Ansible — Trivia & Knowledge Compendium
~880+ Q&A pairs covering everything from Ansible's sci-fi origins to Ansiballz internals. Compiled from local study materials, interview prep banks, certification resources, and web research.
Last updated: 2026-03-26
1. Origins, History & Trivia
Q: What is Ansible?
A: Ansible is an open-source IT automation tool for configuration management, application deployment, orchestration, and provisioning. It is agentless, written in Python, and uses SSH to communicate with managed nodes.
Q: Who created Ansible and when?
A: Michael DeHaan created Ansible in February 2012. He had previously created Cobbler (a provisioning tool) and Func (a remote command framework).
Q: When and by whom was Ansible acquired?
A: Red Hat acquired Ansible in October 2015.
Q: Where does the name "Ansible" come from?
A: The name comes from science fiction -- specifically a faster-than-light communication device. The term was first coined by Ursula K. Le Guin in her 1966 novel "Rocannon's World" and later popularized by Orson Scott Card in "Ender's Game" (1985), where the ansible is used to command a fleet of distant ships instantaneously.
Q: What does "ansible" mean etymologically?
A: It is a contraction of "answerable" -- reflecting the device's ability to deliver responses across interstellar distances with no delay.
Q: What language is Ansible written in?
A: Python (and PowerShell for Windows modules).
Q: What are the key features of Ansible?
A: Agentless architecture, SSH-based communication, human-readable YAML syntax, idempotent operations, push-based model, extensive module library, inventory management, and a large community ecosystem.
Q: What does "agentless" mean in the context of Ansible?
A: No software agents need to be installed on managed nodes. Ansible connects via SSH (Linux) or WinRM (Windows) directly from the control node.
Q: How does Ansible differ from Puppet?
A: Ansible is agentless (push-based, YAML syntax) while Puppet is agent-based (pull-based, uses its own DSL). Ansible is simpler to set up; Puppet is more mature for large-scale, complex environments.
Q: How does Ansible differ from Chef?
A: Ansible uses YAML and is agentless; Chef uses Ruby DSL and requires agent installation (client-server model). Ansible has a lower learning curve; Chef offers more flexibility for experienced users.
Q: How does Ansible differ from SaltStack?
A: Both can be agentless, but SaltStack also supports an agent-based (minion) model. SaltStack uses its own DSL and is typically faster at scale due to ZeroMQ messaging, while Ansible is simpler and uses SSH.
Q: What is the Ansible control node?
A: The machine where Ansible is installed and from which playbooks and commands are executed. It must run Linux or macOS (not Windows natively).
Q: What are managed nodes?
A: The target servers/systems that Ansible manages. They only need SSH access and Python installed (no Ansible agent required).
Q: What are the server requirements for Ansible?
A: The control node requires Linux/macOS with Python 2.6+ (or Python 3.5+). Managed nodes need SSH access and Python. Windows managed nodes need WinRM and PowerShell.
Q: How does Ansible communicate with Linux hosts?
A: Via SSH (Secure Shell). It pushes modules to the managed node, executes them, and retrieves results as JSON.
Q: How does Ansible communicate with Windows hosts?
A: Via WinRM (Windows Remote Management) with PowerShell modules.
Q: What is the push-based model in Ansible?
A: The control node initiates connections and pushes configurations to managed nodes, as opposed to pull-based models where agents on nodes poll a central server.
Q: When would you use ansible-pull instead of the default push model?
A: For decentralized environments, self-healing systems, edge devices, or scenarios where nodes should independently fetch and apply configurations from a Git repository on a schedule.
Q: What are the main components of Ansible's architecture?
A: Control node, managed nodes, inventory, playbooks, modules, tasks, roles, handlers, variables, facts, plugins, and the Ansible configuration file (ansible.cfg).
Q: What is Infrastructure as Code (IaC) and how does Ansible align with it?
A: IaC manages infrastructure through version-controlled code rather than manual processes. Ansible aligns by using YAML playbooks to define infrastructure tasks in a readable, code-like format, ensuring repeatability and idempotency.
Q: When did Red Hat acquire Ansible?
A: October 2015.
Q: When did IBM acquire Red Hat?
A: July 2019, for approximately $34 billion.
Q: When did Ansible collections replace the monolithic package?
A: Ansible 2.10 (September 2020) split the package into ansible-core (runtime engine) and separate collections. Ansible 2.9 was the last monolithic release.
Q: What was the major architectural change in Ansible 2.0?
A: A complete rewrite of the core engine with a new execution framework, improved variable handling, and better error reporting.
Q: What is the relationship between ansible-core and the ansible package?
A: ansible-core contains the runtime engine, CLI tools, and built-in plugins/modules. The ansible package is a meta-package that installs ansible-core plus a curated set of community collections.
Q: What versioning scheme does ansible-core follow vs the ansible package?
A: ansible-core uses traditional semver (e.g., 2.15.x, 2.16.x). The ansible package uses independent versioning (e.g., 7.x, 8.x, 9.x) where each major version pins a specific ansible-core version.
Q: When was Ansible Tower renamed to automation controller?
A: With the release of Ansible Automation Platform 2.0 in late 2021.
Q: Who created Ansible, and in what year was it first released?
A: Michael DeHaan created Ansible and released it as an open-source project in February 2012.
Q: What two open-source projects did Michael DeHaan create before Ansible, both at Red Hat?
A: Cobbler (a PXE-based bare-metal provisioning tool) and Func (a remote command execution framework). Concepts from both influenced Ansible's design.
Q: What was Michael DeHaan's job before creating Ansible, and why did he leave?
A: He worked briefly at Puppet Labs and then at another company doing integration work. Neither was a good fit, and he wanted to return to building open-source tooling. His frustration with multi-day setup times for DNS/NTP issues led him to create Ansible.
Q: What science fiction novel first coined the word "ansible," and who wrote it?
A: Ursula K. Le Guin coined the term in her 1966 novel Rocannon's World. It referred to a device enabling instantaneous faster-than-light communication.
Q: Many people attribute the word "ansible" to Orson Scott Card's Ender's Game. Why is that incorrect for the original coinage?
A: Card popularized the term in Ender's Game (1985), but Le Guin invented it 19 years earlier in 1966. Card's usage spread the word to a much wider audience, creating the common misattribution.
Q: What is the etymology of the word "ansible"?
A: It is a contraction of "answerable" -- reflecting the device's ability to deliver responses across interstellar distances in reasonable time.
Q: What was the original company name behind Ansible before it became "Ansible, Inc."?
A: AnsibleWorks, Inc., founded in 2013 by Michael DeHaan, Timothy Gerla, and Said Ziouani.
Q: When did Red Hat acquire Ansible, and what was the reported price?
A: Red Hat announced the acquisition on October 16, 2015. The price was reportedly around $150 million, though Red Hat never officially confirmed the amount. Ansible had raised only $6 million prior, mostly from Menlo Ventures and e.ventures.
Q: How many employees did Ansible, Inc. have at the time of the Red Hat acquisition?
A: Approximately 50 employees worldwide, headquartered in Durham, North Carolina.
Q: Where was Ansible, Inc. originally based before the Red Hat acquisition?
A: The company was based out of Durham, N.C., though some sources also reference Santa Barbara, California as an early location.
Q: How did Ansible end up under IBM's umbrella?
A: IBM acquired Red Hat in 2019 for $34 billion. Since Ansible was a Red Hat product, it became part of IBM's portfolio.
Q: What was the first AnsibleFest, and when did it take place?
A: The first AnsibleFest was held in 2013 in the early days of the Ansible community, organized by AnsibleWorks (later Ansible, Inc.) to bring together early adopters.
Q: What happened to AnsibleFest after 2022?
A: Starting in 2024, AnsibleFest was merged with Red Hat Summit into a combined "Red Hat Summit and AnsibleFest" event, rather than running as a separate standalone conference.
Q: What was significant about Ansible 1.0, and when was it released?
A: Ansible 1.0 was released in early 2013 (around February). It marked the project's first stable release, establishing the core push-based, agentless, SSH-driven architecture.
Q: What did Ansible 2.5 introduce that changed how network automation worked?
A: Ansible 2.5 introduced the network_cli, httpapi, and netconf connection plugins, fundamentally changing how Ansible connected to network devices by using persistent connections instead of spawning a new connection per task.
Q: What was "ansible-base" and when did it appear?
A: ansible-base was the name for the stripped-down core engine introduced with the 2.10 release cycle (mid-2020). It contained only the command-line tools, core modules (like copy, file, command, shell), and essential plugins. It was renamed to "ansible-core" starting with version 2.11.
Q: Why was ansible-base renamed to ansible-core?
A: The name change from ansible-base to ansible-core (starting with version 2.11) was made to better reflect that this package is the core engine of the Ansible automation framework, not just a "base" layer.
Q: Explain the versioning split that happened at Ansible 2.10. What are the two separate packages?
A: Starting with 2.10, Ansible split into two packages: (1) ansible-core (originally ansible-base), which is the automation engine with minimal built-in content, and (2) the "ansible" community package, which bundles ansible-core with a curated set of community collections.
Q: Why do Ansible community package version numbers jump from 2.10 to 3.0, 4.0, etc., while ansible-core continues with 2.11, 2.12, etc.?
A: The community package adopted a new versioning scheme (3.x, 4.x, 5.x...) to differentiate it from ansible-core versioning. ansible-core continues the 2.x line. For example, Ansible 4.0.0 shipped with ansible-core 2.11, Ansible 5.0.0 with ansible-core 2.12, and so on.
Q: What Ansible community package version corresponds to ansible-core 2.14?
A: Ansible 7.x ships with ansible-core 2.14.
Q: What Ansible community package version corresponds to ansible-core 2.16?
A: Ansible 9.x ships with ansible-core 2.16.
Q: How often does ansible-core release a new major version?
A: Approximately every six months, typically in May and November, with a 4-week Z-release patch cycle for bugfixes and security fixes.
Q: How long is each ansible-core major version maintained?
A: Each ansible-core major release is maintained for approximately 18 months (the current release plus two prior versions are actively maintained).
Q: When was the last time the migration script (migrate.py) was run to move content from the monolithic ansible repo to collections?
A: The final migration run happened on Friday, March 6, 2020. The ansible-community/collection_migration repository was left as a historical record.
Q: What is the ansible_managed variable?
A: A special variable that expands to a string (configurable in ansible.cfg) containing metadata about the Ansible template. Default: "Ansible managed". Commonly placed in template file headers to warn humans not to edit managed files.
Q: Can you run Ansible on Windows as a control node?
A: No. Ansible's control node must run on a Unix-like system (Linux, macOS, BSDs). Windows can only be a managed node (via WinRM or PSRP). WSL (Windows Subsystem for Linux) is the workaround for running Ansible on Windows.
Q: What is the "cow" in Ansible output?
A: Ansible can display output using cowsay (ASCII art cow). If cowsay is installed, Ansible uses it by default for playbook output. It can be disabled with ANSIBLE_NOCOWS=1 or nocows = 1 in ansible.cfg.
Q: What environment variable disables Ansible's cowsay output?
A: ANSIBLE_NOCOWS=1
Q: What is ansible-inventory --graph?
A: A command that displays the inventory hierarchy as an ASCII tree graph, showing groups, subgroups, and hosts. Adding --vars also shows the variables for each host.
Q: What is the .retry file that Ansible creates?
A: When a playbook fails on some hosts, Ansible creates a .retry file containing the hostnames that failed. You can re-run only the failed hosts with --limit @playbook.retry. This behavior can be disabled in ansible.cfg.
Q: What is ansible-doc used for?
A: Viewing documentation for modules, plugins, filters, and other Ansible components from the command line without needing internet access. Example: ansible-doc ansible.builtin.copy.
Q: How do you list all available modules with ansible-doc?
A: ansible-doc --list or ansible-doc -l. You can filter by collection: ansible-doc -l -t module community.general.
Q: What does the ANSIBLE_KEEP_REMOTE_FILES setting do?
A: When set to True, Ansible does NOT delete the temporary module files it copies to the remote host after execution. Extremely useful for debugging module behavior -- you can SSH to the target and inspect/run the module code manually.
Q: Where are remote temporary files stored on managed nodes?
A: By default in ~/.ansible/tmp/ on the remote host (configurable via remote_tmp in ansible.cfg).
Q: What is ansible-config dump?
A: Displays all current configuration settings with their values and sources (default, config file, environment variable). ansible-config dump --only-changed shows only settings that differ from defaults.
Q: What does meta: flush_handlers do?
A: Forces all pending handlers to execute at that point in the play, instead of waiting until the end of the play. Useful when subsequent tasks depend on services being restarted.
Q: What does meta: end_play do?
A: Immediately ends the current play for the current host. The host is not marked as failed -- it simply stops processing.
Q: What is the ANSIBLE_STDOUT_CALLBACK environment variable?
A: Selects which stdout callback plugin to use (e.g., yaml, json, minimal, debug). Equivalent to stdout_callback in ansible.cfg.
Q: What is ansible-galaxy collection verify?
A: Verifies the integrity of installed collections by comparing checksums against the Galaxy server manifest. Detects if collection files have been modified locally.
Q: What is the COLLECTIONS_PATHS configuration?
A: Defines the search paths where Ansible looks for installed collections. Default: ~/.ansible/collections:/usr/share/ansible/collections. Can be set in ansible.cfg or via the ANSIBLE_COLLECTIONS_PATH environment variable.
Q: What is the obscure ANSIBLE_FORCE_COLOR environment variable?
A: Forces colored output even when Ansible detects it's not running in a terminal (e.g., in CI/CD pipelines). Useful for readable CI logs.
Q: What is ansible_become_method and what options exist besides sudo?
A: The privilege escalation method. Options: sudo (default), su, pbrun, pfexec, doas, dzdo, ksu, runas (Windows), enable (network devices), machinectl (systemd).
Q: What is the ansible.cfg [inventory] section's enable_plugins setting?
A: Controls which inventory plugins are loaded. By default, only host_list, script, auto, yaml, ini, and toml are enabled. Cloud inventory plugins (aws_ec2, gcp_compute) must be explicitly enabled.
Q: What is the INTERPRETER_PYTHON configuration, and why was auto mode added?
A: Controls which Python interpreter Ansible uses on managed nodes. The auto mode (default since 2.8) uses a lookup table to find the correct Python path per platform, avoiding the /usr/bin/python vs /usr/bin/python3 headache.
Q: What is an "action plugin" and how does it differ from a module?
A: An action plugin runs on the control node before (and sometimes instead of) the module on the remote host. Some modules are actually action plugins in disguise (e.g., template, copy, fetch). The action plugin handles local processing and file transfer, while the module handles remote state.
Q: What is the ansible_become_exe variable?
A: Specifies the path to the privilege escalation binary. Default: /usr/bin/sudo. Useful when sudo is installed in a non-standard location.
Q: What is gather_subset and how does it speed up fact gathering?
A: Instead of gathering all facts, you can specify a subset: gather_subset: [network, hardware] or gather_subset: [!hardware, !virtual]. Minimizing gathered facts reduces setup time.
Q: What are the available gather_subset categories?
A: all, min (always gathered), network, hardware, virtual, ohai, facter, env (environment variables), and several more depending on the platform.
Q: What is the ansible_ssh_common_args variable used for?
A: Adds extra SSH arguments to ALL SSH-based connection types (ssh, sftp, scp). Common use: adding -o ProxyCommand for bastion/jump host configurations.
Q: What are custom facts (local facts) and where do they live?
A: Custom facts are files placed in /etc/ansible/facts.d/ on managed hosts. They can be INI, JSON, or executable files returning JSON. They appear under ansible_local in gathered facts.
Q: What is ansible.builtin.set_stats?
A: A module that sets custom statistics for playbook runs, visible in Automation Controller/AWX. Stats are displayed in the job summary and can be used for reporting.
Q: What happens if you use vars_prompt in Ansible Tower/Controller?
A: Tower/Controller presents a survey form to the user before job execution, mapping survey fields to the prompt variables. In CLI mode, the user is prompted interactively.
Q: What is the ansible_date_time fact?
A: A fact containing the managed host's date/time in multiple formats: date, time, epoch, iso8601, tz, weekday, year, month, day, hour, minute, second, and more.
Q: What happens when you apply become: true with the local connection?
A: Privilege escalation happens on the control node itself. Ansible will sudo on the machine running the playbook, which can be dangerous and is often unintended.
Q: What is the environment keyword at the task/play/block level?
A: Sets environment variables for the remote execution context. Example: setting http_proxy, PATH, or LD_LIBRARY_PATH for tasks that need them on the remote host.
Q: What happens if two collections provide a module with the same short name?
A: Ansible uses the collections keyword search order to resolve ambiguity. If no collections keyword is set, it falls back to ansible.builtin. This is exactly why FQCNs are recommended -- they eliminate ambiguity entirely.
Q: What is a "handler" in Ansible, and what makes it special?
A: A handler is a task that runs only when "notified" by another task that reported "changed." Handlers run at the end of the play (or when flushed with meta: flush_handlers) and are deduplicated -- even if notified multiple times, a handler runs only once.
Q: Can a handler notify another handler?
A: Yes, since Ansible 2.2. Handlers can chain notifications to other handlers, creating cascading restart sequences.
Q: What is the listen directive on handlers?
A: Allows a handler to respond to a generic notification topic rather than being called by exact name. Multiple handlers can listen to the same topic. Example: all handlers with listen: "restart web stack" run when any task notifies "restart web stack".
Q: What is ansible-playbook --syntax-check?
A: Parses the playbook and checks for YAML/Ansible syntax errors without executing anything. Faster than --check but only catches structural problems.
Q: What is the debug module's verbosity parameter?
A: Controls at which verbosity level (-v, -vv, -vvv, -vvvv) the debug message appears. verbosity: 2 means the message only shows with -vv or higher.
Q: What are the four verbosity levels in Ansible?
A: -v (verbose -- task results), -vv (more verbose -- task input), -vvv (even more -- connection debugging), -vvvv (maximum -- includes connection plugin details and local script execution).
Q: What Ansible module is used to create scheduled tasks on Windows?
A: win_scheduled_task (now ansible.windows.win_scheduled_task).
Q: What is ansible-test?
A: The testing tool bundled with ansible-core for testing collections. It supports sanity tests (code style, import checks), unit tests (Python unittest), and integration tests (full playbook runs).
Q: What file format does Ansible use for its return data from modules?
A: JSON. Every Ansible module returns a JSON dictionary to stdout, which the controller parses. This is why modules can be written in any language -- they just need to output valid JSON.
Q: What is an "Execution Environment" in the Ansible ecosystem?
A: A container image containing ansible-core, Python dependencies, collections, and system libraries needed to run automation. Built with ansible-builder and used by Automation Controller and ansible-navigator.
Q: What is ansible-navigator?
A: A modern text-based user interface (TUI) for running and developing Ansible content. It can run playbooks inside execution environments and provides interactive exploration of playbook results, inventory, and documentation.
Q: What is ansible-builder?
A: A tool that creates Execution Environment container images from a definition file (execution-environment.yml) that specifies Python requirements, system packages, collections, and the base image.
Q: What is until / retries / delay in a task?
A: Retry loop configuration. until specifies the success condition, retries is the max attempts (default 3), and delay is seconds between retries. Example: poll an API until it returns healthy.
Q: What is register and what does the registered variable contain?
A: register captures a task's return data into a variable. The variable contains: changed, failed, rc (return code), stdout, stderr, stdout_lines, stderr_lines, msg, and module-specific keys.
Q: What is ansible_play_name?
A: A magic variable containing the name of the currently executing play.
Q: What is the omit variable in Ansible?
A: A special variable used to conditionally exclude a module parameter entirely. Example: mode: "{{ file_mode | default(omit) }}" -- if file_mode is undefined, the mode parameter is not passed to the module at all (as if it wasn't written).
Q: What is ansible_loop?
A: A magic variable available inside loops (with loop/with_*) that contains metadata about the current iteration: index0, index, first, last, length, previtem, nextitem, revindex0, revindex.
Q: What happened to with_items, with_dict, with_fileglob etc.?
A: They still work but are considered legacy. The modern replacement is the loop keyword combined with filters: loop: "{{ my_list }}", loop: "{{ my_dict | dict2items }}", loop: "{{ query('fileglob', '*.conf') }}".
Q: What is the ansible.builtin.pause module?
A: Pauses playbook execution for a specified time or until the user presses Enter. Can also prompt for user input. Example: pause: seconds=30 or pause: prompt="Are you sure?".
Q: What is the failed_when: false idiom?
A: Makes a task NEVER fail, regardless of return code or output. The task always succeeds. Often combined with register to capture the result and handle it in subsequent tasks.
Q: What is the precedence order if the same variable is defined in group_vars for a parent group and a child group?
A: Child group variables override parent group variables. Ansible merges variables from parent to child, with the child winning. If a host is in multiple groups at the same level, alphabetical group name ordering determines precedence (last alphabetically wins).
Q: What is hash_behaviour in ansible.cfg?
A: Controls how dictionary variables are handled when the same variable is defined in multiple places. replace (default) replaces the entire dictionary. merge does a deep merge. The merge behavior is deprecated and being removed.
Q: Why is hash_behaviour: merge deprecated?
A: It causes globally unpredictable behavior, makes debugging variable values extremely difficult, and is a constant source of bugs. The recommended approach is explicit merging with the combine filter.
Q: What is the maximum recommended inventory size for a single Ansible control node?
A: There is no hard limit, but practical performance degrades beyond several thousand hosts without tuning (increasing forks, enabling pipelining, using fact caching, using pull mode or AWX/Controller for very large fleets).
Q: What port does Ansible use by default for SSH connections?
A: Port 22 (standard SSH). Configurable via ansible_port per host or remote_port in ansible.cfg.
Q: What port does WinRM use by default for Ansible Windows management?
A: Port 5985 for HTTP, port 5986 for HTTPS.
Q: What was the first commit to the Ansible GitHub repository, and approximately when?
A: Michael DeHaan made the first commit to the ansible/ansible GitHub repository in February 2012.
Q: What year did Ansible Galaxy launch?
A: Ansible Galaxy launched in 2013, as a community hub for sharing Ansible roles.
Q: What year did Ansible Tower (the commercial UI product) first appear?
A: Ansible Tower 1.0 was released in 2013 by AnsibleWorks, providing a web UI, REST API, and RBAC on top of Ansible.
Q: What year did Ansible 2.0 introduce the new execution engine?
A: January 2016.
Q: When did the collections concept first appear in Ansible?
A: Collections were introduced as a concept in Ansible 2.8 (2019) and became the primary content distribution mechanism in Ansible 2.10 (2020).
Q: When was Ansible 2.10 (the first "split" release) published?
A: September 2020 -- the first release with the monolithic content split into ansible-base + collections.
Q: What year was Event-Driven Ansible (EDA) first introduced?
A: 2022 as a technology preview, generally available in AAP 2.4 (2023).
Q: What year was Ansible Lightspeed announced?
A: 2023, with integration into AAP and the VS Code Ansible extension.
Q: How many modules were in the monolithic Ansible 2.9 repository before the split?
A: Over 3,400 modules lived in the single ansible/ansible repository before the collections migration.
Q: How many collections are typically included in the Ansible community package?
A: The Ansible community package (e.g., Ansible 9.x, 10.x) bundles approximately 85-100+ collections alongside ansible-core.
2. Installation & Configuration
Q: What is ansible.cfg?
A: The central configuration file that controls how Ansible behaves -- connection settings, defaults, module paths, plugin paths, etc.
Q: What is the ansible.cfg search order (precedence)?
A: 1) ANSIBLE_CONFIG environment variable, 2) ./ansible.cfg (current directory), 3) ~/.ansible.cfg (home directory), 4) /etc/ansible/ansible.cfg (global). First found wins.
Q: What is the forks setting?
A: Controls how many parallel processes Ansible uses to execute tasks across hosts. Default is 5.
Q: What is pipelining?
A: An SSH optimization that reduces the number of SSH connections needed by executing multiple operations over a single connection. Set pipelining = True in ansible.cfg.
Q: What is host_key_checking?
A: Controls whether Ansible verifies SSH host keys. Disabling it (host_key_checking = False) can speed up initial connections but reduces security.
Q: What is fact caching?
A: Storing gathered facts between playbook runs to avoid re-gathering. Backends include jsonfile, redis, and memcached. Configured in ansible.cfg.
Q: What is the ask_pass setting?
A: Controls whether Ansible prompts for an SSH password by default. Default is no (assumes SSH keys).
Q: What is the ask_sudo_pass setting?
A: Controls whether Ansible prompts for a sudo password. Default is no.
Q: What is the search order for ansible.cfg?
A: (1) ANSIBLE_CONFIG environment variable, (2) ./ansible.cfg in the current directory, (3) ~/.ansible.cfg in the home directory, (4) /etc/ansible/ansible.cfg.
Q: Do environment variables override ansible.cfg settings?
A: Yes. Individual ANSIBLE_* environment variables have higher precedence than ansible.cfg entries.
Q: What does ansible-config dump show?
A: All current configuration settings, their values, and their sources (default, config file, environment variable).
Q: What does ansible-config list show?
A: All available configuration options with descriptions, defaults, and environment variable names.
Q: What is the security concern with ./ansible.cfg in the current directory?
A: If Ansible is run in a world-writable directory, a malicious user could place an ansible.cfg that modifies behavior (e.g., pointing to a rogue callback plugin). Ansible warns or ignores current-directory config files in world-writable directories.
Q: What language is Ansible written in? What about Puppet, Chef, and SaltStack?
A: Ansible: Python. Puppet: Ruby (with its own Puppet DSL). Chef: Ruby (with Ruby DSL for recipes). SaltStack: Python.
Q: Which of the "big four" (Ansible, Puppet, Chef, Salt) are agentless?
A: Ansible is fully agentless (SSH/WinRM). Salt can run agentless via salt-ssh but normally uses agents (minions). Puppet and Chef both typically require agents, though Puppet can run agentless via bolt.
Q: Which tools are push-based vs. pull-based by default?
A: Ansible: push-based (pull available via ansible-pull). Salt: push-based (pull available). Puppet: pull-based (push via bolt). Chef: pull-based (push via knife/chef-push-jobs).
Q: What configuration language does each tool use?
A: Ansible: YAML (playbooks) + Jinja2 (templates). Puppet: Puppet DSL (declarative). Chef: Ruby DSL (imperative "recipes"). Salt: YAML (state files) + Jinja2 (templates).
Q: Which tool came first chronologically: Puppet, Chef, Ansible, or Salt?
A: Puppet (2005), Chef (2009), Salt (2011), Ansible (2012).
Q: Which config management tool uses a "master-minion" architecture with a ZeroMQ message bus?
A: SaltStack (Salt). The master communicates with minions over a ZeroMQ or TCP transport bus, which gives it very fast command execution across large fleets.
Q: What is Puppet Bolt, and how is it similar to Ansible?
A: Puppet Bolt is an agentless task-running tool from Puppet that connects via SSH/WinRM to execute tasks without requiring the Puppet agent. It is conceptually similar to Ansible ad-hoc commands and playbooks.
Q: What makes SaltStack's execution speed notably faster than Ansible for large fleets?
A: Salt uses persistent ZeroMQ connections to pre-installed minion agents, enabling near-simultaneous command execution across thousands of nodes. Ansible must establish SSH connections serially (limited by forks), which is inherently slower.
Q: Ansible is sometimes described as "procedural" while Puppet is "declarative." What does this mean in practice?
A: Ansible playbooks execute tasks in the order written (procedural) -- the order matters. Puppet manifests describe the desired end state (declarative) -- Puppet's engine determines the order of operations to converge to that state.
Q: What open-source tool can dramatically speed up Ansible by replacing SSH with a custom Python-based protocol?
A: Mitogen for Ansible. It replaces SSH with a bootstrapped Python interpreter tunnel, reducing the per-task overhead from multiple SSH round-trips to a single connection with multiplexed execution.
3. Inventory
Q: What is an Ansible inventory?
A: A file or script that defines the list of managed hosts (machines) that Ansible targets. It organizes systems into groups for task targeting.
Q: What are the two types of inventory?
A: Static inventory (manually defined in INI or YAML files) and dynamic inventory (generated at runtime using scripts or plugins from external sources like cloud providers).
Q: Where is the default inventory file located?
A: /etc/ansible/hosts
Q: How do you specify a custom inventory file?
A: Use the -i flag: ansible-playbook -i /path/to/inventory playbook.yml
Q: What command lists all hosts in an inventory?
A: ansible-inventory --list
Q: What is a group in an Ansible inventory?
A: A named collection of hosts that allows you to target multiple servers with a single reference. Example: [webservers] containing multiple web server hostnames.
Q: What is the all group?
A: A special built-in group that contains every host in the inventory.
Q: What is the ungrouped group?
A: A special built-in group containing hosts that are not members of any other group.
Q: What are group_vars and host_vars?
A: Directories for storing variables that apply to groups or individual hosts respectively. group_vars/webservers.yml applies to all hosts in the webservers group; host_vars/server1.yml applies only to server1.
Q: What is a dynamic inventory?
A: An inventory that automatically fetches host lists from external sources (AWS, Azure, GCP, VMware, etc.) at runtime using inventory plugins or scripts.
Q: How do you configure a dynamic inventory for AWS EC2?
A: Install boto3 and botocore on the control node (the amazon.aws collection requires them), configure AWS credentials (environment variables, ~/.aws/credentials or an instance profile), create an inventory file whose name ends in aws_ec2.yml and whose first key is plugin: amazon.aws.aws_ec2, then pass it with -i. Use filters: to restrict which instances are returned and keyed_groups: to build groups from tags.
Q: What format does a dynamic inventory script return?
A: JSON with host and group data, following a specific schema that Ansible expects.
Q: What are Ansible plugins?
A: Extensions that add functionality to Ansible core. They run on the control node (unlike modules which run on managed nodes).
Q: What are connection plugins?
A: Control how Ansible connects to managed nodes. Examples: ssh, winrm, local, docker, network_cli.
Q: What are callback plugins?
A: Customize how Ansible displays output, sends notifications, or logs results. Examples: profile_tasks (timing), json (JSON output), slack (notifications).
Q: What are lookup plugins?
A: Retrieve data from external sources. Examples: file, env, password, aws_ssm, pipe.
Q: What are filter plugins?
A: Transform data within Jinja2 expressions. Examples: to_json, to_yaml, regex_replace, combine, default.
Q: What are inventory plugins?
A: Generate dynamic inventory from external sources. Examples: aws_ec2, azure_rm, gcp_compute, vmware_vm_inventory.
Q: What are strategy plugins?
A: Control how tasks are scheduled across hosts. linear (default) runs each task on every host in the batch before moving to the next task; free lets each host run through the play as fast as it can; host_pinned is like free but caps the number of hosts in flight at forks; debug steps through tasks interactively.
Q: How do you enable a callback plugin?
A: Configure in ansible.cfg under [defaults]: callbacks_enabled = profile_tasks, timer (or set the ANSIBLE_CALLBACKS_ENABLED environment variable). The old name callback_whitelist was deprecated in favour of callbacks_enabled in ansible-core 2.11, and the deprecated alias was removed in 2.15.
Q: What is the difference between an inventory script and an inventory plugin?
A: Inventory scripts are standalone executables that output JSON. Inventory plugins are Python classes integrated with Ansible's plugin system, supporting caching, configuration via ansible.cfg, and the constructed features. Plugins are recommended over scripts.
Q: What two methods must a custom inventory plugin implement?
A: verify_file(self, path) (validates the inventory source) and parse(self, inventory, loader, path, cache=True) (populates the inventory).
Q: What key inventory object methods are used in plugin development?
A: self.inventory.add_group(), self.inventory.add_host(), self.inventory.add_child(), self.inventory.set_variable().
Q: What does the Constructable base class provide to inventory plugins?
A: The ability to create host variables and groups from Jinja2 expressions using compose, keyed_groups, and groups options -- without writing custom code.
Q: How does inventory caching work?
A: Inventory plugins can use configured cache plugins (jsonfile, Redis, memcached, etc.) to store and retrieve data, avoiding repeated costly external API calls. Controlled by cache, cache_plugin, cache_timeout, and cache_connection settings.
Q: What file extension does the AWS EC2 inventory plugin expect?
A: Files ending in aws_ec2.yml or aws_ec2.yaml.
Q: What is a constructed inventory plugin?
A: A built-in plugin that creates groups and hostvars using Jinja2 expressions based on existing inventory data, without querying external sources.
Q: What are the two built-in inventory file formats?
A: INI format and YAML format.
Q: What is the auto inventory plugin?
A: A meta-plugin that automatically detects and delegates to the correct inventory plugin based on the inventory source file name or content. For example, a file ending in aws_ec2.yml triggers the aws_ec2 plugin.
Q: Name five dynamic inventory plugins included in popular collections.
A: (1) amazon.aws.aws_ec2; (2) google.cloud.gcp_compute; (3) azure.azcollection.azure_rm; (4) community.vmware.vmware_vm_inventory; (5) kubernetes.core.k8s.
Q: What was the old-style dynamic inventory approach before inventory plugins?
A: Executable inventory scripts (e.g., ec2.py). These scripts output JSON to stdout when called with --list or --host <hostname>. This approach is now deprecated in favor of inventory plugins.
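The JSON contract described above (--list returning groups plus an optional _meta.hostvars block, --host returning one host's variables), as an added Python example that is not part of the original page or of any Ansible-shipped script. The host records are constructed sample data; a real script would query a cloud or CMDB API in their place.

```python
#!/usr/bin/env python3
"""Minimal old-style dynamic inventory script, the pattern ec2.py used.

Ansible runs the executable with --list for the whole inventory and --host <name>
for one host's variables. A _meta.hostvars block in the --list output lets Ansible
skip the per-host --host calls entirely."""
import argparse
import json
import sys

# Constructed sample data; a real script would query a cloud or CMDB API here.
SOURCE = [
    {"name": "web01", "ip": "10.0.1.10", "role": "web", "env": "prod"},
    {"name": "web02", "ip": "10.0.1.11", "role": "web", "env": "prod"},
    {"name": "db01", "ip": "10.0.2.10", "role": "db", "env": "prod"},
    {"name": "web-stg01", "ip": "10.0.9.10", "role": "web", "env": "staging"},
]


def build_inventory(records):
    """Return the JSON-serialisable structure Ansible expects from --list.

    Top-level keys are group names; each group may carry "hosts", "vars" and "children".
    "_meta": {"hostvars": {...}} supplies per-host variables in the same call."""
    inv = {"_meta": {"hostvars": {}}, "all": {"children": ["ungrouped"]}, "ungrouped": {"hosts": []}}
    for rec in records:
        # ansible_host tells Ansible where to connect; the record name stays the inventory_hostname.
        inv["_meta"]["hostvars"][rec["name"]] = {"ansible_host": rec["ip"], "deploy_env": rec["env"]}
        for group in (f"role_{rec['role']}", f"env_{rec['env']}"):
            entry = inv.setdefault(group, {"hosts": [], "vars": {}})
            entry["hosts"].append(rec["name"])
            if group not in inv["all"]["children"]:
                inv["all"]["children"].append(group)
        # Group-level vars: every env_* group carries the environment name.
        inv[f"env_{rec['env']}"]["vars"]["deploy_env"] = rec["env"]
    return inv


def host_vars(records, name):
    """Answer a --host <name> call: that host's variables, or {} if unknown."""
    return build_inventory(records)["_meta"]["hostvars"].get(name, {})


def main(argv=None):
    parser = argparse.ArgumentParser(description="constructed dynamic inventory example")
    mode = parser.add_mutually_exclusive_group(required=True)
    mode.add_argument("--list", action="store_true", help="emit the whole inventory")
    mode.add_argument("--host", metavar="NAME", help="emit variables for one host")
    args = parser.parse_args(argv)
    data = build_inventory(SOURCE) if args.list else host_vars(SOURCE, args.host)
    json.dump(data, sys.stdout, indent=2)
    sys.stdout.write("\n")


if __name__ == "__main__":
    main()
```

Save it as inv.py, mark it executable (chmod +x inv.py; the script inventory source must be executable) and inspect the result with ansible-inventory -i ./inv.py --graph. Because the script emits _meta.hostvars, Ansible never calls --host, which matters when each per-host call would be a separate API round trip.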
Q: What special group exists in every Ansible inventory?
A: The all group, which contains every host. Also, ungrouped contains hosts not assigned to any other group.
Q: What is ansible_host in inventory?
A: A variable that overrides the hostname or IP used to connect to a host. The inventory name stays the same for variable lookups, but ansible_host tells Ansible the actual connection address.
Q: What is the constructed inventory plugin?
A: An inventory plugin that creates groups and variables dynamically based on Jinja2 expressions evaluated against existing inventory data. It lets you create groups based on facts or other variables without modifying the source inventory.
4. Playbooks, Plays & Tasks¶
Q: What is an Ansible playbook?
A: A YAML file that defines a series of plays (each targeting a group of hosts and specifying tasks, variables, and handlers) to automate configuration and deployment.
Q: What is a play in Ansible?
A: A section within a playbook that maps a group of hosts to a set of tasks. A playbook can contain multiple plays.
Q: What is a task in Ansible?
A: A single unit of action that calls a specific Ansible module with parameters. Tasks are executed sequentially within a play.
Q: What is the difference between a playbook and a play?
A: A playbook is a YAML file containing one or more plays. A play is a set of tasks and roles that run on one or more managed hosts within that playbook.
Q: What is the difference between a playbook and an ad-hoc command?
A: Playbooks are YAML files with multiple organized tasks for complex, repeatable automation. Ad-hoc commands are one-off CLI commands for quick, simple tasks.
Q: What command runs an Ansible playbook?
A: ansible-playbook playbook.yml
Q: How do you run a playbook with a specific inventory file?
A: ansible-playbook -i /path/to/inventory playbook.yml
Q: How do you check a playbook's syntax without running it?
A: ansible-playbook --syntax-check playbook.yml
Q: What is check mode (dry run)?
A: Running ansible-playbook --check playbook.yml shows what changes would occur without actually applying them. Not all modules support check mode.
Q: What is diff mode?
A: --diff flag displays the difference between the current state and the proposed changes, useful for validating before applying.
Q: How do you run a playbook in verbose mode?
A: Add -v (basic), -vv (more detail), -vvv (connection debugging), or -vvvv (maximum verbosity).
Q: How do you run only specific tasks using tags?
A: ansible-playbook playbook.yml --tags "install,configure" or skip tags with --skip-tags "debug".
Q: How do you limit playbook execution to specific hosts?
A: ansible-playbook playbook.yml --limit "webserver1" or --limit "webservers".
Q: How do you start a playbook at a specific task?
A: ansible-playbook playbook.yml --start-at-task "Install Nginx"
Q: What does the hosts keyword define in a play?
A: The target hosts or groups that the play will execute against.
Q: What keyword defines tasks in a playbook?
A: tasks:
Q: What is the serial keyword?
A: Controls how many hosts are updated at a time during a playbook run. serial: 2 updates two hosts at a time, enabling rolling updates.
Q: What is max_fail_percentage?
A: A play-level setting that stops a rolling update if the failure rate exceeds the specified percentage.
Q: What is an ad-hoc command in Ansible?
A: A quick, one-line command executed directly from the CLI without writing a playbook. Used for simple, one-off tasks.
Q: What is the syntax of an ad-hoc command?
A: ansible [host-pattern] -m [module] -a "[module arguments]"
Q: Give an example of an ad-hoc ping command.
A: ansible all -m ping
Q: How do you check disk space on all hosts ad-hoc?
A: ansible all -m shell -a "df -h"
Q: How do you install a package using an ad-hoc command?
A: ansible webservers -m apt -a "name=nginx state=present" --become
Q: When should you use ad-hoc commands vs playbooks?
A: Ad-hoc for quick checks, testing connectivity, gathering info, or one-time fixes. Playbooks for repeatable, complex, multi-step automation.
5. Modules¶
Q: What is an Ansible module?
A: A reusable, standalone script that performs a specific task (installing packages, managing files, restarting services, etc.) on managed nodes. Modules are idempotent and return JSON output.
Q: What are the two categories of Ansible modules?
A: Historically "core" modules (maintained by the Ansible team) and "extras"/community modules. Since Ansible 2.10 the split is between modules shipped with ansible-core under ansible.builtin and modules distributed in collections (e.g. community.general, amazon.aws) installed with ansible-galaxy collection install. Both are used the same way; refer to them by fully qualified collection name (FQCN), such as ansible.builtin.copy.
Q: How do you look up documentation for a module?
A: ansible-doc <module_name> (e.g., ansible-doc copy)
Q: What does the ping module do?
A: Tests connectivity between the control node and managed nodes. It verifies SSH connection, authentication, and Python availability. Returns "pong" on success.
Q: What does the setup module do?
A: Gathers facts (system information) from managed nodes -- OS details, IP addresses, memory, disk, CPU, etc.
Q: What does the copy module do?
A: Copies files from the control node to managed nodes.
Q: What does the fetch module do?
A: Fetches (downloads) files from managed nodes to the control node. The inverse of copy.
Q: What does the template module do?
A: Processes a Jinja2 template file and deploys the rendered result to managed nodes.
Q: What does the file module do?
A: Manages files and directories -- create, delete, set permissions, ownership, and symlinks.
Q: What does the apt module do?
A: Manages packages on Debian/Ubuntu systems (install, remove, update).
Q: What does the yum module do?
A: Manages packages on RHEL/CentOS systems (install, remove, update).
Q: What does the package module do?
A: A generic OS-independent package manager module that auto-detects the appropriate package manager.
Q: What does the service module do?
A: Manages system services -- start, stop, restart, enable, disable.
Q: What does the user module do?
A: Manages user accounts -- create, remove, modify users, set passwords, manage groups.
Q: What does the cron module do?
A: Manages cron jobs on managed nodes.
Q: What does the shell module do?
A: Executes commands through the shell (/bin/sh), supporting pipes, redirects, and environment variable expansion.
Q: What does the command module do?
A: Executes commands directly without shell processing. Safer than shell but doesn't support pipes or redirects.
Q: What is the difference between command and shell modules?
A: command runs the program directly (an argv list, no shell), so pipes, redirects, globbing and $VAR expansion do not work, and shell metacharacters inside interpolated variables are never interpreted. shell hands the line to /bin/sh, enabling all of that. command is more secure and is preferred whenever shell features are not needed (its argv: form avoids even word-splitting surprises); if you must use shell with a variable that could carry untrusted data, pass it through the quote filter ({{ var | quote }}) so it reaches the shell as a single word.
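A Python model of the difference, added here and not taken from Ansible's own source: ansible.builtin.command splits a free-form line with shlex.split and executes the argv list with no shell, ansible.builtin.shell passes the line to /bin/sh -c, and the quote filter is shlex.quote. The untrusted value is constructed for illustration; the four helpers correspond to the four ways of writing the same task.

```python
import shlex
import subprocess

# Constructed untrusted input, e.g. a value that arrived via --extra-vars or a shared inventory file.
UNTRUSTED = "report.txt; echo INJECTED"


def run_argv(argv):
    """Execute an argv list with no shell, as ansible.builtin.command does."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run_sh(cmdline):
    """Hand a command line to /bin/sh -c, as ansible.builtin.shell does."""
    return subprocess.run(["/bin/sh", "-c", cmdline], capture_output=True, text=True, check=True).stdout


def shell_unquoted(value):
    """shell: echo {{ value }}  -- metacharacters in value are interpreted by sh."""
    return run_sh(f"echo {value}")


def shell_quoted(value):
    """shell: echo {{ value | quote }}  -- the quote filter is shlex.quote, so value is one word."""
    return run_sh(f"echo {shlex.quote(value)}")


def command_free_form_argv(value):
    """command: echo {{ value }}  -- no shell, but the rendered line is still split into words,
    so an attacker can inject extra *arguments* even though they cannot inject commands."""
    return shlex.split(f"echo {value}")


def command_argv_form(value):
    """command with argv: [echo, '{{ value }}']  -- value reaches the program as exactly one argument."""
    return run_argv(["echo", value])


if __name__ == "__main__":
    print("shell, unquoted :", repr(shell_unquoted(UNTRUSTED)))
    print("shell, | quote  :", repr(shell_quoted(UNTRUSTED)))
    print("command, free   :", command_free_form_argv(UNTRUSTED))
    print("command, argv   :", repr(command_argv_form(UNTRUSTED)))
```

Only the unquoted shell form runs the injected second command. The free-form command variant is safe from command injection but still splits the value into several arguments, which is why argv: is the form to reach for when a variable may contain spaces or leading dashes.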
Q: What does the lineinfile module do?
A: Ensures a particular line is present (or absent) in a file. Useful for managing configuration files.
Q: What does the debug module do?
A: Prints variable values or custom messages during playbook execution. Useful for troubleshooting.
Q: What does the wait_for module do?
A: Waits for a specific condition (port open, file exists, string in file) before continuing. Supports customizable timeouts.
Q: What does the synchronize module do?
A: A wrapper around rsync for efficient file transfer between control node and managed nodes.
Q: What does the uri module do?
A: Makes HTTP/HTTPS requests -- useful for interacting with REST APIs.
Q: What does the docker_container module do?
A: Manages Docker containers -- create, start, stop, remove containers.
Q: What is the service_facts module?
A: Gathers data about all services on a managed node, returning their states.
Q: What does state: present mean in a module?
A: Ensures the resource exists (e.g., a package is installed, a user exists).
Q: What does state: absent mean in a module?
A: Ensures the resource does NOT exist (e.g., a package is removed, a user is deleted).
Q: What does state: latest mean in package modules?
A: Ensures the package is installed AND updated to the latest available version.
Q: What is the raw module, and when is it needed?
A: raw executes a raw SSH command without the Ansible module subsystem. It's needed when the target has no Python installed (bootstrapping Python on a new host) or for network devices that don't support the Ansible module system.
Q: What module would you use to wait for a port to become available?
A: wait_for -- can wait for a port, file, or regex match in a file. Common use: wait_for: port=8080 delay=5 timeout=300.
Q: What is the difference between include_tasks and import_tasks?
A: import_tasks is static -- processed at playbook parse time, so variables in filenames must be static. include_tasks is dynamic -- processed at runtime, supporting dynamic filenames, loops, and conditionals. Tags and task attributes behave differently between them.
Q: What is include_role vs import_role?
A: Same distinction: import_role is static (parsed at load time), include_role is dynamic (loaded at runtime). import_role tasks show up in --list-tasks; include_role tasks do not until runtime.
6. Variables, Facts & Data¶
Q: What are variables in Ansible?
A: Named values that store data for use in playbooks, templates, and tasks. They make automation flexible and dynamic.
Q: Where can variables be defined?
A: In playbook vars sections, vars_files, group_vars/, host_vars/, role defaults, role vars, inventory files, command line (-e/--extra-vars), registered variables, and set_fact.
Q: What is the difference between vars, vars_files, and vars_prompt?
A: vars declares variables inline in a play. vars_files references separate YAML files containing variables. vars_prompt prompts the user for input during execution.
Q: How do you reference a variable in a playbook?
A: Using Jinja2 double-curly-brace syntax: {{ variable_name }}
Q: What is the register keyword?
A: Captures the output of a task into a variable for use in subsequent tasks. Enables conditional logic based on previous task results.
Q: What is set_fact?
A: A module that sets host-level variables dynamically during playbook execution. Values persist for the rest of the play.
Q: How is set_fact different from vars?
A: set_fact creates variables dynamically at runtime after on-the-fly processing/filtering. vars defines variables with predetermined values before execution.
Q: What are Ansible facts?
A: System information automatically collected from managed nodes at the beginning of each play (OS, IP, CPU, memory, disk, etc.). Accessed via ansible_facts dictionary.
Q: How are facts gathered?
A: By the setup module, which runs automatically at the start of each play (unless gather_facts: no is set).
Q: How do you disable fact gathering?
A: Set gather_facts: no in the play definition. This speeds up playbook execution when facts are not needed.
Q: How do you view all facts for a host?
A: ansible hostname -m setup or filter with ansible hostname -m setup -a "filter=ansible_os_family"
Q: What are magic variables in Ansible?
A: Special variables automatically set by Ansible: hostvars, groups, group_names, inventory_hostname, ansible_play_hosts, ansible_version, etc.
Q: What is hostvars?
A: A dictionary containing variables for all hosts in the inventory, accessible via hostvars['hostname']['variable'].
Q: What is inventory_hostname?
A: The name of the current host as defined in the inventory file.
Q: How do you access a variable of the first host in a group?
A: {{ hostvars[groups['webservers'][0]]['ansible_eth0']['ipv4']['address'] }}
Q: What is the difference between variable names and environment variables?
A: Variable names are Ansible-internal. Environment variables reference system environment values using {{ ansible_env.SOME_VARIABLE }}.
Q: How do you pass variables from the command line?
A: ansible-playbook playbook.yml -e "var1=value1 var2=value2" or --extra-vars '{"var1": "value1"}'
Q: What is the complete Ansible variable precedence order (lowest to highest)?
A: 1) command line values (e.g., -u user), 2) role defaults, 3) inventory file/script group vars, 4) inventory group_vars/all, 5) playbook group_vars/all, 6) inventory group_vars/, 7) playbook group_vars/, 8) inventory file/script host vars, 9) inventory host_vars/, 10) playbook host_vars/, 11) host facts / cached set_facts, 12) play vars, 13) play vars_prompt, 14) play vars_files, 15) role vars (role/vars/main.yml), 16) block vars, 17) task vars, 18) include_vars, 19) set_facts / registered vars, 20) role/include_role params, 21) include params, 22) extra vars (-e) -- highest priority and always win.
Q: What is the difference between dot notation and array notation for variables?
A: Dot notation ({{ user.name }}) is for simple, readable access. Array notation ({{ user['first name'] }}) is required for keys with special characters, spaces, or dynamic variable names.
Q: How many levels of variable precedence does Ansible have?
A: 22 levels, from lowest (command line values like -u user) to highest (--extra-vars/-e).
Q: What has the highest variable precedence?
A: Extra vars (--extra-vars or -e), at level 22.
Q: What has the lowest variable precedence?
A: Command line values (e.g., -u my_user), followed by role defaults (roles/x/defaults/main.yml).
Q: Where do set_fact and registered vars fall in precedence?
A: Level 19 -- above include_vars, task vars, block vars, role vars, play vars_files, play vars_prompt, play vars, and all inventory variables. Below role parameters, include parameters, and extra-vars.
Q: What is the precedence difference between roles/x/defaults/main.yml and roles/x/vars/main.yml?
A: Role defaults are level 2 (lowest, easily overridden). Role vars are level 15 (quite high, hard to override except with set_fact, include_vars, role parameters, include parameters, or extra-vars).
Q: How does include_vars compare to vars_files in precedence?
A: include_vars (level 18) has higher precedence than vars_files (level 14).
Q: What is the hostvars magic variable?
A: A dictionary containing variables for all hosts in the inventory. Access another host's variables with hostvars['hostname']['variable_name'].
Q: What is groups in Ansible?
A: A dictionary/map of all groups in the inventory, where each group key maps to a list of hosts belonging to that group.
Q: What is group_names?
A: A list of all groups the current host is a member of.
Q: What is inventory_hostname vs ansible_hostname?
A: inventory_hostname is the name of the host as defined in the inventory file. ansible_hostname is the actual hostname discovered from the remote system via fact gathering.
Q: What is play_hosts?
A: A list of all hosts in the current play that are still active (not failed or unreachable). play_hosts is deprecated; use ansible_play_hosts, which has the same meaning, or ansible_play_hosts_all for the original target list.
Q: What is inventory_dir?
A: The directory path of the inventory source (the folder containing the inventory file).
Q: Can you set variables with magic variable names?
A: No. Magic variable names are reserved and setting them will be overridden by Ansible's internal values.
Q: What is omit?
A: A special variable that, when used as a module parameter value, causes that parameter to be omitted entirely. Useful with conditional defaults: mode: "{{ item.mode | default(omit) }}".
Q: What module gathers facts by default at the start of each play?
A: ansible.builtin.setup (called automatically by gather_facts: true).
Q: How do you disable automatic fact gathering?
A: Set gather_facts: false at the play level.
Q: What are custom/local facts?
A: Facts defined by files placed in /etc/ansible/facts.d/ on managed hosts. Files must end in .fact and can be JSON, INI, or executables that output JSON.
Q: Under what namespace are custom local facts accessible?
A: ansible_local -- e.g., ansible_local.custom_fact_name.key.
Q: If you create a custom fact in the same play, how do you access it?
A: You must explicitly re-run the setup module to refresh facts: ansible.builtin.setup: filter=ansible_local.
Q: What are the gather_subset and gather_timeout options?
A: gather_subset limits which facts to collect (e.g., network, hardware, virtual, !facter). gather_timeout sets the maximum time for fact gathering.
Q: What is fact caching and what backends are supported?
A: Fact caching stores gathered facts between playbook runs. Backends include jsonfile, redis, memcached, mongodb, and yaml.
Q: What is the exact search order for ansible.cfg files (highest to lowest priority)?
A: (1) ANSIBLE_CONFIG environment variable (pointing to a specific file); (2) ansible.cfg in the current working directory; (3) ~/.ansible.cfg in the user's home directory; (4) /etc/ansible/ansible.cfg.
Q: If both ANSIBLE_CONFIG and a local ansible.cfg exist in the current directory, which wins?
A: ANSIBLE_CONFIG always wins -- it has the highest precedence.
Q: Can individual ansible.cfg settings be overridden by environment variables?
A: Yes, nearly all of them. Each setting has one or more environment variable names, usually ANSIBLE_ followed by the uppercase setting name. Environment variables take precedence over ansible.cfg entries, and command-line options beat both.
Q: What is the naming convention for Ansible environment variable overrides?
A: There is no fully mechanical rule; the authoritative mapping is ansible-config list, which prints every setting with its ini section/key and its env var name(s). Most follow ANSIBLE_ + the uppercase setting name regardless of section: ssh_args in [ssh_connection] becomes ANSIBLE_SSH_ARGS, become in [privilege_escalation] becomes ANSIBLE_BECOME, forks in [defaults] becomes ANSIBLE_FORKS.
Q: Why does Ansible refuse to load an ansible.cfg from a world-writable current directory?
A: This is a security measure introduced in Ansible 2.7. If the current directory is world-writable (e.g. /tmp) and contains an ansible.cfg, Ansible skips that file and prints a warning. An ansible.cfg controls where Ansible loads code from on the control node (library, action_plugins, callback_plugins, module_utils, inventory sources), so a crafted config planted by another local user would run that user's code with the privileges of whoever invokes Ansible. Refusing the file in a directory any local user can write to closes that escalation path.
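The search order and the world-writable check from the two questions above, modelled in Python as an added example; this is not ansible-core's code, only a re-implementation of the documented behaviour. The demo builds a constructed temporary tree (a project directory, a fake home directory and a deliberately missing /etc-style path) and reports which source wins in each case. One modelling assumption is labelled in the code: an explicit ANSIBLE_CONFIG path is honoured without a permission check, since the check guards only the implicit current-directory source; verify that against your ansible-core version.

```python
import os
import stat
import tempfile

DEFAULT_ETC_CFG = "/etc/ansible/ansible.cfg"


def find_ansible_cfg(env, cwd, home, etc_cfg=DEFAULT_ETC_CFG):
    """Pick the ansible.cfg that would be loaded, in the documented order:
    ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg.
    Returns (chosen_path_or_None, warning_or_None). The cwd candidate is dropped
    when cwd is world-writable; the explicit ANSIBLE_CONFIG path is taken as given
    (assumption: only the implicit cwd source is permission-checked)."""
    candidates = []
    warning = None

    from_env = env.get("ANSIBLE_CONFIG")
    if from_env:
        from_env = os.path.expanduser(from_env)
        if os.path.isdir(from_env):  # ANSIBLE_CONFIG may name a directory holding ansible.cfg
            from_env = os.path.join(from_env, "ansible.cfg")
        candidates.append(from_env)

    cwd_cfg = os.path.join(cwd, "ansible.cfg")
    if os.stat(cwd).st_mode & stat.S_IWOTH:  # the "other" write bit is the whole test
        if os.path.exists(cwd_cfg):
            warning = f"ansible.cfg in world-writable directory {cwd} ignored"
    else:
        candidates.append(cwd_cfg)

    candidates.append(os.path.join(home, ".ansible.cfg"))
    candidates.append(etc_cfg)

    for path in candidates:
        if os.path.isfile(path):
            return path, warning
    return None, warning


def _write_stub(path):
    with open(path, "w") as fh:
        fh.write("[defaults]\n")


def demo():
    """Constructed scenario; returns a dict of named outcomes, True when the expected source won."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        project = os.path.join(root, "project")
        home = os.path.join(root, "home")
        os.mkdir(project)
        os.mkdir(home)
        proj_cfg = os.path.join(project, "ansible.cfg")
        home_cfg = os.path.join(home, ".ansible.cfg")
        env_cfg = os.path.join(root, "pinned.cfg")
        missing_etc = os.path.join(root, "no-such-etc.cfg")  # stands in for an absent /etc config
        for path in (proj_cfg, home_cfg, env_cfg):
            _write_stub(path)

        os.chmod(project, 0o755)
        results["cwd_wins_when_safe"] = find_ansible_cfg({}, project, home, missing_etc) == (proj_cfg, None)

        os.chmod(project, 0o777)  # now world-writable, like /tmp
        chosen, warn = find_ansible_cfg({}, project, home, missing_etc)
        results["cwd_skipped_when_world_writable"] = chosen == home_cfg and warn is not None

        results["env_beats_everything"] = (
            find_ansible_cfg({"ANSIBLE_CONFIG": env_cfg}, project, home, missing_etc)[0] == env_cfg
        )
        # Explicitly pointing ANSIBLE_CONFIG at the world-writable directory still loads it (assumption above).
        results["env_dir_not_permission_checked"] = (
            find_ansible_cfg({"ANSIBLE_CONFIG": project}, project, home, missing_etc)[0] == proj_cfg
        )
        os.chmod(project, 0o755)  # restore so the temporary tree cleans up normally
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'UNEXPECTED'}")
```

The practical lesson is the last case: the protection covers only the implicit lookup, so a wrapper script that exports ANSIBLE_CONFIG from a shared or user-writable location re-opens exactly the hole the check was meant to close.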
Q: List all 22 variable precedence levels from lowest to highest.
A: 1. command line values (e.g., -u my_user -- these are NOT extra vars) 2. role defaults (roles/x/defaults/main.yml) 3. inventory file or script group vars 4. inventory group_vars/all 5. playbook group_vars/all 6. inventory group_vars/ 7. playbook group_vars/ 8. inventory file or script host vars 9. inventory host_vars/ 10. playbook host_vars/ 11. host facts / cached set_facts 12. play vars 13. play vars_prompt 14. play vars_files 15. role vars (roles/x/vars/main.yml) 16. block vars (only for tasks in the block) 17. task vars (only for the task) 18. include_vars 19. set_facts / registered vars 20. role parameters (roles listed in play with vars:) 21. include parameters 22. extra vars (-e / --extra-vars) -- ALWAYS WIN
Q: What is the single most important thing to remember about extra vars (-e)?
A: Extra vars always win. They have the highest precedence of any variable source and cannot be overridden by anything else. This makes them useful for emergency overrides but dangerous if overused.
Q: What is the difference between role defaults and role vars in terms of precedence?
A: Role defaults (defaults/main.yml) are level 2 -- the second-lowest precedence, designed to be easily overridden. Role vars (vars/main.yml) are level 15 -- much higher precedence, intended for values that should NOT be easily overridden by inventory or group/host vars.
Q: Where do set_facts and registered variables fall in the precedence order?
A: Level 19 -- very high, above include_vars, block vars, task vars, and role vars. Only role parameters, include parameters, and extra vars can override them.
Q: A variable is defined in playbook group_vars/all and also in inventory group_vars/webservers. Which wins?
A: The inventory group_vars/webservers (level 6) wins over playbook group_vars/all (level 5). In the documented order both "all" group sources (levels 4 and 5) sit below both specific-group sources (levels 6 and 7), so a specific group always beats all, and for the same scope the playbook-adjacent directory beats the inventory-adjacent one. Within a single level, values from child groups override values from parent groups (tunable with ansible_group_priority).
Q: If you set a fact with set_fact and also define the same variable as a role parameter, which wins?
A: Role parameters (level 20) win over set_facts (level 19).
Q: Can you override an extra var with set_fact?
A: No. Extra vars (level 22) always have the highest precedence. set_fact (level 19) cannot override them.
Q: What are "magic variables" in Ansible?
A: Variables automatically set by Ansible that provide information about the current play, host, and inventory. They cannot be set by the user directly and are always available during execution.
Q: What does the hostvars magic variable contain?
A: A dictionary of all variables for every host in the inventory, keyed by hostname. You can access another host's variables with hostvars['other_host']['variable_name'], even from a different play or role.
Q: What does the groups magic variable contain?
A: A dictionary mapping every group name in the inventory to a list of hosts in that group. For example, groups['webservers'] returns all hosts in the webservers group.
Q: What is the difference between inventory_hostname and ansible_hostname?
A: inventory_hostname is the name of the host as defined in the inventory file (set before any connection to the host). ansible_hostname is the actual hostname discovered from the remote machine via fact gathering (it comes from the OS).
Q: What is inventory_hostname_short?
A: The first part of inventory_hostname before the first dot. For example, if inventory_hostname is "web01.example.com", then inventory_hostname_short is "web01".
Q: What does group_names contain?
A: A list of all groups the current host belongs to. It always reflects the inventory_hostname and is not affected by delegation.
Q: What is the difference between ansible_play_hosts and ansible_play_hosts_all?
A: ansible_play_hosts contains only hosts still active (not failed). ansible_play_hosts_all contains all hosts originally targeted by the play, regardless of failures.
Q: What does ansible_check_mode contain?
A: A boolean (True/False) indicating whether the current playbook run is in check mode (--check). Useful for conditionally skipping tasks that don't support check mode.
Q: What is ansible_version?
A: A dictionary containing Ansible version information, including 'full' (e.g., "2.16.0"), 'major', 'minor', and 'revision' keys.
Q: What is ansible_run_tags and ansible_skip_tags?
A: ansible_run_tags contains the list of tags specified with --tags. ansible_skip_tags contains the list of tags specified with --skip-tags. Both are available to conditionals.
Q: What is role_path?
A: A magic variable available inside roles that contains the absolute path to the currently executing role's directory. Useful for referencing files relative to the role.
Q: What is playbook_dir?
A: The absolute path to the directory containing the playbook that was originally invoked by ansible-playbook.
Q: What does ansible_search_path contain?
A: The current search path for file lookups, templates, and other file-based operations. It includes the playbook directory, role directories, and any paths added via the roles_path configuration.
Q: What is ansible_facts?
A: A dictionary containing all facts gathered about the current host (previously accessed via ansible_* variables). Since Ansible 2.5, the recommended way to access facts is ansible_facts['os_family'] rather than ansible_os_family.
Q: What is ansible_local?
A: Facts defined in local .fact files placed in /etc/ansible/facts.d/ on the managed host. These are custom facts that persist on the target machine and are gathered automatically.
7. Jinja2 Templating & Filters¶
Q: What is Jinja2 in the context of Ansible?
A: The templating engine Ansible uses for dynamic content generation in templates and playbooks. It allows variables, filters, loops, and conditionals.
Q: What file extension is used for Jinja2 templates?
A: .j2 (e.g., nginx.conf.j2)
Q: How do you use variables in Jinja2 templates?
A: {{ variable_name }} for variable substitution.
Q: How do you write a conditional in Jinja2?
A: {% if condition %} ... {% elif condition %} ... {% else %} ... {% endif %}
Q: How do you write a loop in Jinja2?
A: {% for item in list %} {{ item }} {% endfor %}
Q: What are Jinja2 filters?
A: Functions that transform data. Examples: {{ var | default('fallback') }}, {{ list | join(',') }}, {{ string | upper }}, {{ data | to_json }}, {{ data | to_nice_yaml }}.
Q: What does the default filter do?
A: Provides a fallback value if the variable is undefined: {{ var | default('fallback_value') }}
Q: What does the password_hash filter do?
A: Generates crypt(3)-style password hashes for the user module's password parameter: {{ 'password' | password_hash('sha512', 'salt') }}. If the salt is omitted a random one is generated, so the hash changes on every run and the user task reports changed each time; pass a fixed salt (ideally from a vaulted variable) or set update_password: on_create if you need stable runs. The filter needs either the Python crypt module or passlib on the control node; passlib is required on newer Python versions where crypt has been removed.
Q: Why do you always use {{ }} in Ansible except in when clauses?
A: The when clause (like failed_when, changed_when, until and the assert module's that list) is already evaluated as a raw Jinja2 expression, so wrapping it in braces nests a template inside a template; Ansible warns about this and the result can be mis-evaluated. Everywhere else, braces are required to distinguish a variable from a plain string.
Q: What Jinja2 filter returns a default value when a variable is undefined?
A: default() or d() -- e.g., {{ var | default('fallback') }}.
Q: What does the combine filter do?
A: Merges two or more dictionaries: {{ dict1 | combine(dict2) }}. Later dictionaries override earlier ones for duplicate keys.
Q: What does the map filter do with the attribute keyword?
A: Extracts a specific attribute from each item in a list: {{ users | map(attribute='name') | list }}.
Q: How do selectattr and rejectattr work?
A: They filter a list of objects based on an attribute's value: {{ users | selectattr('active', 'equalto', true) | list }} returns only users where active is true.
Q: What is the ternary filter?
A: A conditional filter: {{ condition | ternary('true_value', 'false_value') }}.
Q: What does regex_replace do?
A: Performs regex substitution: {{ 'hello-world' | regex_replace('-', '_') }} produces hello_world.
Q: What is the to_json and from_json filter pair used for?
A: to_json serializes a Python object to a JSON string. from_json parses a JSON string into a Python data structure.
Q: What does the hash filter do?
A: Computes a plain message digest of a string: {{ 'password' | hash('sha512') }} (also md5, sha1, sha256). The result is an unsalted hex digest, not a crypt(3) hash, so it must never be used for system password fields; use password_hash for those. Typical uses are checksums and stable derived identifiers.
Q: What is the ipaddr filter?
A: A network-focused filter from ansible.utils that validates and manipulates IP addresses: {{ '192.168.1.0/24' | ipaddr('network') }}.
Q: What is the "Norway Problem" in YAML, and how does it affect Ansible?
A: In YAML 1.1 (which Ansible uses), the string "NO" is interpreted as boolean false. This means the country code for Norway becomes false if unquoted. Similarly, "YES" becomes true and "OFF" becomes false. The fix is to always quote strings that could be misinterpreted as booleans.
Q: List all the string values that YAML 1.1 interprets as boolean true.
A: true, True, TRUE, yes, Yes, YES, on, On, ON.
Q: List all the string values that YAML 1.1 interprets as boolean false.
A: false, False, FALSE, no, No, NO, off, Off, OFF.
Q: What is the YAML octal number gotcha?
A: YAML 1.1 interprets numbers starting with 0 as octal. So 0777 is fine (it's an intentional octal for file permissions), but 0123 becomes decimal 83 -- not 123 as you might expect. If you mean the string "0123" or the integer 123, you must quote it or remove the leading zero.
Q: How does the YAML octal gotcha specifically bite Ansible users?
A: Most commonly with file permission modes. Writing mode: 0644 works as expected because 0644 octal is what you want. But writing mode: 644 (no leading zero) gives you decimal 644, which is octal 1204 -- not what you wanted. Best practice: always quote file modes as strings: mode: "0644".
Q: What happens if you write version: 1.0 in YAML without quotes?
A: YAML interprets it as the floating-point number 1.0, not the string "1.0". This can cause issues when version strings need to remain as strings. Always quote version numbers.
Q: What happens with port: 22 vs port: "22" in Ansible YAML?
A: port: 22 creates an integer. port: "22" creates a string. Most Ansible modules handle this transparently, but some modules or Jinja2 operations are type-sensitive and may behave differently.
Q: What YAML multiline syntax options does Ansible support, and what are the key differences?
A: (1) Literal block scalar (|) -- preserves newlines exactly as written. (2) Folded block scalar (>) -- folds newlines into spaces (paragraph-style). Both support + (keep trailing newline) and - (strip trailing newline) modifiers.
Q: What is the "naked variable" gotcha in Ansible YAML?
A: If a variable reference is the entire value (e.g., var: {{ some_var }}), YAML may parse it as a dictionary if the value looks like a mapping. The fix is to always quote full-line Jinja2 expressions: var: "{{ some_var }}".
Q: What ansible-lint rule catches boolean value problems in YAML?
A: The yaml[truthy] rule. It flags bare truthy values (yes/no/on/off) and recommends using true/false instead for clarity and YAML 1.2 forward-compatibility.
Q: Why is YAML 1.2 relevant to Ansible's future?
A: YAML 1.2 drops the boolean interpretation of yes/no/on/off (only true/false are booleans) and changes octal syntax from 0777 to 0o777. If Ansible ever migrates from PyYAML (YAML 1.1) to a YAML 1.2 parser, many playbooks using yes/no values would break.
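The YAML 1.1 behaviour behind the Norway, octal and version gotchas above, as an added example (not the compendium's code and not PyYAML's or Ansible's own resolver): a simplified re-implementation of PyYAML's implicit tag rules for unquoted scalars, plus a small check that reports which values in a mapping would silently change type. Simplifications assumed here: null, sexagesimal numbers, .inf/.nan and timestamps are left out.

```python
"""YAML 1.1 implicit typing, the root of the Norway, octal and version gotchas.

Added illustration, not code from the compendium or from Ansible/PyYAML: a
simplified re-implementation of the implicit tag resolution that a YAML 1.1
parser such as PyYAML (which Ansible uses) applies to *unquoted* plain scalars.
Omitted for brevity: null, sexagesimal ints/floats, .inf/.nan and timestamps.
A quoted scalar is always a string, which is why quoting is the standard fix.
"""
import re

# Patterns follow the YAML 1.1 core types PyYAML resolves implicitly.
BOOL_RE = re.compile(
    r"^(?:yes|Yes|YES|no|No|NO|true|True|TRUE|false|False|FALSE"
    r"|on|On|ON|off|Off|OFF)$"
)
INT_RE = re.compile(
    r"^(?:[-+]?0b[0-1_]+"          # binary
    r"|[-+]?0[0-7_]+"              # leading zero => OCTAL (the mode gotcha)
    r"|[-+]?(?:0|[1-9][0-9_]*)"    # decimal
    r"|[-+]?0x[0-9a-fA-F_]+)$"     # hex
)
FLOAT_RE = re.compile(
    r"^(?:[-+]?(?:[0-9][0-9_]*)\.[0-9_]*(?:[eE][-+][0-9]+)?"
    r"|\.[0-9_]+(?:[eE][-+][0-9]+)?)$"
)
TRUE_WORDS = {"yes", "true", "on"}


def resolve_plain_scalar(text):
    """Return the Python value a YAML 1.1 parser gives the unquoted scalar `text`."""
    if BOOL_RE.match(text):
        return text.lower() in TRUE_WORDS          # "NO" -> False, "ON" -> True
    if INT_RE.match(text):
        digits = text.replace("_", "")
        sign = -1 if digits.startswith("-") else 1
        digits = digits.lstrip("+-")
        if digits.startswith("0b"):
            return sign * int(digits[2:], 2)
        if digits.startswith("0x"):
            return sign * int(digits[2:], 16)
        if len(digits) > 1 and digits.startswith("0"):
            return sign * int(digits, 8)           # "0123" -> 83, "0777" -> 511
        return sign * int(digits, 10)              # "644" -> 644 (which is octal 1204)
    if FLOAT_RE.match(text):
        return float(text.replace("_", ""))        # "1.0" -> 1.0, no longer a string
    return text                                    # anything else stays a string


def surprising_values(mapping):
    """Report entries whose unquoted value would be coerced to a non-string type.

    `mapping` is {key: value_as_typed_in_the_playbook}. The result maps each
    affected key to (resolved_value, type_name); an empty dict means every
    value survives as the literal text. This is the kind of check behind the
    yaml[truthy] lint rule and the "quote your modes and versions" advice.
    """
    findings = {}
    for key, raw in mapping.items():
        resolved = resolve_plain_scalar(raw)
        if not isinstance(resolved, str):
            findings[key] = (resolved, type(resolved).__name__)
    return findings


if __name__ == "__main__":
    # Constructed sample of unquoted values as someone might type them in vars.
    sample = {"country": "NO", "mode": "0123", "perm": "644", "version": "1.0",
              "port": "22", "name": "Norway", "zip": "089"}
    for key, (value, kind) in surprising_values(sample).items():
        print(f"{key}: typed {sample[key]!r}, parsed as {kind} {value!r}")
```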
Q: What is the relationship between Jinja2's built-in filters and Ansible's filters?
A: Ansible supports all standard Jinja2 filters (e.g., default, join, length, upper, lower, replace) PLUS Ansible-specific filters (e.g., to_yaml, to_json, from_json, ipaddr, regex_search, vault, combine). Users can also create custom filter plugins.
Q: Name five Jinja2 built-in filters commonly used in Ansible playbooks.
A: (1) default(value) -- provides a fallback if variable is undefined; (2) join(separator) -- joins list items; (3) length -- returns count of items; (4) upper/lower -- case conversion; (5) replace(old, new) -- string replacement.
Q: Name five Ansible-specific filters not found in stock Jinja2.
A: (1) to_yaml / to_nice_yaml -- convert to YAML; (2) to_json / to_nice_json -- convert to JSON; (3) from_json / from_yaml -- parse JSON/YAML strings; (4) ipaddr -- IP address manipulation (now in ansible.utils); (5) regex_search / regex_replace -- regex operations; (6) combine -- merge dictionaries; (7) hash / password_hash -- cryptographic hashing.
Q: What collection is the ipaddr filter now in, and why?
A: ansible.utils collection. It was moved there during the collections migration because it depends on the netaddr Python library, which is not part of ansible-core's dependencies.
Q: How do you create a custom Jinja2 filter for Ansible?
A: Create a Python file in a filter_plugins/ directory relative to your playbook or role, or in a path specified by ANSIBLE_FILTER_PLUGINS. Define a class with a filters() method that returns a dictionary mapping filter names to Python functions.
Q: What does the combine filter do, and why is it so useful?
A: It merges two or more dictionaries. With recursive=True, it does deep merging. This is essential for combining default values with overrides in complex variable structures. Example: {{ defaults | combine(overrides, recursive=True) }}.
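The difference between a plain and a recursive=True merge, shown on a defaults/overrides pair, as an added example (a re-implementation of the documented combine semantics, not the compendium's code or ansible-core's filter). The sample data is constructed; the point it makes is that a shallow merge of a partial override silently drops the other hardening keys under the same parent.

```python
from copy import deepcopy


def combine(*dicts, recursive=False):
    """Merge dictionaries left to right, later ones winning.

    Mirrors the behaviour the combine filter is described with: top-level
    keys are replaced wholesale by default; with recursive=True nested dicts
    are merged key by key. (Added illustration, not ansible-core's code.)
    """
    result = {}
    for d in dicts:
        for key, value in d.items():
            if recursive and isinstance(result.get(key), dict) and isinstance(value, dict):
                result[key] = combine(result[key], value, recursive=True)
            else:
                result[key] = deepcopy(value)   # copy so callers' inputs stay untouched
    return result


# Constructed sample: role defaults with hardening settings, and a user
# override that only wants to move the port.
DEFAULTS = {
    "sshd": {"port": 22, "password_authentication": False, "permit_root_login": False},
    "packages": ["openssh-server"],
}
OVERRIDES = {
    "sshd": {"port": 2222},
}


def shallow_merge():
    """{{ DEFAULTS | combine(OVERRIDES) }}: the whole sshd dict is replaced,
    so password_authentication and permit_root_login disappear."""
    return combine(DEFAULTS, OVERRIDES)


def deep_merge():
    """{{ DEFAULTS | combine(OVERRIDES, recursive=True) }}: only port changes,
    the hardening defaults survive."""
    return combine(DEFAULTS, OVERRIDES, recursive=True)


if __name__ == "__main__":
    print("shallow:", shallow_merge()["sshd"])
    print("recursive:", deep_merge()["sshd"])
```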
Q: What does the mandatory filter do?
A: It forces a variable to be defined. If the variable is undefined, the playbook fails with a clear error message instead of silently using an empty value. Usage: {{ my_var | mandatory }}.
Q: What does {{ list | map('extract', dict) }} do?
A: It uses each item in list as a key to look up values in dict, returning the corresponding values. This is a powerful pattern for transforming lists of keys into lists of values.
Q: What filter would you use to base64-encode a string in Ansible?
A: {{ my_string | b64encode }} to encode, {{ my_string | b64decode }} to decode.
Q: How do you generate a password hash suitable for /etc/shadow in Ansible?
A: Use the password_hash filter: {{ 'mypassword' | password_hash('sha512', 'mysalt') }}. Supported algorithms include sha256, sha512, and blowfish.
8. Conditionals, Loops & Flow Control¶
Q: How do you write a conditional task in Ansible?
A: Use the when keyword: when: ansible_os_family == "Debian"
Q: How do you loop over a list of items?
A: Use the loop keyword: loop: [httpd, git, curl] and reference {{ item }} in the task.
Q: What is the difference between with_items and loop?
A: with_items is the legacy syntax for looping. loop is the modern, preferred keyword with cleaner syntax and more advanced features.
Q: What is the block keyword?
A: Groups multiple tasks together as a single logical unit. Allows applying common attributes (like when, become) and error handling to the group.
Q: What are block, rescue, and always?
A: block groups tasks. rescue handles failures (like catch). always executes regardless of outcome (like finally). Together they implement try-catch-finally error handling.
Q: What is ignore_errors?
A: Setting ignore_errors: yes allows a playbook to continue execution even if the task fails.
Q: What does changed_when do?
A: Overrides when Ansible considers a task as "changed." Useful for command/shell tasks where you want to control change reporting: changed_when: result.rc != 0
Q: What does failed_when do?
A: Overrides when Ansible considers a task as "failed." Allows custom failure conditions: failed_when: "'ERROR' in result.stdout"
Q: What does no_log: true do?
A: Suppresses task input/output from being logged, preventing sensitive data from appearing in logs.
Q: What is delegate_to?
A: Runs a task on a different host than the current play target. Useful for orchestration like removing a host from a load balancer before updating it.
Q: What is run_once?
A: Ensures a task executes only once across all hosts, even in a multi-host play. Often combined with delegate_to.
Q: How do you run tasks asynchronously?
A: Use async: <seconds> to set max runtime and poll: <seconds> to set check interval. poll: 0 means fire-and-forget.
Q: What is include_tasks vs import_tasks?
A: include_tasks is dynamic (processed at runtime, supports conditionals and loops). import_tasks is static (processed at parse time, no runtime conditionals but better for pre-validation).
Q: What does delegate_to do?
A: Runs a task on a different host than the current target, while still using the original host's variables and facts.
Q: What tasks cannot be delegated?
A: include, add_host, and debug tasks.
Q: What does run_once: true do?
A: Executes the task on only one host in the play, regardless of how many hosts are targeted. Typically runs on the first host in the batch.
Q: What happens when run_once is combined with serial?
A: The task runs once per serial batch, not once for the entire play.
Q: How does serial support rolling updates?
A: It limits how many hosts are updated at a time: serial: 2 updates two hosts at a time. It can also be a list: serial: [1, 5, 10] for gradual rollout.
Q: Can serial be expressed as a percentage?
A: Yes: serial: "25%" processes 25% of hosts per batch.
Q: What does throttle do?
A: Limits the number of concurrent workers for a specific task or block, independent of forks and serial. Cannot exceed the forks setting.
Q: What is order at the play level?
A: Controls host execution order: inventory (default), reverse_inventory, sorted, reverse_sorted, shuffle.
Q: What is the fundamental difference between import_* and include_*?
A: import_* is static -- processed at playbook parse time. include_* is dynamic -- processed at runtime when the task is encountered. This affects tag inheritance, when evaluation, and loop behavior.
Q: Can you use when conditions with import_tasks?
A: Yes, but the condition is applied to every task inside the imported file, not to the import itself. This is a common gotcha.
Q: Can you loop over import_tasks?
A: No. Loops only work with include_tasks. Import is static and cannot be looped.
Q: What is import_role vs include_role?
A: import_role statically includes the role at parse time (tags and conditions propagate). include_role dynamically includes it at runtime (more flexible but tags don't propagate the same way).
Q: What is the Ansible equivalent of try/catch/finally?
A: block/rescue/always. block contains the tasks to try, rescue runs if block fails, always runs regardless.
Q: What types of errors do NOT trigger the rescue block?
A: Invalid task definitions (syntax errors) and unreachable hosts. Only task execution failures trigger rescue.
Q: What is the difference between ignore_errors: true and using a rescue block?
A: ignore_errors marks a failed task as "ok" and continues unconditionally. rescue provides structured error handling -- you can run specific recovery tasks, log failures, or take corrective action.
Q: What is any_errors_fatal and when would you use it?
A: When set to true at the play level, if ANY host fails a task, all hosts in the play are immediately marked as failed and execution stops. Useful for critical tasks where partial success is dangerous (e.g., database migrations).
9. Handlers¶
Q: What is a handler in Ansible?
A: A special task that only runs when notified by another task via the notify directive. Commonly used for service restarts after configuration changes.
Q: How do handlers differ from regular tasks?
A: Handlers only execute when explicitly notified and only run once at the end of a play (or when meta: flush_handlers is called), even if notified multiple times.
Q: What is the notify keyword?
A: Used in a task to trigger a handler by name when the task reports a change.
Q: What is the listen keyword in handlers?
A: Allows multiple handlers to respond to a generic topic name, enabling grouped handler execution from a single notify.
Q: When do handlers execute?
A: At the end of each play, after all tasks have completed. You can force earlier execution with meta: flush_handlers.
Q: How do you force handlers to run mid-play?
A: Use the meta: flush_handlers task.
Q: What happens if a handler is notified multiple times?
A: It runs only once, regardless of how many tasks notified it.
Q: Can handlers notify other handlers?
A: Yes. Handlers can contain notify directives to trigger other handlers, creating a chain.
Q: What is listen in handlers?
A: A way to group handlers under a topic name. Multiple handlers can listen to the same topic, and notifying the topic triggers all listening handlers.
10. Roles & Collections¶
Q: What is an Ansible role?
A: A structured way to organize playbooks into reusable, modular components following a standard directory structure containing tasks, handlers, templates, files, variables, and metadata.
Q: What is the standard role directory structure?
A: tasks/main.yml (core tasks), handlers/main.yml (triggered actions), defaults/main.yml (default variables, lowest precedence), vars/main.yml (role variables, higher precedence), files/ (static files), templates/ (Jinja2 templates), meta/main.yml (role metadata and dependencies), tests/ (test playbooks).
Q: What is the difference between defaults/main.yml and vars/main.yml?
A: defaults has the lowest variable precedence and is meant to be overridden by users. vars has higher precedence and contains internal variables that should not normally be overridden.
Q: How do you create a new role skeleton?
A: ansible-galaxy init role_name creates the standard directory structure.
Q: How do you specify role dependencies?
A: In meta/main.yml under the dependencies key, listing other roles that must execute first.
Q: When should you use a role vs a simple task file?
A: Use roles for reusable, well-organized automation with standard layouts shared across projects. Task files suffice for simple, lightweight, one-off automation.
Q: How do you include roles in a playbook?
A: Using the roles: keyword in a play, or dynamically with include_role or import_role.
Q: What is Ansible Galaxy?
A: A community hub (website and CLI tool) for finding, sharing, and installing reusable Ansible roles and collections.
Q: How do you install a role from Galaxy?
A: ansible-galaxy install username.role_name
Q: How do you install roles from a requirements file?
A: ansible-galaxy install -r requirements.yml
Q: What is an Ansible Collection?
A: A distribution format that packages roles, modules, plugins, playbooks, and documentation together. More comprehensive than individual roles.
Q: What is a Fully Qualified Collection Name (FQCN)?
A: The format namespace.collection.module_name used to reference content within collections (e.g., community.general.docker_container).
Q: How do you install a collection?
A: ansible-galaxy collection install namespace.collection_name
Q: What is a collection namespace?
A: A unique name prefix that organizes collections and prevents naming conflicts between different authors.
Q: What is the standard directory structure of an Ansible role?
A: tasks/, handlers/, defaults/, vars/, files/, templates/, meta/, library/, module_utils/, lookup_plugins/, and optionally tests/.
Q: What is the difference between roles/x/defaults/ and roles/x/vars/?
A: Defaults have the lowest variable precedence (easily overridden). Vars have much higher precedence and are difficult to override without extra-vars or set_fact.
Q: What does meta/main.yml in a role contain?
A: Role metadata: dependencies, minimum Ansible version, supported platforms, Galaxy metadata (author, license, description, tags).
Q: What is the standard collection directory structure?
A: galaxy.yml, plugins/ (modules, filter, lookup, inventory, callback, etc.), roles/, playbooks/, docs/, meta/runtime.yml, tests/.
Q: What does meta/runtime.yml in a collection do?
A: Defines routing information: module/plugin redirects, deprecations, and tombstones for backward compatibility.
Q: What cannot collection role names contain?
A: Hyphens. When migrating roles to collections, hyphens must be replaced with underscores.
Q: How do you install a collection from a specific Git repository?
A: ansible-galaxy collection install git+https://github.com/org/repo.git,branch_or_tag
Q: What is collections: at the play level?
A: A list of collections to search for modules/plugins, allowing short names instead of FQCNs within that play.
Q: What is the default Ansible Galaxy server URL?
A: https://galaxy.ansible.com
Q: How do you install collections from a requirements file?
A: ansible-galaxy collection install -r requirements.yml
Q: What is the ansible-galaxy collection verify command?
A: It verifies that installed collection files match the Galaxy server's signatures and checksums, detecting tampering or corruption.
Q: Can you install collections from a tarball?
A: Yes: ansible-galaxy collection install /path/to/collection-1.0.0.tar.gz
Q: Before Ansible 2.10, how was all community-contributed content structured?
A: Everything -- thousands of modules, plugins, and roles -- lived in a single monolithic GitHub repository (ansible/ansible). This made Ansible an outlier among open-source projects.
Q: Why was the monolithic repo problematic?
A: The core dev team was burdened with thousands of issues and PRs for thousands of components they could not even test. It slowed releases, made testing unwieldy, and prevented module maintainers from releasing independently.
Q: What is a Fully Qualified Collection Name (FQCN), and why does it matter post-migration?
A: An FQCN is the complete namespace.collection.module_name identifier (e.g., ansible.builtin.copy, community.general.docker_container). After the migration, FQCNs became the authoritative way to specify which collection a module comes from, preventing ambiguity when multiple collections provide similarly-named modules.
Q: What happens if you use a short module name (e.g., "copy") instead of the FQCN in a post-2.10 playbook?
A: Ansible resolves it using the collections keyword search path or falls back to ansible.builtin. It still works for built-in modules, but using short names for collection modules is ambiguous and deprecated behavior. Best practice is always FQCN.
Q: Name five major collections that were extracted from the monolithic Ansible repo during the migration.
A: (1) community.general -- miscellaneous modules that didn't fit elsewhere; (2) community.network -- network device modules; (3) community.crypto -- cryptographic modules; (4) community.docker -- Docker modules; (5) community.mysql -- MySQL modules; (6) amazon.aws / community.aws -- AWS modules; (7) ansible.posix -- POSIX-specific modules; (8) ansible.windows -- Windows modules.
Q: What is the "routing" configuration in the context of collections migration?
A: Routing configuration (meta/routing.yml) in a collection defines redirects and tombstones for modules/plugins that have moved or been removed. It helps Ansible resolve old short names to new FQCNs and displays deprecation/removal warnings.
Q: What is a "tombstone" entry in Ansible's collection routing?
A: When a module has been deprecated and then fully removed, a tombstone entry is placed in the routing config. Instead of the module code, users see a message directing them to the replacement module or collection.
Q: What is the deprecation cycle length in ansible-core for features?
A: Features are deprecated across 4 feature releases and normally removed in the 4th release after deprecation. For example, something deprecated in 2.10 would be removed in 2.14.
Q: What is the difference between a Galaxy role and a Galaxy collection?
A: A role is a structured set of tasks, handlers, vars, templates, and files for a specific purpose. A collection is a broader distribution format that can contain roles, modules, plugins, playbooks, and documentation -- it is the modern packaging standard post-2.10.
Q: What file must exist in the root of an Ansible Galaxy role for it to be recognized?
A: A meta/main.yml file containing role metadata (author, description, license, platforms, dependencies, galaxy_info).
Q: What command initializes a new role skeleton?
A: ansible-galaxy role init my_role_name
Q: What command initializes a new collection skeleton?
A: ansible-galaxy collection init namespace.collection_name
Q: What is the namespace.collection format, and why does it matter?
A: Collections use a two-part name: namespace.collection (e.g., ansible.builtin, community.general, amazon.aws). The namespace prevents naming collisions and identifies the maintainer or organization.
Q: What is the galaxy.yml file in a collection?
A: The collection manifest file containing metadata: namespace, name, version, authors, description, license, dependencies on other collections, repository URL, and required Ansible version.
Q: How do you install a specific version of a collection?
A: ansible-galaxy collection install community.general:==5.0.0 or use a requirements.yml file with version pinning.
Q: What is a requirements.yml file for Galaxy?
A: A YAML file listing roles and/or collections with optional version constraints to install. Example:
Q: What is the Red Hat Certified Specialist in Ansible Automation exam called?
A: EX374 -- Red Hat Certified Specialist in Developing Automation with Ansible Automation Platform. There is also EX467 for older Tower-specific content.
Q: What is the difference between ansible-dev-tools and ansible-core?
A: ansible-core is the automation engine itself. ansible-dev-tools is a meta-package bundling development and testing tools: ansible-lint, molecule, ansible-navigator, ansible-builder, ansible-creator, and more.
Q: What is ansible-creator?
A: A scaffolding tool that generates new Ansible content projects (collections, roles, playbooks) with best-practice directory structures and boilerplate.
Q: What Python package manager does Ansible recommend for installation?
A: pip (pipx for isolated installations). The recommended approach is pipx install ansible or pip install ansible in a virtual environment.
11. Ansible Vault & Security¶
Q: What is Ansible Vault?
A: A feature for encrypting sensitive data (passwords, API keys, certificates) within Ansible files and variables, using AES256 encryption.
Q: How do you create an encrypted file?
A: ansible-vault create secrets.yml
Q: How do you encrypt an existing file?
A: ansible-vault encrypt existing_file.yml
Q: How do you decrypt a file?
A: ansible-vault decrypt secrets.yml
Q: How do you edit an encrypted file?
A: ansible-vault edit secrets.yml
Q: How do you view an encrypted file without decrypting?
A: ansible-vault view secrets.yml
Q: How do you encrypt a single string variable?
A: ansible-vault encrypt_string 'secret_value' --name 'variable_name'
Q: How do you run a playbook that uses vault-encrypted files?
A: ansible-playbook playbook.yml --ask-vault-pass (interactive) or --vault-password-file /path/to/password-file (automated).
Q: What are Vault IDs?
A: Labels that allow using multiple vault passwords in a single playbook run, enabling different encryption keys for different secrets.
Q: How do you reference vault-encrypted variables in a playbook?
A: Include the encrypted file with vars_files: - secrets.yml and reference variables normally with {{ variable_name }}.
Q: What does become do?
A: Enables privilege escalation (like sudo) to run tasks with elevated permissions.
Q: What is become_user?
A: Specifies which user to escalate to (default is root).
Q: What is become_method?
A: Specifies the escalation method (default is sudo). Other options: su, pbrun, pfexec, doas, dzdo.
Q: How do you specify the SSH user for Ansible?
A: Via CLI with -u username, in inventory with ansible_user=username, or in playbooks/ansible.cfg.
Q: How do you set up a jump host (bastion) in Ansible?
A: Configure ProxyJump in SSH config, or use ansible_ssh_common_args: '-o ProxyJump=jump_host' in inventory/playbooks.
Q: How do you securely manage control node credentials?
A: Use SSH key agents, keep credentials out of playbooks, use Ansible Vault for encryption, set no_log: true for sensitive tasks, and limit control node access.
Q: How do you handle external secret lookups?
A: Use lookup plugins for cloud secret managers (aws_ssm, hashi_vault), or integrate with HashiCorp Vault, AWS Secrets Manager, etc.
Q: What encryption algorithm does Ansible Vault use?
A: AES-256 in CTR mode with HMAC-SHA256 authentication.
Q: What is ansible-vault encrypt_string?
A: A command that encrypts a single string value inline, which can be embedded directly in a YAML file alongside unencrypted variables.
Q: Can you use multiple vault passwords in a single playbook run?
A: Yes. Pass multiple --vault-id options: ansible-playbook --vault-id dev@dev_pass --vault-id prod@prod_pass site.yml.
Q: What does ansible-vault rekey do?
A: Changes the encryption password on vault-encrypted files. Useful for password rotation. Can also change the vault ID with --new-vault-id.
Q: Can you encrypt only specific variables in a file?
A: Yes, using ansible-vault encrypt_string to create inline encrypted values within an otherwise plaintext YAML file.
Q: How do you use a script to provide vault passwords?
A: Pass an executable script as the password source: --vault-id label@/path/to/script.py. The script must output the password to stdout.
Q: What is ansible-vault encrypt_string used for?
A: It encrypts a single string value (rather than an entire file) for embedding directly in a YAML file as an inline encrypted variable. This lets you mix encrypted and plain-text variables in the same file.
Q: Can Ansible Vault encrypt an entire directory?
A: No. Vault operates on individual files. You must encrypt each file separately or use encrypt_string for individual variables.
Q: What is a Vault ID, and why would you use multiple?
A: A Vault ID labels an encrypted value with a name (e.g., "dev", "prod"), allowing different passwords for different environments. You can then pass multiple --vault-id arguments to decrypt values from different vaults in a single playbook run.
Q: What does no_log: true do, and how does it relate to Vault?
A: no_log: true prevents a task's input/output from being logged or displayed. This is critical for tasks that handle decrypted secrets -- Vault protects data at rest, but no_log protects data during execution output.
Q: What is the security warning about Vault and "data at rest" vs. "data in use"?
A: Vault ONLY protects data at rest (on disk). Once decrypted during play execution, secrets are in memory and potentially in logs. Play authors must use no_log to prevent disclosure during task execution.
Q: What are Ansible's default privilege escalation methods?
A: sudo (default), su, pbrun, pfexec, doas, dzdo, ksu, runas (Windows), enable (network), machinectl (systemd).
Q: What is the security risk of using shell or command modules with user-supplied variables?
A: Command injection. If variables are interpolated into command strings without proper quoting/validation, an attacker could inject arbitrary commands. Prefer purpose-built modules over shell/command when possible.
Q: What does the --ask-vault-pass flag do?
A: Prompts the user to enter the Vault password at runtime instead of storing it in a file. More secure for interactive use.
Q: What is --vault-password-file?
A: Points to a file (or executable script) containing the Vault password. If it's a script, Ansible executes it and uses stdout as the password. Useful for integration with secret managers (HashiCorp Vault, AWS Secrets Manager).
12. Error Handling & Debugging¶
Q: How do you debug a failing Ansible task?
A: Increase verbosity (-vvv), use debug module to inspect variables, use register to capture output, run in check mode, isolate with --limit and --start-at-task, and check system logs.
Q: What is Molecule?
A: A testing framework for Ansible roles that tests in isolated environments (Docker, Vagrant, etc.). It handles creation, convergence, idempotence, verification, and destruction.
Q: What is ansible-lint?
A: A linting tool that checks playbooks and roles for style, best practices, and potential errors.
Q: How do you test playbooks?
A: Use --syntax-check for syntax, --check for dry runs, ansible-lint for linting, Molecule for role testing, and integration with CI/CD for automated testing.
Q: What is the debug strategy?
A: A strategy plugin that enables interactive task-by-task debugging, allowing you to step through playbook execution.
Q: How does block/rescue/always work in Ansible?
A: block groups tasks. If any task in the block fails, execution jumps to the rescue section. The always section runs regardless of success or failure, similar to try/catch/finally in programming.
Q: If a rescue section succeeds, does Ansible consider the play failed?
A: No. If the rescue task succeeds, Ansible reverts the failed status and continues the play as if the original task succeeded.
Q: What types of errors do NOT trigger rescue blocks?
A: Errors caused by invalid task definitions (syntax errors) and unreachable hosts.
Q: What does ignore_errors: true do?
A: Forces Ansible to continue executing subsequent tasks even if the current task fails.
Q: What is ignore_unreachable?
A: A directive that tells Ansible to continue with remaining tasks even when a host becomes unreachable, rather than removing it from the play.
Q: How does failed_when work?
A: It defines a custom condition for when a task should be considered failed, overriding the module's default success/failure determination. Example: failed_when: "'ERROR' in result.stdout"
Q: How does changed_when work?
A: It overrides when a task reports "changed" status. Example: changed_when: false to suppress change reporting, or changed_when: "'Created' in result.stdout".
Q: Can you use any_errors_fatal at play level?
A: Yes. When set to true, any task failure on any host immediately aborts the entire play for all hosts.
13. Execution Strategies & Performance¶
Q: How do you optimize Ansible performance for large inventories?
A: Increase forks, enable SSH pipelining, use fact caching, disable fact gathering when not needed, use async tasks for long operations, and use ControlPersist for SSH.
Q: What is SSH ControlPersist?
A: An SSH feature that keeps connections open for reuse, reducing connection overhead. Configure in SSH config or ansible.cfg.
Q: How many forks does Ansible use by default?
A: 5 (configurable in ansible.cfg or with -f flag).
Q: What are the three main things to investigate for a slow playbook on 500 hosts?
A: 1) Enable SSH pipelining, 2) increase forks for more parallelism, 3) configure fact caching to avoid re-gathering facts.
Q: What is Mitogen for Ansible?
A: A completely redesigned UNIX connection layer that replaces Ansible's shell-centric SSH implementation with pure-Python equivalents using efficient remote procedure calls to persistent interpreters tunnelled over SSH.
Q: How does Mitogen achieve its performance gains?
A: Instead of opening a new SSH channel, transferring a module file, executing it, and cleaning up for every task, Mitogen establishes persistent Python interpreters on remote hosts and sends module code through an efficient RPC protocol.
Q: What speedup can Mitogen provide?
A: 1.25x to 7x speedup and at least 2x CPU usage reduction. One real-world example showed playbook runtime dropping from 45 minutes to under 3 minutes.
Q: How does Mitogen transfer data?
A: Using UNIX pipes on remote machines, passing "pickled" Python code compressed with zlib. It caches unmodified modules in RAM after first use.
Q: What are the three Mitogen strategy plugins?
A: mitogen_linear, mitogen_free, and mitogen_host_pinned -- corresponding to Ansible's built-in strategy plugins.
Q: What are key limitations of Mitogen?
A: The raw action requires Python on targets (preventing Python bootstrapping); only doas, su, and sudo are supported for become (not arbitrary become plugins); actions serialize per (host, user) combination; Python 3 performance lags behind Python 2.
Q: What other connection optimizations exist beyond Mitogen?
A: Enable pipelining = True in ansible.cfg (reduces SSH operations), increase forks for parallelism, configure SSH ControlPersist to keep connections open, and use fact caching to avoid repeated gathering.
Q: What does the pipelining setting do?
A: When enabled, Ansible pipes modules directly into the remote Python interpreter via stdin instead of writing temporary files to disk. This reduces SSH round-trips and avoids leaving sensitive data in temp files.
Q: What is the default strategy plugin in Ansible?
A: linear -- it runs each task on all targeted hosts before moving to the next task.
Q: How does the free strategy differ from linear?
A: With free, each host runs through tasks as fast as it can independently, without waiting for other hosts to complete the current task. Fast hosts finish the entire play before slow hosts.
Q: What is the host_pinned strategy?
A: Similar to free, but it pins each host to a dedicated worker, ensuring one host doesn't monopolize workers. This is useful for debugging or when tasks have varying execution times.
Q: What does the debug strategy allow?
A: Interactive step-through execution. When a task fails, it drops into a debug prompt where you can inspect variables, re-run the task, or continue execution.
Q: How do you set the strategy for a play?
A: With the strategy: keyword at the play level: strategy: free.
Q: Can you set strategy globally?
A: Yes, via DEFAULT_STRATEGY in ansible.cfg or the ANSIBLE_STRATEGY environment variable.
Q: What does the async keyword do?
A: Sets the maximum time (in seconds) an asynchronous task is allowed to run before Ansible terminates it.
Q: What happens when poll: 0 is set with async?
A: Ansible starts the task and immediately moves to the next task without waiting (fire-and-forget). The async task runs until it completes, fails, or times out.
Q: How do you check the status of a fire-and-forget async task?
A: Use the async_status module with the jid (job ID) returned by the original async task registered in a variable.
Q: What happens if a task exceeds its async timeout?
A: The process on the remote node is terminated.
Q: Does poll: 0 automatically clean up the async job cache file?
A: No. You must manually clean up using async_status with mode: cleanup.
Q: Can async tasks run in check mode?
A: No. Asynchronous mode does not support check mode and will fail.
Q: What is the default poll interval?
A: Controlled by the DEFAULT_POLL_INTERVAL configuration setting (default is typically 15 seconds).
Q: What is a practical use case for async with poll > 0?
A: Long-running tasks that might exceed the SSH connection timeout, like large package installations. Ansible keeps polling the task status rather than holding the SSH connection open for the duration.
Q: What are the four built-in strategy plugins in Ansible?
A: (1) linear -- the default; runs each task on all hosts before moving to the next task; (2) free -- lets each host run through tasks independently as fast as possible; (3) host_pinned -- like free, but does not interrupt execution on a host to start another; (4) debug -- interactive debugging on task failure.
Q: What is the default strategy, and what is its key characteristic?
A: linear. It waits for all hosts to complete a task before moving to the next task. This means a slow host delays all others.
Q: When would you use the free strategy?
A: When hosts are independent and don't need to synchronize between tasks. Each host runs through the playbook as fast as it can without waiting for others. Useful when tasks on different hosts have varying execution times.
Q: What is the difference between free and host_pinned?
A: free allows Ansible to interleave tasks across hosts (start task 3 on host A while host B is on task 1). host_pinned runs all tasks for a single host consecutively without interruption before moving to another host.
Q: What is the serial keyword, and how does it interact with strategy?
A: serial limits how many hosts are processed in each batch. With serial: 5, Ansible processes 5 hosts at a time through the play. It works with any strategy and is essential for rolling updates. You can specify a number, percentage, or a list that escalates (e.g., serial: [1, 5, 10]).
Q: What do async and poll do together in a task?
A: async sets the maximum runtime (seconds) for the task. poll sets how often (seconds) to check if the task is done. If poll: 0, the task fires and forgets -- Ansible moves on immediately without waiting.
Q: How do you fire-and-forget a long-running task?
A: Set async: <timeout> and poll: 0. The task starts in the background and Ansible continues. You can check on it later with async_status.
Q: What module checks the status of a previously fired async task?
A: async_status, using the jid (job ID) from the registered result of the original task.
Q: What is the forks setting, and what is its default value?
A: forks controls how many hosts Ansible connects to in parallel. The default is 5. Increasing this number can dramatically speed up playbook execution across large inventories.
Q: What is pipelining in Ansible's SSH configuration?
A: When enabled (pipelining = True in ansible.cfg), Ansible sends the module code and execution instructions in a single SSH session instead of multiple steps (copy module, execute, clean up). It reduces SSH round-trips but requires requiretty to be disabled in sudoers on the target.
Q: What does the gather_facts: false optimization do?
A: It skips the automatic fact-gathering step at the beginning of a play. If your play doesn't use any host facts, this saves the time of running the setup module on every host (which can be significant with hundreds of hosts).
Q: What is fact_caching, and what backends does it support?
A: Fact caching stores gathered facts between playbook runs so they don't need to be re-gathered. Supported backends include: jsonfile, redis, memcached, mongodb, yaml, and others via plugins.
14. Tags, Import vs Include
Q: What are tags used for?
A: Selective execution of tasks, roles, or plays. Run only tagged items with --tags or skip them with --skip-tags.
Q: What are the special tags always and never?
A: Tasks tagged always run even when --tags is specified (unless explicitly skipped with --skip-tags always). Tasks tagged never only run when explicitly requested with --tags never.
Q: Can tags be applied to roles?
A: Yes. Tags applied to a role import apply to all tasks within that role.
Q: Can tags be inherited through include_tasks?
A: Tags on include_tasks apply to the include statement itself, not to the tasks inside the included file. Use import_tasks for tag inheritance.
Q: What are the five reserved tag names in Ansible?
A: always, never, tagged, untagged, and all.
Q: What does the always tag do?
A: Tasks tagged with always run no matter what tags are specified with --tags, UNLESS you explicitly skip them with --skip-tags always.
Q: What does the never tag do?
A: Tasks tagged with never do not run unless you explicitly request them with --tags never or with another tag that is also applied to that task.
Q: What does --tags tagged mean?
A: Run only tasks that have at least one tag (skip all untagged tasks). The never tag still overrides -- tagged tasks with never won't run.
Q: What does --tags untagged mean?
A: Run only tasks that have NO tags. Tasks with the always tag still run.
Q: If you specify both --tags and --skip-tags for the same tag, what happens?
A: --skip-tags takes precedence. For example, --tags tag1,tag3 --skip-tags tag3 runs only tag1 tasks.
Q: Can you apply tags to roles, blocks, and imports?
A: Yes. Tags applied to roles:, import_tasks, import_role, or block are inherited by all tasks within. Tags on include_tasks apply only to the include task itself, NOT to the tasks inside.
15. Plugins Deep Dive
Q: What Python class must every custom Ansible module import?
A: AnsibleModule from ansible.module_utils.basic.
Q: How does a custom module return data to Ansible?
A: By calling module.exit_json(**result) for success or module.fail_json(msg="error message", **result) for failure. These methods print JSON to stdout and exit.
Q: What is the argument_spec in a custom module?
A: A dictionary defining all supported module parameters, their types, defaults, required status, choices, mutually_exclusive groups, and other validation constraints.
Q: What valid type values can be used in argument_spec?
A: str, list, dict, bool, int, float, path, raw, jsonarg, json, bytes, bits.
Q: What is the Ansiballz framework?
A: The mechanism Ansible uses to package Python modules for remote execution. It creates a zipfile containing the module file, imported module_utils files, and boilerplate code. This is Base64-encoded, wrapped in a small Python script, transferred to the remote host, and executed.
Q: How are module arguments passed to the remote module under Ansiballz?
A: The JSON arguments are included in the wrapper script. Before importing the module, the wrapper monkey-patches _ANSIBLE_ARGS in basic.py, which the module reads during initialization.
Q: What internal arguments does Ansible automatically inject into every module call?
A: _ansible_no_log, _ansible_debug, _ansible_diff, _ansible_verbosity, _ansible_selinux_special_fs, _ansible_syslog_facility, _ansible_version, _ansible_module_name, _ansible_keep_remote_files, _ansible_socket, _ansible_shell_executable, _ansible_tmpdir, _ansible_remote_tmp.
Q: Why does Ansible mark all strings returned by modules as "Unsafe"?
A: To prevent Jinja2 template injection attacks. Without this, malicious code embedded in module output could execute on the control node during template rendering.
Q: What is supports_check_mode in module development?
A: A boolean parameter passed to AnsibleModule() indicating the module can run in check (dry-run) mode. When True, the module should report what would change without making actual changes.
Q: What are the mutually_exclusive, required_together, required_one_of, required_if, and required_by parameters?
A: Validation constraints in AnsibleModule() that enforce relationships between arguments: mutually_exclusive prevents using certain args together, required_together mandates that certain args appear together, required_one_of needs at least one from a set, required_if requires args conditionally, and required_by specifies arg dependencies.
Q: What is the Module Replacer framework?
A: The older (legacy) module packaging mechanism, primarily used for PowerShell modules. It performs string substitution, replacing patterns like from ansible.module_utils.MOD_LIB_NAME import * with actual file contents.
Q: How does pipelining change module execution?
A: With pipelining enabled, Ansible pipes the module directly into the remote Python interpreter via stdin instead of writing it to a temporary file. This improves security (no file on disk with arguments) and performance (fewer SSH operations).
Q: Where should custom filter plugins be placed?
A: In a filter_plugins/ directory adjacent to the playbook, inside a role's filter_plugins/ directory, in a collection's plugins/filter/ directory, or in a path configured in ansible.cfg under DEFAULT_FILTER_PLUGIN_PATH.
Q: What must a filter plugin Python file contain?
A: A FilterModule class with a filters() method that returns a dictionary mapping filter names to Python callables.
Q: How are lookup plugins different from filter plugins in how they execute?
A: Lookup plugins run on the control node (not the remote host), pull data from external sources, and are expected to return lists. Filter plugins transform data inline within Jinja2 expressions.
Q: What base class do lookup plugins inherit from?
A: LookupBase from ansible.plugins.lookup.
Q: What method must a lookup plugin implement?
A: The run(self, terms, variables=None, **kwargs) method.
Q: How do you invoke a lookup plugin in a playbook?
A: Using lookup('plugin_name', 'arg') or the with_<plugin_name> loop syntax, or query('plugin_name', 'arg') which always returns a list.
Q: What is the difference between lookup() and query() in Ansible?
A: query() always returns a list. lookup() returns a comma-separated string by default (unless wantlist=True is passed). query() is the preferred modern form.
Q: What are callback plugins used for?
A: They respond to events during Ansible execution -- controlling output formatting, sending notifications, logging to external systems, or integrating with monitoring tools.
Q: How many stdout-type callback plugins can be active at once?
A: Only one. The stdout_callback setting in ansible.cfg controls which one is active. Other non-stdout callback plugins can be enabled simultaneously.
Q: What are the two categories of callback plugins?
A: stdout callbacks (control terminal output; only one active at a time) and notification/aggregate callbacks (multiple can be active simultaneously for logging, metrics, etc.).
Q: Name some built-in callback plugins.
A: default (standard output), minimal, json, yaml, debug, timer, profile_tasks, profile_roles, log_plays, mail, slack, splunk, grafana_annotations, cgroup_perf_recap.
Q: What method prefix do v2 callback plugin methods use?
A: v2_ -- for example, v2_runner_on_ok, v2_runner_on_failed, v2_playbook_on_start, v2_runner_on_async_poll.
Q: What class attributes must a callback plugin define?
A: CALLBACK_VERSION, CALLBACK_TYPE (stdout, notification, or aggregate), and CALLBACK_NAME.
Q: How do you enable a notification callback plugin?
A: Add it to the callback_whitelist (or callbacks_enabled in newer versions) setting in ansible.cfg.
Q: What is the default connection plugin in Ansible?
A: ssh (using OpenSSH). Prior to Ansible 2.0, paramiko was the default.
Q: Name all the major connection plugin types in Ansible.
A: ssh, paramiko_ssh, local, docker, kubectl, podman, network_cli, httpapi, netconf, winrm, psrp (PowerShell Remoting Protocol), lxd, jail (FreeBSD), zone (Solaris), chroot, funcd, and community-contributed options.
Q: When would you use the local connection plugin?
A: When running tasks on the Ansible control node itself (localhost). It bypasses SSH entirely and executes directly. Used with connection: local or delegate_to: localhost.
Q: What is the network_cli connection plugin used for?
A: Connecting to network devices (routers, switches, firewalls) over SSH using a persistent CLI session. It loads platform-specific Terminal plugins based on ansible_network_os to handle prompts, privilege escalation, and command execution.
Q: What Python library does the netconf connection plugin use under the hood?
A: The ncclient Python library, which provides a NETCONF client implementation for initiating NETCONF sessions over SSH.
Q: What is the httpapi connection plugin?
A: A plugin for communicating with devices that expose HTTP(S) APIs. It uses HTTPAPI plugins as adapters for specific vendor APIs (e.g., Arista EOS eAPI, F5 BIG-IP REST). Useful for devices where SSH-based management is limited.
Q: What is the psrp connection plugin, and how does it differ from winrm?
A: PSRP (PowerShell Remoting Protocol) is an alternative to WinRM for managing Windows hosts. It uses the same underlying protocol but is implemented in Python using the pypsrp library, offering better performance and more reliable stream handling than the winrm plugin.
Q: Can you use more than one connection plugin per host in a single play?
A: No. Only one connection plugin can be active per host at a time. However, you can use delegate_to with a different connection type for specific tasks.
Q: What is ansible_connection and where can it be set?
A: It specifies which connection plugin to use for a host. It can be set in inventory (per host or group), playbook vars, or command line. Examples: ssh, local, docker, network_cli, winrm.
Q: What is a lookup plugin in Ansible?
A: A plugin that retrieves data from external sources during playbook execution. Lookups run on the control node (not on managed hosts) and return data to the playbook.
Q: Name ten commonly used lookup plugins.
A: (1) file -- read file contents; (2) template -- render a Jinja2 template; (3) env -- read environment variables; (4) password -- generate or retrieve passwords; (5) pipe -- run a command and capture output; (6) csvfile -- read from CSV files; (7) ini -- read from INI files; (8) url -- fetch content from a URL; (9) hashi_vault -- read from HashiCorp Vault; (10) aws_ssm -- read from AWS Systems Manager Parameter Store.
Q: What is the difference between a lookup and a filter?
A: A lookup fetches data from an external source (file, URL, API) and runs on the control node. A filter transforms data that already exists in the playbook (string manipulation, type conversion, etc.).
Q: What is the query function, and how does it differ from lookup?
A: query (or q) always returns a list. lookup returns a comma-separated string by default. query('file', '/etc/hosts') returns a list with one element; lookup('file', '/etc/hosts') returns a string.
Q: What does wantlist=True do in a lookup?
A: Forces the lookup to return a list instead of a comma-separated string. lookup('file', '/etc/hosts', wantlist=True) is equivalent to query('file', '/etc/hosts').
Q: What is a callback plugin?
A: A plugin that hooks into Ansible's event system to modify output, perform logging, send notifications, or track metrics. The standard terminal output you see is itself a callback plugin.
Q: What is the difference between stdout callbacks and non-stdout callbacks?
A: Only ONE stdout callback can be active (it controls terminal output). Multiple non-stdout callbacks can run simultaneously for logging, notifications, or metrics.
Q: Name five notable callback plugins.
A: (1) default -- the standard verbose output; (2) minimal -- super-brief output (task name + result); (3) json -- JSON-formatted output for machine parsing; (4) yaml -- YAML-formatted output; (5) timer/profile_tasks -- displays per-task and total execution timing.
Q: What callback plugin would you use to profile task execution times?
A: profile_tasks -- shows execution time for each task. Also profile_roles for per-role timing and timer for total playbook time.
Q: What callback plugin profiles memory usage of Ansible tasks?
A: cgroup_memory_recap -- uses cgroups to measure maximum memory usage per task and overall.
16. Ansible Tower / AWX / Automation Controller
Q: What is Ansible Tower?
A: A web-based enterprise solution (now called Red Hat Ansible Automation Platform) providing a UI, RBAC, job scheduling, dashboards, and REST API for managing Ansible automation.
Q: What is AWX?
A: The open-source upstream project for Ansible Tower. Ideal for development and testing; lacks enterprise support and hardening.
Q: How do AWX and Red Hat Ansible Automation Platform differ?
A: AWX is free/open-source for dev/test. Ansible Automation Platform (AAP) is the commercial, enterprise-grade solution with official Red Hat support, SLAs, security hardening, and additional components like Automation Hub and Event-Driven Ansible.
Q: What features does Ansible Tower/AWX provide?
A: Web dashboard, role-based access control (RBAC), job scheduling, workflow orchestration, credential management, real-time job monitoring, REST API, activity logging, audit trails, integration with Git/SCM, and notifications.
Q: How do you implement RBAC in Ansible Tower?
A: Create users and teams, assign roles (Admin, User, Auditor) at global or object level, and set permissions on projects, inventories, job templates, and credentials.
Q: What is a Job Template in Tower/AWX?
A: A definition that combines a playbook, inventory, credentials, and other settings into a reusable, launchable automation job.
Q: What is a Workflow in Tower/AWX?
A: A chain of job templates linked by success/failure/always conditions, enabling multi-step automation pipelines.
Q: What is the Tower/AWX REST API used for?
A: Programmatic access to launch jobs, manage inventory, check job status, and integrate Tower with CI/CD tools and external systems.
Q: What is the difference between AWX, Ansible Tower, and automation controller?
A: AWX is the open-source upstream. Ansible Tower was the Red Hat commercial product (now retired name). Automation controller is the current name within Ansible Automation Platform.
Q: What is a Job Template in AWX/automation controller?
A: A definition that combines a playbook, inventory, credentials, and configuration into a reusable, launchable unit.
Q: What is a Workflow Job Template?
A: A template that chains multiple job templates together with conditional logic (on success, on failure, always), enabling complex multi-step automation pipelines.
Q: What are Surveys in AWX/automation controller?
A: Interactive forms that prompt users for input when launching a job template, passing responses as extra variables. They support text, passwords, dropdowns, multiple choice, integers, and floats.
Q: What is the automation controller REST API used for?
A: Programmatic interaction with all controller features: launching jobs, managing inventory, credentials, templates, users, and organizations. Enables CI/CD integration.
Q: What is automation mesh?
A: A scalable overlay network in AAP that distributes automation execution across multiple nodes, including hop nodes (relays) and execution nodes, enabling automation across network boundaries.
Q: What are execution nodes vs hop nodes in automation mesh?
A: Execution nodes run Ansible playbooks. Hop nodes relay traffic between the controller and execution nodes without running playbooks, useful for crossing network boundaries.
Q: What are Instance Groups in AWX?
A: A way to group execution capacity, allowing specific job templates to run on specific sets of instances for resource isolation or geographic distribution.
Q: What is a Smart Inventory?
A: A dynamic inventory in automation controller defined by a filter query against existing inventories. It automatically updates as source inventories change.
17. Ansible Automation Platform (AAP)
Q: What is an Ansible Execution Environment (EE)?
A: An EE is an OCI-compliant container image that serves as a portable, reproducible Ansible control node. It packages ansible-core, Python dependencies, system libraries, and Ansible collections into a single container image, eliminating "works on my machine" inconsistencies.
Q: What tool is used to build Execution Environments?
A: ansible-builder. It reads an execution-environment.yml definition file and uses a container runtime (podman or docker) to build the EE image.
Q: What are the key sections in an execution-environment.yml file?
A: version (schema version), build_arg_defaults (base image settings), dependencies (galaxy requirements, Python requirements, system packages), additional_build_steps (prepend/append custom build commands), and images (base and builder image references).
Q: Why do Execution Environments exist when Python virtual environments (venvs) already exist?
A: Virtual environments only isolate Python packages. They cannot bundle system-level tools like openssh-clients, vendor CLI utilities, or non-Python dependencies. EEs wrap everything into a container so the runtime is identical everywhere it executes.
Q: What is the default base image used by ansible-builder?
A: The default base image is the Red Hat-provided ee-minimal-rhel8 or the community quay.io/ansible/ansible-runner:latest, depending on the version and configuration.
Q: How do you specify which Ansible collections to include in an EE?
A: Add them to a requirements.yml file referenced in the dependencies.galaxy field of execution-environment.yml.
Q: What is the difference between a Decision Environment and an Execution Environment in Event-Driven Ansible?
A: A Decision Environment handles event logic -- listening for events, filtering, and evaluating conditions in rulebooks. An Execution Environment runs the actual Ansible playbooks triggered when a condition is matched.
Q: How does ansible-navigator differ from ansible-playbook?
A: ansible-navigator runs playbooks inside EE containers by default (using podman or docker), provides an interactive TUI for exploring results, and offers subcommands like images, collections, doc, and config. ansible-playbook runs directly on the control node with no container isolation and no TUI.
Q: What are the two display modes in ansible-navigator?
A: stdout mode (output goes directly to terminal, similar to traditional ansible-playbook) and interactive mode (TUI with navigable, drill-down views of playbook results).
Q: What configuration file does ansible-navigator use?
A: ansible-navigator.yml (or .ansible-navigator.yml), placed in the project directory or home directory. The path can also be supplied through the ANSIBLE_NAVIGATOR_CONFIG environment variable.
Q: How do you run ansible-navigator without an Execution Environment (in local mode)?
A: Set execution-environment.enabled: false in ansible-navigator.yml or pass --execution-environment false on the command line.
Q: What subcommand in ansible-navigator lists available collections inside an EE?
A: ansible-navigator collections
Q: How do you inspect the contents of an EE image using ansible-navigator?
A: ansible-navigator images shows available EE images and lets you drill into their Python packages, Ansible collections, and system packages.
Q: What are the main components of Red Hat Ansible Automation Platform (AAP) 2.x?
A: (1) Automation Controller (formerly Ansible Tower) -- the web UI and API for running playbooks; (2) Automation Hub -- a repository for certified/validated collections; (3) Event-Driven Ansible (EDA) Controller -- event-driven automation triggers; (4) Ansible Lightspeed with IBM watsonx Code Assistant -- AI-powered playbook generation; (5) Platform Gateway -- unified web UI consolidating all components (introduced in AAP 2.5).
Q: What is the relationship between Ansible Tower and Automation Controller?
A: Automation Controller is the rebranded name for Ansible Tower, starting with AAP 2.x. The underlying technology (AWX upstream) remains the same, but "Tower" branding was retired in favor of "Automation Controller."
Q: What is AWX, and how does it relate to Ansible Tower/Automation Controller?
A: AWX is the upstream open-source project for Automation Controller (formerly Tower). It provides a web UI, REST API, RBAC, job scheduling, and credential management. Tower/Controller is the enterprise-supported derivative with additional features like SLA support, ISV compatibility guarantees, and supported upgrade paths.
Q: Name three enterprise features that Ansible Tower/Controller has that AWX lacks.
A: (1) Red Hat SLA-backed support with guaranteed security vulnerability response; (2) Supported, tested upgrade migration paths between versions; (3) ISV (Independent Software Vendor) compatibility certifications. AWX is community-supported only.
Q: What was the approximate annual cost of Ansible Tower licensing before the AAP rebrand?
A: Standard licensing ranged from approximately $13,000/year to $17,500/year for up to 100 managed nodes.
Q: What is Ansible Automation Hub, and how does it differ from Ansible Galaxy?
A: Automation Hub is Red Hat's curated repository of certified and validated Ansible collections for AAP subscribers. Galaxy is the free community repository. Hub content is tested, supported, and signed by Red Hat; Galaxy content is community-maintained with no support guarantees.
Q: What is Private Automation Hub?
A: A self-hosted instance of Automation Hub that organizations deploy internally to host their own custom collections, curate approved content, and serve as a proxy/mirror for certified collections.
Q: What is Event-Driven Ansible (EDA) and when was it introduced?
A: EDA was introduced as a technology preview in AAP 2.3 (2023) and became generally available in AAP 2.4. It allows automation to be triggered by events from external sources (monitoring tools, webhooks, ServiceNow, GitHub/GitLab) using rulebooks that define conditions and actions.
Q: What is the structure of an EDA rulebook?
A: A rulebook contains three main components: (1) sources -- where events come from (webhooks, Kafka, alertmanager, etc.); (2) rules -- conditions evaluated against incoming events; (3) actions -- what to do when conditions match (run a playbook, module, or trigger a workflow in Controller).
Q: What major AAP 2.5 feature unified the user experience across components?
A: The Platform Gateway introduced a single unified web UI that consolidates Automation Controller, Automation Hub, and EDA Controller interfaces with centralized authentication and management.
Q: What shift in AAP 2.5 changed how the platform is deployed?
A: AAP 2.5 introduced a containerized installer using Podman, while the traditional RPM-based installer was deprecated, signaling a move toward container-native deployments.
18. Event-Driven Ansible (EDA)
Q: What are the three main components of an Ansible rulebook?
A: Sources (define event origins like webhooks, Kafka, Alertmanager), Rules (define conditions to match against events), and Actions (specify what happens when conditions are met, like run_playbook).
Q: What command runs a rulebook?
A: ansible-rulebook --inventory inventory.yml --rulebook rulebook.yml
Q: What Python and Java versions does ansible-rulebook require?
A: Python 3.8+ and Java 17 (OpenJDK).
Q: Name three event source plugins in the ansible.eda collection.
A: ansible.eda.webhook, ansible.eda.kafka, ansible.eda.alertmanager.
Q: How does an event payload get passed to a triggered playbook?
A: Through the event variable, which contains the full event payload accessible in playbook tasks (e.g., event.payload.message).
Q: What happens after a rulebook condition matches an event?
A: The specified action executes -- typically run_playbook, which launches an Ansible playbook with the event data available as extra variables.
Q: Can rulebooks call Ansible Automation Platform job templates?
A: Yes. EDA integrates with AAP's automation controller, allowing rulebooks to trigger job templates via the run_job_template action.
19. Ansible Lightspeed & AI
Q: What is Ansible Lightspeed?
A: An AI-powered automation content creation tool from Red Hat, integrated into VS Code and Ansible Automation Platform, that generates Ansible task code from natural language descriptions.
Q: What AI model powers Ansible Lightspeed?
A: IBM watsonx Code Assistant, trained on Ansible community content and code patterns.
Q: When was Ansible Lightspeed generally available?
A: November 2023.
Q: What is the Ansible Lightspeed "intelligent assistant"?
A: A generative AI chat assistant embedded within AAP that helps administrators install, configure, maintain, and optimize Ansible Automation Platform, and helps operators troubleshoot automation jobs.
Q: What is BYOM in the context of Ansible Lightspeed?
A: "Bring Your Own Model" -- introduced in AAP 2.6, it allows customers to use LLM providers other than IBM watsonx, including Red Hat AI, OpenAI, and Azure OpenAI.
Q: What controversy surrounds Ansible Lightspeed and the community?
A: The LLM was trained on community-contributed code, and some contributors felt they wouldn't receive credit despite having built and shared that code publicly.
20. Testing with Molecule & Lint
Q: What are the key phases in a Molecule test sequence?
A: dependency, cleanup, destroy, syntax, create, prepare, converge, idempotence, side_effect, verify, cleanup, destroy. This is the default sequence; it can be customized.
Q: What is the default driver in modern Molecule?
A: The delegated driver (previously called default). Podman and Docker drivers are provided via separate packages like molecule-plugins.
Q: What is the converge step in Molecule?
A: It runs the role or playbook under test against the test instance. It is the core "apply the automation" step.
Q: What does the idempotence step verify?
A: It runs the converge playbook a second time and checks that no tasks report "changed." This validates that the role is idempotent.
Q: What is a Molecule scenario?
A: A scenario is a self-contained test suite within a role or collection. Each scenario has its own molecule.yml, converge playbook, and verify playbook. A single role can have multiple scenarios testing different configurations.
Q: What verifiers does Molecule support?
A: Ansible (default, using assert/stat/command tasks in a verify.yml playbook), testinfra (Python-based infrastructure testing), and third-party plugins like InSpec.
Q: Where does Molecule store scenario configuration?
A: In molecule/<scenario_name>/molecule.yml within the role directory.
Q: What Molecule command runs only the verify step without re-converging?
A: molecule verify
Q: How do you test a specific scenario when multiple exist?
A: molecule test -s <scenario_name>
Q: What are the six ansible-lint profiles in order from least to most strict?
A: min, basic, moderate, safety, shared, production. Each profile includes all rules from profiles below it.
Q: What does the min lint profile enforce?
A: Only rules that prevent fatal errors: internal-error, load-failure, parser-error, syntax-check.
Q: What does the safety lint profile add?
A: Rules that avoid non-determinant outcomes or security concerns: avoid-implicit, latest, package-latest, risky-file-permissions, risky-octal, risky-shell-pipe.
Q: What is the shared lint profile intended for?
A: Content creators publishing to galaxy.ansible.com, automation-hub, or private instances. It adds rules like ignore-errors, no-changed-when, no-handler, meta-incorrect, and meta-no-tags.
Q: What does the production lint profile add on top of shared?
A: Rules for inclusion in Ansible Automation Platform as validated or certified content, including fqcn (require fully qualified collection names) and sanity.
Q: What rule does no-changed-when enforce?
A: Tasks using command, shell, raw, or script modules must include a changed_when condition to prevent always reporting "changed."
Q: What does the fqcn lint rule require?
A: That all module references use Fully Qualified Collection Names (e.g., ansible.builtin.copy instead of just copy).
Q: How do you select a specific lint profile on the command line?
A: ansible-lint --profile production playbook.yml
Q: What configuration file does ansible-lint use?
A: .ansible-lint (YAML format) in the project root directory.
Q: What are Molecule's default test phases (the test sequence)?
A: dependency, cleanup, destroy, syntax, create, prepare, converge, idempotence, side_effect, verify, cleanup, destroy. Molecule 3.x/4.x also ran a lint step after dependency; since Molecule 6 linting is no longer part of the sequence and is run separately (for example ansible-lint in CI).
Q: What is the "idempotence" test phase in Molecule?
A: Molecule runs the converge playbook a second time and checks that zero tasks report "changed." If any task reports changed on the second run, the idempotence test fails -- indicating the role is not properly idempotent.
Q: What drivers does Molecule support for creating test instances?
A: In Molecule 3.x/4.x the bundled default driver was Docker. Since Molecule 6 the only bundled driver is "default" (formerly "delegated"), which leaves instance creation to your own create/destroy playbooks; Docker, Podman, Vagrant, EC2, GCE, Azure, DigitalOcean, LXD and other drivers are installed separately from the molecule-plugins package.
Q: What is the default verifier in Molecule 6+?
A: Ansible itself (assert/stat/command tasks in verify.yml). It has been the default since Molecule 3.0; testinfra (Python-based) was the previous default and is now an optional plugin.
Q: Name five ansible-lint rules.
A: (1) yaml[truthy] -- flags bare yes/no booleans; (2) no-changed-when -- flags command/shell tasks without changed_when; (3) name[missing] -- flags tasks without names; (4) fqcn[action-core] -- flags non-FQCN module names; (5) deprecated-module -- flags usage of deprecated modules.
Q: What is the no_log lint rule about?
A: The rule is named no-log-password. It flags a task that passes a password argument inside a loop without no_log: true. Modules mask their own password parameters, but the loop item values are still echoed in the task result and in logs, so the password leaks there unless no_log is set explicitly.
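Worked example, added here and not part of the compendium, of what the safety and production profiles catch. The two task files are constructed for illustration: the first is written to trip the rules named above, the second is the corrected form. The service name `myapp`, the paths and the `.ansible-lint` settings are assumptions.

```yaml
# .ansible-lint  (added example; the excluded paths are assumptions)
---
profile: production
exclude_paths:
  - .cache/
  - .github/
# Never park risky-* or no-log-password in skip_list: those are the
# security-relevant rules. Keep the list empty and fix the findings instead.
skip_list: []

# tasks/before.yml -- trips fqcn[action-core], yaml[truthy], risky-shell-pipe,
# no-changed-when and risky-file-permissions
---
- name: Check whether the app service is enabled
  shell: systemctl is-enabled myapp | grep -q enabled
  become: yes

- name: Install the config file
  copy:
    src: app.conf
    dest: /etc/myapp/app.conf
  become: yes

# tasks/after.yml -- same intent, lint-clean under the production profile
---
- name: Check whether the app service is enabled
  ansible.builtin.shell: set -o pipefail && systemctl is-enabled myapp | grep -q enabled
  args:
    executable: /bin/bash        # pipefail is a bash feature, so say which shell runs this
  register: svc_enabled
  changed_when: false            # a read-only probe must never report "changed"
  failed_when: svc_enabled.rc not in [0, 1]   # rc 1 just means "disabled"
  become: true

- name: Install the config file
  ansible.builtin.copy:
    src: app.conf
    dest: /etc/myapp/app.conf
    owner: root
    group: myapp
    mode: "0640"                 # explicit mode: no umask surprises, not world-readable
  become: true
```

Run `ansible-lint --profile production` in the project root; with the `profile:` key in `.ansible-lint` the flag can be omitted. Quoting the mode as a string avoids the risky-octal finding that an unquoted `0640` (parsed as an integer by YAML) would produce.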
21. Network Automation¶
Q: How does Ansible manage network devices?
A: Using network-specific modules (ios_config, junos_config, eos_config, nxos_config) and connection plugins (network_cli, netconf, httpapi).
Q: What connection plugin is used for network devices?
A: network_cli for CLI-based devices, netconf for NETCONF-enabled devices, httpapi for API-based devices.
Q: How do you backup router configurations with Ansible?
A: Use ios_config module with backup: yes parameter. Backup files are stored in a backup directory.
Q: What are the three main connection types for network automation?
A: ansible.netcommon.network_cli (CLI over SSH), ansible.netcommon.netconf (NETCONF over SSH), and ansible.netcommon.httpapi (REST/HTTP APIs).
Q: Where do network modules execute -- on the control node or managed node?
A: On the control node. Unlike Linux automation, network modules do not execute on the network device itself because most network devices cannot run Python.
Q: How does privilege escalation work on network devices like Cisco IOS?
A: Using ansible_become: true, ansible_become_method: enable, and ansible_become_password: <enable_password>. This tells Ansible to enter enable mode after connecting. Keep the enable password (like the login password) in a Vault-encrypted group_vars file and reference it from the inventory variable rather than writing it into the inventory in plaintext.
Q: What are network resource modules?
A: Modules that manage specific network resource configurations (interfaces, VLANs, ACLs, etc.) through a declarative state-based model with states like merged, replaced, overridden, deleted, and gathered.
Q: What is the gathered state in network resource modules?
A: It retrieves the current configuration from the device and returns it as structured data without making any changes.
Q: Why don't Juniper Junos Ansible modules require Python on the device?
A: Because everything runs on the control node. The junipernetworks.junos collection talks to the device through the ansible.netcommon.netconf connection plugin (NETCONF over SSH via ncclient) or network_cli; Juniper's own collection (Juniper.junos / juniper.device) uses the Junos PyEZ library and the Junos XML API, again from the control node. The device itself only has to speak NETCONF or the CLI.
Q: What is the cli_parse module used for?
A: Parsing unstructured CLI output from network devices into structured data using parsers like TextFSM, TTP, xmltodict, or pyATS.
Q: What collection provides platform-independent network modules?
A: ansible.netcommon -- it includes cli_command, cli_config, netconf_config, netconf_get, and cli_parse.
Q: What is ansible_network_os, and why is it critical for network automation?
A: It identifies the network operating system (e.g., ios, nxos, eos, junos) so Ansible loads the correct Terminal, cliconf, and httpapi plugins for that platform. Without it, network modules cannot function.
Q: What is the difference between network_cli and httpapi for network devices?
A: network_cli uses SSH to interact with the device's CLI (like a human at a terminal). httpapi uses REST API calls over HTTP(S). The choice depends on which interface the device exposes and which provides better functionality.
Q: What is cli_command vs platform-specific modules (e.g., ios_command)?
A: cli_command is a generic module that works against any device reachable over network_cli. Platform collections (cisco.ios, cisco.nxos, etc.) provide platform-specific command/config modules (ios_command, nxos_command) that understand the platform's prompts and error strings, plus resource modules that manage configuration declaratively with real idempotency.
Q: What are "resource modules" in network automation?
A: Modules that manage a specific network resource declaratively (e.g., ios_interfaces, nxos_vlans, eos_bgp_global). They accept a desired state and determine the necessary commands to achieve it, providing true idempotency for network configurations.
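Worked example, added here and not from the compendium, that combines the points above: network_cli with enable-mode escalation, a configuration backup, a gathered-state read used as an audit, and a replaced-state resource module. The hostnames, the 10.0.0.0/24 management subnet, the ACL name and the vault variable names are assumptions.

```yaml
# group_vars/routers/vars.yml  (added example; account, subnet and vault variable names are assumptions)
---
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.ios.ios
ansible_user: automation
ansible_become: true
ansible_become_method: enable
# Both secrets live in group_vars/routers/vault.yml (ansible-vault encrypted),
# so neither the login nor the enable password is ever committed in plaintext.
ansible_password: "{{ vault_ios_password }}"
ansible_become_password: "{{ vault_ios_enable_password }}"

# backup_and_audit.yml
---
- name: Back up, audit and enforce the management ACL on the routers
  hosts: routers
  gather_facts: false
  serial: 5                                  # five devices per batch
  tasks:
    - name: Snapshot the running config before anything else
      cisco.ios.ios_config:
        backup: true
        backup_options:
          dir_path: "{{ playbook_dir }}/backups"
          filename: "{{ inventory_hostname }}.cfg"

    - name: Read interface state as structured data without changing anything
      cisco.ios.ios_interfaces:
        state: gathered
      register: ifaces

    - name: Refuse to continue on a device with undocumented interfaces
      ansible.builtin.assert:
        that: ifaces.gathered | selectattr('description', 'undefined') | list | length == 0
        fail_msg: "{{ inventory_hostname }} has interfaces without a description"

    - name: Make the management ACL exactly this and nothing else
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls:
              - name: MGMT-IN
                acl_type: extended
                aces:
                  - sequence: 10
                    grant: permit
                    protocol: ip
                    source:
                      address: 10.0.0.0
                      wildcard_bits: 0.0.0.255
                    destination:
                      any: true
                  - sequence: 20
                    grant: deny
                    protocol: ip
                    source:
                      any: true
                    destination:
                      any: true
        state: replaced                      # entries on the device that are not listed here get removed
```

Because `replaced` removes anything not declared, run the playbook with `--check --diff` first to see exactly which ACL lines would be deleted. The backups directory contains full device configurations (including hashed credentials and SNMP strings), so keep it out of the repository and restrict its permissions.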
22. Windows Automation¶
Q: How do you manage Windows systems with Ansible?
A: Enable WinRM on Windows hosts, install pywinrm on the control node, set ansible_connection=winrm in inventory, and use Windows-specific modules (win_feature, win_service, win_copy, etc.).
Q: What protocol does Ansible use for Windows?
A: WinRM (Windows Remote Management) with PowerShell.
Q: Can Ansible run on Windows as a control node?
A: No, the control node must be Linux or macOS. However, you can use WSL (Windows Subsystem for Linux) to run Ansible on Windows.
Q: What protocol does Ansible use to manage Windows hosts?
A: WinRM (Windows Remote Management), a SOAP-based protocol over HTTP/HTTPS. Ansible can use it through the psrp or winrm connection plugins.
Q: Can Ansible use SSH to manage Windows?
A: Yes. Windows 10 / Server 2019 and later ship an OpenSSH server, and the standard ssh connection plugin works against it when ansible_shell_type is set to powershell (or cmd) so that Ansible knows how to launch the PowerShell module wrapper. WinRM/PSRP remain the primary and most mature connection methods.
Q: What Python packages are required on the control node for WinRM?
A: pywinrm (for the winrm connection plugin) or pypsrp (for the psrp connection plugin).
Q: What authentication methods does WinRM support?
A: Basic, Certificate, NTLM, Kerberos, and CredSSP. Basic and Certificate work for local accounts only and Basic sends the password merely base64-encoded, so it is only acceptable over HTTPS; NTLM works for local and domain accounts; Kerberos is the recommended choice for domain accounts; CredSSP works for both but forwards the full credential to the target (see the next question).
Q: Why is CredSSP sometimes needed for Windows automation?
A: Because most WinRM auth methods don't delegate credentials, causing "double hop" authentication failures when the managed host in turn accesses network resources. CredSSP forwards the credentials, enabling access to network shares, SQL servers, etc. The cost is that the target receives the plaintext credential and a compromised target can harvest it, so prefer Kerberos (with constrained delegation where needed) or a become/runas network-credentials logon for the single task that needs the hop.
Q: How does become work differently on Windows?
A: On Windows, become uses runas to bypass WinRM's non-interactive session restrictions. It creates an interactive token, allowing access to APIs blocked under WinRM (Windows Update API, DPAPI, etc.).
Q: What is the win_updates module used for?
A: Installing Windows updates by category (Security, Critical, etc.). The win_hotfix module handles individual hotfix files.
Q: What is the ansible.windows collection?
A: The official collection containing Windows-specific modules like win_copy, win_file, win_service, win_user, win_group, win_regedit, win_shell, win_command, win_dsc, etc.
Q: How are Windows modules different from Linux modules internally?
A: Windows modules are written in PowerShell (not Python) and use the Module Replacer framework instead of Ansiballz.
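Worked example, added here and not part of the compendium: the weak and the hardened inventory settings for the same Windows group side by side, then a playbook that patches the hosts and solves the double hop with become instead of CredSSP. The domain name, service account, CA path, share path and vault variable names are assumptions; Kerberos requires the pypsrp[kerberos] extras and a krb5 configuration on the control node.

```yaml
# group_vars/windows.yml  (added example; realm, account, paths and vault variable names are assumptions)
---
# Weak form, kept as comments for contrast: Basic auth over plain HTTP sends the
# password base64-encoded on the wire and only works for local accounts.
#   ansible_connection: winrm
#   ansible_port: 5985
#   ansible_winrm_scheme: http
#   ansible_winrm_transport: basic
#   ansible_user: Administrator

# Hardened form: PSRP over HTTPS, Kerberos against a domain account, server certificate validated.
ansible_connection: psrp
ansible_port: 5986
ansible_psrp_protocol: https
ansible_psrp_auth: kerberos
ansible_psrp_cert_validation: validate
ansible_psrp_ca_cert: /etc/pki/tls/certs/corp-ca.pem
ansible_user: svc-ansible@CORP.EXAMPLE
ansible_password: "{{ vault_svc_ansible_password }}"

# patch.yml
---
- name: Patch a Windows group and fetch an installer from a share
  hosts: windows
  tasks:
    - name: Install security and critical updates, rebooting if Windows asks for it
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        reboot: true
        reboot_timeout: 1800
      register: upd

    - name: Report a count instead of dumping the whole update list into the log
      ansible.builtin.debug:
        msg: "{{ upd.installed_update_count | default(0) }} updates installed on {{ inventory_hostname }}"

    # Double hop: the PSRP session holds no network credentials, so reading a
    # share fails. Instead of CredSSP, re-authenticate for this one task with a
    # network-only logon (the become workaround from the Windows documentation).
    - name: Copy the installer from the file share
      ansible.windows.win_copy:
        src: \\fileserver.corp.example\deploy\app.msi
        dest: C:\Temp\app.msi
        remote_src: true
      become: true
      become_method: runas
      become_flags: logon_type=new_credentials logon_flags=netcredentials_only
      vars:
        ansible_become_user: "{{ ansible_user }}"
        ansible_become_password: "{{ ansible_password }}"
```

The network-credentials logon only affects outbound connections made by that task; the local token is unchanged, so the task does not gain any rights on the managed host itself.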
23. Cloud & Container Automation¶
Q: What are dynamic inventory plugins for cloud providers?
A: Plugins that query cloud infrastructure (AWS, Azure, GCP) to dynamically populate Ansible inventory without manual host list maintenance.
Q: How does Ansible interact with Kubernetes?
A: Using the kubernetes.core collection modules to deploy workloads, manage resources, apply manifests, and bootstrap clusters.
Q: How does Ansible interact with Docker?
A: Using community.docker collection modules (docker_container, docker_image, docker_network, docker_compose).
Q: How do you provision AWS EC2 instances with Ansible?
A: Use the amazon.aws.ec2_instance module with appropriate parameters (image_id, instance_type, key_name, security groups, etc.).
Q: What is the FQCN for the AWS EC2 module?
A: amazon.aws.ec2_instance. The legacy amazon.aws.ec2 module was deprecated and removed in amazon.aws 4.0.0, so playbooks still using it need to be migrated.
Q: What collection provides AWS modules?
A: amazon.aws for core AWS modules, and community.aws for community-contributed modules.
Q: How do dynamic inventory plugins for cloud providers work?
A: They query cloud provider APIs in real-time, returning current infrastructure as Ansible inventory. Examples: amazon.aws.aws_ec2, azure.azcollection.azure_rm, google.cloud.gcp_compute.
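Worked example, added here and not from the compendium: an aws_ec2 inventory plugin configuration that assumes a read-only role instead of carrying long-lived keys, only admits tagged instances, and connects over private addresses. The region, the account ID (the 123456789012 placeholder), the role name and the tag keys are assumptions.

```yaml
# inventory/aws_ec2.yml  (added example; region, account ID, role and tag names are assumptions)
# The file name must end in aws_ec2.yml or aws_ec2.yaml for the "auto" inventory plugin to pick it up.
---
plugin: amazon.aws.aws_ec2
regions:
  - eu-west-1
# Assume a read-only inventory role from the controller's own identity instead of
# storing access keys in the repository or in ansible.cfg.
iam_role_arn: arn:aws:iam::123456789012:role/ansible-inventory-read
filters:
  instance-state-name: running
  tag:ManagedBy: ansible            # only instances explicitly handed to Ansible
hostnames:
  - tag:Name                        # readable host names where the tag exists...
  - private-ip-address              # ...otherwise the private address
compose:
  ansible_host: private_ip_address  # always connect over the private network, never the public IP
keyed_groups:
  - key: tags.Environment
    prefix: env                     # env_prod, env_staging, ...
  - key: tags.Role
    prefix: role                    # role_web, role_db, ...
  - key: placement.availability_zone
    prefix: az
```

`ansible-inventory -i inventory/aws_ec2.yml --graph` shows the resulting groups; `ansible-playbook -i inventory/aws_ec2.yml site.yml --limit env_staging` then targets one environment. The identity the controller runs as needs only ec2:DescribeInstances (plus sts:AssumeRole for the inventory role).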
Q: What is the cloud.terraform collection?
A: An Ansible collection that integrates Terraform CLI operations within Ansible playbooks, allowing management of Terraform-provisioned infrastructure alongside Ansible configuration.
Q: What are Ansible Validated Content collections for cloud?
A: Pre-tested, Red Hat-supported collections with curated roles and playbooks that encapsulate industry best practices for cloud automation (e.g., cloud.gcp_ops for Google Cloud).
Q: What collection provides Podman modules and connection plugins?
A: containers.podman
Q: What collection provides Docker modules and connection plugins?
A: community.docker
Q: How do you run Ansible tasks inside an existing container?
A: Use the container's connection plugin: ansible_connection: containers.podman.podman or ansible_connection: community.docker.docker with the container name/ID as the host.
Q: What is the difference between community.docker.docker and community.docker.docker_api connection plugins?
A: docker uses the Docker CLI to execute commands. docker_api connects directly to the Docker daemon API, bypassing the CLI.
Q: What module creates and manages Podman containers?
A: containers.podman.podman_container
24. CI/CD Integration¶
Q: How is Ansible used in a CI/CD pipeline?
A: Ansible automates infrastructure provisioning, application deployment, and configuration management, triggered by code commits or merge requests via tools like Jenkins, GitHub Actions, or GitLab CI.
Q: How do you integrate Ansible with Jenkins?
A: Create Jenkins jobs that call ansible-playbook commands, use Jenkins Ansible plugin, pass build parameters as extra-vars, and archive job logs.
Q: How do you handle version control for playbooks?
A: Treat playbooks as code in Git. Use branches for changes, tags for versioning, code reviews for quality, and publish roles to Galaxy.
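Worked example, added here and not part of the compendium: a GitHub Actions workflow that lints every pull request, and on pushes to main performs a check-mode run followed by the real deployment, with the SSH key, known_hosts entries and Vault password coming from protected-environment secrets rather than the repository. The workflow name, secret names, inventory path and version pins are assumptions.

```yaml
# .github/workflows/ansible.yml  (added example; paths, secret names and version pins are assumptions)
name: ansible
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read            # the workflow only needs to read the repo

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install "ansible-core>=2.16,<2.18" ansible-lint
      - run: ansible-galaxy collection install -r requirements.yml
      - run: ansible-lint --profile production

  deploy:
    needs: lint
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # protected environment: required reviewers, secrets scoped to it
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install "ansible-core>=2.16,<2.18"
      - run: ansible-galaxy collection install -r requirements.yml

      - name: Materialise credentials as files readable only by the runner user
        run: |
          install -m 0700 -d ~/.ssh
          printf '%s\n' "$KNOWN_HOSTS" > ~/.ssh/known_hosts      # pinned host keys, so checking stays on
          printf '%s\n' "$DEPLOY_KEY"  > "$RUNNER_TEMP/deploy_key"
          printf '%s\n' "$VAULT_PASS"  > "$RUNNER_TEMP/vault_pass"
          chmod 0600 ~/.ssh/known_hosts "$RUNNER_TEMP/deploy_key" "$RUNNER_TEMP/vault_pass"
        env:
          KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
          DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}

      - name: Dry run first, then apply
        run: |
          ansible-playbook -i inventory/production site.yml --check --diff \
            --private-key "$RUNNER_TEMP/deploy_key" \
            --vault-password-file "$RUNNER_TEMP/vault_pass"
          ansible-playbook -i inventory/production site.yml \
            --private-key "$RUNNER_TEMP/deploy_key" \
            --vault-password-file "$RUNNER_TEMP/vault_pass" \
            -e "app_version=${GITHUB_SHA}"
        env:
          ANSIBLE_HOST_KEY_CHECKING: "true"   # the default, stated explicitly so nobody turns it off "temporarily"
```

The version the playbook deploys is the commit being built (`GITHUB_SHA`), so what ran through lint and check mode is exactly what is applied. Pinning ansible-core and installing collections from requirements.yml keeps the pipeline from silently picking up a new major release.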
25. Best Practices & Patterns¶
Q: What is Event-Driven Ansible (EDA)?
A: A capability that reacts to events in real-time (monitoring alerts, webhooks, message queues) and triggers automated remediation playbooks immediately.
Q: What are the key parts of an EDA rulebook?
A: Sources (provide events), rules (check conditions), and actions (trigger automation). Together they form "if this, then that" logic.
Q: What is a Decision Environment?
A: A containerized runtime that runs EDA rulebook logic, handling event listening and filtering before passing decisions to Execution Environments.
Q: What are Execution Environments?
A: Container images that package Ansible with all required dependencies (Python packages, collections, system libraries). Used with ansible-navigator.
Q: What is ansible-navigator?
A: A CLI tool that provides a cleaner interface for interacting with Execution Environments, replacing ansible-playbook for containerized execution.
Q: What is a rolling update strategy?
A: Using serial to update hosts in batches, draining servers from load balancers before updating, performing health checks after each batch, and using block/rescue for rollback.
Q: How do you implement blue-green deployments with Ansible?
A: Maintain two identical environments (blue/green), deploy to the inactive environment, run health checks, then switch traffic at the load balancer.
Q: How do you implement canary deployments with Ansible?
A: Route traffic gradually to new version hosts, monitor health metrics, and roll back quickly if issues arise using serial: 1 and load balancer manipulation.
Q: What is configuration drift?
A: Changes on a host that cause it to differ from the desired/synced state, often from ad-hoc manual modifications. Ansible combats drift through idempotent playbook runs.
Q: How do you detect configuration drift with Ansible?
A: Run playbooks in check mode (--check --diff) to see what would change without applying. Schedule regular runs to enforce desired state.
Q: Name three strategies to keep playbooks DRY.
A: Use roles for reusable components, use includes/imports for shared task files, and use variables/defaults to eliminate hardcoded values.
Q: What are best practices for writing Ansible playbooks?
A: Use roles for modularity, maintain proper YAML formatting, use meaningful task names, test in staging first, use check mode for validation, use version control, keep secrets encrypted with Vault, document your automation.
Q: What are best practices for Ansible role organization?
A: Follow naming conventions, modularize functionality, document roles thoroughly, use version control, implement testing with Molecule, minimize dependencies, and reuse community roles when appropriate.
Q: How do you handle multiple environments (dev, staging, prod)?
A: Create separate inventory files per environment, use environment-specific group_vars and host_vars, and specify the appropriate inventory with -i at runtime.
Q: What indentation is recommended for YAML?
A: 2 spaces (never tabs).
Q: What symbol starts a list item in YAML?
A: A dash followed by a space (-).
Q: What does YAML stand for?
A: YAML Ain't Markup Language (originally "Yet Another Markup Language").
Q: What is the "two-stage" or "delegate and register" pattern?
A: Running a task on one host (via delegate_to), registering the result, and using that result on the original host. Common for checking load balancer status before making changes to a backend server.
Q: What is the "canary deployment" pattern in Ansible?
A: Using serial: [1, 5, "100%"] to deploy to one host first (canary), then a small batch, then the rest. If the canary fails, the entire play stops before affecting other hosts.
Q: What is the "pre_tasks / post_tasks" idiom for rolling updates?
A: pre_tasks remove a host from a load balancer, the main roles/tasks deploy updates, and post_tasks re-add the host to the load balancer.
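Worked example, added here and not from the compendium, putting the three patterns above into one play: serial batches with a canary, pre_tasks/post_tasks for load balancer drain and re-add, and block/rescue for a per-host rollback. The group names `web` and `lb`, the HAProxy backend and socket path, the role name `app` and the health URL are assumptions.

```yaml
# rolling_update.yml  (added example; groups, backend, socket path, role and health URL are assumptions)
---
- name: Roll the new release across the web tier
  hosts: web
  serial: [1, 5, "100%"]          # one canary host, then five, then everyone left
  max_fail_percentage: 20          # a batch with more than 20% failures aborts the play
  pre_tasks:
    - name: Drain this host on every load balancer before touching it
      community.general.haproxy:
        state: disabled
        backend: web_backend
        host: "{{ inventory_hostname }}"
        socket: /var/run/haproxy/admin.sock
        wait: true                 # block until HAProxy reports the server as down
      delegate_to: "{{ item }}"
      loop: "{{ groups['lb'] }}"

  tasks:
    - name: Deploy with a rollback path
      block:
        - name: Apply the application role for the requested version
          ansible.builtin.include_role:
            name: app
          vars:
            app_version: "{{ target_version }}"

        - name: Wait for the local health endpoint to answer
          ansible.builtin.uri:
            url: http://127.0.0.1:8080/healthz
            status_code: 200
          register: health
          until: health.status == 200
          retries: 10
          delay: 3
      rescue:
        - name: Roll this host back to the previous version
          ansible.builtin.include_role:
            name: app
          vars:
            app_version: "{{ previous_version }}"

        - name: Fail the host so the batch threshold stops the rollout
          ansible.builtin.fail:
            msg: "{{ inventory_hostname }} failed health check on {{ target_version }}; rolled back"

  post_tasks:
    - name: Put this host back into rotation
      community.general.haproxy:
        state: enabled
        backend: web_backend
        host: "{{ inventory_hostname }}"
        socket: /var/run/haproxy/admin.sock
      delegate_to: "{{ item }}"
      loop: "{{ groups['lb'] }}"
```

A host that ends up in the rescue branch is marked failed, so its post_tasks do not run and it stays drained; that is the intended outcome, since the load balancer must not send traffic to a box that just failed its health check. With the canary batch of one host, a single failure is 100% of the batch and stops the play before any other host is touched.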
Q: What is the "include_role with conditionals" anti-pattern?
A: Putting when on include_role only evaluates the condition once (at include time). If you need per-task conditions inside the role, use variables instead. This is a common source of bugs.
Q: What is the "golden image" pattern using Ansible?
A: Using Ansible with Packer to provision a base VM/container image with all required software, then deploying instances from that image. Ansible handles the configuration during image build time rather than at runtime.
26. Scenarios & Real-World Problems¶
Q: You deploy configuration but servers show inconsistent settings. How do you detect and fix it?
A: Use check_mode to detect changes, --diff to show differences, re-run playbooks to enforce idempotency, implement scheduled cron-based ansible-pull for continuous compliance.
Q: How would you apply BGP configuration across 100 routers with minimum downtime?
A: Use ios_config module, implement serial batching (serial: 5), verify with --check mode, validate BGP status with ios_command after each batch.
Q: You have a slow playbook on 500 hosts. What do you investigate first?
A: Enable SSH pipelining, increase forks, configure fact caching, check for unnecessary gather_facts, optimize slow tasks, consider async for long-running operations.
Q: How would you design a reusable playbook for multiple environments?
A: Use separate inventory files per environment, environment-specific group_vars, roles for modularity, parameterized configurations, and conditional logic based on environment variables.
Q: How do you implement zero-downtime deployments?
A: Rolling updates with serial, drain servers from load balancer before update, health checks after deployment, block/rescue for rollback capability.
Q: How do you handle a playbook that exposes sensitive data in logs?
A: Use no_log: true on sensitive tasks, store secrets in Ansible Vault, use callback plugins for redaction, avoid echoing passwords in debug statements.
Q: How do you manage secrets across multiple environments?
A: Separate vault files per environment, use Vault IDs for different passwords, integrate with external secret managers (HashiCorp Vault, AWS Secrets Manager), rotate secrets regularly.
Q: A playbook fails to decrypt Vault data. What do you check?
A: Verify the vault password is correct, check the file path, ensure the correct Vault ID is specified, verify the file was encrypted with the expected password.
27. Quick-Fire Trivia & Rapid Recall¶
Q: What port does Ansible use for SSH by default?
A: Port 22.
Q: What is the default Ansible strategy?
A: linear -- tasks execute in order on all hosts before moving to the next task.
Q: What is the free strategy?
A: Each host runs as fast as possible without waiting for other hosts to complete each task.
Q: What command shows the Ansible version?
A: ansible --version
Q: What is the default number of forks?
A: 5.
Q: What does the ansible-config command do?
A: Displays, dumps, or validates Ansible configuration settings.
Q: What module is used to gather system information?
A: setup
Q: What module manages cron jobs?
A: cron
Q: What module manages users?
A: user
Q: What module manages services?
A: service or systemd
Q: What module creates directories?
A: file (with state: directory)
Q: What module copies files from remote to local?
A: fetch
Q: What is the default become method?
A: sudo
Q: What module is used to reboot a host?
A: reboot
Q: What is the default reboot timeout?
A: 600 seconds (10 minutes). Can be changed with reboot_timeout.
Q: Is Ansible open-source?
A: Yes, Ansible Core is open-source (GPL v3). Red Hat Ansible Automation Platform is the commercial enterprise product.
Q: What year was Ansible first released?
A: 2012.
Q: What year did Red Hat acquire Ansible?
A: 2015.
Q: What other tools did Michael DeHaan create before Ansible?
A: Cobbler (provisioning tool) and Func (remote command framework).
Q: What is the Ansible Tower rebrand name?
A: Red Hat Ansible Automation Platform (AAP). "Ansible Tower" is the legacy name for the web UI component.
Q: What is idempotency?
A: The property that running the same operation multiple times produces the same result as running it once. No unnecessary changes are made on subsequent runs.
Q: What is orchestration in Ansible?
A: Coordinating multiple systems and tasks together in a specific order to achieve complex multi-tier deployments.
Q: What is provisioning?
A: The process of setting up new servers and infrastructure. Ansible can automate the creation and initial configuration of systems.
Q: What does the ansible-galaxy CLI do?
A: Manages roles and collections -- install, create, remove, list, and search for reusable content.
Q: What does ansible-doc do?
A: Displays documentation for modules, plugins, and other Ansible components from the command line.
Q: What does ansible-config do?
A: Shows current configuration, dumps all settings, or validates configuration files.
Q: What does ansible-inventory do?
A: Displays or dumps the configured inventory in JSON or YAML format.
Q: What does ansible-console do?
A: Provides an interactive REPL (Read-Eval-Print Loop) for executing ad-hoc commands interactively.
Q: What does ansible-vault do?
A: Encrypts and decrypts files and strings for secure secret management.
Q: How do you generate an encrypted password for the user module?
A: ansible all -i localhost, -m debug -a "msg={{ 'password' | password_hash('sha512') }}". Omit the salt argument: password_hash then generates a random salt per call, whereas a fixed salt such as 'salt' makes equal passwords hash identically everywhere and weakens the hash. The command line (and the shell history) will contain the plaintext password, so prefer reading it from a vaulted variable inside a playbook.
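Worked example, added here and not part of the compendium, serving both the secrets scenarios above (separate vault files per environment, Vault IDs, no_log on sensitive tasks) and the password_hash question just answered: per-environment vault files holding a list of service accounts, and a play that creates them with hashed passwords without the plaintext reaching the log. The paths, Vault IDs, account names and the shape of `vault_service_accounts` are assumptions.

```yaml
# Layout (added example; paths, Vault IDs and account names are assumptions):
#   inventory/dev/group_vars/all/vault.yml    ansible-vault create --vault-id dev@prompt  inventory/dev/group_vars/all/vault.yml
#   inventory/prod/group_vars/all/vault.yml   ansible-vault create --vault-id prod@prompt inventory/prod/group_vars/all/vault.yml
# Each vault file holds, for its environment (constructed shape, values elided):
#   vault_service_accounts:
#     - { name: deploy, password: "..." }
#     - { name: backup, password: "..." }
# Run:  ansible-playbook -i inventory/prod service_accounts.yml --vault-id prod@prompt
---
- name: Manage service accounts without leaking their passwords
  hosts: app
  become: true
  tasks:
    - name: Create accounts with hashed passwords
      ansible.builtin.user:
        name: "{{ item.name }}"
        # password_hash generates a fresh random salt when none is given (a fixed
        # salt would make equal passwords hash identically on every host)...
        password: "{{ item.password | password_hash('sha512') }}"
        # ...so the hash differs on every run; only set it when the account is
        # created, otherwise this task would report "changed" forever.
        update_password: on_create
        shell: /usr/sbin/nologin
        create_home: false
      loop: "{{ vault_service_accounts }}"
      # The loop item (name and password) would otherwise be echoed in the task
      # result and in any log or callback output; no_log covers the whole task.
      no_log: true

    - name: Show which accounts are managed, without touching the secrets
      ansible.builtin.debug:
        msg: "managed accounts: {{ vault_service_accounts | map(attribute='name') | join(', ') }}"
```

Because a different Vault ID (and password) protects each environment, a leaked dev vault password does not open the prod file. On control nodes running Python 3.13 or newer, password_hash needs the passlib package since the crypt module was removed from the standard library.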
Q: How do you set the PATH or environment variables for a task?
A: Use the environment keyword on the task or play, for example: environment: { PATH: "{{ ansible_env.PATH }}:/new/path" }
Q: How do you loop over hosts in a group inside a template?
A: {% for host in groups['db_servers'] %} {{ host }} {% endfor %}
Q: What is the retry_until pattern in Ansible?
A: Using until, retries, and delay to retry a task until a condition is met or max retries is reached.
Q: What is meta: flush_handlers?
A: Forces all pending handlers to execute immediately, rather than waiting until the end of the play.
Q: What is meta: end_play?
A: Immediately ends the current play without executing remaining tasks.
Q: What is meta: clear_facts?
A: Removes all cached facts for the current host.
Q: What is meta: clear_host_errors?
A: Clears the failed state from hosts, allowing them to continue in subsequent tasks.
Q: What is the any_errors_fatal setting?
A: If set to true at the play level, any task failure on any host causes all hosts to fail and the play to abort.
Q: What does force_handlers: yes do?
A: Forces handlers to run even if a task fails, ensuring cleanup actions still execute.
Q: What is the ansible_connection variable?
A: Specifies the connection type for a host: ssh, winrm, local, docker, network_cli, etc.
Q: What is ansible_python_interpreter?
A: Specifies the path to Python on the managed node (useful when the default /usr/bin/python is incorrect).
Q: What is gather_subset?
A: Controls which subset of facts to gather (e.g., network, hardware, virtual, min). Reduces fact-gathering time.
Q: What module tests if a file exists on a remote host?
A: stat module -- returns file information including whether it exists.
Q: What module adds or modifies lines in files?
A: lineinfile (for single lines) or blockinfile (for blocks of text).
Q: What is the assert module used for?
A: Validates conditions and fails the playbook with a custom message if assertions are not met. Useful for pre-flight checks.
Q: What is the fail module?
A: Explicitly fails a play with a custom error message. Often used with when for conditional failures.
Q: What is the pause module?
A: Pauses playbook execution for a specified duration or until user input is provided.
Q: What is the set_stats module?
A: Sets custom statistics that are displayed at the end of a playbook run. Useful for reporting.
Q: What is a fact cache?
A: A persistent store (jsonfile, redis, memcached) that saves gathered facts between playbook runs, avoiding redundant fact collection.
Q: What is the raw module?
A: Executes a low-level command via SSH without requiring Python on the remote host. Useful for bootstrapping Python.
Q: What is the script module?
A: Transfers a script to the remote host and executes it. The script runs in the remote host's shell.
Q: What is the expect module?
A: Handles interactive command prompts by providing automated responses (requires pexpect library).
Q: What is the local_action keyword?
A: Runs a task on the control node instead of the remote host. Equivalent to delegate_to: localhost.
Q: What is callback plugin profile_tasks?
A: Displays timing information for each task, helping identify performance bottlenecks.
Q: What is callback plugin timer?
A: Shows the total playbook execution time.
Q: What happens if you reference an undefined variable?
A: Ansible raises a fatal error and stops execution, unless you use the default filter: {{ var | default('fallback') }}
Q: What is the lookup plugin?
A: Retrieves data from external sources at the control node level. Example: {{ lookup('file', '/path/to/file') }}
Q: What is the difference between lookup and query?
A: lookup returns a comma-separated string by default; query returns a list. query is preferred in modern Ansible for clarity.
Q: What is ansible_play_hosts?
A: A magic variable containing the list of active hosts in the current play (excludes failed hosts).
Q: What is ansible_play_batch?
A: A magic variable containing the list of hosts in the current batch when using serial.
Q: What is ansible_check_mode?
A: A magic variable that is true when the playbook is running in check mode (--check).
Q: What is the environment keyword used for?
A: Sets environment variables for task execution on the remote host.
Q: How do you access nested variables?
A: Use dot notation ({{ user.address.city }}) or bracket notation ({{ user['address']['city'] }}).
Q: What is ansible_host?
A: An inventory variable that specifies the actual IP/hostname to connect to, overriding the inventory name.
Q: What is ansible_port?
A: An inventory variable that specifies the SSH port to use for connecting to the host.
Q: What is an Ansible callback whitelist?
A: The list of enabled callback plugins in ansible.cfg. The setting was historically named callback_whitelist; it is now callbacks_enabled (environment variable ANSIBLE_CALLBACKS_ENABLED), and only the callbacks listed there (plus the stdout callback) are active.
Q: What format do Ansible modules return data in?
A: JSON (sent to stdout).
Q: Can you write custom Ansible modules?
A: Yes, write Python scripts using AnsibleModule from ansible.module_utils.basic, define argument specs, implement logic, and place in a library/ directory.
Q: What is creates parameter in command/shell modules?
A: If the specified file already exists, the task is skipped. Helps enforce idempotency for command tasks.
Q: What is removes parameter in command/shell modules?
A: If the specified file does NOT exist, the task is skipped. The inverse of creates.
Q: What is ansible_managed?
A: A special variable containing a string (configurable in ansible.cfg) used in templates to mark files as Ansible-managed: {{ ansible_managed }}
Q: How do you reboot a host and wait for it to come back?
A: Use the reboot module which handles both rebooting and waiting for reconnection automatically.
Q: What is max_fail_percentage used for?
A: Stops a rolling update if more than the specified percentage of hosts fail, preventing cascading failures.
Q: What is the throttle keyword?
A: Limits the number of concurrent hosts for a specific task (not the entire play like serial).
Q: What is order in a play?
A: Controls the order in which hosts are processed: inventory (default), reverse_inventory, sorted, reverse_sorted, shuffle.
Q: What is a pre_task and post_task?
A: pre_tasks run before roles; post_tasks run after roles and tasks. Useful for load balancer manipulation.
Q: What is a playbook import_playbook?
A: Imports another entire playbook into the current one, allowing playbook composition.
Q: What is collections keyword in a playbook?
A: Specifies which collections to search for modules/plugins, eliminating the need for FQCNs in tasks.
Q: What is the timeout connection parameter?
A: Sets the SSH connection timeout in seconds. Configurable per host or globally.
Q: What module manages SELinux?
A: selinux module (set mode to enforcing, permissive, or disabled).
Q: What module manages firewall rules?
A: firewalld (for firewalld) or iptables (for iptables).
Q: What module manages systemd services?
A: systemd (provides more systemd-specific options than the generic service module).
Q: What is changed_when: false used for?
A: Marks a task as never having made changes, useful for read-only commands that should not show as "changed" in output.
Q: What is ansible-pull?
A: A mode that inverts Ansible's default push architecture. Each managed node runs ansible-pull on a schedule (e.g., via cron), pulling playbooks from a Git repository and executing them locally.
Q: When is ansible-pull appropriate?
A: When central coordination of task completion isn't required and eventual consistency is acceptable. It scales well because processing is distributed across the fleet.
Q: What does ansible-pull require on each managed node?
A: Ansible must be installed, along with Git (to clone the playbook repository) and any Python dependencies needed by the playbooks.
Q: How does ansible-pull know which playbook to run?
A: Via -U/--url (repository URL), optionally -C/--checkout (branch, tag or commit) and -d/--directory (local checkout path), followed by the playbook file path; when no path is given it looks for a playbook named after the host (<fqdn>.yml, then <hostname>.yml) and finally local.yml. It clones or updates the repository, then runs the playbook locally. Since every node executes whatever is on the tracked branch, usually as root, protect that branch, give nodes a read-only deploy key, and consider --verify-commit, which refuses to run a commit whose GPG signature does not verify.
Q: What connection type does ansible-pull use?
A: local -- since it runs on the target host itself, no SSH connection is needed.
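Worked example, added here and not from the compendium: a bootstrap play that enrols every node in ansible-pull with a read-only deploy key, a pinned Git host key (instead of --accept-host-key), a per-node minute so the fleet does not hit the server at once, and signature verification of the checked-out commit. The repository URL, branch, key path, schedule and variable names are assumptions.

```yaml
# bootstrap_pull.yml  (added example; repository URL, branch, key path, schedule and variable names are assumptions)
---
- name: Enrol every node in ansible-pull
  hosts: all
  become: true
  tasks:
    - name: Install a read-only deploy key for the configuration repository
      ansible.builtin.copy:
        content: "{{ vault_pull_deploy_key }}"   # vaulted; the key can only read the repo
        dest: /root/.ssh/ansible-pull
        owner: root
        group: root
        mode: "0600"
      no_log: true

    - name: Pin the Git server's host key rather than trusting it on first use
      ansible.builtin.known_hosts:
        name: git.example.invalid
        key: "{{ git_host_key }}"                # full known_hosts line: "git.example.invalid ssh-ed25519 AAAA..."
        state: present

    - name: Run ansible-pull hourly at a minute derived from the hostname
      ansible.builtin.cron:
        name: ansible-pull
        user: root
        minute: "{{ 59 | random(seed=inventory_hostname) }}"   # stable per node, spread across the fleet
        job: >-
          /usr/bin/ansible-pull
          --url git@git.example.invalid:infra/config.git
          --checkout main
          --directory /var/lib/ansible-pull
          --private-key /root/.ssh/ansible-pull
          --only-if-changed
          --verify-commit
          local.yml >> /var/log/ansible-pull.log 2>&1
```

`--verify-commit` requires the signing keys of the people allowed to merge to main in root's GnuPG keyring on every node; without that step, whoever can push to the branch (or compromise the Git server) runs code as root on the whole fleet. `--only-if-changed` skips the playbook when the checkout did not move, which keeps the log readable and the load low.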
Q: What is the set_fact module's cacheable option?
A: When cacheable: true, the fact is stored in the fact cache and persists across playbook runs (if fact caching is enabled).
Q: What is the meta module used for?
A: Executing Ansible internal operations: flush_handlers, refresh_inventory, noop, clear_facts, clear_host_errors, end_play, end_host, end_batch, reset_connection.
Q: What does meta: end_host do?
A: Stops executing tasks on the current host for the remainder of the play without failing it. Other hosts continue normally.
Q: What does meta: reset_connection do?
A: Forces Ansible to close and re-establish the connection to the current host. Useful after making changes that affect the connection (e.g., changing the SSH key or restarting sshd).
Q: What is the no_log: true directive?
A: Prevents Ansible from logging task parameters and results, useful for tasks handling sensitive data like passwords.
Q: What does module_defaults do at the play or block level?
A: Sets default module arguments (not task keywords such as become) for specific modules, or for an action group like group/amazon.aws, across all tasks in the play or block. Example: setting validate_certs and a CA path once for every ansible.builtin.uri call, or region once for every amazon.aws module, instead of repeating it per task.
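Worked example, added here and not from the compendium: module_defaults used to pin TLS verification, a private CA, a timeout and an authorization header for every uri call in the play, plus a region for an action group. The API host, CA path, vault variable and the group/amazon.aws usage are assumptions.

```yaml
# api_job.yml  (added example; API host, CA path and vault variable name are assumptions)
---
- name: Talk to an internal API with one set of hardened HTTP defaults
  hosts: localhost
  gather_facts: false
  module_defaults:
    ansible.builtin.uri:
      validate_certs: true
      ca_path: /etc/ssl/certs/internal-ca.pem
      timeout: 10
      headers:
        Authorization: "Bearer {{ vault_api_token }}"
    group/amazon.aws:            # action group: every amazon.aws module in this play
      region: eu-west-1
  tasks:
    - name: Health check (inherits TLS settings and the bearer token)
      ansible.builtin.uri:
        url: https://api.internal.example/healthz

    - name: Start a job; only the per-task differences are spelled out here
      ansible.builtin.uri:
        url: https://api.internal.example/jobs
        method: POST
        body_format: json
        body:
          name: nightly-scan
        status_code: [201, 202]
      register: job
      no_log: true               # the response may echo request headers or tokens

    - name: Report the job id only
      ansible.builtin.debug:
        msg: "started job {{ job.json.id | default('unknown') }}"
```

Task-level arguments still win over module_defaults, so a task can override timeout without losing the CA pin. The flip side is that the effective arguments are no longer visible on the task, which matters during review: keep module_defaults at the top of the play where they are seen.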
Q: What is the INJECT_FACTS_AS_VARS configuration?
A: When true (default), facts are also injected as top-level variables (e.g., ansible_hostname). When false, facts are only accessible via ansible_facts['hostname']. Disabling it reduces variable namespace pollution and prevents a gathered fact from silently shadowing a playbook or inventory variable of the same name (or vice versa).
Q: What is the ansible_host variable?
A: The connection address for a host, allowing the inventory name to differ from the actual hostname/IP used for SSH.
Q: What is register in Ansible?
A: Captures the return value of a task into a variable for use in subsequent tasks. The registered variable contains stdout, stderr, rc, changed, failed, and module-specific keys.
Q: What is wait_for_connection used for?
A: Waiting until a host becomes reachable, typically after a reboot. It repeatedly attempts to connect until successful or timeout.
Q: What is group_by module?
A: Dynamically creates groups during playbook execution based on facts or variables: group_by: key=os_{{ ansible_distribution }}.
Q: What does ANSIBLE_KEEP_REMOTE_FILES do?
A: When set to true, Ansible doesn't delete the temporary module files on remote hosts after execution. Useful for debugging module issues.
Q: What is the ansible-doc command?
A: Displays documentation for modules, plugins, and keywords from the command line: ansible-doc ansible.builtin.copy, ansible-doc -t callback json.
Q: What is the template module's output_encoding parameter?
A: Specifies the character encoding for the rendered template output file (default: utf-8).
Q: What is the auto interpreter discovery in Ansible?
A: Starting in Ansible 2.8, when ansible_python_interpreter is not set, Ansible uses a platform-specific discovery table to find the correct Python interpreter, preferring /usr/bin/python3.
Q: What does connection: local do?
A: Executes tasks on the control node itself instead of connecting to a remote host. Used with delegate_to: localhost or for local operations.
Q: What is ANSIBLE_COLLECTIONS_PATH?
A: An environment variable (or collections_path in ansible.cfg; the older plural collections_paths is deprecated) that specifies the directories where Ansible searches for installed collections.
Q: What is ANSIBLE_ROLES_PATH?
A: Specifies additional directories where Ansible searches for roles beyond the default ./roles and ~/.ansible/roles.
Q: What are Ansible test plugins?
A: Jinja2 test functions used in when conditionals: is defined, is undefined, is match, is search, is regex, is file, is directory, is link, etc.
Q: What is the difference between is match and is search tests?
A: match anchors to the beginning of the string (like re.match). search finds a pattern anywhere in the string (like re.search).
Q: What is the ansible.builtin.raw module?
A: Executes a raw command over SSH without requiring Python on the remote host. Used for bootstrapping Python or managing devices that can't run Python.
Q: What is the ansible.builtin.script module?
A: Transfers and executes a local script on the remote host. The script runs in the remote host's shell.
Q: What does any_errors_fatal: true do at the play level?
A: Causes any task failure on any host to immediately abort the entire play for all hosts.
Q: What is gather_subset for?
A: Limits which categories of facts are collected: hardware, network, virtual, ohai, facter, all, min, or negated with ! (e.g., !hardware).
Q: What is the ansible.builtin.package module?
A: A generic OS package module that automatically selects the appropriate backend (yum, apt, dnf, zypper) based on the target OS.
Q: What is the loop_control directive?
A: Controls loop behavior: loop_var (rename loop variable), index_var (expose loop index), label (customize output display), pause (delay between iterations), extended (expose extended loop info).
Q: What does loop_control: extended provide?
A: Access to ansible_loop.allitems, ansible_loop.index, ansible_loop.index0, ansible_loop.first, ansible_loop.last, ansible_loop.length, ansible_loop.revindex, ansible_loop.revindex0.
Q: What is vars_prompt?
A: A play-level directive that prompts the user for input at playbook start. Supports private (hide input), default, confirm, and encrypt options.
Q: What is environment at the task or play level?
A: Sets environment variables for the duration of the task/play on the remote host. Commonly used for proxy settings or PATH modifications.
Q: What is the uri module?
A: Makes HTTP/HTTPS requests from the control node (or remote host if delegated). Used for API calls, health checks, and webhook triggers.
Q: What happened to with_items, with_dict, with_file, etc.?
A: These are legacy loop constructs. Modern Ansible uses loop: with filters: loop: "{{ my_list }}", loop: "{{ my_dict | dict2items }}", etc.
Q: What is the ansible.builtin.find module?
A: Searches for files/directories on remote hosts matching specified criteria (patterns, age, size). Returns a list of matching paths.
Q: What does ansible-inventory --graph do?
A: Displays the inventory as a tree graph showing groups and hosts hierarchically.
Q: What does ansible-inventory --list do?
A: Outputs the complete inventory as JSON, including all groups, hosts, and variables.
Q: What is ANSIBLE_STDOUT_CALLBACK?
A: Environment variable that sets the stdout callback plugin, controlling output formatting (json, yaml, debug, minimal, etc.).
Q: What are the _raw_params in free-form modules?
A: The internal parameter name used by modules like command, shell, and raw that accept a free-form command string instead of structured key=value arguments.
Q: What is the ansible.builtin.reboot module?
A: Reboots the remote host and waits for it to come back. Handles the connection drop and reconnection automatically.
Q: What timeout does the reboot module use by default?
A: 600 seconds (10 minutes) for the host to become reachable again after reboot.
Q: What is check_mode: true at the task level?
A: Forces a specific task to run in check mode even when the playbook is run normally. The inverse (check_mode: false) forces a task to run even in check mode.
Q: What is diff: true at the task level?
A: Shows a unified diff of changes made by the task (for modules that support it, like copy, template, lineinfile).
Q: What does ANSIBLE_PIPELINING control?
A: When true, reduces the number of SSH operations by piping the module to the remote Python interpreter's stdin instead of using temporary files. Requires requiretty to be disabled in sudoers.
Q: What is the difference between ansible.builtin.lineinfile and ansible.builtin.blockinfile?
A: lineinfile manages single lines in files (insert, replace, ensure present/absent). blockinfile manages multi-line blocks surrounded by markers.
Q: What is a "fully qualified collection name" (FQCN)?
A: The complete namespace.collection.module path, e.g., ansible.builtin.copy, community.general.ufw, amazon.aws.ec2_instance.
Q: What is ansible.builtin.add_host?
A: Dynamically adds a host to the in-memory inventory during playbook execution. Useful for adding newly provisioned hosts.
Q: What is the ansible.builtin.debug module's var vs msg parameter?
A: var prints a variable's value (auto-evaluated, no Jinja2 braces needed). msg prints a formatted message string (supports Jinja2 expressions in braces).
Q: What does ANSIBLE_NOCOWS do?
A: Disables the cowsay output formatting that Ansible uses when cowsay is installed.
Q: What is ansible-console?
A: An interactive REPL-style console for running ad-hoc Ansible tasks against an inventory, with tab completion.
Q: What is the ansible.posix collection?
A: A collection of POSIX-system modules including acl, at, authorized_key, firewalld, mount, patch, seboolean, selinux, synchronize, sysctl.
Q: What is the synchronize module?
A: An Ansible wrapper around rsync. Requires rsync on both source and destination. Key gotchas: must use delegate_to to change source, and full paths are needed when using sudo.
Q: What is ansible.builtin.apt_key and why is it deprecated?
A: It managed APT repository GPG keys. Deprecated because modern apt recommends storing keys in /etc/apt/keyrings/ and referencing them with signed-by in sources.
Q: What is the become_method setting and what values does it support?
A: Controls how Ansible escalates privileges. Values: sudo (default), su, pbrun, pfexec, doas, dzdo, ksu, runas (Windows), machinectl, enable (network devices).
Q: What is the ansible_connection variable set to for network devices?
A: Typically ansible.netcommon.network_cli, ansible.netcommon.netconf, or ansible.netcommon.httpapi, depending on the platform and API type.
Q: What does the flatten filter do?
A: Recursively flattens nested lists into a single flat list: {{ [[1,2],[3,[4,5]]] | flatten }} produces [1,2,3,4,5].
Q: What is ansible_facts vs top-level fact variables?
A: ansible_facts is a dictionary namespace containing all gathered facts. When INJECT_FACTS_AS_VARS is true (default), facts are also available as top-level variables prefixed with ansible_.
Q: What is the password_hash filter?
A: Generates a system-compatible password hash: {{ 'mypassword' | password_hash('sha512', 'salt') }}. Used for setting user passwords idempotently.
Q: What happens when you use creates or removes with command/shell modules?
A: creates: /path/to/file skips the task if the file already exists. removes: /path/to/file skips the task if the file does NOT exist. Both enable idempotency for command-based tasks.
Q: What Python versions does Ansible 2.9 support on the control node?
A: Python 2.7 or Python 3.5+.
Q: When did Ansible drop Python 2 support on the control node?
A: ansible-core 2.12 dropped Python 2.7 support on the control node (requires Python 3.8+). However, managed nodes could still use Python 2.7 until ansible-core 2.17.
Q: What Python version does ansible-core 2.14 require on the control node?
A: Python 3.9+.
Q: What Python version does ansible-core 2.16 require on the control node?
A: Python 3.10+.
Q: What Python version does ansible-core 2.17+ require on managed nodes?
A: Python 3.7+ on managed nodes. Python 2.7 support on managed nodes was dropped.
Q: What is the latest ansible-core Python requirement (as of 2.20)?
A: Python 3.12+ on the control node.
Q: Why does Ansible have separate Python requirements for control node vs. managed nodes?
A: The control node runs the full Ansible engine and needs a modern Python for its dependencies. Managed nodes only need Python to execute transferred module code, so older Python versions are supported longer to accommodate legacy systems.
Q: What does --check (check mode / dry run) do?
A: Ansible simulates the playbook execution without making changes. Modules that support check mode report what would have changed.
Q: What is the major limitation of check mode?
A: It's a simulation. Tasks that use registered variables from prior tasks may not work correctly because those prior tasks didn't actually run. Conditional logic depending on real execution results will be unreliable.
Q: What does --diff do?
A: It shows before-and-after comparisons for tasks that modify files (template, copy, lineinfile, etc.). Very useful for reviewing what a playbook will change.
Q: Can you force a specific task to always or never run in check mode?
A: Yes. check_mode: true makes a task always run in check mode even during a normal run. check_mode: false makes a task always execute normally even during a check mode run.
Q: How can you detect check mode inside a playbook?
A: Use the ansible_check_mode magic variable: when: not ansible_check_mode to skip a task in check mode.
Q: What is delegate_facts: true?
A: When used with delegate_to, it assigns any gathered facts to the delegated host rather than the original target host. Without it, facts from the delegated task go to the inventory host being processed.
Q: What is the gotcha with run_once and serial?
A: With serial, run_once executes once PER BATCH, not once for the entire play. If you have serial: 5 and 20 hosts, run_once executes 4 times (once per batch of 5). To truly run once, use when: inventory_hostname == ansible_play_hosts_all[0].
Q: Can serial accept a list? What does that do?
A: Yes. serial: [1, 5, "20%"] runs the first batch with 1 host, the second with 5, then subsequent batches with 20% of remaining hosts. This is the "canary deployment" pattern -- test on one host first, then gradually expand.
Q: What does throttle do at the task level?
A: Limits the number of hosts executing that specific task simultaneously, regardless of the forks setting. Useful for tasks that hit rate-limited APIs or shared resources.
Q: What is ansible-pull and how does it invert Ansible's normal model?
A: Instead of a central control node pushing to targets, each target runs ansible-pull to clone a Git repository containing playbooks and execute them locally. This creates a pull-based (agent-like) model.
Q: What playbook filename does ansible-pull look for by default?
A: It looks for <hostname>.yml (matching the host's hostname) or local.yml in the repository root.
Q: How is ansible-pull typically scheduled?
A: Via a cron job (commonly every 15-30 minutes). Example: */30 * * * * ansible-pull -U git@repo.example.com:config.git
Q: When is ansible-pull preferred over the normal push model?
A: Auto-scaling environments (new instances configure themselves), edge deployments, large fleets where a central control node would be a bottleneck, and environments where nodes can't be reached from a central point (firewalled, NAT'd).
Q: Besides git, what other VCS does ansible-pull support?
A: Subversion, Mercurial (hg), and Bazaar (bzr). Git is the default.
28. Community & Governance¶
Q: What is the Ansible Community Steering Committee?
A: The governing body that provides continuity, guidance, and technical direction for the Ansible community project. It approves new proposals, policies, collection inclusion requests, and packaging decisions.
Q: How are Steering Committee members selected?
A: Based on their active contribution to the Ansible project and community. New members are nominated and voted on by existing committee members.
Q: Where does the Steering Committee conduct business?
A: Primarily on the Ansible Forum (forum.ansible.com) for asynchronous discussions and voting on proposals. Regular Community Working Group meetings are also held.
Q: What are Ansible Working Groups?
A: Self-organized teams of community members focused on specific topics -- often centered around particular collections (e.g., AWS, Windows, Network) or cross-cutting concerns (documentation, testing, security).
Q: What is the Community Working Group specifically?
A: A "catch-all" working group that focuses on keeping other working groups running and handles community activities not covered by specialized groups.
Q: Where did the Ansible community move after leaving IRC?
A: The community moved to the Ansible Forum (forum.ansible.com) based on Discourse, and Matrix for real-time chat (replacing IRC on Libera.Chat).
Q: Who is Jeff Geerling and why is he significant to the Ansible community?
A: Jeff Geerling is one of the most prolific Ansible community contributors, author of "Ansible for DevOps" (the most popular Ansible book), maintainer of dozens of the most-downloaded Galaxy roles (geerlingguy.docker, geerlingguy.mysql, geerlingguy.java, etc.), and a frequent speaker at AnsibleFest.
Q: What is the most downloaded Ansible Galaxy role author namespace?
A: geerlingguy -- Jeff Geerling's roles collectively have hundreds of millions of downloads, with roles like geerlingguy.docker, geerlingguy.java, geerlingguy.apache, and geerlingguy.nginx being among the most popular on Galaxy.