Scripts without execute permissions

[julia326]

Running secotrec-gke up results in:

julia@fuzzy-epidisco:~$ secotrec-gke up
SECOTREC: instance--juliasec-secobox: Checking...
SECOTREC: instance--juliasec-secobox: Build In Progress
SECOTREC: firewall-rule--juliasec-secobox: Checking...
SECOTREC: firewall-rule--juliasec-secobox: Build In Progress
bash: /tmp/secotrecab8ecdscript.sh: Permission denied
SECOTREC: DNS juliasec-secobox.gcloud.hammerlab.org needs to be setup
SECOTREC: GCloud-DNS transaction: add/replace
* IP-file: /tmp/secotrece31bf0node-ip
* DNS-zone-file: /tmp/secotrecae0de6dnszone.yaml
* Transaction-file: /tmp/secotrec142b66transaction.yaml
SECOTREC: Waiting for DNS juliasec-secobox.gcloud.hammerlab.org to be *really* up, 60 attempts with 10 seconds in between (600 sec max)
0.1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.
bash: /tmp/secotrec748042script.sh: Permission denied
Run-genspio: fatal error (script: /tmp/run-genspio4e9e0a-cmd.sh, errors: /tmp/secotrec1fa19berror.txt)
secotrec-gke: internal error, uncaught exception:
              (Failure "Run-genspio: fatal error")

[smondet]

It must a be a command within the script (scripts are called with the interpreter sh <path> so they don't need the x bit). Do you have access to /tmp/secotrec1fa19berror.txt?

[julia326]

I do, and the contents are:

Error:
CMD: "bash /tmp/run-genspio4e9e0a-cmd.sh" returned 126

[julia326]

Contents of /tmp/run-genspio4e9e0a-cmd.sh are:

export genspio_trap_42_63599=$$ 
 trap 'exit 77' USR1 
 if {  { { true &&  { (  eval "$(printf -- "exec %s>%s" 1 '/tmp/cmd-Copying__tmp_secotrec748042script_sh-stdout-0')" || { echo 'Exec "exec %s>%s" 1 '/tmp/cmd-Copying__tmp_secotrec748042script_sh-stdout-0' failed' >&2 ; }  
  eval "$(printf -- "exec %s>%s" 2 '/tmp/cmd-Copying__tmp_secotrec748042script_sh-stderr-0')" || { echo 'Exec "exec %s>%s" 2 '/tmp/cmd-Copying__tmp_secotrec748042script_sh-stderr-0' failed' >&2 ; }  
  {  { 'gcloud' 'compute' 'copy-files' '--zone' 'us-east1-c' '/tmp/secotrec748042script.sh' 'juliasec-secobox:/tmp/secotrec748042script.sh' ; }   ; } 
 ) ; [ $? -eq 0 ] ; } ; } ; [ $? -eq 0 ] ; } ; } 
 then : 
 else  { 'printf' 'SECOTREC: Copying /tmp/secotrec748042script.sh; FAILED:\n\n' ; }  
  { 'printf' '``````````stdout\n' ; }  
  { 'cat' '/tmp/cmd-Copying__tmp_secotrec748042script_sh-stdout-0' ; }  
  { 'printf' '\n``````````\n' ; }  
  { 'printf' '``````````stderr\n' ; }  
  { 'cat' '/tmp/cmd-Copying__tmp_secotrec748042script_sh-stderr-0' ; }  
  { 'printf' '\n``````````\n' ; }  
  { printf -- '%s\n' "EDSL.fail called" >&2 ; kill -s USR1 ${genspio_trap_42_63599} ; }  
 fi 
  { 'gcloud' 'compute' 'ssh' 'juliasec-secobox' '--zone' 'us-east1-c' '--command' 'sh /tmp/secotrec748042script.sh' ; } 
/tmp/run-genspio4e9e0a-cmd.sh (END)

[smondet]

A few notes:

• on the "from" host where this happens: gcloud is in version 111.0.0
• the fresh secoboxes get 140.0.0
• on my laptop (where it works™): 129.0.0

[smondet]

With this it kinda worked: https://github.com/hammerlab/secotrec/blob/access-rights-40/src/lib/gcloud_instance.ml#L124-L125

displays an error message but files' access rights are still changed and then we can execute:

chmod: cannot access 'sudo': No such file or directory

[smondet]

About the versions, can't find anything in the SDK's meta-changelog

[ihodes]

This is the branch that "fixed" the problem https://github.com/hammerlab/secotrec/commits/access-rights-40

[smondet]

Did this ever happen again?

[julia326]

I haven't seen this happen since, set up a new secobox recently and it went fine.

[smondet]

@julia326 what's gcloud's version on the one that works now?

[julia326]

julia@fuzzypgv-secobox:~$ gcloud --version
Google Cloud SDK 154.0.0
bq 2.0.24
core 2017.05.01
gcloud 
gsutil 4.25

[smondet]

OK, so the lesson is “If you see some suspicious SSH activity regarding access rights, upgrade gcloud or post you problem here.“