
yahoo-eng-team team mailing list archive

[Bug 1839899] Re: cloud-init will not run user-data scripts when /var filesystem is mounted with the noexec flag


Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/3429

** Bug watch added: github.com/canonical/cloud-init/issues #3429
   https://github.com/canonical/cloud-init/issues/3429

** Changed in: cloud-init
       Status: Triaged => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1839899

Title:
  cloud-init will not run user-data scripts when /var filesystem is
  mounted with the noexec flag

Status in cloud-init:
  Expired

Bug description:
  Cloud Vendor: Amazon AWS
  Platform:     RHEL7.6
  Cloud-Init:   cloud-init-18.5-3.el7.x86_64
  Kernel:       3.10.0-1062.el7.x86_64
  SELinux:      selinux-policy-targeted-3.13.1-252.el7.1.noarch

  --

  We have identified that having the "noexec" flag set on the /var
  filesystem causes cloud-init to fail running user-data scripts. This
  is a security requirement mandated by STIG policies that we're
  purposefully trying to meet for Federal systems.

  The affected code is in:

  /usr/lib/python2.7/site-packages/cloudinit/util.py

  Under the function:

  runparts()

  The system checks for access to the executable using the following
  line:

          if os.path.isfile(exe_path) and os.access(exe_path, os.X_OK):
                                       ##  ^^^^^^^^^

  While the file is executable, the "noexec" flag on the filesystem
  causes os.access() to report False, which cancels the execution of the
  user-data script.

  To reproduce the problem:

  - Create new filesystem
  - Move /var files to new filesystem
  - Add /var to fstab with the "noexec" option
  - Mount new /var filesystem
  - Run cloud-init init
  - Run cloud-init modules -m final
  - Observe that the cloud-init scripts do not run

  Note that the files in /var/lib/cloud/instances/*/scripts/ are
  executable (mode 0755 or 0700).

  And that when trying to execute the file, you will get Error 13:
  Permission denied.

  --

  Possible fixes:

  - Search for marker on the first line of the file (#!) and add the requested shell as exe_prefix (as stated above)
  - Move /var/lib/cloud (or a portion thereof) to a different filesystem path and symlink it to original path

  We have tested the second workaround and it seems to help:

  # cloud-init clean
  # rm -Rf /var/lib/cloud
  # mkdir -p /etc/cloud/runtime
  # ln -s /etc/cloud/runtime /var/lib/cloud
  # restorecon -rv /var/lib/cloud

  After this, user-data scripts appear to execute.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1839899/+subscriptions
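The following is an added illustration, not cloud-init's own code: a small runparts-style decision helper showing how the os.access(X_OK) failure described in the report could be handled by checking the script's execute bits with stat(), consulting the mount table for a "noexec" option on the covering mount point, and, only when the script carries a "#!" line, invoking the interpreter explicitly as an exe_prefix (the first of the two fixes proposed above). The function names, the mounts-table format (that of /proc/self/mounts), and the constructed sample scripts are assumptions of this example.

```python
"""Hypothetical helper (not cloud-init's code) illustrating how a runparts-style
runner can cope with scripts stored on a filesystem mounted with noexec."""
import os
import stat
import tempfile


def mount_has_noexec(mounts_text: str, path: str) -> bool:
    """Return True if the longest-prefix mount point covering `path` carries the
    'noexec' option.  `mounts_text` is the text of /proc/self/mounts, whose
    fields are: device mountpoint fstype options dump pass."""
    path = os.path.abspath(path)
    best_point, best_opts = "", ""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        point, opts = fields[1], fields[3]
        # "/" covers everything; any other mount point must match on a path boundary
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if len(point) > len(best_point):
                best_point, best_opts = point, opts
    return "noexec" in best_opts.split(",")


def parse_shebang(path: str):
    """Return [interpreter, optional-argument] from a '#!' first line, or None.
    Like the kernel, everything after the interpreter becomes a single argument."""
    with open(path, "rb") as fh:
        first = fh.readline(512)
    if not first.startswith(b"#!"):
        return None
    line = first[2:].strip().decode("utf-8", "replace")
    return line.split(None, 1) if line else None


def build_command(path: str, mounts_text: str):
    """Decide how a script in a runparts directory should be invoked:
    - no execute bit at all: skip it (None), as runparts does today
    - execute bit set and the mount allows exec: run the file directly
    - execute bit set but the mount is noexec: prefix the interpreter named
      in the shebang; without a shebang there is no safe way to run it (None).
    Prefixing the interpreter deliberately sidesteps noexec for this directory,
    so the caller must keep it writable only by root."""
    if not os.path.isfile(path):
        return None
    mode = os.stat(path).st_mode
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return None
    if not mount_has_noexec(mounts_text, path):
        return [path]
    interp = parse_shebang(path)
    return None if interp is None else interp + [path]


def demo() -> dict:
    """Constructed scenario: one script with a shebang and one without, both
    mode 0755, evaluated against a mounts table with and without noexec on the
    directory holding them."""
    d = tempfile.mkdtemp()
    with_shebang = os.path.join(d, "part-001")
    bare = os.path.join(d, "part-002")
    with open(with_shebang, "w") as fh:
        fh.write("#!/bin/sh -e\necho hello from user-data\n")
    with open(bare, "w") as fh:
        fh.write("echo no shebang here\n")
    for p in (with_shebang, bare):
        os.chmod(p, 0o755)
    plain = "rootfs / ext4 rw,relatime 0 0\n"                      # constructed
    noexec = plain + f"tmpfs {d} tmpfs rw,nosuid,noexec,relatime 0 0\n"  # constructed
    return {
        "shebang_script": with_shebang,
        "bare_script": bare,
        "shebang_plain": build_command(with_shebang, plain),
        "shebang_noexec": build_command(with_shebang, noexec),
        "bare_plain": build_command(bare, plain),
        "bare_noexec": build_command(bare, noexec),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script it prints the decision for each case; on a real host the same helpers can be fed the contents of /proc/self/mounts instead of the constructed table. The stat()-based check is what distinguishes "the file is not executable" (skip, as today) from "the filesystem forbids exec" (fall back to the shebang interpreter), which os.access() alone cannot tell apart.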