Azure Arc extension manager installation of AMA fails with noexec on /var?

Question

Installation of Arc extension AzureMonitorLinuxAgent fails with the following message:

{"Blocked":false,"EnableEndTelemetrySent":false,"ErrorMsg":"Extension returned non-zero exit code for Install: 1. Extension error output: std error: Failed to find executable /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-1.35.1/./shim.sh: Permission denied\n. ","Ext_output_size":12,"ExtensionHash":"xxxxxx","ExtensionName":"AzureMonitorLinuxAgent","ExtensionState":"FAILED_INSTALL","ExtensionVersion":"1.35.1","FailedDownloadCount":0,"IsMultiConfig":false,"MachineId":"xxxxxx","MultiConfigName":"","MultiConfigPropertiesHash":"","MultiConfigServiceRequestId":"","OldExtFormat":false,"ProcessingTime":0,"Publisher":"Microsoft.Azure.Monitor","SequenceNumberFinished":-1,"SequenceNumberStarted":0,"ServiceRequestId":"xxxxxx","Type":"AzureMonitorLinuxAgent","jobId":"xxxxxx"}

The /var filesystem is mounted with no exec. Could this be a problem and how to resolve it?

Answer 1

Hi @RobH,

azcmagent config info does not expose any option to configure or change the working directory or extension install path for the Azure Arc agent (including extensions like AzureMonitorLinuxAgent).

 This is by design. Azure Arc for servers is intended to provide a consistent, managed experience, and does not currently support customizing extension install directories via agent configuration.

 There’s no documented flag or config to change the install directory of the extension payloads.

 Fix the issue where shim.sh can’t execute (your original error) by:

 Remounting /var without noexec, at least temporarily:

sudo mount -o remount,exec /var

 Or relocating /var/lib/waagent to a path without noexec:

sudo mkdir /opt/waagent 
sudo cp -a /var/lib/waagent/* /opt/waagent/
sudo mv /var/lib/waagent /var/lib/waagent.bak
sudo ln -s /opt/waagent /var/lib/waag

Please let me know if you face any challenge here, I can help you to resolve this issue further

Provide your valuable Comments.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Answer 2

Hi RobH,

Thanks for reaching out about this issue. The error you’re seeing indicates that the installation of the AzureMonitorLinuxAgent extension is failing because it cannot execute the shim.sh script located in /var/lib/waagent/. This is likely due to the /var filesystem being mounted with the noexec option, which prevents the execution of binaries or scripts from that location.

To resolve this, you have a couple of options. First, you could remount the /var filesystem without the noexec option, though this may not be ideal for security reasons if your environment requires it. Alternatively, you can configure the Azure Arc agent to use a different directory for extension operations, one that is not mounted with noexec. This can be done by modifying the agent’s working directory in its configuration.

Best regards,
Alex
P.S. If my answer help to you, please Accept my answer
PPS That is my Answer and not a Comment
http://ctrlaltdel.blog/