Ansible Pull

Ansible is one of the most powerful free and open-source automation tools. It is a versatile tool that allows us to automate a variety of tasks such as configuration management, application deployment, and more over SSH.

When we think of Ansible, we consider a single control node that manages and configures all the other defined nodes. However, Ansible provides a more decentralized option using the ansible-pull utility. This utility allows the managed nodes to pull the configurations from a version control repository.

In this post, we will explore how to work with the ansible-pull command and provide some basic examples.

When to Use Ansible Pull

Before diving into the practical part of the tutorial, let us look at some common scenarios where you may need to use ansible-pull.

Dynamic environments – In a dynamic environment such as cloud infrastructure where nodes can be ephemeral, allowing them to configure themselves upon boot up can be advantageous.

Avoiding central points of failure – A single control node is a single point of failure: if that node is lost, the configurations it holds are lost with it and need rebuilding.

Edge Environments – Pulling configurations might be more efficient if you have edge locations with limited connectivity to central areas.


Before diving into the examples, ensure that you have the following:

  • Ansible installed on your nodes
  • A VCS repository (like Git) containing your Ansible playbooks
  • Appropriate SSH keys or credentials to access the repository

Ansible Pull Command

The following shows the syntax of the ansible-pull command:

ansible-pull [-h] [--version] [-v] [--private-key PRIVATE_KEY_FILE]
                 [-u REMOTE_USER] [-c CONNECTION] [-T TIMEOUT]
                 [--ssh-common-args SSH_COMMON_ARGS]
                 [--sftp-extra-args SFTP_EXTRA_ARGS]
                 [--scp-extra-args SCP_EXTRA_ARGS]
                 [--ssh-extra-args SSH_EXTRA_ARGS]
                 [-k | --connection-password-file CONNECTION_PASSWORD_FILE]
                 [--vault-id VAULT_IDS]
                 [--ask-vault-password | --vault-password-file VAULT_PASSWORD_FILES]
                 [-e EXTRA_VARS] [-t TAGS] [--skip-tags SKIP_TAGS]
                 [-i INVENTORY] [--list-hosts] [-l SUBSET] [-M MODULE_PATH]
                 [-K | --become-password-file BECOME_PASSWORD_FILE]
                 [--purge] [-o] [-s SLEEP] [-f] [-d DEST] [-U URL] [--full]
                 [-C CHECKOUT] [--accept-host-key] [-m MODULE_NAME]
                 [--verify-commit] [--clean] [--track-subs] [--check]
                 [playbook.yml ...]

Basic Ansible Pull

The most basic use of ansible-pull is pulling and applying a playbook from a repository. The command syntax is as follows:

ansible-pull -U <repository_url> <playbook.yml>

For example:

ansible-pull -U git:// main.yml

Once we run the previous command, the Ansible pull command will:

  • Clone the specified repository
  • Run the specified playbook (main.yml)

Scheduling Ansible Pull with Cron

The most common and useful application of the ansible-pull feature is to have the nodes periodically check for updates on the repository using cron jobs. An example demonstration is as follows:

0 * * * * /usr/local/bin/ansible-pull -U <repository_url> site.yml > /var/log/ansible-pull.log

This automates the pull operation against the target repository and fetches any changes. If there are changes, Ansible applies them, ensuring that the nodes have the latest configuration defined in the playbooks.
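
A scheduled pull runs whatever the repository serves, so the cron job is worth wrapping. The following is an added example, not code from the original post: it uses the -C, -d, -o and --verify-commit options from the syntax listing above, and the repository URL, paths, script name and the PULL_BIN override are assumptions.

```shell
#!/bin/sh
# Added example: wrapper for a cron-driven ansible-pull run (not from the post).
# All values below are assumptions; the host name is a constructed placeholder.
REPO_URL="${REPO_URL:-ssh://git@git.example.internal/infra/config.git}"
CHECKOUT="${CHECKOUT:-production}"      # branch or tag this node may follow
DEST="${DEST:-/var/lib/ansible-pull}"   # checkout dir; keep it root-owned
LOG="${LOG:-/var/log/ansible-pull.log}"
LOCK="${LOCK:-/run/ansible-pull.lock}"

# Accept only transports that authenticate the server. Over git:// or http://
# nothing ties the fetched playbook to the repository you meant to reach.
url_is_authenticated() {
    case "$1" in
        ssh://*|https://*) return 0 ;;
        *://*)             return 1 ;;   # git://, http://, ftp://, ...
        ?*@?*:?*)          return 0 ;;   # scp-style user@host:path uses SSH
        *)                 return 1 ;;
    esac
}

# Pull a pinned ref, require a valid GPG signature on the checked-out commit
# (--verify-commit; signer keys must be in the invoking user's keyring), and
# run the playbook only if the repository changed (-o).
# PULL_BIN is a hypothetical override so the command can be dry-run with echo.
verified_pull() {
    if ! url_is_authenticated "$REPO_URL"; then
        echo "refusing unauthenticated repository URL: $REPO_URL" >&2
        return 2
    fi
    "${PULL_BIN:-ansible-pull}" -U "$REPO_URL" -C "$CHECKOUT" -d "$DEST" \
        --verify-commit -o "$1"
}

# Crontab entry (script path is hypothetical):
#   0 * * * * /usr/local/sbin/ansible-pull-wrapper --run site.yml
if [ "${1:-}" = "--run" ]; then
    exec 9>"$LOCK"
    flock -n 9 || exit 0    # previous run still active; skip this one
    # Append, and capture stderr, so failed signature checks stay in the log.
    verified_pull "${2:-site.yml}" >>"$LOG" 2>&1
fi
```

Running it with PULL_BIN=echo prints the exact ansible-pull command line without executing it.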


We explored working with the ansible-pull command to reverse the typical Ansible operations by fetching the configurations from a version control system instead of pushing the configuration from a central node.

About the author

John Otieno