Closed jasonterando closed 1 year ago
Hi @jasonterando,
Good afternoon.
I'm unsure how the AWS .NET Extensions CLI tooling would handle that scenario, since it delegates the process to the Docker daemon, which by default runs with root privileges. I came across the article "Run Docker as a non-root user", which proposes some workarounds to mitigate your scenario. Please check. Kindly test the steps in a non-prod environment; the AWS team is not responsible for any side effects to the system, and the referenced article is provided for guidance purposes only.
Thanks, Ashish
Hi @ashishdhingra, I took a look at the article and, unfortunately, it doesn't really provide a mechanism to override the default user when launching a Docker run; it still has to be specified on the CLI when executing the run.
There ends up being another problem as well. By default, the .NET Docker container builds out .NET and NuGet in /.dotnet and /.local. This also ends up breaking when running as non-root. Fortunately, somebody figured out how to get around this by setting environment variables; see GitHub dotnet issue 7868.
So, I've taken a stab at fixing this. I'll outline the approach below, along with a link to a GitHub fork of aws-extensions-for-dotnet-cli that implements the approach. If this is something that you guys think is worth including, I can submit a pull request. The footprint of all updates is in the Amazon.Common.DotNetCli.Tools namespace. Nothing should change for Windows users.
1. Detect whether dotnet.lambda is being run in Linux or MacOS.
2. Get the current user and group IDs from the "id" command available in Linux and MacOS, invoked via System.Diagnostics.Process.
3. Inject these values using "-u UID:GID" in the generated Docker run command (DockerCLIWrapper).
The fork is here. The update to Run in DockerCLIWrapper.cs starts around line 165. The code to get the Unix/MacOS user is in PosixUserHelper.cs.
Given that this is a CLI executable as opposed to a reusable library, I made PosixUserHelper a static class. If your coding standards need this refactored to a non-static class, implementing an interface, etc., I can do that. I also took the liberty of implementing a List
I realize in the giant list of things you guys have on your list, this is probably trivial, so if this is not something you can do near-term, no problem, I can switch to Windows for development. My guess is that eventually, though, you'll probably end up needing to do something like this, especially if people are leveraging this tool in CI/CD pipelines where they don't want to run Docker as root.
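The approach outlined in the comment above (pick up the caller's UID and GID with "id" on Linux/MacOS and pass them to "docker run -u" so the build output is not owned by root) can be tried by hand as a wrapper script before the tooling itself supports it. The script below is an added example written for this thread; it is not code from the fork, from aws-extensions-for-dotnet-cli, or from the dotnet issue. The image name, the /src mount point, the "dotnet build" command, and the DOTNET_CLI_HOME / NUGET_PACKAGES redirection (used to give the non-root user a writable place for the SDK's first-run files instead of /.dotnet and /.local) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the project's code): build a "docker run" line that runs
# the container as the invoking user on Linux/MacOS and as the default user
# elsewhere, mirroring the "-u UID:GID" injection proposed in the thread.

# Return "-u UID:GID" for Linux/Darwin, nothing for other OS names.
# Rejects non-numeric ids so a malformed value never reaches docker.
docker_user_args() {
    os="$1"; uid="$2"; gid="$3"
    case "$os" in
        Linux|Darwin)
            case "$uid" in ''|*[!0-9]*) return 1;; esac
            case "$gid" in ''|*[!0-9]*) return 1;; esac
            printf '%s' "-u $uid:$gid"
            ;;
        *)
            printf ''
            ;;
    esac
}

# Resolve the current user's ids the way the comment proposes: via "id".
current_user_args() {
    docker_user_args "$(uname -s)" "$(id -u)" "$(id -g)"
}

# Compose the full command as a string (printed, not executed, so it can be
# inspected). workdir is bind-mounted to /src; the env vars redirect the
# SDK/NuGet home to a writable path (assumed names, see lead-in).
build_docker_run() {
    os="$1"; uid="$2"; gid="$3"; workdir="$4"; image="$5"
    user_args="$(docker_user_args "$os" "$uid" "$gid")" || return 1
    set -- docker run --rm
    [ -n "$user_args" ] && set -- "$@" $user_args
    set -- "$@" -v "$workdir:/src" -w /src \
        -e DOTNET_CLI_HOME=/tmp/dotnet -e NUGET_PACKAGES=/tmp/nuget \
        "$image" dotnet build -c Release
    printf '%s' "$*"
}

# Usage: print the command for the current host and a hypothetical project.
# build_docker_run "$(uname -s)" "$(id -u)" "$(id -g)" "$PWD" mcr.microsoft.com/dotnet/sdk:7.0
```

Files created inside /src by the build then carry the caller's UID/GID, which is exactly what lets the later zip step (running outside the container) write to bin/Release. The same check can be used for detection: if a bind-mounted build directory ends up owned by uid 0, the container was not started with the user override.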
Hi, bumping this. I'd like to continue using Linux for development, and I would be surprised if I'm the only one running into this. If I do a PR for this, would somebody be able to take a look? Thanks
Hey @jasonterando! Sorry, I've been meaning to look into this and reproduce it myself, but have been busy with other things. I will definitely look at a PR if you can provide one; we would appreciate that very much! Although I'm not actually an owner of this repo and wouldn't be able to merge it myself, I can try to find the right person. It definitely seems like an issue that we want to fix.
Closing now that the PR has been released as part of version 5.6.3 of Amazon.Lambda.Tools.
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Thanks for shepherding this through
Thanks for your contribution!
Describe the bug
When executing dotnet lambda deploy-function in Linux as a non-root user, it executes Docker, which creates directories using the root account. Subsequently the .zip command fails (outside of the Docker container) because the current user does not have write access to the bin/Release folder, which was created by Docker's root user.
As a workaround, I could install dotnet and execute builds as root, but for security considerations, this isn't ideal.
Expected Behavior
dotnet lambda deploy-function should run successfully without error as a non-root user.
Current Behavior
Trail of tears:
Reproduction Steps
In Linux, logged in as a non-root user:
Possible Solution
On Linux (and maybe MacOS?) use id to get the current user and group IDs, and launch Docker using the -u and -g parameters containing these IDs (other changes may have to be made to the Docker image to allow access to directories like ./dotnet).
Additional Information/Context
No response
Targeted .NET platform
.NET 7
CLI extension version
Environment details (OS name and version, etc.)
Linux (Mint, Ubuntu)