Using collections

Collections are a distribution format for Ansible content that can include playbooks, roles, modules, and plugins. As modules move from the core Ansible repository into collections, the module documentation will move to the collections pages.

You can install and use collections through Ansible Galaxy.

Installing collections

Note

If you install a collection manually as described in this paragraph, the collection will not be upgraded automatically when you upgrade the ansible package or ansible-core.

Installing collections with ansible-galaxy

By default, ansible-galaxy collection install uses https://galaxy.ansible.com as the Galaxy server (as listed in the ansible.cfg file under GALAXY_SERVER). You do not need any further configuration.

See Configuring the ansible-galaxy client if you are using any other Galaxy server, such as Red Hat Automation Hub.

To install a collection hosted in Galaxy:

ansible-galaxy collection install my_namespace.my_collection

To upgrade a collection to the latest available version from the Galaxy server you can use the --upgrade option:

ansible-galaxy collection install my_namespace.my_collection --upgrade

You can also directly use the tarball from your build:

ansible-galaxy collection install my_namespace-my_collection-1.0.0.tar.gz -p ./collections

You can build and install a collection from a local source directory. The ansible-galaxy utility builds the collection using the MANIFEST.json or galaxy.yml metadata in the directory.

ansible-galaxy collection install /path/to/collection -p ./collections

You can also install multiple collections in a namespace directory.

ns/
├── collection1/
│   ├── MANIFEST.json
│   └── plugins/
└── collection2/
    ├── galaxy.yml
    └── plugins/
ansible-galaxy collection install /path/to/ns -p ./collections

Note

The install command automatically appends the path ansible_collections to the one specified with the -p option unless the parent directory is already in a folder called ansible_collections.

When using the -p option to specify the install path, use one of the values configured in COLLECTIONS_PATHS, as this is where Ansible itself will expect to find collections. If you don’t specify a path, ansible-galaxy collection install installs the collection to the first path defined in COLLECTIONS_PATHS, which by default is ~/.ansible/collections

You can also keep a collection adjacent to the current playbook, under a collections/ansible_collections/ directory structure.

./
├── play.yml
├── collections/
│   └── ansible_collections/
│               └── my_namespace/
│                   └── my_collection/<collection structure lives here>

See Collection structure for details on the collection directory structure.

Installing an older version of a collection

You can only have one version of a collection installed at a time. By default ansible-galaxy installs the latest available version. If you want to install a specific version, you can add a version range identifier. For example, to install the 1.0.0-beta.1 version of the collection:

ansible-galaxy collection install my_namespace.my_collection:==1.0.0-beta.1

You can specify multiple range identifiers separated by ,. Use single quotes so the shell passes the entire command, including >, !, and other operators, along. For example, to install the most recent version that is greater than or equal to 1.0.0 and less than 2.0.0:

ansible-galaxy collection install 'my_namespace.my_collection:>=1.0.0,<2.0.0'

Ansible will always install the most recent version that meets the range identifiers you specify. You can use the following range identifiers:

  • *: The most recent version. This is the default.

  • !=: Not equal to the version specified.

  • ==: Exactly the version specified.

  • >=: Greater than or equal to the version specified.

  • >: Greater than the version specified.

  • <=: Less than or equal to the version specified.

  • <: Less than the version specified.

Note

By default ansible-galaxy ignores pre-release versions. To install a pre-release version, you must use the == range identifier to require it explicitly.

Installing a collection from a git repository

You can install a collection from a git repository instead of from Galaxy or Automation Hub. As a developer, installing from a git repository lets you review your collection before you create the tarball and publish the collection. As a user, installing from a git repository lets you use collections or versions that are not in Galaxy or Automation Hub yet.

The repository must contain a galaxy.yml or MANIFEST.json file. This file provides metadata such as the version number and namespace of the collection.

Installing a collection from a git repository at the command line

To install a collection from a git repository at the command line, use the URI of the repository instead of a collection name or path to a tar.gz file. Prefix the URI with git+ (or with git@ to use a private repository with ssh authentication). You can specify a branch, commit, or tag using the comma-separated git commit-ish syntax.

For example:

# Install a collection in a repository using the latest commit on the branch 'devel'
ansible-galaxy collection install git+https://github.com/organization/repo_name.git,devel

# Install a collection from a private github repository
ansible-galaxy collection install [email protected]:organization/repo_name.git

# Install a collection from a local git repository
ansible-galaxy collection install git+file:///home/user/path/to/repo_name.git

Warning

Embedding credentials into a git URI is not secure. Use safe authentication options to prevent your credentials from being exposed in logs or elsewhere.

Specifying the collection location within the git repository

When you install a collection from a git repository, Ansible uses the collection galaxy.yml or MANIFEST.json metadata file to build the collection. By default, Ansible searches two paths for collection galaxy.yml or MANIFEST.json metadata files:

  • The top level of the repository.

  • Each directory in the repository path (one level deep).

If a galaxy.yml or MANIFEST.json file exists in the top level of the repository, Ansible uses the collection metadata in that file to install an individual collection.

├── galaxy.yml
├── plugins/
│   ├── lookup/
│   ├── modules/
│   └── module_utils/
└─── README.md

If a galaxy.yml or MANIFEST.json file exists in one or more directories in the repository path (one level deep), Ansible installs each directory with a metadata file as a collection. For example, Ansible installs both collection1 and collection2 from this repository structure by default:

├── collection1
│   ├── docs/
│   ├── galaxy.yml
│   └── plugins/
│       ├── inventory/
│       └── modules/
└── collection2
    ├── docs/
    ├── galaxy.yml
    ├── plugins/
    |   ├── filter/
    |   └── modules/
    └── roles/

If you have a different repository structure or only want to install a subset of collections, you can add a fragment to the end of your URI (before the optional comma-separated version) to indicate the location of the metadata file or files. The path should be a directory, not the metadata file itself. For example, to install only collection2 from the example repository with two collections:

ansible-galaxy collection install git+https://github.com/organization/repo_name.git#/collection2/

In some repositories, the main directory corresponds to the namespace:

namespace/
├── collectionA/
|   ├── docs/
|   ├── galaxy.yml
|   ├── plugins/
|   │   ├── README.md
|   │   └── modules/
|   ├── README.md
|   └── roles/
└── collectionB/
    ├── docs/
    ├── galaxy.yml
    ├── plugins/
    │   ├── connection/
    │   └── modules/
    ├── README.md
    └── roles/

You can install all collections in this repository, or install one collection from a specific commit:

# Install all collections in the namespace
ansible-galaxy collection install git+https://github.com/organization/repo_name.git#/namespace/

# Install an individual collection using a specific commit
ansible-galaxy collection install git+https://github.com/organization/repo_name.git#/namespace/collectionA/,7b60ddc245bc416b72d8ea6ed7b799885110f5e5

Install multiple collections with a requirements file

You can set up a requirements.yml file to install multiple collections in one command. This file is a YAML file in the format:

---
collections:
# With just the collection name
- my_namespace.my_collection

# With the collection name, version, and source options
- name: my_namespace.my_other_collection
  version: 'version range identifiers (default: ``*``)'
  source: 'The Galaxy URL to pull the collection from (default: ``--api-server`` from cmdline)'

You can specify four keys for each collection entry:

  • name

  • version

  • source

  • type

The version key uses the same range identifier format documented in Installing an older version of a collection.

The type key can be set to galaxy, url, file, and git. If type is omitted, the name key is used to implicitly determine the source of the collection.

When you install a collection with type: git, the version key can refer to a branch or to a git commit-ish object (commit or tag). For example:

collections:
  - name: https://github.com/organization/repo_name.git
    type: git
    version: devel

You can also add roles to a requirements.yml file, under the roles key. The values follow the same format as a requirements file used in older Ansible releases.

---
roles:
  # Install a role from Ansible Galaxy.
  - name: geerlingguy.java
    version: 1.9.6

collections:
  # Install a collection from Ansible Galaxy.
  - name: geerlingguy.php_roles
    version: 0.9.3
    source: https://galaxy.ansible.com

To install both roles and collections at the same time with one command, run the following:

$ ansible-galaxy install -r requirements.yml

Running ansible-galaxy collection install -r or ansible-galaxy role install -r will only install collections, or roles respectively.

Note

Installing both roles and collections from the same requirements file will not work when specifying a custom collection or role install path. In this scenario the collections will be skipped and the command will process each like ansible-galaxy role install would.

Downloading a collection for offline use

To download the collection tarball from Galaxy for offline use:

  1. Navigate to the collection page.

  2. Click on Download tarball.

You may also need to manually download any dependent collections.

Configuring the ansible-galaxy client

By default, ansible-galaxy uses https://galaxy.ansible.com as the Galaxy server (as listed in the ansible.cfg file under GALAXY_SERVER).

You can use either option below to configure ansible-galaxy collection to use other servers (such as Red Hat Automation Hub or a custom Galaxy server):

To configure a Galaxy server list in ansible.cfg:

  1. Add the server_list option under the [galaxy] section to one or more server names.

  2. Create a new section for each server name.

  3. Set the url option for each server name.

  4. Optionally, set the API token for each server name. Go to https://galaxy.ansible.com/me/preferences and click Show API key.

Note

The url option for each server name must end with a forward slash /. If you do not set the API token in your Galaxy server list, use the --api-key argument to pass in the token to the ansible-galaxy collection publish command.

For Automation Hub, you additionally need to:

  1. Set the auth_url option for each server name.

  2. Set the API token for each server name. Go to https://cloud.redhat.com/ansible/automation-hub/token/ and click :Get API token from the version dropdown to copy your API token.

The following example shows how to configure multiple servers:

[galaxy]
server_list = automation_hub, my_org_hub, release_galaxy, test_galaxy, my_galaxy_ng

[galaxy_server.automation_hub]
url=https://cloud.redhat.com/api/automation-hub/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
token=my_ah_token

[galaxy_server.my_org_hub]
url=https://automation.my_org/
username=my_user
password=my_pass

[galaxy_server.release_galaxy]
url=https://galaxy.ansible.com/
token=my_token

[galaxy_server.test_galaxy]
url=https://galaxy-dev.ansible.com/
token=my_test_token

[galaxy_server.my_galaxy_ng]
url=http://my_galaxy_ng:8000/api/automation-hub/
auth_url=http://my_keycloak:8080/auth/realms/myco/protocol/openid-connect/token
client_id=galaxy-ng
token=my_keycloak_access_token

Note

You can use the --server command line argument to select an explicit Galaxy server in the server_list and the value of this argument should match the name of the server. To use a server not in the server list, set the value to the URL to access that server (all servers in the server list will be ignored). Also you cannot use the --api-key argument for any of the predefined servers. You can only use the api_key argument if you did not define a server list or if you specify a URL in the --server argument.

Galaxy server list configuration options

The GALAXY_SERVER_LIST option is a list of server identifiers in a prioritized order. When searching for a collection, the install process will search in that order, for example, automation_hub first, then my_org_hub, release_galaxy, and finally test_galaxy until the collection is found. The actual Galaxy instance is then defined under the section [galaxy_server.{{ id }}] where {{ id }} is the server identifier defined in the list. This section can then define the following keys:

  • url: The URL of the Galaxy instance to connect to. Required.

  • token: An API token key to use for authentication against the Galaxy instance. Mutually exclusive with username.

  • username: The username to use for basic authentication against the Galaxy instance. Mutually exclusive with token.

  • password: The password to use, in conjunction with username, for basic authentication.

  • auth_url: The URL of a Keycloak server ‘token_endpoint’ if using SSO authentication (for example, Automation Hub). Mutually exclusive with username. Requires token.

  • validate_certs: Whether or not to verify TLS certificates for the Galaxy server. This defaults to True unless the --ignore-certs option is provided or GALAXY_IGNORE_CERTS is configured to True.

  • client_id: The Keycloak token’s client_id to use for authentication. Requires auth_url and token. The default client_id is cloud-services to work with Red Hat SSO.

As well as defining these server options in the ansible.cfg file, you can also define them as environment variables. The environment variable is in the form ANSIBLE_GALAXY_SERVER_{{ id }}_{{ key }} where {{ id }} is the upper case form of the server identifier and {{ key }} is the key to define. For example I can define token for release_galaxy by setting ANSIBLE_GALAXY_SERVER_RELEASE_GALAXY_TOKEN=secret_token.

For operations that use only one Galaxy server (for example, the publish, info, or install commands). the ansible-galaxy collection command uses the first entry in the server_list, unless you pass in an explicit server with the --server argument.

Note

Once a collection is found, any of its requirements are only searched within the same Galaxy instance as the parent collection. The install process will not search for a collection requirement in a different Galaxy instance.

Downloading collections

To download a collection and its dependencies for an offline install, run ansible-galaxy collection download. This downloads the collections specified and their dependencies to the specified folder and creates a requirements.yml file which can be used to install those collections on a host without access to a Galaxy server. All the collections are downloaded by default to the ./collections folder.

Just like the install command, the collections are sourced based on the configured galaxy server config. Even if a collection to download was specified by a URL or path to a tarball, the collection will be redownloaded from the configured Galaxy server.

Collections can be specified as one or multiple collections or with a requirements.yml file just like ansible-galaxy collection install.

To download a single collection and its dependencies:

ansible-galaxy collection download my_namespace.my_collection

To download a single collection at a specific version:

ansible-galaxy collection download my_namespace.my_collection:1.0.0

To download multiple collections either specify multiple collections as command line arguments as shown above or use a requirements file in the format documented with Install multiple collections with a requirements file.

ansible-galaxy collection download -r requirements.yml

You can also download a source collection directory. The collection is built with the mandatory galaxy.yml file.

ansible-galaxy collection download /path/to/collection

ansible-galaxy collection download git+file:///path/to/collection/.git

You can download multiple source collections from a single namespace by providing the path to the namespace.

ns/
├── collection1/
│   ├── galaxy.yml
│   └── plugins/
└── collection2/
    ├── galaxy.yml
    └── plugins/
ansible-galaxy collection install /path/to/ns

All the collections are downloaded by default to the ./collections folder but you can use -p or --download-path to specify another path:

ansible-galaxy collection download my_namespace.my_collection -p ~/offline-collections

Once you have downloaded the collections, the folder contains the collections specified, their dependencies, and a requirements.yml file. You can use this folder as is with ansible-galaxy collection install to install the collections on a host without access to a Galaxy or Automation Hub server.

# This must be run from the folder that contains the offline collections and requirements.yml file downloaded
# by the internet-connected host
cd ~/offline-collections
ansible-galaxy collection install -r requirements.yml

Listing collections

To list installed collections, run ansible-galaxy collection list. This shows all of the installed collections found in the configured collections search paths. It will also show collections under development which contain a galaxy.yml file instead of a MANIFEST.json. The path where the collections are located are displayed as well as version information. If no version information is available, a * is displayed for the version number.

# /home/astark/.ansible/collections/ansible_collections
Collection                 Version
-------------------------- -------
cisco.aci                  0.0.5
cisco.mso                  0.0.4
sandwiches.ham             *
splunk.es                  0.0.5

# /usr/share/ansible/collections/ansible_collections
Collection        Version
----------------- -------
fortinet.fortios  1.0.6
pureport.pureport 0.0.8
sensu.sensu_go    1.3.0

Run with -vvv to display more detailed information.

To list a specific collection, pass a valid fully qualified collection name (FQCN) to the command ansible-galaxy collection list. All instances of the collection will be listed.

> ansible-galaxy collection list fortinet.fortios

# /home/astark/.ansible/collections/ansible_collections
Collection       Version
---------------- -------
fortinet.fortios 1.0.1

# /usr/share/ansible/collections/ansible_collections
Collection       Version
---------------- -------
fortinet.fortios 1.0.6

To search other paths for collections, use the -p option. Specify multiple search paths by separating them with a :. The list of paths specified on the command line will be added to the beginning of the configured collections search paths.

> ansible-galaxy collection list -p '/opt/ansible/collections:/etc/ansible/collections'

# /opt/ansible/collections/ansible_collections
Collection      Version
--------------- -------
sandwiches.club 1.7.2

# /etc/ansible/collections/ansible_collections
Collection     Version
-------------- -------
sandwiches.pbj 1.2.0

# /home/astark/.ansible/collections/ansible_collections
Collection                 Version
-------------------------- -------
cisco.aci                  0.0.5
cisco.mso                  0.0.4
fortinet.fortios           1.0.1
sandwiches.ham             *
splunk.es                  0.0.5

# /usr/share/ansible/collections/ansible_collections
Collection        Version
----------------- -------
fortinet.fortios  1.0.6
pureport.pureport 0.0.8
sensu.sensu_go    1.3.0

Verifying collections

Verifying collections with ansible-galaxy

Once installed, you can verify that the content of the installed collection matches the content of the collection on the server. This feature expects that the collection is installed in one of the configured collection paths and that the collection exists on one of the configured galaxy servers.

ansible-galaxy collection verify my_namespace.my_collection

The output of the ansible-galaxy collection verify command is quiet if it is successful. If a collection has been modified, the altered files are listed under the collection name.

ansible-galaxy collection verify my_namespace.my_collection
Collection my_namespace.my_collection contains modified content in the following files:
my_namespace.my_collection
    plugins/inventory/my_inventory.py
    plugins/modules/my_module.py

You can use the -vvv flag to display additional information, such as the version and path of the installed collection, the URL of the remote collection used for validation, and successful verification output.

ansible-galaxy collection verify my_namespace.my_collection -vvv
...
Verifying 'my_namespace.my_collection:1.0.0'.
Installed collection found at '/path/to/ansible_collections/my_namespace/my_collection/'
Remote collection found at 'https://galaxy.ansible.com/download/my_namespace-my_collection-1.0.0.tar.gz'
Successfully verified that checksums for 'my_namespace.my_collection:1.0.0' match the remote collection

If you have a pre-release or non-latest version of a collection installed you should include the specific version to verify. If the version is omitted, the installed collection is verified against the latest version available on the server.

ansible-galaxy collection verify my_namespace.my_collection:1.0.0

In addition to the namespace.collection_name:version format, you can provide the collections to verify in a requirements.yml file. Dependencies listed in requirements.yml are not included in the verify process and should be verified separately.

ansible-galaxy collection verify -r requirements.yml

Verifying against tar.gz files is not supported. If your requirements.yml contains paths to tar files or URLs for installation, you can use the --ignore-errors flag to ensure that all collections using the namespace.name format in the file are processed.

Using collections in a Playbook

Once installed, you can reference a collection content by its fully qualified collection name (FQCN):

- hosts: all
  tasks:
    - my_namespace.my_collection.mymodule:
        option1: value

This works for roles or any type of plugin distributed within the collection:

- hosts: all
  tasks:
    - import_role:
        name: my_namespace.my_collection.role1

    - my_namespace.mycollection.mymodule:
        option1: value

    - debug:
        msg: '{{ lookup("my_namespace.my_collection.lookup1", 'param1')| my_namespace.my_collection.filter1 }}'

Simplifying module names with the collections keyword

The collections keyword lets you define a list of collections that your role or playbook should search for unqualified module and action names. So you can use the collections keyword, then simply refer to modules and action plugins by their short-form names throughout that role or playbook.

Warning

If your playbook uses both the collections keyword and one or more roles, the roles do not inherit the collections set by the playbook. This is one of the reasons we recommend you always use FQCN. See below for roles details.

Using collections in roles

Within a role, you can control which collections Ansible searches for the tasks inside the role using the collections keyword in the role’s meta/main.yml. Ansible will use the collections list defined inside the role even if the playbook that calls the role defines different collections in a separate collections keyword entry. Roles defined inside a collection always implicitly search their own collection first, so you don’t need to use the collections keyword to access modules, actions, or other roles contained in the same collection.

# myrole/meta/main.yml
collections:
  - my_namespace.first_collection
  - my_namespace.second_collection
  - other_namespace.other_collection

Using collections in playbooks

In a playbook, you can control the collections Ansible searches for modules and action plugins to execute. However, any roles you call in your playbook define their own collections search order; they do not inherit the calling playbook’s settings. This is true even if the role does not define its own collections keyword.

- hosts: all
  collections:
    - my_namespace.my_collection

  tasks:
    - import_role:
        name: role1

    - mymodule:
        option1: value

    - debug:
        msg: '{{ lookup("my_namespace.my_collection.lookup1", "param1")| my_namespace.my_collection.filter1 }}'

The collections keyword merely creates an ordered ‘search path’ for non-namespaced plugin and role references. It does not install content or otherwise change Ansible’s behavior around the loading of plugins or roles. Note that an FQCN is still required for non-action or module plugins (for example, lookups, filters, tests).

Using a playbook from a collection

New in version 2.11.

You can also distribute playbooks in your collection and invoke them using the same semantics you use for plugins:

ansible-playbook my_namespace.my_collection.playbook1 -i ./myinventory

From inside a playbook:

- import_playbook: my_namespace.my_collection.playbookX

A few recommendations when creating such playbooks, hosts: should be generic or at least have a variable input.

- hosts: all  # Use --limit or customized inventory to restrict hosts targeted

- hosts: localhost  # For things you want to restrict to the controller

- hosts: '{{target|default("webservers")}}'  # Assumes inventory provides a 'webservers' group, but can also use ``-e 'target=host1,host2'``

This will have an implied entry in the collections: keyword of my_namespace.my_collection just as with roles.

Note

Playbook names, like other collection resources, have a restricted set of valid characters. Names can contain only lowercase alphanumeric characters, plus _ and must start with an alpha character. The dash - character is not valid for playbook names in collections. Playbooks whose names contain invalid characters are not addressable: this is a limitation of the Python importer that is used to load collection resources.

See also

Developing collections

Develop or modify a collection.

Collection Galaxy metadata structure

Understand the collections metadata structure.

Mailing List

The development mailing list

Real-time chat

How to join Ansible chat channels