ansible-pull - Man Page

• Pull a playbook from a VCS and execute a default local.yml playbook: ansible-pull -U repository_url
• Pull a playbook from a VCS and execute a specific playbook: ansible-pull -U repository_url playbook
• Pull a playbook from a VCS at a specific branch and execute a specific playbook: ansible-pull -U repository_url -C branch playbook
• Pull a playbook from a VCS, specify hosts file and execute a specific playbook: ansible-pull -U repository_url -i hosts_file playbook

tldr.sh

usage: ansible-pull [-h] [--version] [-v] [--private-key PRIVATE_KEY_FILE]

[-u REMOTE_USER] [-c CONNECTION] [-T TIMEOUT] [--ssh-common-args SSH_COMMON_ARGS] [--sftp-extra-args SFTP_EXTRA_ARGS] [--scp-extra-args SCP_EXTRA_ARGS] [--ssh-extra-args SSH_EXTRA_ARGS] [-k | --connection-password-file CONNECTION_PASSWORD_FILE] [--vault-id VAULT_IDS] [-J | --vault-password-file VAULT_PASSWORD_FILES] [-e EXTRA_VARS] [-t TAGS] [--skip-tags SKIP_TAGS] [-i Inventory] [--list-hosts] [-l SUBSET] [-M MODULE_PATH] [-K | --become-password-file BECOME_PASSWORD_FILE] [--purge] [-o] [-s SLEEP] [-f] [-d DEST] [-U URL] [--full] [-C CHECKOUT] [--accept-host-key] [-m MODULE_NAME] [--verify-commit] [--clean] [--track-subs] [--check] [--diff] [playbook.yml ...]

Used to pull a remote copy of ansible on each managed node, each set to run via cron and update playbook source via a source repository. This inverts the default push architecture of ansible into a pull architecture, which has near-limitless scaling potential.

None of the CLI tools are designed to run concurrently with themselves, you should use an external scheduler and/or locking to ensure there are no clashing operations.

The setup playbook can be tuned to change the cron frequency, logging locations, and parameters to ansible-pull. This is useful both for extreme scale-out as well as periodic remediation. Usage of the 'fetch' module to retrieve logs from ansible-pull runs would be an excellent way to gather and analyze remote logs from ansible-pull.

--accept-host-key

adds the hostkey for the repo url if not already added

--become-password-file 'BECOME_PASSWORD_FILE', --become-pass-file 'BECOME_PASSWORD_FILE'

Become password file

--check

don't make any changes; instead, try to predict some of the changes that may occur

--clean

modified files in the working repository will be discarded

--connection-password-file 'CONNECTION_PASSWORD_FILE', --conn-pass-file 'CONNECTION_PASSWORD_FILE'

Connection password file

--diff

when changing (small) files and templates, show the differences in those files; works great with --check

--full

Do a full clone, instead of a shallow one.

--list-hosts

outputs a list of matching hosts; does not execute anything else

--private-key 'PRIVATE_KEY_FILE', --key-file 'PRIVATE_KEY_FILE'

use this file to authenticate the connection

--purge

purge checkout after playbook run

--scp-extra-args 'SCP_EXTRA_ARGS'

specify extra arguments to pass to scp only (e.g. -l)

--sftp-extra-args 'SFTP_EXTRA_ARGS'

specify extra arguments to pass to sftp only (e.g. -f, -l)

--skip-tags

only run plays and tasks whose tags do not match these values. This argument may be specified multiple times.

--ssh-common-args 'SSH_COMMON_ARGS'

specify common arguments to pass to sftp/scp/ssh (e.g. ProxyCommand)

--ssh-extra-args 'SSH_EXTRA_ARGS'

specify extra arguments to pass to ssh only (e.g. -R)

--track-subs

submodules will track the latest changes. This is equivalent to specifying the --remote flag to git submodule update

--vault-id

the vault identity to use. This argument may be specified multiple times.

--vault-password-file,  --vault-pass-file

vault password file

--verify-commit

verify GPG signature of checked out commit, if it fails abort running the playbook. This needs the corresponding VCS module to support such an operation

--version

show program's version number, config file location, configured module search path, module location, executable location and exit

-C 'CHECKOUT', --checkout 'CHECKOUT'

branch/tag/commit to checkout. Defaults to behavior of repository module.

-J,  --ask-vault-password,  --ask-vault-pass

ask for vault password

-K,  --ask-become-pass

ask for privilege escalation password

-M,  --module-path

prepend colon-separated path(s) to module library (default={{ ANSIBLE_HOME ~ "/plugins/modules:/usr/share/ansible/plugins/modules" }}). This argument may be specified multiple times.

-T 'TIMEOUT', --timeout 'TIMEOUT'

override the connection timeout in seconds (default depends on connection)

-U 'URL', --url 'URL'

URL of the playbook repository

-c 'CONNECTION', --connection 'CONNECTION'

connection type to use (default=ssh)

-d 'DEST', --directory 'DEST'

absolute path of repository checkout directory (relative paths are not supported)

-e,  --extra-vars

set additional variables as key=value or YAML/JSON, if filename prepend with @. This argument may be specified multiple times.

-f,  --force

run the playbook even if the repository could not be updated

-h,  --help

show this help message and exit

-i,  --inventory,  --inventory-file

specify inventory host path or comma separated host list. --inventory-file is deprecated. This argument may be specified multiple times.

-k,  --ask-pass

ask for connection password

-l 'SUBSET', --limit 'SUBSET'

further limit selected hosts to an additional pattern

-m 'MODULE_NAME', --module-name 'MODULE_NAME'

Repository module name, which ansible will use to check out the repo. Choices are ('git', 'subversion', 'hg', 'bzr'). Default is git.

-o,  --only-if-changed

only run the playbook if the repository has been updated

-s 'SLEEP', --sleep 'SLEEP'

sleep for random interval (between 0 and n number of seconds) before starting. This is a useful way to disperse git requests

-t,  --tags

only run plays and tasks tagged with these values. This argument may be specified multiple times.

-u 'REMOTE_USER', --user 'REMOTE_USER'

connect as this user (default=None)

-v,  --verbose

Causes Ansible to print more debug messages. Adding multiple -v will increase the verbosity, the builtin plugins currently evaluate up to -vvvvvv. A reasonable level to start is -vvv, connection debugging might require -vvvv. This argument may be specified multiple times.

playbook.yml

The name of one the YAML format files to run as an Ansible playbook.This can be a relative path within the checkout. By default, Ansible willlook for a playbook based on the host's fully-qualified domain name,on the host hostname and finally a playbook named local.yml.

Ansible stores the hosts it can potentially operate on in an inventory. This can be an YAML file, ini-like file, a script, directory, list, etc. For additional options, see the documentation on https://docs.ansible.com/.

The following environment variables may be specified.

ANSIBLE_INVENTORY  -- Override the default ansible inventory sources

ANSIBLE_LIBRARY -- Override the default ansible module library path

ANSIBLE_CONFIG -- Specify override location for the ansible config file

Many more are available for most options in ansible.cfg

For a full list check https://docs.ansible.com/. or use the ansible-config command.

/etc/ansible/hosts -- Default inventory file

/etc/ansible/ansible.cfg -- Config file, used if present

~/.ansible.cfg -- User config file, overrides the default config if present

./ansible.cfg -- Local config file (in current working directory) assumed to be 'project specific' and overrides the rest if present.

As mentioned above, the ANSIBLE_CONFIG environment variable will override all others.

Ansible was originally written by Michael DeHaan.

Copyright © 2018 Red Hat, Inc | Ansible. Ansible is released under the terms of the GPLv3 license.

ansible (1), ansible-config (1), ansible-console (1), ansible-doc (1), ansible-galaxy (1), ansible-inventory (1), ansible-playbook (1), ansible-vault (1)

Extensive documentation is available in the documentation site: <https://docs.ansible.com>. IRC and mailing list info can be found in file CONTRIBUTING.md, available in: <https://github.com/ansible/ansible>