My blog

Why Ansible? Ansible vs Puppet

Ansible PROS

  • For each “piece of code” you have nodes where code will be executed. In puppet thou, it is vice versa.
  • Orchestration. Macro events can be scheduled easily i.e. inter-nodes dependencies. Inter-action dependencies. E.g. live migration of the whole distributed cloud web app ( all the load balancers, web-/db-/cache servers) from one cloud vendor to another, can be achieved with an Ansible playbook. Because Ansible is declarative language that in some cases can be used as a Bash script.
  • consequences are important & can be leveraged. E.g. action1 on nodes1 before action2 on nodes2. In Puppet nodes don’t know about each other.

  • Ansible works via SSH connection, so you even can reboot the server & wait till it is booted up again, then execute something on it right after reboot. Everything via Ansible.

  • signing/revoking SSL certificates in Puppet is s hell comparing to SSH access which is enough for Ansible. With Ansible you only need SSH access, no agents/masters.

  • Initiator/Ansible model is better than polling a server/Puppet. No need to invent (GEO) caches on 100+ nodes Puppet-setup.

  • Some Ansible code can be executed hourly, some monthly, some ad-hoc manually. Hardly possible in puppet.

  • No need to install agent software on node. Python is enough.


  • It is difficult to find a module per your needs. Really, how can I trust the author of a module? Some modules provide what I need but abandoned, some are new but too simple.

Ansible CONS

  • Yaml sucks. Those nasty spaces VS tabs, formatting is something I havent been familiar with: some notions of YAML structure ( multiline VS single line). And YAML looks like Windows Registry!
  • Bad reports. Really, I need to know what happened after Ansible run & track history of runs.
  • Bad logging. What I am seeing on the screen, doesnt reflect major things I expect: what changed & how. How means the diff betwen it had been & had became.
  • Speed. O Lord, Ansible is slow. It takes 40 sec to apply a playbook with SSHD + Fail2ban + NRPE + APT roles. Technically it means to place a bunch of files based on templates & restart some services upon changes. I bet on Puppet it would take 10 sec.