workaround ansible bug with selinux on and...

no python bindings for selinux installed Signed-off-by: Tomas Tomecek <[email protected]>
ansible-community · Apr 5, 2019 · 3a29a2e · 3a29a2e
1 parent 00b1e3a
commit 3a29a2e
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 0 deletions.
diff --git a/ansible_bender/core.py b/ansible_bender/core.py
@@ -30,6 +30,7 @@
 """
 import copy
 import datetime
+import importlib
 import json
 import logging
 import os
@@ -38,6 +39,7 @@
 import subprocess
 import sys
 import tempfile
+from pathlib import Path
 
 import yaml
 
@@ -238,12 +240,38 @@ def __init__(self, playbook_path):
         self.metadata = ImageMetadata()
         self.build.metadata = self.metadata
 
+    def _check_selinux_iz_gud(self):
+        """
+        This is a workaround for a weird behavior of ansible: if selinux is
+        in the enforcing mode and python3-libselinux is not installed, ansible freezes
+
+        https://bugzilla.redhat.com/show_bug.cgi?id=1696706
+        :return:
+        """
+        try:
+            enforcing_status = Path("/sys/fs/selinux/enforce").read_text()
+        except FileNotFoundError:
+            logger.debug("this system is not using selinux, /sys/fs/selinux/enforce is not present")
+            return
+        logger.debug(f"selinux enforce status = {enforcing_status}")
+        # it can be enforcing or not, selinux python module needs to be present
+        try:
+            importlib.import_module("selinux")
+        except ModuleNotFoundError:
+            raise RuntimeError(
+                "\nThis system is using selinux(8) and selinux python module is not installed. "
+                "There is a known issue in ansible that it freezes in this setup:\n"
+                "  https://bugzilla.redhat.com/show_bug.cgi?id=1696706\n"
+                "Please install libselinux python bindings (on Fedora the package name is python3-libselinux)."
+            )
+
     def expand_pb_vars(self):
         """
         populate vars from a playbook, defined in vars section
 
         :return: dict with the content of ansible_bender var
         """
+        self._check_selinux_iz_gud()
         with open(self.playbook_path) as fd:
             plays = yaml.safe_load(fd)
 

diff --git a/tests/unit/test_ansibla.py b/tests/unit/test_ansibla.py
@@ -0,0 +1,65 @@
+import importlib
+from functools import partial
+from pathlib import Path
+
+import pytest
+from flexmock import flexmock
+
+from ansible_bender.core import PbVarsParser
+
+
+def mock_read_text(return_val=None, raise_exc=False):
+    if raise_exc:
+        def _f():
+            raise FileNotFoundError()
+        flexmock(Path, read_text=_f)
+    else:
+        flexmock(Path, read_text=lambda: return_val)
+
+
+def mock_import_module(raise_exc=False):
+    if raise_exc:
+        def _f(name, package=None):
+            raise ModuleNotFoundError()
+        flexmock(importlib, import_module=_f)
+    else:
+        flexmock(importlib, import_module=lambda name: None)
+
+
+@pytest.mark.parametrize("mock_r_t,mock_i_m,should_raise", (
+    (
+        partial(mock_read_text, "1"),
+        partial(mock_import_module, False),
+        False
+    ),
+    (
+        partial(mock_read_text, "1"),
+        partial(mock_import_module, True),
+        True
+    ),
+    (
+        partial(mock_read_text, "0"),
+        partial(mock_import_module, False),
+        False
+    ),
+    (
+        partial(mock_read_text, "0"),
+        partial(mock_import_module, True),
+        True
+    ),
+    (
+        partial(mock_read_text, None, True),
+        partial(mock_import_module, False),
+        False
+    ),
+))
+def test_ansible_selinux_workaround(mock_r_t, mock_i_m, should_raise):
+    mock_r_t()
+    mock_i_m()
+    p = PbVarsParser("")
+    if should_raise:
+        with pytest.raises(RuntimeError) as ex:
+            p._check_selinux_iz_gud()
+        assert "libselinux" in str(ex.value)
+    else:
+        p._check_selinux_iz_gud()