LFS457 Advanced OpenStack Practice Exam, Exams of Technology

This exam evaluates advanced expertise in deploying, configuring, and optimizing OpenStack components including Nova, Neutron, Cinder, Keystone, and Horizon. It includes high-availability architecture planning, multi-region deployments, SDN integrations, performance tuning, and advanced troubleshooting scenarios. Realistic lab tasks reinforce deep operational knowledge.

Typology: Exams

2025/2026

Available from 01/12/2026

shilpi-jain-1

LFS457 Advanced OpenStack Practice Exam
Question 1. Which Keystone feature enables isolation of resources for separate business units
within a single OpenStack deployment?
A) Service Catalog
B) Domains
C) Regions
D) Endpoints
Answer: B
Explanation: Domains provide a top-level container for projects, users, and groups, allowing
hierarchical multi-tenancy and resource isolation across business units.
Question 2. In Keystone, what is the purpose of a trust?
A) To delegate a user’s role to another user for a limited time
B) To create a read-only copy of the database
C) To synchronize passwords with LDAP
D) To enable two-factor authentication
Answer: A
Explanation: A trust allows one user (the trustee) to act on behalf of another (the trustor) with a
defined set of roles and an expiration, without sharing long-term credentials.
Question 3. Which authentication protocol does Keystone use to integrate with Microsoft Active
Directory via LDAP?
A) SAML2
B) OpenID Connect
C) Kerberos
D) LDAP
Answer: D
Explanation: Keystone can bind to an LDAP server such as Active Directory for user authentication and group mapping.
Question 4. When configuring Keystone to accept tokens from an external OpenID Connect provider, which service must be enabled?
A) keystone-credential
B) keystone-federation
C) keystone-identity
D) keystone-authorization
Answer: B
Explanation: The keystone-federation service provides the SAML2 and OpenID Connect federation back‑ends.
Question 5. In a complex policy.yaml file, which rule type allows conditional checks based on the request’s HTTP method?
A) role:admin
B) http_method:POST
C) rule:admin_or_owner
D) rule:allowed_http_methods
Answer: D
Explanation: “allowed_http_methods” is a custom rule that can be defined to permit actions only for specified HTTP verbs.
Question 6. Which of the following is the default role that grants full administrative privileges across all projects in Keystone?
A) admin

Question 9. When using SAML2 federation, what XML element in the IdP metadata contains the Single Sign‑On Service URL?
A)
B)
C)
D)
Answer: C
Explanation: The element specifies the endpoint where authentication requests are sent.
Question 10. Which Keystone API version introduced support for domain‑specific service catalogs?
A) v2.
B) v
C) v1.
D) v3.
Answer: B
Explanation: Keystone v3 added domain‑aware service catalogs, allowing different catalogs per domain.
Question 11. In Neutron, what is the primary difference between a provider network and a tenant (project) network?
A) Provider networks are VLAN‑tagged; tenant networks are flat only
B) Provider networks map directly to physical networks; tenant networks are overlay networks managed by Neutron
C) Provider networks support security groups; tenant networks do not
D) Provider networks use DHCP; tenant networks use static IPs only
Answer: B
Explanation: Provider networks expose the underlying physical network to instances, while tenant networks are virtual overlays (VXLAN/VLAN) managed by Neutron.
Question 12. Which Neutron plugin implements Distributed Virtual Routing (DVR) on compute nodes?
A) linuxbridge
B) openvswitch
C) ml
D) router‑agent
Answer: B
Explanation: The Open vSwitch (OVS) agent works with the DVR scheduler to place L3 routing functions on compute nodes.
Question 13. In a DVR deployment, where does the SNAT function reside?
A) Centralized L3 agent only
B) Distributed L3 agents on each compute node hosting instances
C) DHCP agent on the network node
D) Metadata agent on the controller node
Answer: B
Explanation: DVR places SNAT on the compute node where the instance resides, eliminating the need for centralized SNAT.
Question 14. Which Neutron service is responsible for managing floating IP address allocation?

Question 17. In a Neutron HA router configuration, what does the “ha_mode” option set to “shared” indicate?
A) The router’s HA state is stored in a shared database
B) The router’s HA agents run on the same host
C) Multiple routers share the same floating IP pool
D) The router’s HA uses a shared secret for authentication
Answer: A
Explanation: “ha_mode=shared” means the HA state (e.g., router status) is stored in a database shared among the agents, enabling failover.
Question 18. Which of the following technologies can be used with Neutron to achieve near‑line‑rate packet processing for telco workloads?
A) VXLAN tunneling
B) SR‑IOV with vhost‑user
C) GRE tunneling
D) VLAN tagging only
Answer: B
Explanation: SR‑IOV combined with vhost‑user allows direct NIC assignment to VMs, bypassing the Linux kernel for high throughput.
Question 19. DPDK in Neutron is primarily used to improve which part of the networking stack?
A) DHCP lease management
B) Security group rule processing
C) Data‑plane packet forwarding performance
D) Floating IP address translation
Answer: C
Explanation: DPDK (Data Plane Development Kit) accelerates packet I/O in user space, boosting data‑plane throughput.
Question 20. When integrating OpenStack with an external SDN controller like OpenDaylight, which Neutron API extension is typically used?
A) L2 population
B) ML2 mechanism driver
C) QoS policy
D) Port‑binding extension
Answer: B
Explanation: The ML2 mechanism driver allows Neutron to delegate network provisioning to an external SDN controller.
Question 21. In an OpenDaylight‑backed Neutron deployment, what does the “odl_l2” driver manage?
A) L3 routing only
B) DHCP services
C) Layer‑2 network topology (VLAN, VXLAN)
D) Load‑balancing as a service (LBaaS)
Answer: C
Explanation: The “odl_l2” driver handles L2 resources such as networks, subnets, and ports via the OpenDaylight controller.
Question 22. Which Neutron command line tool can be used to list all network namespaces on a compute node?
A) neutron net-show

Question 25. Which Neutron feature allows a tenant to create a network that maps directly to a physical VLAN on the upstream switch?
A) Provider network with “network_type: vlan”
B) Tenant network with “segmentation_id” set to 0
C) Flat network with “physical_network” set to “physnet1”
D) Overlay network with “network_type: vxlan”
Answer: A
Explanation: A provider network with “network_type: vlan” and a specific “segmentation_id” maps to a physical VLAN.
Question 26. In Heat, which resource type is used to launch an instance from an image?
A) OS::Nova::Server
B) OS::Cinder::Volume
C) OS::Neutron::Port
D) OS::Heat::ResourceGroup
Answer: A
Explanation: OS::Nova::Server creates a compute instance (VM) based on an image, flavor, and network settings.
Question 27. How does a nested Heat stack improve template modularity?
A) By allowing a stack to be created inside another stack as a resource
B) By converting HOT to HOT version 2 automatically
C) By enabling simultaneous deployment of multiple regions
D) By providing built‑in auto‑scaling for all resources
Answer: A
Explanation: A nested stack is defined with OS::Heat::Stack, letting you reuse a sub‑template as a resource within a parent template.
Question 28. Which Heat resource type is used to define a group of identical resources that can be scaled horizontally?
A) OS::Heat::AutoScalingGroup
B) OS::Heat::ResourceGroup
C) OS::Heat::ScalingPolicy
D) OS::Heat::LaunchConfiguration
Answer: B
Explanation: OS::Heat::ResourceGroup creates multiple instances of a defined resource, useful for scaling.
Question 29. In Heat, what is the purpose of the “get_param” intrinsic function?
A) To retrieve a value from another stack’s output
B) To fetch a service catalog entry
C) To obtain the value of a template parameter at runtime
D) To generate a random password
Answer: C
Explanation: “get_param” returns the value supplied for a parameter when the stack is launched.
Question 30. Which Heat engine component evaluates alarm conditions from Ceilometer/Aodh to trigger scaling actions?
A) heat-api-cfn
B) heat-engine

Question 33. In Heat, how can you pass a value from a parent stack to a nested stack?
A) Using the “environment” section only
B) By defining “parameters” in the nested stack and supplying them via “properties” in the OS::Heat::Stack resource
C) Through “outputs” of the parent stack only
D) By editing the nested stack’s template file directly on the controller node
Answer: B
Explanation: The parent stack passes values to a nested stack by mapping its parameters to the OS::Heat::Stack resource’s “properties”.
Question 34. Which of the following is a valid Heat resource that creates a load balancer using Octavia?
A) OS::Octavia::LoadBalancer
B) OS::Neutron::LBaaS::LoadBalancer
C) OS::Heat::LoadBalancer
D) OS::Nova::LoadBalancer
Answer: A
Explanation: OS::Octavia::LoadBalancer creates an Octavia load balancer; the older Neutron LBaaS resources are deprecated.
Question 35. What does the “OS::Heat::WaitCondition” resource enable in a template?
A) Automatic rollback on failure
B) Pausing stack creation until a signal is received from an external process
C) Scheduling a cron job on the instance
D) Creating a password‑less SSH key pair
Answer: B
Explanation: WaitCondition allows the stack to wait for a signal (e.g., from cloud‑init) before proceeding, useful for ordering.
Question 36. Which Heat intrinsic function is used to concatenate strings?
A) str_replace
B) join
C) concat
D) merge
Answer: B
Explanation: The “join” function concatenates a list of strings using a delimiter.
Question 37. In a Heat auto‑scaling group, which property defines the minimum number of resource instances to keep?
A) min_size
B) desired_capacity
C) max_size
D) scaling_policy
Answer: A
Explanation: “min_size” sets the lower bound for the number of resources in the group.
Question 38. Which OpenStack service provides the telemetry data that Heat uses for auto‑scaling decisions?
A) Ceilometer (or Aodh for alarming)
B) Cinder
C) Glance
D) Keystone

D) The maximum packet size for replication
Answer: A
Explanation: “wsrep_sst_method” defines how a new node receives a state snapshot (e.g., rsync, xtrabackup) when joining the cluster.
Question 42. Which Pacemaker resource agent is used to manage the HAProxy process in an OpenStack HA deployment?
A) ocf:heartbeat:haproxy
B) systemd:haproxy
C) lsb:haproxy
D) ocf:heartbeat:keepalived
Answer: A
Explanation: The OCF resource agent “ocf:heartbeat:haproxy” controls HAProxy instances within Pacemaker.
Question 43. When configuring RabbitMQ HA for OpenStack, which policy type should be applied to mirror queues across all nodes?
A) federation
B) shovel
C) mirrored
D) quorum
Answer: C
Explanation: A “mirrored” policy replicates queues to all members of the RabbitMQ cluster, providing HA.
Question 44. In a Corosync configuration, what does the “token” value represent?
A) The size of the message buffer
B) The maximum time a node can be silent before being considered failed
C) The encryption key for inter‑node traffic
D) The number of nodes in the quorum
Answer: B
Explanation: The “token” parameter defines the heartbeat interval; if a node doesn’t send a token within this period, it’s marked down.
Question 45. Which OpenStack service is typically placed behind an HAProxy VIP to provide a single endpoint for API traffic?
A) Nova compute service only
B) All core services (Keystone, Nova, Glance, Neutron, Cinder)
C) Only the dashboard (Horizon)
D) Only the message queue (RabbitMQ)
Answer: B
Explanation: HAProxy front‑ends are commonly configured for all core service APIs to provide a unified virtual IP.
Question 46. In Cell V2 architecture, what is the primary role of a “cell conductor”?
A) To schedule instances across cells
B) To manage database synchronization between the API database and cell databases
C) To provide DHCP services for tenant networks
D) To act as a load balancer for API requests
Answer: B
Explanation: The cell conductor synchronizes instance information between the central API database and each cell’s database.

Answer: A
Explanation: “discover_hosts” scans the compute service for hosts and registers them in the cell database.
Question 50. Which of the following is NOT a recommended practice for scaling Nova compute services?
A) Deploying compute nodes in separate availability zones
B) Using libvirt’s “qemu” driver on all nodes regardless of hardware
C) Enabling live migration with shared storage
D) Grouping compute nodes by similar hardware characteristics
Answer: B
Explanation: Using “qemu” (software emulation) on all nodes defeats performance; KVM (hardware acceleration) is preferred for scaling.
Question 51. In OpenStack log analysis, which field is commonly used to correlate a request across Nova, Neutron, and Cinder?
A) request_id
B) timestamp
C) user_id
D) host_name
Answer: A
Explanation: The “request_id” (UUID) is attached to every API call and propagated through service logs, enabling end‑to‑end tracing.
Question 52. Which log file contains the audit trail for Keystone authentication events?
A) /var/log/keystone/keystone.log
B) /var/log/keystone/keystone-audit.log
C) /var/log/auth.log
D) /var/log/keystone/keystone-auth.log
Answer: B
Explanation: Keystone writes detailed audit entries to keystone-audit.log, including login attempts and token issuance.
Question 53. When a Nova instance fails to spawn due to “NoValidHost” error, which log file is most likely to contain the root cause?
A) /var/log/nova/nova-scheduler.log
B) /var/log/nova/nova-compute.log
C) /var/log/nova/nova-conductor.log
D) /var/log/nova/nova-api.log
Answer: A
Explanation: The scheduler decides host placement; “NoValidHost” errors are logged in nova-scheduler.log.
Question 54. Which command can be used to dump the contents of a RabbitMQ queue for debugging message backlog?
A) rabbitmqctl list_queues
B) rabbitmqadmin get queue=name requeue=false count=
C) rabbitmqctl purge_queue name
D) rabbitmq-diagnostics list_queues
Answer: B
Explanation: “rabbitmqadmin get” retrieves messages from a queue without requeuing, useful for inspection.