Modify /tmp mount point in FSTAB for single node


Brian S

Jan 30, 2017, 1:58:26 PM1/30/17
to SIMP Q&A Forum
I'm curious what the best method would be to modify the /tmp mount partition so that it has exec instead of noexec. I do not want to apply this change across the entire environment maintained by SIMP but only on a single node. I tried to set /tmp within a single custom manifest using mount, but it is controlled elsewhere in the environment.

The reason for this is within an environment where docker-compose and docker is being used, the docker-compose program needs to be able to extract and exec a program.  By default this is /tmp.  I was able to manually get around this by running "mount /tmp -o remount,exec" on the box but would like this command to be permanent.

Thanks-
Brian

Nick Miller

Jan 30, 2017, 2:10:07 PM1/30/17
to Brian S, SIMP Q&A Forum
Brian,

Check out this line, from the secure_mountpoints class in simplib: https://github.com/simp/pupmod-simp-simplib/blob/5.X/manifests/secure_mountpoints.pp#L51

It's where noexec is set from. You should be able to mount /tmp as exec by adding the following to the node-specific hiera file:

 simplib::secure_mountpoints::tmp_opts: ['nodev','nosuid']

Good luck!
Nick Miller


--
Nicholas Miller
Consultant | Onyx Point, Inc.

Nicholas Hughes

Jan 30, 2017, 2:14:42 PM1/30/17
to Nick Miller, Brian S, SIMP Q&A Forum
FWIW, it might be better security-wise to have docker-compose use a different temp path...

$ TMPDIR=/not_tmp/ docker-compose ...

-Nick
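The two answers above amount to a procedure: drop only noexec from /tmp via the node's hiera data (keeping nodev and nosuid), or leave /tmp alone and point docker-compose at a scratch directory on a filesystem that allows exec. Either way the thing worth checking afterwards is the effective mount options of the path in question. The script below is an added example, not code from the thread or from SIMP; it reads a /proc/mounts-style table passed in as text so it can be exercised offline against a constructed sample (SAMPLE_MOUNTS, which shows /tmp after the tmp_opts override; /var/lib/docker-tmp is a hypothetical dedicated filesystem, and the compose.XXXXXX template name is also an assumption). run_with_private_tmpdir shows the TMPDIR approach with a per-run 0700 directory rather than a shared, predictable path.

```shell
#!/bin/sh
# Added example (not from the thread or from SIMP): verify the effective
# mount options of a path and run a command with a private TMPDIR on a
# filesystem that permits exec.

# Constructed sample of /proc/mounts. /tmp reflects the hiera override from
# the thread (tmp_opts: ['nodev','nosuid']); /var/lib/docker-tmp is a
# hypothetical dedicated filesystem for docker-compose scratch files.
SAMPLE_MOUNTS='/dev/mapper/vg-root / xfs rw,relatime,attr2,inode64,noquota 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-dockertmp /var/lib/docker-tmp xfs rw,nosuid,nodev,relatime 0 0'

# mount_opts MOUNTS_TABLE PATH -> comma-separated options of the mount that
# holds PATH. The longest matching mount point wins, as the kernel resolves it.
# Fields of /proc/mounts: device mountpoint fstype options dump pass.
mount_opts() {
  table=$1; path=$2
  printf '%s\n' "$table" | awk -v p="$path" '
    {
      mp = $2
      # "/" holds everything; otherwise PATH must equal mp or start with mp + "/"
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > best_len) { best_len = length(mp); best = $4 }
      }
    }
    END { print best }'
}

# has_opt OPTS NAME -> success when NAME is one of the comma-separated OPTS
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# check_exec_mount MOUNTS_TABLE PATH -> success when PATH sits on a filesystem
# that keeps nodev and nosuid but does not carry noexec: the state the thread
# is after, whether that filesystem is /tmp itself or a dedicated one.
check_exec_mount() {
  opts=$(mount_opts "$1" "$2")
  [ -n "$opts" ] || return 1
  has_opt "$opts" nodev  || return 1
  has_opt "$opts" nosuid || return 1
  has_opt "$opts" noexec && return 1
  return 0
}

# run_with_private_tmpdir BASE CMD... -> runs CMD with TMPDIR set to a fresh
# mode-0700 directory under BASE (instead of a shared, guessable path such as
# /not_tmp/), removes it afterwards and returns CMD's exit status.
run_with_private_tmpdir() {
  base=$1; shift
  dir=$(mktemp -d "$base/compose.XXXXXX") || return 1
  chmod 0700 "$dir"            # mktemp already restricts it; made explicit
  TMPDIR=$dir "$@"
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Stand-alone demonstration against the constructed table.
demo() {
  for p in /tmp /dev/shm /var/lib/docker-tmp /usr/local/bin; do
    if check_exec_mount "$SAMPLE_MOUNTS" "$p"; then
      echo "$p: exec allowed, nodev and nosuid kept"
    else
      echo "$p: not suitable (options: $(mount_opts "$SAMPLE_MOUNTS" "$p"))"
    fi
  done
}

demo
```

On a real node, replace SAMPLE_MOUNTS with "$(cat /proc/mounts)" and run check_exec_mount after the puppet agent has applied the hiera change (or after the reboot that makes the fstab entry take effect); a manual "mount -o remount,exec" that Puppet later reverts will fail the check on the next run, which is exactly what you want to catch.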

Brian S

Jan 30, 2017, 2:16:54 PM1/30/17
to SIMP Q&A Forum
Nick-

Thanks for pointing me in the correct direction for setting up the variable. It's also good to know which SIMP manifest controls the secure mountpoints.

This worked like a charm!

-Brian


Brian S

Jan 30, 2017, 2:21:09 PM1/30/17
to SIMP Q&A Forum, nick....@onyxpoint.com, brians...@gmail.com
Yes, the method mentioned is going to be the final implementation in the production environment.  But I was also curious about where SIMP defined the mountpoints, so it was good to understand that as well.

-Brian
