Dir owner 'nobody' and group 'root' after mounting container volume with `addGroupOwner` set to true.


When running a lambda function component in Greengrass v2.12.2, the mounted volume does not seem to have the correct owner.

For the host dir I have the following owner, group and permissions: drwxr-xr-x root root.

Greengrass is installed with `--component-default-user ggc_user:ggc_group`, which I can confirm in the effective config as `posixUser: "ggc_user:ggc_group"`.

My lambda configuration is as follows:

{
  "lambdaFunction": {
    ...
    "componentLambdaParameters": {
      "pinned": true,
      ...
      "linuxProcessParams": {
        ...
        "containerParams": {
          "volumes": [
            {
              "sourcePath": "/host/dir",
              "destinationPath": "/dir",
              "addGroupOwner": true,
              "permission": "rw"
            }
          ]
        }
      }
    }
  }
}

And in my lambda the owner I get is `nobody` and the group is `root`, while the POSIX permissions for the mounted directory are drwxr-xr-x.

Also, neither `addGroupOwner` nor `permission` seems to make a difference in my case; it's always drwxr-xr-x nobody root.

(Just in case it is relevant: I fetch the owner programmatically in Kotlin/Java with `Files.getOwner(path)` and the group with `Files.getAttribute(this, "posix:group", NOFOLLOW_LINKS)`.)

I was expecting the group to be ggc_group and owner to be ggc_user. Am I missing something?

My ultimate goal is to be able to create a file in the mounted volume, but I get permission denied, not surprisingly.

asked 2 months ago, 178 views
1 Answer
1
Accepted answer

Hello,

When using local resources, those resources must not be owned by root, or else only root can access them. Please use a directory that you have permission to write to. Lambdas are always started with a current working directory which is writable; you can write to `.`, the current working directory, without any other changes.

You are migrating from Greengrass V1; what was the exact configuration of your lambda in Greengrass V1? That same configuration should be used with Greengrass v2.

`addGroupOwner` would mean that your lambda is executed with the group ID which owns the volume. Your lambda cannot run as the root group, so this has no effect, as root owns the volume. Using the default path that Greengrass gives you will work without needing to mount anything. File permissions are not changed by this setting.

If you still need assistance please enable DEBUG level logs in the Greengrass Nucleus component configuration and provide the debug logs from the lambda component. They will show what is happening.

Regards,

Michael

AWS
EXPERT
answered 2 months ago
EXPERT
verified 2 months ago
  • Changing owner to ggc_user:ggc_group for the relevant dir worked indeed.

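The two points the answer makes, that the directory's mode bits are not changed by `addGroupOwner` and that a root-owned volume therefore stays unwritable for the component user, can be checked before deploying rather than by reading `Files.getOwner` inside the lambda. The script below is an added example written for this page, not code from the thread or from Greengrass itself. It models the POSIX check a process hits when creating a file in a directory (write and search bits on the directory for whichever of owner/group/other applies) and adds the `addGroupOwner` behaviour as described above. Two assumptions not stated on the page: the root group (gid 0) is never added, mirroring "your lambda cannot run as the root group", and the uids/gids 1001, 1000 and 2000 used in the demo are made up. `check_path` relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): who may create a file in a
# volume directory, given its owner/group/mode and the component process's
# uid/gid plus the Greengrass v2 `addGroupOwner` flag. Mode bits are never
# modified by the flag; only the group membership of the process changes.
# Assumption: gid 0 is never added to the process (see lead-in).

# can_write DIR_UID DIR_GID DIR_MODE PROC_UID PROC_GID ADD_GROUP_OWNER
# DIR_MODE is octal as printed by `stat -c %a`, e.g. 755.
# Prints "writable" or "denied"; exit status 0 for writable, 1 otherwise.
can_write() {
  dir_uid=$1; dir_gid=$2; mode=$(( 0$3 )); proc_uid=$4; proc_gid=$5; add_group=$6

  # uid 0 bypasses discretionary access checks entirely
  if [ "$proc_uid" -eq 0 ]; then echo writable; return 0; fi

  if [ "$proc_uid" -eq "$dir_uid" ]; then
    cls=6                                   # owner class: bits 8..6
  elif [ "$proc_gid" -eq "$dir_gid" ] ||
       { [ "$add_group" = true ] && [ "$dir_gid" -ne 0 ]; }; then
    cls=3                                   # group class: bits 5..3
  else
    cls=0                                   # other class: bits 2..0
  fi
  bits=$(( (mode >> cls) & 7 ))
  # creating an entry needs both w (2) and x (1) on the directory
  if [ $(( bits & 3 )) -eq 3 ]; then echo writable; return 0; fi
  echo denied; return 1
}

# check_path DIR PROC_UID PROC_GID ADD_GROUP_OWNER
# Reads owner, group and mode from a real directory (GNU stat) and applies
# the same rule, e.g. against the host side of the volume before deploying.
check_path() {
  st=$(stat -c '%u %g %a' "$1") || return 1
  # shellcheck disable=SC2086
  set -- $st "$2" "$3" "$4"
  can_write "$1" "$2" "$3" "$4" "$5" "$6"
}

# Demo. The question's situation: host dir root:root 0755, component user
# ggc_user:ggc_group (1001:1001 is made up), addGroupOwner true.
printf 'root:root 0755, addGroupOwner=true   -> %s\n' "$(can_write 0 0 755 1001 1001 true)"
# The fix confirmed in the thread: chown ggc_user:ggc_group on the host dir.
printf 'ggc_user:ggc_group 0755              -> %s\n' "$(can_write 1001 1001 755 1001 1001 true)"
# A non-root owner with a group-writable dir: addGroupOwner is what makes it work.
printf 'other:other 0775, addGroupOwner=true -> %s\n' "$(can_write 1000 2000 775 1001 1001 true)"
printf 'other:other 0775, addGroupOwner=false-> %s\n' "$(can_write 1000 2000 775 1001 1001 false)"
```

The first case prints `denied` and the second `writable`, which is the behaviour reported in the thread; the last two show that `addGroupOwner` only helps when the directory's group is not root and the group class actually carries the write and search bits.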