cloud-init will not run user-data scripts when /var filesystem is mounted with the noexec flag
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cloud-init |
Expired
|
Medium
|
Unassigned |
Bug Description
Cloud Vendor: Amazon AWS
Platform: RHEL7.6
Cloud-Init: cloud-init-
Kernel: 3.10.0-
SELinux: selinux-
--
We have identified that having the "noexec" flag set on the /var filesystem causes cloud-init to fail running user-data scripts. This is a security requirement mandated by STIG policies that we're purposefully trying to meet for Federal systems.
The affected code is in:
/usr/lib/
Under the function:
runparts()
The system checks for access to the executable using the following line:
if os.path.
While the file is executable, the "noexec" flag on the filesystem causes os.access() to report False, which cancels the execution of the user-data script.
To reproduce the problem:
- Create new filesystem
- Move /var files to new filesystem
- Add /var to fstab with the "noexec" option
- Mount new /var filesystem
- Run cloud-init init
- Run cloud-init modules -m final
- Observe that the cloud-init scripts do not run
Note that the files in /var/lib/
And that when trying to execute the file, you will get Error 13: Permission denied.
--
Possible fixes:
- Search for marker on the first line of the file (#!) and add the requested shell as exe_prefix (as stated above)
- Move /var/lib/cloud (or a portion thereof) to a different filesystem path and symlink it to original path
We have tested the second workaround and it seems to help:
# cloud-init clean
# rm -Rf /var/lib/cloud
# mkdir -p /etc/cloud/runtime
# ln -s /etc/cloud/runtime /var/lib/cloud
# restorecon -rv /var/lib/cloud
After this, user-data scripts appear to execute.
tags: | added: selinux |
tags: | added: aws rhel |
description: | updated |
Changed in cloud-init: | |
status: | Incomplete → New |
Update:
Further testing leads us to believe that this problem may actually occur when having the "noexec" flag set on the /var filesystem. This is a security requirement that we're purposefully trying to meet for Federal systems.
Possible fixes:
- Search for marker (#!) and add the requested shell as exe_prefix (as stated above)
- Move /var/lib/cloud to a different filesystem path and symlink it to original path
We have tested the second item and it seems to work:
# cloud-init clean init-runtime init-runtime /var/lib/cloud
# rm -Rf /var/lib/cloud
# mkdir -p /etc/cloud-
# ln -s /etc/cloud-
# restorecon -rv /var/lib/cloud
After this, user-data scripts appear to execute.