Ansible on AlmaLinux 9 Automation Complete Guide
By Luca Berton · Published 2024-01-01 · Category: installation
Automate AlmaLinux 9 (Turquoise Kodkod) servers with Ansible: dnf, ELevate migration, SELinux, firewalld, Podman, kernel live patching.
AlmaLinux 9 (Turquoise Kodkod) is a community-driven RHEL 9 rebuild produced by the AlmaLinux OS Foundation. It tracks RHEL 9.x ABI and is supported through May 2032. AlmaLinux additionally backports critical fixes for hardware that Red Hat has dropped from RHEL 9 (the Application Binary Compatibility model). This is the master Ansible guide for AlmaLinux 9.
AlmaLinux 9 release facts
| Item | Value |
|---|---|
| Code name | Turquoise Kodkod |
| GA | 2022-05-26 |
| Support end | 2032-05-31 |
| Default kernel | 5.14 |
| Default Python | 3.9 |
Ansible-core compatibility
Use ansible-core 2.18 LTS.
Baseline playbook
```yaml
- name: AlmaLinux 9 baseline
  hosts: alma9
  become: true
  tasks:
    - name: Update packages
      ansible.builtin.dnf: { name: "*", state: latest, update_cache: true }

    - name: Enable EPEL
      ansible.builtin.dnf: { name: epel-release, state: present }

    - name: Install baseline tools
      ansible.builtin.dnf:
        name: [vim-enhanced, chrony, firewalld, policycoreutils-python-utils, podman, cockpit]
        state: present

    # cockpit.socket exposes the Cockpit web console on TCP 9090
    - name: Enable services
      ansible.builtin.service:
        name: "{{ item }}"
        enabled: true
        state: started
      loop: [chronyd, firewalld, cockpit.socket]

    # ansible.posix.selinux comes from the ansible.posix collection
    - name: SELinux enforcing
      ansible.posix.selinux: { policy: targeted, state: enforcing }
```
ELevate migration (CentOS 7 -> AlmaLinux 9)
The AlmaLinux ELevate project migrates major versions across RHEL forks (CentOS 7 -> 8/9). Drive it from Ansible:
```yaml
- name: Migrate CentOS 7 to AlmaLinux 9 with ELevate
  hosts: centos7
  become: true
  tasks:
    # CentOS 7 ships yum rather than dnf, so the yum module is used here
    - name: Add ELevate repo
      ansible.builtin.yum:
        name: "https://repo.almalinux.org/elevate/elevate-release-latest-el7.noarch.rpm"
        state: present
        # Skips RPM signature verification; HTTPS is the only integrity check on this package
        disable_gpg_check: true

    - name: Install leapp + AlmaLinux migration data
      ansible.builtin.yum:
        name: [leapp-upgrade, leapp-data-almalinux]
        state: present

    - name: Run preupgrade
      ansible.builtin.command: leapp preupgrade
      register: pre
      changed_when: false

    - name: Run upgrade (will reboot through several stages)
      ansible.builtin.command: leapp upgrade
      async: 7200
      poll: 0
```
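The play above installs the ELevate release RPM with signature checking disabled. The following is an added example, not part of the original guide, that pins the RPM to a digest you reviewed out of band and refuses to start without a confirmed snapshot. The variables `elevate_rpm_sha256`, `elevate_rpm_path` and `snapshot_confirmed` are hypothetical names, and the digest value is a placeholder you must fill in.

```yaml
- name: ELevate pre-flight with a digest-pinned release RPM
  hosts: centos7
  become: true
  vars:
    elevate_rpm_url: "https://repo.almalinux.org/elevate/elevate-release-latest-el7.noarch.rpm"
    # Placeholder: SHA-256 of the RPM you reviewed out of band
    elevate_rpm_sha256: "REPLACE_WITH_REVIEWED_SHA256"
    # Hypothetical staging path on the target
    elevate_rpm_path: /var/tmp/elevate-release-el7.noarch.rpm
    # Hypothetical switch: pass -e snapshot_confirmed=true once a snapshot or backup exists
    snapshot_confirmed: false
  tasks:
    - name: Refuse to continue without a confirmed snapshot
      ansible.builtin.assert:
        that: snapshot_confirmed | bool
        fail_msg: "ELevate is one-way; take a snapshot, then rerun with -e snapshot_confirmed=true"

    # get_url fails the task if the downloaded file does not match the pinned digest,
    # so a changed "latest" RPM stops the play until it has been reviewed again
    - name: Download release RPM and verify its digest
      ansible.builtin.get_url:
        url: "{{ elevate_rpm_url }}"
        dest: "{{ elevate_rpm_path }}"
        checksum: "sha256:{{ elevate_rpm_sha256 }}"
        mode: "0644"

    - name: Install the digest-verified file
      ansible.builtin.yum:
        name: "{{ elevate_rpm_path }}"
        state: present
        # Signature check is skipped for this one file only; its integrity
        # was established by the pinned digest in the previous task
        disable_gpg_check: true

    # No disable_gpg_check here, so the repository's own gpgcheck setting applies
    - name: Install leapp and AlmaLinux migration data
      ansible.builtin.yum:
        name: [leapp-upgrade, leapp-data-almalinux]
        state: present
```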
Kernel live patching with kpatch
```yaml
- name: Subscribe to AlmaLinux kpatch
  hosts: alma9
  become: true
  tasks:
    - name: Install kpatch
      ansible.builtin.dnf: { name: [kpatch, kpatch-dnf], state: present }

    - name: Auto subscribe
      ansible.builtin.command: dnf kpatch auto
```
Best practices
• ELevate is one-way; always snapshot or back up before running.
• Mirror AlmaLinux repos in your local Satellite/Pulp for air-gapped sites.
• Pair dnf-automatic with Ansible-driven reboots for predictable patching.
Conclusion
AlmaLinux 9 is a binary-compatible RHEL 9 alternative with strong community governance and the unique ELevate migration path. Existing RHEL/CentOS Ansible playbooks run unchanged.
Installing Ansible on AlmaLinux 9
```bash
# Enable EPEL repository
sudo dnf install epel-release -y

# Install Ansible
sudo dnf install ansible-core -y

# Or install via pip
pip3 install ansible --user

# Verify installation
ansible --version
```
DNF Package Management
```yaml
- name: Manage AlmaLinux 9 server
  hosts: almalinux
  become: true
  tasks:
    - name: Install essential packages
      ansible.builtin.dnf:
        name:
          - vim-enhanced
          - git
          - htop
          - wget
          - curl
          - bash-completion
          - firewalld
        state: present

    - name: Enable CRB repository
      ansible.builtin.command: dnf config-manager --set-enabled crb
      changed_when: true

    - name: Install EPEL
      ansible.builtin.dnf:
        name: epel-release
        state: present
```
Security Hardening
```yaml
- name: Configure firewalld
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - ssh
    - http
    - https

- name: Set SELinux to enforcing
  ansible.posix.selinux:
    policy: targeted
    state: enforcing

- name: Configure automatic security updates
  ansible.builtin.dnf:
    name: dnf-automatic
    state: present

- name: Enable automatic updates timer
  ansible.builtin.systemd:
    name: dnf-automatic-install.timer
    state: started
    enabled: true
```
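The tasks above set the desired state but never check what the host actually ended up with. The following is an added example, not part of the original guide, that limits dnf-automatic to security errata through `upgrade_type` in `/etc/dnf/automatic.conf` and then fails the play if SELinux is not enforcing at runtime or firewalld exposes a service outside an allow-list. The `allowed_services` variable is a hypothetical name and its contents are an assumption taken from the services enabled above.

```yaml
- name: Verify hardening state on AlmaLinux 9
  hosts: almalinux
  become: true
  vars:
    # Assumption: the only services this fleet may expose in the default zone
    allowed_services: [ssh, http, https]
  tasks:
    # Replaces an existing upgrade_type line, or adds one under [commands]
    - name: Restrict dnf-automatic to security errata
      ansible.builtin.lineinfile:
        path: /etc/dnf/automatic.conf
        regexp: '^upgrade_type\s*='
        line: upgrade_type = security
        insertafter: '^\[commands\]'

    - name: Read services open in the default firewalld zone
      ansible.builtin.command: firewall-cmd --list-services
      register: fw_services
      changed_when: false

    # getenforce reports the running mode, which can differ from the
    # configured mode until the next reboot
    - name: Read runtime SELinux mode
      ansible.builtin.command: getenforce
      register: selinux_mode
      changed_when: false

    - name: Fail on drift from the intended state
      ansible.builtin.assert:
        that:
          - selinux_mode.stdout == 'Enforcing'
          - fw_services.stdout.split() | difference(allowed_services) | length == 0
        fail_msg: >-
          SELinux runtime mode is {{ selinux_mode.stdout }};
          unexpected firewalld services:
          {{ fw_services.stdout.split() | difference(allowed_services) }}
```

Services that a zone enables by default are reported as unexpected until they are either removed from the zone or added to the allow-list deliberately.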
User Management
```yaml
- name: Create admin user
  ansible.builtin.user:
    name: "{{ item.name }}"
    groups: wheel
    append: true
    shell: /bin/bash
    state: present
  loop: "{{ vault_admin_users }}"

- name: Deploy SSH authorized keys
  ansible.posix.authorized_key:
    user: "{{ item.name }}"
    key: "{{ item.ssh_key }}"
  loop: "{{ vault_admin_users }}"
```
FAQ
Is AlmaLinux 9 compatible with RHEL 9 Ansible playbooks?
Yes. AlmaLinux 9 is binary-compatible with RHEL 9. Playbooks written for RHEL 9 work on AlmaLinux 9 without modification.
Should I use EPEL or pip to install Ansible?
EPEL provides ansible-core, which is maintained by the Fedora/EPEL community. Use pip if you need a newer version or want to install in a virtual environment.
How do I migrate from CentOS 8 to AlmaLinux 9?
Use the almalinux-deploy tool for in-place migration from CentOS 8 to AlmaLinux 8, then upgrade to AlmaLinux 9. Ansible can automate pre/post migration checks.