RHCE — Red Hat Certified Engineer
If you held an RHCE before RHEL 8, the current exam is a different certification in name only. Red Hat redesigned the RHCE (EX294) as a pure Ansible automation exam. The old RHCE covered advanced system administration tasks — firewall clustering, NFS, Kerberos authentication. The current RHCE asks you to automate RHEL administration using Ansible: write playbooks, build roles, manage secrets with Ansible Vault, and configure managed nodes. Your RHCSA covers the "what" of Linux administration; RHCE covers the "how do you automate it at scale."
Exam at a glance
| Detail | Value |
|---|---|
| Provider | Red Hat |
| Exam code | EX294 |
| Full name | Red Hat Certified Engineer (RHCE) |
| Prerequisite | Active RHCSA (required — EX294 cannot be taken without it) |
| RHEL version | RHEL 9 (current) |
| Duration | 240 minutes |
| Question format | Performance-based tasks (no multiple choice) |
| Passing score | 210 / 300 (70%) |
| Exam fee | ~$400–450 USD |
| Validity | 3 years |
| Delivery | In-person at Red Hat testing center or remote proctored |
| Retake policy | No mandatory wait; fee applies per attempt |
What's tested
Red Hat publishes the full EX294 objectives. The graded tasks map to these areas.
Core Ansible concepts. Installing Ansible, configuring ansible.cfg (inventory path, remote user, privilege escalation defaults), understanding ad hoc commands vs playbooks, and the Ansible execution model (control node, managed nodes, SSH-based communication).
Inventory management. Static inventory files (INI and YAML format), inventory variables (host_vars/, group_vars/), dynamic inventory concepts. The exam typically provides a static inventory — your job is to reference it correctly and understand group membership.
Playbooks. Writing well-structured playbooks with multiple plays, tasks, handlers, variables, and when conditions. Using built-in modules: yum/dnf, service, copy, template, file, user, group, command, shell, get_url, uri. Error handling with ignore_errors, failed_when, block/rescue/always.
Variables and facts. Defining variables at multiple levels (inventory, playbook, role), using set_fact, gathering host facts with the setup module, and referencing facts in templates. Variable precedence is a recurring exam topic.
Roles. Creating roles from scratch using ansible-galaxy init, structuring the tasks/, handlers/, vars/, defaults/, templates/, and files/ directories correctly. Installing roles from Ansible Galaxy. Using roles in playbooks — the difference between roles: and include_role.
Ansible Vault. Encrypting files with ansible-vault encrypt, decrypting inline (ansible-vault view), editing encrypted files, using vault in playbooks with --vault-password-file or --ask-vault-pass, and encrypting individual strings with ansible-vault encrypt_string.
Advanced automation. Managing parallelism with serial and forks, using delegate_to for tasks that must run on a specific host, working with loops (loop, with_items), and conditionals based on OS facts.
Common exam traps
become: yes at the wrong level. Privilege escalation in Ansible can be set at three levels: in ansible.cfg (global), at the play level, or at the task level. The exam often describes a scenario where most tasks run as a normal user but one task requires root. Candidates who set become: yes at the play level get it working but fail tasks that should not run as root (file ownership, for example). Setting become: yes only on the specific tasks that need it is the precise answer. This is a low-level detail that experienced Ansible users skip over but the grader does not.
Handlers only run once at the end of a play. If you notify the same handler from three different tasks, the handler runs once after all three tasks complete — not after each task. This is correct behavior, but it trips candidates on exam questions about when a service restart takes effect. If a task later in the same play depends on the service having been restarted, you need meta: flush_handlers to force the handler to run immediately rather than waiting for the play to end.
Variable precedence — the 22-level hierarchy. Ansible's variable precedence is deep. The most common exam trap: a variable defined in group_vars/all is overridden by the same variable defined in host_vars/hostname (host variables win over group variables). Extra vars passed with -e override everything. The exam constructs scenarios where a variable is defined in two places and asks which value wins. Know the hierarchy: extra vars > task vars > block vars > play vars > host facts > host_vars > group_vars > inventory vars > role defaults.
ansible-vault encrypt_string vs encrypting the whole file. When you only need to encrypt a single value (a password in a variables file, for example), ansible-vault encrypt_string is the right tool — it produces an inline encrypted string you embed directly in a YAML file. Encrypting the whole file with ansible-vault encrypt works but makes the file unreadable without decryption, which creates friction in code review and version control. The exam tests whether you can use the right tool for each scope. Forum reports from test-takers consistently note that vault task variants appear on most exam forms.
Role directory structure errors. A role created manually (rather than via ansible-galaxy init) often has missing directories or incorrect names. The exam may give you a partially created role and ask you to complete it. The key directories: tasks/main.yml (required), handlers/main.yml, templates/, files/, vars/main.yml, defaults/main.yml. A common error is putting variable files in vars/ (which has high precedence and should not be overridden by inventory) when defaults/ (low precedence, can be overridden) was the intent. The difference determines whether the role is reusable across environments or hardcoded.
How ARIA prepares you for RHCE
RHCE is a longer exam than RHCSA — 240 minutes versus 150 — and the scope is narrower but deeper. My evaluation focuses on Ansible fluency: can you write a correct playbook from a requirement description? Can you construct a role that handles the edge cases the requirement implies?
The CAT evaluation identifies which parts of Ansible you have used in practice versus which parts you have only read about. Most candidates have used basic playbooks but have gaps in vault, role structure, and variable precedence. The roadmap addresses those gaps with hands-on tasks that mirror the exam format.
For someone with regular Ansible use on RHEL, plan for 4–6 weeks. For someone coming from a non-Red Hat Linux background who is learning Ansible simultaneously, 8–10 weeks is realistic. The RHCSA prerequisite is not just a gate — it ensures you can administer the managed nodes when the Ansible tasks require verifying the end state of the system you automated.
Pass guarantee for RHCE
RHCE qualifies for the ClaudeLab pass guarantee. Prerequisites: active RHCSA plus the standard five readiness conditions. Full conditions here.
Related certifications
RHCSA is a hard prerequisite — Red Hat does not allow you to sit EX294 without it. After RHCE, the track continues to RHCA (Red Hat Certified Architect), which requires a combination of RHCE plus additional specialist exams (OpenShift, Ansible Automation Platform, etc.). For the broader infrastructure automation picture, the Terraform Associate covers infrastructure provisioning (what Ansible orchestrates on top of), and CKA (Certified Kubernetes Administrator) covers orchestration at the container layer. These three together represent the full scope of modern infrastructure automation.
Start your RHCE roadmap
Start your RHCE roadmap with ARIA → claudelab.me
Most people who fail EX294 lose points on vault and role structure — areas that feel straightforward in isolation but have edge cases that only surface when you build them from scratch under time pressure. The evaluation will expose those gaps before the exam does.