On any other Linux distro, I can create a file with a shebang and run shell scripts like so:
$ chmod +x test.sh
$ ./test.sh Johnny
hello Johnny
But on Google Cloud Platform Container-Optimized OS, I get -bash: ./test.sh: Permission denied
If I prefix with sh
e.g. sh test.sh Johnny
it will work. How can I get this to work normally?
$ cat test.sh
#!/usr/bin/env sh
echo "Hello $@"
matt@rancher-4mmm /tmp/matt $ chmod +x test.sh
matt@rancher-4mmm /tmp/matt $ sh ./test.sh matt
Hello matt
matt@rancher-4mmm /tmp/matt $ ./test.sh matt
-bash: ./test.sh: Permission denied
matt@rancher-4mmm /tmp/matt $ ls -la
total 4
drwxr-xr-x 2 matt matt 60 Feb 28 20:00 .
drwxrwxrwt 14 root root 280 Feb 28 19:59 ..
-rwxr-xr-x 1 matt matt 35 Feb 28 20:00 test.sh
Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely.
Flatcar Container Linux is a container optimized OS that ships a minimal OS image, which includes only the tools needed to run containers. The OS is shipped through an immutable filesystem and includes automatic atomic updates.
Most filesystems on a COS node are mounted with the "noexec" flag, so you can't execute binaries from them.
Some workarounds:
Container-Optimized OS mounts file systems with the "noexec" flag, with this exception: "Among the writable locations, only /var/lib/docker and /var/lib/cloud are mounted as "executable" (i.e. without the noexec mount flag)." [1] You can verify with the following command:
mount | grep noexec
For more information on the layout of the Container-Optimized OS (COS) file system, refer to the documentation. The 'noexec' option does not allow direct execution of any binaries on the mounted filesystem. This is because of the default security lock-down implementation on COS.
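To see which mount governs a given script and whether it carries noexec, the check below resolves a path against a mount table by longest mount-point prefix. It is an added example, not code from the answers above; the function names `mount_opts_for`, `is_noexec` and `sample_mounts` are hypothetical, and the sample table is constructed to mirror the layout the answers describe.

```shell
#!/bin/sh
# Added example. Paths must be absolute; mount points containing spaces
# (escaped as \040 in /proc/mounts) are not handled.

# Print the options of the mount that governs PATH: the longest mount point
# that is a prefix of PATH on a "/" boundary. Later entries shadow earlier ones.
mount_opts_for() {
    path=$1 table=${2:-/proc/mounts}
    awk -v p="$path" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    ' "$table"
}

# Succeed (exit 0) when PATH lives on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample in /proc/mounts format, not captured from a real node.
sample_mounts() {
    cat <<'EOF'
/dev/root / ext2 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /var/lib/docker ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda1 /var/lib/cloud ext4 rw,nosuid,nodev,relatime 0 0
EOF
}

table=$(mktemp) && sample_mounts > "$table"
for p in /tmp/matt/test.sh /var/lib/docker/test.sh; do
    if is_noexec "$p" "$table"; then
        echo "$p: noexec mount, ./ is refused; 'sh $p' works because sh only reads it"
    else
        echo "$p: mount allows direct execution"
    fi
done
rm -f "$table"
```

On a real node, call `is_noexec /absolute/path` with no second argument to read the live /proc/mounts.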