DevOps · K8s · Volleyball · Travel  •  DevOps · K8s · Volleyball · Travel  •  DevOps · K8s · Volleyball · Travel
Explore NY Stream

Red Hat Exam Test

— ny_wk

Red Hat Exam Test

Red Hat certification is earned at a keyboard, not on an answer sheet. The RHCSA (EX200) and RHCE (EX294) are fully hands-on, performance-based exams: you sit at a live Red Hat Enterprise Linux system and actually build the configuration the tasks describe, then an automated grader checks whether it works. There are no multiple-choice questions, no essays, and no partial credit for "knowing the theory."

This guide breaks down what the exams test on current RHEL versions, the real commands and skills you need, how to practice efficiently, and a set of representative practice tasks with fully explained solutions so you can train the way you will be graded.

What the RHCSA and RHCE exams actually are

The two core credentials sit in sequence. RHCSA (Red Hat Certified System Administrator, exam EX200) proves you can run a single RHEL server day to day. RHCE (Red Hat Certified Engineer, exam EX294) builds on it and, on modern RHEL, is entirely about automation with Ansible. You must already hold a current RHCSA to be credited with the RHCE.

  • Performance-based, not multiple choice. Every task is "make the system do X." The grader logs in afterward and tests the result.
  • Closed environment. No internet, no notes. You get the man pages, /usr/share/doc, and the tools installed on the system. Learning to use man fast is itself an exam skill.
  • Duration. Both exams run roughly 2.5 to 3 hours. Budget time per task and never get stuck on one item.
  • Passing score. 210 out of 300 (70%) is the published bar for both EX200 and EX294.
  • Reboot-safe. Graders typically reboot your machine before scoring. Anything that does not survive a reboot (an unmounted filesystem, a service that was started but not enabled) earns zero. Persistence is everything.

The exams are versioned to a RHEL release (RHEL 8 and RHEL 9 era at the time of writing). That matters because the tooling changed dramatically from the old RHEL 6 days: systemctl replaced service and chkconfig, firewalld and nftables replaced raw iptables, nmcli replaced interactive network setup, dnf replaced yum, and containers are now rootless Podman rather than Docker. Study to the current objectives, not to decade-old dumps.

Current RHCSA objective domains

Red Hat publishes the objective list per exam version. The RHCSA domains cluster into a handful of areas you should be able to do without hesitation:

DomainRepresentative skills
Tools & shellSSH, tar/gzip, redirection, grep and regex, find files, edit with vim
Operate running systemsboot to targets, interrupt boot, reset root password, systemctl, journalctl, schedule jobs
Local storagepartitions (MBR/GPT), swap, LVM physical volumes / volume groups / logical volumes
Filesystemscreate/mount XFS and ext4, persistent /etc/fstab mounts, extend logical volumes, NFS/autofs mounts
Deploy & maintaininstall packages with dnf, manage repos, set the default boot target, network with nmcli, time sync
Users & groupscreate/modify accounts, passwords and aging, sudo, group membership
Securityfile permissions, ACLs, firewalld, key-based SSH, and managing SELinux (modes, contexts, booleans)
Containersfind/run/manage images with Podman, run a container rootless, persistent storage, run a container as a systemd service

The RHCE (EX294) objectives are a different shape: install and configure Ansible, write playbooks, use variables and facts, templates with Jinja2, conditionals and loops, roles and Ansible Galaxy/collections, the Vault for secrets, and task delegation. If RHCSA is "do it by hand," RHCE is "make Ansible do it for a fleet."

Core RHCSA skills with the real, current commands

Users, groups, and sudo

Account work is the most predictable scoring on the exam. Know these cold:

  • Create a group: groupadd sysadmin
  • Create a user with a supplementary group and no login shell: useradd -G sysadmin -s /sbin/nologin harry
  • Set a password non-interactively: echo 'Str0ngP@ss' | passwd --stdin sarah (RHEL 8); on RHEL 9 prefer passwd sarah or chpasswd.
  • Add a user to a secondary group without wiping existing groups: usermod -aG manager natasha — the -a is critical.
  • Password aging: chage -M 60 -m 2 -W 7 sarah.
  • Grant sudo: drop a file in /etc/sudoers.d/, e.g. %sysadmin ALL=(ALL) ALL.

Permissions, ACLs, and SELinux

Three layers of access control, and the exam tests all three.

  • Standard permissions and special bits. A shared collaboration directory needs group write plus the setgid bit so new files inherit the group: chgrp manager /home/manager && chmod 2770 /home/manager. The leading 2 is setgid.
  • POSIX ACLs. Grant a single user read/write without touching the group: setfacl -m u:sarah:rw /var/tmp/fstab, deny another user entirely with setfacl -m u:natasha:0 /var/tmp/fstab, and verify with getfacl. Note that cp -p preserves ACLs.
  • SELinux. Set enforcing persistently in /etc/selinux/config (SELINUX=enforcing) or live with setenforce 1; check with getenforce. Fix a mislabeled web file with restorecon -Rv /var/www, set a custom context permanently with semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" then restorecon, and flip a boolean persistently with setsebool -P httpd_enable_homedirs on. Use ausearch / sealert to read denials.

Storage and LVM

LVM tasks appear on essentially every exam. The classic flow to create a logical volume and mount it persistently:

  • Create the physical volume: pvcreate /dev/vdb1
  • Create the volume group with a specific extent size: vgcreate -s 8M devgroup /dev/vdb1
  • Create a logical volume by extent count: lvcreate -l 100 -n wshare devgroup (100 extents x 8 MB = 800 MB). Use -L 500M when given a size instead.
  • Make a filesystem: mkfs.xfs /dev/devgroup/wshare (or mkfs.vfat / mkfs.ext4 if the task names one).
  • Persist it in /etc/fstab by UUID (find it with blkid), then systemctl daemon-reload && mount -a and confirm with df -h. Always test mount -a before you move on — a typo in fstab that blocks boot is a fast way to fail.
  • Extend a logical volume and grow the filesystem in one step: lvextend -r -L +200M /dev/devgroup/wshare (the -r resizes the filesystem too; for XFS the grow is xfs_growfs, for ext4 resize2fs).
  • Swap: create a partition or LV, then mkswap, add a swap line to fstab by UUID, and swapon -a. Never delete existing swap unless told to.

systemd services and scheduling

  • Enable and start in one command (and make it reboot-safe): systemctl enable --now httpd.
  • Check status and follow logs: systemctl status httpd, journalctl -u httpd.
  • Set the default boot target: systemctl set-default multi-user.target.
  • User cron job: crontab -e -u sarah then a line like 23 14 * * * /bin/echo "hyer" for 14:23 daily. System-wide one-offs can use systemd timers, but cron is simplest for "user X runs Y at time Z."

Networking, time, and firewalld

  • Static IP with NetworkManager: nmcli con mod "System eth0" ipv4.addresses 192.168.0.10/24 ipv4.gateway 192.168.0.254 ipv4.dns 192.168.0.254 ipv4.method manual then nmcli con up "System eth0". Set the hostname with hostnamectl set-hostname server.example.com.
  • Time sync is handled by chronyd: edit /etc/chrony.conf to point at the time server, then systemctl enable --now chronyd and verify with chronyc sources.
  • firewalld is the exam firewall, not iptables. Open a service permanently: firewall-cmd --permanent --add-service=http then firewall-cmd --reload. Use --add-port=8080/tcp for arbitrary ports, and rich rules to allow a single source network. The --permanent flag is what survives a reboot.
  • Restrict SSH by source network with a firewalld rich rule rather than the legacy /etc/hosts.deny, e.g. firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept'.

Containers with Podman

Containers are an RHCSA objective on current RHEL, and the toolchain is Podman, not Docker. Expect to:

  • Search and pull images: podman search registry.access.redhat.com/ubi9, podman pull.
  • Run a rootless container as a regular user, mapping a host directory for persistent storage: podman run -d --name web -p 8080:80 -v /opt/webdata:/var/www/html:Z registry.access.redhat.com/ubi9/httpd-24 — the :Z applies the correct SELinux label.
  • Make the container start at boot as a systemd service. On current RHEL this is a Quadlet: write a .container unit under ~/.config/containers/systemd/, run systemctl --user daemon-reload, then systemctl --user enable --now. (Older RHEL 8 used podman generate systemd; know which your exam version expects.)
  • Enable user services to run without a login session: loginctl enable-linger username.

A smart study and practice strategy

The single biggest predictor of passing is hours of hands-on practice in a real RHEL VM, not how many PDFs you read. Build the muscle memory the grader rewards.

  • Build a lab. Run RHEL (free via the Red Hat Developer subscription), or AlmaLinux/Rocky Linux as near-identical stand-ins, in two or three VMs so you can practice NFS, SSH restrictions, and Ansible across machines.
  • Time yourself. Do a full mock under a 2.5-hour clock. Skip anything that stalls you and circle back — leaving points on easy tasks because you over-invested in a hard one is the classic failure mode.
  • Always make it persistent. After every task, ask: "Will this survive a reboot?" Actually reboot the VM mid-practice and re-verify. systemctl enable, fstab entries, and --permanent firewalld rules are where points quietly vanish.
  • Live in the man pages. You will not have Google. Practice finding setfacl examples, firewalld.richlanguage, and semanage-fcontext from man and /usr/share/doc alone.
  • Verify with the system's own tools: getfacl, getenforce, systemctl is-enabled, df -h, id user, firewall-cmd --list-all. If you can prove it works, the grader will too.
  • For RHCE, automate everything you learned for RHCSA. Re-do user creation, package install, services, and firewall rules as Ansible playbooks until idempotent runs report no changes.

Representative practice tasks with explained solutions

These mirror the style of real exam items. Build them in a lab, then reboot and confirm they hold.

Task 1 — Create and persistently mount an LVM volume

Create a logical volume wshare of 800 MB in volume group devgroup (8 MB extents) and mount it on /mnt/secret as XFS.

  • pvcreate /dev/vdb1 then vgcreate -s 8M devgroup /dev/vdb1
  • lvcreate -l 100 -n wshare devgroup (100 x 8 MB = 800 MB) then mkfs.xfs /dev/devgroup/wshare
  • mkdir /mnt/secret, get the UUID with blkid, add a line to /etc/fstab: UUID=... /mnt/secret xfs defaults 0 0
  • systemctl daemon-reload && mount -a && df -h to confirm.

Why: using extent count matches the wording, XFS is the RHEL default, and the fstab + mount -a step is what makes it reboot-safe — the only version that scores.

Task 2 — Shared group directory with inherited ownership

Members of manager get full access to /home/manager; others get none; new files inherit the manager group.

  • mkdir /home/manager && chgrp manager /home/manager
  • chmod 2770 /home/manager

Why: 2770 means rwx for owner and group, nothing for others, and the leading 2 is setgid, so every file created inside automatically belongs to the manager group. Root always retains access regardless.

Task 3 — ACLs on a copied file

Copy /etc/fstab to /var/tmp. Sarah can read/write it, Natasha can do neither, others can read it, and it is not executable by others.

  • cp /etc/fstab /var/tmp/
  • setfacl -m u:sarah:rw /var/tmp/fstab
  • setfacl -m u:natasha:0 /var/tmp/fstab
  • Verify: getfacl /var/tmp/fstab

Why: ACLs grant per-user rights without changing ownership. A plain cp already gives root:root ownership and standard read-for-others; the explicit ACLs handle the two named users.

Task 4 — Restrict SSH to one network with firewalld

Allow SSH only from the 192.168.0.0/24 network; block it from elsewhere.

  • firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" accept'
  • Remove the broad ssh allow if present: firewall-cmd --permanent --remove-service=ssh
  • firewall-cmd --reload then firewall-cmd --list-all

Why: the modern, supported approach is firewalld rich rules. Editing /etc/hosts.deny (the old RHEL 6 answer) relies on TCP wrappers, which were removed from OpenSSH on current RHEL and will not score.

Task 5 — Run a rootless container as a boot-persistent service

Run an httpd container as user web, serving content from /home/web/site, and have it start automatically at boot.

  • As web: podman run -d --name mysite -p 8080:80 -v /home/web/site:/var/www/html:Z registry.access.redhat.com/ubi9/httpd-24
  • Create a Quadlet unit at ~/.config/containers/systemd/mysite.container, then systemctl --user daemon-reload && systemctl --user enable --now mysite
  • As root: loginctl enable-linger web so the user service runs without an active login.

Why: :Z sets the SELinux label so the container can read the volume, and linger plus a user systemd unit is what makes a rootless container survive a reboot.

Task 6 — Search a file and save matching lines

Copy every line containing strator from /usr/share/dict/words into /root/lists.txt.

  • grep 'strator' /usr/share/dict/words > /root/lists.txt

Why: simple but exact — the grader checks the precise lines. Watch redirection (> overwrites) and confirm with cat. Tasks like "find files owned by a user and copy them" follow the same pattern: find / -user dax 2>/dev/null -exec cp -a {} /root/found/ \;.

Key Takeaways

  • The exams are 100% hands-on. You build working configurations on a live RHEL system; an automated grader verifies results, with a 70% (210/300) pass bar.
  • Persistence wins points. Graders reboot before scoring, so always systemctl enable --now, mount via /etc/fstab, and use --permanent firewalld rules.
  • Use current tooling: systemctl, nmcli, firewalld, dnf, chronyd, SELinux semanage/restorecon, and rootless podman — not the retired RHEL 6 commands.
  • RHCSA is do-it-by-hand; RHCE is automate-it-with-Ansible. You need a valid RHCSA to be credited the RHCE.
  • Practice in real VMs under a timer, verify with the system's own tools, and learn to work from man pages because the exam has no internet.

Frequently Asked Questions

Are the RHCSA and RHCE exams multiple choice?

No. Both are entirely performance-based. You are given tasks and a live RHEL system, and you must actually configure it so the requirements are met. The grading is automated and checks whether your configuration works, so memorizing answers does not help — you have to be able to do the work.

Which RHEL version should I study for?

Study to the version your exam is offered on, currently the RHEL 8 / RHEL 9 generation. The tooling differs meaningfully from older releases, so avoid RHEL 6-era "dumps" with commands like service, chkconfig, and raw iptables. Use systemctl, firewalld, nmcli, dnf, and podman instead.

Do I need RHCSA before RHCE?

Yes. You must hold a current RHCSA to earn the RHCE credential. Even though they are separate exams, the RHCE is only credited to people with an active RHCSA, and the RHCE (EX294) focuses on Ansible automation built on top of RHCSA skills.

What is the most common reason people fail?

Configurations that work in the moment but do not survive a reboot. Forgetting to enable a service, leaving a mount out of /etc/fstab, or using a non-permanent firewall rule all score zero once the grader reboots. Always reboot your practice VM and re-verify before considering a task done.

Want more Linux and sysadmin walkthroughs? Subscribe on YouTube: @explorenystream.