Bug 1719978

Summary: build python3-libselinux
Product: Red Hat Enterprise Linux 7 Reporter: Carl George <carl>
Component: distributionAssignee: RHEL Product and Program Management <pm-rhel>
Status: NEW --- QA Contact: Release Test Team <release-test-team>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.7CC: ajacocks, amike, awestbro, briang, ckuperst, degts, dwalsh, farrotin, hhorak, jwboyer, kdreyer, kenyon, lvrabec, mhroncok, mmalik, pdwyer, plautrba, pviktori, ssbarnea, ssekidde, torsava, vmojzis, zpytela
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1756015 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 1756015, 1639030    

Description Carl George 2019-06-12 21:06:26 UTC
Description of problem:
I'm excited to see bug 1639030 (python3 stack) addressed in the RHEL 7.7 beta.  However, python3-libselinux was not included.  Building that will involve enabling the python3 subpackage in the libselinux spec file.

Version-Release number of selected component (if applicable):
libselinux-2.5-14.1.el7

Additional info:
Unlike other python modules, it isn't feasible to pip install this library, so building it from the main spec file is the only realistic option.

Comment 3 Vit Mojzis 2019-06-20 06:49:08 UTC
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

Unfortunately we were not able to address the problem in development phase, therefore we postpone it to next minor product update. If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.

Comment 4 Carl George 2019-06-20 13:53:30 UTC
Ok Vit, I've opened case 02409561.  Considering that the entire python3 stack is new for 7.7, I'm hoping this can be resolved at the same time and won't be delayed until 7.8.

Comment 7 Petr Viktorin 2019-06-21 14:47:29 UTC
Note that only the Python 3 interpreter, and some basic libraries, were added to RHEL 7. Not the entire stack.

As far as I know, requests for individual libraries are treated as any other request to add and support some software not yet in RHEL.

Comment 9 Miro Hrončok 2019-06-22 22:30:30 UTC
Note that this bugzilla is now private (due to being assigned to the distribution component) and the original reporter most likely lost access to it.

Comment 10 Miro Hrončok 2019-09-11 10:37:25 UTC
*** Bug 1751163 has been marked as a duplicate of this bug. ***

Comment 11 Sorin Sbarnea 2019-09-11 10:59:03 UTC
Refusal to include libselinux is almost as good as making python3 unusable for any practical means. (Example: Ansible will not work without it).

Not sure if this was by-design decision but a direct side-effect of it is that currently there is no usable python3 on current centos release and it will not be due to https://bugs.centos.org/view.php?id=16389

There is no release date for CentOS8 and Python 2.7 final day is 2020-01-01, less than 3 months away.

I do see the real danger that we will end-up without having any supported python version available on CentOS in general.

We did advertise python36 as helping developers port their code/products, but apparently what we gave is a broken stick.

The implications are really serious regarding testing because on OpenStack we have unittest and functional tests that do need to be tested with multiple versions of python (if selinux is missing some of them will fail, all of those using ansible).

Lucky for OpenStack upstream, their preferred test platform is Ubuntu, which is not subject to the selinux issue (cannot blame them for having that preference).

So we should wonder if we fail to deliver changes in time when we are not given the basic building blocks.

Comment 12 Miro Hrončok 2019-09-11 11:29:49 UTC
> Refusal to include libselinux is almost as good as making python3 unusable for any practical means. (Example: Ansible will not work without it).

I don't think that ansible is the only use case of python, so I don't agree with "unusable for any practical means". Yet I agree completely that the missing modules, such as python3-selinux, make the entire thing less useful and I was always arguing to include them. However I've been told that it's too late to do it (note that I don't understand processes around RHEL much, but AFAIK 7.7 is shipped and 7.8 is beyond new features).

> Not sure if this was by-design decision 

It was designed that we will add python3 interpreter.

See comment #7:
> Note that only the Python 3 interpreter, and some basic libraries, were
> added to RHEL 7. Not the entire stack.
> 
> As far as I know, requests for individual libraries are treated as any other
> request to add and support some software not yet in RHEL.

Comment 15 Carl George 2019-09-11 13:13:47 UTC
Can we make this bug public again?  It's being discusses elsewhere on the internet (https://bugs.centos.org/view.php?id=16389) and it would be beneficial to be able to link this bug, if nothing else to show that Red Hat has declined to address it.

Comment 16 Honza Horak 2019-09-11 14:48:40 UTC
(In reply to Carl George from comment #15)
> Can we make this bug public again?  It's being discusses elsewhere on the
> internet (https://bugs.centos.org/view.php?id=16389) and it would be
> beneficial to be able to link this bug, if nothing else to show that Red Hat
> has declined to address it.

Trying to re-open it again, not sure whether the bot will hide it again, because the request is on distribution bug, we'll see.

Comment 17 Honza Horak 2019-09-11 15:02:16 UTC
As written above, the intention was to ship the minimal stack (to be able to do it all) and I totally understand that many binary extensions are missing now.

Considering the status of RHEL-7, which just entered Maintenance Support 1 phase according to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index, inclusion of many new packages will likely not happen, so I'd rather take a look at specific cases and how we can solve them.

One obvious answer might be -- there is always possibility to build the missing packages yourself. Not having them available and supported in the RHEL itself should not block anybody to do it. But I guess this is not really helping much.

Would inclusion in EPEL be an option for example? (trying to brainstorm a bit..)

Comment 18 Carl George 2019-09-11 20:48:45 UTC
It's possible, but not easy.  One can take a RHEL spec file (libselinux.spec for example), change the name (EPEL builds can't have a name conflict with RHEL, even on the SRPM name), and remove all sections of the spec that don't affect the Python extension they want.  That's much more difficult when the Python extension is created via makefile, like libselinux is.  Another approach would be to keep the same build steps as RHEL, then manually delete the files that would conflict with a RHEL package.  Again, doable, but difficult and error prone.  Enabling the python3 subpackage is really the right answer, and it's a shame that Red Hat isn't interested in that approach.  Doing that in any capacity (no support, extras, tech preview, whatever) would really help customers in their EL8/PY3 porting efforts.

And yes, I said customer.  Despite the misconception in bug 1639030 that this wasn't a customer request, Rackspace has case 02409561 open specifically requesting libselinux-python3.  I'm sorry I didn't open that support case sooner during the process to help y'all get this done.

Comment 22 Chris Kuperstein 2019-09-25 19:48:31 UTC
How was this overlooked?

Like someone mentioned earlier, Python 3 is essentially useless without this.

We are building CI pipelines leveraging Molecule, Ansible, Helm, and Docker which all depend on libselinux. This means we can't build runners with RHEL 7, or 8 until this is resolved.

Comment 23 Carl George 2019-09-25 23:30:48 UTC
FYI for those interested in this, I figured out a stand alone spec file and submitted it for review in bug 1754039.  If anyone has the time to do the package review I'd appreciate it.

Comment 25 Miro Hrončok 2019-09-26 13:01:15 UTC
As a side note:

If the package is named libselinux-python3, please provide python3-libselinux = %{version}-%{release} and python3-libselinux%{?_isa} = %{version}-%{release} for compatibility with RHEL 8 and Fedora.
If the package is named python3-libselinux, please provide libselinux-python3 = %{version}-%{release} and libselinux-python3%{?_isa} = %{version}-%{release} for compatibility with the Python 2 package.

Comment 26 Zdenek Pytela 2019-09-26 15:02:17 UTC
As we managed to get acknowledgements from PM, devel, and QE, we are initiating the process to include the libselinux-python3 subpackage into RHEL 7.

Comment 28 Carl George 2019-09-26 18:59:11 UTC
I see that this bug was cloned as bug 1756015.  Should we close this one now?

Comment 29 Zdenek Pytela 2019-09-27 06:14:07 UTC
Carl,

Please do not close any bug as both of them are needed for the process to continue.