Greengrass/Docker local volume permissions

0

I have a Greengrass component that runs a Docker container. I am struggling to understand how the permissions of folders and files are set when this is run by Greengrass.

A snippet of my recipe looks like this:

"Install": {
  "Skipif": {
    "exists": "/home/ggc_user/data/package.json"
  },
  "Script": "mkdir -m 777 /home/ggc_user/data"
},
"Run": {
  "Script": "docker run --restart always -v /home/ggc_user/onwatch-data:/home/node/.signalk --log-opt max-size=10m --log-opt max-file=5  --network host --name testContainter testContainer"
}

When I look at the permissions of /home/ggc_user/ using ls -l after the component is installed, the file permissions look like:

drwxrwxrwx 4 ggc_user ggc_group 4096 Oct 6 15:38 data

I then go into the 'data' directory and look at the permissions of the files created inside by the Docker container, and the files are owned by admin, which is my standard user.

-rw-r--r-- 1 admin admin   186 Oct  6 15:33 package.json
drwxr-xr-x 2 admin admin  4096 Oct  6 15:33 plugin-config-data

I would have thought it would create these with ggc_user as the owner. I have issues getting the container to run unless I set the permissions to 777.

What am I doing wrong?

asked 2 years ago, 214 views
3 Answers
1

Hi Phil,

This is just the normal behaviour of Docker on Linux and has nothing to do with Greengrass. Files written to a host-mounted volume have the owner set to the user running the process in the container. In your case, as the container runs with the user admin:admin, any file written to the host will have the same ownership.

I do not know which issues you are encountering in running your container, but you can try to run the component as admin:admin so that the user running in the container matches the user on the host.

You can set the uid and gid for the component in the deployment configuration.

Cheers,

Massimiliano

AWS
EXPERT
answered 2 years ago
1

You might consider setting the "runWith" parameter in your component recipe. For more information, see the "runWith" property description at https://docs.aws.amazon.com/greengrass/v2/developerguide/create-deployments.html

AWS
dghz
answered 2 years ago
0

Inside the Dockerfile, the user and group created were GID:1000 UID:1000, which is the same as my admin user on the host. I have changed the component to run as admin and the permission errors have gone away.

answered 2 years ago
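
An added example, not part of the thread and not Greengrass or Docker code: a shell function that reports which permission class (owner, group or other) lets a given numeric UID:GID write to a host directory, which is the check a bind-mounted volume is subject to. It shows why mode 777 made the container work and why a matching UID makes 750 sufficient. `write_class` and the scratch directory are hypothetical; it assumes GNU `stat` on Linux and ignores ACLs, supplementary groups, user-namespace remapping and root.

```shell
#!/bin/sh
# write_class DIR UID GID
# Prints owner, group or other when that numeric identity may write to DIR,
# or none when it may not. The container process's numeric IDs are what the
# host filesystem sees; user names inside the image do not matter.
write_class() {
    wc_uid=$2; wc_gid=$3
    wc_info=$(stat -c '%u %g %a' "$1") || return 2
    set -- $wc_info                    # $1=owner uid, $2=owner gid, $3=octal mode
    wc_mode=$(( 0$3 & 0777 ))          # ignore setuid/setgid/sticky bits
    if [ "$wc_uid" -eq "$1" ]; then
        wc_class=owner; wc_bit=$(( wc_mode & 0200 ))   # only owner bits apply
    elif [ "$wc_gid" -eq "$2" ]; then
        wc_class=group; wc_bit=$(( wc_mode & 0020 ))   # only group bits apply
    else
        wc_class=other; wc_bit=$(( wc_mode & 0002 ))
    fi
    if [ "$wc_bit" -ne 0 ]; then echo "$wc_class"; else echo none; fi
}

# Constructed demo: a scratch directory stands in for /home/ggc_user/data.
demo=$(mktemp -d)
owner_uid=$(stat -c %u "$demo"); owner_gid=$(stat -c %g "$demo")
other_uid=$(( owner_uid + 1 )); other_gid=$(( owner_gid + 1 ))

chmod 777 "$demo"   # what the recipe's "mkdir -m 777" produces
echo "777, mismatched uid:gid -> $(write_class "$demo" "$other_uid" "$other_gid")"

chmod 750 "$demo"   # tighter mode: a mismatched container user can no longer write
echo "750, mismatched uid:gid -> $(write_class "$demo" "$other_uid" "$other_gid")"

# Same tight mode, but the container UID matches the directory owner
echo "750, matching uid:gid   -> $(write_class "$demo" "$owner_uid" "$owner_gid")"
rm -rf "$demo"
```

On a real device, pass the mounted host path and the UID:GID the image runs as (1000:1000 in the thread) to see whether the directory depends on the world-writable bit.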
