Bug #21999 (open)
Support compute nodes with /tmp mounted with "noexec" flag
Status:
New
Priority:
Normal
Assigned To:
-
Category:
Deployment
Target version:
Story points:
-
Description
One of the advisories from the Center for Internet Security regarding hardening hosts is mounting the /tmp filesystem with noexec. This produces at least a couple of issues with the current way Arvados works in the cloud:
- Compute AMI creation fails: the compute image creation base script attempts to execute a program in /tmp (tools/compute-images/scripts/base.sh:135: unzip -q /tmp/awscliv2.zip -d /tmp && $SUDO /tmp/aws/install).
- Arvados dispatch cloud by default copies itself to /tmp when launching a new compute node instance: while this can be fixed by a configuration change, the fix implies that compute node AMIs need to be upgraded to get newer crunch-run versions.
Updated by Peter Amstutz 10 days ago
So if the problem is mainly using /tmp, we should be using a different directory, maybe /root or /var/spool/something ?
Updated by Lucas Di Pentima 10 days ago
Yes, I was thinking of just using $HOME/tmp for every case. Maybe a-d-c would benefit from a new config knob to set that directory to some sensible (or /tmp) default?
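One defensive way to handle the failure described in the issue (an installer unpacked into, and executed from, a noexec /tmp) is to probe a candidate scratch directory for execute permission before using it, falling back to an alternative such as the $HOME/tmp proposed above. This is an added example, not code from Arvados or its base.sh; the candidate list and the final echo are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not Arvados code): choose a scratch directory that permits
# execution before unpacking an installer such as awscliv2.zip into it.
# Needs only POSIX sh and mktemp.

# Return 0 if the filesystem holding $1 allows running a file placed there,
# 1 otherwise. Probe empirically instead of parsing mount options, so a
# noexec mount, a non-writable directory and a missing directory all fail.
dir_allows_exec() {
    probe=$(mktemp "$1/execprobe.XXXXXX" 2>/dev/null) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 0700 "$probe"
    if "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    rm -f "$probe"
    return 1
}

# Print the first candidate directory that exists, is writable and allows
# execution; return 1 if none qualifies.
choose_work_dir() {
    for cand in "$@"; do
        [ -d "$cand" ] && [ -w "$cand" ] || continue
        if dir_allows_exec "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Example use, mirroring the base.sh step: pick the work directory instead of
# hard-coding /tmp. The candidate list is an assumption for illustration.
if WORKDIR=$(choose_work_dir "${TMPDIR:-/tmp}" "${HOME:-/root}/tmp" /var/tmp); then
    echo "would unzip awscliv2.zip into $WORKDIR and run $WORKDIR/aws/install"
else
    echo "no writable, exec-capable scratch directory found" >&2
fi
```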