CheatSheet – Ansible


A random collection of commands and playbook features for Ansible.

Setting SSH options

In /etc/ansible/ansible.cfg, SSH settings can be defined.

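[defaults]
# uncomment this to disable SSH key host checking
# (with False, host keys of managed hosts are not verified)
host_key_checking = False
private_key_file = /etc/ansible/ansible.ppk

[ssh_connection]
# ssh arguments to use
# (ForwardAgent=yes makes the control node's SSH agent usable on each managed host)
ssh_args = -o BatchMode=yes -o ForwardAgent=yes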

Problems with -o BatchMode

Ansible gives you the option to pass SSH options such as “BatchMode” on to your Ansible runs. However, I ran into a problem regarding BatchMode and the Ansible --ask-pass (-k) option.

I used the following command to check if LDAP login worked on all hosts.

ansible 'all' -a hostname -u username -k

With ssh_args = -o BatchMode=yes enabled in /etc/ansible/ansible.cfg the command failed. After I removed BatchMode=yes, everything worked.

Fetch configs and store them on Ansible

To back up single files with Ansible, use the following fetch-configs.yml playbook:

# Fetch Configs before rollout
- hosts: "all:!fail"
  remote_user: root
  gather_facts: true
  tasks:
    - name: Fetch config /etc/example.conf
      fetch: src=/etc/example.conf dest=/srv/ansible/archive/fetched/
    - name: Fetch config /etc/another.conf
      fetch: src=/etc/another.conf dest=/srv/ansible/archive/fetched/

# Optional: Push to git repository (/srv/ansible/ must be git repo!)
# For more info, read below about automatically pushing configs to git
# (import_playbook is the play-level way to pull in another playbook)
- import_playbook: ansible_commit.yml

To back up multiple files, use the synchronize module in pull mode.

- hosts: "all:!fail"
  gather_facts: true
  remote_user: root
  tasks:
    - name: Fetch all configs in /root/.ssh/ with ansible sync-module
      synchronize: mode=pull src=/./root/.ssh/ dest=/srv/ansible/archive/fetched/{{ inventory_hostname }}/ rsync_opts=-avR perms=yes

The last part rsync_opts=-arR perms=yes can still be optimised. I think perms and -ar are on by default in Ansible's synchronize module.

FYI, the hosts: all:!fail selects all hosts, except the ones I have added to the group [fail]. These can be hosts that have been known to fail during playbook runs but haven’t been fixed yet.

Automatically commit fetched configs to git

Assuming that you store all your fetched configs in one place on your Ansible server, e.g. /srv/ansible/archive/{{ansible_hostname}}/etc/example.conf, you can use the following autocommit.yml playbook to automatically push changes to your repository.

- hosts: localhost
  remote_user: root
  tasks:
    # Check if commit is necessary
    - name: check if git commit is necessary
      command: git --git-dir=/srv/ansible/.git/ --work-tree=/srv/ansible/ status
      register: git_check

    # Commit Changes in Ansible Directory
    - name: Committing changes on Ansible server
      local_action: shell cd /srv/ansible/ && git add * && git commit -m "Ansible Automated Commit" && git push
      when: "'nothing to commit' not in git_check.stdout"

To execute the playbook, just append it to your other playbooks. This is useful if you have, for example, a webserver.yml playbook that fetches all configs before deploying new changes.

# Webserver playbook
[...] # <- whatever you do in your playbook

# Update & Push Ansible Local Repository
- import_playbook: autocommit.yml
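
The synchronize task above pulls /root/.ssh/ into the same /srv/ansible/ tree that the commit step stages with git add * and pushes, so private keys can end up in the repository. The following is an added example, not part of the original cheat sheet: a Python check that exits non-zero when the archive contains private key material; the function names and the default path argument are assumptions.

```python
"""Guard for the fetched-config archive: refuse to commit private key material."""
import os
import re
import sys

# Header lines of PEM/OpenSSH private keys and PuTTY .ppk key files.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----|PuTTY-User-Key-File-\d+:"
)
MAX_SCAN_BYTES = 64 * 1024  # these headers sit at the start of a key file


def find_private_keys(root):
    """Return sorted paths, relative to root, of files holding a private key."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip repo metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # never follow symlinks or open devices and sockets
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAX_SCAN_BYTES)
            except OSError:
                hits.append(rel + " (unreadable, treated as a hit)")
                continue
            if PRIVATE_KEY_RE.search(head):
                hits.append(rel)
    return sorted(hits)


def main(argv):
    # Assumed default: the archive directory used by the playbooks on this page.
    root = argv[1] if len(argv) > 1 else "/srv/ansible/archive"
    if not os.path.isdir(root):
        print("not a directory: " + root, file=sys.stderr)
        return 2
    hits = find_private_keys(root)
    for rel in hits:
        print("private key material: " + rel, file=sys.stderr)
    return 1 if hits else 0  # non-zero exit stops a chained '&& git add'


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

One way to wire it in is a command task placed before the commit task, so a non-zero exit fails the play before git add runs.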

Deploy time settings with Ansible CLI

sudo ansible 'mygroup' -m shell -a 'echo "Europe/Berlin" |sudo tee /etc/timezone' -u user -K
sudo ansible 'mygroup' -m shell -a 'sudo cp -f /usr/share/zoneinfo/Europe/Berlin /etc/localtime' -u user -K
sudo ansible 'mygroup' -m shell -a 'sudo ntpdate-debian' -u user -K