Dir owner 'nobody' and group 'root' after mounting container volume with `addGroupOwner` set to true.


When running a lambda function component in Greengrass v2.12.2 the mounted volume does not seem to have the correct owner.

For the host dir I have the following owner, group and permissions: drwxr-xr-x root root.

Greengrass is installed with --component-default-user ggc_user:ggc_group which I can confirm in the effective config as posixUser: "ggc_user:ggc_group"

My lambda configuration is as follows

{
  "lambdaFunction": {
    ...
    "componentLambdaParameters": {
      "pinned": true,
      ...
      "linuxProcessParams": {
        ...
        "containerParams": {
          "volumes": [
            {
              "sourcePath": "/host/dir",
              "destinationPath": "/dir",
              "addGroupOwner": true,
              "permission": "rw"
            }
          ]
        }
      }
    }
  }
}

And in my lambda the owner I get is nobody and group is root while the posix permissions for the mounted directory are drwxr-xr-x.

Also neither addGroupOwner nor permission seem to make a difference in my case; it's always drwxr-xr-x nobody root.

(Just in case it is relevant I fetch the owner programmatically in Kotlin/Java with Files.getOwner(path) and group with Files.getAttribute(this, "posix:group", NOFOLLOW_LINKS))

I was expecting the group to be ggc_group and owner to be ggc_user. Am I missing something?

My ultimate goal is to be able to create a file in the mounted volume but I get permission denied not surprisingly.

Accepted answer

Hello,

When using local resources, the local resources must not be owned by root, or else only root can access those resources. Please use a directory that you have permission to write to. Lambdas are always started with a current working directory which is writable; you can write to `.`, the current working directory, without any other changes.

You are migrating from Greengrass V1, what was the exact configuration of your lambda in Greengrass V1? That same configuration should be used with Greengrass v2.

AddGroupOwner would mean that your lambda is executed with the group ID which owns the volume. Your lambda cannot run as the root group, so this has no effect as root owns the volume. Using the default path that Greengrass gives you will work without needing to mount anything. File permissions are not changed by this setting.

If you still need assistance please enable DEBUG level logs in the Greengrass Nucleus component configuration and provide the debug logs from the lambda component. They will show what is happening.

Regards,

Michael

AWS
EXPERT
  • Changing owner to ggc_user:ggc_group for the relevant dir worked indeed.
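
The ownership rule from the accepted answer, modelled as an added example (not code from the original thread or from AWS): it checks whether the component user can create files in a host directory, treating `addGroupOwner` as adding the directory's owning group unless that group is root. The function names and the numeric uid/gid arguments are assumptions for illustration; look up the real values with `id ggc_user` on the host.

```python
import os
import stat
import sys
from dataclasses import dataclass

ROOT_GID = 0


@dataclass
class DirMeta:
    uid: int   # owner of the host directory
    gid: int   # group of the host directory
    mode: int  # permission bits, e.g. 0o755 for drwxr-xr-x


def lambda_gids(primary_gid, dir_gid, add_group_owner):
    # Assumed model of the answer: addGroupOwner runs the Lambda with the
    # group that owns the volume, but never with the root group.
    gids = {primary_gid}
    if add_group_owner and dir_gid != ROOT_GID:
        gids.add(dir_gid)
    return gids


def can_create_files(meta, uid, primary_gid, add_group_owner):
    # Creating a file needs write + search (w and x) on the directory, and
    # exactly one class is consulted: owner, else group, else other.
    # The component user is assumed to be non-root (no permission override).
    if uid == meta.uid:
        bits = (meta.mode >> 6) & 0o7
    elif meta.gid in lambda_gids(primary_gid, meta.gid, add_group_owner):
        bits = (meta.mode >> 3) & 0o7
    else:
        bits = meta.mode & 0o7
    return (bits & 0o3) == 0o3


def check_host_dir(path, uid, primary_gid, add_group_owner):
    # Read the real ownership of a host directory and apply the same check.
    st = os.stat(path)
    meta = DirMeta(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return can_create_files(meta, uid, primary_gid, add_group_owner)


if __name__ == "__main__":
    # Usage: python3 check.py /host/dir <uid of ggc_user> <gid of ggc_group>
    path, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for flag in (False, True):
        print(f"addGroupOwner={flag}: writable={check_host_dir(path, uid, gid, flag)}")
```

For a root:root directory with mode 755 the result is the same with and without `addGroupOwner`, which matches what the question reports.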
