yahoo-eng-team team mailing list archive

[Bug 1717627] [NEW] permission denied when executing dhclient in Ec2 datasource

 

Public bug reported:

In the ec2 datasource, cloud-init runs dhclient from a tmp file in order
to avoid apparmor restrictions and side effects.

In a change for bug 1707222 we started using /run/cloud-init for tmpfiles.
/run is mounted noexec.  See example:


$ sudo /run/cloud-init/tmp/dhclient -1 -v -lf /run/cloud-init/tmp/cloud-init-dhcp-bs6g4xkw/dhcp.leases -pf /run/cloud-init/tmp/cloud-init-dhcp-bs6g4xkw/dhclient.pid eth0 -sf /bin/true
sudo: unable to execute /run/cloud-init/tmp/dhclient: Permission denied


So, we need a tmp file in a place that allows execution.

** Affects: cloud-init
     Importance: High
         Status: Confirmed

** Affects: cloud-init (Ubuntu)
     Importance: High
         Status: Confirmed

** Merge proposal linked:
   https://code.launchpad.net/~chad.smith/cloud-init/+git/cloud-init/+merge/330875

** Changed in: cloud-init
       Status: New => Confirmed

** Changed in: cloud-init
   Importance: Undecided => High

** Also affects: cloud-init (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: cloud-init (Ubuntu)
       Status: New => Confirmed

** Changed in: cloud-init (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1717627

Title:
  permission denied when executing dhclient in Ec2 datasource

Status in cloud-init:
  Confirmed
Status in cloud-init package in Ubuntu:
  Confirmed

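The failure reported above comes from the `noexec` option on the mount that holds the temporary copy of dhclient. The following is an added example, not cloud-init's code or its fix: it decides from a mount table whether a directory permits execution and picks the first candidate that does. The mount table is a constructed sample in /proc/mounts format, and the candidate directories and all function names are assumptions.

```python
import os

# Constructed sample in /proc/mounts format (not taken from the bug report).
SAMPLE_MOUNTS = """\
/dev/xvda1 / ext4 rw,relatime,discard 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=101444k,mode=755 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""


def parse_mounts(text):
    """Return {mount_point: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # Later entries for the same mount point shadow earlier ones.
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def mount_for(path, mounts):
    """Find the mount point that contains path (longest prefix match)."""
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        # Compare on a path-component boundary so /runner is not under /run.
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best = mp
    return best


def allows_exec(path, mounts):
    """False when the filesystem holding path is mounted noexec."""
    return "noexec" not in mounts.get(mount_for(path, mounts), set())


def pick_exec_dir(candidates, mounts):
    """Return the first candidate directory on an exec-capable mount."""
    for directory in candidates:
        if allows_exec(directory, mounts):
            return directory
    raise RuntimeError("no candidate directory permits execution")
```

On a live system the same functions can be fed the real table with `parse_mounts(open("/proc/mounts").read())`.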