Ansible best practices are crucial for anyone who wants to automate infrastructure safely and efficiently. Ansible is a powerful tool, but it pays to know when it is the right tool and when it is not. In this post we look at those cases and examine a commonly demonstrated example: SSH-based monitoring via Ansible. Influencers often show it from their homelabs, but it has pitfalls you should avoid in production.
What is the idea behind SSH monitoring with Ansible?
You see it more and more: influencers on YouTube and other social media channels — often from their homelab — show how you can periodically log in to remote systems via SSH with Ansible, combined with cronjobs or schedulers. This approach is presented as easy and quick for basic metrics such as memory and disk usage.
It works like this:
- A cronjob on a central machine regularly starts an Ansible playbook.
- This playbook connects to various servers via SSH.
- Via simple shell commands (free -m, df -h, uptime) system statistics are collected.
- The results are logged or shared via email or chat tools.
Although this seems like an accessible method, it is mainly suitable for small homelabs and not for production environments. It does not meet Ansible best practices, especially in terms of security and scalability.
Why is this problematic?
1. Security risks
Because the cronjob runs unattended, this approach needs an SSH key the controller can use without anyone typing a passphrase, and the demos usually add a passwordless sudo rule for the monitoring user on every host as well, even though commands such as free, df and uptime need no root privileges at all. The result is that a single compromise of the Ansible controller, or of the cron user's home directory, hands an attacker root on your entire infrastructure. This goes against least privilege and secure automation, core points of Ansible best practices.
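What the pattern described above looks like in practice, and how far its blast radius can be reduced if you still run it somewhere, as an added example that is not part of the original post. Host groups, the user name metrics-ro, the controller address 192.0.2.10, the key file path and the cron line are assumptions for illustration; the third play uses the ansible.posix collection, which has to be installed on the controller.

```yaml
# Added example, not from the original post. Names, addresses and paths are assumptions.
# Typical cron entry on the controller (assumed path):
#   */5 * * * *  ansible-playbook /opt/monitoring/collect.yml >> /var/log/metrics.log 2>&1

# --- Variant A: the pattern as usually demonstrated (do not use in production) ---
# Runs as root on every host although none of these commands needs root, and relies
# on a passphrase-less key plus "NOPASSWD: ALL" in sudoers on every target.
- name: Collect basic metrics over SSH (homelab pattern)
  hosts: all
  become: true
  tasks:
    - name: Run metric commands through a shell
      ansible.builtin.shell: "free -m; df -h; uptime"
      register: stats
      changed_when: false
    - name: Show output
      ansible.builtin.debug:
        var: stats.stdout_lines

# --- Variant B: the same job with least privilege ---
# * connects as a dedicated unprivileged account: no become, no sudoers entry
# * ansible.builtin.command runs the binaries directly, without a shell
- name: Collect basic metrics over SSH (least privilege)
  hosts: all
  remote_user: metrics-ro        # assumed account: normal login shell, no sudo rights
  become: false
  gather_facts: false
  tasks:
    - name: Memory
      ansible.builtin.command: free -m
      register: mem
      changed_when: false
    - name: Disks
      ansible.builtin.command: df -h
      register: disk
      changed_when: false
    - name: Load
      ansible.builtin.command: uptime
      register: load
      changed_when: false
    - name: Show output
      ansible.builtin.debug:
        msg: "{{ mem.stdout_lines + disk.stdout_lines + load.stdout_lines }}"

# --- One-time configuration management: install the monitoring key restricted ---
# "from=" ties the key to the controller's address, so a copied key is useless
# elsewhere; the no-*-forwarding options stop the account being used as a pivot.
- name: Install restricted monitoring key for metrics-ro
  hosts: all
  become: true
  tasks:
    - name: Authorized key, only usable from the controller
      ansible.posix.authorized_key:
        user: metrics-ro
        key: "{{ lookup('file', 'files/metrics-ro.pub') }}"   # assumed path on the controller
        key_options: 'from="192.0.2.10",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
        state: present
```

Variant B removes the sudo exposure and limits where a stolen key can be used from, but it cannot remove the core problem: cron still needs an unattended credential on the controller, and every run still opens a full SSH session per host. That is why the rest of this post recommends an agent instead.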
2. Inefficiency and delay
SSH connections are relatively heavy because of the key exchange and authentication, and on top of that Ansible copies and executes a Python module on the target for every task. With dozens or hundreds of systems this adds up to high latencies and delays in data acquisition. The polling frequency is therefore limited to minutes rather than seconds, meaning you may miss critical peaks and troughs.
3. No real-time monitoring
Monitoring should be continuous, with metrics stored as time series so that trends and deviations are visible, and alerting should be driven by those series rather than by a scheduler. The SSH pull method only gives snapshots at cron granularity and no history unless you build storage and alerting yourself. This limits your ability to respond quickly to incidents.
4. Poor scalability
For a handful of servers this method still works, but when growing to dozens or hundreds of systems problems arise with SSH concurrency, cronjob overlap (a run that takes longer than the interval collides with the next one) and managing ever-growing log files.
Why do influencers promote this?
The popularity of this approach among influencers is mainly because it is easy to make and demonstrate. A short Ansible playbook and visible terminal output are attractive for tutorials and demos. However, they often do not indicate that this is primarily a homelab solution, where security and scalability are less critical. For production environments this is not a best practice.
When to use Ansible according to best practices
Ansible excels in:
- Configuration management (packages, services, configurations).
- Provisioning of infrastructure (cloud, containers).
- Orchestration of workflows and multi-step deploys.
- One-time or periodic tasks such as updates and patches.
Use Ansible mainly for declarative, repeatable processes and not for continuous monitoring or polling.
What should you use for monitoring instead?
1. Lightweight agents
Install agents such as Netdata, Node Exporter, Zabbix Agent or Telegraf on your servers. These run under a dedicated unprivileged account and either expose metrics to, or ship them to, a central server over an authenticated and encrypted channel, so no central system needs root on your hosts.
2. Monitoring stacks
Build a monitoring environment with tools such as Prometheus + Grafana, Zabbix, Elastic Stack or Netdata Cloud.
3. Push-based logging
Let systems actively send logs and metrics via tools such as Rsyslog, Filebeat or Vector.dev, instead of pulling via SSH.
4. Security
Ensure monitoring accounts have minimal rights (read-only wherever possible), secure data streams with TLS and verify the certificates on both ends, monitor your monitoring infrastructure itself, and restrict dashboard access.
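Where Ansible does belong in this picture is in rolling out the agent: a one-time, repeatable configuration-management job, after which the agent does the continuous work itself. The playbook below, an added example that is not part of the original post, deploys Node Exporter under a dedicated system account with a hardened systemd unit and a TLS-protected listener, then points Prometheus at it. Assumptions: inventory groups named nodes and prometheus, the node_exporter binary already present at /usr/local/bin/node_exporter (for example from your own package mirror), a certificate and key for each host at /etc/node_exporter/node.crt and node.key, the internal CA at /etc/prometheus/internal-ca.crt, and a Prometheus installation that reads /etc/prometheus/prometheus.yml.

```yaml
# Added example, not from the original post. Paths, group names and the presence of
# the binary and certificates are assumptions; adjust them to your environment.
- name: Deploy node_exporter with a dedicated user and TLS
  hosts: nodes
  become: true
  tasks:
    - name: Dedicated system account, no shell, no home directory
      ansible.builtin.user:
        name: node_exporter
        system: true
        shell: /usr/sbin/nologin
        create_home: false

    - name: Config directory readable only by root and the agent
      ansible.builtin.file:
        path: /etc/node_exporter
        state: directory
        owner: root
        group: node_exporter
        mode: "0750"

    - name: TLS settings for the listener (exporter-toolkit web config)
      ansible.builtin.copy:
        dest: /etc/node_exporter/web.yml
        owner: root
        group: node_exporter
        mode: "0640"
        content: |
          tls_server_config:
            cert_file: /etc/node_exporter/node.crt
            key_file: /etc/node_exporter/node.key
      notify: restart node_exporter

    - name: Hardened systemd unit (unprivileged user, read-only filesystem view)
      ansible.builtin.copy:
        dest: /etc/systemd/system/node_exporter.service
        mode: "0644"
        content: |
          [Unit]
          Description=Prometheus node exporter
          After=network-online.target

          [Service]
          User=node_exporter
          Group=node_exporter
          ExecStart=/usr/local/bin/node_exporter \
            --web.listen-address=:9100 \
            --web.config.file=/etc/node_exporter/web.yml
          NoNewPrivileges=true
          ProtectSystem=strict
          ProtectHome=true
          PrivateTmp=true
          Restart=on-failure

          [Install]
          WantedBy=multi-user.target
      notify: restart node_exporter

    - name: Enable and start the agent
      ansible.builtin.systemd:
        name: node_exporter
        enabled: true
        state: started
        daemon_reload: true

  handlers:
    - name: restart node_exporter
      ansible.builtin.systemd:
        name: node_exporter
        state: restarted
        daemon_reload: true

# Minimal Prometheus configuration that scrapes every host in "nodes" over HTTPS
# and verifies the exporter certificates against the internal CA.
- name: Point Prometheus at the exporters over TLS
  hosts: prometheus
  become: true
  tasks:
    - name: Write prometheus.yml (assumed: this file is the only scrape configuration)
      ansible.builtin.copy:
        dest: /etc/prometheus/prometheus.yml
        mode: "0644"
        content: |
          global:
            scrape_interval: 15s
          scrape_configs:
            - job_name: node
              scheme: https
              tls_config:
                ca_file: /etc/prometheus/internal-ca.crt
              static_configs:
                - targets: {{ groups['nodes'] | map('regex_replace', '$', ':9100') | list | to_json }}
```

Compared with the SSH-polling approach, nothing here runs as root after the rollout: the exporter reads /proc and /sys as an unprivileged user, Prometheus only needs network access to port 9100, and the 15-second interval costs a single HTTPS request per host rather than an SSH session and a Python module transfer per task.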
Conclusion
Ansible best practices help you keep automation safe, scalable and reliable. SSH-based monitoring via Ansible, as often shown in homelabs, is only suitable for demos and small-scale setups. For serious production environments, choose specialized monitoring tools and minimize risks by using secure, modern architectures.
