Ansible one screen interview quick ref
Ansible - one-screen interview quick ref¶
Core model¶
- Control node runs Ansible.
- Managed nodes are targets over SSH/WinRM/SSH-on-Windows.
- Inventory = who to hit.
- Playbook = desired state.
- Module = idempotent unit of work.
- Role = reusable layout for tasks, vars, handlers, templates.
Golden rules¶
- Prefer modules over
shell/command. - Think in desired state, not imperative scripts.
- Chase idempotence: second run should be mostly
ok, notchanged. - Use
templatewhen you own the whole file,lineinfilefor surgical edits,blockinfilefor injected managed blocks. - Use
validatebefore replacing critical configs. - Use handlers for restart/reload only when something changed.
Variable sanity¶
- Lowest-ish practical place: role
defaults. - Stronger override: inventory / group_vars / host_vars / play vars.
- Highest:
-eextra vars. - Interview line: “When behavior is weird, it’s usually precedence, inventory targeting, or an idempotence bug.”
Safe rollout patterns¶
- Use
serialfor rolling changes. - Use
--limitin prod. - Use
--check --diffbefore real runs. - Use
block/rescue/alwaysfor rollback or cleanup logic. - Use
delegate_tofor LB/API/control-plane actions.
Error handling truths¶
ignore_errorsdoes not ignore everything - not syntax, undefined vars, or connection failures.failed_whenandchanged_whenlet you define truth correctly.- Handlers normally wait until end of play;
meta: flush_handlersforces them now.
Check mode truths¶
- Good with many declarative modules.
- Weak with imperative tasks.
commandhas partial support when usingcreates/removes.
Debug / triage¶
ansible all -m ping
ansible-inventory -i inventory --graph
ansible-playbook site.yml --syntax-check
ansible-playbook site.yml --list-hosts --list-tasks --list-tags
ansible-playbook site.yml --check --diff --limit web1 -vvv
ansible host1 -m debug -a "var=hostvars[inventory_hostname]"
ansible host1 -m setup
Commands worth memorizing¶
ansible-playbook site.yml -i inventory
ansible-playbook site.yml --limit web1
ansible-playbook site.yml --tags nginx
ansible-playbook site.yml -e "app_port=8080"
ansible-vault create secrets.yml
ansible-galaxy role install geerlingguy.nginx
ansible-galaxy collection install community.general
ansible-lint
molecule test
Modern Ansible talking points¶
ansible-core= engine/basic tooling.ansible= broader community package.- Collections are the modern packaging model.
- Use FQCNs like
ansible.builtin.apt. - Execution Environments package controller-side deps consistently.
ansible-navigatoris the modern CLI/TUI around EE workflows.
Best-practice sound bites¶
- “Use Ansible for configuration and orchestration, Terraform for provisioning infrastructure.”
- “A good role is readable, idempotent, linted, tested, and safe in check mode where possible.”
- “
shellis not evil; it’s just guilty until proven necessary.” - “Production safety is mostly blast-radius control:
--limit,serial, validation, and rollback planning.”
Common footguns¶
- Running against
allby accident. - Global
become: truewhen only one task needs privilege. - Restarting services directly instead of via handlers.
- Hiding bad logic with
ignore_errors. - Letting templates replace config files without
validate. - Secrets on CLI or in plaintext vars.
Minimal example they love¶
- hosts: web
serial: 25%
tasks:
- name: Render nginx config safely
ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
validate: "nginx -t -c %s"
notify: reload nginx
handlers:
- name: reload nginx
ansible.builtin.service:
name: nginx
state: reloaded
20-second interview answer¶
Ansible is an agentless, mostly declarative automation tool for config management, app deployment, and orchestration. Its strength is idempotent modules, inventory-driven targeting, and reusable roles. In real life, the hard parts are variable precedence, safe rollout strategy, and avoiding imperative shell spaghetti.