Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/3429

** Bug watch added: github.com/canonical/cloud-init/issues #3429
   https://github.com/canonical/cloud-init/issues/3429

** Changed in: cloud-init
       Status: Triaged => Expired

https://bugs.launchpad.net/bugs/1839899

Title:
  cloud-init will not run user-data scripts when /var filesystem is
  mounted with the noexec flag

Status in cloud-init:
  Expired

Bug description:
  Cloud Vendor: Amazon AWS
  Platform: RHEL7.6
  Cloud-Init: cloud-init-18.5-3.el7.x86_64
  Kernel: 3.10.0-1062.el7.x86_64
  SELinux: selinux-policy-targeted-3.13.1-252.el7.1.noarch

  --

  We have identified that having the "noexec" flag set on the /var
  filesystem causes cloud-init to fail running user-data scripts. This is
  a security requirement mandated by STIG policies that we're purposefully
  trying to meet for Federal systems.

  The affected code is in:
  /usr/lib/python2.7/site-packages/cloudinit/util.py

  Under the function: runparts()

  The system checks for access to the executable using the following line:

  if os.path.isfile(exe_path) and os.access(exe_path, os.X_OK):
                                  ## ^^^^^^^^^

  While the file is executable, the "noexec" flag on the filesystem causes
  os.access() to report False, which cancels the execution of the
  user-data script.

  To reproduce the problem:
  - Create new filesystem
  - Move /var files to new filesystem
  - Add /var to fstab with the "noexec" option
  - Mount new /var filesystem
  - Run cloud-init init
  - Run cloud-init modules -m final
  - Observe that the cloud-init scripts do not run

  Note that the files in /var/lib/cloud/instances/*/scripts/ are
  executable (mode 0755 or 0700), and that when trying to execute the
  file, you will get Error 13: Permission denied.

  --

  Possible fixes:
  - Search for marker on the first line of the file (#!) and add the
    requested shell as exe_prefix (as stated above)
  - Move /var/lib/cloud (or a portion thereof) to a different filesystem
    path and symlink it to original path

  We have tested the second workaround and it seems to help:

  # cloud-init clean
  # rm -Rf /var/lib/cloud
  # mkdir -p /etc/cloud/runtime
  # ln -s /etc/cloud/runtime /var/lib/cloud
  # restorecon -rv /var/lib/cloud

  After this, user-data scripts appear to execute.
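The first fix the reporter proposes (read the "#!" line and run the script through that interpreter when os.access() refuses X_OK on a noexec mount) can be sketched as follows. This is an added example, not the reporter's code and not cloud-init's runparts(); the function names (build_command, shebang_interpreter, is_marked_executable, noexec_access, make_sample_scripts) are hypothetical, and the sample scripts are constructed here so the block runs offline. It goes a little beyond the report by also deciding what to do when a file on the noexec mount has no "#!" line or no execute bit at all, and it keeps the os.access() probe injectable so the noexec behaviour can be exercised on an ordinary filesystem.

```python
import os
import stat
import tempfile

# Hypothetical helper names, assumed for this example (not cloud-init's API).


def shebang_interpreter(path, max_len=256):
    """Return the interpreter argv from a '#!' first line, or None if absent.

    Linux passes at most one argument after the interpreter path, so the
    remainder of the line is kept as a single string rather than split.
    """
    with open(path, "rb") as fh:
        first = fh.readline(max_len)
    if not first.startswith(b"#!"):
        return None
    line = first[2:].strip().decode("utf-8", "replace")
    if not line:
        return None
    return line.split(None, 1)


def is_marked_executable(path):
    """True if the mode bits carry an execute bit; unaffected by mount options."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and bool(
        st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    )


def build_command(path, access=os.access):
    """Return the argv to run `path`, or None when it should be skipped.

    `access` is injectable so the noexec case can be exercised on a normal
    filesystem; production callers leave the default os.access in place.
    """
    if not os.path.isfile(path):
        return None
    if access(path, os.X_OK):
        return [path]               # normal mount: execute directly
    if not is_marked_executable(path):
        return None                 # genuinely not executable: keep skipping
    interp = shebang_interpreter(path)
    if interp is None:
        return None                 # noexec and no '#!': nothing can run it
    return interp + [path]          # noexec fallback proposed in the report


def noexec_access(path, mode):
    """Stand-in for os.access() on a noexec mount: every X_OK probe fails."""
    if mode & os.X_OK:
        return False
    return os.access(path, mode)


def make_sample_scripts(directory=None):
    """Write constructed sample scripts (not from the report); return name -> path."""
    directory = directory or tempfile.mkdtemp(prefix="noexec-demo-")
    samples = {
        "bash_script.sh": (b"#!/bin/bash -e\necho hello\n", 0o755),
        "env_python.py": (b"#!/usr/bin/env python3\nprint('hi')\n", 0o700),
        "no_shebang.sh": (b"echo no interpreter line\n", 0o755),
        "not_executable.sh": (b"#!/bin/sh\necho plain data\n", 0o644),
    }
    paths = {}
    for name, (body, mode) in samples.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as fh:
            fh.write(body)
        os.chmod(p, mode)
        paths[name] = p
    return paths


if __name__ == "__main__":
    for name, p in make_sample_scripts().items():
        print(f"{name:20s} normal: {build_command(p)}")
        print(f"{'':20s} noexec: {build_command(p, access=noexec_access)}")
```

Two points worth keeping in mind when weighing this against the relocation workaround the reporter tested: the stat-based execute-bit check is what distinguishes "noexec blocked it" from "the file was never meant to run", so without it the fallback would start interpreting every readable file with a "#!" line; and once scripts are launched via their interpreter, the noexec mount no longer constrains anything cloud-init delivers under /var/lib/cloud, which is the behaviour the STIG control was meant to enforce and should be recorded wherever that control's exception is documented.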