"Operation not permitted" while deploying the Hello world comonent in AWS Greengrass device


We have followed the AWS documentation to deploy the Hello world python component on AWS greengrass which is running on a container.

**Note : I need to run the container with greengrass as a non-root user. **

**Workaround used in Dockerfile: **

RUN apt-get update -y && apt-get install sudo

RUN groupadd ggc_group && \
  useradd -m -G ggc_group ggc_user  && echo "ggc_user:ggc_user" | chpasswd && adduser ggc_user sudo

USER ggc_user

**Also when I do whoami inside the container, I get a random user such as u7777775emnfnppabnt3r7cpg5q instead of ggc_user **

I was able to deploy the greengrass cli without any issue. But the Hello world deployment is throwing the errors as shown below:

2021-12-13T09:45:32.066Z [ERROR] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: update-artifact-owner. Error updating service artifact owner. {serviceName=com.example.HelloWorld, currentState=STARTING, user=ggc_user, group=ggc_group}
java.nio.file.FileSystemException: /var/lib/veea/greengrasspv/app/greengrass/v2/packages/artifacts/com.example.HelloWorld/1.0.0/hello_world.py: Operation not permitted
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
	at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwners(UnixFileAttributeViews.java:268)
	at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwner(UnixFileAttributeViews.java:290)
	at com.aws.greengrass.util.platforms.unix.UnixPlatform.setOwner(UnixPlatform.java:382)
	at com.aws.greengrass.util.platforms.Platform.lambda$setPermissions$1(Platform.java:147)
	at com.aws.greengrass.util.platforms.Platform$1.visitFile(Platform.java:178)
	at com.aws.greengrass.util.platforms.Platform$1.visitFile(Platform.java:167)
	at java.base/java.nio.file.Files.walkFileTree(Files.java:2725)
	at java.base/java.nio.file.Files.walkFileTree(Files.java:2797)
	at com.aws.greengrass.util.platforms.Platform.setPermissions(Platform.java:167)
	at com.aws.greengrass.util.platforms.Platform.setPermissions(Platform.java:109)
	at com.aws.greengrass.lifecyclemanager.RunWithPathOwnershipHandler.setPermissions(RunWithPathOwnershipHandler.java:91)
	at com.aws.greengrass.lifecyclemanager.RunWithPathOwnershipHandler.updateOwner(RunWithPathOwnershipHandler.java:74)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.updateComponentPathOwner(GenericExternalService.java:593)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.run(GenericExternalService.java:655)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.run(GenericExternalService.java:625)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.handleRunScript(GenericExternalService.java:444)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.startup(GenericExternalService.java:364)
	at com.aws.greengrass.lifecyclemanager.Lifecycle.lambda$handleStateTransitionStartingToRunningAsync$9(Lifecycle.java:531)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

2021-12-13T09:45:32.075Z [ERROR] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: Service artifacts may not be accessible to user. {serviceName=com.example.HelloWorld, currentState=STARTING}
2021-12-13T09:45:32.094Z [INFO] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-report-state. {serviceName=com.example.HelloWorld, currentState=STARTING, newState=RUNNING}

**Kindly help me to resolve this user permissions issue. **

asked 2 years ago600 views
2 Answers

Thanks for the response. I do understand we need the root permissions but we have secure docker containers where root access is not allowed.

So I am looking for a workaround for a non-root user to run Greengrass components.

Is there a way that we can modify the source code of the Greengrass to avoid using sudo for running the components?

Also can you please let me know why it needs sudo only for custom components deployment and not for public components ?

answered 2 years ago
  • Greengrass uses the sudo command in order to run your components as the user which they are configured to run as. If you do not want to use sudo then you must configure the components to run as the exact same user that Greengrass runs as. This is settable during the setup phase when you run Greengrass with --component-default-user.

    Note that running as root inside of a docker container is not the same as running as root outside of the container. The user is still confined in the docker container.

    Many Greengrass components run as plugins to the Greengrass Nucleus, therefore since they are not separate processes, they do not run as different users and therefore sudo isn't needed.

  • Thanks for your suggestion. The problem is solved when I tried to use Greengrass with --component-default-user with the current user



Please see: https://github.com/aws-greengrass/aws-greengrass-docker to run Greengrass inside a container without issue.

Greengrass must run as root, the error that you are seeing is exactly because Greengrass isn't running with the appropriate permissions.

Cheers, Michael

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions