
I have a CIS-benchmark-compliant base image. Pulling this to differentiate an immutable image for my application, if I attempt to do

apt-get install -y docker.io

I get an error

==> amazon-ebs: Can't exec "/tmp/docker.io.config.NzitwJ": Permission denied at /usr/share/perl/5.26/IPC/Open3.pm line 178.

==> amazon-ebs: open2: exec of /tmp/docker.io.config.NzitwJ configure  failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

This is because CIS-compliant images have noexec set on the /tmp filesystem.

Does anyone know of a command line or equivalent way to make apt-get use a different file system for install scripts, or am I going to have to schedule tasks to install from source? Note, this does not only affect docker.io, but others as well. I'm looking for an apt-get-level solution, not an app-specific package method.

volvox
    Does this answer your question? [How to change default /tmp to /home/user/tmp](https://serverfault.com/questions/72955/how-to-change-default-tmp-to-home-user-tmp) – djdomi Jan 14 '21 at 17:07
  • I've changed my plea, your honour. @djdomi it does work, but one has to change a few things around. As `apt-get` is a root-level command, and as I'm doing this non-interactively, I had to (1) change the install script that calls `apt-get` to remove the calls to `sudo`, (2) add the content of the linked answer to the script so root's env gets a new `TMPDIR`, and (3) call the script with `sudo -i` so that the single env that the script runs under uses the env with said modified `TMPDIR`. – volvox Jan 19 '21 at 15:13
  • So it works for now? Then please answer your own question with how you got it to work. – djdomi Jan 20 '21 at 07:44

1 Answer


I added the code from this post in the script which (insert pipeline orchestrator) runs to pull the base image and install the image-specific software.

Because the script had been using sudo, and because by default this does not adopt the root account, running sudo adopted the default ubuntu user so it sets up the tmp file in the wrong place and doesn't work. Because apt-get needs root to run it, I added this to ensure only root could run my script:

# EUID is the effective user id; root is always 0
if [[ ${EUID} -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

I then removed the sudo prefix from the commands in my bash script and ran the whole script with sudo to make the orchestrator run my script as the root user, which meant the orchestrator created the tmp file correctly on the build machine.

Credit to @djdomi.

volvox
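The procedure in the answer (require root, give root a `TMPDIR` that is not mounted `noexec`, then run `apt-get`) as one added script; this is example code, not the answer's own script. It assumes a Debian/Ubuntu host with `findmnt` from util-linux, and the fallback directory `/var/tmp/apt-build` is an assumed location, chosen because `/var/tmp` is usually a separate, exec-permitted mount on hardened images.

```shell
#!/bin/sh
# Added example: run apt-get with a TMPDIR that allows exec when /tmp is
# mounted noexec. Not the original poster's script.
set -eu

# Pure check: does a comma-separated mount option string contain noexec?
has_noexec_opt() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Is the filesystem holding path $1 mounted noexec? Treats a missing
# findmnt or unknown path as "not noexec" so the caller keeps /tmp.
is_noexec() {
    opts=$(findmnt -n -o OPTIONS --target "$1" 2>/dev/null) || return 1
    has_noexec_opt "$opts"
}

# Keep /tmp when it permits exec; otherwise use the fallback given as $1.
choose_tmpdir() {
    if is_noexec /tmp; then
        printf '%s\n' "$1"
    else
        printf '%s\n' /tmp
    fi
}

# apt-get (and debconf) must run as root; sudo without -i is not enough,
# because root's environment, not the caller's, must carry TMPDIR.
require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "This script must be run as root" 1>&2
        return 1
    fi
}

# Install the packages given as arguments with an exec-capable TMPDIR.
main() {
    require_root
    dir=$(choose_tmpdir /var/tmp/apt-build)   # assumed fallback location
    mkdir -p "$dir" && chmod 0700 "$dir"      # root-only, so nobody else can plant files there
    if is_noexec "$dir"; then
        echo "$dir is also mounted noexec; choose another location" 1>&2
        return 1
    fi
    TMPDIR=$dir apt-get install -y "$@"
}

# Usage: sudo -i sh this_script.sh docker.io   (no arguments: nothing to do)
[ $# -eq 0 ] || main "$@"
```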