Using Ansible-Lint in Air-Gapped Environments: Best Practices and Troubleshooting

When managing infrastructure in air-gapped environments—where systems are isolated from the internet for security purposes—teams often encounter challenges related to software dependencies that require online access. One common tool that may pose issues in such setups is ansible-lint, which is used to enforce coding standards for Ansible playbooks.

In this article, we’ll explore how ansible-lint operates in air-gapped environments, the errors you might encounter, and solutions to help it work smoothly offline.

Understanding Ansible-Lint and Galaxy Dependencies

ansible-lint is a powerful tool for validating and enforcing standards across Ansible playbooks, roles, and collections. However, ansible-lint often requires access to collections or roles hosted on Ansible Galaxy (galaxy.ansible.com), the public repository for sharing Ansible content. In an air-gapped environment, calls to Galaxy will fail, resulting in errors and incomplete checks.

When trying to use ansible-lint in such an environment, you may encounter errors like:

Unknown error when attempting to call galaxy galaxy.ansible.com/api

This error indicates that ansible-lint is attempting to reach Galaxy to verify or download a collection, which is inaccessible in your air-gapped setup.

Steps to Use Ansible-Lint Offline

To configure ansible-lint to work effectively in an air-gapped environment, follow these best practices.

1. Use the Offline Mode

Recent versions of ansible-lint include an --offline option that disables all attempts to download collections or roles, ideal for air-gapped setups.

Run the following command to lint your playbooks offline:

ansible-lint --offline

The --offline flag will ensure that ansible-lint doesn’t try to access Galaxy and instead only works with content available locally.

2. Pre-Download Required Collections and Roles

If your playbooks rely on specific collections or roles from Galaxy, the best approach is to download them in an environment with internet access and then transfer them to the air-gapped environment. Here’s a step-by-step guide on how to do this:

  1. Download required collections in an internet-enabled environment:

    ansible-galaxy collection download <namespace.collection> -p /path/to/collections

    This command will save the collection as a compressed file (e.g., .tar.gz) in the specified path.

  2. Transfer the downloaded files to your air-gapped environment using secure media (USB, secure transfer protocols, etc.).

  3. Install the collections in the air-gapped environment:

    In your air-gapped environment, use the following command to install collections from the downloaded files:

    ansible-galaxy collection install /path/to/collections/namespace-collection-version.tar.gz -p /path/to/collections

  4. Add the Collections Path to Your Ansible Configuration:

    Update your ansible.cfg file to include the new path to the collections. This configuration helps ansible-lint locate collections without needing access to Galaxy.

    [defaults]
collections_paths = /path/to/collections

    With this setting, ansible-lint will look for the necessary collections in the specified path, bypassing the need for Galaxy access.

3. Double-Check Ansible-Lint Configuration

ansible-lint uses configuration files such as .ansible-lint or ansible-lint.yml. Certain rules or configurations may inadvertently prompt Galaxy calls, especially if they reference specific roles or collections by URL or path. Examine these files to ensure no external URLs or online dependencies are specified. Comment out or remove any configuration items that are unnecessary for your offline setup.

4. Testing and Running Ansible-Lint

With everything set up, it’s time to test ansible-lint in offline mode. Run the following command to check for any errors:

ansible-lint --offline

If you’ve correctly configured your environment, ansible-lint should complete without attempting any external calls, and any errors should now relate to the content or structure of the playbooks themselves rather than connectivity issues.

Troubleshooting Common Issues

Here are some additional troubleshooting tips if ansible-lint continues to raise errors in your air-gapped environment:

  • Missing dependencies: If ansible-lint reports missing roles or collections, confirm that all required dependencies are pre-downloaded and installed correctly.

  • Configuration issues: Ensure the paths in your ansible.cfg and any .ansible-lint files are correct and point to the local collections directory.

  • Older versions: If ansible-lint doesn’t recognize the --offline flag, you may be using an outdated version. Updating ansible-lint in an internet-enabled environment and transferring it to your air-gapped environment can resolve this issue.

Final Thoughts

Air-gapped environments add complexity to managing tools that rely on internet resources, but with proper setup, ansible-lint can function effectively offline. By following these steps—leveraging the --offline flag, pre-downloading dependencies, configuring local paths, and ensuring compatible configurations—you can ensure that ansible-lint will run smoothly in even the most restricted environments.

Subscribe to the YouTube channel, Medium, and Website, X (formerly Twitter) to not miss the next episode of the Ansible Pilot.

Academy

Learn the Ansible automation technology with some real-life examples in my Udemy 300+ Lessons Video Course.

BUY the Complete Udemy 300+ Lessons Video Course

My book Ansible By Examples: 200+ Automation Examples For Linux and AWX System Administrator and DevOps

BUY the Complete PDF BOOK to easily Copy and Paste the 250+ Ansible code

Want to keep this project going? Please donate

Patreon Buy me a Pizza