Ansible Pilot

Three options to Safely Limit Ansible Playbooks Execution to a Single Machine

Three options to limit the execution of a potentially harmful Ansible Playbook to only one host.

March 31, 2022


Today we’re going to talk about the three options to limit the execution of a potentially harmful Ansible Playbook to only one host. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.

Limit Ansible Playbook to only one HOSTNAME

Let’s dive into our use case: limiting an Ansible Playbook to only one HOSTNAME. I’m going to show three different ways to achieve this result: using the --limit parameter at runtime, limiting the HOSTNAME in the Playbook code, and, the most advanced way, defining a variable in the Ansible Playbook that you populate on demand. Let’s discuss the pros and cons of each option.


demo

In the following demo scenarios, I’d like to execute my harmful Ansible Playbook ONLY against demo.example.com host. This is my demo inventory file:

[linux]
demo.example.com
demo2.example.com
[all:vars]
ansible_connection=ssh
ansible_user=devops
ansible_ssh_private_key_file=~/.ssh/id_rsa

Ansible command limit option

Using the --limit parameter of the ansible-playbook command is the easiest option to limit the execution of the code to only one host. The advantage is that you don’t need to edit the Ansible Playbook code before executing it against only one host. The drawback is that you have to remember the parameter every time you execute the command, and sometimes humans are not so reliable.

code

---
- name: harmful playbook
  hosts: all
  tasks:
    - name: harmful task
      ansible.builtin.debug:
        msg: "harmful task"

execution

ansible-pilot $ ansible-playbook --limit demo.example.com -i limit/inventory limit/playbook.yml
PLAY [harmful playbook] ***************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [harmful task] *******************************************************************************
ok: [demo.example.com] => {
    "msg": "harmful task"
}
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

wrong execution

If we forget the --limit option, the result could be very harmful: the playbook runs against every host in the inventory.

ansible-pilot $ ansible-playbook -i limit/inventory limit/playbook.yml
PLAY [harmful playbook] ***************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
ok: [demo2.example.com]
TASK [harmful task] *******************************************************************************
ok: [demo.example.com] => {
    "msg": "harmful task"
}
ok: [demo2.example.com] => {
    "msg": "harmful task"
}
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
demo2.example.com          : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

Ansible Playbook hosts

Using the hosts statement in the Ansible Playbook allows you to specify a host or a group of hosts for the execution. The advantage is that it is more reliable than manually specifying the hostname with the --limit parameter on the command line. The drawback is that you need to remember to edit the Ansible Playbook code every time. If you don’t, you’re going to execute the code on the host specified in the file, so there is still a potential manual issue.

code

---
- name: harmful playbook
  hosts: demo.example.com
  tasks:
    - name: harmful task
      ansible.builtin.debug:
        msg: "harmful task"

execution

ansible-pilot $ ansible-playbook -i limit/inventory limit/playbook2.yml
PLAY [harmful playbook] ***************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [harmful task] *******************************************************************************
ok: [demo.example.com] => {
    "msg": "harmful task"
}
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

Ansible Playbook hosts advanced

The hosts statement in the Ansible Playbook also accepts a variable that you populate with a host or a group of hosts for the execution. Basically, if you blindly execute the Ansible Playbook code on the command line, it does nothing. The only way to proceed is to populate the host variable via an extra variable on the command line. The advantage is that it is more reliable than manually specifying the hostname with the --limit parameter on the command line. This option combines the advantages of the previous options and is my favorite as well.

code

---
- name: harmful playbook
  hosts: "{{ HOSTS }}"
  tasks:
    - name: harmful task
      ansible.builtin.debug:
        msg: "harmful task"

execution

ansible-pilot $ ansible-playbook -i limit/inventory -e "HOSTS=demo.example.com" limit/playbook3.yml
PLAY [harmful playbook] ***************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [harmful task] *******************************************************************************
ok: [demo.example.com] => {
    "msg": "harmful task"
}
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ansible-pilot $

wrong execution

ansible-pilot $ ansible-playbook -i limit/inventory limit/playbook3.yml 
[WARNING]: Could not match supplied host pattern, ignoring: HOSTS
PLAY [harmful playbook] ***************************************************************************
skipping: no hosts matched
PLAY RECAP ****************************************************************************************
ansible-pilot $
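
The HOSTS variable accepts a group as well as a single host, so `-e "HOSTS=linux"` would still reach both demo machines. The playbook below is an added example, not part of the original article: it keeps the `HOSTS` variable from above and adds a guard that stops the play unless exactly one host matched, using Ansible's `ansible_play_hosts_all` magic variable. The task names and the failure message are assumptions made for illustration.

```yaml
---
# Added example (not from the original article): option 3 plus a guard.
- name: harmful playbook
  hosts: "{{ HOSTS }}"
  # Fact gathering runs before pre_tasks and would already connect to
  # every matched host, so it is switched off and done after the guard.
  gather_facts: false
  pre_tasks:
    # assert is evaluated on the control node; no target is contacted.
    - name: Stop unless the play targets exactly one host
      ansible.builtin.assert:
        that:
          - ansible_play_hosts_all | length == 1
        fail_msg: >-
          Refusing to run: {{ ansible_play_hosts_all | length }} hosts
          matched ({{ ansible_play_hosts_all | join(', ') }}).
          Pass a single hostname in HOSTS.
        quiet: true
  tasks:
    - name: Gather facts only after the guard has passed
      ansible.builtin.setup:

    - name: harmful task
      ansible.builtin.debug:
        msg: "harmful task"
```

With `-e "HOSTS=demo.example.com"` the guard passes and the play continues; with `-e "HOSTS=linux"` or `-e "HOSTS=all"` every matched host fails the assertion and the harmful task never runs.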


Recap

Now you know the three options to safely limit Ansible Playbook execution to a single machine, which you can apply to your everyday journey based on your use case.
