Bug #21999
closed
Support compute nodes with /tmp mounted with "noexec" flag
Description
One of the advisories from the Center for Internet Security regarding hardening hosts is mounting the /tmp filesystem with noexec. This produces the following issue when creating a compute node image:
Compute AMI creation fails: The compute image creation base script attempts to execute a program in /tmp
tools/compute-images/scripts/base.sh:135: unzip -q /tmp/awscliv2.zip -d /tmp && $SUDO /tmp/aws/install
Related issues
Updated by Peter Amstutz 4 months ago
So if the problem is mainly using /tmp, we should be using a different directory, maybe /root or /var/spool/something ?
Updated by Lucas Di Pentima 4 months ago
Yes, I was thinking in just using $HOME/tmp for every case. Maybe a-d-c would benefit of a new config knob to set that directory to some sensible (or /tmp) default?
Updated by Peter Amstutz 4 months ago
- Target version changed from Development 2024-08-07 sprint to Development 2024-08-28 sprint
Updated by Peter Amstutz 4 months ago
- Target version changed from Development 2024-08-28 sprint to Development 2024-08-07 sprint
Updated by Peter Amstutz 4 months ago
- Target version changed from Development 2024-08-07 sprint to Development 2024-08-28 sprint
- Description updated (diff)
Updated by Peter Amstutz 3 months ago
- Related to Feature #22029: arvados-dispatch-cloud option to use a different directory than /tmp for staging the crunch-run binary added
Updated by Peter Amstutz 3 months ago
- Target version changed from Development 2024-08-28 sprint to Development 2024-09-11 sprint
Updated by Peter Amstutz 3 months ago
- Target version changed from Development 2024-09-11 sprint to Development 2024-09-25 sprint
Updated by Peter Amstutz 3 months ago
- Blocked by Support #22030: Have a testing environment where /tmp is noexec added
Updated by Peter Amstutz about 2 months ago
- Target version changed from Development 2024-09-25 sprint to Development 2024-10-09 sprint
Updated by Lucas Di Pentima about 1 month ago
- Status changed from New to In Progress
Updated by Lucas Di Pentima about 1 month ago
21999-packer-fixes @ 72d634e3cf
packer-build-compute-image: #260
- All agreed upon points are implemented / addressed. Describe changes from pre-implementation design.
- Yes
- Anything not implemented (discovered or discussed during work) has a follow-up story.
- This story doesn't explicitly mention that the packer scripts should work with a CIS L1 AMI (ami-0dc4762eb2bdd9a25). I've done some manual testing and it fails on the singularity build stage, unrelated to running things in
/tmp.
- This story doesn't explicitly mention that the packer scripts should work with a CIS L1 AMI (ami-0dc4762eb2bdd9a25). I've done some manual testing and it fails on the singularity build stage, unrelated to running things in
- Code is tested and passing, both automated and manual, what manual testing was done is described.
- I've manually tested creating an AMI passing
--workdir /home/adminand it worked fine.
- I've manually tested creating an AMI passing
- New or changed UX/UX and has gotten feedback from stakeholders.
- Just a new
--workdir <path>argument
- Just a new
- Documentation has been updated.
- Yes
- Behaves appropriately at the intended scale (describe intended scale).
- N/A
- Considered backwards and forwards compatibility issues between client and server.
- Yes. The working directory is now parametrized, and defaults to
/tmpso it's backwards compatible.
- Yes. The working directory is now parametrized, and defaults to
- Follows our coding standards and GUI style guidelines.
- N/A
Because this story is about being able to support base images with /tmp mounted with noexec, I made it possible for the user to specify another path instead of /tmp.
Additional work is required to make it work with CIS Level 1 Debian 11, because for some reason when trying to build singularity it doesn't detect the Go compiler (although there's no error output related to the Go compiler installation phase):
...
amazon-ebs: Processing triggers for libc-bin (2.31-13+deb11u11) ...
amazon-ebs: Configuring for project `singularity-ce' with languages: C, Golang
amazon-ebs: => running pre-basechecks project specific checks ...
amazon-ebs: => running base system checks ...
amazon-ebs: checking: host C compiler... cc
amazon-ebs: checking: host C++ compiler... c++
amazon-ebs: checking: host Go compiler (at least version 1.17)... not found!
amazon-ebs: mconfig: could not complete configuration
==> amazon-ebs: Provisioning step had errors: Running the cleanup provisioner, if present...
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: No volumes to clean up, skipping
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...
Build 'amazon-ebs' errored after 6 minutes 7 seconds: Script exited with non-zero exit status: 1. Allowed exit codes are: [0]
If we're going to officially support these CIS issued images, I can continue investigating the cause of the failures and make an official pipeline on Jenkins for it on this ticket, or maybe on a separate one.
Updated by Peter Amstutz about 1 month ago
- Target version changed from Development 2024-10-09 sprint to Development 2024-10-23 sprint
Updated by Brett Smith about 1 month ago
Lucas Di Pentima wrote in #note-15:
21999-packer-fixes @ 72d634e3cf
Just one --workdir documentation nit: in the phrase "The directory on which," using the preposition "on" to describe stuff that happens "in" the directory sounds just slightly off to native English speaker ears. Suggest instead:
The directory where data files are staged and setup scripts are run
If you want to workshop it further in chat, happy to do that. Please go ahead and merge, thanks.
Updated by Lucas Di Pentima about 1 month ago
Thanks for the suggestion, fixed and merged!
Updated by Lucas Di Pentima about 1 month ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|ab23c5a297429d1cf659946c2f03a718f02fa543.