Cannot run executable shell script on Google Container-Optimized OS
On any other Linux distro, I can create a file with a shebang and run shell scripts like so:
$ chmod +x test.sh
$ ./test.sh Johnny
hello Johnny
But on Google Cloud Platform Container-Optimized OS, I get
-bash: ./test.sh: Permission denied
If I prefix with sh, e.g. sh test.sh Johnny, it will work. How can I get this to work normally?
$ cat test.sh
#!/usr/bin/env sh
echo "Hello $@"
matt@rancher-4mmm /tmp/matt $ chmod +x test.sh
matt@rancher-4mmm /tmp/matt $ sh ./test.sh matt
Hello matt
matt@rancher-4mmm /tmp/matt $ ./test.sh matt
-bash: ./test.sh: Permission denied
matt@rancher-4mmm /tmp/matt $ ls -la
total 4
drwxr-xr-x 2 matt matt 60 Feb 28 20:00 .
drwxrwxrwt 14 root root 280 Feb 28 19:59 ..
-rwxr-xr-x 1 matt matt 35 Feb 28 20:00 test.sh
Most filesystems on a COS node are mounted with the "noexec" flag, so you can't execute binaries from them.
Some workarounds:
Container-Optimized OS mounts the file system with the "noexec" flag, except that "Among the writable locations, only /var/lib/docker and /var/lib/cloud are mounted as "executable" (ie without the noexec mount flag)." [1]. You can verify with the following command:
mount | grep noexec
For more information on the layout of the Container-Optimized OS (COS) file system, refer to the documentation. The 'noexec' option does not allow direct execution of any binaries on the mounted filesystem. This is because of the default security lock-down implementation on COS.
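The answers above attribute the "Permission denied" to the mount's noexec option rather than to the file's mode bits, which is why "sh test.sh" (the interpreter reads the file; nothing is exec'd from that filesystem) still works. The following POSIX sh helper is an added example, not code from the original post: it resolves which mount a path falls under (longest mount-point prefix, as the kernel does) and checks that mount's options for noexec. The /proc/mounts-style table it runs against is constructed for illustration, not captured from a real COS node.

```shell
#!/bin/sh
# Added example: tell whether a path sits on a filesystem mounted with noexec,
# by parsing lines in /proc/mounts format (device mountpoint fstype options dump pass).

# Constructed sample table (illustrative, not a real node's /proc/mounts).
SAMPLE_MOUNTS='/dev/root / ext2 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /mnt/stateful_partition ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /var/lib/docker ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda1 /var/lib/cloud ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /mnt/disks/scratch tmpfs rw,relatime 0 0'

# mount_opts_for PATH [MOUNTS_TEXT]: print the options of the mount whose
# mount point is the longest prefix of PATH. Falls back to the live /proc/mounts.
# (Mount points containing spaces appear as \040 in /proc/mounts; not handled here.)
mount_opts_for() {
    path=$1
    mounts=${2:-$(cat /proc/mounts 2>/dev/null || :)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        BEGIN { best = 0; opts = "" }
        {
            mp = $2
            # "/" matches everything; otherwise require an exact match or a
            # match on a whole path component (so /tmp does not match /tmpfoo).
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# noexec_path PATH [MOUNTS_TEXT]: return 0 if PATH is on a noexec mount, 1 otherwise.
noexec_path() {
    opts=$(mount_opts_for "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo against the constructed table: the question's /tmp/matt/test.sh lands on
# the noexec /tmp, while the two writable executable locations do not.
for p in /tmp/matt/test.sh /var/lib/docker/test.sh /mnt/disks/scratch/test.sh; do
    if noexec_path "$p" "$SAMPLE_MOUNTS"; then
        echo "$p: noexec mount -> ./script fails, 'sh script' still works"
    else
        echo "$p: executable mount"
    fi
done
```

Run it with no second argument (noexec_path /some/path) to check the live /proc/mounts of the node you are on instead of the sample table.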
If you want to run a binary one-off and don't want to deal with having another PD, you could also just mount a tmpfs device and run it from there.
sudo mkdir /mnt/disks/scratch
sudo mount -t tmpfs tmpfs /mnt/disks/scratch/
One solution is to use another image family, e.g. ubuntu. There, /tmp/ is not mounted with noexec.