Bug 1756015 - Build libselinux-python3 subpackage [NEEDINFO]
Summary: Build libselinux-python3 subpackage
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libselinux
Version: 7.7
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: 7.8
Assignee: Vit Mojzis 🔒
QA Contact: Milos Malik ♈🏡🍅
URL:
Whiteboard:
Depends On: 1719978
Blocks: 1711916 1639030
TreeView+ depends on / blocked
 
Reported: 2019-09-26 15:29 UTC by Zdenek Pytela 🎹
Modified: 2019-10-15 20:02 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1719978
Environment:
Last Closed:
Target Upstream Version:
zpytela: needinfo? (vmojzis)


Attachments (Terms of Use)

Description Zdenek Pytela 🎹 2019-09-26 15:29:32 UTC
+++ This bug was initially created as a clone of Bug #1719978 +++

Description of problem:
I'm excited to see bug 1639030 (python3 stack) addressed in the RHEL 7.7 beta.  However, python3-libselinux was not included.  Building that will involve enabling the python3 subpackage in the libselinux spec file.

Version-Release number of selected component (if applicable):
libselinux-2.5-14.1.el7

Additional info:
Unlike other python modules, it isn't feasible to pip install this library, so building it from the main spec file is the only realistic option.

--- Additional comment from RHEL Product and Program Management on 2019-06-12 23:06:28 CEST ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Petr Lautrbach on 2019-06-13 10:24:56 CEST ---

Note for libselinux maintainer: when/if you address this bug please consider also https://bugzilla.redhat.com/show_bug.cgi?id=1719771

--- Additional comment from Vit  Mojzis on 2019-06-20 08:49:08 CEST ---

Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

Unfortunately we were not able to address the problem in development phase, therefore we postpone it to next minor product update. If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.

--- Additional comment from Carl George on 2019-06-20 15:53:30 CEST ---

Ok Vit, I've opened case 02409561.  Considering that the entire python3 stack is new for 7.7, I'm hoping this can be resolved at the same time and won't be delayed until 7.8.

--- Additional comment from Vit  Mojzis on 2019-06-21 16:37:40 CEST ---

Could someone from the python team add a blocker+, or provide explanation to the reporter?

--- Additional comment from Petr Viktorin on 2019-06-21 16:42:22 CEST ---

This is a request for a new component, so it should be switched to "distribution", and evaluated by PM as any other new component in RHEL 7.

--- Additional comment from Petr Viktorin on 2019-06-21 16:47:29 CEST ---

Note that only the Python 3 interpreter, and some basic libraries, were added to RHEL 7. Not the entire stack.

As far as I know, requests for individual libraries are treated as any other request to add and support some software not yet in RHEL.

--- Additional comment from Miro Hrončok on 2019-06-23 00:29:02 CEST ---

I cannot provide the requested blocker+, talk to the PM instead.

--- Additional comment from Miro Hrončok on 2019-06-23 00:30:30 CEST ---

Note that this bugzilla is now private (due to being assigned to the distribution component) and the original reporter most likely lost access to it.

--- Additional comment from Miro Hrončok on 2019-09-11 12:37:25 CEST ---



--- Additional comment from Sorin Sbarnea on 2019-09-11 12:59:03 CEST ---

Refusal to include libselinux is almost as good as making python3 unusable for any practical means. (Example: Ansible will not work without it).

Not sure if this was by-design decision but a direct side-effect of it is that currently there is no usable python3 on current centos release and it will not be due to https://bugs.centos.org/view.php?id=16389

There is no release date for CentOS8 and Python 2.7 final day is 2020-01-01, less than 3 months away.

I do see the real danger that we will end-up without having any supported python version available on CentOS in general.

We did advertise python36 as helping developers port their code/products, but apparently what we gave is a broken stick.

The implications are really serious regarding testing because on OpenStack we have unittest and functional tests that do need to be tested with multiple versions of python (if selinux is missing some of them will fail, all of those using ansible).

Lucky for OpenStack upstream, their preferred test platform is Ubuntu, which is not subject to the selinux issue (cannot blame them for having that preference).

So we should wonder if we fail to deliver changes in time when we are not given the basic building blocks.

--- Additional comment from Miro Hrončok on 2019-09-11 13:29:49 CEST ---

> Refusal to include libselinux is almost as good as making python3 unusable for any practical means. (Example: Ansible will not work without it).

I don't think that ansible is the only use case of python, so I don't agree with "unusable for any practical means". Yet I agree completely that the missing modules, such as python3-selinux, make the entire thing less useful and I was always arguing to include them. However I've been told that it's too late to do it (note that I don't understand processes around RHEL much, but AFAIK 7.7 is shipped and 7.8 is beyond new features).

> Not sure if this was by-design decision 

It was designed that we will add python3 interpreter.

See comment #7:
> Note that only the Python 3 interpreter, and some basic libraries, were
> added to RHEL 7. Not the entire stack.
> 
> As far as I know, requests for individual libraries are treated as any other
> request to add and support some software not yet in RHEL.

--- Additional comment from Sorin Sbarnea on 2019-09-11 14:49:02 CEST ---

As I was notified that this bug is currently private, do we have any reason for keeping it private? If possible it would make sense to make it public (eventually making private some comments if needed).

--- Additional comment from Miro Hrončok on 2019-09-11 14:59:39 CEST ---

I don't know. AFAIK it has been marked private by assigning it to "distribution".

--- Additional comment from Carl George on 2019-09-11 15:13:47 CEST ---

Can we make this bug public again?  It's being discusses elsewhere on the internet (https://bugs.centos.org/view.php?id=16389) and it would be beneficial to be able to link this bug, if nothing else to show that Red Hat has declined to address it.

--- Additional comment from Honza Horak on 2019-09-11 16:48:40 CEST ---

(In reply to Carl George from comment #15)
> Can we make this bug public again?  It's being discusses elsewhere on the
> internet (https://bugs.centos.org/view.php?id=16389) and it would be
> beneficial to be able to link this bug, if nothing else to show that Red Hat
> has declined to address it.

Trying to re-open it again, not sure whether the bot will hide it again, because the request is on distribution bug, we'll see.

--- Additional comment from Honza Horak on 2019-09-11 17:02:16 CEST ---

As written above, the intention was to ship the minimal stack (to be able to do it all) and I totally understand that many binary extensions are missing now.

Considering the status of RHEL-7, which just entered Maintenance Support 1 phase according to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index, inclusion of many new packages will likely not happen, so I'd rather take a look at specific cases and how we can solve them.

One obvious answer might be -- there is always possibility to build the missing packages yourself. Not having them available and supported in the RHEL itself should not block anybody to do it. But I guess this is not really helping much.

Would inclusion in EPEL be an option for example? (trying to brainstorm a bit..)

--- Additional comment from Carl George on 2019-09-11 22:48:45 CEST ---

It's possible, but not easy.  One can take a RHEL spec file (libselinux.spec for example), change the name (EPEL builds can't have a name conflict with RHEL, even on the SRPM name), and remove all sections of the spec that don't affect the Python extension they want.  That's much more difficult when the Python extension is created via makefile, like libselinux is.  Another approach would be to keep the same build steps as RHEL, then manually delete the files that would conflict with a RHEL package.  Again, doable, but difficult and error prone.  Enabling the python3 subpackage is really the right answer, and it's a shame that Red Hat isn't interested in that approach.  Doing that in any capacity (no support, extras, tech preview, whatever) would really help customers in their EL8/PY3 porting efforts.

And yes, I said customer.  Despite the misconception in bug 1639030 that this wasn't a customer request, Rackspace has case 02409561 open specifically requesting libselinux-python3.  I'm sorry I didn't open that support case sooner during the process to help y'all get this done.

--- Additional comment from Vit  Mojzis on 2019-09-25 14:04:33 CEST ---

This repo contains libselinux build including python3-libselinux.
https://copr.devel.redhat.com/coprs/vmojzis/libselinux-python3/repo/rhel-7.dev/vmojzis-libselinux-python3-rhel-7.dev.repo

--- Additional comment from Vit  Mojzis on 2019-09-25 14:22:58 CEST ---

The package can easily be built using the srpm without any changes (not sure if/how can the customer get the srpm and it's build dependencies):

rpmbuild --rebuild --with python3 libselinux-2.5-14.1.el7.src.rpm

--- Additional comment from Zdenek Pytela on 2019-09-25 16:30:27 CEST ---

Adding link to a jira story with all information available up to now.

Please follow the CEE process to get agreement and acquire acks to start the process.

--- Additional comment from Chris Kuperstein on 2019-09-25 21:48:31 CEST ---

How was this overlooked?

Like someone mentioned earlier, Python 3 is essentially useless without this.

We are building CI pipelines leveraging Molecule, Ansible, Helm, and Docker which all depend on libselinux. This means we can't build runners with RHEL 7, or 8 until this is resolved.

--- Additional comment from Carl George on 2019-09-26 01:30:48 CEST ---

FYI for those interested in this, I figured out a stand alone spec file and submitted it for review in bug 1754039.  If anyone has the time to do the package review I'd appreciate it.

--- Additional comment from Milos Malik on 2019-09-26 14:11:50 CEST ---

As SELinux QE, I'm aware of this effort (internal discussion already happened) and I agree with Vit Mojzis and Zdenek Pytela.

--- Additional comment from Miro Hrončok on 2019-09-26 15:01:15 CEST ---

As a side note:

If the package is named libselinux-python3, please provide python3-libselinux = %{version}-%{release} and python3-libselinux%{?_isa} = %{version}-%{release} for compatibility with RHEL 8 and Fedora.
If the package is named python3-libselinux, please provide libselinux-python3 = %{version}-%{release} and libselinux-python3%{?_isa} = %{version}-%{release} for compatibility with the Python 2 package.

--- Additional comment from Zdenek Pytela on 2019-09-26 17:02:17 CEST ---

As we managed to get acknowledgements from PM, devel, and QE, we are initiating the process to include the libselinux-python3 subpackage into RHEL 7.


Note You need to log in before you can comment on or make changes to this bug.