Apparently I studied Ansible in 2016 [1], but I completely forgot, so I read Ansible Practical Guide 4th Edition [Basic Edition] again. I'll note down what caught my attention.
Playbook Hierarchy
One Playbook consists of several Plays. A Play consists of four sections: Targets, Vars, Tasks, and Handlers. Targets and Tasks are basic sections, used to specify target hosts and a list of tasks to execute, respectively. Vars and Handlers are auxiliary sections, used to specify variables and execution control (for example, restarting systemd services), respectively.
- Playbook
  - Play:
    - Targets
    - Vars
    - Tasks
    - Handlers
  - Play:
    - Targets
    - Vars
    - Tasks
    - Handlers
  - Play: (and so on)
Testing
Simple tests can be covered with the ansible.builtin.assert module. For complex tests, use Ansible Molecule [2]. It has mechanisms for test environment setup, syntax checking, idempotency checking, etc. Alternatively, using Ansible Spec [3], you can test with Serverspec using Ruby's RSpec.
Ansible Galaxy
You can install roles with ansible-galaxy install geerlingguy.mysql.
They are placed in ~/.ansible/roles or under /usr, /etc.
You can also specify with --roles-path.
Collections are placed in ~/.ansible/collections.
You can manage their list with requirements.txt.
Tuning
It's good to enable fact caching with ansible.cfg or ANSIBLE_CACHE_PLUGIN.

Increasing forks trades off against local node resources and network load, but increases parallelism.

When Ansible executes in parallel, all hosts execute tasks one by one in lockstep. This can be controlled with strategy plugins. For example, with ansible.builtin.free, tasks can progress independently per host. Of course, be careful of dependencies between hosts.
Enabling SSH multiplexing (ControlMaster, ControlPath, ControlPersist) can reduce the overhead of establishing an SSH connection for each task. By the way, with OpenSSH 6.5 or later, multiplexing is enabled by default.
Debugging
You can run static syntax checks with the --check option of the ansible-playbook command. Also, with the --diff option, you can check the diff of the results expanded by file and template.

In addition to the --verbose option, setting ANSIBLE_DEBUG=1 outputs more detailed, developer-oriented messages.

Using the ansible-console -i inventory.ini command, you can interactively execute modules or check the contents of facts.

Setting ANSIBLE_KEEP_REMOTE_FILES=1 keeps the execution script under $HOME/.ansible/tmp on the target node after playbook execution.

Setting debugger: on_failed in a task starts the debugger when that task fails.
Encryption
You can encrypt an entire YAML file with a password using the ansible-vault create command.
Alternatively, you can encrypt only specific values or strings with the ansible-vault encrypt_string command.
Using vault IDs allows more flexible control.
Other
Inventory is easier to use when grouped as follows:

```ini
[jp_web]
sv01
[jp_db]
sv02
[us_web]
sv03
[us_db]
sv04
[db:children]
jp_db
us_db
[jp:children]
jp_web
jp_db
```
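As an added example (not from the book or from Ansible itself), the following Python resolves the `:children` groups of an inventory like the one above, so you can see which hosts a group such as `db` or `jp` actually targets. `parse_ini_inventory`, `resolve_hosts` and `groups_of_host` are my own names, and the parser assumes only plain host sections and `[group:children]` (no host ranges, `:vars` sections or inline host variables).

```python
import re
from collections import defaultdict

# Constructed sample: the grouped inventory from this post, inlined as a string.
INVENTORY = "\n".join([
    "[jp_web]", "sv01", "[jp_db]", "sv02", "[us_web]", "sv03", "[us_db]", "sv04",
    "[db:children]", "jp_db", "us_db", "[jp:children]", "jp_web", "jp_db",
])

SECTION = re.compile(r"^\[([^\]:]+)(?::(children|vars))?\]$")


def parse_ini_inventory(text):
    # Returns (hosts_by_group, children_by_group). Only plain host sections and
    # [group:children] are handled; [group:vars], ranges and inline host vars are
    # out of scope (assumption made for this example).
    hosts, children = defaultdict(list), defaultdict(list)
    group, kind = "ungrouped", None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            group, kind = m.group(1), m.group(2)
        elif kind == "children":
            children[group].append(line)
        elif kind is None:
            hosts[group].append(line.split()[0])  # ignore "host key=value" vars
    return hosts, children


def resolve_hosts(group, hosts, children, seen=None):
    # Every host in `group`, following :children transitively; `seen` guards
    # against cyclic child definitions.
    seen = set() if seen is None else seen
    if group in seen:
        return []
    seen.add(group)
    found = set(hosts.get(group, []))
    for child in children.get(group, []):
        found.update(resolve_hosts(child, hosts, children, seen))
    return sorted(found)


def groups_of_host(host, hosts, children):
    # Every group, direct or inherited, whose resolved membership includes `host`.
    return sorted(g for g in set(hosts) | set(children)
                  if host in resolve_hosts(g, hosts, children))
```

For the sample inventory, `resolve_hosts("db", *parse_ini_inventory(INVENTORY))` gives `['sv02', 'sv04']`, and `groups_of_host("sv02", ...)` gives `['db', 'jp', 'jp_db']`; Ansible's own `ansible-inventory --graph` shows the same hierarchy for a real inventory.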
Best practices are summarized in General tips - Ansible Documentation, so it's worth reading.