ECS Fargate 上的 EFS 安装 - Read/write 权限被拒绝非根用户
EFS mount on ECS Fargate - Read/write permissions denied for non root user
我有一个 ECS Fargate 容器运行使用非 root 权限的 nodejs 应用程序,并且还挂载到容器内 /.user_data 上的 EFS。
我遵循了 this AWS 教程。我的设置几乎相似。
这是 Docker 文件:
FROM node:12-buster-slim
RUN apt-get update && \
apt-get install -y build-essential \
wget \
python3 \
make \
gcc \
libc6-dev \
git
# delete old user
RUN userdel -r node
# Run as a non-root user
RUN addgroup "new_user_group" && \
useradd "new_user" --gid "new_user_group" \
--home-dir "/home/new_user"
RUN git clone https://github.com/test-app.git /home/new_user/app
RUN chown -R new_user:new_user_group /home/new_user
RUN mkdir -p /home/new_user/.user_data
RUN chown -R new_user:new_user_group /home/new_user/.user_data
RUN chmod -R 755 /home/new_user/
WORKDIR /home/new_user/app
RUN npm install
RUN npm run build
EXPOSE 1880
USER new_user
CMD [ "npm", "start" ]
当 Node 应用程序尝试写入 /.user_data 我收到读写权限被拒绝的错误。
如果我 运行 容器作为根应用程序能够 read/write 数据。
我尝试使用 UID 和权限向 EFS 添加访问点,但这也没有帮助。
请注意:Docker文件在我的本地机器上工作正常。
更新
阅读此博客 post - Developers guide to using Amazon EFS with Amazon ECS and AWS Fargate – Part 2 > POSIX permissions
可能与分配给 ECS 任务的 IAM 角色的 IAM 策略有关。
"...if the AWS policies do not allow the ClientRootAccess action, your user is going to be squashed to a pre-defined UID:GID that is 65534:65534. From this point on, standard POSIX permissions apply: what this user can do is determined by the POSIX file system permissions. For example, a folder owned by any UID:GID other than 65534:65534 that has 666 (rw for owner and rw for everyone) will allow this reserved user to create a file. However, a folder owned by any UID:GID other than 65534:65534 that has 644 (rw for owner and r for everyone) will NOT allow this squashed user to create a file."
确保您的根目录权限设置为 777。这样任何 UID 都可以 read/write 这个目录。
为了不那么宽松,将根目录设置为 755,默认设置为 see the docs。这为 root 用户提供 read-write-execute,为组提供 read-execute,为所有其他用户提供 read-execute。
如果没有对其父目录(目录)的读取权限,则用户 (UID) 无法访问(读取)子目录。
您可以使用 Docker 轻松测试它,这是一个简单的示例
创建一个Dockerfile-
FROM ubuntu:20.04
# Fetch values from ARGs that were declared at the top of this file
ARG APP_NAME
ARG APP_ARTIFACT_DIR
ARG APP_HOME_DIR="/app"
ARG APP_USER_NAME="appuser"
ARG APP_GROUP_ID="appgroup"
# Define workdir
ENV HOME="${APP_HOME_DIR}"
WORKDIR "${HOME}"
RUN apt-get update -y && apt-get install tree
# Define env vars
ENV PATH="${HOME}/.local/bin:${PATH}"
# Run as a non-root user
RUN addgroup "${APP_GROUP_ID}" && \
useradd "${APP_USER_NAME}" --gid "${APP_GROUP_ID}" --home-dir "${HOME}" && \
chown -R ${APP_USER_NAME} .
RUN mkdir -p rootdir && \
mkdir -p rootdir/subdir && \
touch rootdir/root.file rootdir/subdir/sub.file && \
chown -R root:root rootdir && \
chmod 600 rootdir rootdir/root.file && \
chmod -R 775 rootdir/subdir
你应该尝试 chmod 600 和 chmod -R 775,尝试不同的权限集,例如 777 和 644,看看是否有意义。
构建镜像,运行容器,测试权限-
docker build boyfromnorth .
docker run --rm -it boyfromnorth bash
root@e0f043d9884c:~$ su appuser
$ ls -la
total 12
drwxr-xr-x 1 appuser root 4096 Jan 30 12:23 .
drwxr-xr-x 1 root root 4096 Jan 30 12:33 ..
drw------- 3 root root 4096 Jan 30 12:23 rootdir
$ ls rootdir
ls: cannot open directory 'rootdir': Permission denied
我有一个 ECS Fargate 容器运行使用非 root 权限的 nodejs 应用程序,并且还挂载到容器内 /.user_data 上的 EFS。
我遵循了 this AWS 教程。我的设置几乎相似。
这是 Docker 文件:
FROM node:12-buster-slim
RUN apt-get update && \
apt-get install -y build-essential \
wget \
python3 \
make \
gcc \
libc6-dev \
git
# delete old user
RUN userdel -r node
# Run as a non-root user
RUN addgroup "new_user_group" && \
useradd "new_user" --gid "new_user_group" \
--home-dir "/home/new_user"
RUN git clone https://github.com/test-app.git /home/new_user/app
RUN chown -R new_user:new_user_group /home/new_user
RUN mkdir -p /home/new_user/.user_data
RUN chown -R new_user:new_user_group /home/new_user/.user_data
RUN chmod -R 755 /home/new_user/
WORKDIR /home/new_user/app
RUN npm install
RUN npm run build
EXPOSE 1880
USER new_user
CMD [ "npm", "start" ]
当 Node 应用程序尝试写入 /.user_data 我收到读写权限被拒绝的错误。
如果我 运行 容器作为根应用程序能够 read/write 数据。
我尝试使用 UID 和权限向 EFS 添加访问点,但这也没有帮助。
请注意:Docker文件在我的本地机器上工作正常。
更新
阅读此博客 post - Developers guide to using Amazon EFS with Amazon ECS and AWS Fargate – Part 2 > POSIX permissions
可能与分配给 ECS 任务的 IAM 角色的 IAM 策略有关。
"...if the AWS policies do not allow the ClientRootAccess action, your user is going to be squashed to a pre-defined UID:GID that is 65534:65534. From this point on, standard POSIX permissions apply: what this user can do is determined by the POSIX file system permissions. For example, a folder owned by any UID:GID other than 65534:65534 that has 666 (rw for owner and rw for everyone) will allow this reserved user to create a file. However, a folder owned by any UID:GID other than 65534:65534 that has 644 (rw for owner and r for everyone) will NOT allow this squashed user to create a file."
确保您的根目录权限设置为 777。这样任何 UID 都可以 read/write 这个目录。
为了不那么宽松,将根目录设置为 755,默认设置为 see the docs。这为 root 用户提供 read-write-execute,为组提供 read-execute,为所有其他用户提供 read-execute。
如果没有对其父目录(目录)的读取权限,则用户 (UID) 无法访问(读取)子目录。
您可以使用 Docker 轻松测试它,这是一个简单的示例
创建一个Dockerfile-
FROM ubuntu:20.04
# Fetch values from ARGs that were declared at the top of this file
ARG APP_NAME
ARG APP_ARTIFACT_DIR
ARG APP_HOME_DIR="/app"
ARG APP_USER_NAME="appuser"
ARG APP_GROUP_ID="appgroup"
# Define workdir
ENV HOME="${APP_HOME_DIR}"
WORKDIR "${HOME}"
RUN apt-get update -y && apt-get install tree
# Define env vars
ENV PATH="${HOME}/.local/bin:${PATH}"
# Run as a non-root user
RUN addgroup "${APP_GROUP_ID}" && \
useradd "${APP_USER_NAME}" --gid "${APP_GROUP_ID}" --home-dir "${HOME}" && \
chown -R ${APP_USER_NAME} .
RUN mkdir -p rootdir && \
mkdir -p rootdir/subdir && \
touch rootdir/root.file rootdir/subdir/sub.file && \
chown -R root:root rootdir && \
chmod 600 rootdir rootdir/root.file && \
chmod -R 775 rootdir/subdir
你应该尝试 chmod 600 和 chmod -R 775,尝试不同的权限集,例如 777 和 644,看看是否有意义。
构建镜像,运行容器,测试权限-
docker build boyfromnorth .
docker run --rm -it boyfromnorth bash
root@e0f043d9884c:~$ su appuser
$ ls -la
total 12
drwxr-xr-x 1 appuser root 4096 Jan 30 12:23 .
drwxr-xr-x 1 root root 4096 Jan 30 12:33 ..
drw------- 3 root root 4096 Jan 30 12:23 rootdir
$ ls rootdir
ls: cannot open directory 'rootdir': Permission denied