I have a CIS-benchmark-compliant base image. Pulling this to differentiate an immutable image for my application, if I attempt to do
apt-get install -y docker.io
I get an error
==> amazon-ebs: Can't exec "/tmp/docker.io.config.NzitwJ": Permission denied at /usr/share/perl/5.26/IPC/Open3.pm line 178.
==> amazon-ebs: open2: exec of /tmp/docker.io.config.NzitwJ configure failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
This is because CIS-compliant images have noexec set on the /tmp filesystem.
Does anyone know of a command line or equivalent way to make apt-get use a different file system for install scripts, or am I going to have to schedule tasks to install from source? Note, this does not only affect docker.io, but others as well. I'm looking for an apt-get-level solution, not an app-specific package method.
I added the code from this post in the script which (insert pipeline orchestrator) runs to pull the base image and install the image-specific software.
Because the script had been using sudo, and because by default this does not adopt the root account, running sudo adopted the default ubuntu user so it sets up the tmp file in the wrong place and doesn't work. Because
apt-getneeds root to run it, I added this to ensure only root could run my script:I then removed the sudo prefix to the commands in my bash script, and ran the whole script with an sudo to make the orchestrator run my script as the root user, which meant the orchestrator created the tmp file correctly on the build machine.
Credence to @djdomi.