ansible task with tag 'never' inside role executed when the role is executed using another tag

Question

I have a playbook which has three roles netdata, netdata_master, netdata_slaves:

---
- hosts: netdata_master
  become: yes
  roles: 
    - role: netdata
    - role: netdata_master
  tags: ['netdata_master']

- hosts: netdata_slaves
  become: yes
  roles:
    - role: netdata
    - role: netdata_slave
  tags: ['netdata_slave']

Inside the netdata role I have a task which has tag never and update_netdata in order to be executed only when I pass the tag update_netdata:

- name: Generating Netdata prebuilt script
  template:
    src: kickstart-static64.sh.j2
    dest: /tmp/kickstart-static64.sh
    mode: 0744
- name: update netdata
  shell: /opt/netdata/usr/libexec/netdata/netdata-updater.sh
  tags: ['never', 'update_netdata']

The problem is when I execute the ansible playbook with no tags, everything works fine and update netdata is not executed but when I run the ansible playbook with netdata_slave tag, the update netdata task also gets executed.

I'm using ansible 2.9.2

How can I fix this?

Vladimir Botka · Answer 1 · 2020-01-07T01:00:14.140

Q: "When I run the ansible playbook with netdata_slave tag, the update netdata task also gets executed."

A: This works as expected. Quoting from Tag Inheritance:

Adding tags: to a play, or to statically imported tasks and roles, adds those tags to all of the contained tasks.

The directive tags: ['netdata_slave'] adds this tag to all of the contained tasks of the role: netdata

  roles:
    - role: netdata
  tags: ['netdata_slave']

This makes the task to look effectively

- name: update netdata
  shell: /opt/netdata/usr/libexec/netdata/netdata-updater.sh
  tags: ['never', 'update_netdata', 'netdata_slave']

score 1 · Answer 2 · answered Jul 08 '22 at 02:03

Unfortunately, you can't do it with tags:, because the tag inheritance will override never.

However, you could do it in a sneaky way, by checking if the desired tag is in ansible_run_tags:

- name: Generating Netdata prebuilt script
  template:
    src: kickstart-static64.sh.j2
    dest: /tmp/kickstart-static64.sh
    mode: 0744
- name: update netdata
  shell: /opt/netdata/usr/libexec/netdata/netdata-updater.sh
  when: "'update_netdata' in ansible_run_tags"

Alternatively you could test a boolean variable (not tag) like

- name: update netdata
  shell: /opt/netdata/usr/libexec/netdata/netdata-updater.sh
  when: update_netdata | d() | bool

where the d() filter ensures this returns false if update_netdata is undefined.

The downside of this technique is that unlike a missing tag, a false conditional will still show up as 'skipped'. That isn't too bad in your case, but it works poorly for a common use case: hiding debug statements.

ansible task with tag 'never' inside role executed when the role is executed using another tag

2 Answers2