AI 资讯
🐍 When to choose ansible roles over playbooks
When to choose ansible roles over playbooks depends on the need for reusable structure, clear separation of concerns, and scalable maintenance across many environments. In a deployment that touches 1,200 servers, the early design decision determines whether the codebase remains maintainable or devolves into ad‑hoc tasks that require weeks of debugging. 📑 Table of Contents 📦 Modularity — Why Structure Matters 🧩 Reusability — When Scaling Demands Roles 🔧 Example: Deploying a Database Across Multiple Environments ⚙️ Dependency Management — How Requirements Influence Choice 🔗 Role Dependency Example 📁 File Layout — Organizing Artifacts for Maintenance 📊 Performance & Execution — Impact on Runtime 🔍 Comparison – Roles vs. Playbooks 🟩 Final Thoughts ❓ Frequently Asked Questions When should I still use a flat playbook? Can I mix roles and tasks in the same playbook? How do I test a role without affecting production? 📚 References & Further Reading 📦 Modularity — Why Structure Matters Roles enforce a predictable directory hierarchy that isolates tasks, variables, handlers, and files. What this does: # roles/webserver/tasks/main.yml - name: Install Nginx apt: name: nginx state: present - name: Deploy configuration template: src: nginx.conf.j2 dest: /etc/nginx/nginx.conf mode: '0644' notify: Restart Nginx # roles/webserver/handlers/main.yml - name: Restart Nginx service: name: nginx state: restarted tasks/main.yml: defines the ordered steps the role performs. handlers/main.yml: runs only when notified, preventing unnecessary restarts. The directory roles/webserver groups all related artifacts, making the role portable. Because the role encapsulates its logic, a playbook can invoke webserver without repeating internal steps. This eliminates duplication and aligns with the DRY principle. Key point: Enforced structure turns a loose collection of tasks into a self‑contained unit that can be shared across multiple playbooks. 🧩 Reusability — When Scaling Demands Roles Roles enable r
AI 资讯
Ansible Vault — Managing Secrets Securely in Ansible and AWX — My DevOps Journey By Sireesha
One thing I kept putting off when I started with Ansible was properly securing my secrets. Passwords, API keys, tokens — they were just sitting in plain text inside my vars files. I knew it was wrong but it worked and I kept moving forward. Then I started thinking about what happens when this goes into GitLab. Anyone with access to the repo can see every password. That's when I properly sat down and learned Ansible Vault — and honestly I wish I'd done it from day one. In this blog I'll walk through how I use Ansible Vault from the command line and then how I handle it properly inside AWX so scheduled jobs and workflow templates can still run without someone manually typing a password every time. What is Ansible Vault? Ansible Vault is a built-in feature that lets you encrypt sensitive data — passwords, keys, tokens — so they can be safely stored in your playbooks and pushed to GitLab without exposing anything. The beauty of it is that it works right inside your existing YAML files. Your playbook structure doesn't change — Vault just encrypts the values that need protecting. What I Was Doing Before — The Wrong Way This is what my vars file looked like before Vault: # vars/main.yml ubuntu_sudo_password : MyPassword123 db_password : SuperSecret456 api_token : abcd1234efgh5678 Pushed straight to GitLab. Anyone with repo access could read every single one of those. Not good. Encrypting a Single Value with Ansible Vault The first thing I learned was how to encrypt just a single variable value — not the entire file. This is cleaner because the rest of the vars file stays readable. ansible-vault encrypt_string 'MyPassword123' --name 'ubuntu_sudo_password' It asks you to create a vault password — this is the master password you'll use to decrypt later. Enter it twice: New Vault password: Confirm New Vault password: The output looks like this: ubuntu_sudo_password : !vault | $ANSIBLE_VAULT;1.1;AES256 6638643965323633646262656665333738623539613862393436316162336466383462343733
AI 资讯
Inside Swift's plan to modernize thousands of Ansible Playbooks - and govern automation at scale
At Red Hat Summit 2026, SWIFT shared the approach they’re rolling out — including the pilot results that informed it, and the scale they’re targeting next. Imagine running automation that touches roughly one third of global GDP every day. Tens of thousands of VMs, network devices in production, elevated privileges across production systems — and every playbook you run is, effectively, a software supply chain. That is the everyday reality at SWIFT, the secure financial messaging backbone connecting 11,000+ financial institutions across more than 200 countries. At Red Hat Summit 2026, Suvasish Ghosh , Product Owner for CI/CD Engineering and DevOps Engineering Services at SWIFT, joined Gregor Berginc , CEO of XLAB Steampunk, on stage to talk about how SWIFT is using Steampunk Spotter to govern Ansible automation at this scale. Why automation at SWIFT scale needs governance by design For SWIFT, security, availability and auditability are not features added on top — they are baseline engineering requirements. Regulatory frameworks (including DORA) codify the expectations, but as Suvasish made clear on stage, governance is by design at SWIFT, not driven solely by regulation. That stance reflects a simple truth that more and more platform teams are arriving at: automation is production infrastructure, and it must be governed as such. When you run an Ansible playbook, you are executing a software supply chain — collections, modules, roles, Python packages, system packages, the execution environment, the operating system underneath. The playbook itself is just the tip of the iceberg. Errors propagate fast. The blast radius is large. And yet, until recently, most of the security and compliance attention in IT organizations went to the applications shipping to production. The automation that built and configured everything around them often slipped through. Suvasish put it directly during the session: “We spent a lot of time being compliant and secure in our application, but w