pycontribs / selinux

Pure-python selinux shim module for use in virtualenvs
MIT License

/usr/bin/python3 not found when using pyenv #42

Closed markfaine closed 4 years ago

markfaine commented 4 years ago

```
[bean @ p-msfc-enms-cm ../run/ansible-playbook] [master] $ ansible-playbook --limit=p-msfc-ils-logagg3.cso.nasa.gov playbooks/openscap.yml 
ERROR! Unexpected Exception, this is probably a bug: [Errno 2] No such file or directory: '/usr/bin/python3': '/usr/bin/python3'
the full traceback was:

Traceback (most recent call last):
  File "/home/bean/.pyenv/versions/venv-3.6.9/bin/ansible-playbook", line 92, in <module>
    mycli = getattr(__import__("ansible.cli.%s" % sub, fromlist=[myclass]), myclass)
  File "/home/bean/.pyenv/versions/3.6.9/envs/venv-3.6.9/lib/python3.6/site-packages/ansible/cli/__init__.py", line 25, in <module>
    from ansible.parsing.dataloader import DataLoader
  File "/home/bean/.pyenv/versions/3.6.9/envs/venv-3.6.9/lib/python3.6/site-packages/ansible/parsing/dataloader.py", line 17, in <module>
    from ansible.module_utils.basic import is_executable
  File "/home/bean/.pyenv/versions/3.6.9/envs/venv-3.6.9/lib/python3.6/site-packages/ansible/module_utils/basic.py", line 74, in <module>
    import selinux
  File "/home/bean/.pyenv/versions/3.6.9/envs/venv-3.6.9/lib/python3.6/site-packages/selinux/__init__.py", line 104, in <module>
    check_system_sitepackages()
  File "/home/bean/.pyenv/versions/3.6.9/envs/venv-3.6.9/lib/python3.6/site-packages/selinux/__init__.py", line 93, in check_system_sitepackages
    system_sitepackages = get_system_sitepackages()
  File "/home/bean/.pyenv/versions/3.6.9/envs/venv-3.6.9/lib/python3.6/site-packages/selinux/__init__.py", line 83, in get_system_sitepackages
    "import json, site; print(json.dumps(site.getsitepackages()))",
  File "/home/bean/.pyenv/versions/3.6.9/lib/python3.6/subprocess.py", line 356, in check_output
    **kwargs).stdout
  File "/home/bean/.pyenv/versions/3.6.9/lib/python3.6/subprocess.py", line 423, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/home/bean/.pyenv/versions/3.6.9/lib/python3.6/subprocess.py", line 729, in __init__
    restore_signals, start_new_session)
  File "/home/bean/.pyenv/versions/3.6.9/lib/python3.6/subprocess.py", line 1364, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/python3': '/usr/bin/python3'
```

I'm using pyenv. I did try to edit it to change the system python to /usr/bin/python; I got no errors but it just failed to work.

My python is: ~/.pyenv/versions/venv-3.6.9/bin/python3, version 3.6.9. I have selinux loaded in my virtual env:

```
[bean @ p-msfc-enms-cm ../versions/venv-3.6.9/bin] [master] $ pip list | grep selinux
selinux             0.2.1
```

ssbarnea commented 4 years ago

I am afraid that pyenv is not supported and I do not know a way to make it work. Basically, you need to build selinux bindings from source and install them, something that is not done by this extension.

I think that this also means that you cannot really use ansible from a pyenv environment on selinux enabled systems. I may be wrong but this needs to be confirmed with ansible core team.

beenje commented 4 years ago

I have the same issue when running ansible-lint from inside a conda environment. selinux is disabled on that server (CentOS 7):

```
$ sudo getenforce
Disabled
```

Is the libselinux-python3 package still required to detect that?

ssbarnea commented 4 years ago

AFAIK yes, and also ansible would fail. So it is not so much about whether you have selinux enabled or not; whenever it is available, ansible would ask about missing bindings.

beenje commented 4 years ago

Are you really sure about that? I've been running tests on several gitlab-runners (CentOS 7) with molecule. When we switched from Python 2 to Python 3 for Ansible, I had issues because there was no libselinux-python3 RPM for CentOS 7 at the time. Disabling selinux fixed the problem (it was in permissive mode before). I've been running tests successfully with ansible 2.9.11, ansible-lint 4.2.0, molecule 2.22 without bindings.

It's when upgrading to molecule 3.0.8 and ansible-lint 4.3.0 that I got an issue again and was forced to install libselinux-python3.

ssbarnea commented 4 years ago

You did not search well enough, the python3 library rpm is called python3-libselinux and is available from the default repositories.

beenje commented 4 years ago

> You did not search well enough, the python3 library rpm is called python3-libselinux and is available from the default repositories.

```
$ yum search libselinux
...
libselinux-python.x86_64 : SELinux python bindings for libselinux
libselinux-python3.x86_64 : SELinux python 3 bindings for libselinux
...
```

I know it is available now. My point was that it wasn't at the time we switched to Python 3, but I could make ansible work. I think you are the one that opened this issue: https://bugs.centos.org/view.php?id=16389

ssbarnea commented 4 years ago

Yes, I did. It was fixed after I lost hope. Lots of things changed in regards to python3 and centos-7, as some unprecedented backporting of python3.6 occurred in 7.8 -- a very useful move as it allows people to switch from py2 to py3 without having to also switch the entire operating system.
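
The traceback in the first post shows the import dying because a hard-coded `/usr/bin/python3` is executed to ask for the system site-packages. The sketch below is an added example, not the selinux shim's own code: it runs the same probe command against a list of candidate interpreters, returns an empty result instead of raising when none exists, and then checks whether the reported directories actually hold the bindings. The function names, the candidate list and the assumed on-disk layout (`selinux/__init__.py` plus a `_selinux*.so` extension) are assumptions made for illustration.

```python
import glob
import json
import os
import subprocess

# Probe command copied from the traceback in the first post.
PROBE = "import json, site; print(json.dumps(site.getsitepackages()))"

# Assumed candidates: the two interpreter paths mentioned in the thread.
DEFAULT_CANDIDATES = ("/usr/bin/python3", "/usr/bin/python")


def system_sitepackages(candidates=DEFAULT_CANDIDATES, timeout=10):
    """Return (interpreter, site-packages dirs) for the first candidate
    that answers the probe, or (None, []) when none does."""
    for exe in candidates:
        try:
            out = subprocess.check_output(
                [exe, "-c", PROBE], timeout=timeout, stderr=subprocess.DEVNULL
            )
            paths = json.loads(out.decode())
        except (OSError, subprocess.SubprocessError, ValueError):
            # Missing or non-executable interpreter, non-zero exit,
            # timeout, or output that is not JSON: try the next one.
            continue
        if isinstance(paths, list):
            return exe, [p for p in paths if isinstance(p, str)]
    return None, []


def find_selinux_bindings(sitepackages):
    """Return the first directory holding both the selinux package and a
    compiled _selinux extension (assumed layout), else None."""
    for d in sitepackages:
        pkg = os.path.join(d, "selinux", "__init__.py")
        ext = glob.glob(os.path.join(d, "_selinux*.so"))
        ext += glob.glob(os.path.join(d, "selinux", "_selinux*.so"))
        if os.path.isfile(pkg) and ext:
            return d
    return None


if __name__ == "__main__":
    exe, dirs = system_sitepackages()
    print("system interpreter:", exe)
    print("bindings found in:", find_selinux_bindings(dirs))
```
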