RHCA Labs

Advanced hands-on labs aligned with Red Hat Certified Architect specialist exams. Podman container management, Ansible Vault encryption, and performance tuning with tuned.

These Labs Cover All Major Linux Certifications

LPI Linux Essentials CompTIA Linux+ (XK0-006) LPIC-1 (101 & 102) LPIC-2 (201 & 202) LPIC-3 (300 / 303 / 305 / 306)
RHCSA (EX200) RHCE (EX294) RHCA LFCS LFCE LFCA CKA CKAD CKS

RHCA Labs - Module 8

Podman container management, Ansible Vault encryption, and Linux performance tuning — advanced specialist-level skills.

Lab 22: Podman Container Management
Advanced / Terminal + GUI
Scenario: Deploy and Manage Containers with Podman
You must deploy a web application as a rootless container using Podman. Check Podman info, pull an image, run a container with port mapping, list running containers, inspect the container, then stop and remove it. Podman is the standard container engine on RHEL and is tested on EX188.

Learning Objectives:

RHCA — EX188 Podman
  • Images: Pull container images from a registry
  • Run: Create containers with port mapping and detach
  • Inspect: View container details and networking
  • Lifecycle: Stop, remove, and clean up containers

📋 Step-by-Step Instructions

  1. Step 1: Check Podman Version and Info
    🎯 Goal: Verify Podman is installed

    💻 podman --version

    💻 podman info --format "{{.Host.Os}}"
    💡 Tip: Podman is daemonless and rootless-capable, unlike Docker.
  2. Step 2: Pull a Container Image
    🎯 Goal: Download the httpd image from the registry

    💻 podman pull registry.access.redhat.com/ubi9/httpd-24
    💡 Tip: On RHEL, images come from Red Hat's registry. Use podman images to verify.
  3. Step 3: Run the Container
    🎯 Goal: Start a detached container with port mapping

    💻 podman run -d --name weblab -p 8080:8080 registry.access.redhat.com/ubi9/httpd-24
    💡 Tip: -d detaches, --name sets a friendly name, -p maps host:container ports.
  4. Step 4: List Running Containers
    🎯 Goal: Verify the container is running

    💻 podman ps
    💡 Tip: podman ps -a shows all containers including stopped ones.
  5. Step 5: Inspect the Container
    🎯 Goal: View detailed container configuration

    💻 podman inspect weblab --format "{{.State.Status}}"
    💡 Tip: --format uses Go templates to extract specific fields from the JSON output.
  6. Step 6: Stop and Remove the Container
    🎯 Goal: Clean up the container

    💻 podman stop weblab

    💻 podman rm weblab
    🎓 Checkpoint: You managed a full container lifecycle with Podman — pull, run, inspect, stop, remove.

Linux Terminal

Terminal
Container Dashboard
Image Registry
Activity Log
user@podhost:~$
Container Status
Container NameNone
StateN/A
Port MappingN/A
ImageN/A
Local Images
No images pulled yet.
Recent Activity
[--:--:--]Lab session started. Ready for commands.
Progress: 0/6 tasks completed
Score: 0/100
🎉 After Completing All Steps:

1. Validate configuration to check container lifecycle tasks.
2. Use Container Dashboard and Image Registry for visual inspection.
Tip: Podman commands are intentionally Docker-compatible — most docker commands work with podman.
Lab 23: Ansible Vault & Security
Advanced / Terminal + GUI
Scenario: Manage Secrets with Ansible Vault
Sensitive data like passwords and API keys must be encrypted. You will create a vault-encrypted file, view its contents, write a playbook that uses vault variables, run the playbook with the vault password, edit the vault file, and rekey it with a new password. Vault management is required for RHCE and RHCA automation exams.

Learning Objectives:

RHCA — Ansible Vault
  • Create: Encrypt files with ansible-vault create
  • View: Decrypt and view vault files safely
  • Use: Run playbooks with vault-encrypted variables
  • Rekey: Change the encryption password on vault files

📋 Step-by-Step Instructions

  1. Step 1: Create an Encrypted Vault File
    🎯 Goal: Create a new vault-encrypted variables file

    💻 ansible-vault create /home/ansible/vault/secrets.yml --vault-password-file /home/ansible/.vault_pass
    💡 Tip: Using --vault-password-file avoids interactive prompts. The password file contains the encryption key.
  2. Step 2: View Vault File Contents
    🎯 Goal: Decrypt and display the vault file

    💻 ansible-vault view /home/ansible/vault/secrets.yml --vault-password-file /home/ansible/.vault_pass
    💡 Tip: view decrypts to stdout without modifying the file. Safe for verification.
  3. Step 3: View the Playbook Using Vault Variables
    🎯 Goal: Inspect a playbook that references vault-encrypted data

    💻 cat /home/ansible/deploy_secrets.yml
    💡 Tip: The playbook uses vars_files: to include the encrypted vault file. Variables are used normally.
  4. Step 4: Run Playbook with Vault Password
    🎯 Goal: Execute the playbook, decrypting vault variables at runtime

    💻 ansible-playbook /home/ansible/deploy_secrets.yml -i /home/ansible/inventory --vault-password-file /home/ansible/.vault_pass
    ⚠️ Exam Note: Without the vault password, the playbook will fail with a decryption error.
  5. Step 5: Edit the Vault File
    🎯 Goal: Modify encrypted contents in-place

    💻 ansible-vault edit /home/ansible/vault/secrets.yml --vault-password-file /home/ansible/.vault_pass
    💡 Tip: edit decrypts, opens in $EDITOR, then re-encrypts on save. The file stays encrypted on disk.
  6. Step 6: Rekey the Vault File
    🎯 Goal: Change the encryption password

    💻 ansible-vault rekey /home/ansible/vault/secrets.yml --vault-password-file /home/ansible/.vault_pass --new-vault-password-file /home/ansible/.vault_pass_new
    🎓 Checkpoint: You created, viewed, used, edited, and rekeyed an Ansible Vault file — essential for secure automation.

Ansible Control Node

Terminal
Vault Dashboard
Playbook Viewer
Activity Log
ansible@control:~$
Vault Status
secrets.ymlNot created
ViewedNo
Playbook runNo
EditedNo
RekeyedNo
deploy_secrets.yml
View playbook to populate this panel.
Recent Activity
[--:--:--]Lab session started. Ready for commands.
Progress: 0/6 tasks completed
Score: 0/100
🎉 After Completing All Steps:

1. Validate configuration to check vault operations.
2. Use Vault Dashboard to review encryption status.
Tip: Never commit unencrypted secrets to version control. Always use Vault.
Lab 24: Performance Tuning with tuned
Advanced / Terminal + GUI
Scenario: Optimize Server Performance Profiles
A database server needs its performance profile tuned for throughput. You must check the current tuned profile, list available profiles, switch to a throughput-optimized profile, verify the change, review system metrics, and create a custom tuned profile. Performance tuning is tested on EX442.

Learning Objectives:

RHCA — EX442 Tuning
  • Profiles: List and switch tuned performance profiles
  • Verify: Confirm active profile and compliance
  • Metrics: Review system performance data
  • Custom: Create a custom tuned profile

📋 Step-by-Step Instructions

  1. Step 1: Check Current Tuned Profile
    🎯 Goal: See what profile is active

    💻 tuned-adm active
    💡 Tip: The default is often virtual-guest on VMs or balanced on bare metal.
  2. Step 2: List Available Profiles
    🎯 Goal: See all tuned profiles on the system

    💻 tuned-adm list
    💡 Tip: Common profiles: throughput-performance, latency-performance, virtual-guest, balanced.
  3. Step 3: Apply a Throughput Profile
    🎯 Goal: Switch to throughput-performance for the DB workload

    💻 sudo tuned-adm profile throughput-performance
    ⚠️ Exam Note: Profile changes take effect immediately and persist across reboots.
  4. Step 4: Verify the Active Profile
    🎯 Goal: Confirm the profile changed and check compliance

    💻 tuned-adm active

    💻 tuned-adm verify
    💡 Tip: verify checks if current system settings match the profile. Drift means something changed.
  5. Step 5: Review System Performance Metrics
    🎯 Goal: Check system performance parameters

    💻 cat /proc/sys/vm/swappiness

    💻 cat /proc/sys/vm/dirty_ratio
    💡 Tip: throughput-performance typically sets swappiness=10 and dirty_ratio=40 for better I/O throughput.
  6. Step 6: Recommend Profile and Review
    🎯 Goal: Get tuned's recommendation for this system

    💻 tuned-adm recommend
    🎓 Checkpoint: You checked, listed, applied, verified, and analyzed tuned profiles — essential for EX442.

Linux Terminal

Terminal
Profile Dashboard
System Metrics
Activity Log
root@dbhost:~#
Tuned Profile Status
Active ProfileUnknown
VerifiedNo
RecommendationNot checked
Kernel Parameters
vm.swappinessUnknown
vm.dirty_ratioUnknown
Recent Activity
[--:--:--]Lab session started. Ready for commands.
Progress: 0/6 tasks completed
Score: 0/100
🎉 After Completing All Steps:

1. Validate to check profile changes and metric verification.
2. Use Profile Dashboard and System Metrics for visual review.
Tip: tuned profiles persist across reboots — unlike manual sysctl changes.

Confirm Reset

Are you sure you want to reset this lab? This will:

  • Clear all terminal output
  • Reset all completed tasks
  • Reset container, vault, and tuning simulated configurations
  • Reset progress to 0%

This action cannot be undone!