What Ansible is & the push model

Agentless automation over SSH.

Beginner12 min · lesson 1 of 12

Ansible is an automation tool for configuring servers, deploying software, and orchestrating changes across a fleet — and its defining trait is that it is agentless. There is no daemon to install on the machines you manage; a control node connects to them over ordinary SSH (or WinRM for Windows), pushes the tasks, runs them using the target’s Python, and disconnects. If a host has SSH and Python, Ansible can manage it.

That push model is the opposite of agent-based tools like Chef or Puppet, where each node runs an agent that pulls its config from a server. Agentless means almost nothing to bootstrap and a tiny attack surface on the managed hosts — but it also means the control node holds the SSH keys and privilege to change every machine, which becomes the security story. Ansible describes desired state in YAML, so the same playbook run twice converges rather than repeating work.

Push (Ansible) vs pull (agent-based)
Ansible — push, agentless
control node
holds playbooks + SSH keys
SSH to hosts
no agent to install
run + disconnect
uses target Python
Chef/Puppet — pull, agent
central server
stores desired state
agent on each node
polls for its config
converge locally
on a schedule
Agentless = nothing to install on nodes, but the control node becomes a high-value, privileged asset.

What you write

Two artifacts define an Ansible setup: an inventory (which hosts exist, grouped by role) and playbooks (what to do to them). Everything is YAML and declarative — you describe the state you want (“nginx installed and running,” “this config file present”) rather than the shell commands to get there, and Ansible’s modules make it so, reporting whether anything actually changed.

The control node is a privileged asset
Because Ansible pushes over SSH with the keys and sudo rights to reconfigure every host, whoever controls the control node effectively controls the fleet. Treat it like a jump box: restrict who can log in, protect the SSH keys and any Vault password, and keep playbooks in reviewed version control — the agentless model trades node-side agents for a very sensitive control node.