Ansible — Agentless Server Automation

Practical guide to Ansible — agentless IT automation over SSH, provisioning, deploying and configuring with YAML playbooks plus Vault for secrets.

Ansible is an agentless automation tool from Red Hat that lets you provision servers, configure them and roll out software – without running any agent on the managed hosts. Everything happens over plain SSH, and your desired state lives as code in declarative YAML playbooks. The name actually covers several binaries: ansible for ad-hoc commands, ansible-playbook for full workflows, plus ansible-galaxy, ansible-vault and ansible-inventory. This guide takes you from a quick ping through structured playbooks all the way to encrypted secrets management.

Ad-Hoc Commands

ansible <hosts> -m ping — Test connectivity to hosts.

ansible all -m ping

ansible <hosts> -a '<command>' — Run a command on remote hosts (uses the default command module, so pipes and redirects are not interpreted).

ansible webservers -a 'uptime'

ansible <hosts> -m <module> -a '<args>' — Run a module with arguments.

ansible webservers -m apt -a 'name=nginx state=present' -b

ansible <hosts> -m copy -a 'src=<src> dest=<dest>' — Copy a file to remote hosts.

ansible all -m copy -a 'src=config.conf dest=/etc/app/config.conf' -b

ansible <hosts> -m service -a 'name=<svc> state=restarted' — Restart a service on remote hosts.

ansible webservers -m service -a 'name=nginx state=restarted' -b

ansible <hosts> -b -a '<command>' — Run command with sudo (become).

ansible all -b -a 'apt update'

Playbooks

ansible-playbook <playbook> — Run a playbook.

ansible-playbook site.yml

ansible-playbook <playbook> -i <inventory> — Run with a specific inventory file.

ansible-playbook deploy.yml -i production/hosts

ansible-playbook <playbook> --check — Dry run: show what would change without applying.

ansible-playbook site.yml --check

ansible-playbook <playbook> --diff — Show file differences when making changes.

ansible-playbook site.yml --diff

ansible-playbook <playbook> -l <hosts> — Limit execution to specific hosts.

ansible-playbook site.yml -l webserver01

ansible-playbook <playbook> -t <tags> — Run only tasks with specific tags.

ansible-playbook site.yml -t nginx,deploy

ansible-playbook <playbook> -e '<key>=<value>' — Pass extra variables.

ansible-playbook deploy.yml -e 'version=2.0 env=production'

Inventory

ansible-inventory --list — Show the full inventory in JSON format.

ansible-inventory --list -i hosts.yml

ansible-inventory --graph — Show inventory as a tree graph.

ansible-inventory --graph

ansible <hosts> --list-hosts — List which hosts match a pattern.

ansible webservers --list-hosts

ansible-playbook <playbook> --list-tasks — List all tasks in a playbook.

ansible-playbook site.yml --list-tasks

ansible-playbook <playbook> --list-tags — List all tags in a playbook.

ansible-playbook site.yml --list-tags

Galaxy & Roles

ansible-galaxy init <role> — Create a new role directory structure.

ansible-galaxy init my-role

ansible-galaxy install <role> — Install a role from Ansible Galaxy.

ansible-galaxy install geerlingguy.docker

ansible-galaxy install -r requirements.yml — Install roles from a requirements file.

ansible-galaxy install -r requirements.yml

ansible-galaxy collection install <collection> — Install an Ansible collection.

ansible-galaxy collection install community.docker

ansible-galaxy list — List installed roles.

ansible-galaxy list

Vault (Secrets)

ansible-vault create <file> — Create a new encrypted file.

ansible-vault create secrets.yml

ansible-vault edit <file> — Edit an encrypted file.

ansible-vault edit secrets.yml

ansible-vault encrypt <file> — Encrypt an existing file.

ansible-vault encrypt vars/passwords.yml

ansible-vault decrypt <file> — Decrypt an encrypted file.

ansible-vault decrypt secrets.yml

ansible-vault view <file> — View the contents of an encrypted file without decrypting it on disk.

ansible-vault view secrets.yml

ansible-playbook <playbook> --ask-vault-pass — Run playbook and prompt for vault password.

ansible-playbook site.yml --ask-vault-pass

ansible-vault encrypt_string '<string>' --name '<var>' — Encrypt a single string for use in YAML.

ansible-vault encrypt_string 'mysecret' --name 'db_password'

Debugging & Config

ansible-playbook <playbook> -v — Run with verbose output (-v, -vv, -vvv, -vvvv).

ansible-playbook site.yml -vvv

ansible-config dump — Show all configuration settings.

ansible-config dump --only-changed

ansible-doc <module> — Show documentation for a module.

ansible-doc ansible.builtin.apt

ansible-doc -l — List all available modules.

ansible-doc -l | grep docker

ansible-playbook <playbook> --syntax-check — Check playbook syntax without running.

ansible-playbook site.yml --syntax-check

ansible-playbook <playbook> --step — Run playbook step by step with confirmation.

ansible-playbook site.yml --step

Conclusion

The same toolbox covers both worlds: quick ad-hoc fixes and reproducible playbooks versioned in YAML – idempotent, so running them repeatedly converges on the same target state. For risky changes, dry-run with --check and --diff before you apply for real, because ad-hoc shell or command calls and state=absent take effect immediately and irreversibly. Keep secrets encrypted in ansible-vault only – never in plaintext in a Git repository – and reach for -b/--become solely where you genuinely need root privileges.
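One way to enforce the "never in plaintext in a Git repository" rule is to check that secrets files begin with the Ansible Vault header before they are committed. The script below is an added example, not part of the original guide. It assumes secrets are kept in files named secrets.yml or passwords.yml (the names used in the Vault examples above), and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find secrets files that were never vault-encrypted.
# Assumption: secrets live in files named secrets.yml or passwords.yml.

# Succeeds if the first line of FILE is an Ansible Vault header.
is_vault_encrypted() {
    first_line=
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;   # e.g. $ANSIBLE_VAULT;1.1;AES256
        *) return 1 ;;
    esac
}

# Prints every secrets file under DIR that lacks the vault header.
find_plaintext_secrets() {
    find "$1" -type f \( -name 'secrets.yml' -o -name 'passwords.yml' \) |
    sort |
    while IFS= read -r f; do
        is_vault_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Returns 1 (and lists the files on stderr) if any plaintext secrets exist.
check_secrets() {
    leaks=$(find_plaintext_secrets "$1")
    if [ -n "$leaks" ]; then
        printf 'not vault-encrypted:\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree: one encrypted file, one plaintext file.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/vars"
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '636f6e7374727563746564' \
    > "$demo_dir/secrets.yml"
printf 'db_password: example-only\n' > "$demo_dir/vars/passwords.yml"
check_secrets "$demo_dir" || echo "commit blocked"
rm -rf "$demo_dir"
```

Call check_secrets from a pre-commit hook or CI job so a non-zero exit stops the commit. Values encrypted inline with encrypt_string sit inside otherwise plaintext YAML files and are outside the scope of this whole-file check.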

Further Reading

  • aws – command-line client for Amazon Web Services resources
  • terraform – declarative infrastructure as code across providers