collections for offline use; uploading them to the private hub does not automatically resolve dependencies from external sources unless those dependencies are also downloaded and uploaded, which is not guaranteed by this approach.

52
MCQ · medium

A developer wants to create a new collection named 'myutils' under namespace 'myorg'. Which command initializes the collection structure?

A. ansible-galaxy collection scaffold myorg.myutils
B. ansible-galaxy collection create myorg.myutils
C. ansible-galaxy collection new myorg.myutils
D. ansible-galaxy collection init myorg.myutils
Answer: D

Correct command to initialize a collection.

Why this answer

The correct command to initialize a new Ansible collection structure is `ansible-galaxy collection init <namespace.collection>`. This creates the required directory layout, including `galaxy.yml`, `README.md`, and subdirectories like `roles/`, `playbooks/`, and `plugins/`. Option D matches this syntax exactly.

Exam trap

The trap here is that candidates confuse role scaffolding commands (`ansible-galaxy init` or `ansible-galaxy role init`) with collection initialization, and mistakenly apply verbs like `scaffold`, `create`, or `new` which are not valid for collections.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy collection scaffold` is not a valid subcommand; `scaffold` is used for roles, not collections. Option B is wrong because `ansible-galaxy collection create` is not a valid subcommand; the correct verb is `init`. Option C is wrong because `ansible-galaxy collection new` is not a valid subcommand; `new` is used for roles, not collections.

53
Multi-Select · easy

Which TWO actions are required to use a private Automation Hub to share collections?

Select 2 answers
A. Configure the server in ansible.cfg under [galaxy] server_list.
B. Build a custom execution environment that includes the collections.
C. Run ansible-galaxy collection install --ignore-certs if using self-signed certs.
D. Use ansible-navigator with --pull-policy missing.
E. Create an API token and store it in ansible.cfg or environment variable.
Answers: A, E

Required to point to the private hub.

Why this answer

Option A is correct because to use a private Automation Hub, you must configure the server in ansible.cfg under the [galaxy] section with a server_list entry. This tells ansible-galaxy where to find the private hub, allowing you to install collections from it instead of the default public Galaxy server.

Exam trap

The trap here is that candidates confuse optional steps (like building execution environments or ignoring certs) with required actions, or they overlook that both server configuration and API token authentication are mandatory for accessing a private Automation Hub.

54
MCQ · hard

During a collection development, a developer wants to include a Python dependency that is not available in the base image of the execution environment. Where should this dependency be declared?

A. In the execution-environment.yml under 'dependencies' -> 'python'
B. In the collection's requirements.yml under 'python'
C. In the collection's galaxy.yml under 'dependencies'
D. In the collection's meta/runtime.yml under 'python_dependencies'
Answer: A

Correct location for Python dependencies needed in the EE.

Why this answer

In Ansible execution environments, Python dependencies that are not part of the base image must be declared in the `execution-environment.yml` file under the `dependencies` key, specifically within the `python` subkey. This file is used by `ansible-builder` to build a custom container image that includes those additional Python packages. The base image already contains a standard set of Python libraries, but any extra ones needed by a collection must be explicitly listed here to be installed during the build process.

Exam trap

Red Hat often tests the distinction between files used for building execution environments (`execution-environment.yml`) versus files used for publishing or runtime metadata (`galaxy.yml`, `meta/runtime.yml`), causing candidates to confuse where Python dependencies should be declared.

How to eliminate wrong answers

Option B is wrong because `requirements.yml` is used for Ansible collections or roles, not for Python dependencies; it does not support a `python` key for pip packages. Option C is wrong because `galaxy.yml` is a metadata file for publishing collections to Ansible Galaxy, not for declaring runtime dependencies for execution environments. Option D is wrong because `meta/runtime.yml` defines Ansible runtime behavior like action groups or module deprecations, not Python package dependencies.

55
MCQ · easy

A user wants to build an execution environment from a definition file. Which command is used?

A. ansible-playbook build -i ee.yml
B. ansible-builder build -f execution-environment.yml
C. ansible-execution-environment build -f ee.yml
D. ansible-galaxy build execution-environment.yml
Answer: B

Correct command for building an EE.

Why this answer

The `ansible-builder build` command is the correct tool for building an Ansible execution environment from a definition file. The `-f` flag specifies the path to the `execution-environment.yml` file, which defines the base image, required collections, and system dependencies for the containerized environment.

Exam trap

The trap here is that candidates confuse `ansible-builder` with `ansible-galaxy` or `ansible-playbook`, mistakenly thinking that building an execution environment uses the same command as building a collection or running a playbook.

How to eliminate wrong answers

Option A is wrong because `ansible-playbook` is used to run playbooks, not to build execution environments; there is no `build` subcommand for `ansible-playbook`. Option C is wrong because `ansible-execution-environment` is not a valid Ansible command; the correct command is `ansible-builder`. Option D is wrong because `ansible-galaxy build` is used to build a collection from a `galaxy.yml` file, not an execution environment from an `execution-environment.yml` file.

56
MCQ · medium

Refer to the exhibit. An administrator has configured ansible.cfg as shown. Which command will successfully install the 'community.general' collection from this server?

A. ansible-galaxy collection install community.general --server=https://galaxy.ansible.com
B. ansible-galaxy collection install community.general
C. ansible-galaxy collection install community.general --ignore-certs
D. ansible-galaxy collection install community.general --force-with-deps
Answer: B

Uses the configured server.

Why this answer

Option B is correct because the ansible.cfg file shown in the exhibit sets the `server` key under the `[galaxy]` section to a custom server URL (e.g., `https://private-galaxy.example.com`). When no `--server` flag is provided, `ansible-galaxy collection install` automatically uses the server defined in `ansible.cfg`. Therefore, the simple command `ansible-galaxy collection install community.general` will install the collection from the configured private server.

Exam trap

The trap here is that candidates may think they must specify the `--server` flag to point to a custom server, forgetting that `ansible.cfg` already defines the server, making the flag redundant and potentially counterproductive.

How to eliminate wrong answers

Option A is wrong because it explicitly overrides the configured server with `--server=https://galaxy.ansible.com`, which defeats the purpose of the custom server defined in ansible.cfg. Option C is wrong because `--ignore-certs` disables SSL certificate verification, which is unnecessary and insecure unless the server uses a self-signed certificate; the question does not indicate any certificate issue. Option D is wrong because `--force-with-deps` forces reinstallation of the collection and its dependencies, which is not required for a successful first-time installation and could overwrite existing collections unnecessarily.

57
MCQ · medium

Your organization is migrating from manually maintained control nodes to using execution environments. You have created an execution environment that includes all necessary collections and Python dependencies. You want to ensure that developers use this execution environment when running playbooks. You have configured ansible-navigator on their workstations. However, some developers report that when they run a playbook, it uses the local installation of Ansible instead of the execution environment. What should you check first?

A. Confirm that the developers have installed ansible-builder locally.
B. Ensure that the developers are using the 'ansible-navigator run' command instead of 'ansible-playbook'.
C. Verify that the ansible-navigator configuration file points to the correct execution environment image.
D. Check that the execution environment container is running on the developers' machines.
Answer: B

Correct. ansible-navigator is the tool to run playbooks inside the execution environment.

Why this answer

The correct answer is B because `ansible-navigator` is the CLI tool designed to run Ansible inside an execution environment. If developers run `ansible-playbook` directly, it uses the locally installed Ansible, bypassing the execution environment entirely. The question states that `ansible-navigator` is configured on their workstations, but the developers must use the `ansible-navigator run` subcommand to invoke playbooks within the containerized environment.

Exam trap

The trap here is that candidates often focus on configuration details (like the image path in the config file) or container status, missing the fundamental point that the command itself (`ansible-playbook` vs `ansible-navigator run`) determines whether the execution environment is used.

How to eliminate wrong answers

Option A is wrong because `ansible-builder` is used to build execution environment images, not to run playbooks; its absence does not affect whether a playbook runs locally or in an execution environment. Option C is wrong because while the configuration file pointing to the correct image is important, the primary issue is that developers are using the wrong command (`ansible-playbook`), which ignores the execution environment entirely regardless of the configuration. Option D is wrong because the execution environment container does not need to be running continuously; `ansible-navigator run` pulls and starts the container on demand, so checking if it is running is irrelevant to the reported problem.

58
MCQ · easy

A developer wants to create a new Ansible collection from a skeleton template. Which command should be used?

A. `ansible-galaxy collection generate my_namespace.my_collection`
B. `ansible-galaxy collection create my_namespace.my_collection`
C. `ansible-galaxy collection start my_namespace.my_collection`
D. `ansible-galaxy collection init my_namespace.my_collection`
Answer: D

Correct command to initialize a collection skeleton.

Why this answer

The correct command is `ansible-galaxy collection init my_namespace.my_collection`, which creates a new collection skeleton with the required directory structure and metadata files. This is the official Ansible command for bootstrapping a collection from a template.

Exam trap

The trap here is that candidates often confuse the `ansible-galaxy` subcommands for roles (`init` for roles) with those for collections, or they misremember the verb as `create` or `generate`, which are not valid for collection initialization.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy collection generate` is not a valid subcommand; the correct verb is `init`. Option B is wrong because `ansible-galaxy collection create` does not exist; `create` is used for roles, not collections. Option C is wrong because `ansible-galaxy collection start` is not a valid Ansible command; `start` is not a recognized subcommand for collections.

59
MCQ · hard

A user runs the commands shown in the exhibit. The execution environment (EE) builds successfully but the playbook run fails with the error. What is the most likely cause?

A. The collections_path in ansible.cfg points to a non-existent directory.
B. The execution environment image tag is incorrect.
C. The --pp never flag prevents the EE from being pulled.
D. The collection 'community.general' was not included in the execution environment definition file.
Answer: D

Correct: The execution-environment.yml only sets build args, but does not list collections to install. Without a 'galaxy' section or requirements.yml, collections are not added to the EE.

Why this answer

The error indicates that the playbook requires the 'community.general' collection, which is not available in the execution environment. Since the EE builds successfully but the playbook fails, the most likely cause is that the collection was omitted from the execution environment definition file (e.g., execution-environment.yml or requirements.yml). Without it, the collection is not installed in the EE, causing the playbook to fail at runtime.

Exam trap

Cisco often tests the distinction between a successful EE build and a runtime collection error, tricking candidates into thinking the build success implies all dependencies are present.

How to eliminate wrong answers

Option A is wrong because if collections_path pointed to a non-existent directory, the error would occur during the EE build or playbook execution with a path-related error, not a missing collection error. Option B is wrong because the EE builds successfully, so the image tag is correct; an incorrect tag would cause a build failure or pull error. Option C is wrong because the --pp never flag (if valid) would prevent pulling the EE image, but the EE builds successfully, meaning the image is already present or built locally; the flag does not affect collection availability.

60
MCQ · easy

A developer has created a collection and needs to publish it to a private Automation Hub. Which command should be used to upload the collection archive?

A. `ansible-galaxy collection server upload ./tar.gz`
B. `ansible-galaxy collection publish ./my-namespace-my_collection-1.0.0.tar.gz`
C. `ansible-galaxy role import my-namespace my_collection`
D. `ansible-galaxy collection upload ./my-namespace-my_collection-1.0.0.tar.gz`
Answer: B

Correct command to publish a collection archive.

Why this answer

The correct command to upload a collection archive to a private Automation Hub is `ansible-galaxy collection publish ./my-namespace-my_collection-1.0.0.tar.gz`. This command authenticates to the configured Automation Hub server (as defined in `ansible.cfg` or the `--server` flag) and publishes the tarball, making it available for other users to install. The `publish` subcommand is specifically designed for this purpose, handling the API call to the Galaxy or Automation Hub server.

Exam trap

The trap here is that candidates confuse the `publish` subcommand with `upload` or `import`, or mistakenly use the `role import` command which is for roles, not collections, leading them to choose a plausible-sounding but invalid option.

How to eliminate wrong answers

Option A is wrong because `ansible-galaxy collection server upload` is not a valid subcommand; the correct subcommand is `publish`, and the syntax `./tar.gz` is a placeholder, not a valid filename. Option C is wrong because `ansible-galaxy role import` is used for importing roles from a source control URL (like GitHub) to Galaxy, not for uploading a collection archive to a private Automation Hub. Option D is wrong because `ansible-galaxy collection upload` is not a valid subcommand; the correct subcommand is `publish`, and the filename format `./my-namespace-my_collection-1.0.0.tar.gz` is correct but the verb is incorrect.

61
MCQ · medium

Refer to the exhibit. A user runs ansible-runner with --container-image localhost/ee-30:latest and receives the error shown. What is the most likely cause?

A. The container image tag is incorrect.
B. The ansible-runner process does not have network access.
C. The execution environment is not listed in the project's execution-environment.yml.
D. The container image has not been pulled or built locally.
Answer: D

The error says 'defined in the local container registry', meaning the image is missing locally.

Why this answer

The error indicates that the container image `localhost/ee-30:latest` is not available locally. The `--container-image` flag tells ansible-runner to use a specific execution environment image, but if that image has not been pulled from a registry or built locally, the container runtime (e.g., Podman or Docker) cannot find it. Option D is correct because the image must exist in the local container storage before ansible-runner can launch it.

Exam trap

Red Hat often tests the distinction between local image availability and network access, leading candidates to incorrectly assume that ansible-runner automatically pulls missing images when it does not by default.

How to eliminate wrong answers

Option A is wrong because the tag `latest` is valid and the error does not mention an invalid tag format; a missing image error would occur regardless of tag correctness if the image is not present. Option B is wrong because the error message indicates the image is not found locally, not that network access is blocked; ansible-runner does not attempt to pull the image when `--container-image` is used unless `--container-option` or `--container-pull` is explicitly set. Option C is wrong because the execution-environment.yml file is used by Automation Controller (formerly Ansible Tower) to define execution environments for job templates, not by the `ansible-runner` command-line tool; ansible-runner directly uses the image specified via `--container-image`.

62
Multi-Select · medium

An Ansible content creator wants to ensure that a collection is properly structured and meets Red Hat's best practices. Which TWO of the following are required files in a valid Ansible collection structure?

Select 2 answers
A. meta/runtime.yml
B. galaxy.yml
C. plugins/README.md
D. requirements.yml
E. roles/requirements.yml
Answers: A, B

Correct. This file is required to specify Ansible version compatibility and runtime features.

Why this answer

A is correct because `meta/runtime.yml` is a required file in a valid Ansible collection structure. It defines the collection's runtime dependencies, such as minimum Ansible version and action group mappings, ensuring the collection is compatible with the Ansible runtime environment. B is correct because `galaxy.yml` is the mandatory metadata file that describes the collection's name, version, authors, and other essential information, and it is required for publishing to Ansible Galaxy or Automation Hub.

Exam trap

The trap here is that candidates often confuse optional documentation files (like `plugins/README.md`) or dependency files (like `requirements.yml`) with the strictly required structural files (`galaxy.yml` and `meta/runtime.yml`), leading them to select non-mandatory options.

63
MCQ · easy

You are responsible for maintaining a team of 10 Ansible developers. They all rely on a shared collection stored in a private Git repository. Recently, multiple developers reported that their playbooks are failing because they have different versions of the collection installed locally. You decide to standardize the environment by creating a consistent Ansible execution environment. You have a base image of Red Hat Enterprise Linux 8.6, and you need to include the collection from the Git repository. Additionally, the execution environment should be rebuilt automatically whenever the collection is updated. Which approach should you take?

A. Use ansible-navigator to run the playbooks directly from the Git repository without building an execution environment.
B. Write an execution-environment.yml that specifies the base image and uses the 'git' option under 'dependencies' to pull the latest collection from the Git repo, then configure a webhook to rebuild the image on each push.
C. Create a requirements.yml file for the developers to install the collection manually on their local machines.
D. Build the execution environment once using ansible-builder and distribute the resulting container image to all developers manually.
Answer: B

Correct. This ensures a consistent, automatically updated execution environment.

Why this answer

Option B is correct because it uses an execution-environment.yml file with the 'git' option under 'dependencies' to pull the collection directly from the private Git repository during the image build process. This ensures that every build includes the latest version of the collection, and by configuring a webhook (e.g., from GitLab or GitHub) to trigger a rebuild on each push, the environment is automatically standardized across all developers. This approach directly addresses the version inconsistency problem by creating a consistent, version-controlled execution environment.

Exam trap

The trap here is that candidates may confuse running playbooks directly from a Git repo (Option A) with building a consistent execution environment, or they may think manual distribution (Option D) is sufficient without considering the need for automatic updates triggered by collection changes.

How to eliminate wrong answers

Option A is wrong because ansible-navigator can run playbooks from a Git repository, but it does not create a consistent execution environment—it relies on the local system's Python and Ansible installation, which does not solve the version mismatch issue across developers. Option C is wrong because creating a requirements.yml file for manual installation does not standardize the environment; it still allows developers to have different versions or miss updates, leading to the same inconsistency. Option D is wrong because building the execution environment once and distributing the image manually does not provide automatic rebuilds when the collection is updated; it requires manual intervention and redistribution, which is inefficient and error-prone.

64
MCQ · medium

An execution environment fails to start because the container image is missing the ansible-runner package. Which step in the build process should have included it?

A. The ansible-runner role in the builder definition
B. The base image selection in execution-environment.yml
C. The requirement to install ansible-runner via pip in the containerfile
D. The additional_dependencies section in execution-environment.yml
Answer: B

The base image (e.g., ee-29-rhel8) includes ansible-runner and ansible-core; using a minimal base may omit it.

Why this answer

Option B is correct because the base image specified in the `execution-environment.yml` file determines the foundational operating system and packages for the execution environment. If the base image lacks `ansible-runner`, the environment will fail to start, as `ansible-runner` is essential for orchestrating playbook execution. The base image selection is the first step in the build process where this dependency must be satisfied.

Exam trap

The trap here is that candidates confuse the `additional_dependencies` section (which adds packages after the base image) with the base image selection step, thinking that any missing package can be fixed later, but the base image must provide the core `ansible-runner` package for the environment to even start building correctly.

How to eliminate wrong answers

Option A is wrong because the `ansible-runner` role in the builder definition is used to configure the execution environment after the base image is selected, not to include the `ansible-runner` package itself; the role assumes the package is already present. Option C is wrong because installing `ansible-runner` via pip in the Containerfile is a valid method, but the question asks which step in the build process should have included it—the base image selection is the step that determines if `ansible-runner` is available, and pip installation is a subsequent step that could be used if the base image lacks it. Option D is wrong because the `additional_dependencies` section in `execution-environment.yml` is for adding extra packages via `dnf` or `pip`, but it is not the step that should have included `ansible-runner`; the base image selection is the primary step, and `additional_dependencies` is a fallback for missing packages, not the intended step.

65
MCQ · hard

A team is setting up an Ansible execution environment that requires a specific version of a Python library that is not available in the default base image. The team wants to minimize the size of the final container. Which approach should they take in the execution-environment.yml file?

A. Use the 'additional_build_steps' key to add a RUN command that installs the library via pip.
B. Use the 'base_image' key to point to a custom image that already contains the library.
C. Use the 'dependencies' key with 'python' to specify the library and version.
D. Use the 'galaxy' key to install the library from a collection.
Answer: C

Correct. This allows ansible-builder to handle installation efficiently and minimize image size.

Why this answer

Option C is correct because the `dependencies` key in `execution-environment.yml` allows specifying Python libraries and their versions under the `python` subkey. Ansible Builder will then install these dependencies during the build process, ensuring the required library is available without bloating the final container with unnecessary layers or manual RUN commands.

Exam trap

The trap here is that candidates confuse the `dependencies` key for Python libraries with the `galaxy` key for Ansible collections, or assume that `additional_build_steps` is the only way to install custom packages, ignoring the built-in Python dependency support.

How to eliminate wrong answers

Option A is wrong because `additional_build_steps` adds arbitrary RUN commands that create extra layers, increasing the final container size and bypassing Ansible Builder's optimized dependency management. Option B is wrong because using a custom base image with the library pre-installed forces the team to maintain a separate image, defeating the purpose of using the standard execution environment and often resulting in a larger base image. Option D is wrong because the `galaxy` key is for installing Ansible collections, not Python libraries; it cannot resolve pip dependencies.

66
Multi-Select · medium

Which TWO statements about execution environments are true?

Select 2 answers
A. Execution environments can include both Ansible and system dependencies.
B. Execution environments cannot be used with ansible-playbook directly.
C. Execution environments must be built using ansible-builder.
D. Ansible Navigator is required to use execution environments.
E. Execution environments are OCI containers.
Answers: A, E

They bundle all needed components.

Why this answer

Option A is correct because execution environments are container images that bundle all dependencies required to run Ansible, including both Ansible itself (e.g., specific versions of ansible-core and collections) and system-level dependencies (e.g., Python libraries, SSH clients, or package managers). This ensures consistent behavior across different control nodes and eliminates the 'works on my machine' problem.

Exam trap

Red Hat often tests the misconception that `ansible-builder` is the only way to build execution environments, but candidates must remember that any OCI-compliant container build tool (e.g., Dockerfile) can be used, and pre-built images can be pulled from a registry.

67
MCQ · easy

Which key in the galaxy.yml file defines the collection's namespace?

A. collection
B. authors
C. name
D. namespace
Answer: D

The 'namespace' key in galaxy.yml defines the namespace.

Why this answer

The `namespace` key in the `galaxy.yml` file explicitly defines the collection's namespace, which is the first part of the fully qualified collection name (FQCN) and is used to organize collections under a specific publisher or organization on Ansible Galaxy. This is a required field in the `galaxy.yml` metadata file, as per the Ansible Collection structure.

Exam trap

Red Hat often tests the distinction between `namespace` and `name` in `galaxy.yml`, knowing candidates may confuse the two or think `namespace` is implied by the directory structure rather than explicitly defined in the file.

How to eliminate wrong answers

Option A is wrong because `collection` is not a valid key in `galaxy.yml`; the file itself describes a collection, but no such key exists. Option B is wrong because `authors` is a metadata field listing the collection's authors, not the namespace. Option C is wrong because `name` defines the collection's short name (the second part of the FQCN), not the namespace.

68
MCQ · easy

An admin wants to build an execution environment using ansible-builder. Which file is required to define the base image and additional Python dependencies?

A. execution-environment.yml
B. requirements.yml
C. galaxy.yml
D. Dockerfile
Answer: A

execution-environment.yml is the correct file to define the base image and dependencies.

Why this answer

Option A is correct because `execution-environment.yml` is the required file for `ansible-builder` to define the base image (via the `base_image` field) and additional Python dependencies (via the `python` section under `dependencies`). This YAML file serves as the build definition that `ansible-builder` reads to construct the container image, making it essential for creating custom execution environments.

Exam trap

Red Hat often tests the distinction between files used by different Ansible tools—candidates confuse `requirements.yml` (for collections/roles) or `galaxy.yml` (for collection metadata) with the `execution-environment.yml` file that is specifically required by `ansible-builder`.

How to eliminate wrong answers

Option B is wrong because `requirements.yml` is used by `ansible-galaxy` to install Ansible collections or roles, not by `ansible-builder` to define the base image or Python dependencies. Option C is wrong because `galaxy.yml` is a metadata file for Ansible collections (e.g., defining namespace, version, and dependencies), not for building execution environments. Option D is wrong because while `ansible-builder` internally generates a Dockerfile, the user does not provide it directly; the required input file is `execution-environment.yml`, which `ansible-builder` processes to produce the Dockerfile and build context.

69
MCQ · medium

A team wants to use a certified collection from Red Hat Automation Hub but cannot access it directly due to firewall restrictions. What is the best practice?

A. Download the collection manually and install from a tarball.
B. Set up a private Automation Hub and sync the collection.
C. Copy the collection from another team's workspace.
D. Use ansible-galaxy collection install with --offline flag.
Answer: B

Syncing to a private hub is the recommended way to manage collections in restricted environments.

Why this answer

Option B is correct because setting up a private Automation Hub and syncing the certified collection is the best practice for environments with firewall restrictions. This approach ensures that the collection remains in a trusted, curated state, is automatically updated, and can be consumed by all team members via `ansible-galaxy` without manual intervention, maintaining compliance with Red Hat's support policies.

Exam trap

The trap here is that candidates often assume manual download (Option A) is acceptable for firewall restrictions, but Red Hat's best practice emphasizes using a private Automation Hub to maintain supportability and consistency across the enterprise.

How to eliminate wrong answers

Option A is wrong because manually downloading and installing from a tarball bypasses the dependency resolution and version tracking provided by Automation Hub, leading to potential inconsistencies and unsupported configurations. Option C is wrong because copying a collection from another team's workspace introduces risks of untracked modifications, missing dependencies, and violates Red Hat's best practices for centralized, version-controlled content management. Option D is wrong because the `--offline` flag does not exist in `ansible-galaxy collection install`; the correct flag is `--no-deps` for offline scenarios, but this still requires the collection to be available locally and does not address the firewall restriction for initial access.

70
MCQ · medium

Refer to the exhibit. A user includes this in the execution-environment.yml. The build process fails because the second collection cannot be resolved. What is the most likely reason?

A. The format of the version constraint is invalid.
B. The source URL does not include the required endpoint like '/api/v3/'.
C. The source URL is not a valid Galaxy server endpoint.
D. The second collection is not authorized for download.
Answer: C

The URL should be the root of a Galaxy server, like https://internal.galaxy.example.com, not with /api/ path.

Why this answer

The correct answer is C because the execution-environment.yml references a Galaxy server endpoint that is not a valid Ansible Galaxy server. Ansible Builder resolves collections from Galaxy servers, and if the URL does not point to a recognized Galaxy API endpoint (e.g., https://galaxy.ansible.com), the build process cannot fetch the collection. The error indicates the second collection cannot be resolved, which directly points to an invalid or unreachable Galaxy server URL.

Exam trap

Red Hat often tests the misconception that a Galaxy server URL must include the full API path, but in reality, Ansible Builder automatically appends the required endpoint, so the URL should be the base server address.

How to eliminate wrong answers

Option A is wrong because the version constraint format (e.g., '>=1.0.0') is standard and valid for Ansible collections; the error is about resolution, not syntax. Option B is wrong because Galaxy server URLs do not require an explicit '/api/v3/' endpoint; Ansible Builder automatically appends the correct API path when resolving collections. Option D is wrong because authorization errors typically produce a 403 or authentication failure message, not a generic 'cannot be resolved' error; the issue is the server endpoint itself is invalid.

71
MCQ · medium

Refer to the exhibit. An Ansible user runs `ansible-navigator` from the `/home/user/project` directory. The execution environment image is not present locally. What will occur?

A. The container engine will default to docker because podman is not a valid engine.
B. The image will be pulled from the registry because the pull policy is 'missing'.
C. The volume mount will fail because the source path is not absolute.
D. The image will be pulled only if the --pull flag is passed on the CLI.
Answer: B

Correct: the pull policy 'missing' pulls the image when it is not locally available.

Why this answer

Option B is correct because the pull policy "missing" means the image will be pulled if it is not present locally. Option D is incorrect because the pull policy is set in the config and does not require a CLI flag. Option A is incorrect because podman is a valid container engine in ansible-navigator. Option C is incorrect because the source path `/home/user/project` is absolute.

72
MCQ · easy

A system administrator wants to build an Ansible execution environment using ansible-builder. Which file format is required to define the base image, dependencies, and additional Python packages for the build?

A. execution-environment.yml
B. ansible-navigator.yml
C. Containerfile
D. requirements.yml
Answer: A

Correct. This is the standard file for ansible-builder.

Why this answer

Option A is correct because `ansible-builder` requires an `execution-environment.yml` file to define the build context, including the base image (under `version: 1`), system-level dependencies (under `dependencies: system:`), and additional Python packages (under `dependencies: python:`). This file is the mandatory definition file for building an Ansible Execution Environment (EE) using `ansible-builder build`.

Exam trap

The trap here is that candidates confuse the build input file (`execution-environment.yml`) with the runtime configuration file (`ansible-navigator.yml`) or with the generated output (`Containerfile`), leading them to pick the wrong option.

How to eliminate wrong answers

Option B is wrong because `ansible-navigator.yml` is the configuration file for `ansible-navigator`, a tool used to run and inspect execution environments, not for building them with `ansible-builder`. Option C is wrong because a `Containerfile` (or `Dockerfile`) is a lower-level container build file that `ansible-builder` generates from `execution-environment.yml`; it is not the input file the administrator writes. Option D is wrong because `requirements.yml` is used by `ansible-galaxy` to install collections and roles, not by `ansible-builder` to define the base image or Python packages for an execution environment build.

73
MCQ · hard

An organization uses ansible-builder to create an execution environment (EE) for network automation. The EE includes a custom collection 'acme.network' that requires the 'netaddr' Python library. The ansible-builder definition file (execution-environment.yml) lists 'netaddr' in the requirements.txt under dependencies.python. After building the EE and pushing it to the local registry, a user runs ansible-navigator with the EE and executes a playbook that uses a module from 'acme.network'. The playbook fails with an error that 'netaddr' is not installed. The user checks the running container and confirms that 'netaddr' is installed via pip list. What is the most likely cause?

A. The base image for the EE does not include the required system packages for 'netaddr'.
B. The collection 'acme.network' is not installed in the EE.
C. The ansible-navigator command is using a different EE than the one built.
D. The Python environment in the EE has multiple versions and netaddr is installed in the wrong one.
Answer: D

This is a realistic scenario in complex base images.

Why this answer

Option D is correct because execution environments built with ansible-builder can contain multiple Python interpreters (e.g., system Python and a virtual environment). The 'netaddr' library might be installed in the system Python but the Ansible controller process inside the EE runs from a different Python environment (often a virtual environment under /usr/share/ansible). When the playbook executes, it imports from the wrong Python, causing the 'not installed' error despite pip list showing the package.

Exam trap

The trap here is that candidates assume 'pip list' showing a package means it is available to Ansible, ignoring that Ansible inside the EE may use a separate Python virtual environment.

How to eliminate wrong answers

Option A is wrong because 'netaddr' is a pure Python library and does not require any system packages; the error is about Python import, not missing OS-level dependencies. Option B is wrong because the user confirmed the collection 'acme.network' is present (the playbook uses a module from it), and the error specifically names 'netaddr', not a missing module. Option C is wrong because the user checked the running container and confirmed 'netaddr' is installed via pip list, which implies they are inspecting the correct container; if a different EE were used, the pip list output would not show 'netaddr'.

74
MCQ · medium

A team uses `ansible-navigator` to run playbooks with an execution environment. The playbook requires a collection that is not included in the execution environment. Which approach allows the team to use the collection without rebuilding the execution environment?

A. Set the `ANSIBLE_COLLECTIONS_PATHS` environment variable to a directory containing the collection and use `--execution-environment-image` with the EE.
B. Use the `--container-options` flag to mount a volume with the collection.
C. Use `ansible-galaxy collection install` inside the execution environment at runtime.
D. Rebuild the execution environment with the collection included.
Answer: A

Allows the local collection to be used inside the EE without rebuilding.

Why this answer

Option A is correct because setting the `ANSIBLE_COLLECTIONS_PATHS` environment variable tells `ansible-navigator` to look for collections in a specified directory on the host, and using `--execution-environment-image` ensures the correct execution environment image is used. This allows the team to inject a collection into the container at runtime without modifying the execution environment image itself, as `ansible-navigator` mounts the specified host directory into the container automatically.

Exam trap

The trap here is that candidates assume collections must be baked into the execution environment image, overlooking that `ansible-navigator` supports runtime injection of collections via host-mounted directories controlled by environment variables.

How to eliminate wrong answers

Option B is wrong because `--container-options` is not a valid flag for `ansible-navigator`; volume mounts are handled automatically by `ansible-navigator` based on environment variables like `ANSIBLE_COLLECTIONS_PATHS`, not via a generic container options flag. Option C is wrong because `ansible-galaxy collection install` cannot be run inside the execution environment at runtime; the execution environment is immutable once started, and you cannot execute arbitrary commands inside it without rebuilding the image. Option D is wrong because rebuilding the execution environment is the exact approach the team wants to avoid, as it is time-consuming and unnecessary when a runtime mount solution exists.

75
MCQ · hard

Your security team requires that all containers used in production must be scanned for vulnerabilities and must not contain any unnecessary packages to reduce attack surface. You are building an execution environment based on the 'ee-minimal-rhel8' image from Red Hat. You need to add a custom Python library named 'my_lib' that is available on a private PyPI server. You also need to install a collection from a private Git repository. The execution environment must be as small as possible. Which approach to building the execution environment satisfies the security and size requirements?

A. Use a multi-stage build in the execution-environment.yml by specifying 'additional_build_steps' to first install build dependencies, then install the library and collection, and finally remove build dependencies.
B. Use the 'dependencies' key for the Python library and the 'git' option for the collection, which automatically handles minimization.
C. Build a custom base image that already includes the library and collection, then reference it as the base image.
D. Add the library and collection installation commands to the 'additional_build_steps' section without any cleanup steps.
Answer: A

Correct. Multi-stage builds minimize final image size by discarding build-time layers.

Why this answer

Option A is correct because a multi-stage build in the execution-environment.yml using 'additional_build_steps' allows you to install build dependencies (e.g., gcc, python3-devel) needed to compile 'my_lib', install the library from the private PyPI server, install the collection from the private Git repository, and then remove all build dependencies in a subsequent stage. This results in a final image that contains only the runtime artifacts, minimizing the attack surface and image size, satisfying the security and size requirements.

Exam trap

The trap here is that candidates assume the 'dependencies' key or 'git' option automatically handle cleanup, but they do not; the exam tests whether you understand that explicit multi-stage build steps are required to remove build dependencies and minimize the image.

How to eliminate wrong answers

Option B is wrong because the 'dependencies' key for Python libraries and the 'git' option for collections do not automatically handle minimization; they install the packages and collections but leave behind build dependencies and cache files, resulting in a larger image with unnecessary packages. Option C is wrong because building a custom base image that already includes the library and collection does not reduce the attack surface; the base image itself may contain unnecessary packages, and you lose the ability to cleanly separate build-time and runtime dependencies. Option D is wrong because adding installation commands to 'additional_build_steps' without cleanup steps leaves build dependencies and temporary files in the final image, violating the requirement to remove unnecessary packages.
