1

I have a CIS-benchmark-compliant base image. Pulling this to differentiate an immutable image for my application, if I attempt to do

apt-get install -y docker.io

I get an error

==> amazon-ebs: Can't exec "/tmp/docker.io.config.NzitwJ": Permission denied at /usr/share/perl/5.26/IPC/Open3.pm line 178.

==> amazon-ebs: open2: exec of /tmp/docker.io.config.NzitwJ configure  failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

This is because CIS-compliant images have noexec set on the /tmp filesystem.

Does anyone know of a command line or equivalent way to make apt-get use a different file system for install scripts, or am I going to have to schedule tasks to install from source? Note, this does not only affect docker.io, but others as well. I'm looking for an apt-get-level solution, not an app-specific package method.

Improve this question
  • 2
    Does this answer your question? How to change default /tmp to /home/user/tmp – djdomi Jan 14 at 17:07
  • I've changed my plea your honour. @djdomi it does work, but one has to change a few things around. As apt-get is a root-level command, and as I'm doing this non-interactively, I had to (1) change the install script that calls apt-get to remove the calls to sudo (2) add the content of the linked answer to the script so root's env gets a new TMPDIR and (3) called the script with sudo -i so that the single env that the script runs under uses the env with said modified TMPDIR. – volvox Jan 19 at 15:13
  • so it works for now? - Then please answer your question on yourself how did you got it worked – djdomi 2 days ago
1

I added the code from this post in the script which (insert pipeline orchestrator) runs to pull the base image and install the image-specific software.

Because the script had been using sudo, and because by default this does not adopt the root account, running sudo adopted the default ubuntu user so it sets up the tmp file in the wrong place and doesn't work. Because apt-get needs root to run it, I added this to ensure only root could run my script:

if [[ ${EUID} -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

I then removed the sudo prefix to the commands in my bash script, and ran the whole script with an sudo to make the orchestrator run my script as the root user, which meant the orchestrator created the tmp file correctly on the build machine.

Credence to @djdomi.

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.