AGAIN: Aborting, target uses selinux but python bindings (libselinux-python) aren't installed #34340

Closed
Rocking80 opened this issue Jan 2, 2018 · 20 comments

@Rocking80 Rocking80 commented Jan 2, 2018

ISSUE TYPE

  • Bug Report

COMPONENT NAME

copy module

ANSIBLE VERSION

I installed ansible via pip.

# ansible --version
ansible 2.4.2.0
  config file = /home/peng/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Nov 20 2015, 02:00:19) [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)]

CONFIGURATION

[root@test01 ansible]# ansible-config dump --only-changed
HOST_KEY_CHECKING(/home/peng/ansible/ansible.cfg) = False

OS / ENVIRONMENT

All CentOS 6.5 (64-bit)

SUMMARY

In my role there is a step using the copy module, but it reports the SELinux error below.

fatal: [222.7.7.152]: FAILED! => {"changed": false, "checksum": "c8ee7015b10f48acf4664ec33733e0c1eb025cb7", "msg": "Aborting, target uses selinux but python bindings (libselinux-python) aren't installed!"}

I installed libselinux-python on my control server (CentOS 6.5) but it does NOT work.
I also tried setting the SELinux status to 'Permissive' on the remote server (CentOS 6.5) using setenforce 0, which also did not fix the issue. As suggested by others, it should work if SELinux is disabled, which needs a reboot, so I haven't tried this solution yet.

Is this a bug in the Ansible code, or does anyone have a solution that does not need a reboot of the remote server? Many thanks.

STEPS TO REPRODUCE

Run playbook which has copy module

- name: Copy Server Agent file to remote
  copy:
    src: ServerAgent-2.2.1.zip
    dest: /install/perfmon/ServerAgent-2.2.1.zip

Contributor

@ansibot ansibot commented Jan 2, 2018

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

Author

@Rocking80 Rocking80 commented Jan 3, 2018

Is anyone taking this bug? Thanks.

Author

@Rocking80 Rocking80 commented Jan 4, 2018

OK, I installed libselinux-python on remote server, and fixed the issue.

Member

@bcoca bcoca commented Jan 5, 2018

@Rocking80 that is the requirement, the library is needed on the target server so Ansible can correctly handle the selinux contexts.

@bcoca bcoca closed this Jan 5, 2018

@stefangweichinger stefangweichinger commented Feb 26, 2018

I hit the same issue, target is Debian Stretch with python3-selinux installed. Can someone point out the missing package for Debian? No "libselinux-python" there.

edit: python-selinux installed on target

SOLVED as described in https://dmsimard.com/2016/01/08/selinux-python-virtualenv-chroot-and-ansible-dont-play-nice/

Contributor

@bdowling bdowling commented Mar 6, 2018

Ran into this as well, just trying to run some templates on localhost. Can the requirement for this be relaxed a bit? Delayed to fatal error only when it actually would be an issue? I was just attempting to run templates through ansible on localhost and encountered this (my ansible runs from a virtualenv as well).

Contributor

@jborean93 jborean93 commented Mar 6, 2018

@bdowling touching files like the template module requires the bindings which is why the error comes up. You should ensure the selinux library is on the target server and accessible from the Python that is being used.

@ansibot ansibot added bug and removed bug_report labels Mar 7, 2018

@satishdotpatel satishdotpatel commented Jul 11, 2018

I am having the same issue; I have disabled SELinux and rebooted the server but am still getting the same error :(

@darkn3rd darkn3rd commented Aug 14, 2018

I have this issue on Fedora 28 system using copy with ansible local connection:

fatal: [default]: FAILED! => {"changed": false, "checksum": "e3315badb0478807cedd68cd3b6705f28f7522d8", "msg": "Aborting, target uses selinux but python bindings (libselinux-python) aren't installed!"}

Caused by:

- name: "Copy Content"
  copy:
    src: "{{ role_path }}/files/index.html"
    dest: "{{ hello_web.docroot }}/index.html"

Fixed it with /usr/bin/dnf install -y libselinux-python.

@walidshaari walidshaari commented Aug 19, 2018

I am hitting the same issue, I think, on molecule 2.17.0 with Ansible 2.6.3: when I am doing a basic molecule test, the creation stage fails. My problem and workaround are explained here: https://dmsimard.com/2016/01/08/selinux-python-virtualenv-chroot-and-ansible-dont-play-nice/

@satishdotpatel satishdotpatel commented Aug 19, 2018

This is how I solved the issue: I disabled SELinux on the Ansible machine from which I was running Ansible, and that solved the issue. Earlier I had disabled it on the target servers, but it looks like you have to disable SELinux on the machine from which you execute your playbook.

This solved my problem.

@PascalNegwer PascalNegwer commented Oct 8, 2018

for me, installing libselinux-python solved the problem

@hareesh-panakanti hareesh-panakanti commented Oct 24, 2018

for me, installing libselinux-python solved the problem

Contributor

@ssbarnea ssbarnea commented Oct 24, 2018

The libselinux-python bindings issue is quite serious and also complex, due to a few facts that make it hard to approach.

  • libselinux bindings are named differently on py3-native platforms than on py2 ones, so there is no single yum install ... line to install them
  • when you create a virtual environment they are not inherited from the system unless you do a --use-system-packages, a controversial command that cannot be used by many users due to other conflicts it creates.

For tripleo-quickstart bootstrapping I ended up writing a lot of code to deal with the potentially missing libselinux https://review.openstack.org/#/c/612677/6/quickstart.sh

I am wondering if it would not be better to make selinux part of the Python distribution, as this would solve most of the problems related to its unavailability, especially with venvs.

@clebergnu clebergnu commented Feb 15, 2019

How hard is it to make the explicit setting of SELinux contexts optional ? I mean, if your system is configured with SELinux, it will know the context to apply to files you're creating, based on the currently loaded policy.

I find it horrible to require yet another library on the target hosts for something as trivial as creating a file. This makes people resort to hacks such as using commands to create files and run chmod and the like to set permissions.

estheruary added a commit to estheruary/ansible that referenced this issue Feb 27, 2019
ssbarnea added a commit to ansible/molecule that referenced this issue Mar 11, 2019
Avoid awkward error during templating of Dockerfile which happens
on selinux enabled machines when ansible template module fails
due to missing selinux bindings.

By using sitepackages=true in tox.ini we likely inherit the libselinux
bindings from the system when we create the virtualenvs.

Workaround for ansible/ansible#34340 which
happens even if selinux is set to permissive.

Fixes: #1724
Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
ssbarnea added a commit to ansible/molecule that referenced this issue Mar 11, 2019
Avoid awkward error during templating of Dockerfile which happens
on selinux enabled machines when ansible template module fails
due to missing selinux bindings.

By using sitepackages=true in tox.ini we likely inherit the libselinux
bindings from the system when we create the virtualenvs.

Workaround for ansible/ansible#34340 which
happens even if selinux is set to permissive.

Documents these system dependencies into bindep.txt where we plan to
add other further requirements.

Fixes: #1724
Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
ssbarnea added a commit to ansible/molecule that referenced this issue Mar 13, 2019
ssbarnea added a commit to ansible/molecule that referenced this issue Mar 14, 2019
Avoid awkward error during templating of Dockerfile which happens
on selinux enabled machines when ansible template module fails
due to missing selinux bindings.

By using sitepackages=true in tox.ini we likely inherit the libselinux
bindings from the system when we create the virtualenvs.

Workaround for ansible/ansible#34340 which
happens even if selinux is set to permissive.

Documents selinux issues in install documentation in order to inform
users about what they could encounter.

Fixes: #1724
Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
webknjaz added a commit to ansible/molecule that referenced this issue Mar 14, 2019
PR #1823 by @ssbarnea

* Ensure python libselinux python bindings are installed

Avoid awkward error during templating of Dockerfile which happens
on SELinux enabled machines when Ansible template module fails
due to missing SELinux bindings.

By using sitepackages=true in tox.ini we inherit the libselinux
bindings from the system when tox creates virtualenvs if they
are installed system-wide.

Work around ansible/ansible#34340 which
happens even if SELinux is set to permissive.

Document SELinux issues in the install documentation in order to
inform users about what they could encounter.

Fixes: #1724
Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>

@imlight imlight commented Mar 21, 2019

Hello,
Appreciate if someone can help with this.

I am hitting the same error; my environment looks like this:

Ansible master node: RHEL 7
SELinux enabled
libselinux-python: installed libselinux-python.x86_64 0:2.5-14.1.el7

Node: RHEL 5
SELinux enabled
Using ansible_python_interpreter=/usr/bin/python26
libselinux-python: installed libselinux-python-1.33.4-5.7.el5.x86_64

I have tried all the workarounds mentioned above, like copying site-packages/selinux from python2.4 / python2.7 (from the Ansible master), but that didn't work.

Any other suggestion, except disabling SELinux?

@imlight imlight commented Mar 21, 2019

We have nearly 50 RHEL5 servers, and if we don't find a feasible solution it will be very difficult for us to manage these servers.

@imlight imlight commented Mar 22, 2019

I see the problem

With default Python ...

selinux]# python
Python 2.4.3 (#1, May 5 2011, 15:12:27)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-50)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
>>> selinux.is_selinux_enabled()
1

And with python26

[root@dev-bozo21 selinux]# python26
Python 2.6.8 (unknown, Nov 7 2012, 14:47:45)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-52)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named selinux

I tried copying /usr/lib64/python2.4/site-packages/selinux to /usr/lib64/python2.6/site-packages/selinux (this was empty earlier); it throws this error:

python26
Python 2.6.8 (unknown, Nov 7 2012, 14:47:45)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-52)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.6/site-packages/selinux/__init__.py", line 5, in <module>
    import _selinux
ImportError: /usr/lib64/python2.6/site-packages/selinux/_selinux.so: undefined symbol: Py_InitModule4

And when copying "/usr/lib64/python2.7/site-packages/selinux/__init__.py" (from a different CentOS 7 node) to /usr/lib64/python2.6/site-packages/selinux/, I get the error below:

python2.6
Python 2.6.8 (unknown, Nov 7 2012, 14:47:45)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-52)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.6/site-packages/selinux/__init__.py", line 26, in <module>
    _selinux = swig_import_helper()
  File "/usr/lib64/python2.6/site-packages/selinux/__init__.py", line 22, in swig_import_helper
    _mod = imp.load_module('_selinux', fp, pathname, description)
ImportError: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /usr/lib64/python2.6/site-packages/selinux/_selinux.so)

Any solution for this problem?

Remember these are CentOS 5 hosts, and on EPEL 5 I don't see any update for libselinux-python.

@patelkhelan11 patelkhelan11 commented Apr 10, 2019

@ssbarnea I'm running the Ansible version below, with selinux installed with pip (https://pypi.org/project/selinux/):

[root@python-plain ~]# ansible --version
ansible 2.7.10
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.7.2 (default, Apr  8 2019, 10:21:09) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

but it gives the error below with the selinux package while running in an Ansible task:

fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "/root/.ansible/tmp/ansible-
tmp-1554896350.4265718-70327139331115/AnsiballZ_file.py:17: DeprecationWarning: the imp 
module is deprecated in favour of importlib; see the module's documentation for alternative 
uses\n  import imp\nTraceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-
1554896350.4265718-70327139331115/AnsiballZ_file.py\", line 113, in <module>\n    
_ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1554896350.4265718-
70327139331115/AnsiballZ_file.py\", line 105, in _ansiballz_main\n    
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File 
\"/root/.ansible/tmp/ansible-tmp-1554896350.4265718-70327139331115/AnsiballZ_file.py\", 
line 48, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File 
\"/usr/local/lib/python3.7/imp.py\", line 234, in load_module\n    return load_source(name, 
filename, file)\n  File \"/usr/local/lib/python3.7/imp.py\", line 169, in load_source\n    module =
 _exec(spec, sys.modules[name])\n  File \"<frozen importlib._bootstrap>\", line 630, in _exec\n  
File \"<frozen importlib._bootstrap_external>\", line 728, in exec_module\n  File \"<frozen 
importlib._bootstrap>\", line 219, in _call_with_frames_removed\n  File 
\"/tmp/ansible_file_payload_ve_g_mm7/__main__.py\", line 885, in <module>\n  File 
\"/tmp/ansible_file_payload_ve_g_mm7/__main__.py\", line 877, in main\n  File 
\"/tmp/ansible_file_payload_ve_g_mm7/__main__.py\", line 483, in execute_touch\n  File 
\"/tmp/ansible_file_payload_ve_g_mm7/ansible_file_payload.zip/ansible/module_utils/basic.py\", 
line 1001, in load_file_common_arguments\n  File 
\"/tmp/ansible_file_payload_ve_g_mm7/ansible_file_payload.zip/ansible/module_utils/basic.py\", line 1025, in selinux_mls_enabled\nAttributeError: module 'selinux' has no attribute 
'is_selinux_mls_enabled'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr 
for the exact error", "rc": 1}

line 1025, in selinux_mls_enabled\nAttributeError: module 'selinux' has no attribute

Can you please help?

reference: SELinuxProject/selinux#143

Member

@sivel sivel commented Apr 10, 2019

The selinux project on pypi is effectively an empty module, not providing any actual functionality. There is no pip installable package available.

@ansible ansible locked and limited conversation to collaborators Apr 10, 2019
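
A check in the spirit of the interpreter sessions posted in this thread, as an added example (not code from Ansible or from any commenter): it classifies the SELinux bindings seen by the interpreter that runs it as ok, missing, broken (present but fails to load) or stub (importable but without the functions the tracebacks above reference). The `demo_sel_*` package names and their contents are constructed for illustration; run the script with the same interpreter Ansible uses on the target, for instance the one set in ansible_python_interpreter.

```python
import importlib
import os
import sys
import tempfile

# Calls seen on this page: the interactive sessions use is_selinux_enabled();
# the AnsiballZ traceback fails on is_selinux_mls_enabled.
REQUIRED = ("is_selinux_enabled", "is_selinux_mls_enabled")


def check_bindings(module_name="selinux"):
    """Return (status, detail) for the interpreter running this script.
    status is one of "ok", "missing", "broken" or "stub"."""
    sys.modules.pop(module_name, None)  # force a fresh import attempt
    importlib.invalidate_caches()
    try:
        mod = importlib.import_module(module_name)
    except ImportError as exc:
        # Python 3 sets exc.name to the module that could not be found.
        if getattr(exc, "name", None) == module_name:
            return "missing", str(exc)
        # The package is present but will not load, e.g. a _selinux.so
        # copied over from another Python version or distribution.
        return "broken", str(exc)
    absent = [f for f in REQUIRED if not callable(getattr(mod, f, None))]
    if absent:
        # Importable but hollow, like the PyPI "selinux" package in the thread.
        return "stub", "no attribute: " + ", ".join(absent)
    return "ok", "is_selinux_enabled() = %r" % (mod.is_selinux_enabled(),)


def demo():
    """Classify three constructed packages plus one absent name."""
    samples = {  # constructed stand-ins, not real bindings
        "demo_sel_ok": "def is_selinux_enabled(): return 1\n"
                       "def is_selinux_mls_enabled(): return 1\n",
        "demo_sel_stub": "__version__ = '0.0'\n",
        "demo_sel_broken": "raise ImportError('undefined symbol: Py_InitModule4')\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, source in samples.items():
            os.mkdir(os.path.join(root, name))
            with open(os.path.join(root, name, "__init__.py"), "w") as fh:
                fh.write(source)
        sys.path.insert(0, root)
        try:
            return {n: check_bindings(n)[0] for n in [*samples, "demo_sel_absent"]}
        finally:
            sys.path.remove(root)


if __name__ == "__main__":
    print(sys.executable, check_bindings())
    print(demo())
```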