Skip to content
Latchkey

ansible-playbook: Usage, Options & Common CI Errors

Run an Ansible playbook against your inventory - the core of configuration management.

ansible-playbook executes the plays in one or more YAML playbooks against the hosts in your inventory. It is the command CI runs to configure servers, and the one that trips on SSH host keys.

What it does

ansible-playbook runs the tasks defined in a playbook against the hosts selected from an inventory, in order, applying handlers and respecting check/become settings. It connects over SSH (or a configured connection plugin), gathers facts, and reports changed/ok/failed counts per host.

Common usage

Terminal
# Run a playbook against an inventory
ansible-playbook -i inventory.ini site.yml

# Limit to a host group and pass extra vars
ansible-playbook -i inventory.ini site.yml --limit web --extra-vars "env=prod"

# Dry run (no changes) and show diffs
ansible-playbook -i inventory.ini site.yml --check --diff

# CI: supply the vault password from a file, escalate privileges
ansible-playbook -i inventory.ini site.yml --become --vault-password-file .vault_pass

Common error in CI: host key verification failed

On a fresh runner the first SSH connection fails with "Host key verification failed" or "Are you sure you want to continue connecting (yes/no)?" - and the job hangs or aborts because there is no known_hosts entry. Fix: export ANSIBLE_HOST_KEY_CHECKING=false (or set host_key_checking=False in ansible.cfg) for ephemeral CI hosts, or pre-seed known_hosts with ssh-keyscan. Never disable host key checking against long-lived production hosts where MITM matters.

Key options

OptionPurpose
-i INVENTORYInventory file, directory, or host list
--limit PATTERNRestrict to matching hosts/groups
--check / --diffDry run / show file diffs
--becomeEscalate privileges (sudo)
--vault-password-fileRead vault password non-interactively
--tags / --skip-tagsRun or skip tagged tasks

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →