Hi Guys,
I compiled my 389 with selinux enabled (--with-selinux):
configure:21564: checking for --with-selinux configure:21575: result: yes
with_selinux='yes'
but If I ran dscreate interactive, shows me: selinux is disabled, will not relabel ports or files.
The selinux is enabled on the system ~# getenforce Enforcing
Centos7 # ns-slapd -v 389 Project 389-Directory/1.4.2.4 B2019.352.1557
What am I missing? Could not found any related doc at 389 or rhds pages. Thanks.
Alberto Viana
On 12/18/19 3:21 PM, Alberto Viana wrote:
Hi Guys,
I compiled my 389 with selinux enabled (--with-selinux):
configure:21564: checking for --with-selinux configure:21575: result: yes
with_selinux='yes'
but If I ran dscreate interactive, shows me: selinux is disabled, will not relabel ports or files.
The selinux is enabled on the system ~# getenforce Enforcing
Centos7 # ns-slapd -v 389 Project 389-Directory/1.4.2.4 http://1.4.2.4 B2019.352.1557
What am I missing? Could not found any related doc at 389 or rhds pages.
Not sure, this is the code that is generating the error message:
import selinux if selinux.is_selinux_enabled(): # We have selinux, continue. status = True else: # We have the module, but it's disabled. log.error('selinux is disabled, will not relabel ports or files.' )
So this is all happening in the python library (python3-libselinux). Are you running dscreate as root?
Mark
Thanks.
Alberto Viana
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Mark,
Yes, I'm.
To compile lib389 I installed a package for python3 called "selinux" (via pip)
# pip3 show selinux Name: selinux Version: 0.2.1 Summary: shim selinux module Home-page: https://github.com/pycontribs/selinux Author: Sorin Sbarnea Author-email: sorin.sbarnea@gmail.com License: MIT license
May be am I missing this lib(python3-libselinux)?
On Wed, Dec 18, 2019 at 5:39 PM Mark Reynolds mreynolds@redhat.com wrote:
On 12/18/19 3:21 PM, Alberto Viana wrote:
Hi Guys,
I compiled my 389 with selinux enabled (--with-selinux):
configure:21564: checking for --with-selinux configure:21575: result: yes
with_selinux='yes'
but If I ran dscreate interactive, shows me: selinux is disabled, will not relabel ports or files.
The selinux is enabled on the system ~# getenforce Enforcing
Centos7 # ns-slapd -v 389 Project 389-Directory/1.4.2.4 B2019.352.1557
What am I missing? Could not found any related doc at 389 or rhds pages.
Not sure, this is the code that is generating the error message:
import selinux if selinux.is_selinux_enabled(): # We have selinux, continue. status = True else: # We have the module, but it's disabled. log.error('selinux is disabled, will not relabel ports or
files.' )
So this is all happening in the python library (python3-libselinux). Are you running dscreate as root?
Mark
Thanks.
Alberto Viana
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
--
389 Directory Server Development Team
On 12/18/19 4:05 PM, Alberto Viana wrote:
Mark,
Yes, I'm.
To compile lib389 I installed a package for python3 called "selinux" (via pip)
# pip3 show selinux Name: selinux Version: 0.2.1 Summary: shim selinux module Home-page: https://github.com/pycontribs/selinux Author: Sorin Sbarnea Author-email: sorin.sbarnea@gmail.com mailto:sorin.sbarnea@gmail.com License: MIT license
May be am I missing this lib(python3-libselinux)?
It's a requirement for lib389 in our specfile, should be easy to check for it.
What if you try an rpm using "make -f rpm.mk rpms" from the 389-ds-base/ directory?
On Wed, Dec 18, 2019 at 5:39 PM Mark Reynolds <mreynolds@redhat.com mailto:mreynolds@redhat.com> wrote:
On 12/18/19 3:21 PM, Alberto Viana wrote:
Hi Guys, I compiled my 389 with selinux enabled (--with-selinux): configure:21564: checking for --with-selinux configure:21575: result: yes with_selinux='yes' but If I ran dscreate interactive, shows me: selinux is disabled, will not relabel ports or files. The selinux is enabled on the system ~# getenforce Enforcing Centos7 # ns-slapd -v 389 Project 389-Directory/1.4.2.4 <http://1.4.2.4> B2019.352.1557 What am I missing? Could not found any related doc at 389 or rhds pages.
Not sure, this is the code that is generating the error message: import selinux if selinux.is_selinux_enabled(): # We have selinux, continue. status = True else: # We have the module, but it's disabled. log.error('selinux is disabled, will not relabel ports or files.' ) So this is all happening in the python library (python3-libselinux). Are you running dscreate as root? Mark
Thanks. Alberto Viana _______________________________________________ 389-users mailing list --389-users@lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> To unsubscribe send an email to389-users-leave@lists.fedoraproject.org <mailto:389-users-leave@lists.fedoraproject.org> Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
-- 389 Directory Server Development Team
Mark,
Seems that's not going to be so easy hehehe: error: Failed build dependencies: icu is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 bzip2-devel is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 doxygen is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-ldap is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-six is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-pyasn1 is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-pyasn1-modules is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-dateutil is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-argcomplete is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-argparse-manpage is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-policycoreutils is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-libselinux is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-packaging is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 npm is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64
Most packages are pretty easy to install but seems that python3-libselinux was not shipped into centos7: https://bugs.centos.org/view.php?id=16389 https://bugzilla.redhat.com/show_bug.cgi?id=1756015 https://bugzilla.redhat.com/show_bug.cgi?id=1719978
Seems to me there's no solution at this point, Am I right?
Thanks
On Wed, Dec 18, 2019 at 6:20 PM Mark Reynolds mreynolds@redhat.com wrote:
On 12/18/19 4:05 PM, Alberto Viana wrote:
Mark,
Yes, I'm.
To compile lib389 I installed a package for python3 called "selinux" (via pip)
# pip3 show selinux Name: selinux Version: 0.2.1 Summary: shim selinux module Home-page: https://github.com/pycontribs/selinux Author: Sorin Sbarnea Author-email: sorin.sbarnea@gmail.com License: MIT license
May be am I missing this lib(python3-libselinux)?
It's a requirement for lib389 in our specfile, should be easy to check for it.
What if you try an rpm using "make -f rpm.mk rpms" from the 389-ds-base/ directory?
On Wed, Dec 18, 2019 at 5:39 PM Mark Reynolds mreynolds@redhat.com wrote:
On 12/18/19 3:21 PM, Alberto Viana wrote:
Hi Guys,
I compiled my 389 with selinux enabled (--with-selinux):
configure:21564: checking for --with-selinux configure:21575: result: yes
with_selinux='yes'
but If I ran dscreate interactive, shows me: selinux is disabled, will not relabel ports or files.
The selinux is enabled on the system ~# getenforce Enforcing
Centos7 # ns-slapd -v 389 Project 389-Directory/1.4.2.4 B2019.352.1557
What am I missing? Could not found any related doc at 389 or rhds pages.
Not sure, this is the code that is generating the error message:
import selinux if selinux.is_selinux_enabled(): # We have selinux, continue. status = True else: # We have the module, but it's disabled. log.error('selinux is disabled, will not relabel ports or
files.' )
So this is all happening in the python library (python3-libselinux). Are you running dscreate as root?
Mark
Thanks.
Alberto Viana
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
--
389 Directory Server Development Team
--
389 Directory Server Development Team
On 19 Dec 2019, at 08:09, Alberto Viana albertocrj@gmail.com wrote:
Mark,
Seems that's not going to be so easy hehehe: error: Failed build dependencies: icu is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 bzip2-devel is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 doxygen is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-ldap is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-six is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-pyasn1 is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-pyasn1-modules is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-dateutil is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-argcomplete is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-argparse-manpage is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-policycoreutils is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-libselinux is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-packaging is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 npm is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64
Most packages are pretty easy to install but seems that python3-libselinux was not shipped into centos7: https://bugs.centos.org/view.php?id=16389 https://bugzilla.redhat.com/show_bug.cgi?id=1756015 https://bugzilla.redhat.com/show_bug.cgi?id=1719978
Seems to me there's no solution at this point, Am I right?
Okay, I see what's going on here.
When we develop DS, there is some strong parallels to which enterprise distros exist at the time. That's just the nature of it because enterprises tend to be the ldap customer, so we bend over backwards to make that work for RHEL and now SLES too. But it also means that we have to be careful about what versions of packages we use, and when. It causes "big jumps" between major versions, which you are feeling here.
When 1.3.x series was developed it was for RHEL7. That meant python2 and whatever gcc it had. At the time the setup of the instance was handled by perl, and a lot of the python tools were actually developed by me and others to be forward looking to python3 (ie dscreate which was always a python3 only tool).
When we "started" to prepare for RHEL8 and SLE15, we forked to the 1.4.x series and made the changes to our requirements to match - that included removing all perl tools in favour of dscreate and friends, and that meant requiring python3.
There is a lot more than just selinux that won't work for you here - I know for a fact I've started to use f-strings (a python 3 only feature) in lib389 now. I'm sure there is much more that will break for you as well as we don't test that combination. And it's really a good idea to use the versions/combinations we are developing on/support if you want the best experience.
My advice is that if you want to run 1.4.x, you should use it either on:
* Fedora 30/31 * RHEL8 * SLES or OpenSUSELeap 15.2 * RHEL7 + docker with -> https://hub.docker.com/r/389ds/dirsrv
Does that help explain what's going on and some possible ways forward?
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
William,
It's clear to me.
I will try centos8 :)
Thanks.
Alberto VIana
On Thu, Dec 19, 2019 at 2:50 AM William Brown wbrown@suse.de wrote:
On 19 Dec 2019, at 08:09, Alberto Viana albertocrj@gmail.com wrote:
Mark,
Seems that's not going to be so easy hehehe: error: Failed build dependencies: icu is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 bzip2-devel is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 doxygen is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-ldap is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-six is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-pyasn1 is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-pyasn1-modules is needed by
389-ds-base-1.4.2.4-20191218.el7.x86_64
python3-dateutil is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-argcomplete is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-argparse-manpage is needed by
389-ds-base-1.4.2.4-20191218.el7.x86_64
python3-policycoreutils is needed by
389-ds-base-1.4.2.4-20191218.el7.x86_64
python3-libselinux is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-packaging is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 npm is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64
Most packages are pretty easy to install but seems that
python3-libselinux was not shipped into centos7:
https://bugs.centos.org/view.php?id=16389 https://bugzilla.redhat.com/show_bug.cgi?id=1756015 https://bugzilla.redhat.com/show_bug.cgi?id=1719978
Seems to me there's no solution at this point, Am I right?
Okay, I see what's going on here.
When we develop DS, there is some strong parallels to which enterprise distros exist at the time. That's just the nature of it because enterprises tend to be the ldap customer, so we bend over backwards to make that work for RHEL and now SLES too. But it also means that we have to be careful about what versions of packages we use, and when. It causes "big jumps" between major versions, which you are feeling here.
When 1.3.x series was developed it was for RHEL7. That meant python2 and whatever gcc it had. At the time the setup of the instance was handled by perl, and a lot of the python tools were actually developed by me and others to be forward looking to python3 (ie dscreate which was always a python3 only tool).
When we "started" to prepare for RHEL8 and SLE15, we forked to the 1.4.x series and made the changes to our requirements to match - that included removing all perl tools in favour of dscreate and friends, and that meant requiring python3.
There is a lot more than just selinux that won't work for you here - I know for a fact I've started to use f-strings (a python 3 only feature) in lib389 now. I'm sure there is much more that will break for you as well as we don't test that combination. And it's really a good idea to use the versions/combinations we are developing on/support if you want the best experience.
My advice is that if you want to run 1.4.x, you should use it either on:
- Fedora 30/31
- RHEL8
- SLES or OpenSUSELeap 15.2
- RHEL7 + docker with -> https://hub.docker.com/r/389ds/dirsrv
Does that help explain what's going on and some possible ways forward?
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Thanks for the great explanation William!
On Thu, Dec 19, 2019 at 9:16 AM Alberto Viana albertocrj@gmail.com wrote:
William,
It's clear to me.
I will try centos8 :)
Thanks.
Alberto VIana
On Thu, Dec 19, 2019 at 2:50 AM William Brown wbrown@suse.de wrote:
On 19 Dec 2019, at 08:09, Alberto Viana albertocrj@gmail.com wrote:
Mark,
Seems that's not going to be so easy hehehe: error: Failed build dependencies: icu is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 bzip2-devel is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 doxygen is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-ldap is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-six is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-pyasn1 is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-pyasn1-modules is needed by
389-ds-base-1.4.2.4-20191218.el7.x86_64
python3-dateutil is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-argcomplete is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-argparse-manpage is needed by
389-ds-base-1.4.2.4-20191218.el7.x86_64
python3-policycoreutils is needed by
389-ds-base-1.4.2.4-20191218.el7.x86_64
python3-libselinux is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 python3-packaging is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64 npm is needed by 389-ds-base-1.4.2.4-20191218.el7.x86_64
Most packages are pretty easy to install but seems that
python3-libselinux was not shipped into centos7:
https://bugs.centos.org/view.php?id=16389 https://bugzilla.redhat.com/show_bug.cgi?id=1756015 https://bugzilla.redhat.com/show_bug.cgi?id=1719978
Seems to me there's no solution at this point, Am I right?
Okay, I see what's going on here.
When we develop DS, there is some strong parallels to which enterprise distros exist at the time. That's just the nature of it because enterprises tend to be the ldap customer, so we bend over backwards to make that work for RHEL and now SLES too. But it also means that we have to be careful about what versions of packages we use, and when. It causes "big jumps" between major versions, which you are feeling here.
When 1.3.x series was developed it was for RHEL7. That meant python2 and whatever gcc it had. At the time the setup of the instance was handled by perl, and a lot of the python tools were actually developed by me and others to be forward looking to python3 (ie dscreate which was always a python3 only tool).
When we "started" to prepare for RHEL8 and SLE15, we forked to the 1.4.x series and made the changes to our requirements to match - that included removing all perl tools in favour of dscreate and friends, and that meant requiring python3.
There is a lot more than just selinux that won't work for you here - I know for a fact I've started to use f-strings (a python 3 only feature) in lib389 now. I'm sure there is much more that will break for you as well as we don't test that combination. And it's really a good idea to use the versions/combinations we are developing on/support if you want the best experience.
My advice is that if you want to run 1.4.x, you should use it either on:
- Fedora 30/31
- RHEL8
- SLES or OpenSUSELeap 15.2
- RHEL7 + docker with -> https://hub.docker.com/r/389ds/dirsrv
Does that help explain what's going on and some possible ways forward?
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
On 20 Dec 2019, at 03:56, Chase Miller chasejmiller@gmail.com wrote:
Thanks for the great explanation William!
You're most welcome
On Thu, Dec 19, 2019 at 9:16 AM Alberto Viana albertocrj@gmail.com wrote: William,
It's clear to me.
I will try centos8 :)
Great! If you have any other issues please let us know, we'd be happy to help.
You may have already seen it, but also take a look at http://www.port389.org/docs/389ds/contributing.html and if you spot any issues let us know so we can fix them.
And as it's that time of year, I hope you all have a great holiday season and new years :)
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
389-users@lists.fedoraproject.org