Ansible on openSUSE Tumbleweed Automation Complete Guide
By Luca Berton · Published 2024-01-01 · Category: installation
Automate openSUSE Tumbleweed (rolling release) with Ansible: zypper dup, AppArmor, firewalld, Btrfs snapshots, Snapper rollback, Podman.
openSUSE Tumbleweed is a rolling-release distribution that always carries the latest stable upstream packages — typically kernel 6.x, Python 3.13/3.14, GNOME/KDE current, OpenSSH 10.0, Podman 5.x. It pairs aggressive updates with Btrfs snapshots and Snapper rollback to keep developer and lab systems safe. This guide covers idempotent Ansible automation on Tumbleweed.
Tumbleweed release facts
| Item | Value |
|---|---|
| Type | Rolling release |
| Kernel | latest stable (~6.16+) |
| Python | 3.13/3.14 |
| Package manager | zypper |
| Update mode | zypper dup |
| Snapshot tool | Snapper (Btrfs) |
See also: Ansible on openSUSE Leap 15.6 Automation Complete Guide
Ansible-core compatibility
Use ansible-core 2.20 with ansible_python_interpreter=/usr/bin/python3.
Baseline playbook
```yaml
- name: Tumbleweed baseline
  hosts: tumbleweed
  become: true
  tasks:
    - name: Refresh repos
      community.general.zypper_repository: { repo: "*", autorefresh: true, runrefresh: true }
    - name: Distribution upgrade
      community.general.zypper:
        name: "*"
        state: dist-upgrade
        update_cache: true
    - name: Install baseline tools
      community.general.zypper:
        name: [vim, chrony, firewalld, apparmor-utils, cockpit, podman, snapper]
        state: present
    - name: Enable services
      ansible.builtin.service:
        name: "{{ item }}"
        enabled: true
        state: started
      loop: [chronyd, firewalld, cockpit.socket, snapper-timeline.timer, snapper-cleanup.timer]
```
See also: Ansible on SUSE Linux Enterprise Server 15 SP6 Automation Complete Guide
Snapshot-aware patching
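```yaml
- name: Patch with explicit pre/post snapshots
  hosts: tumbleweed
  become: true
  tasks:
    - name: Pre-update snapshot
      ansible.builtin.command: snapper create --type pre --description "Ansible pre-dup" --print-number
      register: pre
    - name: Distribution upgrade
      community.general.zypper: { name: "*", state: dist-upgrade }
    - name: Post-update snapshot linked to pre
      ansible.builtin.command: snapper create --type post --pre-number {{ pre.stdout | trim }} --description "Ansible post-dup"
    # The file lookup runs on the control node, so comparing it with the
    # managed host's kernel fact is always true. Ask zypper on the host instead:
    # exit code 102 means a reboot is required.
    - name: Check whether a reboot is required
      ansible.builtin.command: zypper needs-rebooting
      register: needs_reboot
      changed_when: false
      failed_when: needs_reboot.rc not in [0, 102]
    - name: Reboot if the update requires it
      ansible.builtin.reboot:
      when: needs_reboot.rc == 102
```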
Rollback (when an update breaks something)
```yaml
# Pass the target snapshot on the command line: -e rollback_number=<N>
- name: Rollback last snapshot
  hosts: tumbleweed
  become: true
  tasks:
    - name: List snapshots
      ansible.builtin.command: snapper list
      register: snaps
      changed_when: false
    - name: Roll back to specified snapshot
      ansible.builtin.command: snapper rollback {{ rollback_number }}
      register: rb
      # A failed rollback fails the task; a successful one changes the default subvolume
      changed_when: rb.rc == 0
    - name: Reboot
      ansible.builtin.reboot:
      when: rb.changed
```
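The rollback play registers the `snapper list` output but never uses it, and hands `rollback_number` to the command unchecked. As an added example (not from the original article), this Python helper parses that listing, finds the newest `Ansible pre-dup` snapshot that has a post partner, and rejects a `rollback_number` that does not name an existing snapshot. The table in `SAMPLE` is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `snapper list` output (not captured from a real host).
SAMPLE = """\
 # | Type   | Pre # | Date                     | User | Cleanup  | Description      | Userdata
---+--------+-------+--------------------------+------+----------+------------------+---------
0  | single |       |                          | root |          | current          |
41 | pre    |       | Mon Jan  1 03:00:01 2024 | root |          | Ansible pre-dup  |
42 | post   |    41 | Mon Jan  1 03:07:44 2024 | root |          | Ansible post-dup |
43 | single |       | Mon Jan  1 04:00:00 2024 | root | timeline | timeline         |
44 | pre    |       | Mon Jan  8 03:00:02 2024 | root |          | Ansible pre-dup  |
45*| post   |    44 | Mon Jan  8 03:09:10 2024 | root |          | Ansible post-dup |
"""


def parse_snapper_list(text):
    """Return one dict per snapshot, keyed by the table's header names."""
    rows, header = [], None
    for line in text.splitlines():
        cells = [c.strip() for c in re.split(r"[|│]", line)]
        if len(cells) < 2:
            continue  # ruler or blank line
        if header is None:
            header = cells
            continue
        row = dict(zip(header, cells))
        # Assumption: the number may carry a -, + or * marker for the active snapshot.
        row["#"] = int(row["#"].rstrip("-+*"))
        rows.append(row)
    return rows


def last_pre_dup(rows, description="Ansible pre-dup"):
    """Newest pre snapshot with this description that has a post partner."""
    paired = {int(r["Pre #"]) for r in rows if r["Type"] == "post" and r["Pre #"]}
    hits = [r["#"] for r in rows if r["Type"] == "pre"
            and r["Description"] == description and r["#"] in paired]
    return max(hits) if hits else None


def check_rollback_number(rows, value):
    """Accept only a decimal number naming an existing snapshot other than 0."""
    if not re.fullmatch(r"[1-9][0-9]*", str(value)):
        raise ValueError(f"rollback_number must be a positive integer: {value!r}")
    if int(value) not in {r["#"] for r in rows}:
        raise ValueError(f"snapshot {value} is not in the snapper list output")
    return int(value)
```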
See also: Ansible on SUSE Linux Enterprise Server 16 Automation Complete Guide
Best practices
• Always create a Snapper pre/post pair around zypper dup runs.
• Pin development tooling per project (containers, venvs) to absorb rolling churn.
• Don't run Tumbleweed for production workloads — pick SLES 15/16 or Leap.
Conclusion
Tumbleweed gives you bleeding-edge Linux backed by Btrfs snapshots. Ansible orchestrates the rolling-update workflow safely: snapshot, dup, verify, reboot, and roll back if needed.
Install Ansible on openSUSE Tumbleweed
```bash
# Install via zypper
sudo zypper install ansible
# Or via pip
sudo zypper install python3-pip
pip install --user ansible
# Verify
ansible --version
```
Managing Packages with zypper Module
```yaml
- name: Package management on Tumbleweed
  hosts: tumbleweed
  become: true
  tasks:
    - name: Install specific packages
      community.general.zypper:
        name:
          - nginx
          - python3-pip
          - git
        state: present
    - name: Remove unnecessary packages
      community.general.zypper:
        name: telnet
        state: absent
    - name: Install from specific repository
      community.general.zypper:
        name: docker
        state: present
        # Keep GPG signature verification on (this is also the module default)
        disable_gpg_check: false
```
AppArmor Management
```yaml
- name: Configure AppArmor profiles
  hosts: tumbleweed
  become: true
  tasks:
    - name: Ensure AppArmor is running
      ansible.builtin.service:
        name: apparmor
        state: started
        enabled: true
    - name: Set nginx profile to enforce mode
      ansible.builtin.command: aa-enforce /etc/apparmor.d/usr.sbin.nginx
      changed_when: false
    - name: Reload AppArmor profiles
      ansible.builtin.service:
        name: apparmor
        state: reloaded
```
Firewall Configuration with firewalld
```yaml
- name: Configure firewall on Tumbleweed
  hosts: tumbleweed
  become: true
  tasks:
    - name: Allow web traffic
      ansible.posix.firewalld:
        service: "{{ item }}"
        permanent: true
        state: enabled
        immediate: true
      loop:
        - http
        - https
    - name: Allow custom port
      ansible.posix.firewalld:
        port: 8080/tcp
        permanent: true
        state: enabled
        immediate: true
```
Automated Tumbleweed Updates with Ansible Cron
```yaml
- name: Schedule automated updates
  hosts: tumbleweed
  become: true
  tasks:
    - name: Create update script
      ansible.builtin.copy:
        dest: /usr/local/bin/auto-dup.sh
        owner: root
        group: root
        mode: "0755"
        content: |
          #!/bin/bash
          # Keep the pre-snapshot number in a variable instead of a predictable,
          # world-writable /tmp path that this root job would have to trust.
          pre=$(snapper create --type pre --description "auto-dup pre" --print-number) || exit 1
          zypper --non-interactive dup --no-recommends
          snapper create --type post --pre-number "$pre" --description "auto-dup post"
    - name: Schedule weekly update
      ansible.builtin.cron:
        name: "Tumbleweed weekly dist-upgrade"
        weekday: "0"
        hour: "3"
        minute: "0"
        job: "/usr/local/bin/auto-dup.sh >> /var/log/auto-dup.log 2>&1"
```
FAQ
Why use Ansible with a rolling release like Tumbleweed?
Tumbleweed receives daily package updates. Ansible ensures updates are applied safely with Snapper snapshots, allowing automatic rollback if something breaks.
Should I use community.general.zypper or ansible.builtin.package?
Use community.general.zypper for openSUSE-specific features like distribution upgrades (state: dist-upgrade), repository management, and pattern installation. Use ansible.builtin.package for simple install/remove tasks that should work across distributions.
How do I handle Tumbleweed kernel updates?
Always create Snapper snapshots before kernel updates and reboot after. If the new kernel has issues, use snapper rollback to revert. The playbook examples above show this pattern.
Is Tumbleweed suitable for servers?
openSUSE Tumbleweed is primarily designed for development and desktop use. For production servers, consider SUSE Linux Enterprise Server (SLES) or openSUSE Leap. However, Ansible can manage Tumbleweed servers effectively with proper snapshot-based update strategies.
Related Articles
• Ansible on openSUSE Leap 15.6 Automation
• Ansible Package Management Guide