From 86edcc5b5349d122f674621d6dbbb83d4a913f17 Mon Sep 17 00:00:00 2001
From: Andrey Cheptsov
Date: Fri, 27 Mar 2026 17:17:31 +0100
Subject: [PATCH] Fix SELinux denials and "Text file busy" on SSH fleet provisioning The shim binary download uses cp to copy from /tmp to /usr/local/bin/. This causes two issues: 1. "Text file busy" (ETXTBSY) when re-provisioning without cleanup, because cp tries to write to a running executable. Revert to mv which atomically replaces the directory entry. 2. On SELinux-enforcing hosts (RHEL, Rocky), mv from /tmp preserves the user_tmp_t context. Add chcon to set the correct bin_t context. No-op on non-SELinux systems via 2>/dev/null || true.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/dstack/_internal/core/backends/base/compute.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/dstack/_internal/core/backends/base/compute.py b/src/dstack/_internal/core/backends/base/compute.py
index 3304b6e93..66c650854 100644
--- a/src/dstack/_internal/core/backends/base/compute.py
+++ b/src/dstack/_internal/core/backends/base/compute.py
@@ -906,8 +906,9 @@ def get_shim_pre_start_commands(
 f"dlpath=$(sudo mktemp -t {DSTACK_SHIM_BINARY_NAME}.XXXXXXXXXX)",
 # -sS -- disable progress meter and warnings, but still show errors (unlike bare -s)
 f'sudo curl -sS --compressed --connect-timeout 60 --max-time 240 --retry 1 --output "$dlpath" "{url}"',
- f'sudo cp "$dlpath" {dstack_shim_binary_path} && sudo rm "$dlpath"',
+ f'sudo mv "$dlpath" {dstack_shim_binary_path}',
 f"sudo chmod +x {dstack_shim_binary_path}",
+ f"{{ sudo chcon system_u:object_r:bin_t:s0 {dstack_shim_binary_path} 2>/dev/null || true; }}",
 f"sudo mkdir {dstack_working_dir} -p",
 ]
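Review bot: The added `sudo mv "$dlpath" {dstack_shim_binary_path}` is an atomic replace only when `$dlpath` sits on the same filesystem as the target, and `mktemp -t` creates it under the temp directory, which is often a separate tmpfs. In that case mv falls back to copy-and-delete, so a shim start that races with re-provisioning can find the binary missing or partially written. Creating the temp file next to the target, e.g. `f"dlpath=$(sudo mktemp {dstack_shim_binary_path}.XXXXXXXXXX)",`, keeps the rename atomic and should let the file take the directory's label at creation, which would probably make the chcon line unnecessary. If the relabel stays, `restorecon` would apply the policy's own context rather than a hard-coded `system_u:object_r:bin_t:s0`, and the blanket `2>/dev/null || true` hides a failed relabel on enforcing hosts until the shim is later denied execution. The command list and its enclosing function start and end outside the hunk.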