google_metadata_script_runner runs temporary script with bash -c, fails on noexec /tmp
mbanck opened this issue · comments
The default appears to be that the scripts are being copied to a temp directory in /tmp, then executed via bash -c (see line 299 of google_metadata_script_runner/main.go):
c = exec.Command(config.Section("MetadataScripts").Key("default_shell").MustString("/bin/bash"), "-c", tmpFile)
However, if /tmp is on a noexec file system (which is not uncommon in locked down environments) this fails and one gets an error like
google_metadata_script_runner[523]: startup-script: /bin/bash: line 1: /tmp/metadata-scripts433978404/startup-script: Permission denied
Shouldn't it be possible to just let bash run the script directly, i.e. remove the "-c"?
It is true one can change the run_dir directory in the config to point to another directory as a work-around, but maybe the above suggestion could be applied to make it work in general?
bash -c /path/to/script is basically the same as /path/to/script, so removing the -c should restore the intended meaning of "use bash to execute that script".
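As an added illustration (not code from this issue or from the guest-agent project), the Go program below reproduces the failure mode without needing a noexec mount: it writes a constructed script with no execute bit, which execve() refuses with EACCES just as on a noexec file system, then runs it both as `bash -c <path>` (the runner's current form) and as `bash <path>` (the form suggested above). The script contents, directory name and helper names are made up for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// Constructed stand-in for a fetched startup-script.
const sampleScript = "#!/bin/bash\necho startup-ok\n"

// shellPath resolves bash (the runner's default_shell) or falls back to sh.
func shellPath() string {
	if p, err := exec.LookPath("bash"); err == nil {
		return p
	}
	return "sh"
}

// run invokes the shell with the given arguments and returns combined output.
func run(shell string, args ...string) (string, error) {
	out, err := exec.Command(shell, args...).CombinedOutput()
	return string(out), err
}

// Compare writes the script with mode 0644 (no exec bit; execve() then fails
// with EACCES exactly as on a noexec mount) and tries both invocations:
//   - bash -c <path>: bash parses the argument as a command line and execve()s
//     the file, so the kernel must permit executing it (the runner's current form);
//   - bash <path>: bash opens and reads the file itself, so +x and noexec are moot.
func Compare(shell string) (dashCOK, scriptArgOK bool, out string, err error) {
	dir, err := os.MkdirTemp("", "metadata-scripts")
	if err != nil {
		return false, false, "", err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "startup-script")
	if err = os.WriteFile(path, []byte(sampleScript), 0o644); err != nil {
		return false, false, "", err
	}
	_, errC := run(shell, "-c", path)
	out, errS := run(shell, path)
	return errC == nil, errS == nil, out, nil
}

func main() {
	c, s, out, err := Compare(shellPath())
	fmt.Printf("bash -c <path> ran=%v; bash <path> ran=%v out=%q err=%v\n", c, s, out, err)
}
```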
You can define an option in the configuration file:
run_dir - String base directory where metadata scripts are executed
https://github.com/GoogleCloudPlatform/guest-agent/tree/main#configuration