Bug 2093589 - ansible selinux related modules broken due to missing dependencies
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: ansible
Version: epel8
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-06-04 15:00 UTC by Harald Gutmann
Modified: 2023-09-07 08:52 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-06-04 20:34:44 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1932650 1 unspecified CLOSED add python38-libselinux 2024-06-14 00:34:12 UTC

Description Harald Gutmann 2022-06-04 15:00:27 UTC
Description of problem:
All SELinux related modules are currently broken on RHEL8.6 with epel packages active.

At least the following python dependencies are missing.
python38-libsemanage
python38-libselinux


Version-Release number of selected component (if applicable):
RHEL8.6
Ansible 5.4
Python 3.8


How reproducible:
Steps to Reproduce:

1. Enable EPEL on RHEL8.
2. Install ansible (as of writing ansible-5.4.0-2.el8.noarch, ansible-core-2.12.2-3.1.el8.x86_64)
3. run ansible -m ansible.posix.seboolean -a "name=virt_use_comm state=yes persistent=yes" localhost
4. run pip3.8 install selinux
5. run ansible -m ansible.posix.seboolean -a "name=virt_use_comm state=yes persistent=yes" localhost
6. realize that there is no easy way to install the missing semanage python module with pip3.8 or dnf.
7. ansible 5.4 uses ansible-core 2.12 which requires python 3.8

https://github.com/ansible/ansible/blob/v2.12.0/changelogs/CHANGELOG-v2.12.rst#major-changes


Actual results:
step 3:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ModuleNotFoundError: No module named 'selinux'
localhost | FAILED! => {
    "changed": false,
    "msg": "Failed to import the required Python library (libselinux-python) on rhel86's Python /usr/bin/python3.8. Please read the module documentation and install it in the appropriate location. If the required library is installed, but Ansible is using the wrong Python interpreter, please consult the documentation on ansible_python_interpreter"
}

step 5:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ModuleNotFoundError: No module named 'semanage'
localhost | FAILED! => {
    "changed": false,
    "msg": "Failed to import the required Python library (libsemanage-python) on rhel86's Python /usr/bin/python3.8. Please read the module documentation and install it in the appropriate location. If the required library is installed, but Ansible is using the wrong Python interpreter, please consult the documentation on ansible_python_interpreter"
}


Expected results:
SELinux boolean being activated by ansible.

Additional info:

Comment 1 Maxwell G 2022-06-04 16:57:21 UTC
The correct solution here is to run the modules on the target node using the default system python interpreter (/usr/libexec/platform-python for RHEL 8) for which libsemanage-python3 is already packaged. Ansible is supposed to detect the correct python interpreter, but this does not happen in a couple cases.

Are you relying on implicit localhost[1] or is localhost actually present in your ansible inventory? If you are, you will need to add localhost to your inventory, as ansible does not discover the correct system python interpreter when using implicit localhost; it uses the Python version used for the controller which is different than the system one, in this case. According to the ansible docs[1], this is intentional. In any case, this package only contains a bundle of collections, while ansible-core contains the core engine, so there's nothing we can do about that here.

Additionally, even if you have localhost in your inventory, ansible-core 2.12 has a bug where it detects the correct interpreter on RHEL, CentOS Stream, and Oracle Linux but not on other EL distributions (e.g. Rocky Linux or AlmaLinux). You can get around this by manually setting ansible_python_interpreter to /usr/libexec/platform-python in your inventory. I have asked[2] the RHEL ansible-core maintainers to backport the upstream patch that fixes this issue so hopefully this workaround won't be required for too long. You said that you were running actual RHEL so that shouldn't be necessary in your case.

Thank you for the bug report, and please let us know if this solves your problem.


[1]: https://docs.ansible.com/ansible/latest/inventory/implicit_localhost.html
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=2093105#c4

Comment 2 Harald Gutmann 2022-06-04 20:34:44 UTC
Hello Maxwell G,

thank you for your quick and accurate reply.
The scenarios where the tasks failed were during automated deployments running playbooks against implicitly declared localhost.

Running the commands with explicit declaration works:
[root@rhel86 ~]# ansible all -i "localhost," --connection=local -m ansible.posix.seboolean -a "name=virt_use_comm state=yes persistent=yes" 
localhost | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "name": "virt_use_comm",
    "persistent": true,
    "state": true
}
[root@rhel86 ~]#


This can be considered as NOTABUG, knowing all these details about the different discovery procedures for various types of usages.

Anyways, this change did break several usages that worked before without issues, but the joy of having a recent version of ansible available on the RHEL 8 family outshines this issue.
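An added example, not part of the bug report or of Ansible itself: a small probe that checks which of the interpreters named in this thread can resolve the `selinux` and `semanage` bindings, so you can confirm which path is safe to use as `ansible_python_interpreter` before an SELinux task fails mid-deployment. The function names `probe` and `usable` are hypothetical; the interpreter paths and module names are the ones quoted above.

```python
"""Report which Python interpreters can resolve the SELinux bindings."""
import json
import shutil
import subprocess

# Interpreter paths and module names as quoted in this bug report.
INTERPRETERS = ["/usr/libexec/platform-python", "/usr/bin/python3.8"]
MODULES = ["selinux", "semanage"]

# Runs inside the probed interpreter. find_spec locates a top-level
# module without importing it, so no binding code is executed.
_CHILD = (
    "import importlib.util, json, sys;"
    "print(json.dumps({m: importlib.util.find_spec(m) is not None"
    " for m in sys.argv[1:]}))"
)


def probe(interpreter, modules=MODULES, timeout=10):
    """Return {module: bool} for one interpreter, or None if it cannot be run."""
    path = shutil.which(interpreter)  # accepts absolute paths as well as names
    if path is None:
        return None  # interpreter missing or not executable
    try:
        out = subprocess.run(
            [path, "-c", _CHILD, *modules],
            capture_output=True, text=True, timeout=timeout, check=True,
        ).stdout
        return json.loads(out)
    except (OSError, subprocess.SubprocessError, ValueError):
        return None  # crashed, timed out, or printed something unexpected


def usable(interpreters=INTERPRETERS, modules=MODULES):
    """Interpreters for which every module resolves."""
    results = {i: probe(i, modules) for i in interpreters}
    return [i for i, r in results.items() if r and all(r.values())]


if __name__ == "__main__":
    for interp in INTERPRETERS:
        print(interp, probe(interp))
    print("usable for SELinux modules:", usable())
```
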

