Ansible: Inventory and configuration tips

Ansible can execute commands on Linux hosts using SSH, on Windows hosts using PowerShell, and as plain bash commands on localhost when you don't want to use a remote protocol.

We can define which protocol to use, along with other host-specific options, in the inventory file. Let's see an example:

[linux_hosts]
nginx1 ansible_host=nginx1.example.com ansible_connection=ssh

[windows_hosts]
db1 ansible_host=db1.example.com ansible_connection=winrm

[local_machine]
ansible_master ansible_host=localhost ansible_connection=local

ansible_host must point to the real hostname or IP address of the host. Hosts can also have an alias to avoid long or complicated hostnames; here nginx1 is the alias for nginx1.example.com.

ansible_connection defines the protocol to be used; winrm is for PowerShell commands.

Other inventory parameters

ansible_port = ssh: 22 / winrm: 5986

ansible_user = root/administrator

ansible_ssh_pass if you don't want to (or can't) use an SSH key

ansible_password for winrm authentication

ansible_winrm_transport (basic, CredSSP, NTLM, Kerberos, Certificate)

Windows authentication protocols

Basic is an authentication protocol for local accounts only

ansible_user: LocalUsername
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: basic

Certificate, also for local accounts, needs extra configuration

ansible_connection: winrm
ansible_winrm_cert_pem: /path/to/certificate/public/key.pem
ansible_winrm_cert_key_pem: /path/to/certificate/private/key.pem
ansible_winrm_transport: certificate

NTLM can be used for local and domain accounts, no extra configuration is needed

ansible_user: LocalUsername
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: ntlm

Kerberos is a more modern way and better suited for domains, but it needs extra configuration

ansible_user: username@MY.DOMAIN.COM
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: kerberos

CredSSP is a newer protocol both for local and domain accounts but it needs extra configuration

ansible_user: Username
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: credssp

SSH fingerprint connection error

If you use SSH, you might face a connection error when a host's fingerprint has not been added to the known_hosts file of your Ansible workstation. To tackle this, you can edit the ansible.cfg file and set host_key_checking to False in the [defaults] section, which turns off SSH host key verification for Ansible's connections.

[defaults]
host_key_checking = False
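
As an added example (not from the original article), this Python script audits an INI inventory and an ansible.cfg for the settings covered above: clear-text ansible_ssh_pass / ansible_password values, basic WinRM authentication on port 5985 (WinRM's default HTTP port, as opposed to the 5986 HTTPS port listed earlier), and host_key_checking = False. The sample files, the password values and the vault_web2_pass variable are constructed for illustration.

```python
import configparser
import shlex

# Constructed sample data (passwords, port 5985 and vault_web2_pass are made up).
SAMPLE_INVENTORY = """\
[linux_hosts]
nginx1 ansible_host=nginx1.example.com ansible_connection=ssh ansible_ssh_pass=Secret123
web2 ansible_host=web2.example.com ansible_ssh_pass="{{ vault_web2_pass }}"

[windows_hosts]
db1 ansible_host=db1.example.com ansible_connection=winrm ansible_port=5985 ansible_winrm_transport=basic ansible_password=Secret123
"""
SAMPLE_CFG = "[defaults]\nhost_key_checking = False\n"


def parse_inventory(text):
    """Yield (alias, vars) for every host line of an INI inventory."""
    section = ""
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif ":" not in section:  # skip [group:vars] and [group:children]
            alias, *pairs = shlex.split(line)
            yield alias, dict(p.split("=", 1) for p in pairs if "=" in p)


def audit(inventory_text, cfg_text):
    """Return (where, finding) tuples for the settings discussed above."""
    findings = []
    for alias, v in parse_inventory(inventory_text):
        for key in ("ansible_ssh_pass", "ansible_password"):
            # A Jinja reference (e.g. to an Ansible Vault variable) is not a literal secret.
            if key in v and "{{" not in v[key]:
                findings.append((alias, f"{key} is a clear-text password"))
        if (v.get("ansible_winrm_transport", "").lower() == "basic"
                and v.get("ansible_port") == "5985"):
            findings.append((alias, "basic auth over WinRM HTTP port 5985"))
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    if not cfg.getboolean("defaults", "host_key_checking", fallback=True):
        findings.append(("ansible.cfg", "SSH host key checking is disabled"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_INVENTORY, SAMPLE_CFG):
        print(f"{where}: {finding}")
```

Variables set in [group:vars] sections are not inspected by this script, so passwords defined there need a separate check.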