
I've created my first Compute instance with Container-Optimized OS and the following scopes:

Cloud SQL       Enabled
Compute Engine      Read Write
Service Control     Enabled
Service Management      Read Only
Stackdriver Logging API     Write Only
Stackdriver Monitoring API      Write Only
Stackdriver Trace       Write Only
Storage     Read Only

I need to install Cloud SQL Proxy and I follow this documentation: https://cloud.google.com/sql/docs/postgres/connect-compute-engine#gce-connect-proxy

I can SSH without any problem, but I can't execute a command:

leszek@backend-app ~ $ wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
2018-04-10 19:52:00 (211 MB/s) - 'cloud_sql_proxy' saved [7505002/7505002]
leszek@backend-app ~ $ chmod +x cloud_sql_proxy
leszek@backend-app ~ $ ./cloud_sql_proxy -instances=my-instance=tcp:0.0.0.0:5432
-bash: ./cloud_sql_proxy: Permission denied
lgr@backend-app ~ $ sudo ./cloud_sql_proxy -instances=my-instance=tcp:0.0.0.0:5432
sudo: unable to execute ./cloud_sql_proxy: Permission denied

What obvious thing am I missing that I cannot even start the sql_proxy command?

    • Thanks, tried with sudo and the issue remains. I have no idea what is going on. Is there such a limitation for Container-Optimized OS?
    • The thing that popped out to my eyes is the separation between 54 32: is it all on the same line and a mistake pasting it, or are they separated? If it's not a whole port number (like 5432) you need sudo, as the first 1024 ports are reserved to root (still, I guess it's more about the paste here than the command you run).

Container-Optimized OS mounts the majority of the file system with the "noexec" flag. This can be seen by running the following:

mount | grep noexec

The 'noexec' option doesn't allow direct execution of any binaries on the mounted file system. This is part of the default security lock-down on COS.

There are however some writable locations (for example /var/lib/docker and /var/lib/cloud) in the Container-Optimized OS file system. These locations are mounted as "executable" (i.e. they are mounted without the noexec mount flag).

Following the guide linked in the post, you are better off using Debian or Red Hat instances. However, if you want to execute the binary file (cloud_sql_proxy) on a Google Container-Optimized OS instance, you could try copying the file to a writable location (for example /var/lib/docker):

sudo cp cloud_sql_proxy /var/lib/docker

Then try executing the file there:

sudo ./cloud_sql_proxy

This should allow you to get past the "Permission denied" error.

At this point, presuming the instance has the correct scope applied, you will receive an output such as this:

2018/04/23 08:48:21 must specify -projects, -fuse, or -instances

If the instance doesn't have the correct scope set, you will receive a message suggesting the service account is not configured with sufficient permissions.

If this is the case, you can get past this error by stopping and editing the instance, and setting the Cloud SQL scope to enabled.
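The answer above explains that the "Permission denied" comes from the noexec mount flag rather than from file permissions, which is why chmod +x and sudo make no difference. The following POSIX shell function is an added example (not part of the answer or of Google's tooling) that tells you, before you run anything, whether a given path sits on a noexec mount: it parses `mount` output, picks the most specific mount point containing the path, and reports the flag. The sample mount table is constructed for this example and is not a capture from a real COS host; the function falls back to the live `mount` output when no table is passed.

```shell
#!/bin/sh
# Constructed sample of `mount` output, loosely modelled on a Container-Optimized
# OS host. Devices, mount points and options are assumptions for this example.
SAMPLE_MOUNTS='/dev/root on / type ext2 (ro,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
/dev/sda1 on /var type ext4 (rw,nosuid,nodev,noexec,relatime)
/dev/sda1 on /var/lib/docker type ext4 (rw,nosuid,nodev,relatime)
/dev/sda1 on /home type ext4 (rw,nosuid,nodev,noexec,relatime)'

# exec_status PATH [MOUNT_OUTPUT]
# Prints "noexec" if the most specific mount point containing PATH carries the
# noexec flag, "exec" otherwise. MOUNT_OUTPUT defaults to the live `mount` output,
# so `exec_status /home/me/cloud_sql_proxy` answers the question for this host.
exec_status() {
    path=$1
    mounts=${2:-$(mount)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
    {
        # `mount` prints: DEV on MOUNTPOINT type FSTYPE (OPTS)
        mp = $3
        opts = $NF
        # A mount point contains the path if it is "/", equals the path,
        # or is a proper prefix of it at a directory boundary.
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            # Keep the longest match: /var/lib/docker beats /var.
            if (length(mp) > best_len) { best_len = length(mp); best_opts = opts }
        }
    }
    END {
        if (best_opts ~ /[(,]noexec[,)]/) print "noexec"; else print "exec"
    }'
}

# When run directly with a path argument, report the status for this host.
if [ $# -gt 0 ]; then
    exec_status "$1"
fi
```

With the sample table, a binary under /home reports "noexec" while one copied to /var/lib/docker reports "exec", which matches the behaviour described in the answer. Note that the longest-prefix rule matters: /var is noexec, but /var/lib/docker is a separate mount without the flag, so a naive prefix match against /var would give the wrong answer.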

    • This is Google's Container-Optimized OS. When I switch to regular Debian, I can execute cloud_sql_proxy. It seems there is a restriction for Container-Optimized OS, but I can't find a thing about that in any docs.
    • I used once again Container-Optimized OS 65-10323.69.0 stable. Created the instance, wget the Cloud SQL proxy, chmod, and still Permission denied. Literally nothing else. Which image have you chosen? `#: ls -lt` gives `total 7336 -rwxr-xr-x 1 lgr lgr 7505002 Oct 3 2017 cloud_sql_proxy`
    • Apologies, I was sure I tested this on a Container-Optimized OS. However, I've just tried again now and it doesn't work (I must have created a different machine to what I intended the first time around). I think I know why this doesn't work, and I'll update my answer with that information now.
    • No problem. So it seems that COS does not allow executing any program other than Docker itself.
    • Yes, that appears to be the case. Even though you can execute binaries in other specific directories, CoreOS is not designed for this use case.

The best option for deploying the Cloud SQL proxy on Container-Optimized OS is to use the official Cloud SQL proxy container and link the networks:

docker run -d -v /cloudsql:/cloudsql \
  -v <PATH_TO_KEY_FILE>:/config \
  -p 127.0.0.1:5432:5432 \
  gcr.io/cloudsql-docker/gce-proxy:1.11 /cloud_sql_proxy \
  -instances=<INSTANCE_CONNECTION_NAME>=tcp:0.0.0.0:5432 -credential_file=/config

See: https://cloud.google.com/sql/docs/postgres/connect-docker
