Ansible – Protecting Sensitive Data

Ansible automation routinely requires sensitive values. Ansible Vault provides a way to encrypt, decrypt and manage sensitive data such as passwords, certificates, keys and API tokens, so that these values can live next to the playbooks in version control without being readable in the clear.

Encrypt the File

Step 1: Create the YAML file named prod.yaml

    ansible-vault create prod.yaml

Step 2: After running the command, the terminal prompts for the password that will be used to encrypt the file. Choose a strong password and keep it out of the repository that holds the playbooks; anyone who obtains it can decrypt every file protected with it.

    New Vault Password:
    Confirm New Vault Password:

Step 3: Ansible opens the system editor (the one named by $EDITOR) so you can define the values that should be encrypted.

    Username: Secret-Information-1
    Password: Secret-Information-2

Step 4: On save, Ansible encrypts the content and writes the ciphertext to disk. The first line identifies the format version and cipher; the remaining lines are a hex-encoded payload carrying the salt, an HMAC and the ciphertext.

    $ANSIBLE_VAULT;1.1;AES256
    xxxxxxxxxxxxxxxxxxxxxx
    yyyyyyyyyyyyyyyyyyyyyy

The file is now encrypted!

Decrypt the File

Run the following command to confirm that Ansible can decrypt the variable definition file and inject its values into the playbook. Decryption happens in memory on the control node at run time; the file on disk stays encrypted (ansible-vault decrypt prod.yaml would rewrite it as plaintext, which is rarely what you want).

    ansible-playbook -i inventory --extra-vars "@prod.yaml" --ask-vault-pass playbook-enc.yaml

For unattended runs, replace --ask-vault-pass with --vault-password-file or --vault-id, and keep that password file outside version control, readable only by the account that runs Ansible.

The output of the playbook will show the decrypted content applied on the managed host. Keep in mind that any task that prints or logs a vaulted variable exposes it: set no_log: true on such tasks so the value does not end up in console output or log files.
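To make the "xxxx/yyyy" lines from Step 4 concrete, the following is an added example (written for this page, not code from Ansible or from the study guide it cites) that parses an Ansible Vault AES256 envelope and performs the password check the way ansible-playbook does before it decrypts anything. It uses only the Python standard library, so the AES-256-CTR decryption step is not shown; the sample salt and ciphertext bytes are constructed placeholders rather than real ansible-vault output, and the password and the "prod" vault id are assumed values. What it demonstrates is the on-disk layout (header line, 80-column hex body that decodes to three more hex strings), the PBKDF2 key schedule, and that a wrong password or a modified file fails the HMAC check rather than yielding garbage plaintext.

```python
"""Parse and authenticate an Ansible Vault AES256 envelope (format 1.1/1.2).

Added example, standard library only. It reproduces the layout ansible-vault writes
(header line, then one hex string wrapped at 80 columns that decodes to
"hex(salt)\nhex(hmac)\nhex(ciphertext)") and the key schedule (PBKDF2-HMAC-SHA256,
10000 iterations, 80 bytes = AES key | HMAC key | CTR IV). The sample ciphertext is a
constructed placeholder, not real AES-256-CTR output, so this stops at the HMAC check.
"""
import binascii
import hashlib
import hmac

HEADER = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000  # fixed by the format; changing it breaks compatibility
KEY_LEN = 32               # AES-256 key (key1) and HMAC-SHA256 key (key2)
IV_LEN = 16                # AES block size, used as the CTR IV
WRAP = 80                  # ansible-vault wraps the hex body at 80 columns


def derive_keys(password: bytes, salt: bytes):
    """Return (aes_key, hmac_key, iv) in the order ansible-vault slices them."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS,
                                  dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def parse_envelope(text: str):
    """Split a vault file into (version, vault_id, salt, mac, ciphertext)."""
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[0] != HEADER or fields[2] != "AES256":
        raise ValueError("not an ansible-vault AES256 envelope")
    version = fields[1]
    vault_id = fields[3] if version == "1.2" and len(fields) > 3 else None
    inner = binascii.unhexlify("".join(lines[1:]))      # undo the outer hex layer
    salt_hex, mac_hex, ct_hex = inner.split(b"\n", 2)   # three hex strings inside
    return (version, vault_id, binascii.unhexlify(salt_hex),
            binascii.unhexlify(mac_hex), binascii.unhexlify(ct_hex))


def verify(text: str, password: bytes) -> bool:
    """True only if HMAC-SHA256(key2, ciphertext) matches, compared in constant time.

    ansible-playbook performs this check before any plaintext exists, which is why a
    wrong password or an edited file is rejected instead of decrypted to junk.
    """
    _, _, salt, mac, ciphertext = parse_envelope(text)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def _assemble(header: str, salt: bytes, mac: bytes, ciphertext: bytes) -> str:
    """Lay out header + double-hex body with 80-column wrapping."""
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    outer = binascii.hexlify(inner).decode()
    body = [outer[i:i + WRAP] for i in range(0, len(outer), WRAP)]
    return "\n".join([header] + body) + "\n"


def build_envelope(password: bytes, ciphertext: bytes, salt: bytes, vault_id=None) -> str:
    """Wrap an already-encrypted payload the way ansible-vault would (layout only).

    ansible-vault draws a fresh 32-byte salt from os.urandom for every encryption;
    the caller supplies one here so the sample is reproducible.
    """
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    header = f"{HEADER};1.2;AES256;{vault_id}" if vault_id else f"{HEADER};1.1;AES256"
    return _assemble(header, salt, mac, ciphertext)


def tamper(text: str) -> str:
    """Flip one ciphertext bit and re-wrap with the original MAC (an attacker's edit)."""
    _, _, salt, mac, ct = parse_envelope(text)
    ct = bytes([ct[0] ^ 0x01]) + ct[1:]
    return _assemble(text.splitlines()[0], salt, mac, ct)


# Constructed sample (not produced by ansible-vault): fixed salt, placeholder ciphertext.
SAMPLE_PASSWORD = b"correct horse battery staple"   # assumed vault password
SAMPLE_SALT = bytes(range(32))
SAMPLE_CIPHERTEXT = b"\x10" * 32
SAMPLE_VAULT = build_envelope(SAMPLE_PASSWORD, SAMPLE_CIPHERTEXT, SAMPLE_SALT, vault_id="prod")

if __name__ == "__main__":
    print(SAMPLE_VAULT)
    print("right password:", verify(SAMPLE_VAULT, SAMPLE_PASSWORD))
    print("wrong password:", verify(SAMPLE_VAULT, b"hunter2"))
    print("tampered file: ", verify(tamper(SAMPLE_VAULT), SAMPLE_PASSWORD))
```

The 1.2 header with a trailing label is what you get when the file was created with --vault-id prod@prompt; ansible-playbook uses that label to pick the matching secret when several --vault-id options are given. Because the MAC is keyed from the same password as the cipher key, an attacker who can edit the file but does not know the password cannot produce a payload that passes verify().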

References:

• Red Hat Certified Engineer (RHCE) Ansible Automation Study Guide (Alexc Soto Bueno)

Ansible Execution Strategies

Ansible execution is versatile enough that you can change how and when tasks are executed. The settings can be made globally in ansible.cfg or at the play level. The number of parallel worker processes is set by forks (the default is 5); the strategy decides how those workers move through the task list.

linear (the default)
Each task is executed against the hosts, forks at a time, until it has completed on every host in the batch; only then does the next task start. No host runs ahead of the others, which is what most plays implicitly assume.

At ansible.cfg:

    [defaults]
    strategy = linear
    forks = 10

Or at play level:

    - name: web servers
      hosts: webservers
      strategy: linear

debug
Task execution follows the linear strategy, but is controlled by an interactive debugger session on the control node, where a failed task can be inspected and re-run.

At ansible.cfg:

    [defaults]
    strategy = debug
    forks = 10

Or at play level:

    - name: web servers
      hosts: webservers
      strategy: debug

free
Ansible does not wait for the other hosts to finish the current task before handing a ready host its next task, so hosts that have already completed are never blocked. The trade-off is that hosts can be several tasks apart at any moment, so a task must not rely on another host having reached the same point.

At ansible.cfg:

    [defaults]
    strategy = free
    forks = 10

Or at play level:

    - name: web servers
      hosts: webservers
      strategy: free

Rolling Update Strategies

forks is bounded by the control node's hardware: the more processing resources it has, the higher forks can be set. There are occasions, though, where the number of parallel executions is dictated by the application rather than by hardware. For a rolling update of your web servers, use the "serial" keyword to say how many hosts should be updated at a time; that way you never take the whole tier down at once. forks still limits concurrency inside a batch, so with serial: 2 and forks: 10 only two hosts are ever in progress.

serial
Execute the whole play on one batch of hosts before moving to the next batch. The value can be an absolute number or a percentage; serial is a play keyword, not an ansible.cfg setting.

    - name: Serial Example
      hosts: webservers
      serial: "50%"

      tasks:
        - name: First task
          ansible.builtin.debug:   # placeholder; the original page stops at the task name
            msg: "updating {{ inventory_hostname }}"
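How many hosts does "50%" actually put into a batch when the group has five members, and what happens with a serial list such as [1, "50%"]? The following is an added example (written for this page, not Ansible's own code) that mirrors the batching rules ansible-playbook applies: a percentage is taken of the total host count and rounded down, but never below one host; a list of values is consumed in order and the last value is reused until every host is scheduled; 0, a negative number or no serial at all means one batch with everything. It goes a little beyond the page by also modelling the documented max_fail_percentage rule (the percentage must be exceeded, not merely reached) and the default of aborting only when an entire batch fails. The host names are a constructed inventory.

```python
"""Work out the host batches ansible-playbook builds for a play's `serial` value.

Added example mirroring Ansible's batching behaviour (not its source): percentages
are taken of the total host count and rounded down to no less than 1; a list of
values is consumed in order with the last one repeated; <= 0 or no serial means a
single batch. play_should_abort() follows the documented max_fail_percentage rule.
"""
from typing import List, Optional, Sequence, Union

SerialValue = Union[int, str]


def pct_to_int(value: SerialValue, num_items: int, min_value: int = 1) -> int:
    """'25%' of 5 hosts -> int(1.25) = 1; '10%' of 5 hosts -> 0, raised to min_value."""
    if isinstance(value, str) and value.endswith("%"):
        pct = int(value.rstrip("%"))
        return int((pct / 100.0) * num_items) or min_value
    return int(value)


def serialized_batches(hosts: Sequence[str],
                       serial: Union[SerialValue, Sequence[SerialValue], None]) -> List[List[str]]:
    """Return the ordered batches; each batch runs the whole play before the next starts."""
    remaining = list(hosts)
    total = len(remaining)                     # percentages are relative to the full group
    if serial is None:
        values: List[SerialValue] = [-1]
    elif isinstance(serial, (int, str)):
        values = [serial]
    else:
        values = list(serial) or [-1]

    batches: List[List[str]] = []
    cur = 0
    while remaining:
        size = pct_to_int(values[cur], total)
        if size <= 0:                          # "everything that is left" in one batch
            batches.append(remaining)
            break
        batches.append([remaining.pop(0) for _ in range(min(size, len(remaining)))])
        cur = min(cur + 1, len(values) - 1)    # stay on the last value once the list is used up
    return batches


def play_should_abort(batch_size: int, failed: int,
                      max_fail_percentage: Optional[float] = None) -> bool:
    """Decide whether the play stops after a batch with `failed` failed/unreachable hosts."""
    if max_fail_percentage is None:
        return failed == batch_size            # default: only a completely failed batch aborts
    return (failed * 100.0) / batch_size > max_fail_percentage   # exceeded, not equalled


if __name__ == "__main__":
    webservers = ["web1", "web2", "web3", "web4", "web5"]   # constructed inventory
    for serial in ("50%", 2, [1, "50%"], "10%", None):
        print(f"serial={serial!r:12} -> {serialized_batches(webservers, serial)}")
    # two of four hosts failed: max_fail_percentage 50 lets the play continue, 49 stops it
    print(play_should_abort(4, 2, 50), play_should_abort(4, 2, 49))
```

The practical consequence for a rolling update: "50%" of five web servers is two, two and then one host, so plan capacity for the largest batch, not the average; and a percentage small enough to round to zero still takes one host at a time rather than zero. If you want the play to stop as soon as half of a four-host batch fails, set max_fail_percentage to 49.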

References:

• Red Hat Certified Engineer (RHCE) Ansible Automation Study Guide (Alexc Soto Bueno)

Ansible-Playbook Commonly Used Optional Arguments

These are commonly used ansible-playbook optional arguments.

-i INVENTORY, --inventory INVENTORY
    Specify the inventory host path or a comma-separated host list

-b, --become
    Run operations with become (does not imply password prompting); uses the configured privilege escalation method such as sudo, dzdo or runas

-K, --ask-become-pass
    Ask for the privilege escalation password

--become-method BECOME_METHOD
    Privilege escalation method to use (default: sudo)

--become-password-file BECOME_PASSWORD_FILE
    Read the privilege escalation password from a file

--become-user BECOME_USER
    Run the operation as this user (default: root)

-f FORKS, --forks FORKS
    Number of parallel processes to use (default: 5)

-e EXTRA_VARS, --extra-vars EXTRA_VARS
    Additional variables as key=value or YAML/JSON; to load a file of variables, prefix the filename with @

-t TAGS, --tags TAGS
    Only run plays and tasks tagged with these values

--ask-vault-password, --ask-vault-pass
    Ask for the vault password interactively

--vault-password-file VAULT_PASSWORD_FILE, --vault-pass-file VAULT_PASSWORD_FILE
    Read the vault password from a file (or from an executable that prints it), for unattended runs

--vault-id VAULT_ID
    Vault identity to use, in the form label@source, when several vault passwords are in play

-C, --check
    Do not make any changes; report what would have changed

-D, --diff
    When changing files or templates, show the differences

References:

• Red Hat Certified Engineer (RHCE) Ansible Automation Study Guide (Alexc Soto Bueno)