Dir owner 'nobody' and group 'root' after mounting container volume with `addGroupOwner` set to true.

0

When running a lambda function component in Greengrass v2.12.2 the mounted volume does not seem to have the correct owner.

For the host dir I have the following owner, group and permissions: drwxr-xr-x root root.

Greengrass is installed with --component-default-user ggc_user:ggc_group which I can confirm in the effective config as posixUser: "ggc_user:ggc_group"

My lambda configuration is as follows:

{
  "lambdaFunction": {
    ...
    "componentLambdaParameters": {
      "pinned": true,
      ...
      "linuxProcessParams": {
        ...
        "containerParams": {
          "volumes": [
            {
              "sourcePath": "/host/dir",
              "destinationPath": "/dir",
              "addGroupOwner": true,
              "permission": "rw"
            }
          ]
        }
      }
    }
  }
}

And in my lambda the owner I get is nobody and the group is root, while the POSIX permissions for the mounted directory are drwxr-xr-x.

Also, neither addGroupOwner nor permission seems to make a difference in my case; it's always drwxr-xr-x nobody root.

(Just in case it is relevant: I fetch the owner programmatically in Kotlin/Java with Files.getOwner(path) and the group with Files.getAttribute(this, "posix:group", NOFOLLOW_LINKS).)

I was expecting the group to be ggc_group and owner to be ggc_user. Am I missing something?

My ultimate goal is to be able to create a file in the mounted volume but I get permission denied not surprisingly.

asked 2 months ago, 179 views
1 answer
1
Accepted answer

Hello,

When using local resources, the local resources must not be owned by root, or else only root can access those resources. Please use a directory that you have permission to write to. Lambdas are always started with a current working directory which is writable; you can write to ., the current working directory, without any other changes.

You are migrating from Greengrass V1, what was the exact configuration of your lambda in Greengrass V1? That same configuration should be used with Greengrass v2.

AddGroupOwner would mean that your lambda is executed with the group ID which owns the volume. Your lambda cannot run as the root group, so this has no effect as root owns the volume. Using the default path that Greengrass gives you will work without needing to mount anything. File permissions are not changed by this setting.

If you still need assistance please enable DEBUG level logs in the Greengrass Nucleus component configuration and provide the debug logs from the lambda component. They will show what is happening.

Regards,

Michael

AWS
EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
  • Changing the owner to ggc_user:ggc_group for the relevant dir did indeed work.
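To make the permission logic in the accepted answer concrete, the following is an added example, not code from the original thread or from Greengrass itself. It simulates the POSIX discretionary access check that the Lambda's file creation fails on, and models addGroupOwner the way the answer describes it: the volume's owning group is added to the process, except that the root group is never granted. The uid/gid values for ggc_user/ggc_group (1001) and the shared group (2000) are hypothetical; the real ids on a host differ, and the volume's permission setting is not modelled because the answer states it does not change file permissions.

```python
import stat
from dataclasses import dataclass, field

ROOT_GID = 0

# Hypothetical ids for ggc_user:ggc_group; the real ids depend on the host.
GGC_UID, GGC_GID = 1001, 1001


@dataclass(frozen=True)
class DirState:
    """Ownership and permission bits of the host directory, as shown by `ls -ld`."""
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o755


@dataclass
class LambdaProcess:
    """Credentials the Lambda component process runs with (posixUser ggc_user:ggc_group)."""
    uid: int
    gid: int
    supplementary_gids: set = field(default_factory=set)


def mode_string(mode: int) -> str:
    """Render directory permission bits the way `ls -ld` does, e.g. 'drwxr-xr-x'."""
    return stat.filemode(stat.S_IFDIR | mode)


def apply_volume(proc: LambdaProcess, vol: DirState, add_group_owner: bool) -> LambdaProcess:
    """Model of addGroupOwner as described in the answer (an assumption, not the nucleus code):
    the gid that owns the source path is granted to the process as a supplementary group,
    but the root group can never be granted, so a root-owned volume gains nothing."""
    if add_group_owner and vol.gid != ROOT_GID:
        proc.supplementary_gids.add(vol.gid)
    return proc


def permission_class(proc: LambdaProcess, d: DirState) -> str:
    """Standard POSIX class selection: owner bits if the uid matches, otherwise group bits
    if the directory's gid is the primary or a supplementary gid, otherwise 'other' bits.
    Root (uid 0) bypasses the check, but components never run as root here."""
    if proc.uid == d.uid:
        return "owner"
    if d.gid == proc.gid or d.gid in proc.supplementary_gids:
        return "group"
    return "other"


def can_create_file(proc: LambdaProcess, d: DirState) -> bool:
    """Creating a file needs both write (w) and search (x) on the directory
    in whichever permission class applies to the process."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(proc, d)]
    bits = (d.mode >> shift) & 0o7
    return bits & 0o3 == 0o3


# Scenario 1: exactly what the question reports. /host/dir is root:root 0755 and the
# lambda runs as ggc_user:ggc_group with addGroupOwner=true.
def scenario_as_posted() -> bool:
    d = DirState(uid=0, gid=ROOT_GID, mode=0o755)
    p = apply_volume(LambdaProcess(GGC_UID, GGC_GID), d, add_group_owner=True)
    return can_create_file(p, d)


# Scenario 2: the fix from the comment, `chown ggc_user:ggc_group /host/dir`.
def scenario_after_chown() -> bool:
    d = DirState(uid=GGC_UID, gid=GGC_GID, mode=0o755)
    p = apply_volume(LambdaProcess(GGC_UID, GGC_GID), d, add_group_owner=True)
    return can_create_file(p, d)


# Scenario 3: what addGroupOwner is actually for. The directory stays root-owned but
# belongs to a non-root, group-writable group (hypothetical gid 2000); the flag decides
# whether the lambda is placed in that group.
def scenario_group_owned(add_group_owner: bool) -> bool:
    shared_gid = 2000
    d = DirState(uid=0, gid=shared_gid, mode=0o775)
    p = apply_volume(LambdaProcess(GGC_UID, GGC_GID), d, add_group_owner)
    return can_create_file(p, d)


if __name__ == "__main__":
    print("as posted      (root:root 0755, addGroupOwner):", scenario_as_posted())
    print("after chown    (ggc_user:ggc_group 0755):      ", scenario_after_chown())
    print("root:2000 0775 without addGroupOwner:          ", scenario_group_owned(False))
    print("root:2000 0775 with addGroupOwner:             ", scenario_group_owned(True))
```

The first scenario lands in the "other" class with r-x only, which is the permission-denied result from the question; chowning the directory moves the process into the owner class, and the third scenario shows that addGroupOwner only helps when the volume's owning group is something the component is allowed to join.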
