Ansible Interview Prep: Questions by Difficulty

Here is a curated list of Ansible interview questions, broken down by difficulty level, to help you prepare or interview others.

Beginner Level

1. What is Ansible, and how does it differ from other configuration management tools?

Ansible is an open-source automation platform used for configuration management, application deployment, and task automation.

  • Agentless: Unlike Chef or Puppet, which require agent software to be installed on target nodes, Ansible is agentless. It connects via SSH (for Linux/Unix) or WinRM (for Windows) and uses Python on the target machine to execute tasks.
  • Push Architecture: Ansible pushes configurations from a central control node to the managed nodes, whereas many other tools use a pull architecture where clients periodically check a master server for updates.

2. What is an Ansible Inventory?

An inventory is a file (usually in INI or YAML format) that lists the hosts or nodes that Ansible manages. It allows you to organize hosts into groups and assign variables to them.

Example INI Inventory:

[webservers]
web1.example.com
web2.example.com

[dbservers]
db1.example.com

3. What is the difference between an Ansible Playbook and a Task?

  • Task: The smallest unit of action in Ansible. It defines a single operation to be executed, like installing a package or starting a service, usually by calling an Ansible module.
  • Playbook: A YAML file containing one or more “plays.” A play maps a group of hosts from the inventory to a specific set of tasks.

Intermediate Level

4. What are Ansible Handlers, and when should you use them?

Handlers are special tasks that only run when triggered by a notify directive from another task, and only if that task actually changed something on the managed node. They are commonly used to restart services after a configuration file is updated.

Note: Handlers run once at the very end of a play, ensuring a service is only restarted once, even if multiple tasks notified it.

tasks:
  - name: Copy Nginx configuration
    ansible.builtin.copy:
      src: nginx.conf
      dest: /etc/nginx/nginx.conf
    notify: Restart Nginx

handlers:
  - name: Restart Nginx
    ansible.builtin.service:
      name: nginx
      state: restarted

5. What is the difference between variable files (vars_files) and Ansible Vault?

  • Variable Files: Standard YAML files used to store non-sensitive variables (like port numbers, usernames, or domain names) to keep playbooks clean and reusable.
  • Ansible Vault: A feature that allows you to encrypt sensitive data (like passwords, API keys, and SSL certificates) within your playbooks or variable files. Encrypted files can be safely committed to version control (like Git).

6. Explain the difference between ad-hoc commands and playbooks.

  • Ad-hoc Commands: Quick, one-liner commands used to perform a single task across one or many nodes without saving it for later (e.g., ansible all -m ping). Great for quick checks.
  • Playbooks: Structured YAML files used for complex, repeatable, and multi-step deployments that need to be version-controlled and reused.

Advanced Level

7. How do you handle secrets and sensitive data in CI/CD pipelines using Ansible?

When running Ansible in an automated pipeline (like Jenkins, GitLab CI, or GitHub Actions), you can manage secrets by:

  1. Storing the Ansible Vault password as a protected environment variable or secret in the CI/CD platform.
  2. Passing the password to the playbook run using --vault-password-file pointing to a temporary file, or using a script that echoes the environment variable.
  3. Integrating Ansible with external secret managers like HashiCorp Vault, CyberArk, or AWS Secrets Manager using Ansible lookup plugins.
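
The first two steps above as a shell sketch for a CI job (an added example, not part of the original article). VAULT_PASS is an assumed name for the protected CI secret, and inventory.ini, site.yml and deploy.sh are placeholder file names.

```shell
#!/usr/bin/env bash
# Added example. VAULT_PASS is an assumed name for the protected CI secret;
# inventory.ini, site.yml and deploy.sh are placeholder file names.

# Step 2, script variant: saved as an executable file and passed to
# --vault-password-file, Ansible runs it and reads the password from stdout.
# Fails closed if the secret is missing instead of printing an empty line.
vault_pass_client() {
    if [ -z "${VAULT_PASS:-}" ]; then
        echo "VAULT_PASS is not set" >&2
        return 1
    fi
    printf '%s\n' "$VAULT_PASS"
}

# Step 2, temporary-file variant: mktemp creates the file with mode 0600,
# so other users on a shared runner cannot read it. Prints the file path.
write_vault_pass_file() {
    if [ -z "${VAULT_PASS:-}" ]; then
        echo "VAULT_PASS is not set" >&2
        return 1
    fi
    pass_file=$(umask 077 && mktemp) || return 1
    printf '%s\n' "$VAULT_PASS" > "$pass_file"
    printf '%s\n' "$pass_file"
}

# Runs the playbook and removes the password file whether or not it succeeds.
run_playbook() {
    vault_file=$(write_vault_pass_file) || return 1
    rc=0
    ansible-playbook -i inventory.ini site.yml \
        --vault-password-file "$vault_file" || rc=$?
    rm -f "$vault_file"
    return "$rc"
}

# Invoke from the CI job as: ./deploy.sh --run
if [ "${1:-}" = "--run" ]; then
    run_playbook
fi
```

Keep shell tracing (set -x) off around these functions, since tracing would print the expanded secret into the job log.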

8. What is the difference between include_tasks and import_tasks?

This is a classic architectural question regarding dynamic vs. static reuse:

  • import_tasks (Static): Happens at playbook parsing time. Ansible pre-processes all tasks before the playbook runs. You cannot use loops with import_tasks, and variables defined earlier in the play might not be available during parsing.
  • include_tasks (Dynamic): Happens at playbook execution time, as the play encounters the statement. This allows you to use loops, conditional statements (when), and runtime variables to decide whether or not to include the tasks.

9. What are Ansible Collections, and how do they differ from Roles?

  • Ansible Roles: A structured way to bundle tasks, variables, handlers, templates, and modules together to make them easily reusable.
  • Ansible Collections: Introduced in Ansible 2.9, collections are a broader distribution format. They can contain multiple roles, custom modules, plugins (like lookup or filter plugins), and playbooks. Collections allow third-party vendors (like AWS, Cisco, or Red Hat) to update their Ansible content independently of the core Ansible release cycle.

10. How can you optimize Ansible performance for a large infrastructure (hundreds of nodes)?

  • Increase Forks: Adjust the forks parameter in ansible.cfg (default is 5) to increase the number of parallel processes Ansible spawns.
  • Enable Pipelining: Turn on pipelining = True in ansible.cfg. This reduces the number of SSH operations required to execute a module by executing it directly in memory without transferring files.
  • Use Mitogen: A third-party plugin for Ansible that replaces the default execution strategy with a highly optimized one, often speeding up runs by 1.5x to 3x.
  • Disable Fact Gathering: If your tasks don’t rely on system facts (like OS version or IP addresses), set gather_facts: false in your playbook to save significant time.
