awslabs/amazon-eks-ami

amazon-ebs: sudo: unable to execute /tmp/worker/awscli-install/aws/install: Permission denied

Closed this issue · 1 comments

What happened:

I am attempting to use the AL2023 base AMI for EKS optimized with the AMI Release v20240531. However, I am encountering a "permission denied" error. I have tried several different methods to resolve this issue, including using "{{.Vars}} bash '{{.Path}}'", but none have been successful. This appears to be a bug.

Do you have any suggestions for a workaround to fix this issue?

Error Details:
amazon-ebs: sudo: unable to execute /tmp/worker/awscli-install/aws/install: Permission denied

2024-06-06T21:18:33Z:     amazon-ebs: Installing awscli v2 bundle
2024-06-06T21:18:35Z:     amazon-ebs: sudo: unable to execute /tmp/worker/awscli-install/aws/install: Permission denied
2024-06-06T21:18:35Z: ==> amazon-ebs: Provisioning step had errors: Running the cleanup provisioner, if present...
2024-06-06T21:18:35Z: ==> amazon-ebs: Terminating the source AWS instance...
2024-06-06T21:19:35Z: ==> amazon-ebs: Cleaning up any extra volumes...
2024-06-06T21:19:36Z: ==> amazon-ebs: No volumes to clean up, skipping
2024-06-06T21:19:36Z: ==> amazon-ebs: Deleting temporary security group...
2024-06-06T21:19:36Z: ==> amazon-ebs: Deleting temporary keypair...
2024-06-06T21:19:36Z: Build 'amazon-ebs' errored after 2 minutes 4 seconds: Script exited with non-zero exit status: 1. Allowed exit codes are: [0]
==> Wait completed after 2 minutes 4 seconds
==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Script exited with non-zero exit status: 1. Allowed exit codes are: [0]

code snippet

template/al2023/install-worker.sh

################################################################################
### awscli #####################################################################
################################################################################

### isolated regions can't communicate to awscli.amazonaws.com so installing awscli through dnf
ISOLATED_REGIONS="${ISOLATED_REGIONS:-us-iso-east-1 us-iso-west-1 us-isob-east-1}"
if ! [[ ${ISOLATED_REGIONS} =~ $BINARY_BUCKET_REGION ]]; then
  # https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
  echo "Installing awscli v2 bundle"
  AWSCLI_DIR="${WORKING_DIR}/awscli-install"
  mkdir "${AWSCLI_DIR}"
  curl \
    --silent \
    --show-error \
    --retry 10 \
    --retry-delay 1 \
    -L "https://awscli.amazonaws.com/awscli-exe-linux-${MACHINE}.zip" -o "${AWSCLI_DIR}/awscliv2.zip"
  unzip -q "${AWSCLI_DIR}/awscliv2.zip" -d "${AWSCLI_DIR}"
  sudo "${AWSCLI_DIR}/aws/install" --bin-dir /bin/ --update
else
  echo "Installing awscli package"
  sudo dnf install -y awscli
fi

template.json

    {
      "type": "shell",
      "remote_folder": "{{ user `remote_folder`}}",
      "script": "{{template_dir}}/provisioners/install-worker.sh",
      "environment_vars": [
        "AWS_ACCESS_KEY_ID={{user `aws_access_key_id`}}",
        "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}",
        "AWS_SESSION_TOKEN={{user `aws_session_token`}}",
        "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
        "BINARY_BUCKET_REGION={{user `binary_bucket_region`}}",
        "CONTAINERD_VERSION={{user `containerd_version`}}",
        "KUBERNETES_BUILD_DATE={{user `kubernetes_build_date`}}",
        "KUBERNETES_VERSION={{user `kubernetes_version`}}",
        "RUNC_VERSION={{user `runc_version`}}",
        "SSM_AGENT_VERSION={{user `ssm_agent_version`}}",
        "WORKING_DIR={{user `working_dir`}}"
      ],
      "execute_command": "{{.Vars}} bash '{{.Path}}'"
    },

Environment:

  • AWS Region: us-east-1
  • Instance Type(s): AL2023
  • EKS Platform version : 1.30
  • Kubernetes version : 1.30
  • AMI Version: CIS Amazon Linux 2023 Benchmark - Level 1

This is because you're using a "CIS hardened" base image; those have some requirement around not allowing executables in /tmp. You can set the working_dir variable of the AMI template to another location for your use case.