raw— sends a low-level command directly via sshcommand— sends a command to the operating systemshell— sends a command to the operating system shell
raw should be used on a remote host to install python, or to control active network hardware without the ability to install python
shell should be used if shell capabilities are needed (environment variables, anonymous pipes, redirecting output streams, etc.)
command should be used in all other cases, since using shell is slower than command, and raw makes no sense if python is already installed.
Each of these modules is not idempotent and their use is only permissible if there is no alternative in the form of another module
But if you still decide to use these modules, then you should follow ansible best-practice:
- For the
shellandcommandmodules, it is necessary to definechanged_when: <statement>a condition that will determine when the module changed the state of the infrastructure (CHANGED), and when the change has already been made (OK) - For the
shellmodule, when using anonymous pipes (pipe,|), useset -o pipefailbeforehand to handle errors correctly
Example:
- name: Get Kerberos ticket
ansible.builtin.shell:
cmd: |
set -o pipefail
echo {{ password }} | kinit admin
changed_when: false