Red Hat Certification
60 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.
The Red Hat RHCE Engineer (EX294) certification validates professional expertise in Red Hat technologies. This study guide covers all 60 practice questions from our EX294 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.
Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.
You need to configure a system to automatically mount an NFS share at boot time. Which file must you edit to ensure the mount persists across reboots?
/etc/fstab is the static filesystem table used by the system to automatically mount filesystems at boot time. /etc/mtab is dynamic and only reflects currently mounted filesystems.
When using Ansible to manage multiple hosts, you want to execute a task only on hosts matching a specific pattern. Which inventory construct allows you to group hosts by characteristics?
Groups in the inventory file allow you to organize hosts by characteristics and target them with patterns like [webservers] or [databases]. This enables selective execution of tasks across matched groups.
You are configuring SELinux and need to temporarily disable it without restarting the system. Which command accomplishes this task?
The setenforce command temporarily sets SELinux mode to permissive (0) or enforcing (1) without requiring a reboot. Permanent changes require editing /etc/selinux/config.
In an Ansible playbook, you need to include sensitive data like passwords without storing them in plain text. What is the recommended approach?
ansible-vault is the standard tool for encrypting sensitive data in playbooks and variable files. It allows encrypted content to be checked into version control safely while still being accessible during playbook execution.
You configure a service to start automatically with systemd. After making changes to the service unit file, what must you do to ensure systemd recognizes the changes?
systemctl daemon-reload instructs systemd to reload its unit configuration files from disk. This must be done after modifying unit files but before restarting the service for changes to take effect.
When using Ansible roles, where should you place files that are copied to remote hosts unchanged during role execution?
The files/ directory in a role contains static files that are copied to remote hosts using the copy module without any variable substitution or templating.
You need to configure firewall rules to allow traffic on port 443 while maintaining persistence across reboots. Which approach is correct for firewalld?
Using --permanent flag modifies the persistent configuration, but changes don't take effect immediately. You must use --reload to reload the firewall rules from disk for the new rules to become active.
In Ansible, you create a playbook that uses a variable defined in a role's defaults/main.yml. At what point in the variable precedence hierarchy does this value get evaluated?
Role defaults have the lowest precedence in Ansible's variable hierarchy and can be overridden by inventory variables, group variables, host variables, and task variables.
You need to ensure that a critical service restarts automatically if it crashes unexpectedly. Which systemd directive in the service unit file accomplishes this?
The Restart= directive controls systemd's automatic restart behavior. Setting it to 'always' ensures the service restarts regardless of exit code, while other values like 'on-failure' provide more conditional restart behavior.
When configuring a user account via Ansible, you want to set the default shell to /bin/bash and ensure the home directory is created. Which module parameters achieve both goals?
The user module in Ansible accepts the 'shell' parameter to set the login shell and the 'createhome' parameter to create the home directory if it doesn't exist.
You configure SSH key-based authentication and place a public key in ~/.ssh/authorized_keys. After setting permissions to 600, SSH still denies key-based login. What is the most likely issue?
SSH requires the ~/.ssh directory to have permissions 700 (rwx------) and authorized_keys to have 600 (rw-------). If ~/.ssh has incorrect permissions, SSH will reject key-based authentication as a security measure.
In a playbook, you use the debug module to display variable values during execution. What is the primary use case for this module in production environments?
The debug module is used to display messages and variable values during playbook execution, primarily for troubleshooting and verification purposes. It helps confirm that variables have expected values at specific execution points.
You need to deploy the same configuration to 50 servers but with slight variations per server. Which Ansible feature best supports this requirement while maintaining code reusability?
Combining inventory variables (per-host or per-group) with the template module allows you to maintain a single configuration template that generates different outputs for each server based on its variables.
When configuring log rotation with logrotate, which configuration option ensures that compressed log files are retained for a specific number of days?
The 'maxage' option in logrotate specifies the maximum number of days to keep rotated log files. The 'rotate' option specifies how many rotated logs to keep, and 'compress' enables compression of rotated logs.
You create an Ansible task that registers the output of a command in a variable. Later, you need to extract a specific field from this output. Which approach is most appropriate?
Ansible filters like json_query for JSON output or regex_search for pattern matching allow you to elegantly extract specific fields from registered command output without re-executing the command.
In SELinux, what does the context label 'unconfined_u:unconfined_r:unconfined_t:s0' indicate about a process?
The unconfined domain (unconfined_t) indicates a process that operates with minimal SELinux restrictions. Most user processes and system services run with more specific confined domains for security.
You configure a network bond using NetworkManager for redundancy. After creating the bond0 interface, what is the next step to ensure both underlying interfaces are enslaved to the bond?
With NetworkManager, you use nmcli to add physical interfaces as slaves to the bond connection. For example: 'nmcli connection add type ethernet ifname eth0 master bond0 slave-type bond' and similar for each interface.
An Ansible playbook uses the copy module to deploy a configuration file. You need the file to be processed by Jinja2 for variable substitution before copying. Which module should you use instead?
The template module is specifically designed to process files through Jinja2 and substitute variables, providing the same copy functionality as the copy module but with variable interpolation support.
You need to restrict a user's cron job execution. Which approach is most secure and maintainable in a Red Hat environment?
Using /etc/cron.allow with an explicit whitelist is more secure and maintainable than /etc/cron.deny. When /etc/cron.allow exists, only users listed in it can schedule cron jobs, providing better access control.
When configuring a service with systemd, you need it to wait for network availability before starting. Which directive accomplishes this?
To ensure a service waits for network availability, use both 'After=network-online.target' (ordering dependency) and 'Wants=network-online.target' (soft dependency) to ensure the target is reached before the service starts.
In Ansible, you want to execute a task only if a variable has a specific value. Which conditional syntax is correct?
Ansible uses the 'when' keyword with standard Jinja2 conditional expressions. The syntax 'when: variable == "value"' is the correct way to conditionally execute a task based on variable value.
You need to monitor log files for specific error patterns and send alerts. Which tool is most appropriate for this task in a Red Hat environment?
rsyslog allows you to define rules that match log patterns and execute scripts to send alerts. This is more efficient than periodic grep execution and provides real-time pattern matching for error detection.
An Ansible playbook deploys packages using the yum module. You want to ensure that a package is installed but don't require a specific version. Which state value is appropriate?
state=present installs the package if it's not present but doesn't upgrade it if a newer version is available. state=latest would upgrade to the newest version, while 'installed' and 'available' are not valid yum module states.
You configure a firewall rule that must apply to a specific network interface. Which firewalld zone configuration approach is most appropriate?
Firewalld zones allow you to group interfaces and apply rules per zone. Creating a custom zone and assigning an interface to it via firewall-cmd with --permanent ensures the configuration persists across reboots and is properly managed by firewalld.
In a disaster recovery scenario, you need to verify that file permissions were preserved in a backup. Which tar option enables extended attributes and SELinux contexts to be backed up?
The --selinux flag preserves SELinux contexts while --xattr (or --xattrs) preserves extended attributes. Using both together ensures complete metadata preservation during backup and restoration.
You configure an Ansible handler that should run after multiple tasks. When does this handler execute?
Handlers execute at the end of the current play block, after all tasks have run. This allows multiple tasks to notify the same handler, which then executes only once at the end, improving efficiency.
You need to configure a managed node to use a specific DNS server. Which Ansible module is best suited for this task?
The nmcli module is the recommended way to manage NetworkManager connections, including DNS configuration on modern RHEL systems. Using lineinfile on /etc/resolv.conf is not idempotent as the file is managed by NetworkManager.
Which of the following best describes the purpose of ansible-inventory command?
The ansible-inventory command lists hosts and groups from inventory sources, useful for debugging inventory configuration. It does not validate playbook syntax, encrypt data, or generate scripts.
You are writing a role that manages firewall rules. The role should support both firewalld and iptables backends. What is the best approach to implement this?
Using a variable makes the role flexible and reusable across different environments. This follows the principle of making roles parameterizable while conditional logic based on detection can handle edge cases.
When using Ansible vault to encrypt a variable file, what command encrypts an existing unencrypted YAML file?
The encrypt subcommand encrypts an existing plaintext file. The create command is used to create a new encrypted file from scratch, while lock and secure are not valid vault subcommands.
You need to ensure that a handler runs only once during a play, even if multiple tasks trigger it. Which handler attribute accomplishes this?
The run_once directive on a handler ensures it executes only once per play, regardless of how many tasks notify it. The listen attribute is for handler naming, not for controlling execution frequency.
Which Ansible module is used to manage SELinux file contexts and ensure they persist across reboots?
The sefcontext module manages SELinux file context mappings in the policy, making changes persistent. The selinux module controls global mode, and direct semanage calls are not idempotent in Ansible.
When configuring a role to deploy a web application, you want to ensure sensitive credentials are never logged. What mechanism prevents logging of specific variables?
The no_log: true parameter on a task prevents that task's output from appearing in logs. Variable naming conventions and special attributes do not automatically hide logs; no_log is the proper mechanism.
You are troubleshooting a playbook that uses multiple loops. Which variable provides the current iteration index in a loop?
The loop.index variable contains the current iteration number (1-based indexing) when using the loop keyword. Other options are not valid Ansible loop variables.
A playbook needs to gather facts about target systems but only for hosts that will actually run tasks. Which play-level setting optimizes this behavior?
The smart setting gathers facts only on hosts that are included in the play after any host filtering. This optimizes performance when using limits or conditionals that exclude some hosts.
You must create a role that manages packages, but the package names differ between RHEL 8 and RHEL 9. What is the recommended approach?
Using version-specific variable files in the role's vars directory keeps role logic clean and reusable. While conditionals work, separating variable definitions is more maintainable.
When using the copy module to deploy configuration files, which parameter ensures the deployed file has specific ownership and permissions?
The copy module accepts owner, group, and mode parameters directly, allowing idempotent file deployment with correct ownership and permissions in one task.
You are implementing a role that should fail fast if certain critical variables are not defined. Which validation approach is best?
The assert module provides a clean, reusable way to validate multiple conditions and fail with informative messages. The mandatory option does not exist; relying on rendering errors produces poor error messages.
Which strategy in an Ansible playbook allows tasks to run in parallel across different hosts while respecting serial batches?
The free strategy runs tasks in parallel per host without waiting for all hosts to complete each task, and serial batches hosts in groups. Linear strategy waits for all hosts per task; async is for background jobs.
You need to ensure that a configuration file is deployed with content from a template, but only if the file does not exist. Which approach is most idempotent?
The template module is idempotent by default and will only modify files if content changes. If you want to skip existing files, use force: false (not 'no'); however, the template module handles all scenarios appropriately without conditions.
When writing a complex playbook, you need to stop execution if a critical task fails, but allow other plays to continue. Which play-level option achieves this?
Setting max_fail_percentage: 0 stops the play if any host fails, preventing progression to the next task but allowing other plays to run. any_errors_fatal stops all plays; ignore_errors allows continuation within the play.
You are designing a role for database configuration. The role needs to work with both PostgreSQL and MySQL. Where should database-specific variables be stored?
The standard approach is to store default variables in defaults/main.yml and conditionally include database-specific variable files from vars/ based on a role variable. This keeps the role self-contained and reusable.
Which of the following correctly uses the block statement to handle multiple related tasks with a single error handler?
Blocks group tasks and allow a single rescue section (error handler) and always section to apply to all tasks in the block. Retry is a separate mechanism; blocks do not enforce completion order or idempotency.
You need to configure the sudoers file to allow specific commands without passwords. Which module is safest for this task?
Files in /etc/sudoers.d/ are validated by sudo itself and are safer than editing /etc/sudoers directly. Using copy to deploy a pre-validated sudoers.d snippet is the recommended approach. visudo is not an Ansible module.
When using Ansible to manage systemd units, which module parameter ensures a service is enabled to start at boot and is currently running?
The systemd module accepts both state: started (ensures service is running) and enabled: yes (ensures it starts at boot) in a single idempotent task. These can be combined in one module call.
You are implementing error handling in a playbook using blocks. A rescue section should handle specific errors, but others should fail the playbook. What is the best approach?
Organizing blocks by error type allows each block's rescue section to handle only expected errors for that block's logic. Other blocks can fail naturally. Multiple rescue blocks in one block is not possible; there is only one rescue per block.
Which approach ensures that a role's default variables can be overridden by inventory-level variables without modifying the role?
Ansible's variable precedence automatically gives inventory variables (group_vars, host_vars) higher priority than role defaults, allowing role reuse with environment-specific overrides without modification.
You need to register the output of a task and use it in a subsequent task only if the first task succeeded. Which construct best handles this?
Registering output and then using when conditions to check the result status (e.g., when: previous_task.rc == 0) is the standard conditional approach. changed_when affects reporting, not execution flow.
When deploying a role that manages system services, how should you handle the case where a service does not exist on all distributions?
Using the stat module to check for service existence before attempting to manage it is the most reliable approach. This allows conditional logic without assuming service availability across all distributions.
You are documenting a role for team use. Which file in a role directory serves as the primary documentation for the role's purpose and usage?
The README.md file in the role's root directory is the standard location for role documentation, describing purpose, variables, examples, and usage. The meta/ directory contains role metadata, not user documentation.
You need to configure a firewall rule to allow incoming traffic on port 8080 for a web application. Which firewalld command would you use to add this rule permanently?
The --permanent flag ensures persistence across reboots, --zone=public specifies the zone, and --reload applies the changes immediately. Using --add-port with both permanent flag and reload is the correct method.
When using Ansible handlers, which statement best describes their primary purpose?
Handlers are special tasks that only run when notified by another task and only if that task reported a change, making them ideal for actions like service restarts.
You are troubleshooting an Ansible playbook that references a variable defined in a vars_files directive, but the variable is not being recognized. Which of the following is the most likely cause?
If vars_files cannot load the specified file due to incorrect path or YAML syntax errors, the variables will be undefined. Verify the file path and validate YAML syntax.
A system administrator needs to implement role-based access control (RBAC) for Ansible Tower. Which of the following best describes the purpose of RBAC in this context?
RBAC in Ansible Tower enables organizations to control which users can view, modify, and execute specific projects, inventories, and job templates based on their organizational roles.
You have a task that conditionally registers a variable based on the previous task's result. However, the registered variable needs to be available to tasks in subsequent plays. What is the best approach?
Registered variables are only available within the current play. To make them available across plays, convert them to facts using set_fact, which persists for the entire playbook execution.
Which SELinux context component is responsible for defining what a process can do?
In SELinux contexts (user:role:type:level), the type component defines the domain and determines what processes can access. User and role are also important but type is the primary enforcement mechanism.
You need to create a custom SELinux policy module for a third-party application. Which command sequence would you use to compile and install the policy?
The correct sequence is: compile the type enforcement file (.te) into a module (.mod), package it into a policy package (.pp), and install it with semodule -i. This is the standard method for custom policy creation.
When configuring a system to use Kerberos authentication with Ansible, which of the following best describes the authentication flow?
Kerberos uses ticket-based authentication where a TGT is obtained once and then used for service authentication, avoiding password transmission and enabling single sign-on capabilities.
You are using Ansible to manage multiple environments (dev, staging, production) with different variables for each. What is the recommended approach to organize this?
Separate inventory files with group_vars/host_vars directories is the Ansible best practice for managing multiple environments, keeping configurations organized, scalable, and maintainable.
A playbook task uses the command module to execute a shell script, but the script requires environment variables to function properly. Which approach is most appropriate?
The environment keyword in Ansible tasks allows you to pass environment variables directly to that task without affecting the global shell environment, which is the cleanest and most reliable approach.
You've reviewed all 60 questions. Take the interactive practice exam to simulate the real test environment.
▶ Start Practice Exam — Free