Run playbooks the way operators do — target a subset of hosts, run only tagged tasks, dry-run with check and diff, and configure Ansible with ansible.cfg.
Why: you rarely want to hit every host at once. --limit restricts a run to one host or group — roll out to a single canary before the fleet, or re-run against just the box that failed. It narrows the inventory without editing any file.
Run against just one host
ansible-playbook site.yml -i inventory.ini --limit web1.example.com
Run against a whole group
ansible-playbook site.yml -i inventory.ini --limit web
Why: a big playbook has parts you sometimes want to run alone — just the config, just the deploy. Tag tasks, then select them at run time. This turns one playbook into many targeted operations without splitting it up.
- name: Web server
  hosts: web
  become: true
  tasks:
    - name: Install packages
      ansible.builtin.package:
        name: nginx
        state: present
      tags: [install]
    - name: Deploy config
      ansible.builtin.template:
        src: nginx.conf.j2
        dest: /etc/nginx/nginx.conf
      tags: [config]
Why: the safe operator’s loop, before touching production. --check reports what would change without changing it; --diff shows the exact file edits; --list-hosts confirms which machines you are about to hit. Run these first, read the output, then run for real.
Confirm the target hosts
ansible-playbook site.yml -i inventory.ini --list-hosts
Dry run with diffs
ansible-playbook site.yml -i inventory.ini --check --diff
Why: an ansible.cfg in your project sets defaults so you stop repeating flags — the inventory path, whether to gather facts, SSH behavior. Ansible reads it automatically from the current directory. Commit it so everyone runs with the same settings.
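# ansible.cfg
# Comments sit on their own lines: in ansible.cfg only ";" starts an inline
# comment, so a trailing "#" would be read as part of the value.
[defaults]
inventory = ./inventory.ini
# lab only: skips SSH prompts by turning off host key verification
host_key_checking = False
# readable, structured output
stdout_callback = yaml
# now you can drop the -i flag: ansible-playbook site.yml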
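A check to run before committing ansible.cfg, as an added example that is not part of the original page: it parses the file with ";" as the only inline comment marker (Ansible's documented rule), flags a trailing "#" comment that would be read into the value, and flags disabled SSH host key checking. The names audit_ansible_cfg, SAMPLE_CFG and FALSY are made up here, and the sample file is constructed.

```python
import configparser

# Constructed sample: a lab ansible.cfg with a trailing "#" comment on a value line.
SAMPLE_CFG = """\
[defaults]
inventory = ./inventory.ini
host_key_checking = False # skip SSH prompts in a lab
stdout_callback = yaml
"""

# Common spellings of "false" for a boolean setting (assumption: lower-cased match).
FALSY = {"false", "no", "off", "0", "n", "f"}


def audit_ansible_cfg(text):
    """Return a list of (option, finding) tuples for an ansible.cfg given as text."""
    # Only ";" may start an inline comment in ansible.cfg, so parse the same way;
    # a trailing "#" then stays inside the value, which is what we want to detect.
    parser = configparser.ConfigParser(
        inline_comment_prefixes=(";",), interpolation=None
    )
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if " #" in value:
                findings.append((option, "inline '#' is read as part of the value"))
                # Judge the setting the author intended, not the polluted string.
                value = value.split(" #", 1)[0]
            if option == "host_key_checking" and value.strip().lower() in FALSY:
                findings.append((option, "SSH host key verification is disabled"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_ansible_cfg(SAMPLE_CFG):
        print(f"{option}: {finding}")
```
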