set mount option noexec on /tmp in coreos-cloudinit

[baldeynz]

Hi all
Can someone point me in the right direction with how to set mount options on mount points if im still using cloudinit? e.g i need to set "noexec" on /tmp but im not sure whether its possible without using ignition?
thanks
baldeynz

[baldeynz]

I guess to clarify .. i can see that /tmp seemed to be mounted by /usr/lib64/systemd/system/tmp.mount  but how do i over-ride this using cloudinit?

[Alex Crawford]

On 05/08, baldeynz wrote:
> I guess to clarify .. i can see that /tmp seemed to be mounted by
> /usr/lib64/systemd/system/tmp.mount but how do i over-ride this using
> cloudinit?

You can create a systemd drop-in to override the mount options:

$ cat /etc/systemd/system/tmp.mount.d/noexec.conf
[Mount]
Options=mode=1777,strictatime,nosuid,nodev,noexec

This can be done with either Ignition (via a Container Linux Config):

systemd:
units:
- name: tmp.mount
dropins:
- name: noexec.conf
contents: |
[Mount]
Options=mode=1777,strictatime,nosuid,nodev,noexec

It can also be done with a cloud-config:

#cloud-config

coreos:
units:
- name: tmp.mount
drop-ins:
- name: noexec.conf
content: |
[Mount]
Options=mode=1777,strictatime,nosuid,nodev,noexec

While this can be done with either a Container Linux Config or a
cloud-config, I highly recommend against using coreos-cloudinit. Reason
being, on first boot, /tmp won't have the noexec option! You have to
reboot the system in order for this to take effect (because of how late
in the boot process coreos-cloudinit starts). Ignition, on the other
hand, doesn't suffer from these problems.

-Alex

[baldeynz]

Thanks Alex