Greengrass/Docker local volume permissions

0

I have a Greengrass component that runs a Docker container. I am struggling to understand how the permissions of folders and files are set when this is run by Greengrass.

A snippet of my recipe looks like this:

"Install": {
  "Skipif": {
    "exists": "/home/ggc_user/data/package.json"
  },
  "Script": "mkdir -m 777 /home/ggc_user/data"
},
"Run": {
  "Script": "docker run --restart always -v /home/ggc_user/onwatch-data:/home/node/.signalk --log-opt max-size=10m --log-opt max-file=5  --network host --name testContainter testContainer"
}

When I look at the permissions of /home/ggc_user/ using ls -l after the component is installed the file permissions look like:

drwxrwxrwx 4 ggc_user ggc_group 4096 Oct 6 15:38 data

I then go into the 'data' directory and look at the permissions of the files created inside from the docker container and the files are owned by admin which is my standard user.

-rw-r--r-- 1 admin admin   186 Oct  6 15:33 package.json
drwxr-xr-x 2 admin admin  4096 Oct  6 15:33 plugin-config-data

I would have thought it would create these with ggc_user as the owner. I have issues getting the container to run unless I set the permissions to 777.

What am I doing wrong?

Asked 2 years ago · 219 views
3 Answers
1

Hi Phil,

This is just the normal behaviour of Docker on Linux and has nothing to do with Greengrass. Files written to a host-mounted volume have the owner set to the user running the process in the container. In your case, as the container runs with the user admin:admin, any file written to the host will have the same ownership.

I do not know which issues you are encountering in running your container, but you can try to run the component as admin:admin so that the user running in the container matches the user on the host.

You can set the uid and gid for the component in the deployment configuration.

Cheers,

Massimiliano

AWS
Expert
Answered 2 years ago
1

You might consider setting the "runWith" parameter in your component recipe. For more information, see the "runWith" property description at https://docs.aws.amazon.com/greengrass/v2/developerguide/create-deployments.html

AWS
dghz
Answered 2 years ago
0

Inside the Dockerfile the user and group created was GID:1000 UID:1000, which is the same as my admin user on the host. I have changed the component to run as admin and the permission errors have gone away.

Answered 2 years ago
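
The ownership behaviour discussed in the answers above, as an added example that is not part of the original thread: a bind mount compares numeric UIDs and GIDs, so this script reports which permission class (owner, group or other) lets a given container UID:GID create files in a host directory, and flags the case where only world-writable bits allow it. The function names are hypothetical; it assumes GNU stat, a non-root container user, no supplementary groups, and no ACLs or user-namespace remapping.

```sh
#!/bin/sh
# Added example (not from the thread): which permission class lets a
# container's numeric UID:GID create files in a bind-mounted host directory.
# Assumptions: GNU stat (Linux), a non-root container user, no supplementary
# groups, no ACLs and no user-namespace remapping.

# write_class DIR UID GID -> prints owner|group|other|none
write_class() {
    wc_info=$(stat -c '%u %g %a' "$1") || return 2
    wc_uid=$2 wc_gid=$3
    set -- $wc_info                      # $1=dir uid, $2=dir gid, $3=octal mode
    wc_mode=$(( $3 % 1000 ))             # drop the setuid/setgid/sticky digit
    # The kernel consults exactly one class: owner, else group, else other.
    if   [ "$wc_uid" -eq "$1" ]; then wc_bits=$(( wc_mode / 100 ));     wc_class=owner
    elif [ "$wc_gid" -eq "$2" ]; then wc_bits=$(( wc_mode / 10 % 10 )); wc_class=group
    else                              wc_bits=$(( wc_mode % 10 ));      wc_class=other
    fi
    # Creating a file needs both write (2) and search (1) on the directory.
    if [ $(( wc_bits & 3 )) -eq 3 ]; then echo "$wc_class"; else echo none; fi
}

# audit_mount DIR UID GID -> prints a verdict; returns 0 only when access
# comes from owner or group bits rather than world-writable ones.
audit_mount() {
    am_class=$(write_class "$1" "$2" "$3") || return 2
    case $am_class in
        owner|group) echo "ok: $2:$3 writes to $1 via $am_class bits" ;;
        other) echo "weak: $2:$3 writes to $1 only because it is world-writable"
               return 1 ;;
        *)     echo "denied: $2:$3 cannot create files in $1"
               return 1 ;;
    esac
}

# Usage with the thread's values (container user 1000:1000):
#   audit_mount /home/ggc_user/data 1000 1000
```

A "weak" verdict for 1000:1000 on /home/ggc_user/data is the situation in the question; matching the directory owner or the component user to the container's IDs removes the need for mode 777.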
