thijsvanloef / palworld-server-docker

A Docker Container to easily run a Palworld dedicated server.
https://hub.docker.com/r/thijsvanloef/palworld-server-docker
MIT License
2.42k stars 295 forks

Cannot start server if volume is on noexec mount #93

Closed nminchow closed 5 months ago

nminchow commented 7 months ago

Describe the bug

When the server attempts to start on a Linux host where the supplied volume is on a noexec-mounted filesystem, the server does not start.

To Reproduce

  1. Create a GCP VM instance with the thijsvanloef/palworld-server-docker container image
  2. Set environment variables to the defaults provided in the readme
  3. Add a volume mount. (I'm mounting /home/palworld on the host to /palworld for simplicity)
  4. Start the instance

Expected behavior

The server starts 😄

Env

docker-compose.yml contents

not using compose

Container/Host Logs

*****CHECKING FOR EXISTING CONFIG*****
*****GENERATING CONFIG*****
timeout: failed to run command './PalServer.sh': Permission denied
cp: cannot create regular file '/palworld/Pal/Saved/Config/LinuxServer/PalWorldSettings.ini': No such file or directory
RCON_ENABLED=true
sed: can't read /palworld/Pal/Saved/Config/LinuxServer/PalWorldSettings.ini: No such file or directory
RCON_PORT=25575
sed: can't read /palworld/Pal/Saved/Config/LinuxServer/PalWorldSettings.ini: No such file or directory
*****STARTING SERVER*****
./PalServer.sh -port=8211 -players=16 -adminpassword=xxx -queryport=27015
sh: 1: ./PalServer.sh: Permission denied

Additional context

The volume mounts and installs fine, and all permissions look correct. If I go in and manually create the Saved/Config/LinuxServer path, the settings file does get made, but the sh: 1: ./PalServer.sh: Permission denied error persists.

user@palworld /home $ ls -la
total 20
(...)
drwxrwxrwx  7 chronos chronos 4096 Jan 24 17:50 palworld
user@palworld /home/palworld $ ls -la
total 44160
drwxrwxrwx 7 chronos chronos     4096 Jan 24 17:40 .
drwxr-xr-x 5 root    root        4096 Jan 24 17:32 ..
-rwxr-xr-x 1 chronos chronos     1974 Jan 24 17:35 DefaultPalWorldSettings.ini
drwxr-xr-x 6 chronos chronos     4096 Jan 24 17:39 Engine
-rwxr-xr-x 1 chronos chronos      654 Jan 24 17:35 Manifest_DebugFiles_Linux.txt
-rwxr-xr-x 1 chronos chronos     3027 Jan 24 17:35 Manifest_NonUFSFiles_Linux.txt
-rwxr-xr-x 1 chronos chronos  7506646 Jan 24 17:35 Manifest_UFSFiles_Linux.txt
drwxr-xr-x 5 chronos chronos     4096 Jan 24 17:39 Pal
-rwxr-xr-x 1 chronos chronos      252 Jan 24 17:35 PalServer.sh
drwxr-xr-x 2 chronos chronos     4096 Jan 24 17:34 backups
drwxr-xr-x 2 chronos chronos     4096 Jan 24 17:39 linux64
drwxr-xr-x 4 chronos chronos     4096 Jan 24 17:40 steamapps
-rwxr-xr-x 1 chronos chronos 37665020 Jan 24 17:35 steamclient.so

In COS, most mounts are "noexec", and I suspect that is the culprit here. If an interpreter can be used to start the server, I believe this will work: bash ./PalServer.sh.

I have manually created and stuck the volume on a non-noexec mount and I can start it successfully. However, this isn't easily sustainable as one needs to reconfigure the instance after every boot.

thijsvanloef commented 7 months ago

@nminchow I am not able to test this in GCP, are you willing to open a PR for this to test it? I suspect you only will need to change this: https://github.com/thijsvanloef/palworld-server-docker/blob/aaf8ef5231f0fed920a332417bdac5d64fee2a8e/scripts/start.sh#L3C1-L3C30

nminchow commented 7 months ago

Thanks for the quick response!

I'm glad you had me try. When I tell it to go through the interpreter by swapping the start command, it pushes the problem further down:

./PalServer.sh: line 5: /palworld/Pal/Binaries/Linux/PalServer-Linux-Test: Permission denied

And I believe that file is going to get overwritten every time the container starts.

I'm a bit surprised as I've never run into issues of this variety in the past and I've run several images on this host OS without issue, including game servers that look to have a similar structure: ex1, ex2

thijsvanloef commented 7 months ago

@nminchow Have you made any new discoveries on this topic?

nminchow commented 7 months ago

Nothing beyond my previous comment, I'm afraid.

Luatan commented 7 months ago

I did some tests on Google Cloud. I can reproduce the errors @nminchow gets, if I define the docker image in the creation of the image as described above.

Success! App '2394010' fully installed.
*****CHECKING FOR EXISTING CONFIG*****
*****GENERATING CONFIG*****
timeout: failed to run command './PalServer.sh': Permission denied
cp: cannot create regular file '/palworld/Pal/Saved/Config/LinuxServer/PalWorldSettings.ini': No such file or directory
RCON_ENABLED=true
sed: can't read /palworld/Pal/Saved/Config/LinuxServer/PalWorldSettings.ini: No such file or directory
RCON_PORT=25575
sed: can't read /palworld/Pal/Saved/Config/LinuxServer/PalWorldSettings.ini: No such file or directory
BACKUP_ENABLED=true
*****STARTING SERVER*****
./PalServer.sh -queryport=27015
./start.sh: line 319: ./PalServer.sh: Permission denied
time="2024-01-31T22:21:04Z" level=info msg="read crontab: /home/steam/server/crontab"

To see if Palworld runs without docker (on a VM with a predefined Container), I also tried to run it directly with /home/palworld $ sh ./PalServer.sh which gave me the error:

chmod: changing permissions of '/home/palworld/Pal/Binaries/Linux/PalServer-Linux-Test': Operation not permitted
./PalServer.sh: line 5: /home/palworld/Pal/Binaries/Linux/PalServer-Linux-Test: Permission denied

If I try to run the binary directly with bash or sh with the command sudo bash ./Pal/Binaries/Linux/PalServer-Linux-Test Pal "$@" I get:

./Pal/Binaries/Linux/PalServer-Linux-Test: ./Pal/Binaries/Linux/PalServer-Linux-Test: cannot execute binary file

I found this on Stack Overflow, talking about this issue, but the suggested workaround, which was also mentioned in this thread, doesn't seem to work.


If I do the following, it works:

  1. Create a VM without docker container
  2. Install docker: sudo apt install docker docker-compose
  3. (Optional) Give your user the rights to use docker without sudo: sudo usermod -aG docker <your username> + logout and login again
  4. Run the image with docker run or docker compose. For testing I used docker run -p 8211:8211/udp -p 27015:27015/udp -v /home/palworld:/palworld/ thijsvanloef/palworld-server-docker:latest

Success! App '2394010' fully installed.
*****CHECKING FOR EXISTING CONFIG*****
*****GENERATING CONFIG*****
[S_API] SteamAPI_Init(): Loaded local 'steamclient.so' OK.
CAppInfoCacheReadFromDiskThread took 3 milliseconds to initialize
Setting breakpad minidump AppID = 2394010
[S_API FAIL] Tried to access Steam interface SteamUser021 before SteamAPI_Init succeeded.
[S_API FAIL] Tried to access Steam interface SteamFriends017 before SteamAPI_Init succeeded.
[S_API FAIL] Tried to access Steam interface STEAMAPPS_INTERFACE_VERSION008 before SteamAPI_Init succeeded.
[S_API FAIL] Tried to access Steam interface SteamNetworkingUtils004 before SteamAPI_Init succeeded.
RCON_ENABLED=true
RCON_PORT=25575
BACKUP_ENABLED=true
*****STARTING SERVER*****
./PalServer.sh -queryport=27015
time="2024-01-31T22:11:13Z" level=info msg="read crontab: /home/steam/server/crontab"
Shutdown handler: initalize.
Increasing per-process limit of core file size to infinity.
- Existing per-process limit (soft=18446744073709551615, hard=18446744073709551615) is enough for us (need only 18446744073709551615)
[S_API] SteamAPI_Init(): Loaded local 'steamclient.so' OK.
Setting breakpad minidump AppID = 2394010
[S_API FAIL] Tried to access Steam interface SteamUser021 before SteamAPI_Init succeeded.
[S_API FAIL] Tried to access Steam interface SteamFriends017 before SteamAPI_Init succeeded.
CAppInfoCacheReadFromDiskThread took 31 milliseconds to initialize
[S_API FAIL] Tried to access Steam interface STEAMAPPS_INTERFACE_VERSION008 before SteamAPI_Init succeeded.
[S_API FAIL] Tried to access Steam interface SteamNetworkingUtils004 before SteamAPI_Init succeeded.

If you create a VM with a docker container the home partition is mounted with noexec. If you install docker yourself it is not the case:

without docker container in VM creation

instance-1:~$ mount | grep noexec
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=402304k,mode=755,inode64)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
ramfs on /run/credentials/systemd-sysctl.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-sysusers.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-tmpfiles-setup-dev.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-tmpfiles-setup.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)

with docker container in VM creation

instance-2 ~ $ mount | grep noexec
devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,relatime,size=2006260k,nr_inodes=501565,mode=755)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,gid=605,mode=750)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
ramfs on /run/credentials/systemd-sysctl.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-tmpfiles-setup-dev.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
/dev/sda8 on /usr/share/oem type ext4 (ro,nosuid,nodev,noexec,relatime)
/dev/sda1 on /mnt/stateful_partition type ext4 (rw,nosuid,nodev,noexec,relatime,commit=30)
/dev/sda1 on /home type ext4 (rw,nosuid,nodev,noexec,relatime,commit=30)
/dev/sda1 on /var type ext4 (rw,nosuid,nodev,noexec,relatime,commit=30)
ramfs on /run/credentials/systemd-tmpfiles-setup.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-resolved.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)

I hope this helps. Maybe someone with more experience in Google Cloud can help with this issue.
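
A preflight check that a start script could run for the failure diagnosed in this thread, as an added example that is not part of the original comments or the project's scripts: it finds the mount backing the volume path in a /proc/mounts-format table and reports whether noexec is set. The function names, the sample table and the /mnt/disks path are assumptions made for the example.

```bash
# Added example (not from the thread): preflight check for a noexec volume.
# Mount table format is /proc/mounts: device mountpoint fstype options dump pass

# Print options of the mount backing $1; $2 = table (default /proc/self/mounts).
mount_opts_for() {
    local path="${1%/}" table="${2:-/proc/self/mounts}"
    awk -v p="${path:-/}" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            # ">=" lets a later mount on the same mountpoint shadow an earlier one
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { if (opts == "") exit 1; print opts }
    ' "$table"
}

# Exit status: 0 = noexec set, 1 = exec allowed, 2 = no mount entry found.
is_noexec() {
    local opts
    opts="$(mount_opts_for "$1" "$2")" || return 2
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Fail before starting the server instead of at "./PalServer.sh: Permission denied".
preflight() {
    local rc=0
    is_noexec "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "ERROR: $1 is on a noexec mount; binaries there cannot run" >&2; return 1 ;;
        1) echo "OK: $1 allows exec" ;;
        *) echo "ERROR: no mount entry covers $1" >&2; return 2 ;;
    esac
}

# Constructed sample: /home and /var options are from the thread; "/" and /mnt/disks are hypothetical.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/root / ext2 ro,relatime 0 0
/dev/sda1 /home ext4 rw,nosuid,nodev,noexec,relatime,commit=30 0 0
/dev/sda1 /var ext4 rw,nosuid,nodev,noexec,relatime,commit=30 0 0
tmpfs /mnt/disks tmpfs rw,relatime 0 0
EOF
}

t="$(mktemp)"; write_sample_mounts "$t"
preflight /home/palworld "$t" || true   # expected to fail: /home is noexec
preflight /mnt/disks/palworld "$t"; rm -f "$t"
```

Called with only a path, the functions read the live /proc/self/mounts, so the same check works inside the container against /palworld.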

thijsvanloef commented 5 months ago

This issue has not been updated in a while. Marking this won't fix, as I have no plans to work on a fix.