Bug #21999
Updated by Peter Amstutz 3 months ago
One of the advisories from the "Center for Internet Security":https://www.cisecurity.org regarding hardening hosts is mounting the @/tmp@ filesystem with @noexec@. This produces at least a couple of issues with the current way Arvados works in the cloud:
# Compute AMI creation fails: The compute image creation base script attempts to execute a program in @/tmp@
<pre>tools/compute-images/scripts/base.sh:135: unzip -q /tmp/awscliv2.zip -d /tmp && $SUDO /tmp/aws/install</pre>
# Arvados dispatch cloud by default copies itself to @/tmp@ when launching a new compute node instance: While this can be fixed by a configuration change, the fix implies that compute node AMIs need to be upgraded to get newer @crunch-run@ versions.
Implementation
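A pre-flight check for the failure mode described above, as an added example that is not part of the original issue or of the Arvados code base: it parses @/proc/mounts@-format text, finds the mount that holds a given path, and picks the first staging directory that is not mounted @noexec@. The sample mount table, the function names and the @/var/lib/staging@ path are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS='/dev/root / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/nvme1n1 /var/lib/staging ext4 rw,relatime 0 0'

# mount_opts_for MOUNTS_TEXT PATH
# Print the options of the mount holding PATH: the longest mount point that
# is a directory prefix of PATH. A later entry for the same mount point wins,
# which matches how stacked mounts behave.
mount_opts_for() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { best = -1 }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# is_noexec MOUNTS_TEXT PATH: exit status 0 if PATH sits on a noexec mount.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_exec_dir MOUNTS_TEXT DIR...: print the first candidate directory that
# is not on a noexec mount; exit status 1 if every candidate is noexec.
pick_exec_dir() {
    mounts=$1; shift
    for d in "$@"; do
        if ! is_noexec "$mounts" "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Stand-alone run on the sample; on a real host pass "$(cat /proc/mounts)".
# /var/lib/staging/install is a hypothetical alternative staging location.
pick_exec_dir "$SAMPLE_MOUNTS" /tmp /var/lib/staging/install
```

Run before an image build or node bootstrap, a check like this reports the @noexec@ condition up front instead of failing at the first attempt to execute a file staged under @/tmp@.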