"Operation not permitted" while deploying the Hello World component on an AWS Greengrass device

0

We have followed the AWS documentation to deploy the Hello World Python component on AWS Greengrass, which is running in a container.

**Note: I need to run the container with Greengrass as a non-root user.**

**Workaround used in Dockerfile:**

```dockerfile
RUN apt-get update -y && apt-get install -y sudo

# Non-root user/group that Greengrass will run as, with sudo access
RUN groupadd ggc_group && \
    useradd -m -G ggc_group ggc_user && \
    echo "ggc_user:ggc_user" | chpasswd && \
    adduser ggc_user sudo

USER ggc_user
```

**Also, when I run whoami inside the container I get a random user such as u7777775emnfnppabnt3r7cpg5q instead of ggc_user.**

I was able to deploy the Greengrass CLI without any issue, but the Hello World deployment throws the errors shown below:

```
2021-12-13T09:45:32.066Z [ERROR] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: update-artifact-owner. Error updating service artifact owner. {serviceName=com.example.HelloWorld, currentState=STARTING, user=ggc_user, group=ggc_group}
java.nio.file.FileSystemException: /var/lib/veea/greengrasspv/app/greengrass/v2/packages/artifacts/com.example.HelloWorld/1.0.0/hello_world.py: Operation not permitted
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
	at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwners(UnixFileAttributeViews.java:268)
	at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwner(UnixFileAttributeViews.java:290)
	at com.aws.greengrass.util.platforms.unix.UnixPlatform.setOwner(UnixPlatform.java:382)
	at com.aws.greengrass.util.platforms.Platform.lambda$setPermissions$1(Platform.java:147)
	at com.aws.greengrass.util.platforms.Platform$1.visitFile(Platform.java:178)
	at com.aws.greengrass.util.platforms.Platform$1.visitFile(Platform.java:167)
	at java.base/java.nio.file.Files.walkFileTree(Files.java:2725)
	at java.base/java.nio.file.Files.walkFileTree(Files.java:2797)
	at com.aws.greengrass.util.platforms.Platform.setPermissions(Platform.java:167)
	at com.aws.greengrass.util.platforms.Platform.setPermissions(Platform.java:109)
	at com.aws.greengrass.lifecyclemanager.RunWithPathOwnershipHandler.setPermissions(RunWithPathOwnershipHandler.java:91)
	at com.aws.greengrass.lifecyclemanager.RunWithPathOwnershipHandler.updateOwner(RunWithPathOwnershipHandler.java:74)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.updateComponentPathOwner(GenericExternalService.java:593)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.run(GenericExternalService.java:655)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.run(GenericExternalService.java:625)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.handleRunScript(GenericExternalService.java:444)
	at com.aws.greengrass.lifecyclemanager.GenericExternalService.startup(GenericExternalService.java:364)
	at com.aws.greengrass.lifecyclemanager.Lifecycle.lambda$handleStateTransitionStartingToRunningAsync$9(Lifecycle.java:531)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

2021-12-13T09:45:32.075Z [ERROR] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: Service artifacts may not be accessible to user. {serviceName=com.example.HelloWorld, currentState=STARTING}
2021-12-13T09:45:32.094Z [INFO] (pool-2-thread-23) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-report-state. {serviceName=com.example.HelloWorld, currentState=STARTING, newState=RUNNING}
```

**Kindly help me to resolve this user permissions issue.**

Asked 2 years ago, 623 views
2 answers
0

Thanks for the response. I do understand we need the root permissions but we have secure docker containers where root access is not allowed.

So I am looking for a workaround for a non-root user to run Greengrass components.

Is there a way that we can modify the source code of the Greengrass to avoid using sudo for running the components?

Also, can you please let me know why it needs sudo only for custom component deployment and not for public components?

Answered 2 years ago
  • Greengrass uses the sudo command in order to run your components as the user which they are configured to run as. If you do not want to use sudo then you must configure the components to run as the exact same user that Greengrass runs as. This is settable during the setup phase when you run Greengrass with --component-default-user.

    Note that running as root inside of a docker container is not the same as running as root outside of the container. The user is still confined in the docker container.

    Many Greengrass components run as plugins to the Greengrass Nucleus, therefore since they are not separate processes, they do not run as different users and therefore sudo isn't needed.

  • Thanks for your suggestion. The problem is solved when I tried to use Greengrass with --component-default-user with the current user.
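A preflight check for the failure mode discussed above (the Nucleus changing artifact ownership to the component's run-with user, which a non-root Nucleus is not permitted to do, as the setOwner frames in the trace show); this is an added example, not code from the thread or from AWS. It assumes only POSIX sh, chown and mktemp; the function names gg_preflight and can_chown_to are illustrative.

```shell
#!/bin/sh
# Preflight for a non-root Greengrass Nucleus (added example; not from the thread or AWS).
# Before starting a component, the Nucleus chowns the component's artifacts to the
# "run with" user. Changing a file's owner to a different account needs CAP_CHOWN
# (normally root), so a non-root Nucleus gets EPERM: "Operation not permitted".
# Usage: gg_preflight <nucleus_user> <component_user>

# Returns 0 if this process may chown a scratch file to user $1, 1 otherwise.
can_chown_to() {
    _tmp=$(mktemp) || return 1
    if chown "$1" "$_tmp" 2>/dev/null; then
        rm -f "$_tmp"
        return 0
    fi
    rm -f "$_tmp"
    return 1
}

# Decide whether a deployment would pass the artifact-ownership step.
gg_preflight() {
    nucleus_user=$1
    component_user=$2
    if [ "$nucleus_user" = "$component_user" ]; then
        echo "OK: component runs as the Nucleus user; no ownership change needed" \
             "(install with --component-default-user $nucleus_user)"
        return 0
    fi
    if can_chown_to "$component_user"; then
        echo "OK: $nucleus_user is privileged enough to hand artifacts to $component_user"
        return 0
    fi
    echo "FAIL: $nucleus_user cannot chown artifacts to $component_user" \
         "(Operation not permitted): run the Nucleus as root or set" \
         "--component-default-user $nucleus_user"
    return 1
}

# Stand-alone use: sh gg_preflight.sh ggc_user ggc_user
if [ $# -ge 2 ]; then
    gg_preflight "$1" "$2"
fi
```

Run it inside the container as the user the Nucleus will run as; a FAIL result predicts exactly the update-artifact-owner error in the log above.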

0

Hello,

Please see: https://github.com/aws-greengrass/aws-greengrass-docker to run Greengrass inside a container without issue.

Greengrass must run as root; the error that you are seeing is exactly because Greengrass isn't running with the appropriate permissions.

Cheers, Michael

AWS
Expert
Answered 2 years ago
