Red Hat Certification
60 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.
The Red Hat OpenStack Administrator (EX374) certification validates professional expertise in Red Hat technologies. This study guide covers all 60 practice questions from our EX374 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.
Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.
When configuring Cinder volume backend storage, which parameter defines the physical location where volumes are stored?
The volume_backend_name parameter specifies the logical name of a storage backend, which identifies where volumes will be created and stored. This is essential for multi-backend Cinder deployments.
Which OpenStack service is responsible for managing container orchestration and lifecycle?
Magnum is the OpenStack service that manages Kubernetes and other container orchestration engines as first-class resources. The other services handle messaging, data processing, and database services respectively.
In Keystone, what is the primary purpose of using application credentials instead of user passwords?
Application credentials provide a secure alternative for API access with restricted permissions and optional expiration dates, reducing the exposure of user passwords while maintaining security boundaries.
Which command-line tool is used to manage Glance image properties and metadata?
The OpenStack CLI unified command 'openstack image set' is the standard way to modify Glance image properties and metadata. While legacy tools like glance CLI exist, the openstack CLI is the recommended approach.
When setting up Nova's PCI passthrough, what is the critical first step in the compute node configuration?
PCI passthrough requires IOMMU (Input/Output Memory Management Unit) to be enabled in the system BIOS and kernel, followed by device identification and whitelisting in Nova configuration. This is the prerequisite before any instance configuration.
What is the recommended approach for updating Nova compute nodes in a production environment without service interruption?
Rolling updates with instance evacuation on each compute node minimizes service disruption. The nova-manage command registers new hosts with the cell, and instances are migrated away before updates occur.
In Neutron, which mechanism allows you to isolate tenant traffic using VLAN tagging on a physical network?
VLAN network type with properly configured network_vlan_ranges in the ML2 plugin enables tenant isolation using 802.1q VLAN tagging on physical network interfaces. Flat networks don't support tagging, while VxLAN and GRE are overlay technologies.
When configuring Cinder backup, what must be verified to ensure proper functionality with a Swift backend?
For Swift-backed Cinder backups, proper credentials must be configured and the Cinder service account requires permissions to create and manage Swift containers. The other options are either false or not specific requirements for Swift backup functionality.
Which Heat parameter type is used for complex data structures with multiple properties and validation rules?
The 'json' parameter type in Heat allows you to define complex data structures with nested properties, providing validation capabilities for structured data. This is more appropriate than simple string types for complex configurations.
In Ironic, what is the significance of configuring the 'ipmi_address' parameter in node driver data?
The ipmi_address in Ironic node driver data specifies the BMC network address, allowing out-of-band management and control of the physical server independent of the operating system.
When troubleshooting Horizon dashboard performance issues, which log file should be examined first?
The Apache/httpd error log contains Horizon's application errors and performance issues since Horizon runs as a web application served by Apache. While other logs provide context, the web server log is the primary source for Horizon-specific issues.
Which network plugin configuration in Neutron allows for provider network creation without VLAN or overlay segmentation?
Flat provider networks allow network creation using a single physical interface without any segmentation mechanism, useful for direct layer-2 connectivity. This differs from segmented approaches like VLANs or overlays.
In Nova, what happens when an instance is in 'STOPPED' state versus 'SHELVED' state?
STOPPED keeps instance data and resources allocated on the compute node, while SHELVED (shelve-offload) moves the instance to Glance and deallocates compute resources, useful for long-term pause scenarios and resource optimization.
Which Glance setting determines the maximum size of images that can be uploaded to the service?
The image_size_cap setting in glance-api.conf specifies the maximum allowed image size in bytes. This prevents extremely large uploads from consuming excessive resources.
When configuring Cinder volume encryption, which component performs the actual encryption of data?
Cinder volume encryption involves Barbican (key manager) for key management and the Cinder volume driver for actual encryption operations at the storage layer, creating encrypted volumes at rest.
Which command correctly evacuates instances from a Nova compute node during maintenance?
The 'openstack server evacuate' command is the proper way to move instances from a source compute host to another host, with proper syntax for specifying target and source hosts. Option B uses deprecated nova CLI.
In Keystone, what is the difference between implicit and explicit role inheritance?
Explicit role inheritance uses Keystone's role hierarchy configuration to automatically grant child roles when parent roles are assigned. Implicit inheritance does not provide this automatic mechanism.
Which Neutron component is responsible for managing the actual configuration of network devices on compute nodes?
The Neutron L2 agent running on compute nodes configures the actual network devices (bridges, ports, VLANs) on the hypervisor based on Neutron server directives.
When using Placement API for scheduling, what does the 'generation' field in a resource provider represent?
The generation field is a version counter in the Placement API that changes whenever resource provider data (like traits or resource classes) is modified, preventing concurrent update conflicts.
What is the primary function of the Nova conductor service in an OpenStack deployment?
The Nova conductor performs database operations and acts as an intermediary for scheduler decisions, reducing the database load on compute nodes and enhancing security by preventing direct database access from compute services.
In a multi-region OpenStack deployment, which Keystone component must be synchronized across regions?
In multi-region deployments, the identity backend (users, projects, roles) must be synchronized or shared across regions, but tokens and service catalogs can be region-specific to reflect local services.
Which tool is used to validate and troubleshoot OpenStack configuration files syntax before deployment?
While openstack-config-validator exists for some validations, configuration syntax is typically validated through direct parsing and error messages during service startup. The openstack CLI and Ansible are not configuration validators.
When setting up volume snapshots in Cinder, what consideration must be made for encrypted volumes?
Snapshots of encrypted volumes inherit the encryption configuration, and the encryption key must remain available for both snapshot creation and restoration. The snapshot maintains the same encryption properties as the source.
Which Horizon setting enables you to customize the dashboard's appearance and branding for different organizations?
Horizon customization is done through LOCAL_SETTINGS.py where you can configure HORIZON_CONFIG dictionary with custom logos, CSS, and branding options for different organizations.
In Ironic, what is the purpose of the 'power state' field versus the 'provisioning state' field?
In Ironic, power state represents the actual hardware power status (on/off), while provisioning state tracks the deployment lifecycle (active, deploying, deployed, error), providing distinct visibility into hardware and software state.
You need to create a new project in OpenStack with specific resource quotas. Which command-line tool would you use to manage project creation and quota assignment?
The openstack project create command creates projects, and openstack quota set configures resource limits. These are the modern, unified OpenStack CLI tools for this task.
An instance is in an ERROR state and needs to be recovered. What is the first diagnostic step you should take?
Checking console logs and nova-compute logs provides the root cause of the error state, allowing for targeted troubleshooting rather than destructive actions.
You are configuring Neutron with ML2 plugin. Which of the following correctly describes the role of mechanism drivers?
Mechanism drivers are responsible for translating logical network configurations into actual device configurations on switches, hypervisors, and other network infrastructure.
When configuring Cinder for multi-backend support, how do you specify which backend a volume should be created on?
The volume_backend_name property in volume type extra specs is the standard way to direct volume creation to a specific backend in a multi-backend Cinder deployment.
Your OpenStack deployment experiences intermittent connectivity issues between instances on different compute nodes. What is the most likely cause?
Inter-node instance connectivity depends on proper overlay network configuration (VXLAN tunnels) and network node connectivity; issues here directly cause intermittent cross-node communication problems.
Which of the following statements about OpenStack role-based access control (RBAC) is correct?
Keystone supports flexible role assignment where users can have different roles across different projects and domains, allowing fine-grained access control.
You need to migrate a running instance from one compute node to another with zero downtime. Which migration method should you use?
Live migration (also called true migration) maintains instance uptime by transferring memory and disk state while the instance continues running, ensuring zero-downtime migration.
In Keystone, what is the primary purpose of a domain?
Domains in Keystone provide administrative isolation and separate authentication namespaces, allowing multiple independent project hierarchies within a single OpenStack deployment.
What is the correct order of operations for safely shutting down a compute node in OpenStack?
The correct procedure is to disable the node first (preventing new instance scheduling), then migrate running instances away, and finally stop services to ensure a clean shutdown.
You are configuring Swift for a highly available deployment. Which component is responsible for ensuring data replication across multiple servers?
The Ring defines data placement across the cluster, and the Replicator daemon actively maintains replicas by copying objects across devices and servers to maintain the desired replication factor.
An image in Glance is marked as 'protected'. What is the primary effect of this setting?
The protected flag in Glance prevents accidental deletion of critical images; the image remains fully usable but cannot be deleted while the flag is active.
When configuring Nova with placement service, what is the primary function of placement?
The Placement service maintains real-time inventory of compute resources and helps Nova's scheduler make intelligent decisions about instance placement based on available resources.
Your organization requires that all block storage volumes be encrypted. Where should this be configured?
Volume encryption is configured through volume type definitions in Cinder, specifying the encryption algorithm and integration with a key manager like Barbican.
What is the relationship between Nova flavors and compute node resources?
Flavors define vCPU, memory, and disk requirements for instances; the scheduler uses these specifications to ensure instances are placed on compute nodes with sufficient resources.
In an OpenStack deployment with multiple regions, how are user credentials and authentication shared across regions?
In a multi-region deployment, a centralized Keystone issues tokens with cross-region validity, allowing users to access resources across regions with a single authentication.
When configuring Neutron security groups, which direction of traffic does a security group rule control by default?
Security group rules explicitly control either ingress or egress traffic; each rule specifies its direction, and default behavior typically denies all traffic unless explicitly allowed.
You need to reclaim disk space from a Cinder volume that has been deleted. What operation should be performed on the underlying storage backend?
After volume deletion, filesystem-level operations like TRIM/UNMAP commands inform the storage that blocks are no longer in use, allowing the backend to reclaim space.
What is the primary advantage of using Heat orchestration templates in OpenStack?
Heat templates enable infrastructure-as-code, allowing complex multi-resource applications to be defined declaratively, version controlled, and repeatedly deployed consistently.
In a Neutron deployment using DVR (Distributed Virtual Routing), where does routing occur for instances?
DVR distributes routing to compute nodes for improved scalability and performance; the network node handles only SNAT for external traffic, reducing a critical bottleneck.
Which service is responsible for managing and provisioning bare metal nodes in OpenStack?
Ironic is the OpenStack service dedicated to provisioning and managing bare metal servers, providing PXE boot, hardware inventory, and lifecycle management.
When backing up OpenStack metadata, which database contains the most critical information that should be protected?
The central relational database stores all OpenStack service metadata including authentication, projects, instances, networks, and volumes; its loss would be catastrophic.
You are troubleshooting a port that appears to be down in Neutron. What is the first command to check the port status and details?
The openstack port show command (modern CLI) retrieves comprehensive port status and configuration details from Neutron, making it the first diagnostic step.
In OpenStack, what is the purpose of availability zones in Nova?
Availability zones group compute nodes (typically by physical location or failure domain), allowing users to distribute instances across zones to improve fault tolerance.
A user reports that they cannot create a snapshot of a running instance. What is the most likely cause?
Live snapshots of running instances may fail if the backing image uses formats that don't support consistent snapshots; cold snapshots after instance pause often work better.
When configuring OpenStack with Keystone using fernet tokens, what is a critical operational requirement?
Fernet tokens require synchronized keys across all Keystone instances and periodic rotation; key distribution and management is critical for multi-node Keystone deployments.
You need to configure Neutron to support multiple external networks for different tenant projects. Which mechanism driver combination best supports this requirement?
ML2 driver with OVS supports multiple external networks through bridge mappings that connect different physical networks to different external network providers. This is the standard approach for multi-external-network setups.
An instance fails to launch with error 'No valid host was found.' You suspect Nova scheduler filter issues. Which file should you examine first?
The scheduler filters in nova.conf determine which hosts are eligible for instance placement. The enabled_filters parameter controls which filters are active, making this the first place to verify scheduler configuration.
You are implementing role-based access control in Keystone. A user should be able to list instances across all projects but only modify instances in their own project. How should this be configured?
Nova policy.json allows fine-grained control using scope-based policies that can grant read access across projects while restricting write operations to a user's own project. This is the proper way to implement scoped RBAC in OpenStack.
During a Cinder backup operation, the backup fails with 'Insufficient space in backup backend.' Which configuration parameter controls where backups are stored?
The backup_driver parameter selects the backup backend driver (e.g., NFS, Ceph, Swift), but the actual storage path depends on how that specific driver is configured, typically through mount points or backend credentials.
Your Glance image service is experiencing slow uploads. You suspect the backend storage is the issue. Which storage backend would provide the fastest upload performance for large images?
Filesystem backend with local SSD provides the lowest latency and highest throughput for image uploads, making it ideal for performance-critical scenarios. Remote and distributed backends introduce network latency.
You need to enable live migration for instances with attached Cinder volumes. Which configuration must be verified on the compute nodes?
For live migration with Cinder volumes, you either need shared storage between compute nodes or must enable block_migration. Block migration allows copying instance storage during migration without requiring shared storage.
A tenant reports they cannot create security groups in a particular project. The project quota for security groups shows 10/10 used. What is the most likely cause?
Each project automatically gets a default security group created during project initialization, which counts against the security group quota. If the quota is 10 and 10 are used, the default group is likely occupying one slot.
You are configuring Heat to manage infrastructure as code. A Heat template fails to deploy because it references a resource that Heat cannot find in any catalog. Which file defines available Heat resource types?
Heat loads resource types from installed plugins. If a resource cannot be found, it indicates the required plugin package is missing. This is determined at runtime, not through static configuration files.
Your Ironic bare metal provisioning is failing with 'Failed to clean node.' Which Ironic conductor configuration is most likely the cause?
Bare metal node cleaning requires a valid network where the node can boot and access cleaning tools. If cleaning_network_uuid is not configured or invalid, the cleaning operation will fail.
A Keystone token has expired and the user receives a 401 Unauthorized response. Which Keystone configuration parameter controls how long tokens remain valid before expiration?
The token_expiration parameter in keystone.conf specifies the default validity duration for tokens in seconds, typically 3600 seconds (1 hour) by default. This applies across token types unless overridden.
You've reviewed all 60 questions. Take the interactive practice exam to simulate the real test environment.
▶ Start Practice Exam — Free