Execute salt remote commands with /tmp mounted with "noexec"

This document (7023646) is provided subject to the disclaimer at the end of this document.

Environment


SUSE Manager 3.1
SUSE Manager 3.2
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)
SUSE Linux Enterprise Server 12 Service Pack 4 (SLES 12 SP4)
SUSE Linux Enterprise Server 15
or any other salt managed Linux client with default TMPDIR settings

Situation

In many environments /tmp is mounted with the option "noexec" for security reasons.
This prevents the execution of any file stored in that directory.
Salt "cmd.run" stores the content of remote commands in "/tmp" by default and executes them
from there. Running such a remote command on a minion with a "noexec" /tmp therefore fails with an error message such as:
Failed to execute script. [jid=20190117084157143144]

Resolution

To address this behavior, change the directory in which salt temporarily stores the remote commands by setting the TMPDIR environment variable for the salt-minion service, e.g.:

systemctl edit --full salt-minion
...
[Unit]
Description=The Salt Minion
After=network.target salt-master.service

[Service]
Type=notify
NotifyAccess=all
LimitNOFILE=8192
ExecStart=/usr/bin/salt-minion
KillMode=process
Restart=on-failure
RestartSec=15
Environment="TMPDIR=/var/tmp"

[Install]
WantedBy=multi-user.target
...
systemctl daemon-reload
systemctl restart salt-minion

or, more elegantly, create a drop-in file:

cat /etc/systemd/system/salt-minion.service.d/TMPDIR.conf
[Service]
Environment="TMPDIR=/var/tmp/"

Cause

From the Python documentation of tempfile.mkstemp(), which salt uses to create the temporary script file:

tempfile.mkstemp([suffix=''[, prefix='tmp'[, dir=None[, text=False]]]])
...
If dir is specified, the file will be created in that directory; otherwise, a default directory
is used. The default directory is chosen from a platform-dependent list, but the user of
the application can control the directory location by setting the TMPDIR, TEMP or TMP
environment variables. There is thus no guarantee that the generated filename will have
any nice properties, such as not requiring quoting when passed to external commands
via os.popen().
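As an added example (not part of this TID, of Salt or of SUSE Manager), the following POSIX shell script ties the Resolution and the Cause together: it reproduces the TMPDIR, TEMP, TMP lookup order that tempfile.mkstemp() follows, reads the Environment= setting the salt-minion unit actually carries, checks with findmnt whether the resulting directory sits on a "noexec" mount, and installs the drop-in from the Resolution section followed by the daemon-reload and service restart the new environment needs. The function names, the findmnt --target and systemctl show -p Environment calls, and the refusal to point TMPDIR at a second "noexec" mount are this example's own additions; the drop-in path and the TMPDIR=/var/tmp value are taken from the TID. It assumes systemd and util-linux findmnt are present, as on the listed SLES 12 and SLES 15 releases.

```shell
#!/bin/sh
# Added example, not part of the SUSE TID: detect a salt-minion whose temp
# directory sits on a "noexec" mount and install the TMPDIR drop-in from the
# Resolution section. Assumes systemd and findmnt (util-linux); the paths and
# the /var/tmp value are the TID's own.
set -eu

DROPIN_DIR=/etc/systemd/system/salt-minion.service.d

# Reproduce the lookup order tempfile.mkstemp() uses (Python doc, Cause
# section): TMPDIR, then TEMP, then TMP; otherwise fall back to /tmp, the
# first directory of the platform list on Linux (the writability checks the
# Python module also performs are left out here). Arguments: the three values
# as the minion's environment supplies them; an empty string means unset.
resolve_tmpdir() {
    for candidate in "${1-}" "${2-}" "${3-}"; do
        if [ -n "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf '%s\n' /tmp
}

# Print the temp directory the salt-minion unit will actually use, derived
# from the Environment= line systemd reports for the unit (empty if unset).
minion_tmpdir() {
    env_line=$(systemctl show salt-minion -p Environment 2>/dev/null || true)
    env_line=${env_line#Environment=}
    tmpdir=""; temp=""; tmp=""
    for kv in $env_line; do
        case "$kv" in
            TMPDIR=*) tmpdir=${kv#TMPDIR=} ;;
            TEMP=*)   temp=${kv#TEMP=} ;;
            TMP=*)    tmp=${kv#TMP=} ;;
        esac
    done
    resolve_tmpdir "$tmpdir" "$temp" "$tmp"
}

# Return 0 if the filesystem holding $1 is mounted with "noexec".
is_noexec() {
    findmnt -n -o OPTIONS --target "$1" 2>/dev/null | tr ',' '\n' | grep -qx noexec
}

# Write the drop-in file. $1 = drop-in directory (default: the TID's path),
# $2 = directory to export as TMPDIR (default: /var/tmp, as in the TID).
write_tmpdir_dropin() {
    dir="${1:-$DROPIN_DIR}"
    target="${2:-/var/tmp}"
    mkdir -p "$dir"
    printf '[Service]\nEnvironment="TMPDIR=%s"\n' "$target" > "$dir/TMPDIR.conf"
    chmod 0644 "$dir/TMPDIR.conf"
}

# Full procedure: refuse to move TMPDIR onto another "noexec" mount, install
# the drop-in, reload unit files, restart the minion and show the result.
fix_minion_tmpdir() {
    target="${1:-/var/tmp}"
    if is_noexec "$target"; then
        echo "refusing: $target is also mounted noexec" >&2
        return 1
    fi
    write_tmpdir_dropin "$DROPIN_DIR" "$target"
    systemctl daemon-reload
    systemctl restart salt-minion
    echo "salt-minion now uses: $(minion_tmpdir)"
}
```

Run fix_minion_tmpdir as root on an affected minion; calling minion_tmpdir before and after shows the change from /tmp to /var/tmp. The restart is not optional: the tempfile module caches the directory it selects on first use (tempfile.tempdir), so the variable has to be present in the salt-minion process environment when the service starts. The replacement directory must itself be writable by the minion and not mounted "noexec", which is what the is_noexec guard checks before anything is changed.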

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7023646
  • Creation Date: 17-Jan-2019
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server
    • SUSE Manager
    • SLES 12 Module: Advanced System Management Module
