AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,100 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example" published by Apress, and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible shell Module vs command: Differences, Security & When to Use Each

By Luca Berton · Published 2024-01-01 · Category: installation

Ansible shell vs command module comparison. Key differences in shell processing, pipes, security, and when to use shell, command, or raw with practical examples.

Ready to advance your Ansible expertise? Explore Linux Administrator Job openings today!

What is the difference between command vs shell Ansible modules?

These two Ansible modules are confused one for another but they're fundamentally different. Both modules allow you to execute command on a target host but in a slightly different way. I'm Luca Berton and welcome to today's episode of Ansible Pilot.

command vs shell

command • execute commands against the target Unix-based hosts • it bypasses the shell • always set changed to True

shell • execute shell commands against the target Unix-based hosts • redirections and shell's inbuilt functionality • always set changed to True

The command and shell Ansible modules execute commands on the target node. Generally speaking, is always better to use a specialized Ansible module to execute a task. However, sometimes the only way is to execute a Linux command via command or shell module. Let me reinforce again, you should avoid as much as possible the usage of command/shell instead of a better module. Both modules execute commands on target nodes but in a sensible different way. The command modules execute commands on the target machine without using the target shell, it simply executes the command. The target shell is for example the popular bash, zsh, or sh. As a side effect user environment, variable expansions, output redirections, stringing two commands together, and other shell features are not available. On the other side, every command executed using shell module has all shell features so it could be expanded in runtime. From the security point of viewcommand module is more robust and has a more predictable outcome because it bypasses the shell. Both modules returned always changed status because Ansible is not able to predict if the execution has or has not altered the target system.

command module • Execute commands on targets

The "command" module is the default module in Ansible Ad-hoc mode. The command module is able to execute only the binaries on remote hosts. The command module won't be impacted by local shell variables because it bypasses the shell. At the same time, it may not be able to run "shell" built-in features and redirections.

shell module • Execute shell commands on targets

The shell Ansible module is potentially more dangerous than the command module and should only be used when you actually really need the shell functionality. So if you're not stringing two commands together (using pipes or even just && or ;), you don't really need the shell module. Similarly, expanding shell variables or file global requires the shell module. If you're not using these features, don't use the shell module. Sometimes it's the only way, I know.

Linksansible.builtin.shellansible.builtin.command

## Playbook The command vs shell Ansible modules in Ansible Playbook. Let me show you the difference between command vs shell Ansible modules in an Ansible Playbook.

command code

command execution

shell execution

wrong module code

wrong module execution

Conclusion

Now you know the difference between command vs shell Ansible modules and their use case. You know how to use it based on your use case.

Key Difference

When to Use command

When to Use shell

Security Comparison

Idempotency

raw Module (SSH Only)

Comparison Table

| Feature | command | shell | raw | |---------|---------|-------|-----| | Pipes | ❌ | ✅ | ✅ | | Redirects | ❌ | ✅ | ✅ | | Wildcards | ❌ | ✅ | ✅ | | Env vars ($HOME) | ❌ | ✅ | ✅ | | Shell injection safe | ✅ | ❌ | ❌ | | Needs Python | ✅ | ✅ | ❌ | | creates/removes | ✅ | ✅ | ❌ | | chdir | ✅ | ✅ | ❌ | | stdin | ✅ | ✅ | ❌ |

Best Practices

FAQ

Why does command fail with pipes?

command bypasses the shell entirely — it calls the executable directly. Pipes (|) are a shell feature. Use shell for pipes.

Can I specify which shell to use?

script module vs shell?

script copies a local script to the remote host and executes it. shell runs inline commands. Use script for complex multi-line scripts stored as files.

Related ArticlesAnsible Inventory Guide

Category: installation

Watch the video: Ansible shell Module vs command: Differences, Security & When to Use Each — Video Tutorial

Browse all Ansible tutorials · AnsiblePilot Home