Richard Lenkovits
Test Ansible playbooks using Docker

Okay so this is what we're going to do:

  • Setting up an ssh accessible Ubuntu container.
  • Running an Ansible playbook against it to test that playbook.

Come again?

I know it's weird, hear me out.

Here's the scenario that we're trying to tackle. Imagine that:
1. You have Ansible playbooks to configure certain machines.
2. You run these playbooks once during the initial setup and forget about them.
3. A lot of time passes.
4. Later a developer needs to add a package or some change to the given host or host group.
5. They should update the ansible playbook and run it, but they're afraid they'll break the environment. Who knows when were those playbooks last run? Maybe they even have an invalid description of the current system. As a result the developer either: A.: Just does the changes by hand and best case, B.: ...updates the playbooks as well. But who know if it's a correct update.

This is how playbooks decay - at least in our environments.

People playing a clutch Jenga game.

Why such a basic validity check could be of good use

Having some simple tests could solve our issues, and provide some constant feedback about the playbooks' validity. But how do you test Ansible playbooks (other than lint them)? Playbooks are just ordered instructions describing a desired state.

Still, they could be faulty - it's easy to make mistakes when you're trying to translate your desired configuration steps into Ansible tasks. You may mess up a task, forget a necessary parameter on a module, maybe you try to install something for which you forget to provide it's prerequisites.

Preferably we want some tests which can run our playbooks against an ephemeral environment to see if they're -well- runnable. This is where docker comes into the picture. In docker you can test most of the things that you'd want to do with Ansible. Obviously for more complicated playbooks this might not be a good solution.

Test setup

This is how our small demo directory -with which we'll make our point- looks like:

├── Dockerfile
├── ansible.cfg
├── machine-setup.yml
1. Example Playbook and config

There's a very simple playbook machine-setup.yml, that sets up some packages on the host group called target_group.

# yamllint disable rule:line-length
- name: Setup Machine
  hosts: target_group
  gather_facts: false
  become: true

    - name: Install requirements
        update_cache: true
          - python3
          - flake8
          - pylint
          - python3-pip
        state: latest
      register: task_result
      until: not task_result.failed
      retries: 1
We provide some necessary Ansible config in a cfg file ansible.cfg:

# Avoid host key checking - to to run without interaction.
host_key_checking = False
2. Test Container

We create a Dockerfile too which describes for us an ssh accessible ubuntu container.

FROM ubuntu:latest


# Add sudo and openssh-server
ENV DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install openssh-server sudo -y

# Setup running user on the container with sudo rights and
# password-less ssh login
RUN useradd -m ${USER}
RUN adduser ${USER} sudo
RUN echo "${USER} ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers

# As the user setup the ssh identity using the key in the tmp folder
RUN mkdir ~/.ssh
RUN chmod -R 700 ~/.ssh
COPY --chown=${USER}:sudo /home/${USER}/.ssh/
RUN cat ~/.ssh/ >> ~/.ssh/authorized_keys
RUN chmod 644 ~/.ssh/
RUN chmod 644 ~/.ssh/authorized_keys

# start ssh with port exposed
USER root
RUN service ssh start


CMD ["/usr/sbin/sshd", "-D"]
3. Testing Script

Our script will start this container, run the playbook against it and clean up everything. Let's see it step by step.

  • We make sure to have a unique container name, and a path to our assets.
identifier="$(< /dev/urandom tr -dc 'a-z0-9' | fold -w 5 | head -n 1)" ||:
base_dir="$(dirname "$(readlink -f "$0")")"
  • We add a function to create temporary directory to store our temporary assets (like the inventory and the ssh id).
function setup_tempdir() {
    TEMP_DIR=$(mktemp --directory "/tmp/${NAME}".XXXXXXXX)
    export TEMP_DIR
  • We setup a cleanup function which will be able to clean up the temporary folder and the container as well.
function cleanup() {
    container_id=$(docker inspect --format="{{.Id}}" "${NAME}" ||:)
    if [[ -n "${container_id}" ]]; then
        echo "Cleaning up container ${NAME}"
        docker rm --force "${container_id}"
    if [[ -n "${TEMP_DIR:-}" && -d "${TEMP_DIR:-}" ]]; then
        echo "Cleaning up tepdir ${TEMP_DIR}"
        rm -rf "${TEMP_DIR}"
  • We need a function that will create ssh identities so Ansible can access the container through ssh. During docker build these will be added inside the container by a COPY step (see above in the Dockerfile).
function create_temporary_ssh_id() {
    ssh-keygen -b 2048 -t rsa -C "${USER}" -f "${TEMP_DIR}/id_rsa" -N ""
    chmod 600 "${TEMP_DIR}/id_rsa"
    chmod 644 "${TEMP_DIR}/"
  • We build and start the container with this function - providing the TEMP_DIR as it's context. We figure out the container's address for ssh.
function start_container() {
    docker build --tag "compute-node-sim" \
        --build-arg USER \
        --file "${base_dir}/Dockerfile" \
    docker run -d -P --name "${NAME}" "compute-node-sim"
    CONTAINER_ADDR=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "${NAME}")
  • We create a test inventory which has our target_group containing only the container by it's address we fetched above. We also add the ssh identity to be used when running the playbook.
function setup_test_inventory() {

    cat > "${TEMP_INVENTORY_FILE}" << EOL
  • We add the playbook runner function. It will run against our temporary inventory.
function run_ansible_playbook() {
    ansible-playbook -i "${TEMP_INVENTORY_FILE}" -vvv "${base_dir}/machine-setup.yml"
  • Now we run it all:
trap cleanup EXIT
trap cleanup ERR
Full script for reference:

#!/usr/bin/env bash

set -euo pipefail

identifier="$(< /dev/urandom tr -dc 'a-z0-9' | fold -w 5 | head -n 1)" ||:
base_dir="$(dirname "$(readlink -f "$0")")"

function cleanup() {
    container_id=$(docker inspect --format="{{.Id}}" "${NAME}" ||:)
    if [[ -n "${container_id}" ]]; then
        echo "Cleaning up container ${NAME}"
        docker rm --force "${container_id}"
    if [[ -n "${TEMP_DIR:-}" && -d "${TEMP_DIR:-}" ]]; then
        echo "Cleaning up tepdir ${TEMP_DIR}"
        rm -rf "${TEMP_DIR}"

function setup_tempdir() {
    TEMP_DIR=$(mktemp --directory "/tmp/${NAME}".XXXXXXXX)
    export TEMP_DIR

function create_temporary_ssh_id() {
    ssh-keygen -b 2048 -t rsa -C "${USER}" -f "${TEMP_DIR}/id_rsa" -N ""
    chmod 600 "${TEMP_DIR}/id_rsa"
    chmod 644 "${TEMP_DIR}/"

function start_container() {
    docker build --tag "compute-node-sim" \
        --build-arg USER \
        --file "${base_dir}/Dockerfile" \
    docker run -d -P --name "${NAME}" "compute-node-sim"
    CONTAINER_ADDR=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "${NAME}")

function setup_test_inventory() {

    cat > "${TEMP_INVENTORY_FILE}" << EOL

function run_ansible_playbook() {
    ansible-playbook -i "${TEMP_INVENTORY_FILE}" -vvv "${base_dir}/machine-setup.yml"

trap cleanup EXIT
trap cleanup ERR
Hope you found something useful here!

Top comments (3)

zmzlois profile image

Great article, thanks!

If anyone is also reading this and face the error

fatal: []: UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ssh: connect to host port 22: Operation timed out",
    "unreachable": true
Change the line in shell script

docker run -d -P --name "${NAME}" "compute-node-sim"
 docker run -d -p --name "${NAME}" "compute-node-sim"
and also one line below [target_group] in the setup_test_inventory() function to
to specify a port

pencillr profile image
Richard Lenkovits

Hey! Thanks for catching that!
I was using the -P flag to publish to random exposed ports, but maybe the docker inspect command couldn't parse the random assigned address. The structure might have changed since I wrote this.

vladrassokhin profile image
Vladislav Rassokhin

I'd suggest connecting to the randomly mapped host port. Adjust the script as follows:

function start_container() { 
    HOST_PORT=$(docker inspect --format='{{ (index (index .NetworkSettings.Ports "22/tcp") 0).HostPort }}' "${NAME}")
    export HOST_PORT


    cat > "${TEMP_INVENTORY_FILE}" << EOL
