"Operation not permitted" while deploying the Hello World component on an AWS Greengrass device


We have followed the AWS documentation to deploy the Hello World Python component on AWS Greengrass, which is running in a container.

**Note: I need to run the container with Greengrass as a non-root user.**

**Workaround used in Dockerfile:**

```dockerfile
# Install sudo non-interactively (the original line lacked -y on install,
# which stalls or fails an unattended docker build)
RUN apt-get update -y && apt-get install -y sudo

# Create the Greengrass system user/group and give the user sudo membership
RUN groupadd ggc_group && \
    useradd -m -G ggc_group ggc_user && echo "ggc_user:ggc_user" | chpasswd && adduser ggc_user sudo

# Run the rest of the container as the non-root user
USER ggc_user
```

**Also, when I run `whoami` inside the container, I get a random user such as u7777775emnfnppabnt3r7cpg5q instead of ggc_user.**

I was able to deploy the Greengrass CLI without any issue, but the Hello World deployment throws the errors shown below:

```
2021-12-13T09:45:32.066Z [ERROR] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: update-artifact-owner. Error updating service artifact owner. {serviceName=com.example.HelloWorld, currentState=STARTING, user=ggc_user, group=ggc_group}
java.nio.file.FileSystemException: /var/lib/veea/greengrasspv/app/greengrass/v2/packages/artifacts/com.example.HelloWorld/1.0.0/hello_world.py: Operation not permitted
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
	at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwners(UnixFileAttributeViews.java:268)
	at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwner(UnixFileAttributeViews.java:290)
	at com.aws.greengrass.util.platforms.unix.UnixPlatform.setOwner(UnixPlatform.java:382)
	at com.aws.greengrass.util.platforms.Platform.lambda$setPermissions$1(Platform.java:147)
	at com.aws.greengrass.util.platforms.Platform$1.visitFile(Platform.java:178)
	at com.aws.greengrass.util.platforms.Platform$1.visitFile(Platform.java:167)
	at java.base/java.nio.file.Files.walkFileTree(Files.java:2725)
	at java.base/java.nio.file.Files.walkFileTree(Files.java:2797)
	at com.aws.greengrass.util.platforms.Platform.setPermissions(Platform.java:167)
	at com.aws.greengrass.util.platforms.Platform.setPermissions(Platform.java:109)
	at com.aws.greengrass.lifecyclemanager.RunWithPathOwnershipHandler.setPermissions(RunWithPathOwnershipHandler.java:91)
	at com.aws.greengrass.lifecyclemanager.RunWithPathOwnershipHandler.updateOwner(RunWithPathOwnershipHandler.java:74)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.updateComponentPathOwner(GenericExternalService.java:593)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.run(GenericExternalService.java:655)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.run(GenericExternalService.java:625)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.handleRunScript(GenericExternalService.java:444)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.startup(GenericExternalService.java:364)
	at com.aws.greengrass.lifecyclemanager.Lifecycle.lambda$handleStateTransitionStartingToRunningAsync$9(Lifecycle.java:531)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

2021-12-13T09:45:32.075Z [ERROR] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: Service artifacts may not be accessible to user. {serviceName=com.example.HelloWorld, currentState=STARTING}
2021-12-13T09:45:32.094Z [INFO] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-report-state. {serviceName=com.example.HelloWorld, currentState=STARTING, newState=RUNNING}
```

**Kindly help me to resolve this user permissions issue.**

Asked 2 years ago, 623 views
2 answers

Thanks for the response. I do understand we need root permissions, but we have secure Docker containers where root access is not allowed.

So I am looking for a workaround for a non-root user to run Greengrass components.

Is there a way that we can modify the source code of Greengrass to avoid using sudo for running the components?

Also, can you please let me know why it needs sudo only for custom component deployments and not for public components?

Answered 2 years ago
  • Greengrass uses the sudo command in order to run your components as the user which they are configured to run as. If you do not want to use sudo then you must configure the components to run as the exact same user that Greengrass runs as. This is settable during the setup phase when you run Greengrass with --component-default-user.

    Note that running as root inside of a docker container is not the same as running as root outside of the container. The user is still confined in the docker container.

    Many Greengrass components run as plugins to the Greengrass Nucleus; since they are not separate processes, they do not run as different users, and therefore sudo isn't needed.

  • Thanks for your suggestion. The problem is solved when I tried to use Greengrass with --component-default-user set to the current user.
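The condition the comment above describes (a component configured to run as a different user than the Nucleus forces an ownership change on its artifacts, which a non-root Nucleus cannot perform) as an added preflight check in shell; this is not code from the thread or from the Greengrass project, the function names are assumed, and a chown on a temporary file stands in for the Nucleus's setOwner step:

```shell
#!/bin/sh
# Preflight for running Greengrass as a non-root user inside a container.

# Returns 0 if this process may hand a file to the given owner (root, or
# CAP_CHOWN, or the owner is ourselves), 1 otherwise. A non-root user
# chown-ing to another account gets the same "Operation not permitted"
# the Nucleus logged in update-artifact-owner.
can_change_owner() {
  target_user="$1"
  f=$(mktemp) || return 1
  if chown "$target_user" "$f" 2>/dev/null; then
    rm -f "$f"
    return 0
  fi
  rm -f "$f"
  return 1
}

# Returns 0 when a deployment will not fail on artifact ownership:
# either the component runs as the Nucleus user itself (no chown, no
# sudo), or the Nucleus user is allowed to chown to the component user.
runas_preflight() {
  nucleus_user="$1"
  component_user="$2"
  if [ "$nucleus_user" = "$component_user" ]; then
    echo "ok: component runs as the Nucleus user; no ownership change needed"
    return 0
  fi
  if can_change_owner "$component_user"; then
    echo "ok: $nucleus_user may chown artifacts to $component_user"
    return 0
  fi
  echo "FAIL: $nucleus_user cannot chown artifacts to $component_user"
  echo "      install with --component-default-user $nucleus_user:<group> instead"
  return 1
}

# Example run: compare the user this shell runs as with the user the
# component is configured to run as (ggc_user here, as in the question).
runas_preflight "$(id -un)" "ggc_user"
```

Run it as the same user the Nucleus will run as inside the container; a FAIL line means the deployment will hit the ownership error unless the component default user is changed to match.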


Hello,

Please see: https://github.com/aws-greengrass/aws-greengrass-docker to run Greengrass inside a container without issue.

Greengrass must run as root; the error that you are seeing is exactly because Greengrass isn't running with the appropriate permissions.

Cheers, Michael

AWS Expert
Answered 2 years ago
