[Ansible] Solution for "(libselinux-python) aren't installed!" for CentOS 6 Playbook
Hello everyone.
I am a member of the System Solutions Department, and I have a sudden urge to eat tsukemen and pasta.
When you try to update or change a manually managed CentOS 6 environment using Ansible, the error "(libselinux-python) aren't installed!" tends to occur.
I think this error can often be dealt with manually.
However, it is a hassle to fix every machine by hand when there are a lot of them and you want to manage them with Ansible in the first place.
So I thought, "It would be easier to solve that with Ansible," and wrote a playbook.
This time, I will introduce and explain a playbook that resolves "(libselinux-python) aren't installed!" on CentOS 6.
Preface
- We do not recommend operating on CentOS 6.
This is only an emergency measure for CentOS 6 environments that still exist for unavoidable reasons.
- This article uses a version that is no longer supported.
This is also for emergency use and is not a recommendation.
Basic cause
"(libselinux-python) aren't installed!" is an error that occurs when you use a module that makes changes, such as file operations, and both of the following are true:
- SELinux is not completely disabled (*1)
- AND the libselinux-python package is not installed (*2)
*1. This error will not occur if SELinux is disabled.
*2. Ansible runs on Python, so it needs a Python package to operate SELinux.
*For Python 3, it is "python3-libselinux", but it seems that it is not generally provided for CentOS 6.
Manual solution
# sudo yum install libselinux-python
If you include "libselinux-python" on the target side, the problem is basically resolved.
* "python3-libselinux" for Python 3
However, CentOS 6 is EOL, so there is a high possibility that you will not be able to use yum if the repositories are left at their defaults.
In that case, you will need to perform a local installation using wget & rpm from an available repository.
Therefore, manual handling in multiple environments is relatively difficult.
Q. Why do you change it using a playbook?
A. I want to do the work with Ansible, but it's a pain to do this part manually beforehand. And it's not only the hassle: it's easy to end up thinking, "If I need to do it manually, I'll do it all manually," and I want to avoid putting the cart before the horse. Therefore, our stance is: "We want to actively move anything that can be done stably with Ansible over to Ansible."
Q. Isn't it compatible with CentOS 7?
A. I think it would be smarter to handle version differences by separating the playbooks and making decisions/branching at the include/import stage.
I was worried about making it compatible, but it already includes branching for when "yum" cannot be used, making it a little complicated.
Since the directory hierarchy name of the repository may change depending on the OS version, there will be more branches.
We did not include it because we judged that creating version branches within a single playbook would reduce readability and maintainability.
Execution environment
■ Linux environment
OS: AlmaLinux release 8.5 (WSL2 environment)
Shell: Bash
Docker: 26.1.0, build 9714adc

■ Ansible environment (Docker container in WSL2)
OS: AlmaLinux release 8.9
Ansible: Ansible-core 2.12.10

■ Windows environment
OS: Windows11 Pro (version: 23H2)
Language setting: Changed to Japanese

■ CentOS 6 environment (Vagrant + VirtualBox)
OS: CentOS 6.9 (bento / centos-6.9)
Vagrant: 2.4.1
VirtualBox: 7.0.18 r162988 (Qt5.15.2)
IP: 192.168.33.15
Ansible 2.12 environment construction steps
This article uses the corresponding old version of Ansible (2.12).
In the previous article, I explained how to build Ansible 2.12, so please refer to it.
[Ansible 2.12] Build an Ansible execution environment for CentOS 6 using Docker in WSL2
Playbook
This playbook is intended to be used preventively when running playbooks against a CentOS 6 environment: "If you include/import it first, you can execute without causing the error."
*Of course, you can also use this playbook to resolve the issue after the error occurs.
libselinux-python_wget.yml
The format is to use import_tasks on the main.yml side to load this playbook.
(Because the author likes to separate playbooks into roles in order to improve reusability, readability, and maintainability)
---
## Variable default
# wget_repo | default ("http://ftp.iij.ad.jp/pub/linux/centos-vault")

- name: Check SELinux
  ansible.builtin.command:
    cmd: getenforce
  register: SELinux_result

- ansible.builtin.debug:
    var: SELinux_result.stdout

- name: Check libeselinux-python
  ansible.builtin.shell:
    cmd: rpm -aq | grep libselinux-python
  register: rpm_result
  ignore_errors: yes

- ansible.builtin.debug:
    var: rpm_result.stdout

# If SELinux is disabled, Ansible runs without the package, so this task is skipped.
# It is also skipped if libselinux-python is already installed.
- name: yum install libselinux-python
  ansible.builtin.yum:
    name: libselinux-python
    state: present
  register: yum_libselinux_result
  ignore_errors: yes
  when: not ( SELinux_result.stdout is search("disabled") ) and not ( rpm_result.stdout is search("libselinux-python*"))

# If installation with yum fails, install with wget
- name: Setup libselinux-python
  when: yum_libselinux_result is failed and not ( rpm_result.stdout is search("libselinux-python*"))
  block:
    # The package file name changes with the OS version,
    # so store the HTML of the Packages listing in a variable
    - name: Get OS_version Packages
      ansible.builtin.uri:
        url: "{{ wget_repo | default('http://ftp.iij.ad.jp/pub/linux/centos-vault') }}/{{ ansible_distribution_version }}/os/x86_64/Packages/"
        method: GET
        return_content: yes
      register: packages_content

    # Get the rpm name of "libselinux-python" from the HTML
    - name: Extract rpm_name
      ansible.builtin.set_fact:
        rpm_name: "{{ packages_content.content | regex_search('libselinux-python-(.*?)\\.x86_64\\.rpm') }}"

    - ansible.builtin.debug:
        var: rpm_name

    # Download with the obtained rpm name
    - name: Download libselinux-python
      ansible.builtin.get_url:
        url: "{{ wget_repo | default('http://ftp.iij.ad.jp/pub/linux/centos-vault') }}/{{ ansible_distribution_version }}/os/x86_64/Packages/{{ rpm_name }}"
        dest: "/tmp/{{ rpm_name }}"

    # Install with rpm for situations where yum cannot be used
    - name: Install libselinux-python
      ansible.builtin.command: rpm -ivh /tmp/"{{ rpm_name }}"
I have mostly written my intentions in the comments, but I will also explain them below.
# wget_repo | default ("http://ftp.iij.ad.jp/pub/linux/centos-vault")
If yum cannot be used, libselinux-python is fetched directly from a repository.
The repository to use is specified by a variable; the comment at the top notes that the IIJ repository is used if the variable is not specified.
- name: Check SELinux
- name: Check libeselinux-python
In an environment where SELinux is disabled, "libselinux-python" is not necessary because Ansible runs without it.
So the SELinux status is checked first and stored in a variable for the later conditions.
Also, considering that yum cannot be used on CentOS 6, whether the package is already installed is checked with rpm through the shell module.
This result is also stored in a variable for the later conditions.
- name: yum install libselinux-python
This task runs when the SELinux status is anything other than "disabled" and "libselinux-python" is not installed.
It tries to install with the yum module; if the package gets installed or is already installed, that is OK.
If "yum" cannot be used and the task fails, "ignore_errors: yes" lets the play continue, the failure is stored in a variable for the later condition, and the subsequent tasks try to fetch the package directly from the repository.
- name: Setup libselinux-python
when: yum_libselinux_result is failed
block:
This is a task block that runs when installation with "yum" fails (the when condition); it fetches the package directly from the repository and installs it.
First, using "ansible_distribution_version" from ansible_facts, it obtains the full package name of "libselinux-python" from the repository directory that matches the minor version of the OS and saves it in a variable.
Then it uses that variable to download the file with the get_url module and installs it locally with rpm via the command module.
Execution example
Inventory file for verification environment
The default for CentOS 6 (bento / centos-6.9) was password authentication, but there may be environments where this is not recommended.
---
all:
  vars:
    ansible_user: vagrant
  hosts:
    targetnode:
      ansible_host: 192.168.33.15
      ansible_ssh_pass: vagrant
main.yml
No tasks are written on the main.yml side, and the playbook is loaded using import_tasks.
(Because the author likes to separate playbooks into roles in order to improve reusability, readability, and maintainability)
- name: libselinux-python
  hosts: targetnode
  become: yes
  vars:
    wget_repo: "http://ftp.iij.ad.jp/pub/linux/centos-vault"
  tasks:
    - name: Include libeselinux-python(wget)
      ansible.builtin.import_tasks: libselinux-python_wget.yml
Playbook execution
In this article, we will run it from a container with an older Ansible version.
[root@author container environment work]# ansible-playbook -i hosts main.yml
Lastly
Although it takes a lot of time, I tried to incorporate work that can be standardized into Ansible.
Once that is done, you can reuse it many times, and it was good because I learned a lot in terms of getting used to Ansible.
There is a high probability that "yum" cannot be used in a CentOS 6 environment, making the hurdles for installing Ansible high, so I hope this article gives readers an opportunity to try Ansible or provides some useful knowledge or information.
Thank you for reading this far!
Reference materials
ansible.builtin.yum module – Manages packages with the yum package manager
https://docs.ansible.com/ansible/9/collections/ansible/builtin/yum_module.html