Feature #28288

closed

Feature #32080: Support running ansible with --tags and --skip-tags

Support option to "skip-tags" on Ansible runs

Added by Ondřej Pražák over 5 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1761421

We would like to have support for the option to "skip-tags" on Ansible runs.

If you run OpenSCAP and create an Ansible role from the results to fix the issues, then you get tags for each task. If you want to rewrite everything to "when" statements, it will be a lot of work and quite impossible to handle.

The reason to get that skip-task stuff is easy to describe. When you have a compliance role and there is a server where you need an "exec" mount option on /tmp, you have to skip the tag instead of rewriting the task to use when statements for each single CVE.

For example, take the following. You need a lot of when statements if you would like to set "low" or "CCE-80150-6" or "mount_option_tmp_noexec".
The other point is that you configure variables which are global in Ansible, which means you must ensure not to reuse them in any way.

Tags are helpful. (The following is part of the OpenSCAP output which has been added to the Ansible role.)

- name: "Ensure permission noexecS are set on /tmp"
  mount:
    path: "/tmp"
    src: "{{device_name.stdout}}"
    opts: "{{device_cur_mountoption.stdout}},noexec"
    state: "mounted"
    fstype: "{{device_fstype.stdout}}"
  when: device_cur_mountoption.stdout is not search("nodev")
  tags:
    - mount_option_tmp_noexec
    - low
    - CCE-80150-6


Related issues: 1 (0 open, 1 closed)

Related to Ansible - Feature #25459: Support running playbooks with tags (Closed)