Bug #21999: Support compute nodes with /tmp mounted with "noexec" flag
Status: New
Priority: Normal
Assigned To: -
Category: Deployment
Target version: -
Story points: -
Description
One of the advisories from the Center for Internet Security regarding hardening hosts is mounting the /tmp filesystem with noexec. This produces at least a couple of issues with the current way Arvados works in the cloud:
- Compute AMI creation fails: the compute image creation base script attempts to execute a program in /tmp:
  tools/compute-images/scripts/base.sh:135: unzip -q /tmp/awscliv2.zip -d /tmp && $SUDO /tmp/aws/install
- Arvados dispatch cloud by default copies itself to /tmp when launching a new compute node instance: while this can be fixed by a configuration change, the fix implies that compute node AMIs need to be upgraded to get newer crunch-run versions.