Aborting, target uses selinux but python bindings (libselinux-python) aren't installed! #1724
Comments
|
Yesterday I had a small chat in IRC #ansible-molecule We came to the following workaround/solution: Afterwards the VENV is usable. Maybe it can be added to the docs, that for some selinux systems it is needed to symlink the selinux libraries + the c-library. |
|
@daniel-wtd Do not ever try to use "docker-py" package, is 4 years old, it was replaced by "docker". I woudl go so far to even request its removal from pypi and replacing it with a placeholder that installs docker one. |
|
The root core issue here is different, is a design issue with molecule where by default it does hide the output when creation fails, something that is really common for new users and not only for new users. I think we should find a way to address this and avoid the case where user needs to run again with --debug switch in order to find-out what went wrong. I would call it an unfortunate design decision, but we shoudl be able to find a way to address it. |
|
@ssbarnea maybe the video from https://github.com/ansible/molecule/README.md leads to the opinion to use docker-py. EDIT: it works woith docker-py and docker The root cause here is not the docker package, but that the support for selinux is a little bit problematic. Using system-site-packages leads to problems and not using them forces to manual symlinking the selinux packages. |
Just to link, I have a proposal out for an idea to fix this in #1666 (comment). |
|
This problem is not limited to Fedora, is happening with CentOS too. I think it may prove to be a good enough reason to delay release of 2.20. The magic line is: |
ssbarnea
changed the title
Adds libselinux python extensions to the default Dockerfile template used by molecule in order to avoid failure to build it on selinux systems. Fixes: #1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
|
While trying to fix it I realised that we don't need to install libselinux into the container because the problem was with template module itself, cased by ansible/ansible#34340 This is guaranteed to happen if you run tox on a redhat distro withotu sitespackages=true as libselinux bindings will be missing and there is no way to install them with pip. |
Avoid akward error during templating of Dockerfile which happens on selinux enabled machines when ansible template module fails due to missing selinux bindings. By using sitepackages=true in tox.ini we likely inherit the libselinux bindings from the system when we create the virtualenvs. Workaround for ansible/ansible#34340 which happens even if selinux is set to permissive. Fixes: #1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
|
Since Fedora has also some of the ansible packages in their repositories, it may happen, that sitepackages=true conflicts with the other python modules, already installed on the machine. Is there a way, to import/link only selinux into the virtualenv? |
Avoid akward error during templating of Dockerfile which happens on selinux enabled machines when ansible template module fails due to missing selinux bindings. By using sitepackages=true in tox.ini we likely inherit the libselinux bindings from the system when we create the virtualenvs. Workaround for ansible/ansible#34340 which happens even if selinux is set to permissive. Documents these system dependencies into bindep.txt where we plan to add other further requirements. Fixes: #1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
|
@daniel-wtd what if you used WRT linking just Other than that, the community could try putting together an OS-specific wheel dist compilation process to tackle the ability to do |
|
First use sitepackages does not cause conflicts because pip would remove syumlinked packages if they are not compatible and install compatible ones (newer or older). The is still a very small risk which is more about the fact that other packages already installed on the system may become available during testing, for example pytest or flake8 plugins. In the past I had few cases where this caused different behavior during local testing, but it was easy to deal with it (they can be disabled in config). Regarding installing libselinux inside virtualenvs, I know some workarounds but do really not want to go this route, involved doing manual file copy of the selinux module binaries from system into the virtualenv after creation. It is very specific to each distro/version and likely to break in so many cases... not to mention the additional ugliness added inside There are other reasons why we may want to use python system packages: for avoiding to compile binary modules like openssl. PS. Yep, I asked about selinux binary, I am not sure is doable yet with current wheel. I know few projects had partial success with some libraries but with selinux it may be too specific to each disto and version to make it possible. Even so, we kinda need a fix "now". |
All openssl wrappers I know already ship proper wheels. So it's not a good example.
Agreed. I can live with this now, but let's at least add more comprehensive comments there explaining the situation and downsides. |
Avoid akward error during templating of Dockerfile which happens on selinux enabled machines when ansible template module fails due to missing selinux bindings. By using sitepackages=true in tox.ini we likely inherit the libselinux bindings from the system when we create the virtualenvs. Workaround for ansible/ansible#34340 which happens even if selinux is set to permissive. Documents these system dependencies into bindep.txt where we plan to add other further requirements. Fixes: #1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
|
I made an update on the proposed change and also included a link to this bug, which will allow anyone that wonders about the resons behind to see the full discussion. |
ssbarnea
added
test
|
2019-03-13 IRC Meeting. Agreed this isn't 2.20 blocking |
Avoid akward error during templating of Dockerfile which happens on selinux enabled machines when ansible template module fails due to missing selinux bindings. By using sitepackages=true in tox.ini we likely inherit the libselinux bindings from the system when we create the virtualenvs. Workaround for ansible/ansible#34340 which happens even if selinux is set to permissive. Documents selinux issues in install documentation in order to inform users about what they could encounter. Fixes: #1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
PR #1823 by @ssbarnea * Ensure python libselinux python bindings are installed Avoid awkward error during templating of Dockerfile which happens on SELinux enabled machines when Ansible template module fails due to missing SELinux bindings. By using sitepackages=true in tox.ini we inherit the libselinux bindings from the system when tox creates virtualenvs if they are installed system-wide. Work around ansible/ansible#34340 which happens even if SELinux is set to permissive. Document SELinux issues in the install documentation in order to inform users about what they could encounter. Fixes: #1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
Avoid akward error during templating of Dockerfile which happens on selinux enabled machines when ansible template module fails due to missing selinux bindings. By using sitepackages=true in tox.ini we likely inherit the libselinux bindings from the system when we create the virtualenvs. Workaround for ansible/ansible#34340 which happens even if selinux is set to permissive. Documents selinux issues in install documentation in order to inform users about what they could encounter. Fixes: ansible#1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
Avoid akward error during templating of Dockerfile which happens on selinux enabled machines when ansible template module fails due to missing selinux bindings. By using sitepackages=true in tox.ini we likely inherit the libselinux bindings from the system when we create the virtualenvs. Workaround for ansible/ansible#34340 which happens even if selinux is set to permissive. Documents selinux issues in install documentation in order to inform users about what they could encounter. Fixes: ansible#1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
Avoid akward error during templating of Dockerfile which happens on selinux enabled machines when ansible template module fails due to missing selinux bindings. By using sitepackages=true in tox.ini we likely inherit the libselinux bindings from the system when we create the virtualenvs. Workaround for ansible/ansible#34340 which happens even if selinux is set to permissive. Documents selinux issues in install documentation in order to inform users about what they could encounter. Fixes: ansible#1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
Avoid akward error during templating of Dockerfile which happens on selinux enabled machines when ansible template module fails due to missing selinux bindings. By using sitepackages=true in tox.ini we likely inherit the libselinux bindings from the system when we create the virtualenvs. Workaround for ansible/ansible#34340 which happens even if selinux is set to permissive. Documents selinux issues in install documentation in order to inform users about what they could encounter. Fixes: ansible#1724 Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
For systems running selinux, the selinux package must be installed in the virtualenv, otherwise it fails to properly find the required system packages. See ansible/molecule#1724 for background.
|
Will this be fixed and released into 2.20.2, or 2.21.0? |
|
@Lirt This is not really molecule bug and it cannot eveb be attributed to Ansible, so is not really a priority to address it. Still you are welcomed to apply the workaround. If you are lucky simple installing selinux froom pypi may sort it for you. |
Error message was: "Aborting, target uses selinux but python bindings (libselinux-python) aren't installed!" See https://pypi.org/project/selinux/ and comment at ansible/molecule#1724 (comment)
|
I don't understand why I have selinux disabled on the CentOS 7.7 distros (on Azure) but Ansible when runs from local workstation says it's not installed so a docker_container module fails. Why does it even require any selinux packages, when that one is disabled? o.O |
|
@Dmitry1987 take a look here for an easy straight forward workaround. |
|
It looks like in these circumstances we have to revert to python 2.7, but we get warnings saying python 2.7 will be deprecated which is why I started to update everything and ran into this problem. Where package_python_interpreter is deifined as python2.7 for any centos 7 host. I hope functions like and yum and copy will eventually work in python3 on Centos 7, before python 2.7 is deprecated. |
…ecution. -wmcd
…ecution. -wmcd
Molecule and Ansible details
Molecule installation method (one of):
Ansible installation method (one of):
Detail any linters or test runners used:
Desired Behavior
molecule testshould run locally on Fedora 29 in virtualenvActual Behaviour
molecule testbrakes due to missing libselinux-python at StepCreate Dockerfiles from image namesCreating an env with site-packages is not able to perform due to pyyaml version.
Creating an env without site packages is not able to perform due to missing selinux python bindings.
Copying the selinux packages in the venv does not help.
Output of
molecule testwithout site packages.Please feel free to reach out to me here or in IRC @freenode #ansible-molecule. I will do my best to support you.
Thanks a lot in advance!
The text was updated successfully, but these errors were encountered: