Mastering Ansible Inventory: Define Hosts, Groups, and Configuration Files
This guide explains how to create and organize Ansible inventory files by defining individual hosts, host groups, nested groups, and using patterns or wildcards to select targets, while also covering configuration file priority, essential settings, and a step‑by‑step example for secure, password‑less automation.
Define Hosts and Groups
When using Ansible to manage multiple machines, you first create an inventory file (default /etc/ansible/hosts) that lists the hosts and groups you want to control.
Host definition
Hosts can be identified by hostname, fully‑qualified domain name, or IP address. The name must resolve to an IP if you use a hostname or domain.
[devops@node1 ~]$ cat hosts
node1
node2
node1.example.com
node2.example.com
192.168.200.100
192.168.200.200
You can also define a range of IP addresses:
[devops@node1 ~]$ cat hosts
192.168.200.[1:10]
# ansible all --list
hosts (10):
192.168.200.1
192.168.200.2
192.168.200.3
192.168.200.4
192.168.200.5
192.168.200.6
192.168.200.7
192.168.200.8
192.168.200.9
192.168.200.10
Group definition
Groups are declared by surrounding the group name with square brackets, followed by the member hosts.
[devops@node1 ~]$ cat hosts
[webserver]
node1
node2
A host can belong to multiple groups; simply list the host under each group.
[devops@node1 ~]$ cat hosts
[webserver]
node1
node2
[sqlserver]
node2
node3
Order matters: a host that belongs to no group must be listed **before** the first group header; otherwise Ansible treats it as a member of the preceding group.
Group nesting
Nested groups let you build hierarchical structures. For example, to represent two data‑centers you can create a parent group that contains the two child groups:
[devops@node1 ~]$ cat hosts
192.168.1.1
[webserver]
node1
node2
[sqlserver]
node2
node3
[MachineRoom:children]
webserver
sqlserver
Running ansible MachineRoom --list now returns all hosts from both webserver and sqlserver groups.
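The rules from this section (IP ranges, group headers, :children nesting, and the ordering rule for ungrouped hosts) are shown here as an added Python sketch. It is not part of the original article and is not Ansible's own parser. The function names and the 'top' bucket are assumptions for illustration, and only one numeric range per host line is modelled.

```python
import re

# Constructed sample modelled on the inventory above plus one IP range; names are illustrative.
SAMPLE = """\
192.168.1.1
192.168.200.[1:3]
[webserver]
node1
node2
[sqlserver]
node2
node3
[MachineRoom:children]
webserver
sqlserver
"""

RANGE = re.compile(r"\[(\d+):(\d+)\]")  # e.g. 192.168.200.[1:3], inclusive

def expand(name):
    m = RANGE.search(name)
    if not m:
        return [name]
    lo, hi = int(m.group(1)), int(m.group(2))
    return [name[:m.start()] + str(i) + name[m.end():] for i in range(lo, hi + 1)]

def parse_inventory(text):
    """Return (groups, children); hosts above the first header land in 'top'."""
    groups, children, section, kind = {"top": []}, {}, "top", ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, _, kind = line[1:-1].partition(":")
            groups.setdefault(section, [])
        elif line and kind == "children":
            children.setdefault(section, []).append(line)
        elif line and kind == "":
            groups[section].extend(expand(line.split()[0]))
    return groups, children

def hosts_in(group, groups, children):
    """Resolve a group to its hosts, following :children, without duplicates."""
    found = list(groups.get(group, []))
    for child in children.get(group, []):
        found += hosts_in(child, groups, children)
    return list(dict.fromkeys(found))

def ungrouped(groups):  # top-level hosts that no named group contains
    named = {h for g, hs in groups.items() if g != "top" for h in hs}
    return [h for h in groups["top"] if h not in named]
```

Moving the 192.168.1.1 line below [webserver] in the sample makes it a member of webserver and empties the ungrouped list, which is the ordering rule stated above.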
Select Hosts and Groups
After defining inventory, you can select specific hosts or groups when running Ansible commands.
Exact matching
# list all hosts
[devops@node1 ~]$ ansible all --list
hosts (4):
192.168.1.1
node1
node2
node3
# match a single host
[devops@node1 ~]$ ansible 192.168.1.1 --list
hosts (1):
192.168.1.1
# match a group
[devops@node1 ~]$ ansible webserver --list
hosts (2):
node1
node2
# match multiple targets (comma‑separated)
[devops@node1 ~]$ ansible 192.168.1.1,webserver --list
hosts (3):
192.168.1.1
node1
node2
# list hosts that are not part of any group
[devops@node1 ~]$ ansible ungrouped --list
hosts (1):
192.168.1.1
Wildcard matching
Use shell‑style patterns to match groups of hosts.
# match all hosts ending with .example.com
[devops@node1 ~]$ ansible '*.example.com' --list
hosts (2):
node1.example.com
node2.example.com
# exclude a subset (quote the pattern to avoid shell history expansion)
[devops@node1 ~]$ ansible '*.example.com,!node2*' --list
hosts (1):
node1.example.com
Configuration File Priority
Ansible reads configuration files in the following order (highest to lowest priority):
File pointed to by the ANSIBLE_CONFIG environment variable.
./ansible.cfg in the current directory.
~/.ansible.cfg in the user's home directory.
/etc/ansible/ansible.cfg (default).
Configuration File Details
Sections
The ansible.cfg file is divided into several sections, e.g.:
[defaults]
inventory = /etc/ansible/hosts
ask_pass = false
remote_user = root
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
Key parameters:
inventory : path to the default inventory file.
remote_user : user Ansible uses on remote hosts (default root).
ask_pass : whether to prompt for a password (set false when using SSH keys).
become : enable privilege escalation.
become_method : method for escalation (usually sudo).
become_user : target user for escalation (default root).
become_ask_pass : prompt for sudo password (set false for password‑less sudo).
Example Setup
The following example shows a complete, password‑less, sudo‑enabled Ansible environment using a regular user devops:
Create a non‑privileged user on each managed node and set a password.
# useradd devops
# echo 123|passwd --stdin devops
Configure password‑less sudo for the user.
# cat /etc/sudoers.d/devops
devops ALL=(root) NOPASSWD:ALL
Generate an SSH key pair for devops and copy the public key to every managed host.
# su - devops
$ ssh-keygen # accept defaults, no passphrase
$ ssh-copy-id node1
$ ssh-copy-id node2
Copy the default Ansible configuration to the devops home directory and adjust it.
# cp -r /etc/ansible/ .
# cd ansible
# cat ansible.cfg
[defaults]
inventory = ./hosts
sudo_user = devops
ask_sudo_pass = False
ask_pass = False
host_key_checking = False
[privilege_escalation]
become = True
become_method = sudo
become_user = root
become_ask_pass = False
Write the host inventory (example with two nodes).
# cat hosts
node1
node2
Verify the configuration.
# ansible all --list
hosts (2):
node1
node2
# run a test command as root
# ansible all -m shell -a 'whoami'
node2 | CHANGED | rc=0 >>
root
node1 | CHANGED | rc=0 >>
root
Successful output confirms that the devops user can connect without a password, elevate to root via sudo, and execute commands on all managed hosts.
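A check over the files this setup produces, added here as an example (not from the original article or the Ansible project). It picks the configuration file by the priority order listed earlier and reports the settings in the example ansible.cfg and sudoers drop-in that skip SSH host-key verification or grant unrestricted escalation. The function names and finding texts are assumptions for illustration.

```python
import configparser
import os
import re

# Constructed samples copied from the setup above; helper names are illustrative.
SAMPLE_CFG = """\
[defaults]
inventory = ./hosts
sudo_user = devops
ask_sudo_pass = False
ask_pass = False
host_key_checking = False
[privilege_escalation]
become = True
become_method = sudo
become_user = root
become_ask_pass = False
"""
SAMPLE_SUDOERS = "devops ALL=(root) NOPASSWD:ALL\n"

def effective_config(env, cwd, home, exists=os.path.isfile):
    """Return the first existing file in the priority order listed above."""
    candidates = [env.get("ANSIBLE_CONFIG"), os.path.join(cwd, "ansible.cfg"),
                  os.path.join(home, ".ansible.cfg"), "/etc/ansible/ansible.cfg"]
    return next((p for p in candidates if p and exists(p)), None)

def audit_cfg(text):
    """Return findings for settings that widen access or skip verification."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if not cfg.getboolean("defaults", "host_key_checking", fallback=True):
        findings.append("host_key_checking off: SSH host keys are not verified")
    if cfg.get("defaults", "remote_user", fallback=None) == "root":
        findings.append("remote_user is root: SSH logs in directly as root")
    if cfg.getboolean("privilege_escalation", "become", fallback=False):
        findings.append("become on globally: tasks escalate by default")
    for key in ("sudo", "sudo_user", "ask_sudo_pass"):
        if cfg.has_option("defaults", key):
            findings.append(f"{key}: legacy setting, superseded by become_*")
    return findings

def audit_sudoers(text):
    """Return active sudoers rules that allow every command without a password."""
    rule = re.compile(r"NOPASSWD:\s*ALL\s*$")
    return [line.strip() for line in text.splitlines()
            if not line.lstrip().startswith("#") and rule.search(line)]

if __name__ == "__main__":
    print(audit_cfg(SAMPLE_CFG) + audit_sudoers(SAMPLE_SUDOERS))
```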
MaGe Linux Operations
