Issues with debops --skip-tags

[evilham]

Hello there,

I've noticed today that if I run debops --limit host, everything runs fine.

However, if I run debops --limit host --skip-tags role::ferm, it fails in role::kmod (output below).

Furthermore, if I run debops --limit host --skip-tags role::ferm,role::kmod, it fails in role::tinc (output below)

It happens to me with ansible version: 2.6.3 under python 2.7.13.

Can anyone reproduce this?

This worked before and I don't see any recent changes that would have changed that.

--skip-tags role::ferm output

TASK [debops.kmod : Check if modprobe is available] ***********************************************
ok: [host]

TASK [debops.kmod : Install required packages] ****************************************************
ok: [host] => (item=python-kmodpy)

TASK [debops.kmod : Make sure that Ansible local facts directory exists] **************************
ok: [host]

TASK [debops.kmod : Save kmod local facts] ********************************************************
ok: [host]

TASK [debops.kmod : Update Ansible facts if they were modified] ***********************************

TASK [debops.kmod : Configure kernel modules] *****************************************************
included: /path_to_debops/debops/ansible/roles/debops.kmod/tasks/modprobe.yml for host

TASK [debops.kmod : Remove module configuration] **************************************************

TASK [debops.kmod : Generate module configuration] ************************************************
ok: [host]

TASK [debops.kmod : Unload kernel module if configuration changed] ********************************

TASK [debops.kmod : Load kernel module if configuration changed] **********************************

TASK [debops.kmod : Update Ansible facts if the list of loaded kernel modules might have changed] *

TASK [debops.kmod : Remove module load configuration] *********************************************
fatal: [host]: FAILED! => {"msg": "'ifupdown__env_kmod__dependent_load' is undefined"}

--skip-tags role::ferm,role::kmod output

PLAY [Configure Tinc VPN] *************************************************************************

TASK [Gathering Facts] ****************************************************************************
ok: [host]

TASK [debops.secret : Create secret directories on Ansible Controller] ****************************
fatal: [host]: FAILED! => {"msg": "'tinc__env_secret__directories' is undefined"}

[drybjed]

The debops.kmod role is used in the debops.ifupdown playbook. The ifupdown role has a debops.ifupdown/env "sub-role" that prepares the environment for both debops.kmod and debops.ferm roles. When you skip the role::ferm tag, it also skips the invocation of debops.ifupdown/env "sub-role", the environment is not prepared for debops.kmod and it fails.

Solution, solution... I guess the current naming scheme for tags is not conductive for Ansible --skip-tags parameter, works fine with --tags. Fixing the roles that depend on the environment defined by other roles might break idempotency, so I would avoid doing that for now. Perhaps adding a new tag, say skip::<role_name> just with the main roles could be a solution. Then you could use this tag to skip debops.ferm execution with debops.ifupdown/env role working as expected. Want to test it out?

[evilham]

Wow :-D. That's sneaky, thank you!

I agree, having skip::<role_name> sounds like a decent compromise and also sounds like it should work. Will give it a go and if it works add a patch for the ones I skip the most often :-).

[evilham]

@drybjed question: the nfs_server playbook tags debops.etc_services as role::etc_services,role::ferm, is that correct?

[drybjed]

@evilham Yes. It's not obvious, but debops.nfs_server configures various TCP/UDP ports for NFS access in the firewall using names instead of the port numbers. The ports are registered in /etc/services by debops.etc_services, and are then used in the firewall configuration defined by debops.ferm. Without debops.etc_services running at least once, these port names would be non-existent and thus invalid.

So, it's not really needed every time, but it's tagged just in case.

[evilham]

Since this issue is linked from the documentation, I write this here for future reference and for anyone who lands here:

Adding a skip::<role_name> tag is not as simple as search and replace in the repository. It does require manual checking, because otherwise the tags would be equivalent and adding a new one would not solve anything.
Rule of thumb: anything under <role>/env should not have skip::<role_name> tags.

Also: skipping debops.ferm does save quite a bit of time when running everything, but it shouldn't be used too often :-) only if it's really clear that it's not needed, up to you!