Ansible changes for RH 7 and Python3 #278
Conversation
pull-request-size
bot
added
the
size/M
roles/StackStorm.st2/tasks/main.yml
Outdated
| - name: Install python3 SELinux policies | ||
| become: yes | ||
| yum: | ||
| name: libselinux-python3 |
There was a problem hiding this comment.
Do we really need libselinux-python3 dependency? I can't find any usage in StackStorm.st2 role.
There was a problem hiding this comment.
It depends really on what python3 modules are used, ST2 itself doesn't need it, but there may be packs that import modules that need it given they are being moved from python2 -> 3, and therefore don't get the python3 selinux policies by default.
We could remove it, and then it would be up to the packs to ensure that they add the dependency if they need it.
I'm fine with either method.
There was a problem hiding this comment.
That dependency is already installed in nginx role:
ansible-st2/roles/StackStorm.nginx/vars/redhat_8.yml
Lines 1 to 3 in 75193b9
which is then used to adjust some security restrictions that may come by default in RHEL/CentOS
ansible-st2/roles/StackStorm.nginx/tasks/nginx_redhat.yml
Lines 81 to 95 in 75193b9
With that, we don't need it in st2 role, but may need to update the
ansible-st2/roles/StackStorm.nginx/vars/redhat.yml
Lines 1 to 3 in 75193b9
There was a problem hiding this comment.
Thanks - that's a better place to put it. Will move it to Nginx role.
| - libselinux-python | ||
| - libselinux-python3 |
There was a problem hiding this comment.
That looks even more weird now.
If we install libselinux-python, why do we need libselinux-python3 then (and vice-versa)?
Feels like we're doing something wrong.
There was a problem hiding this comment.
selinux lib is used just for this:
ansible-st2/roles/StackStorm.nginx/tasks/nginx_redhat.yml
Lines 88 to 95 in d587460
There was a problem hiding this comment.
According to https://docs.ansible.com/ansible/2.5/modules/seboolean_module.html#requirements
The below requirements are needed on the host that executes this module.
libselinux-python
libsemanage-python
It looks like selinux python3 is not needed at all in this situation as we have all the required dependencies for seboolean Ansible module already in place.
There was a problem hiding this comment.
I've done a bit more searching... I don't believe nginx needs libselinux-python3.
I've taken it off the system, and everything is still functioning. I
However...
If we have in our code or any code that gets imported an "import selinux" then it's going to fail on the move to python3 without the include of libselinux-python3. But I've searched and none of the packs in StackStorm exchange do this explicitly (and we don't include it in the st2 repo either).
ansible itself will still use python2, and it's a well reported one of failing if libselinux-python is not installed. So I believe we will want to keep the libselinux-python. It's also a dependency of policycoreutils-python, which is needed for the semanage call. So libselinux-python would be required.
I'm going to take libselinux-python3 out for now. And I'll do the same in the bash installer so that it's same environment.
There was a problem hiding this comment.
Thanks for the research, @amanda11!
This should also shed more light about the pack dependencies topic:
StackStorm/st2-packages#241
StackStorm/st2docs#979 (comment)
Updates for playbooks to install the libselinux-python3 module on EL 7
Updates for playbooks to check that python3-devel is available. If not available then locate the optional server repo and install python3-devel RPM from there. Needed for RHEL where python3-devel is in a disabled repo, and therefore will not get pulled in automatically as a dependency when st2 rpm is installed.
Part of StackStorm/community#54