RHCE

56 cards — 🟢 19 easy | 🟡 24 medium | 🔴 7 hard

🟢 Easy (19)

1. How do you install Ansible on a RHEL 9 control node?

Show answer sudo dnf install ansible-core
Verify with: ansible --version

Example: systemctl enable --now httpd starts httpd immediately AND sets it to start on boot.

Remember: "enable = boot, start = now, enable --now = both."

2. What are the requirements for an Ansible managed node?

Show answer 1. Python 3 installed
2. SSH access from the control node
3. A user with sudo privileges (for become)
4. SSH key-based authentication (recommended)

Example: nmcli con mod eth0 ipv4.addresses 192.168.1.10/24 ipv4.gateway 192.168.1.1 ipv4.method manual && nmcli con up eth0

Remember: "nmcli = NetworkManager CLI. con mod = modify, con up = activate."

3. How do you define host groups and nested groups in an INI inventory?

Show answer [webservers]
web1.example.com
web2.example.com

[dbservers]
db1.example.com

[datacenter:children]
webservers
dbservers

Remember: "firewalld uses zones." Default zone is public. Common commands: firewall-cmd --add-service=http --permanent && firewall-cmd --reload.

Example: firewall-cmd --list-all shows current zone rules.

4. What is the syntax for running an Ansible ad hoc command?

Show answer ansible <host-pattern> -m <module> -a "<arguments>"
Example: ansible all -m ping
Example: ansible webservers -m dnf -a "name=httpd state=present" --become

Remember: "RHEL 8+ uses dnf (replaces yum)." Key commands: dnf install, dnf update, dnf module list.

Example: dnf module enable php:8.1 && dnf install php selects the PHP 8.1 stream.

5. What are the key components of an Ansible playbook?

Show answer A playbook is a YAML file containing one or more plays. Each play has:
- name: description
- hosts: target pattern
- become: privilege escalation
- vars/vars_files: variables
- tasks: ordered list of module calls
- handlers: triggered by notify

6. How do you create and use an Ansible Vault encrypted file?

Show answer Create: ansible-vault create secrets.yml
Encrypt existing: ansible-vault encrypt vars/passwords.yml
Edit: ansible-vault edit secrets.yml
View: ansible-vault view secrets.yml
Use at runtime: ansible-playbook site.yml --ask-vault-pass
Or: ansible-playbook site.yml --vault-password-file .vault_pass

7. How do you access Ansible facts and what do they contain?

Show answer Facts are gathered automatically via the setup module.
Access: ansible_facts['distribution'], ansible_default_ipv4.address
Gather manually: ansible host -m setup
Filter: ansible host -m setup -a "filter=ansible_distribution*"
Disable: gather_facts: false in the play
Custom facts: place .fact files in /etc/ansible/facts.d/ → ansible_local.*

8. How do you deploy a Jinja2 template with Ansible?

Show answer
- ansible.builtin.template:
    src: templates/httpd.conf.j2
    dest: /etc/httpd/conf/httpd.conf
    owner: root
    group: root
    mode: '0644'
    validate: httpd -t -f %s
  notify: Restart httpd

Example: ansible-playbook site.yml --limit webservers runs only against the webservers group.

Remember: "Ansible is agentless — it uses SSH. No daemon needed on managed hosts."

9. How do you scaffold a new Ansible role?

Show answer ansible-galaxy role init <role_name>
This creates the full directory structure under roles/<role_name>/ with defaults/, tasks/, handlers/, templates/, files/, vars/, meta/ directories and main.yml files.

Remember: "journalctl -xe = recent errors with explanation." -u filters by unit, -f follows live, --since/--until filter by time.

Example: journalctl -u nginx --since "1 hour ago" shows recent nginx logs.

10. How do you use ansible-doc to find module documentation?

Show answer ansible-doc ansible.builtin.dnf — full module docs
ansible-doc -s ansible.builtin.user — short/snippet form
ansible-doc -l — list all modules
ansible-doc -l | grep firewall — search modules
ansible-doc -t callback -l — list plugins by type
Critical on exam: no internet access, ansible-doc is your only reference.

11. How do you manage packages with the ansible.builtin.dnf module?

Show answer Install: state: present
Remove: state: absent
Update: state: latest
Specific version: name: httpd-2.4.51
Package group: name: "@Development Tools"
Module stream: name: "@postgresql:15/server"
Multiple: pass a list to name:

Remember: "autofs = automount on access, unmount on idle." It reduces NFS load by only mounting when directories are accessed.

Example: /etc/auto.master defines mount points; /etc/auto.misc defines the actual mounts.

12. How do you manage services with Ansible?

Show answer
ansible.builtin.service:
  name: httpd
  state: started/stopped/restarted/reloaded
  enabled: true/false
Common pattern: state: started + enabled: true to ensure service is running and persists across reboots.

13. What is the difference between the copy and template modules?

Show answer copy: deploys static files as-is from files/ directory
template: processes Jinja2 templates from templates/ directory, substituting variables
Both support: owner, group, mode, backup
template supports: validate (run a command to check syntax before deploying)

14. How do you manage cron jobs with Ansible?

Show answer
ansible.builtin.cron:
  name: "Backup database"
  minute: "0"
  hour: "2"
  job: "/usr/local/bin/backup.sh"
  user: root
Special time: special_time: daily/weekly/monthly/yearly/reboot
Remove: state: absent

Remember: "podman = docker without daemon." It runs rootless containers by default, uses the same CLI as Docker.

Example: podman run -d -p 8080:80 nginx — same syntax as docker run.

15. What do --check and --diff do in ansible-playbook?

Show answer --check: dry run mode, shows what WOULD change without making changes
--diff: shows file content differences (like diff output)
Combine both: ansible-playbook site.yml --check --diff
Also: --syntax-check validates YAML syntax
--list-tasks shows all tasks without running
--list-tags shows all available tags

16. How do you change the password on a vault-encrypted file?

Show answer `ansible-vault rekey secrets.yml` prompts for the old password and then the new password to re-encrypt the file. With vault IDs: `ansible-vault rekey --vault-id dev@prompt secrets.yml`. This is essential when rotating credentials or when a team member with vault access leaves.
Gotcha: rekey does not change the file contents, only the encryption key protecting them.

17. How does privilege escalation work in Ansible?

Show answer Set in ansible.cfg or per-play/per-task:
become: true
become_method: sudo
become_user: root
become_ask_pass: false
Precedence: task > play > ansible.cfg
The remote user needs passwordless sudo (sudoers.d entry).

Gotcha: The RHCE exam expects you to use Ansible for automation tasks. Know playbook structure, handlers, templates, and roles.

Remember: "Playbook = YAML, Play = host group + tasks, Task = module + args."

18. What can the ansible.builtin.file module do?

Show answer Create directory: state: directory
Create symlink: state: link, src: target
Delete: state: absent
Set permissions: owner, group, mode
Touch: state: touch
Recursive ownership: recurse: true

19. What are the top exam day tips for the RHCE (EX294)?

Show answer 1. Use ansible-doc extensively (no internet)
2. Always use FQCN for module names
3. Test with --syntax-check then --check --diff
4. Playbooks must be idempotent (second run = 0 changes)
5. Set both permanent: true and immediate: true for firewall rules
6. After sefcontext, always restorecon
7. Note the vault password immediately
8. Run playbooks twice to verify idempotency
9. Use handlers for service restarts after config changes
10. Extra vars (-e) always override everything

🟡 Medium (24)

1. What is the precedence order for ansible.cfg files (highest to lowest)?

Show answer 1. ANSIBLE_CONFIG environment variable
2. ./ansible.cfg (current directory)
3. ~/.ansible.cfg (home directory)
4. /etc/ansible/ansible.cfg (system-wide)

Remember: "RHCE = Red Hat Certified Engineer." It builds on RHCSA with advanced system administration, automation, and Ansible.

Fun fact: RHCE is a performance-based exam — no multiple choice, you must actually configure systems.

2. How do you define a YAML-format inventory with groups and variables?

Show answer
all:
  children:
    webservers:
      hosts:
        web1.example.com:
        web2.example.com:
      vars:
        http_port: 80
    dbservers:
      hosts:
        db1.example.com:

Example: timedatectl set-timezone America/New_York && chronyc tracking shows sync status.

Remember: "chrony replaced ntpd in RHEL 7+." It syncs faster and handles intermittent connectivity better.

3. What is FQCN and why should you always use it in playbooks?

Show answer FQCN = Fully Qualified Collection Name. Format: namespace.collection.module (e.g., ansible.builtin.copy, ansible.posix.firewalld). Required to avoid ambiguity when multiple collections provide modules with the same name. Always use FQCN on the exam.

Gotcha: The RHCE exam is time-limited — practice speed. Know how to use man pages quickly (man -k keyword).

Remember: "man -k = apropos = search manual page descriptions."

4. When do Ansible handlers run, and how do you trigger them?

Show answer Handlers run at the end of a play, only when notified by a task that reported "changed". Trigger with:
notify: Handler Name
Flush mid-play with:
ansible.builtin.meta: flush_handlers
Handlers run only once even if notified multiple times.

5. How do you use tags to selectively run tasks in a playbook?

Show answer Add tags to tasks:
tags: [install, packages]
Run tagged tasks: ansible-playbook site.yml --tags "install"
Skip tagged tasks: ansible-playbook site.yml --skip-tags "configure"
Special tags: 'always' (always runs), 'never' (skipped unless explicitly tagged)

6. How do you use the 'when' conditional in Ansible tasks?

Show answer when: ansible_facts['os_family'] == "RedHat"
Multiple conditions (AND): list items under when:
when:
  - condition1
  - condition2
OR condition: when: "'web' in group_names or 'proxy' in group_names"
Check defined: when: my_var is defined

7. How do you iterate over items in Ansible using loops?

Show answer Simple loop:
loop:
  - httpd
  - php
Dict loop:
loop:
  - { name: alice, group: devs }
  - { name: bob, group: admins }
Access with {{ item }} or {{ item.name }}
For packages, prefer passing a list directly to the name parameter instead of looping.

8. What does loop_control provide in Ansible?

Show answer loop_control options:
- label: "{{ item.name }}" — cleaner output (hides full dict)
- index_var: idx — exposes loop index
- pause: 3 — seconds between iterations
- extended: true — adds ansible_loop.* vars (first, last, length, etc.)

9. How do you encrypt a single variable value with Ansible Vault?

Show answer ansible-vault encrypt_string 'SuperSecret123' --name 'db_password'
Output is a !vault tagged YAML value you paste into your vars file.
The rest of the vars file remains readable — only that value is encrypted.

10. How do you capture and use the output of a task in Ansible?

Show answer Use register:
- ansible.builtin.command: cat /etc/hostname
  register: hostname_output
  changed_when: false

- ansible.builtin.debug:
    var: hostname_output.stdout

Common attributes: .stdout, .stderr, .rc, .changed, .failed, .stat.exists

Remember: "at = one-time, cron = recurring." at runs a command once at a specified time.

Example: echo "reboot" | at 02:00 schedules a reboot at 2 AM.

11. What are Ansible's key magic variables?

Show answer hostvars — all variables for all hosts
groups — dict of all groups and their hosts
group_names — groups the current host belongs to
inventory_hostname — current host's name from inventory
ansible_play_hosts — active hosts in current play
ansible_check_mode — true if in check mode

12. What are the key Jinja2 syntax elements used in Ansible templates?

Show answer {{ variable }} — variable substitution
{% if condition %} ... {% endif %} — conditional
{% for item in list %} ... {% endfor %} — loop
{# comment #} — comment
{{ var | default('fallback') }} — filter
{{ var | upper }} — string filter
{{ list | join(', ') }} — join filter

13. What is the directory structure of an Ansible role?

Show answer
roles/rolename/
  defaults/main.yml — default variables (lowest precedence)
  vars/main.yml — role variables (high precedence)
  tasks/main.yml — main task list
  handlers/main.yml — handler definitions
  templates/ — Jinja2 templates
  files/ — static files
  meta/main.yml — metadata and dependencies

14. How do you install roles and collections from a requirements file?

Show answer Create requirements.yml:
roles:
  - name: geerlingguy.apache
    version: "3.2.0"
collections:
  - name: ansible.posix
  - name: community.general

Install: ansible-galaxy install -r requirements.yml
Collections: ansible-galaxy collection install -r requirements.yml

15. How do you control parallelism in Ansible?

Show answer forks (ansible.cfg): number of parallel host connections (default 5)
serial: run on N hosts at a time (rolling updates)
  serial: 2 or serial: "25%"
  Stepped: serial: [1, 5, "100%"]
async/poll: fire-and-forget long tasks
  async: 3600, poll: 0
throttle: limit concurrent task execution
  throttle: 2

16. What are the key Ansible collections needed for the RHCE exam?

Show answer ansible.builtin — core modules (dnf, copy, service, template, file, user, group, command, shell, debug, etc.)
ansible.posix — SELinux, firewalld, mount, authorized_key, cron, sysctl
community.general — nmcli, parted, lvg, lvol, filesystem, sefcontext, seport, timezone

17. How do you create users with the ansible.builtin.user module?

Show answer
ansible.builtin.user:
  name: jdoe
  uid: 2001
  group: developers
  groups: wheel
  append: true
  shell: /bin/bash
  password: "{{ 'P@ss' | password_hash('sha512') }}"
  state: present
Remove with state: absent, remove: true

18. How do you manage firewall rules with Ansible?

Show answer
ansible.posix.firewalld:
  service: http  # or port: 8080/tcp
  permanent: true
  immediate: true
  state: enabled
Always set BOTH permanent (survives reboot) and immediate (applies now). Forgetting permanent means rules vanish on reboot.

19. What is the difference between lineinfile and blockinfile?

Show answer lineinfile: manages a single line (uses regexp to find and replace)
  Great for: changing one setting in a config file
blockinfile: manages a multi-line block between markers
  Uses: marker: "# {mark} ANSIBLE MANAGED BLOCK"
  Great for: adding a block of config (e.g., hosts entries)
Both support backup: true for safety.

20. What does idempotency mean in Ansible and why does it matter?

Show answer Idempotent = running the playbook multiple times produces the same result. Second run should show zero changes. The exam expects idempotent playbooks.
Common violations: command/shell without changed_when, using 'latest' state when not needed.
Fix: use changed_when: false for read-only commands, prefer state: present over state: latest.

21. How do host_vars and group_vars directories work?

Show answer Create directories alongside inventory:
inventory/
  hosts
  host_vars/
    web1.example.com.yml
  group_vars/
    all.yml
    webservers.yml
Files are automatically loaded. host_vars override group_vars. Child group vars override parent group vars.

22. How do you perform rolling updates with Ansible?

Show answer Use serial in the play:
- hosts: webservers
  serial: 2  # 2 hosts at a time
Percentage: serial: "25%"
Stepped: serial: [1, 5, "100%"] — first 1 host (canary), then 5, then the rest.
Combine with max_fail_percentage to abort if too many hosts fail.

23. What is the difference between command and shell modules?

Show answer command: runs a command directly (no shell). No pipes, redirects, env vars, or glob expansion. Safer (no injection risk).
shell: runs through /bin/sh. Supports pipes, redirects, env vars, globs.
Rule: use command by default, shell only when you need shell features.
Both need changed_when for idempotency.

24. How do you download and extract files with Ansible?

Show answer Download:
ansible.builtin.get_url:
  url: https://example.com/file.tar.gz
  dest: /tmp/file.tar.gz
  checksum: sha256:abc123

Extract:
ansible.builtin.unarchive:
  src: /tmp/file.tar.gz
  dest: /opt/app/
  remote_src: true
Note: remote_src: true means the archive is already on the managed node.

🔴 Hard (7)

1. How do you implement try/catch/finally error handling in Ansible?

Show answer Use block/rescue/always:
block:
  - name: Risky task
    ...
rescue:
  - name: Runs if block fails
    ...
always:
  - name: Always runs
    ...
Also available: ignore_errors: true, failed_when, changed_when

Remember: "LVM layers: PV → VG → LV." Physical Volume → Volume Group → Logical Volume.

Example: pvcreate /dev/sdb && vgcreate myvg /dev/sdb && lvcreate -L 10G -n mylv myvg

2. What is Ansible's variable precedence from lowest to highest?

Show answer Lowest to highest:
1. Role defaults
2. Inventory group_vars/all
3. Inventory group_vars/
4. Inventory host_vars/
5. Play vars_files
6. Play vars
7. Task vars
8. set_fact / registered vars
9. Role vars
10. Extra vars (-e) — ALWAYS WIN

Remember: "tuned = performance profiles." tuned-adm profile throughput-performance for maximum throughput.

Example: tuned-adm list shows available profiles; tuned-adm active shows the current one.

3. What Ansible modules are used for SELinux management?

Show answer ansible.posix.selinux — set enforcing/permissive/disabled
ansible.posix.seboolean — set SELinux booleans (e.g., httpd_can_network_connect)
community.general.sefcontext — set file context rules
community.general.seport — set port labels
After sefcontext, always run restorecon to apply to existing files.

4. How do you automate LVM setup with Ansible?

Show answer 1. community.general.lvg: create VG (vg: datavg, pvs: /dev/sdb)
2. community.general.lvol: create LV (vg: datavg, lv: datalv, size: 5g)
3. community.general.filesystem: create FS (fstype: xfs, dev: /dev/datavg/datalv)
4. ansible.posix.mount: mount (path: /mnt/data, src: /dev/datavg/datalv, fstype: xfs, state: mounted)

5. How do you configure network interfaces with Ansible?

Show answer
community.general.nmcli:
  conn_name: eth0
  ifname: eth0
  type: ethernet
  ip4: 192.168.1.100/24
  gw4: 192.168.1.1
  dns4: [8.8.8.8, 8.8.4.4]
  state: present
Also: ansible.builtin.hostname for setting hostname
ansible.builtin.lineinfile for /etc/hosts entries

6. What is the difference between include_role and import_role?

Show answer import_role: static, parsed at playbook load time. Tags inherited by all tasks. Cannot be used in loops.
include_role: dynamic, parsed at runtime. Tags only on the include task. Can be used in loops and with conditionals.
Simplest approach: use roles: section in the play. Use include_role only when you need conditional or looped role inclusion.

7. How do you run long-running tasks asynchronously in Ansible?

Show answer Fire and forget:
async: 3600  # max seconds
poll: 0  # don't wait
register: long_job

Check later:
ansible.builtin.async_status:
  jid: "{{ long_job.ansible_job_id }}"
register: result
until: result.finished
retries: 60
delay: 10

Remember: "LUKS = Linux Unified Key Setup." It encrypts entire block devices.

Example: cryptsetup luksFormat /dev/sdb1 && cryptsetup open /dev/sdb1 mydata && mkfs.xfs /dev/mapper/mydata