Dir owner 'nobody' and group 'root' after mounting container volume with `addGroupOwner` set to true.


When running a lambda function component in Greengrass v2.12.2 the mounted volume does not seem to have the correct owner.

For the host dir I have the following owner, group and permissions: drwxr-xr-x root root.

Greengrass is installed with --component-default-user ggc_user:ggc_group, which I can confirm in the effective config as posixUser: "ggc_user:ggc_group".

My lambda configuration is as follows

{
  "lambdaFunction": {
    ...
    "componentLambdaParameters": {
      "pinned": true,
      ...
      "linuxProcessParams": {
        ...
        "containerParams": {
          "volumes": [
            {
              "sourcePath": "/host/dir",
              "destinationPath": "/dir",
              "addGroupOwner": true,
              "permission": "rw"
            }
          ]
        }
      }
    }
  }
}

And in my lambda the owner I get is nobody and the group is root, while the POSIX permissions for the mounted directory are drwxr-xr-x.

Also, neither addGroupOwner nor permission seems to make a difference in my case; it's always drwxr-xr-x nobody root.

(Just in case it is relevant I fetch the owner programmatically in Kotlin/Java with Files.getOwner(path) and group with Files.getAttribute(this, "posix:group", NOFOLLOW_LINKS))

I was expecting the group to be ggc_group and owner to be ggc_user. Am I missing something?

My ultimate goal is to be able to create a file in the mounted volume, but, not surprisingly, I get permission denied.

1 Answer
Accepted Answer

Hello,

When using local resources, the local resources must not be owned by root, or else only root can access those resources. Please use a directory that you have permission to write to. Lambdas are always started with a current working directory which is writable; you can write to `.`, the current working directory, without any other changes.

You are migrating from Greengrass V1, what was the exact configuration of your lambda in Greengrass V1? That same configuration should be used with Greengrass v2.

AddGroupOwner would mean that your lambda is executed with the group ID which owns the volume. Your lambda cannot run as the root group, so this has no effect as root owns the volume. Using the default path that Greengrass gives you will work without needing to mount anything. File permissions are not changed by this setting.

If you still need assistance, please enable DEBUG level logs in the Greengrass Nucleus component configuration and provide the debug logs from the lambda component. They will show what is happening.

Regards,

Michael

AWS
EXPERT
answered 2 months ago
EXPERT
reviewed a month ago
  • Changing owner to ggc_user:ggc_group for the relevant dir worked indeed.
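
The following is an added example, not part of the original thread and not Greengrass code: a host-side preflight check that evaluates the POSIX owner/group/other bits the way the answer describes, including a case beyond the thread (a non-root data group with group write) where `addGroupOwner` does help. The numeric IDs (1001 for ggc_user/ggc_group, 2000 for a data group) are constructed, and the model ignores ACLs, root capabilities and any uid mapping inside the container.

```python
import os
import stat

# Constructed IDs for illustration only; look up the real ones with `id ggc_user`.
GGC_UID = GGC_GID = 1001
DATA_GID = 2000  # hypothetical non-root group owning a shared directory


def can_create_files(dir_mode, dir_uid, dir_gid, run_uid, run_gid, add_group_owner):
    """Return True if the process may create files in the directory.

    Assumption taken from the answer above: addGroupOwner adds the directory's
    owning group to the process unless that group is root (gid 0), and it never
    changes the permission bits themselves.
    """
    gids = {run_gid}
    if add_group_owner and dir_gid != 0:
        gids.add(dir_gid)
    # POSIX applies exactly one permission class: owner, else group, else other.
    if run_uid == dir_uid:
        write, search = stat.S_IWUSR, stat.S_IXUSR
    elif dir_gid in gids:
        write, search = stat.S_IWGRP, stat.S_IXGRP
    else:
        write, search = stat.S_IWOTH, stat.S_IXOTH
    # Creating an entry needs both write and search (x) on the directory.
    return bool(dir_mode & write) and bool(dir_mode & search)


def check_host_dir(path, run_uid, run_gid, add_group_owner):
    """Apply the same check to a real directory on the host (sourcePath)."""
    st = os.stat(path)
    return can_create_files(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            run_uid, run_gid, add_group_owner)


def demo():
    """Scenarios from the thread plus one where addGroupOwner matters."""
    run = (GGC_UID, GGC_GID)
    return {
        "root:root 755, addGroupOwner": can_create_files(0o755, 0, 0, *run, True),
        "ggc_user:ggc_group 755": can_create_files(0o755, GGC_UID, GGC_GID, *run, False),
        "root:data 775, addGroupOwner": can_create_files(0o775, 0, DATA_GID, *run, True),
        "root:data 775, no addGroupOwner": can_create_files(0o775, 0, DATA_GID, *run, False),
        "root:data 755, addGroupOwner": can_create_files(0o755, 0, DATA_GID, *run, True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:34} -> {'writable' if ok else 'permission denied'}")
```

Run `check_host_dir` against the `sourcePath` on the device with the uid and gid of the component user before deploying.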
