AWS Elastic Beanstalk - User Permission Problems

2019-04-08 10:03发布

问题:

I am trying to configure our Node.js application to be deployed with Amazon Elastic Beanstalk.

Actually I did a few configuration files inside .ebextensions to enable Websockets, doing yum installs for several modules and to install some custom software we need.

So far the App deployment works and all configured software is installed by Beanstalk.

The Problem I have is that the nodejs user wich runs the node application, doesnt have permission to execute the commandline tools installed by our beanstalk custom config.

To be more concrete:

  1. The app supports user file uploads and the uploaded files are saved to some temp folder on the instance (that works like it should).

  2. Then the app does a commandline execution to convert the uploaded file in to a custom file format, whats executing something like /home/ec2-user/converter/bin convert filename output filename.

At this point I get this error: { [Error: spawn EACCES] code: 'EACCES', errno: 'EACCES', syscall: 'spawn' }

Overall the app requires several commandline tools for such conversion tasks to run correctly. Actually they all have the same problem. Even tools installed by yum, such as Imagemagick, are not beeing executed by the app.

Manually, by using the ec2-user account, I am able to execute all these, all files are in place at the right system paths and they work fine. So all installations seem to work right.

I already tried to grant permissions to the user nodejs manually and did chmod the files, but this doesnt seem to take any effect here.

Big question is.. how can I grant the required permissions to the nodejs user or as alternative how to use a defined User to execute node.js?

回答1:

I believe that the nodejs user doesn't have privileges to use the shell:

[ec2-user@host ~]$ cat /etc/passwd
....
nodejs:x:497:497::/tmp:/sbin/nologin

According to the docs, node runs the command in a shell and returns it.

I also tried:

[ec2-user@host ~]$ pwd
/home/ec2-user
[ec2-user@host ~]$ cat test.js 
#!/opt/elasticbeanstalk/node-install/node-v0.10.31-linux-x64/bin/node
require('child_process').exec('/usr/bin/whoami', function (err, data) {
    console.log(data);
});
[ec2-user@host ~]$ ls -l
total 4
-rwxrwxrwx 1 ec2-user ec2-user 169 Nov  3 21:49 test.js
[ec2-user@host ~]$ sudo -u nodejs /home/ec2-user/test.js 
sudo: unable to execute /home/ec2-user/test.js: Permission denied

I will say that this works, which im confused about (maybe someone can chime in to clarify):

$ sudo -u nodejs /usr/bin/whoami
nodejs

HOWEVER, as an outside observer it seems more like Beanstalk isn't a good fit for you. Generally, Beanstalk is a hands-off fully managed abstraction by design and messing around with the file system permissions and user permissions is over-stepping those boundaries.

As an aside, maybe you want to consider moving to OpsWorks instead. From http://aws.amazon.com/opsworks/faqs/:

Q: How is AWS OpsWorks different than AWS Elastic Beanstalk?

AWS OpsWorks and AWS Elastic Beanstalk both focus on operations, but with very different orientations. AWS Elastic Beanstalk seeks to automatically provide key operations activities so that developers can maximize the time they spend on development and minimize the time they spend on operations. In contrast, AWS OpsWorks delivers integrated experiences for IT administrators and ops-minded developers who want a high degree of productivity and control over operations.



回答2:

I finally found the solution:

Beanstalk is using the ec2-user account to run bash commands. So everything installed by commandline cannot be executed by the nodejs user account because of permission conflicts.

Solution was to copy all installed tools in to /usr/local/bin, where they can be executed by any user.

07_myprogram:
        command: sudo cp bin/* /usr/local/bin
        cwd: /home/ec2-user/myprogram
        ignoreErrors: true