Ansible Playbook Dry Run - check and diff mode
How to use the check and diff mode to debug and deeply understand the action performed by your Ansible Playbook.
How to Dry Run an Ansible Playbook?
The check and diff modes are extremely useful to have a clear vision of the changes that are going to be performed on the target node. I’m going to show you a live demo with some simple Ansible code. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.
Ansible Playbook Dry Run
How to Dry Run the Ansible Playbook:
- check
- diff
command-line interface parameters
--check--diff
Ansible Task statements
check_mode: truediff: true
How to Dry Run an Ansible Playbook
Sometimes you need to deep-dive your Ansible Playbook to validate any changes on the target node.
It is useful to validate the code and have a clear vision of the single Ansible Task or Ansible Playbook outcome.
Let’s explore the two modes: check and diff that you could enable via the ansible-playbook command or the Ansible Task statements check_mode: true and diff: trueinside the Playbook code.
These modes can be used separately or together.
The check mode is just a simulation, it’s great to validate the Ansible Playbook without performing any action on the target machine.
The diff mode reports the changes made for any module that supports the diff mode.
It’s common to combine together the two modes --check --diff in order to simulate the execution and have the full reports of changes and increase the execution verbosity.
Links
The Best Resources For Ansible
Certifications
The Linux Foundation Linux Performance Tuning - Build a broad toolkit to optimize Linux performance from the kernel up
Coursera Pro - Unlimited access to 7,000+ world-class courses, hands-on projects, and job-ready certificate programs—all included in your subscription
Video Course
Printed Book
Ansible For VMware by Examples
Ansible for Kubernetes by Example
Hands-on Ansible Automation
Red Hat Ansible Automation Platform
eBooks
Ansible by Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Ansible Cookbook: A Comprehensive Guide to Unleashing the Power of Ansible via Best Practices, Troubleshooting, and Linting Rules with Luca Berton
Terraform By Example: A Practical Approach for Beginners to Learn Cloud Infrastructure with Terraform
Ansible For Windows By Examples: 50+ Automation Examples For Windows System Administrator And DevOps
Ansible For Linux by Examples: 100+ Automation Examples For Linux System Administrator and DevOps
Ansible Linux Filesystem By Examples: 40+ Automation Examples on Linux File and Directory Operation for Modern IT Infrastructure
Ansible For Security by Examples: 100+ Automation Examples to Automate Security and Verify Compliance for IT Modern Infrastructure
Ansible Tips and Tricks: 10+ Ansible Examples to Save Time and Automate More Tasks
Ansible Linux Users & Groups By Examples: 20+ Automation Examples on Linux Users and Groups Operation for Modern IT Infrastructure
Ansible For PostgreSQL by Examples: 10+ Examples To Automate Your PostgreSQL database
Ansible For Amazon Web Services AWS By Examples: 10+ Examples To Automate Your AWS Modern Infrastructure
Ansible Automation Platform By Example: A step-by-step guide for the most common user scenarios
demo
How to Dry Run the Ansible Playbook with the check and diff modes.
I’m going to show you the outcome of the check and diff modes on an Ansible Playbook with a simple task to enable the PermitRootLogin parameter in the SSH configuration file /etc/ssh/sshd_config.
code
---
- name: root login enabled
hosts: all
become: true
gather_facts: false
tasks:
- name: ssh PermitRootLogin
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: "PermitRootLogin yes"
state: present
notify: ssh restart
handlers:
- name: ssh restart
ansible.builtin.service:
name: sshd
state: restarted
before execution
Before the execution of the Ansible Playbook the PermitRootLogin is disabled in the SSH configuration file - no value.
$ ssh [email protected]
[devops@demo ~]$ sudo grep ^PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
check execution
$ ansible-playbook --check -i virtualmachines/demo/inventory edit\ single-line\ text/enable_root_login.yml
PLAY [root login enabled] *************************************************************************
TASK [ssh PermitRootLogin] ************************************************************************
changed: [demo.example.com]
RUNNING HANDLER [ssh restart] *********************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=2 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
After the execution of the Ansible Playbook with check mode, the SSH configuration file was NOT modified.
$ ssh [email protected]
[devops@demo ~]$ sudo grep ^PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
check diff execution
$ ansible-playbook --check --diff -i virtualmachines/demo/inventory edit\ single-line\ text/enable_root_login.yml
PLAY [root login enabled] *************************************************************************
TASK [ssh PermitRootLogin] ************************************************************************
--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -41,7 +41,7 @@
#LoginGraceTime 2m
#PermitRootLogin yes
-PermitRootLogin no
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
changed: [demo.example.com]
RUNNING HANDLER [ssh restart] *********************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=2 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
After the execution of the Ansible Playbook with check and diff mode, the SSH configuration file was NOT modified.
ansible-pilot $ ssh [email protected]
[devops@demo ~]$ sudo grep ^PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
diff execution
$ ansible-playbook --diff -i virtualmachines/demo/inventory edit\ single-line\ text/enable_root_login.yml
PLAY [root login enabled] *************************************************************************
TASK [ssh PermitRootLogin] ************************************************************************
--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -41,7 +41,7 @@
#LoginGraceTime 2m
#PermitRootLogin yes
-PermitRootLogin no
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
changed: [demo.example.com]
RUNNING HANDLER [ssh restart] *********************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=2 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
After the execution of the Ansible Playbook with diff mode, the SSH configuration file was modified.
ansible-pilot $ ssh [email protected]
[devops@demo ~]$ sudo grep ^PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes
Recap
Now you know how to Dry Run an Ansible Playbook using accordingly the check and diff Ansible modes.
You know how to use it based on your use case.
Academy
Learn the Ansible automation technology with some real-life examples in my
My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Donate
Want to keep this project going? Please donate
