
Ansible - Skill Check

Mental model (bottom-up)

Ansible in short: the controller connects over SSH/WinRM, transfers a module, runs it, and returns structured results. Idempotency comes from modules knowing state, not from "shell scripts".

Visual guide

Controller -> SSH -> remote temp module -> execute -> report changed/ok/failed

Glossary

  • inventory - targets: hosts and groups
  • playbook - ordered set of plays/tasks
  • module - unit of work (package, service, file, etc)
  • idempotent - re-run yields same end state without repeated changes
  • handler - delayed action triggered only when notified
  • facts - discovered host data used for conditionals
  • role - packaged reusable tasks/templates/vars/handlers

Common failure modes

  • Using shell everywhere -> non-idempotent snowflakes.
  • Variable precedence confusion -> "why is my value ignored?"
  • Secrets leak via debug output.

Roadmap core (10, easy -> hard)

  • What is Ansible (one line)?
      • Agentless automation over SSH using YAML playbooks.
  • Inventory: what is it?
      • The list/grouping of hosts (static or dynamic) Ansible targets.
  • Play vs task vs role?
      • Play targets hosts; tasks are steps; roles package reusable content.
  • Idempotency meaning in Ansible?
      • Re-running yields same end state without repeated changes.
  • Variable precedence: why does it matter?
      • The same var can be defined in multiple places; precedence controls which one wins.
  • Handlers: what are they for?
      • Run actions (like restart) only when notified by changed tasks.
  • Templates vs files?
      • Templates (Jinja2) render variables; files copy as-is.
  • Facts + gather_facts: what does it do?
      • Collect host info for conditional logic.
  • Vault: what problem does it solve?
      • Encrypt secrets in repo; control access.
  • Collections + modules: how to stay sane?
      • Pin versions; prefer modules over shell; avoid snowflake hacks.

Inventory & targeting (easy -> hard)

  • How do groups help?
      • Target sets of hosts; apply vars/roles cleanly.
  • What is --limit?
      • Narrow run to specific hosts/groups.
  • Static vs dynamic inventory?
      • Static file vs generated from cloud APIs/CMDB.
  • Why are tags useful?
      • Run subsets of tasks safely: --tags, --skip-tags.
  • How do you avoid "blast radius"?
      • Limit + serial + check mode + good defaults.

Variables, templating, and structure (easy -> hard)

  • Why use roles?
      • Reuse and standardize with a known structure.
  • include_role vs import_role?
      • Include is dynamic; import is static (affects load/vars).
  • When to use defaults vs vars?
      • Defaults are override-friendly; vars are higher precedence.
  • Jinja2 pitfall #1?
      • Forgetting quotes / type coercion; test rendering.
  • How to validate inputs?
      • Use role argument validation + asserts.

Idempotency and "don't shell out" (easy -> hard)

  • Why avoid shell/command when modules exist?
      • Modules are idempotent and parse state; shell is fragile.
  • How do you detect "changed" correctly?
      • Let modules decide; else use changed_when carefully.
  • When do handlers run?
      • End of play by default, after notifications; meta: flush_handlers can run them earlier.
  • How to do safe restarts?
      • Notify handler only on config change; avoid restart storms.
  • What's a common idempotency bug?
      • Appending lines repeatedly; use lineinfile/templates instead.

Secrets (easy -> hard)

  • What does Ansible Vault encrypt?
      • Vars files/strings; content at rest in git.
  • Vault operational risk?
      • Key management; sharing; rotation; CI handling.
  • What's the "right" secret source in enterprise?
      • External secret store (Vault/Secrets Manager) + dynamic creds when possible.
  • How to prevent secret leaks?
      • no_log: true, avoid debug dumps, keep secrets out of CLI args.

Debugging & reliability (easy -> hard)

  • First triage flags?
      • -vvv, --check, --diff, --step.
  • How to debug vars?
      • debug: var=... (watch for secrets).
  • How to make runs stable under flaky SSH?
      • Control forks, retries, timeouts; fix SSH known_hosts policy.
  • What's a sane "test before prod" workflow?
      • Run in lab/stage inventory; then prod with serial and health checks.

Sources

  • Ansible community documentation (playbooks, roles, handlers, vault).
  • https://docs.ansible.com/
