ibm-spectrum-scale-install-infra
Executing Spectrum Scale Install Package from /tmp could be blocked if /tmp is mounted with no_exec permissions
It is not uncommon to find /tmp mounted with a no_exec option for security reasons. We currently copy the self extracting Spectrum Scale Install Package to /tmp on every node and execute it from there, which will fail if /tmp is mounted with the no_exec option.
To get around this problem, we should copy the package to some other directory on the root file system and extract from there.
Not completely related, but a question. Why do we create temporary stanza files in /var/tmp but then delete them afterwards? /var/tmp allows files to persist across reboots? But if we delete them right away, what's the purpose of using that over /tmp?
IMHO it would be much better to use something like /var/mmfs/tmp for all these stanza files, which is only root-writable and would then avoid the risk of race conditions during temp file creation.
Created a pull request for that now.
Come to think of it, there is a simpler fix for the installer package. It's just a shell script, so it can easily be executed from a noexec-mounted tmpdir by starting it as an argument to bash.
# git diff
diff --git a/roles/core/node/tasks/install_local_pkg.yml b/roles/core/node/tasks/install_local_pkg.yml
index cd44429..38c206a 100644
--- a/roles/core/node/tasks/install_local_pkg.yml
+++ b/roles/core/node/tasks/install_local_pkg.yml
@@ -74,7 +74,7 @@
- name: install | Extract installation package
vars:
localpkg: "{{ scale_install_localpkg_tmpdir_path + '/' + scale_install_localpkg_path | basename }}"
- command: "{{ localpkg + ' --silent' }}"
+ command: "{{ '/bin/bash ' + localpkg + ' --silent' }}"
args:
creates: "{{ scale_gpfs_path_url }}"
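Review bot: the `'/bin/bash ' + localpkg + ' --silent'` string concatenation in the new `command:` line is split on whitespace by the command module, so a `scale_install_localpkg_tmpdir_path` containing a space breaks the task; the `argv` form (`argv: ['/bin/bash', '{{ localpkg }}', '--silent']`) avoids that, and the hard-coded `/bin/bash` could be a variable alongside it. Note also that invoking the script through the interpreter sidesteps the noexec mount rather than honouring it: the file in the tmpdir (/tmp per the issue) is still executed as root out of a world-writable directory, so the copy step before this task should verify the file's ownership or checksum, or the package should go to the root-only directory proposed earlier in the thread.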
Tested on /tmp mounted with:
# systemctl start tmp.mount
# mount -o remount,noexec,size=1800m /tmp
# mount |grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,size=1843200k)
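As an added example that is not part of ibm-spectrum-scale-install-infra, the following POSIX shell helpers decide whether a candidate package directory sits on a noexec mount and pick the first candidate that does not, so the installer can be placed on the root file system as the issue suggests. The mounts table is passed in as a string (the sample below is constructed to mirror the noexec /tmp test above); on a live node, pass the contents of /proc/self/mounts.

```shell
#!/bin/sh
# Print the mount options of the longest mount point that is a prefix of
# path $1, reading a /proc/mounts-style table from the string in $2.
mount_opts_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            # "/" holds everything; other mount points must match a whole component
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { print best }'
}

# Return 0 (true) if the mount holding path $1 carries the noexec option.
is_noexec() {
    opts=$(mount_opts_for_path "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the first space-separated candidate in $1 whose mount allows execution.
# Returns 1 if every candidate is noexec.
pick_exec_dir() {
    for d in $1; do
        if ! is_noexec "$d" "$2"; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# Constructed mounts table (sample data, not from a real node): root on xfs,
# /tmp as the noexec tmpfs shown in the thread, /var/tmp on its own partition.
SAMPLE_MOUNTS='/dev/sda2 / xfs rw,relatime,attr2,inode64 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=1843200k 0 0
/dev/sda3 /var/tmp xfs rw,relatime,attr2,inode64 0 0'

# Prefer /tmp, fall back to the root-only directory suggested in the thread.
pick_exec_dir "/tmp /var/mmfs/tmp" "$SAMPLE_MOUNTS"
```

With the sample table the last line prints `/var/mmfs/tmp`, because /tmp is noexec and /var/mmfs/tmp falls under the root mount.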