Top 100 Ansible Interview Questions

1. What is Ansible?

Ansible is an open-source automation tool that simplifies configuration management, application deployment, cloud provisioning, and other IT automation tasks. It is agentless, meaning it connects to managed nodes over SSH and requires no special software to be installed on them. You can learn more from the official Ansible website.

2. What are the key features of Ansible?

• Agentless: No client software is needed on the managed nodes.
• Simple & Human-Readable: Uses YAML for playbooks, which is easy to read and write.
• Idempotent: Running a playbook multiple times will result in the same system state, only making changes when necessary.
• Extensible: A large library of built-in modules, with the ability to write custom modules.
• Orchestration: Can manage complex, multi-tier application deployments.

3. Explain the architecture of Ansible.

Ansible's architecture consists of:

• Control Node: The machine where Ansible is installed and from which playbooks are run.
• Managed Nodes: The servers or devices being managed by Ansible.
• Inventory: A file (usually INI or YAML) that lists the managed nodes.
• Playbooks: YAML files that define the automation tasks.
• Modules: Reusable units of code that Ansible executes on managed nodes (e.g., `apt`, `copy`, `service`).
• Plugins: Pieces of code that augment Ansible's core functionality.

4. What is the difference between Ansible and other tools like Puppet or Chef?

• Architecture: Ansible is agentless (push-based), while Puppet and Chef are agent-based (pull-based), requiring client software on managed nodes.
• Language: Ansible uses YAML, which is generally considered simpler than Puppet's DSL or Chef's Ruby-based DSL.
• Simplicity: Ansible is often seen as having a lower barrier to entry due to its simplicity and agentless nature.

5. What is the difference between Ansible and Terraform?

Ansible is primarily a configuration management tool (procedural), focused on installing and configuring software on existing servers. Terraform is an infrastructure provisioning tool (declarative), focused on creating and managing infrastructure resources like virtual machines, networks, and storage.

6. What is idempotency in Ansible?

Idempotency means that running an Ansible playbook multiple times will produce the same result without causing unintended changes. If a system is already in the desired state, Ansible won't make any changes. This is a key feature that ensures predictable and safe automation.

7. What are the main components of Ansible?

• Inventory: Lists of hosts/nodes to be managed
• Playbooks: YAML files containing automation instructions
• Modules: Reusable units of code that perform specific tasks
• Plugins: Extend Ansible's core functionality
• Roles: Predefined ways to organize playbooks and other files
• Collections: Distributable packages of Ansible content

8. What is Ansible Galaxy?

Ansible Galaxy is a hub for finding, reusing, and sharing Ansible content. It provides a platform for community-contributed roles, collections, and other resources that can be easily integrated into Ansible automation workflows.

9. What programming language is Ansible written in?

Ansible is primarily written in Python. This allows it to run on most systems with Python installed and makes it extensible through Python modules and plugins.

10. What is Ansible Tower/AWX?

Ansible Tower (commercial) and AWX (open-source upstream project) are web-based solutions that make Ansible easier to use for IT teams. They provide a dashboard, role-based access control, job scheduling, graphical inventory management, and other enterprise features.

11. What is an Ansible inventory file?

An inventory file is a text file that defines the hosts and groups of hosts that Ansible manages. It can be in INI or YAML format and contains information about the managed nodes, including hostnames, IP addresses, and connection variables.

12. How do you organize hosts in an inventory file?

Hosts can be organized into groups using section headers in INI format or as YAML dictionaries. Groups can be nested, and hosts can belong to multiple groups. For example:

[webservers]
web1.example.com
web2.example.com

[databases]
db1.example.com
db2.example.com

[production:children]
webservers
databases

13. What are inventory variables and how are they defined?

Inventory variables are key-value pairs that define properties for hosts or groups. They can be defined inline with hosts, in group sections, or in separate variable files. For example:

[webservers]
web1.example.com http_port=80
web2.example.com http_port=8080

[webservers:vars]
nginx_version=1.18
service_state=running

14. What is the default location of the Ansible configuration file?

The default location of the Ansible configuration file (ansible.cfg) is /etc/ansible/ansible.cfg. However, Ansible checks for this file in multiple locations in this order:

1. ANSIBLE_CONFIG environment variable
2. ./ansible.cfg (current directory)
3. ~/.ansible.cfg (home directory)
4. /etc/ansible/ansible.cfg

15. What is the purpose of the ansible.cfg file?

The ansible.cfg file contains configuration settings for Ansible, including default options for connecting to hosts, privilege escalation, plugin paths, and other behavioral settings. It allows customization of Ansible's behavior without having to specify command-line options.

16. How can you specify a custom inventory file?

You can specify a custom inventory file using the -i or --inventory option followed by the path to the inventory file:

ansible-playbook -i /path/to/custom/inventory playbook.yml

Alternatively, you can set the inventory file path in the ansible.cfg file.

17. What are patterns in Ansible and how are they used?

Patterns are used to target specific hosts or groups in Ansible commands. They can include:

• Single host: host1
• Group: webservers
• Multiple groups: webservers:dbservers
• Exclusion: webservers:!db1 (all webservers except db1)
• Wildcards: *.example.com

18. How do you define a range of hosts in an inventory file?

You can define a range of hosts using numeric or alphabetic patterns:

[webservers]
web[01:10].example.com  # web01.example.com to web10.example.com

[databases]
db-[a:d].example.com    # db-a.example.com to db-d.example.com

19. What is the difference between static and dynamic inventory?

A static inventory is a fixed file that lists all managed hosts. A dynamic inventory is generated by a script or program that can query external sources (like cloud providers, CMDBs, or other systems) to get the current list of hosts, making it more flexible for dynamic environments.

20. How can you set up a dynamic inventory for AWS?

To set up a dynamic inventory for AWS, you can use the aws_ec2 inventory plugin:

1. Install the AWS collection: ansible-galaxy collection install amazon.aws
2. Configure AWS credentials
3. Create an inventory configuration file that uses the aws_ec2 plugin
4. Use the inventory with -i inventory_aws_ec2.yml

21. What is an Ansible Playbook?

A Playbook is a YAML file that contains a set of ordered tasks to be executed against managed nodes. It's the core of Ansible's configuration, deployment, and orchestration language, allowing you to define the desired state of your systems.

22. What are the basic components of a playbook?

The basic components of a playbook include:

• Hosts: The target hosts or groups
• Variables: Data that can be used in tasks
• Tasks: Actions to be performed
• Handlers: Tasks that run only when notified
• Roles: Reusable units of organization
• Blocks: Logical groupings of tasks

23. What is a play in Ansible?

A play is a set of tasks mapped to a set of hosts. A playbook can contain one or more plays. Each play defines which hosts the tasks should run against and what tasks to execute.

24. How do you execute a playbook?

You execute a playbook using the ansible-playbook command:

ansible-playbook playbook.yml

You can add options like -i for inventory, --limit to limit hosts, --check for dry-run, etc.

25. What is the difference between a task and a play?

A task is a single action to be performed (like installing a package or copying a file), while a play is a set of tasks applied to a specific set of hosts. A playbook contains one or more plays.

26. How can you control the order of task execution in a playbook?

Tasks in a playbook execute in the order they are defined. You can control execution flow using:

• when conditions for conditional execution
• notify handlers for triggered execution
• block and rescue for error handling
• include_tasks or import_tasks for modularization
• Tags for selective execution

27. What is the purpose of the gather_facts option in a play?

The gather_facts option controls whether Ansible collects system information (facts) about the managed nodes before executing tasks. When set to true (default), Ansible runs the setup module to gather facts that can be used in playbooks.

28. How do you run a specific task in a playbook?

You can run specific tasks using tags. First, tag the tasks in your playbook:

- name: Install package
  apt:
    name: nginx
    state: present
  tags: install

Then run only tasks with that tag:

ansible-playbook playbook.yml --tags "install"

29. What is the difference between serial and max_fail_percentage in play execution?

serial defines how many hosts to process at a time (rolling update), while max_fail_percentage defines the percentage of hosts that can fail before the entire play fails. They can be used together to control execution behavior across hosts.

30. How can you make a playbook continue execution even if a task fails?

You can use the ignore_errors directive on a task:

- name: Attempt something that might fail
  command: /bin/false
  ignore_errors: yes

Alternatively, you can use blocks with rescue sections for more sophisticated error handling.

31. What is the purpose of the --check flag?

The --check flag runs Ansible in "dry run" mode, showing what changes would be made without actually making them. This is useful for testing playbooks before applying them to production systems.

32. How do you limit playbook execution to specific hosts?

You can use the --limit option to restrict execution to specific hosts:

ansible-playbook playbook.yml --limit "webserver1,webserver2"

You can also use patterns to limit execution to specific groups or combinations.

33. What is the difference between include_tasks and import_tasks?

include_tasks dynamically includes and executes tasks during playbook runtime, while import_tasks statically imports tasks during playbook parsing. This affects how variables are handled and when the included content is processed.

34. How can you make a playbook executable without the ansible-playbook command?

You can add a shebang line at the top of the playbook and make it executable:

#!/usr/bin/env ansible-playbook
---
- name: My playbook
  hosts: all
  tasks:
    - name: Example task
      debug:
        msg: "Hello World"

Then make it executable: chmod +x playbook.yml and run it directly: ./playbook.yml

35. What is the purpose of the --syntax-check flag?

The --syntax-check flag validates the syntax of a playbook without executing it. This helps catch YAML syntax errors before running the playbook:

ansible-playbook playbook.yml --syntax-check

36. What is an Ansible module?

A module is a discrete unit of code that Ansible executes on managed nodes. Modules perform specific tasks like managing packages, files, services, or users. Ansible ships with hundreds of built-in modules, and you can also write custom modules.

37. What are some commonly used Ansible modules?

• apt/yum: Package management
• copy/template: File management
• service/systemd: Service management
• user/group: User/group management
• command/shell: Running commands
• debug: Printing messages
• git: Version control operations
• lineinfile/blockinfile: File content management

38. What is the difference between the command and shell modules?

The command module executes commands directly without shell processing (no pipes, redirects, or variables), while the shell module executes commands through a shell (/bin/sh by default), allowing shell features like pipes, redirects, and variables.

39. How do you use the copy module?

The copy module copies files from the control node to managed nodes:

- name: Copy file
  copy:
    src: /path/to/local/file
    dest: /path/to/remote/file
    owner: root
    group: root
    mode: '0644'

40. How do you use the template module?

The template module uses Jinja2 templates to generate files on managed nodes:

- name: Configure from template
  template:
    src: templates/nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: '0644'

41. What is the purpose of the lineinfile module?

The lineinfile module ensures a particular line is present or absent in a file. It's useful for making single-line changes to configuration files:

- name: Ensure SELinux is set to permissive mode
  lineinfile:
    path: /etc/selinux/config
    regexp: '^SELINUX='
    line: 'SELINUX=permissive'

42. How do you install a package using Ansible?

You can use package management modules like apt (Debian/Ubuntu), yum (RHEL/CentOS), or dnf (Fedora):

- name: Install nginx
  apt:
    name: nginx
    state: present
    update_cache: yes

43. How do you manage services with Ansible?

You can use the service or systemd module to manage services:

- name: Ensure nginx is running and enabled
  service:
    name: nginx
    state: started
    enabled: yes

44. What is the difference between state: present and state: installed in package modules?

For most package modules, state: present and state: installed are synonymous - both ensure the package is installed. Some modules also support state: latest to ensure the latest version is installed.

45. How do you create a user with Ansible?

You can use the user module to manage users:

- name: Create user
  user:
    name: john
    comment: "John Doe"
    groups: wheel
    append: yes
    shell: /bin/bash
    password: "{{ 'password' | password_hash('sha512') }}"

46. What are variables in Ansible and how are they defined?

Variables in Ansible are used to store values that can be reused throughout playbooks. They can be defined in multiple places:

• In playbooks using the vars section
• In inventory files
• In separate variable files
• As facts gathered from systems
• As extra variables passed on the command line

47. What are Ansible facts and how are they used?

Facts are system information automatically discovered by Ansible about managed nodes. They include details about network interfaces, operating system, hardware, and more. Facts are gathered by the setup module and can be used in playbooks as variables.

48. How do you access variable values in Ansible?

You access variable values using Jinja2 templating syntax with double curly braces:

{{ variable_name }}

For facts, you can access them directly:

{{ ansible_facts['os_family'] }}

49. What is the difference between vars, vars_files, and vars_prompt?

• vars: Defines variables directly in a playbook
• vars_files: Includes variables from external files
• vars_prompt: Prompts users for variable values during execution

50. How do you set variables with different priorities?

Ansible has a specific variable precedence order. From lowest to highest priority:

1. Role defaults
2. Inventory variables
3. Playbook variables
4. Role variables
5. Block variables
6. Task variables
7. Extra variables (-e)

51. What is a handler in Ansible?

A handler is a special type of task that only runs when notified by another task. Handlers are typically used to restart services or perform actions when configuration changes occur.

52. How do you define and use a handler?

Handlers are defined in a handlers section and triggered using the notify directive:

tasks:
  - name: Update config file
    template:
      src: template.j2
      dest: /etc/app.conf
    notify: Restart app

handlers:
  - name: Restart app
    service:
      name: app
      state: restarted

53. How can you conditionally run a task based on a variable value?

You can use the when condition to run tasks based on variable values:

- name: Install package on Debian systems
  apt:
    name: package
    state: present
  when: ansible_facts['os_family'] == "Debian"

54. What are registered variables and how are they used?

Registered variables capture the output of a task using the register keyword. The output can then be used in subsequent tasks:

- name: Check if service is running
  command: systemctl is-active nginx
  register: nginx_status
  ignore_errors: yes

- name: Debug service status
  debug:
    var: nginx_status.stdout

55. How do you use loops in Ansible?

You can use the loop keyword to iterate over items:

- name: Install multiple packages
  apt:
    name: "{{ item }}"
    state: present
  loop:
    - nginx
    - mysql-server
    - php-fpm

56. What is the difference between with_items and loop?

with_items was the older way to create loops in Ansible, while loop is the newer, more consistent syntax introduced in Ansible 2.5. loop is now the recommended approach.

57. How do you use conditionals with loops?

You can combine when conditions with loops. The condition is evaluated for each item in the loop:

- name: Install packages only on specific systems
  apt:
    name: "{{ item }}"
    state: present
  loop:
    - nginx
    - mysql-server
  when: inventory_hostname in groups['webservers']

58. What are magic variables in Ansible?

Magic variables are special variables automatically provided by Ansible. They include:

• groups: All groups in inventory
• group_names: Groups the current host belongs to
• inventory_hostname: Current hostname as known by Ansible
• hostvars: Variables of all hosts
• ansible_version: Ansible version information

59. How do you use Jinja2 filters in Ansible?

Jinja2 filters transform variable data. They're used with the pipe (|) character:

{{ variable_name | upper }}  # Convert to uppercase
{{ list_variable | join(',') }}  # Join list with commas
{{ 'password' | password_hash('sha512') }}  # Hash a password

60. How can you disable fact gathering for performance?

You can disable fact gathering by setting gather_facts: no in your play:

- name: Play without facts
  hosts: all
  gather_facts: no
  tasks:
    - name: Task that doesn't need facts
      debug:
        msg: "No facts gathered"

61. What is an Ansible Role?

A Role is a standardized, reusable way of organizing Ansible content (tasks, handlers, variables, templates, etc.) into a structured directory format. Roles make it easy to share and reuse automation logic.

62. What is the directory structure of an Ansible Role?

A typical role directory structure includes:

role_name/
  defaults/
    main.yml
  files/
  handlers/
    main.yml
  meta/
    main.yml
  tasks/
    main.yml
  templates/
  vars/
    main.yml
  README.md

63. How do you create a new role?

You can create a new role using the ansible-galaxy command:

ansible-galaxy init role_name

This creates the standard directory structure for the role.

64. How do you use a role in a playbook?

You can include roles in a playbook using the roles keyword:

- name: Example playbook using roles
  hosts: all
  roles:
    - common
    - webserver
    - { role: database, database_type: mysql }

65. What is the difference between role variables in vars and defaults?

Variables in the defaults directory have the lowest priority and are meant to be overridden. Variables in the vars directory have higher priority and are meant for role internal variables that shouldn't be overridden.

66. What is Ansible Galaxy?

Ansible Galaxy is a hub for finding, reusing, and sharing Ansible content. It provides a platform for community-contributed roles and collections that can be easily integrated into Ansible automation workflows.

67. How do you install a role from Ansible Galaxy?

You can install roles from Galaxy using the ansible-galaxy command:

ansible-galaxy install username.role_name

Roles are typically installed to /etc/ansible/roles/ or ~/.ansible/roles/.

68. What are Ansible Collections?

Collections are a distribution format for Ansible content that can include playbooks, roles, modules, and plugins. They provide a way to package and share related automation content as a single unit.

69. How do you install and use a collection?

You can install collections using the ansible-galaxy command:

ansible-galaxy collection install namespace.collection_name

Once installed, you can reference content from the collection using its fully qualified name:

- namespace.collection_name.module_name:
    parameter: value

70. What is the difference between roles and collections?

Roles are focused on organizing tasks, handlers, and variables for specific automation scenarios. Collections are packaging format that can contain multiple roles, modules, plugins, and other content related to a specific technology or use case.

71. What is Ansible Vault?

Ansible Vault is a feature that allows you to encrypt sensitive data such as passwords, keys, and other secrets rather than storing them as plaintext in playbooks or roles.

72. How do you create an encrypted file with Ansible Vault?

You can create an encrypted file using the ansible-vault create command:

ansible-vault create secrets.yml

This will prompt you for a password and open an editor to enter the content.

73. How do you edit an existing encrypted file?

You can edit an encrypted file using the ansible-vault edit command:

ansible-vault edit secrets.yml

74. How do you use vault-encrypted files in a playbook?

You can include vault-encrypted variable files in your playbooks using vars_files or the include_vars module. When running the playbook, use the --ask-vault-pass option or provide a vault password file.

75. How can you provide the vault password non-interactively?

You can use a vault password file and reference it with the --vault-password-file option:

ansible-playbook playbook.yml --vault-password-file vault.txt

Make sure the password file is secured with appropriate permissions.

76. How do you encrypt an existing file?

You can encrypt an existing file using the ansible-vault encrypt command:

ansible-vault encrypt existing_file.yml

77. How do you decrypt a vault-encrypted file?

You can decrypt a file using the ansible-vault decrypt command:

ansible-vault decrypt secrets.yml

This will prompt for the vault password and save the decrypted content.

78. What are some best practices for using Ansible Vault?

• Use different vault passwords for different environments
• Never commit vault passwords to version control
• Use vault password files with restricted permissions
• Rotate vault passwords regularly
• Limit access to vault-encrypted files

79. How can you view the contents of an encrypted file without editing it?

You can use the ansible-vault view command:

ansible-vault view secrets.yml

This will display the decrypted content without allowing editing.

80. How do you rekey a vault-encrypted file (change the password)?

You can use the ansible-vault rekey command:

ansible-vault rekey secrets.yml

This will prompt for the current password and then for the new password.

81. What is dynamic inventory in Ansible?

Dynamic inventory is an inventory that is generated by executing a script or program, rather than being defined in a static file. This allows Ansible to automatically discover hosts from cloud providers, virtualization platforms, or other external systems.

82. How does a dynamic inventory script work?

A dynamic inventory script returns JSON data with information about hosts and groups. When executed with the --list flag, it should return all hosts and groups. With the --host flag, it should return variables for a specific host.

83. What are some common sources for dynamic inventory?

• Cloud providers (AWS, Azure, GCP)
• Virtualization platforms (VMware, OpenStack)
• Container orchestration (Kubernetes, Docker)
• Configuration management databases (CMDB)
• Custom applications or databases

84. How do you use the AWS EC2 dynamic inventory?

To use AWS EC2 dynamic inventory:

1. Install the AWS collection: ansible-galaxy collection install amazon.aws
2. Configure AWS credentials (environment variables, IAM roles, or credentials file)
3. Use the aws_ec2 inventory plugin in your inventory configuration
4. Run Ansible with the dynamic inventory: ansible-playbook -i aws_ec2.yml playbook.yml

85. What are inventory plugins?

Inventory plugins are a newer way to create dynamic inventories in Ansible. They replace the older script-based approach and provide a more consistent and maintainable way to generate inventory from various sources.

86. How do you create a custom dynamic inventory script?

To create a custom dynamic inventory script:

1. Create a script that returns JSON when called with --list and --host options
2. Make the script executable
3. Use it with Ansible: ansible-playbook -i custom_inventory.py playbook.yml

87. What is the purpose of the meta module?

The meta module allows you to execute certain 'meta' tasks that influence how Ansible behaves. Common uses include:

• meta: refresh_inventory - Refresh dynamic inventory
• meta: clear_facts - Clear gathered facts
• meta: clear_host_errors - Clear host errors
• meta: end_play - End the play for specific hosts

88. What are strategies in Ansible and how are they used?

Strategies control how Ansible executes tasks across hosts. The main strategies are:

• linear (default): Execute tasks on each host in order, waiting for all hosts to complete
• free: Execute tasks as quickly as possible without waiting for other hosts
• debug: Interactive debugging strategy

You can set the strategy in a play: strategy: free

89. What is the purpose of the async and poll parameters?

The async and poll parameters allow you to run tasks asynchronously. async sets the maximum runtime in seconds, and poll sets how often to check for completion (0 for fire-and-forget):

- name: Run long-running task
  command: /path/to/long_running_script.sh
  async: 3600
  poll: 30

90. How do you use Ansible for rolling updates?

You can perform rolling updates using the serial keyword to limit how many hosts are updated at once:

- name: Rolling update
  hosts: webservers
  serial: 2
  tasks:
    - name: Update application
      command: /opt/app/update.sh

This will update 2 hosts at a time, waiting for each batch to complete before moving to the next.

91. How do you debug Ansible playbooks?

You can debug Ansible playbooks using:

• The debug module to print variable values
• The -v, -vv, -vvv flags for increasing verbosity
• The --check flag for dry-run mode
• The --syntax-check flag for syntax validation
• The --start-at-task flag to start from a specific task

92. What are some common Ansible playbook errors and how do you fix them?

• YAML syntax errors: Check indentation and formatting
• Module parameter errors: Verify module documentation
• Permission errors: Use become/become_user for privilege escalation
• Connection errors: Check SSH configuration and network connectivity
• Variable undefined errors: Ensure variables are properly defined

93. How do you handle errors in Ansible playbooks?

You can handle errors using:

• ignore_errors: yes to continue on failure
• block, rescue, and always for structured error handling
• failed_when to define custom failure conditions
• changed_when to define custom changed conditions
• max_fail_percentage to control play failure thresholds

94. What are some Ansible best practices?

• Use roles to organize content
• Keep playbooks simple and focused
• Use meaningful names for tasks and variables
• Use vault for sensitive data
• Test playbooks with --check before running
• Use version control for all Ansible content
• Document your playbooks and roles
• Use tags for selective execution

95. How do you optimize Ansible performance?

• Use gather_facts: no when facts aren't needed
• Use the free strategy for faster execution
• Enable SSH pipelining in ansible.cfg
• Use async for long-running tasks
• Limit fact gathering with gather_subset
• Use local connections when appropriate

96. How do you test Ansible playbooks?

You can test Ansible playbooks using:

• --syntax-check for syntax validation
• --check for dry-run mode
• Molecule for role testing
• Test containers or VMs for integration testing
• Linting tools like ansible-lint

97. What is ansible-lint and how is it used?

ansible-lint is a command-line tool that checks Ansible playbooks for practices and behavior that could potentially be improved. It helps enforce best practices and identify potential issues before running playbooks.

Usage: ansible-lint playbook.yml

98. How do you manage different environments (dev, staging, prod) with Ansible?

You can manage different environments using:

• Separate inventory files for each environment
• Group variables for environment-specific settings
• Different vault passwords for each environment
• Conditionals based on environment variables
• Role parameters to customize behavior per environment

99. How do you use Ansible with CI/CD pipelines?

You can integrate Ansible with CI/CD pipelines by:

• Running playbooks as part of pipeline stages
• Using vault password files or environment variables for secrets
• Testing playbooks in pipeline validation stages
• Using dynamic inventory for cloud environments
• Implementing rolling updates for zero-downtime deployments

100. What are some security best practices for Ansible?

• Use Ansible Vault for all sensitive data
• Limit SSH access to managed nodes
• Use privilege escalation carefully
• Secure vault password files with proper permissions
• Regularly review and update playbooks for security
• Use secure protocols for connections (SSH, HTTPS)
• Limit the use of the shell module when possible