Commands & Configuration Flashcards
Which option for the ‘ansible’ command allows one to specify an inventory file to be used?
-i
With the ‘-i’ option, one can specify a path to an inventory file or one can pass a comma separated list of hosts.
Which ansible option allows one to specify which user to use when connecting/logging-in to the hosts?
-u
The ‘-u’ option allows you to specify the remote user for the SSH connection.
Which option forces ansible to use password-based authentication when connecting to remote hosts?
When might it be necessary?
-k
The ‘-k’ option informs ansible to prompt for a password when attempting to login via SSH.
By default, ansible assumes you want to connect with SSH keys rather than by password.
Which option is used to instruct ansible which user to switch to after logging in to the remote host?
‘-b’ or ‘–become’
The ‘-b’ option can instruct ansible to effectively ‘su’ to another user after logging in to the host. This is often used to elevate to root or some account with administrative privileges.
When used without an argument, the ‘-b’ option defaults to root.
Which option for the ‘ansible’ command instructs the command to prompt for a password to use to elevate to the account specified by the ‘-b’ option?
-K
This option instructs ansible to prompt for a privilege escalation password.
Suppose you want to use ansible to create the ‘student’ user account on all hosts in the inventory. You’re going to log-in to the remote hosts as the ‘admin’ user but then elevate to root on all of the hosts. How can this be done in a one-liner?
Assume that the ‘ansible.cfg’ file doesn’t specify an inventory file.
ansible -i inventory all -u admin -k -b -K -m user -a “name=student”
The built-in ‘user’ module allows you to manage user accounts via ansible.
Suppose you wanted to enable the user ‘student’ to have permission to run all commands as all users on all hosts without needing to input a password. How would you enable this?
Add the following to ‘/etc/sudoers’ or a drop-in file in ‘/etc/sudoers.d/’
student ALL=(ALL) NOPASSWD: ALL
The first ‘ALL’ corresponds to all hosts.
The second ‘ALL’ corresponds to being able to run the relevant command as all users/groups.
The third ‘ALL’ corresponds to being able to run all commands.
The ‘NOPASSWD’ tag allows student to run all commands without giving a password.
Suppose you wanted to enable the user ‘student’ to have permission to run ‘kill’ as all users on all hosts without needing to input a password and run ‘arp’ as all users on all hosts with needing a password. How would you enable this?
Add the following to ‘/etc/sudoers’ or a drop-in file in ‘/etc/sudoers.d/’
student ALL=(ALL) NOPASSWD: /bin/kill, PASSWD: /sbin/arp
Where is the default ansible inventory stored?
/etc/ansible/hosts
An alternative inventory location can be specified in ansible.cfg
Suppose in your ansible inventory you have a group titled ‘webservers’ and you want to see the hosts that belong to this group. Which command will do this?
ansible -i inventory webservers –list-hosts
‘-i inventory’ is used to define an inventory file different than the default
Describe the following inventory file:
ansible1
ansible2
[webservers]
apache1
apache2
apache3
[databases]
pgsql1
pgsql2
[servers:children]
webservers
databases
There are 7 unique hosts being managed by the inventory.
There are 3 groups being managed. The ‘webservers’ and ‘databases’ groups are nested within the ‘servers’ group.
The hosts ‘ansible1’ and ‘ansible2’ are considered ‘ungrouped’ which means they belong to no group.
‘ungrouped’ is technically a group itself. This group refers to all hosts that belong to no group other than the built-in ‘all’ group.
Where is the ansible configuration file stored?
/etc/ansible/ansible.cfg
‘ansible –version’ will show the ‘ansible.cfg’ file being used.
Each project can have its own ‘ansible.cfg’ file. If a project-specific ‘ansible.cfg’ file is found, the main ‘/etc/ansible.ansible.cfg’ will be ignored.
Describe the following ansible.cfg file:
[defaults] inventory=inventory remote_user=ansible host_key_checking=false deprecation_warning=false [privilege_escalation] become=True become_method=sudo become_user=root become_ask_pass=False
The [defaults] section sets the default settings while the [privilege_escalation] section sets how ansible runs commands on managed hosts.
‘inventory’ defines the path to the inventory file
‘remote_user’ is the name of the user that will log in on the remote host
‘ask_pass’ specifies whether or not to prompt for a password
‘become’ indicates whether you want to automatically switch to the ‘become_user’
‘become_user’ specifies the user that ansible will change to after connecting to the remote host
‘become_method’ sets how to become the other user after connecting
What is ansible-navigator?
ansible-navigator is a command-line tool and text-based interface for creating, reviewing, running and troubleshooting different types of Ansible content.
ansible-navigator is primarily used alongside execution environments.
An execution environment is just a container image serving as an Ansible control node.
Which command can be used to list all currently available Ansible modules on a machine?
ansible-doc -l
The ‘-l’ option lists all available modules.
The ‘ansible-doc’ command is used for viewing Ansible-specific documentation.
Suppose you want to find detailed documentation on how to use the ‘ansible.builtin.shell’ module. How could you do this?
ansible-doc -t module shell
If you don’t know the name of the module, you could first list all available modules with the ‘ansible-doc -l’ command.
If you’re interested in a different plugin type, you could run the command ‘ansible-doc -t [plugin-type] -l’ instead. Then after finding the plugin name, you would run ‘ansible-doc -t [plugin-type] [plugin-name]’ to get the detailed documenation page.
The ‘-t’ option allows you to filter the documentation for specific types of plugins (the default plugin type is ‘module’)
What is the ‘requirements.yml’ file?
The ‘requirements.yml’ file lists all required collections for a project.
This file is usually found in the current project directory.
The ‘requirements.yml’ file is usually used as an argument to the ‘ansible-galaxy’ command.
What is the ‘ansible-galaxy’ command?
‘ansible-galaxy’ is used to install collections from a Galaxy server.
The default Galaxy server is ‘galaxy.ansible.com’
How can one list all installed collections with the ‘ansible-galaxy’ command?
ansible-galaxy collection list
How can one install all collections specified by the ‘requirements.yml’ file?
ansible-galaxy collection install -r requirements.yml
The -r option allows one to specify a requirements file.
How can one install the Ansible ‘my.collection’ collection while making sure that it is accessible from the execution environment?
ansible-galaxy collection install my.collection -p collections
The ‘-p’ option allows one to specify the path where collections will be placed after being downloaded.
‘-p collections’ installs collections in ‘./collection/’
Without the ‘-p’ option, the collection is installed in the default collections path which is ‘~/.ansible/collections:/usr/share/ansible/collections’
The default path for collections is specified by the ‘collections_path’ variable in the ‘ansible.cfg’ file.
The default ‘collections_path’ is not available from within the ‘ansible-navigator’ execution environment.
How does one set up ‘ansible-navigator’ on a Linux machine?
- First, ensure that the proper RedHat repository is enabled:
sudo subscription-manager repos --enable ansible-automation-platform-2.5-for-rhel-9-x86_64-rpms - Install ‘ansible-navigator’:
sudo dnf install ansible-navigator - Login to the RedHat container registry:
podman login registry.redhat.io - Pull the RedHat execution environment image:
podman pull registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest - All ‘ansible-navigator’ commands should now work!
Use RedHat developer account credentials for the registry login
The repository used in the example is just one of the many RedHat repositories containing the ‘ansible-navigator’ RPM. Additionally, the execution environment image is one of many.
’~/.ansible-navigator.yml’ can be defined to include generic settings for ‘ansible-navigator’
Like other Ansible commands, if an ‘ansible-navigator.yml’ file is found in the current project directory, this will have higher priority than the settings file found in the home directory.
How would you ping all hosts in the inventory to verify connectivity?
ansible all -m ping
What is the default module for running ad-hoc commands with the ‘ansible’ utility?
ansible.builtin.command
This means that ‘-m command’ isn’t necessary when using this module
How could you ensure that the ‘httpd’ service is running on ‘managed-node1’ ?
ansible managed-node1 -m service -a "name=httpd state=started"
How could you list the user account being used after connecting to each managed node? (without using the shell module)
ansible all -a 'whoami'
The command module is not idempotent.
‘-m command’ isn’t necessary since the command module is the default module.
The ‘ansible.builtin.command’ module doesn’t support the use of shell metacharacters (a metacharacter is a space, tab, newline, or one of the following characters: ‘|’, ‘&’, ‘;’, ‘(’, ‘)’, ‘<’, or ‘>’)
How could you verify that the ‘nginx’ package is installed on every managed host?
ansible all -m shell -a ‘rpm -qa | grep nginx’
Use of the pipe (‘|’) is supported in the ‘ansible.builtin.shell’ module
How could you copy the contents ‘Welcome!’ into the ‘message of the day’ file on each managed host?
ansible all -m copy -a ‘content=”Welcome!” dest=/etc/motd’
Why is it better to use the ‘user’ module than to use the ‘command’ module for managing users with Ansible?
The ‘command’ module is not idemptotent. The ‘user’ module is idemptotent.
The ‘command’ module should only be used when no dedicated module exists or can be found for a task.
Describe the important pieces of the following playbook:
This playbook will install/enable the ‘vsftpd’ package on the ‘ansible2’ managed node. It will then use the ‘copy’ module to add content to the ‘/var/ftp/pub/README’ file.
Lines that begin with a dash (-) are part of a YAML list. The first line (-name: deploy vsftpd) is a ‘play’ within the playbook. Each playbook can contain multiple plays and within each play there can be multiple tasks.
The first two tasks use the old, deprecated Ansible playbook syntax for specifying arguments. The final task (copy) uses the modern syntax for specifying arguments. This modern syntax conforms better with YAML syntax.
How could you run the ‘vsftpd.yml’ file using ‘ansible-navigator’ with the output being displayed similarly to running playbooks normally?
ansible-navigator run -m stdout –pp never vsftpd.yml
‘-m stdout’ will write the command output to STDOUT instead of using interactive mode.
’–pp never’ will instruct ‘ansible-navigator’ to not check for a newer version of the specified container image.
Suppose you want to instruct ‘ansible-navigator’ to not check for a new container image every time you run a playbook without having to manually specify ‘–pp never’ on the command line every time. How can you do this?
Add the following to your ‘.ansible-navigator.yml’ file:
What matters here is the “policy: missing” for pulling container images. This will tell ‘ansible-navigator’ to only pull an image if the desired one is missing.
What is the purpose of running a playbook with interactive mode in ‘ansible-navigator’ ?
Interactive mode is good for debugging. It allows you to separately view each individual play/task in a playbook.
It can be used by simply running a playbook with ‘ansible-navigator’ and not specifying ‘-m stdouot’
What is a ‘play’ in an Ansible playbook?
A ‘play’ is a series of tasks executed against selected hosts from the inventory, using specific credentials.
Using multiple plays allows running tasks on different hosts, using different credentials from the same playbook.
Each play can have its own escalation parameters defined. Some of the common ones include the following:
remote_user become become_method become_user
Where/How can variables be defined?
- Variables can be defined in playbooks
- The output of a command/task can be used as a variable via the ‘register’ keyword
- ‘vars_prompt’ can be used to ask for user input and then store that as a variable
- Variables can be specified on the command line
- Variables can be defined in include files
Include files make for the most portable playbooks as an include file can be creatd per environment, rather than hardcoding site-specific values in multiple different playbooks.
How could you define a ‘web_package’ variable with the value ‘httpd’ at the beginning of a play within a playbook?
Suppose you want to use an include file named ‘users.yml’ to define variables for a play. How could you do this?
It’s common practice to have a ‘vars’ subdirectory in your Ansible project directory for storing different include files. If the ‘var’ subdirectory exists, then it isn’t necessary to include it in the path when including a variables file.
How do you refer to a variable within a playbook after defining it? Use ‘web_package’ as an example.
Refer to a variable as: {{ web_package }}
If the variable is the first element, quotes must be used: "{{ web_package }}"
If the variable is used in a conditional, no curly braces are needed: web_package
What are host variables and how do they work?
Host variables are variables that are specific to a single host. They are defined in a YAML file that has the name of the inventory hostname and are stored in a ‘host_vars’ subdirectory within the project directory.
You can also define variables for host groups. This file should have the name of the host group and be located within the ‘group_vars’ directory in the project directory.
What are some common system variables?
hostvars: a dictionary that contains all variables applied to a specific host
inventory_hostname: inventory name of the current host
inventory_hostname_short: short host inventory name
groups: all hosts in inventory, and groups these hosts belong to
group_names: list of groups the current host is a part of
ansible_check_mode: boolean that indicates if play is in check mode
ansible_play_hosts: active hosts in the current play
ansible_version: current Ansible version
System variables are built in and cannot be used for anything else.
Suppose you want to create an encrypted host variables file for the ‘webserver01’ host.
1. Where should it be located so that ‘ansible-playbook’ automatically uses it?
2. Which command can be used to create the encrypted variables file?
3. After creating it, how can the file then be used? (Assume you want to run the ‘startup.yml’ playbook)
- The file could be located in a subdirectory (inside the base host_vars directory) named after the host in question. In this scenario that would be ‘host_vars/webserver01/vault.yml’ (the name of the variables file ultimately doesn’t matter as long as it’s inside the host_vars directory)
- ‘ansible-vault create host_vars/webserver01/vault.yml’
- ‘ansible-playbook –ask-vault-pass startup.yml’
When creating a vault file via the ‘ansible-vault create’ command, the user will be prompted for a password that will then be used to protect the vault file.
The ‘–ask-vault-pass’ option allows the ‘ansible-playbook’ command to prompt the user for the encryption password for the vault file.
Suppose you want to run the ‘startup.yml’ playbook and it requires variables from a vault protected variables file. You don’t want to input the vault password via the command line. How can you instruct Ansible to run the playbook and automatically use the ‘/root/vault-pass’ file to find the vault password?
ansible-playbook –vault-password-file=/root/vault-pass startup.yml
What could you add to a playbook to disable fact gathering?
In the play header, add the following:
gather_facts: no
Even if fact gathering is disabled, it can be enabled again by running the ‘setup’ module in a task.
Which variable contains all of the facts discovered by Ansible?
ansible_facts
Suppose you want to access a fact gathered by Ansible within a playbook. The fact is ‘address’ which is within the ‘default_ipv4’ dictionary which itself is inside the ‘ansible_facts’ dictionary. What is the preferred syntax for accessing this value?
ansible_facts[‘default_ipv4’][‘address’]
This syntax also works:
ansible_facts.default_ipv4.address
This syntax, although deprecated, works as well:
ansible_default_ipv4.address
What are custom facts in Ansible?
Custom facts, unlike host variables, are stored on the managed host. Custom facts are stored in an ‘ini’ or ‘json’ file in the ‘/etc/ansible/facts.d’ directory on the managed host.
These files must end with a ‘.fact’ extension.
Custom facts must have a ‘[label]’ to help identify the variables.
The ‘/etc/ansible/facts.d’ directory doesn’t usually exist by default on a host.
While Ansible is running, where are custom facts stored?
Custom facts are stored in the “ansible_facts[‘ansible_local’]” variable.
Suppose you want to create some custom facts on a managed host describing the Apache service/package. You want the package to be installed and the service to be enabled. This content will be placed in the ‘/etc/ansible/facts.d/localfacts.fact’ file on the managed host. What content should be in this file? (use ‘ini’ file format and use ‘apache’ as the label)
[apache]
package=httpd
package_state=installed
service=httpd
state=started
enabled=true
Suppose a host named ‘pg-01’ is expected to contain certain local variables. Which ad-hoc command can allow you to quickly view the local variables for this host?
ansible pg-01 -m setup -a “filter=ansible_local”
The ‘setup’ module is useful for verifying whether variables are available to a host. It is automatically called by other playbooks during the fact gathering phase.
What conditionals are available in Ansible?
loop: allows you to loop over a list of items
when: performs tasks only when a variable is equal to a specific value
handlers: tasks that only run when notified by other tasks
Suppose you want to create an Ansible playbook that creates the following three users:
1. anna
2. linda
3. bob
These three users should belong to the following groups, respectively:
1. wheel
2. users
3. users
How could you do this by using a loop with the ‘ansible.builtin.users’ module?
‘item’ is the variable that is automatically created per loop iteration.
Suppose you have a playbook with a list variable created named ‘supported_distros’ defined at the beginning of the play. The list contains Ubuntu, CentOS, and Fedora as values. There’s also a ‘mypackage’ variable containing the value ‘nmap.’ How could you use a ‘when’ conditional to only install ‘mypackage’ on managed hosts whose operating systems are in the ‘supported_distros’ variable?
Remember, variables used in ‘when’ conditionals don’t need to be surrounded in curly brackets or double quotes. They’re automatically considered to be in Jinja2 syntax.
What are some conditional operators available in Ansible ‘when’ statements?
Under what conditions will this package be installed?
The ‘httpd’ package will only be installed when the target host is running CentOS and when the host has less than 512 MB of memory available.
Ansible ‘when’ statements can take lists to form complex multi-conditional requirements.
Under what conditions will ‘httpd’ be removed?
‘httpd’ will be removed from a host if it is running RedHat and has less than 512 MB of memory free, or if the host is running CentOS and it has less than 1024 MB of memory available.
The ‘>’ at the beginning of the ‘when’ statement allows the following value to wrap across multiple lines.
What does this playbook do?
This playbook prompts the user for a value and then places that value in the ‘username’ variable. Next, it searches the ‘/etc/passwd’ file and prints out a debug message only when the ‘/etc/passwd’ file contains the ‘username’ for which the user is searching.
“private: no” allows the user to see their input as they type it out at the command line.
This ‘when’ statement showcases how to access fields within registered output.
Suppose you have a playbook that copies an ‘index.html’ file to an Apache project root directory. You want to create a handler named ‘restart_web’ that triggers Apache to restart only when the ‘index.html’ file is copied to the DocumentRoot. How can this be done?
To run a handler, a ‘notify’ statement with the name of the handler must be present in the main task.
Normally, handlers only execute after running all tasks in a play. However, using ‘meta: flush_handlers’ will run handlers immediately. Only handlers that have been notified by this point in the play are flushed, not all handlers.
If one of the next tasks in the play fails, handlers will not run. This can be overridden by using ‘force_handlers: True’
What are some things that can be done with the ‘ansible.builtin.meta’ module?
What are the three main sections of a ‘block’ in Ansible and what are they used for?
Blocks are best used for error handling:
- ‘block’ defines the main tasks to run
- ‘rescue’ defines tasks to run if the tasks defined in ‘block’ fail
- ‘always’ defines tasks that will always run
Describe the following Ansible ‘block’
This block will attempt to remove the ‘/var/www/html/index.html’ file.
If this removal command fails, then the ‘rescue’ section will be triggered and ‘/tmp/rescuefile’ will be created.
Then, no matter the outcome of the previous sections, the ‘always’ section will be triggered. This will log a message to the system logs and then print a debug message.
By default, Ansible aborts the rest of the play on a host if any task fails for that host. How can this behavior be bypassed?
Using ‘ignore_errors’ in a task/play will instruct Ansible to ignore errors generated and continue the play/task for that host.
If ‘ignore_errors: yes’ and ‘force_handlers: no’ are both set, then handlers will run after failing tasks.
What will the results be for the following playbook?
The first task in this playbook will always fail, however it will still continue to the debug task due to ‘ignore_errors: yes’ being set for the first task.
‘failed_when’ can be used to specify custom failure conditions for a task.
What will the results be for the following playbook?
The first task in this playbook will always fail, however it will still continue to the debug task due to ‘ignore_errors: yes’ being set for the entire play.
Additionally, the ‘fail’ module is being used to print a custom error message. The ‘fail’ task will trigger when the string ‘world’ is found in the output of the ‘echo’ command in the first task.
When using the ‘fail’ module, the failing task must have ‘ignore_errors’ set to ‘yes’
When might you want to define a custom ‘changed’ status for a task?
You may want to define custom ‘changed’ conditions for non-idempotent modules such as ‘command’ or ‘shell.’
Non-idempotent modules can only discern a difference between success and failure and cannot discern between changed/not-changed. Therefore, non-idempotent modules may falsely report ‘changed’ when in reality no change has happened.
In a playbook, what is the difference between an include and an import?
An ‘include’ is a dynamic process. Ansible processes the contents of the included files at the moment the include is reached.
An ‘import’ is a static process. Ansible preprocesses the imported file contents before the actual play is started.
Playbook imports must be defined at the beginning of the playbook, using ‘import_playbook’
You cannot trigger a handler in an imported task file from the main task file.
Describe the following playbook:
This playbook will only include the tasks in the ‘tasks/service.yaml’ file when the host OS is in the RedHat family. This include will happen dynamically, meaning that the tasks will be included only once execution reaches this ‘include_tasks’ line.
On the other hand, the ‘tasks/firewall.yaml’ file will always be imported into the playbook. Additionally, this will occur before the playbook begins executing tasks.
Both tasks are using variables that are defined in the included/imported task files.
What are some of the common built-in in modules for managing files with Ansible?
ansible.builtin.lineinfile - useful for changing a single line in a file
ansible.builtin.blockinfile - manipulates multi-line blocks of text in files
ansible.builtin.file - sets attributes to files, and can also create and remove files, symbolic links and more
ansible.builtin.stat - useful for requesting file statistics (works well when combined with registering output to a variable)
What are some of the common built-in modules for copying files with Ansible?
ansible.builtin.copy - copies a file from a local machine to a location on a manged host
ansible.builtin.fetch - used to fetch a file from a remote machine
ansible.posix.synchronize - synchronizes files ‘rsync’ style (only works if ‘rsync’ is installed on on the target hosts)
ansible.posix.patch - applies patches to files
What is the special variable ‘ansible_managed’ used for in Ansible?
‘ansible_managed’ is often used as a comment in configuration files to indicate that the file is managed by Ansible. It is commonly used in templates or tasks that generate files to ensure that users know the file is managed by Ansible and should not be modified manually.
‘ansible_managed’ is commonly defined in ‘ansible.cfg’ under the ‘[defaults]’ section.
Here is an example:ansible_managed={file} modified by Ansible on %d-%m-%Y by {uid}
Suppose you want to use a Jinja2 template named ‘vsftpd.j2’ to create the ‘/etc/vsftpd/vsftpd.conf’ file on all target hosts. How could you do this in a task?
- name: Create VSFTPD config from template
template:
src: vsftpd.j2
dest: /etc/vsftpd/vsftpd.conf
This assumes that ‘vsftpd.j2’ is located under ‘./templates/vsftpd.j2’
In Jinja2 syntax, how could you iterate over each server in the ‘db_servers’ host group?
{% for host in groups['db_servers'] %}
{{ host }}
{% endfor %}Suppose you want to loop over each host in the ‘db_servers’ group and access the IPv4 address of each host. How could you do this in Jinja2 syntax?
{% for host in groups['db_servers'] %}
{{ hostvars[host]['ansible_eth0']['ipv4']['address'] }}
{% endfor %}
Before accessing facts about a host, you have to first be sure that the facts have been populated. You can ensure this by having a previous play/task contact the server.
What is the difference between the ‘ansible.builtin.file’ module and the ‘community.general.sefcontext’ module with regard to managing SELinux?
‘ansible.builtin.file’ sets SELinux context directly on files and not in the policy.
‘community.general.sefcontext’ sets context in the SELinux policy but not to files. It’s common to then use ‘ansible.builtin.command’ to run ‘restorecon’ so that these changes are applied to the filesystem.
For current versions of RHEL, which package must be installed on managed hosts so that SELinux can be appropriately managed?
policycoreutils-python-utils
You can easily install this with the ‘ansible.builtin.yum’ module.
What are some of the most commonly used ‘magic variables’ in Ansible?
hostvars groups group_names inventory_hostname
groups is a dictionary of all groups in the inventory with each host that belongs to each group.
group_names is a list of groups to which the current host belongs.
How does Ansible know where to install roles?
Ansible uses the ‘roles_path’ setting when installing roles.
The default ‘roles_path’ will use the following order of precedence:
* A roles directory in the current project directory
* The ‘~/.ansible/roles’ directory
* ‘/etc/ansible/roles’
* ‘/usr/share/ansible/roles’
Roles will be installed to the first directory in the ‘roles_path’
‘ansible-galaxy role install -p [alternate-path]’ can be used to install roles in different locations.
How can you list all roles that are currently installed?
ansible-galaxy role list
A ‘roles/requirements.yml’ file can be used to specify roles for a specific project.
Describe the following ‘requirements.yml’ file:
The first source installs version 2 of ‘myrole’ from a Git repository.
The second source installs ‘myrole’ as ‘mytarrole’ from a file URI.
The last source installs ‘myrole’ as ‘mywebrole’ from a web location.
If a role is hosted in Git, the ‘scm: git’ attribute is required, otherwise Ansible will interpret the Git URL incorrectly.
SCM (Source Code Management)
How can tasks be specified to run before/after roles in a playbook?
Tasks specified under ‘pre_tasks:’ will run before roles while tasks specified under ‘post_tasks:’ will run after roles.
In a role, what is the difference between variables defined in the ‘defaults’ directory versus the ‘vars’ directory.
Variables in the ‘defaults’ directory in the role provide default variables that are intended to be changed in plays.
Variables in the ‘vars’ directory in the role are used for internal purposes in the role and are not intended to be overwritten in the playbook.
Suppose you want to create a custom role named ‘database’ and you want it to be stored in your current directory. How can you easily create the standard structure for a role?
ansible-galaxy init database
What’s the best way to install Ansible RHEL System Roles?
Installing the RPM is better than installing the content collection. The RPM comes with sample playbooks located in the ‘/usr/share/doc/rhel-system-roles’ directory.
dnf install rhel-system-roles
What are the main ways in which roles can be included into your playbooks?
- at the play level with the ‘roles’ option: This is the classic way of using roles in a play.
- at the tasks level with ‘ansible.builtin.include_role’: You can reuse roles dynamically anywhere in the tasks section of a play using ‘include_role’
- at the tasks level with ‘ansible.builtin.import_role’: You can reuse roles statically anywhere in the tasks section of a play using ‘import_role’
- as a dependency of another role
Suppose you have the following play header at the top of your playbook:
--- - hosts: webservers
How could you include the ‘common’ and ‘webservers’ roles at the play level?
---
- hosts: webservers
roles:
- common
- webservers
You could also use fully qualified paths:
---
- hosts: webservers
roles:
- role: '/path/to/my/roles/common'
- role: '/path/to/my/roles/webservers'
By default, running playbooks with ‘ansible-navigator run’ will create artifact files containg log information. How can you disable the creation of these log files?
Add the following to ‘ansible-navigator.yml’
ansible-navigator: playbook-artifact: enable: false
How does the ‘verbosity’ argument work in the ‘debug’ module?
‘verbosity’ allows you to set a condition for when specific ‘debug’ tasks will run. For example, if you have a ‘debug’ task with ‘verbosity: 2’ set, then the task will only execute if the playbook is executed from the command line with the ‘-vv’ option.
The number passed to ‘verbosity’ determines how many ‘-v’ options are necessary for it to run.
How can you see what would happen if you ran a playbook without actually making the changes?
You can use the ‘–check’ option with ‘ansible-playbook’ on the command line.
‘-C’ is the short form of the check option.
Modules in the playbook must support check mode for this to work. Check mode doesn’t always work well in conditionals.
Which ‘ansible-playbook’ command line option can be used to show the differences between templates and target files?
–diff
For example, if you had a playbook named ‘apache_setup.yml’ that used the ‘web_conf.j2’ template to create the ‘/etc/issue’ file, you could see the differences between the template and the current file by running the following:
ansible-playbook apache_setup.yml --check --diff
What are some Ansible modules that can be useful for troubleshooting?
The ‘uri’ module is used to check content that is returned from a specific URL.
The ‘stat’ module returns a dictionary of statistics about a specific file. These results can be registered in a variable for future testing.
The ‘assert’ module will fail with an error if a specific condition is not met.
The ‘stat’ module in Ansible returns a dictionary of file statistics. What are some of the most important fields in this dictionary?
atime: last access time of the file
isdir: true if file is a directory
exists: true if file exists
size: size in bytes
Describe the following playbook:
The playbook prompts the user for a number (representing a filesize in megabytes) and then stores that in the ‘filesize’ variable.
Next, the ‘assert’ module is used to determine whether the input provided is in between 1 and 100. If it is, then the ‘success_msg’ is displayed. If not, the ‘fail_msg’ is displayed.
Lastly, if the ‘assert’ is succesful, the file is created.
In the ‘assert’ task, the ‘filesize’ variable must be converted into an integer before being compared. The input from ‘vars_prompt’ is stored as a string by default.
Suppose you want to write an Ansible task that installs the ‘Virtualization Host’ package group. How could you do this?
To install a package group, put a ‘@’ in front of the name.
Ansible does not gather facts about packages by default. How could you instruct your playbook to gather facts about packages on managed hosts?
- name: Get information about packages
ansible.builtin.package_facts:
manager: auto
This will cause Ansible to gather package facts and store them within the ‘ansible_facts[‘packages’]’ variable.
The ‘manager’ argument is used to specify which package manager to use. The value of ‘auto’ tells the module to automatically detect the appropriate package manager to use.
Which Ansible module is used for configuring package repositories?
ansible.builtin.yum_repository
This module creates a repository file in the ‘/etc/yum.repos.d’ directory.
If the module argument ‘gpgcheck: yes’ is used, then the ‘ansible.builtin.rpm_key’ module must be used to install the GPG key.
Which command is necessary for creating custom repositories from scratch on a RedHat system?
createrepo
Install this command with ‘dnf install createrepo_c’
Which Ansible modules are commonly used for creating/managing user accounts on Linux?
Which Ansible module is used for copying the public SSH key of a user account from the local control host to the corresponding user account on a remote host?
ansible.posix.authorized_key
The public key being copied must be in a public location on the control host, where it is readable.
Which Ansible module is used to copy host keys from managed hosts to the local host?
ansible.builtin.known_hosts
This is often used to ensure that users are not prompted to verify the remote host SSH key fingerprint before connecting to the server.
What are the two common methods for generating secure passwords for user accounts via Ansible?
The ‘shell’ module can be used. Here is an example task using variables ‘password’ and ‘user’:
- name: setting user password
shell: echo {{ password }} | passwd --stdin {{ user }}
The ‘ansible.builtin.password_hash’ filter can also be used. Example:
"{{ 'testing' | password_hash('sha512') }}"
Which Ansible modules are commonly used to schedule tasks/jobs to run in the future?
‘ansible.posix.at’ is used to run a one-time job at a future time.
‘ansible.builtin.cron’ is used to run repeating jobs through the Linux cron daemon.
Describe the following playbook:
This playbook is using the ‘ansible.builtin.cron’ module to schedule a cron job to run every 2 minutes during the hours of 8 AM to 6 PM.
The ‘job’ parameter contains the actual shell commands that will be executed.
The ‘cron_file’ parameter specifies the file where the job definition will be stored. By default, a relative path will be interpreted with respect to the ‘/etc/cron.d’ directory.
What Ansible modules are available for managing storage on Linux?
‘ansible.posix.mount’ is used to mount existing filesystems.
‘community.general.parted’ is used to manage partitions.
‘community.general.lvg’ is used for managing volume groups.
‘community.general.lvol’ is used to manage logical volumes.
‘community.general.filesystem’ can be used to create filesystems on the new devices.
When setting up an Ansible managed environment, where does Python need to be installed?
Python must be installed on both the controller node and the managed nodes.
Ansible generates Python scripts from playbooks and then pushes those scripts out to managed nodes where they will execute.
Network devices are an exception, as they don’t typically have a Python interpreter installed.
What will Ansible do if no inventory file can be used?
Ansible will attempt to run the playbook and/or commands against localhost.
Suppose you want your inventory file to include the names for all servers from ‘server1.example.com’ to ‘server10.example.com’. How could you include all of these servers in the inventory file but in a single line?
server[1:10].example.com
Ansible allows you to specify ranges in inventory files.
You want to list the contents of the Ansible inventory in a readable graph format. Assume you’re just using the default inventory file. How can this be done?
ansible-inventory --graph
Suppose you want to get a quick summary of all of the available options for the Ansible ‘user’ module without having to read the entire main doc page. How can you do this?
ansible-doc -s user
‘-s’ stands for snippet.
Which option can be used in the ‘ansible.cfg’ file to change the default module used by executing ansible in ad-hoc mode?
module_name=
Suppose you want to perform a dry-run (see what would happen during a real run) of your ‘setup.yml’ playbook. How could you do this?
ansible-playbook -C setup.yml
The long option also works:
~~~
ansible-playbook –check setup.yml```
Suppose you want to run the ‘file_server.yml’ playbook. This playbook includes multiple Vault-encrypted variable files, each protected by the same password. How can you run this playbook while instructing Ansible to prompt the user for the password for the Vault-encrypted files?
ansible-playbook --vault-id @prompt file_server.yml
When no ID is specified during the created of the vault encrypted file, the default Vault ID is used. Passing --vault-id @prompt to ansible-playbook tells Ansible to prompt for a password for the default Vault ID. If you wanted to ask for a password for a specific Vault ID, you would use --vault-id <label>@prompt on the command line.
Suppose you have the following playbook:
--- - name: test register hosts: all tasks: - shell: cat /etc/passwd register: passwd_contents
How could you use the ‘debug’ module coupled with a ‘when’ conditional to check for the presence of the string ‘lisa’ in the ‘passwd_contents’ variable?
Hint: Python functions are available in Ansible.
---
- name: test register
hosts: all
tasks:
- shell: cat /etc/passwd
register: passwd_contents
- debug
msg: passwd contains users lisa
when: passwd_contents.stdout.find('lisa') != -1
This ‘debug’ task will use the Python ‘find’ function to search for the string ‘lisa’ within ‘passwd_contents.stdout’
If the Python ‘find’ function finds the string, it returns a number (a byte offset) representing the location of the beginning of the string relative to the beginning of the file.
If the string isn’t found, the function returns the integer -1
The indentation of this example is incorrect, because Brainscape cannot properly format the YAML text.
Which attribute can be used at the play and/or block level to force Ansible to halt playbook execution when a task fails?
any_errors_fatal: true
If you set any_errors_fatal and a task returns an error, Ansible finishes the fatal task on all hosts in the current batch and then stops executing the play on all hosts. Subsequent tasks and plays are not executed. You can recover from fatal errors by adding a rescue section to the block.
Which Ansible module can be used to poll a managed host, waiting for the connection to come back online?
ansible.builtin.wait_for_connection
The ‘delay’ parameter is the number of seconds to wait before starting to poll.
The ‘timeout’ parameter is the maximum number of seconds to wait for.
By default, in an attempt to prevent the control host from being overloaded, the maximum number of simultaneous connections for Ansible is set to 5. How can this setting be changed?
Suppose you want to increase it to 50.
1: In ‘ansible.cfg’ add:
forks=50
2: As a command line option to ‘ansible’ or ‘ansible-playbook’ use:
-f 50
or
--forks 50
Processing is performed on the managed host when it has a Python stack. Network devices and IoT devices often do not have Python, in which case processing is performed on the control node.
How could you list all of the configuration options available to Ansible, along with their default values?
ansible-config list
By default, Ansible runs task by task. This means that it runs the first task on all hosts, and once that is done, it proceeds to run the next task on all hosts.
Suppose you have a playbook named ‘opensearch_upgrade.yml’ with just one big play. How could you configure this playbook to execute all of the tasks on one host before moving on to the next host?
Insert the following into the play header:serial: 1
You can define how many hosts Ansible should manage at a single time using the serial keyword.
The serial keyword also takes batch sizes as a percentage of the total number of hosts being managed.
How can you set up logging for Ansible?
The ‘log_path’ parameter can be configured in the ‘ansible.cfg’ file.
Alternatively, Ansible can log to the filename that is specified by the ‘$ANSIBLE_LOG_PATH’ variable.
Suppose you want to execute an Ansible playbook task by task, being prompted for confirmation before running each task. How could you do this? Assume you want to run the ‘postgres_setup.yml’ playbook.
ansible-playbook --step postgres_setup.yml
Suppose you have a complex playbook named ‘cache_review.yml’ containing multiple plays and tasks. You want to start playbook execution specifically at the ‘gather repo info’ task. How could you do this?
ansible-playbook --start-at-task="gather repo info" cache_review.yml
How could you list all tasks that have been configured in the ‘apache_setup.yml’ playbook?
ansible-playbook --list-tasks apache_setup.yml
This will not list tasks that are included dynamically.
What are tags in an Ansible playbook?
In Ansible playbooks, tags are attributes applied to tasks (or other items such as blocks, plays, roles, imported tasks/playbooks) that allow you to selectively run specific parts of a playbook.
On the command line, you can specify tags to be executed via the ansible-playbook --tags "<tags_list>" <playbook_name> command.
Additionally, you can specify tags to not be executed via the ansible-playbook --skip-tags "<tags_list>" <playbook_name> command.
The "<tags_list>" is specified as a comma separated list of values.
What are some of the special tags available in Ansible and what do they mean?
always: makes sure a task always runs, unless specifically skipped via --skip-tags always
never: never runs a task, unless it is specifically requested
tagged: runs all tagged tasks
untagged: runs all untagged tasks
all: runs all tasks
Suppose you have a managed host named ‘web-nginx-01.example.com’ that can be reached via multiple IP addresses. You want Ansible to connect to this server via the 192.168.4.55 address. How can you ensure this behavior from Ansible?
Add the following line to the inventory file:
web-nginx-01.example.com ansible_host=192.168.4.55
Which attribute can be used on a task to ensure that it never runs in check mode?
check_mode: no
How could you update all currently installed packages to their latest version via one short Ansible task?
- ansible.builtin.dnf name: '*' state: latest
Suppose you want to set up an FTP-based repository on your local server. What are the general steps to doing this?
- Install the FTP package.
- Start and enable the FTP server.
- Open the firewall for FTP traffic.
- Make sure the FTP shared repository directory is available.
- Download packages to the repository directory.
- Use the Linux
createrepocommand to generate the index that is required in each repository.
A repository is a directory that contains RPM files, as well as the repository metadata.
The metadata is an index that allows repository clients to figure out which packages are available in the repository.
For a very basic FTP server, it’s easiest to just allow anonymous login. If you’re using VSFTPD, you can add the following line to the ‘/etc/vsftpd/vsftpd.conf’ file:anonymous_enable=YES
Suppose you are setting up a local FTP-based Yum repository. You want your RPMs to be store in the ‘/var/ftp/repo’ directory. How could you write an Ansible playbook task that downloads (not install) the Nmap RPM to this directory?
- ansible.builtin.yum
name: nmap
download_only: true
download_dir: /var/ftp/repo
The download_only argument ensures that the package is just downloaded, not installed.
To finish setting up this repository, assuming all FTP related settings are configured, you would only need to run the createrepo /var/ftp/repo command (via the Ansible ‘command’ module) to generate the repository metadata.
Suppose the ‘vsftpd’ package has been installed on a system. Next, you want to allow anonymous logins, start/enable the service and open up the firewall for FTP. How can you do this in an Ansible playbook?
Add the following three tasks:
- ansible.builtin.lineinfile:
path: /etc/vsftpd/vsftpd.conf
regexp: '^anonymous_enable=NO'
line: anonymous_enable=YES
- ansible.builtin.service:
name: vsftpd
state: started
enabled: true
- ansible.posix.firewalld:
service: ftp
state: enabled
immediate: yes
permanent: yes
Which RPM provides the createrepo command?
createrepo_c
If you forget this, you can always execute dnf whatprovides createrepo to search the repositories for the relevant RPMs.
Which RPM may need to be installed in order for certain password-related SSH things to work?
sshpass
sshpass allows you to provide the ssh password without using the prompt, which can be helpful for scripting.
Suppose you want to register your RHEL system and subscribe to the only pool to which you’re entitled. Suppose your RedHat credentials are stored in an Ansible Vault encrypted ‘rh-creds-vault.yml’ file as the following variables:
rh_username: <username> rh_password: <password>
How could you accomplish this registration/subscription in a single playbook task? (assume the vault file is already being included via ‘vars_files’ in the play header)
- community.general.redhat_subscription:
username: "{{ rh_username }}"
password: "{{ rh_password }}"
state: present
Don’t forget to run this playbook with the --ask-vault-pass option on the command line. This is necessary if no vault password file is being provided.
Suppose you want to create a user named ‘william’ who belongs to (in addtition to his default group) the ‘wheel’ and ‘students’ groups. You also want to ensure that a home directory is created for this new user account. How could you accomplish this via a playbook task?
- ansible.builtin.user:
name: william
create_home: yes
groups: wheel, students
append: yes
The ‘append’ argument is necessary to ensure that exisiting group memberships are not overwritten.
Suppose you’re using the ‘ansible.builtin.template’ module to generate a ‘sudoers’ configuration from a Jinja2 template. In this playbook task, how could you validate that correct sudoers syntax was used before copying the generated file to the final destination?
What single line could be added to this ‘template’ task?
validate: 'visudo -cf %s'
The ‘-c’ or ‘–check’ option for ‘visudo’ stands for check. By default, this instructs the command to check for syntax errors.
The ‘-f’ or ‘–file’ option specifies an alternate sudoers file location.
In the above example, the location passed to the ‘-f’ option is the ‘%s’ placeholder. The ‘validate’ argument in the ‘ansible.builtin.template’ module exposes the ‘%s’ variable as a placeholder for working with the newly generated file.
When initiating SSH connections, the SSH server first sends back an identification token that is encrypted with the server’s private key to the client. The client then uses the server’s public key fingerprint, which is stored in the ‘~/.ssh/known_hosts’ file, to verify the identification token. If no public key fingerprint was stored yet in the ‘~/.ssh/known_hosts’ file, the user is prompted to store the remote server identity in this file.
Which Ansible module is used to manage an SSH server’s public key? (in the context of Ansible managed environments, the SSH server is often the managed host)
ansible.builtin.known_hosts
After establishing the identity of remote server via the SSH server’s identification token and public key fingerprint, the SSH client can now generate an authentication token that is based on the user’s private key. When this token is sent over to the SSH server, the server will try to match it against the user’s public key which should be stored in the ‘~/.ssh/authorized_keys’ file.
Which Ansible module is used to manage a user’s public/private key pair?
ansible.posix.authorized_key
In the play header of an Ansible playbook, using the ‘lookup’ plugin, how could you create a variable named ‘file_contents’ that contains the contents of the ‘/etc/hosts’ file on the control node?
---
- name: lookup plugin demo
hosts: localhost
vars:
file_contents: "{{ lookup('file', '/etc/hosts') }}"Suppose you have a user named ‘ansible’ on all hosts. Their public SSH key has been copied over to the ‘files/ansible/id_rsa.pub’ file. In a playbook task, how could you copy their public SSH key over to the corresponding ‘~/.ssh/authorized_keys’ file on each managed host?
- ansible.posix.authorized_key:
user: ansible
state: present
key: "{{ lookup('file', 'files/ansible/id_rsa.pub) }}"
The authorized_key module cannot read files from a hidden directory, therefore the contents of the public SSH key file must be copied over to a non-hidden directory before being copied to the SSH server via this module.
On ‘localhost’ how could you generate a new user named admin, along with their SSH key pair?
---
- name: create user with SSH keys
hosts: localhost
vars:
username: admin
tasks:
- ansible.builtin.user:
name: "{{ username }}"
generate_ssh_key: trueWhich Ansible module could be used to gather facts for services managed by BSD init, upstart or systemd?
ansible.builtin.service_facts
What does the mask parameter in the systemd module do?
mask marks a systemd service in such a way that it cannot be started, not even by accident.
Ansible has no module specifically designed for managing the default Systemd target. How could you write an Ansible task to set ‘graphical.target’ as the default target?
- ansible.builtin.file:
src: /usr/lib/systemd/system/graphical.target
dest: /etc/systemd/system/default.target
state: link
The default Systemd target is detemined by the symbolic link ‘/etc/systemd/system/default.target’ pointing to the desired target unit file.
Suppose you want to define a cron job that appends the following line to the ‘/var/log/rebooted’ file upon a system reboot:
“rebooted at <date>”
How could you do this in an Ansible task?
- ansible.builtin.cron: name: "run on reboot" state: present special_time: reboot job: "echo rebooted at $(date) >> /var/log/rebooted"
Which Ansible module can be used to set additional facts (variables) during the execution of a play?
ansible.builtin.set_fact
For example, this task will search the devices on managed nodes and then set a new ‘disk2name’ variable if ‘sdb’ is detected:
- ansible.builtin.set_fact:
disk2name: sdb
when: ansible_facts['devices']['sdb'] is defined
Suppose you want to use Ansible to create a new partition on the ‘/dev/vdb’ device. It is the first partition being created on this device. It should be a GPT partition. It should leave enough space at the beginning of the disk for the required metadata. Lastly, the partition should only stretch to 2 GiB. How could you do this via an Ansible task?
- community.general.parted:
name: partition1
label: gpt
device: /dev/vdb
number: 1
state: present
part_start: 1MiB
part_end: 2GiB
Spacing is incorrect due to Brainscape. Each argument should be flush.
The ‘name’ argument is required for GPT partitions. This gives the partition a unique name.
The ‘label’ argument specifies the type of partition to be created. This is ‘msdos’ by default.
The ‘number’ argument specifies the partition number.
The ‘state: present’ argument is used to create/ensure the partition while ‘state: absent’ would delete the partition.
The ‘part_start’ argument indicates the starting position for the partition, expressed as an offset from the beginning of the device. Similarly, the ‘part_end’ argument indicates the ending point for the partition, expressed as an offset from the beginning of the device. In the above example, the partition is not created right at the very beginning of the device in order to leave enough room for the metadata.
Suppose you want to use Ansible to create a new partition on the ‘/dev/vdb’ device. This will be the second partition on the device as there already exists a 2 GiB partition. You want this second partition to be a GPT partition that takes up the remaining space on the device. The partition should be flagged as an LVM partition. How could you do this via an Ansible task?
- community.general.parted:
name: partition2
label: gpt
device: /dev/vdb
number: 2
state: present
part_start: 2 GiB
flags: [ lvm ]
Spacing is incorrect due to Brainscape. Each argument should be flush.
Leaving out the ‘part_end’ argument informs Ansible to use the default value of 100%, using up the rest of the device space.
The ‘flags’ argument sets the partition type to ‘lvm’ and is required in order to use it in logical volume groups.
Suppose you’re on a RHEL system with a ‘vgdata’ volume group and a ‘lvdata’ logical volume. What is the easiest way to refer to this logical volume?
/dev/vgdata/lvdata
Suppose you want to create a volume group named ‘vgdata’ using the ‘/dev/sdb1’ and ‘/dev/sdc1’ partitions. You want to use a physical extent size of 8 megabytes. How could you do this in an Ansible task?
- community.general.lvg:
vg: vgdata
pesize: "8"
pvs: /dev/sdb1, /dev/sdc1Suppose you have a volume group named ‘vgdata’ and you want to create the ‘lvdata’ logical volume on top of this group. You want it to take up all of the volume group space. How could you do this?
- community.general.lvol:
lv: lvdata
size: 100%FREE
vg: vgdataSuppose you have the ‘lvdata’ logical volume within the ‘vgdata’ volume group. How could you use an Ansible task to create an XFS filesystem on top of this logical volume?
- community.general.filesystem:
dev: /dev/vgdata/lvdata
fstype: xfsSuppose you have an XFS filesystem residing on the ‘/dev/vgdata/lvdata’ logical volume. How could you mount this volume on the ‘/indices’ directory via an Ansible task?
- ansible.posix.mount:
src: /dev/vgdata/lvdata
fstype: xfs
state: mounted
path: /indicesHow do you create/manage swap space via Ansible?
In Ansible, there’s no well-known module designed specifically for managing swap space, therefore the ‘ansible.builtin.command’ module is used to directly run the ‘swapon’ command.
Just make sure to format the filesystem as swap (via the ‘community.general.filesystem’ module or via the ‘mkswap’ command) before running the ‘swapon’ command.
Suppose you have hosts ‘ansible[1:3]’ in the ‘example.com’ domain. How could you structure the Ansible inventory file such that the hosts are reachable by both their short hostname and their FQDN?
ansible1 ansible_host=ansible1.example.com ansible2 ansible_host=ansible2.example.com ansible3 ansible_host=ansible3.example.com
Suppose you need to change the Python interpreter that Ansible uses for a specific playbook. How could you do this?
For this example, assume we want to use /usr/bin/python3.9
At the command line, add the following argument:
-e ansible_python_interpreter=/usr/bin/python3.9
In your playbook play header, add the following:
vars: ansible_python_interpreter: /usr/bin/python3.9
How could you access the facts/variables for an individual Ansible host? Assume the relevant host name is stored in the host variable.
hostvars[host]['ansible_facts']
Suppose you had a vault encrypted variables file titled ‘secrets.yml’ which was encrypted using the ‘prod’ Vault ID. The password used by this Vault ID to encrypt the variables file is being stored in the ‘~/ansible/.prodpass’ file. This ‘secrets.yml’ file is being included in the ‘apache_setup.yml’ playbook. How could you execute this playbook while automatically including this vault password file for the ‘prod’ ID?
ansible-playbook --vault-id prod@~/ansible/.prodpass apache_setup.yml
Suppose you want to run the ‘nginx_setup.yml’ playbook which includes two different vault encrypted files, one of them being encrypted using the ‘dev’ Vault ID while the other was encrypted using the ‘prod’ Vault ID. You don’t want to have to supply both individual Vault ID passwords every time you run the playbook. How could you edit the ‘ansible.cfg’ file to automatically include the individual vault password files for both IDs?
The password for the ‘dev’ Vault ID is located at: ~/ansible/.devpass
The password for the ‘prod’ Vault ID is located at: ~/ansible/.prodpass
Add the following line to the ‘defaults’ section of the ‘ansible.cfg’ file:
vault_identity_list=dev@~/ansible/.devpass,prod@~/ansible/.prodpass
