Ansible skips my tags

Question

When I label any specific tags inside of my playbooks, Ansible ignores it and executes every task in my role. The same effect I observed, when I marked tags in ansible-playbook command. Clearly, here is a simple instance. I'm trying to change LAMP stack configuration. Here is the role:

 - name: install packages [Debian]
   apt: name={{ item }} state=present
   with_items:
     - php5-fpm
     - php5-mysql
     - php5-gd
     - php5-imagick
     - php5-pgsql
   when: ansible_distribution == "Debian"
   tags: 
     - debian_install

 - name: change php configuration
   lineinfile: dest={{ item.dest }} regexp={{ item.regexp }} line={{ item.line }}
   with_items:
    - { dest: '/etc/php5/fpm/php.ini', regexp: '^cgi.fix_pathinfo=', line: 'cgi.fix_pathinfo=0' }
   tags: 
     - configure

 - name: make site directory
   file: path={{ site_directory }} owner={{ remote_user }} group={{ remote_group }} mode=0755 state=directory
   tags: 
     - configure

Here is the playbook:

---
 - hosts: webservers
   remote_user: "{{ remote_user }}"
   become: sudo
   gather_facts: yes
   vars_files:
     - host_vars/all.yml

   roles:
     - { role: iptables, tags: 'configure' }
     - { role: apache, tags: 'configure' }
     - { role: mysql, tags: 'configure' }
     - { role: php, tags: 'configure' }

   post_tasks:
     - reboot.yml

I'm running it by this command:

ansible-playbook lamp.yml -i hosts

But it still does every role in the task. Second way. Role configuration is the same. Playbook example:

---
 - hosts: webservers
   remote_user: "{{ remote_user }}"
   become: sudo
   gather_facts: yes
   vars_files:
     - host_vars/all.yml

   roles:
     - iptables
     - apache
     - mysql
     - php

   post_tasks:
     - reboot.yml

Command example:

ansible-playbook lamp.yml -i hosts --tags "configure"

The same result. Ansible skips task if it's favorable for when condition. I hope it's not a bug, cause I didn't meet any similar issue in net. Think it's my bad, but still can't recognize where is it. Probably someone of Ansible users faced with similar issue. Prompt me, please.

Answer 1

I believe you misunderstood how tags work. If you do not provide any tags when invoking ansible-playbook, everything is executed.

To make ansible (>= 2.1) ignore tasks by default, you can add the never tag. So for your use case you could define these tags:

tags:
  - never
  - configure

Now it will only be executed when you explicitly call ansible with --tagd configure.

---

Old answer, pre Ansible 2.1:

There is absolutely no way to define tasks which will get only executed if the assigned tag is passed. You explicitly have to specify --skip-tags "debian_install" if you do not want those tasks to be executed OR call Ansible with a different tag. As @ydaetskcoR already commended above, by calling --tags "configure" your tasks which are not tagged as configure should actually be skipped.

If that's really not the case you might have found a bug. But I'm not aware there has been any issue like that in any version since I use Ansible (about 1 year, version 1.6 I believe)

This problem, where you can not force Ansible to only execute a task when the assigned tag is provided, in my opinion is one of the biggest issues with Ansible. This is not only a lacking feature but can get really dangerous. Imagine you have a task to wipe the database, restart service, delete users, etc. Which you might have created to only be called when the corresponding tag is applied to the call. And then you accidentally run the playbook without any tags. Boom!

Many people therefore do not call Ansible directly. Instead they use a simple bash wrapper script, which makes sure all --tags and --skip-tags are set correctly. By default skipping the dangerous tags and only allowing them if the script was explicitly called to run the dangerous tasks.