We have followed the AWS documentation to deploy the Hello World Python component on AWS Greengrass, which is running in a container.
**Note: I need to run the container with Greengrass as a non-root user.**

**Workaround used in Dockerfile:**

```dockerfile
RUN apt-get update -y && apt-get install sudo
RUN groupadd ggc_group && \
    useradd -m -G ggc_group ggc_user && echo "ggc_user:ggc_user" | chpasswd && adduser ggc_user sudo
USER ggc_user
```
**Also, when I do `whoami` inside the container, I get a random user such as `u7777775emnfnppabnt3r7cpg5q` instead of `ggc_user`.**
I was able to deploy the Greengrass CLI without any issue. But the Hello World deployment is throwing the errors shown below:
```
2021-12-13T09:45:32.066Z [ERROR] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: update-artifact-owner. Error updating service artifact owner. {serviceName=com.example.HelloWorld, currentState=STARTING, user=ggc_user, group=ggc_group}
java.nio.file.FileSystemException: /var/lib/veea/greengrasspv/app/greengrass/v2/packages/artifacts/com.example.HelloWorld/1.0.0/hello_world.py: Operation not permitted
    at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
    at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwners(UnixFileAttributeViews.java:268)
    at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwner(UnixFileAttributeViews.java:290)
    at com.aws.greengrass.util.platforms.unix.UnixPlatform.setOwner(UnixPlatform.java:382)
    at com.aws.greengrass.util.platforms.Platform.lambda$setPermissions$1(Platform.java:147)
    at com.aws.greengrass.util.platforms.Platform$1.visitFile(Platform.java:178)
    at com.aws.greengrass.util.platforms.Platform$1.visitFile(Platform.java:167)
    at java.base/java.nio.file.Files.walkFileTree(Files.java:2725)
    at java.base/java.nio.file.Files.walkFileTree(Files.java:2797)
    at com.aws.greengrass.util.platforms.Platform.setPermissions(Platform.java:167)
    at com.aws.greengrass.util.platforms.Platform.setPermissions(Platform.java:109)
    at com.aws.greengrass.lifecyclemanager.RunWithPathOwnershipHandler.setPermissions(RunWithPathOwnershipHandler.java:91)
    at com.aws.greengrass.lifecyclemanager.RunWithPathOwnershipHandler.updateOwner(RunWithPathOwnershipHandler.java:74)
    at com.aws.greengrass.lifecyclemanager.GenericExternalService.updateComponentPathOwner(GenericExternalService.java:593)
    at com.aws.greengrass.lifecyclemanager.GenericExternalService.run(GenericExternalService.java:655)
    at com.aws.greengrass.lifecyclemanager.GenericExternalService.run(GenericExternalService.java:625)
    at com.aws.greengrass.lifecyclemanager.GenericExternalService.handleRunScript(GenericExternalService.java:444)
    at com.aws.greengrass.lifecyclemanager.GenericExternalService.startup(GenericExternalService.java:364)
    at com.aws.greengrass.lifecyclemanager.Lifecycle.lambda$handleStateTransitionStartingToRunningAsync$9(Lifecycle.java:531)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
2021-12-13T09:45:32.075Z [ERROR] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: Service artifacts may not be accessible to user. {serviceName=com.example.HelloWorld, currentState=STARTING}
2021-12-13T09:45:32.094Z [INFO] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-report-state. {serviceName=com.example.HelloWorld, currentState=STARTING, newState=RUNNING}
```
**Kindly help me to resolve this user permissions issue.**
Greengrass uses the `sudo` command in order to run your components as the user which they are configured to run as. If you do not want to use `sudo` then you must configure the components to run as the exact same user that Greengrass runs as. This is settable during the setup phase when you run Greengrass with `--component-default-user`.

Note that running as root inside of a Docker container is not the same as running as root outside of the container. The user is still confined in the Docker container.
Many Greengrass components run as plugins to the Greengrass Nucleus, therefore since they are not separate processes, they do not run as different users and therefore sudo isn't needed.
Thanks for your suggestion. The problem was solved when I tried to use Greengrass with `--component-default-user` with the current user.
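
The mismatch this thread resolves, as an added example that is not part of the original posts or AWS code: the script reads the `user=`/`group=` fields from the `update-artifact-owner` error quoted in the question, compares them with the identity the nucleus actually runs as, and prints a matching `--component-default-user` value. The function names are hypothetical, and passing a numeric `uid:gid` to the flag is an assumption.

```shell
#!/bin/sh
# Added example, not AWS code. Function names are hypothetical.

# Constructed input: the update-artifact-owner line quoted in the question.
SAMPLE_LINE='2021-12-13T09:45:32.066Z [ERROR] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: update-artifact-owner. Error updating service artifact owner. {serviceName=com.example.HelloWorld, currentState=STARTING, user=ggc_user, group=ggc_group}'

# Print "user:group" from an update-artifact-owner log line (empty if no match).
artifact_owner_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*update-artifact-owner.*user=\([^,}]*\), group=\([^,}]*\)}.*/\1:\2/p'
}

# Return 0 when handing artifacts to the component user needs privileges,
# i.e. the nucleus is neither uid 0 nor the component user itself.
# $1 component "user:group", $2 runtime user name, $3 runtime uid
needs_privilege() {
    target=${1%%:*}
    if [ "$3" -eq 0 ]; then return 1; fi   # assumes uid 0 keeps CAP_CHOWN
    if [ "$target" = "$2" ] || [ "$target" = "$3" ]; then return 1; fi
    return 0
}

# Value for --component-default-user that matches the running identity.
# Assumption: the flag accepts numeric uid:gid as well as names.
default_user_arg() {
    printf '%s:%s\n' "$(id -u)" "$(id -g)"
}

owner=$(artifact_owner_from_log "$SAMPLE_LINE")
me=$(id -un 2>/dev/null || id -u)   # an arbitrary UID may have no passwd entry
if needs_privilege "$owner" "$me" "$(id -u)"; then
    echo "nucleus runs as $me but components are set to $owner: chown will fail"
    echo "start Greengrass with: --component-default-user $(default_user_arg)"
else
    echo "no ownership change needed for $owner"
fi
```

Run it inside the container as the same user that starts the nucleus; an unprivileged process cannot `chown` a file to a different user, which is the `Operation not permitted` in the stack trace.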