Bug #21999

Updated by Peter Amstutz 3 months ago

One of the advisories from the "Center for Internet Security":https://www.cisecurity.org regarding hardening hosts is mounting the @/tmp@ filesystem with @noexec@. This produces at least a couple of issues with the current way Arvados works in the cloud: 

 # Compute AMI creation fails: The compute image creation base script attempts to execute a program in @/tmp@ 
 <pre>tools/compute-images/scripts/base.sh:135:    unzip -q /tmp/awscliv2.zip -d /tmp && $SUDO /tmp/aws/install</pre> 
 # Arvados dispatch cloud by default copies itself to @/tmp@ when launching a new compute node instance: While this can be fixed by a configuration change, the fix implies that compute node AMIs need to be upgraded to get newer @crunch-run@ versions. 

 Implementation
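A check for the condition described above, as an added example that is not from the Arvados code base: it reads a @/proc/mounts@-format table to tell whether a directory sits on a @noexec@ mount, and picks the first candidate directory where execution is allowed. The function names, the sample mount table and the candidate directories are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Arvados code. All function names are hypothetical.

# mount_opts_for DIR [MOUNTS_FILE]: print the options of the most specific mount covering DIR.
mount_opts_for() {
    awk -v d="$1" '
        {
            mp = $2
            # A mount covers d if it is d itself, the root, or a path prefix of d.
            if (mp == d || mp == "/" || index(d, mp "/") == 1) {
                # Longest mount point wins; ">=" lets a later mount on the same point win.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec DIR [MOUNTS_FILE]: succeed if DIR is on a mount carrying the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_exec_dir MOUNTS_FILE DIR...: print the first candidate that is not noexec.
pick_exec_dir() {
    mounts=$1; shift
    for cand in "$@"; do
        if ! is_noexec "$cand" "$mounts"; then printf '%s\n' "$cand"; return 0; fi
    done
    return 1
}

# Constructed mount table modelling a host hardened with noexec on /tmp.
sample_mounts() {
    cat <<'EOF'
/dev/root / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# Demo: /tmp/aws is rejected, so the installer would be unpacked under /var/tmp.
demo_table=$(mktemp) && sample_mounts > "$demo_table"
is_noexec /tmp/aws "$demo_table" && echo "/tmp/aws: noexec, cannot run installer here"
echo "usable directory: $(pick_exec_dir "$demo_table" /tmp /var/tmp)"
rm -f "$demo_table"
```

Calling @is_noexec /tmp@ with no second argument checks the live host through @/proc/mounts@.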