Running SageMaker ProcessingJob as non root user - amazon-web-services

Files copied by SageMaker from S3 into the Docker container of a ProcessingJob have root ownership and permissions which do not allow non-owner (non-root) users to write to them.
I'd like to run the Docker container as a non-root user and be able to write to folders created by SageMaker, so the Dockerfile looks like this:
FROM base
...
USER nonroot
Example permissions and ownership of folders copied from S3 into SageMaker's Docker container:
2022-11-30T10:20:13.567+01:00 + ls -la /opt/ml/processing
2022-11-30T10:20:13.567+01:00 total 24
2022-11-30T10:20:13.567+01:00 drwxr-xr-x 6 root root 4096 Nov 30 09:20 .
2022-11-30T10:20:13.567+01:00 drwxr-xr-x 5 root root 4096 Nov 30 09:20 ..
2022-11-30T10:20:13.567+01:00 drwxr-xr-x 2 root root 4096 Nov 30 09:20 data
2022-11-30T10:20:13.568+01:00 drwxr-xr-x 2 root root 4096 Nov 30 09:20 output
I'd expect these folders to have nonroot user ownership.
I've checked the documentation but no luck there. If there's any obvious way to achieve this that I missed, please let me know. Thanks!
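One way to get writable job directories while still running the job as a non-root user, given here as an added example (not part of the question and not SageMaker's own tooling): start the container as root, hand the SageMaker mount points to the non-root account, then drop privileges before the actual job runs. It assumes the image has a user and group named nonroot, that inputs and outputs live under /opt/ml/processing, that util-linux setpriv is installed (gosu would do the same job), and that this script is the image ENTRYPOINT instead of the USER nonroot line in the Dockerfile; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from SageMaker.
# Assumptions: a non-root user/group "nonroot" exists in the image, the job
# mounts live under /opt/ml/processing, util-linux setpriv is available,
# and the container starts as root with this script as its ENTRYPOINT.
set -eu

APP_USER="${APP_USER:-nonroot}"
SM_ROOT="${SM_ROOT:-/opt/ml/processing}"

# Owner of a path via ls, which is portable; stat -c is GNU-specific.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# True (exit 0) when the path exists and is owned by someone other than $2.
needs_chown() {
    [ -e "$1" ] && [ "$(owner_of "$1")" != "$2" ]
}

# Re-own every top-level directory under $1 (data, output, ...) to user $2.
# Prints how many directories were changed; needs root to change anything.
fix_ownership() {
    _root="$1"; _user="$2"; _changed=0
    for _d in "$_root"/*; do
        [ -d "$_d" ] || continue           # an unmatched glob stays literal
        if needs_chown "$_d" "$_user"; then
            chown -R "$_user" "$_d"
            _changed=$((_changed + 1))
        fi
    done
    echo "$_changed"
}

# Entrypoint: as root, fix ownership and re-exec the job as APP_USER.
# If the container was already started as non-root, run the command as-is.
run_as_app_user() {
    if [ "$(id -u)" -eq 0 ]; then
        fix_ownership "$SM_ROOT" "$APP_USER" >/dev/null
        exec setpriv --reuid="$APP_USER" --regid="$APP_USER" --init-groups -- "$@"
    fi
    exec "$@"
}

# Only act as an entrypoint when a command was supplied.
if [ "$#" -gt 0 ]; then
    run_as_app_user "$@"
fi
```

The Dockerfile then ends with ENTRYPOINT ["/entrypoint.sh"] and no USER line: the container starts as root, the script gives /opt/ml/processing/* to nonroot, and the job itself never runs with uid 0. If the job's AppSpecification overrides ContainerEntrypoint, that override has to point at this script, otherwise it is bypassed. Doing the chown at image build time would not help, because SageMaker creates these directories when the job starts.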

Related

Symbolic link to AWS EFS on web server doesn't work?

I have a static folder serving files on uwsgi.
/user/app/static/
lrwxrwxrwx 1 root root 23 Oct 13 09:40 _out -> /usr/src/app/_mat/_out/
drwxr-xr-x 8 root root 4096 Oct 13 09:49 assets
drwxr-xr-x 8 root root 4096 Oct 13 09:40 pages
In this case, the image files under assets appear correctly; however, the image files under _out cannot be accessed (a 404 error occurs).
static/assets/test.png is ok
static/_out/test.png returns 404 error
/usr/src/app/_mat/ are on the aws EFS.
I checked the permissions.
Generally speaking, do symbolic links work under a web server?

AWS CodeBuild not pausing on breakpoint

Using steps provided here, I kicked off a CodeBuild with the following advanced options checked:
Enable session connection
Allow AWS CodeBuild to modify this service role so it can be used with this build project
The buildspec included a codebuild-breakpoint:
version: 0.2
phases:
  pre_build:
    commands:
      - ls -al
      - codebuild-breakpoint
      - cd "${SERVICE_NAME}"
      - ls -al
      - $(aws ecr get-login)
      - TAG="$SERVICE_NAME"
  build:
    commands:
      - docker build --tag "${REPOSITORY_URI}:${TAG}" .
  post_build:
    commands:
      - docker push "${REPOSITORY_URI}:${TAG}"
      - printf '{"tag":"%s"}' $TAG > ../build.json
artifacts:
  files: build.json
The build started and produced the following logs without pausing:
[Container] 2022/02/28 13:49:03 Entering phase PRE_BUILD
[Container] 2022/02/28 13:49:03 Running command ls -al
total 148
drwxr-xr-x 2 root root 4096 Feb 28 13:49 .
drwxr-xr-x 3 root root 4096 Feb 28 13:49 ..
-rw-rw-rw- 1 root root 1818 Feb 28 10:54 user-manager\Dockerfile
-rw-rw-rw- 1 root root 140 Feb 28 10:34 user-manager\body.json
-rw-rw-rw- 1 root root 0 Feb 28 10:54 user-manager\shared-modules\
-rw-rw-rw- 1 root root 4822 Feb 21 14:52 user-manager\shared-modules\config-helper\config.js
-rw-rw-rw- 1 root root 2125 Feb 21 14:52 user-manager\shared-modules\config-helper\config\default.json
-rw-rw-rw- 1 root root 366 Feb 21 14:52 user-manager\shared-modules\config-helper\package.json
-rw-rw-rw- 1 root root 9713 Feb 21 14:52 user-manager\shared-modules\dynamodb-helper\dynamodb-helper.js
-rw-rw-rw- 1 root root 399 Feb 21 14:52 user-manager\shared-modules\dynamodb-helper\package.json
-rw-rw-rw- 1 root root 451 Feb 21 14:52 user-manager\shared-modules\token-manager\package.json
-rw-rw-rw- 1 root root 13885 Feb 21 14:52 user-manager\shared-modules\token-manager\token-manager.js
-rw-rw-rw- 1 root root 44372 Feb 28 10:34 user-manager\src\cognito-user.js
-rw-rw-rw- 1 root root 706 Feb 28 10:34 user-manager\src\package.json
-rw-rw-rw- 1 root root 32734 Feb 28 10:34 user-manager\src\server.js
[Container] 2022/02/28 13:49:03 Running command codebuild-breakpoint
2022/02/28 13:49:03 Build is paused temporarily and you can use codebuild-resume command in the session to resume this build
[Container] 2022/02/28 13:49:03 Running command cd "${SERVICE_NAME}"
/codebuild/output/tmp/script.sh: 4: cd: can't cd to user-manager
My primary question is: Why didn't the build pause and session manager link become available?
Side-quest: The reason I'm trying to debug the session is to try to determine why the process can't CD to the user-manager folder (which clearly exists). Any ideas why?
TLDR: The image on the build machine was too old.
Main quest
The template specified aws/codebuild/ubuntu-base:14.04 as the CodeBuild image. Presumably that image pre-dated the Session Manager functionality (which requires a specific version of the SSM agent to be installed).
I updated the agent to aws/codebuild/standard:5.0 and was able to successfully pause on the breakpoint and connect to the session.
Side quest
Once I connected I was able to investigate the cause of the inability to CD to the folder. I can confirm that Tim's shot in the dark was correct! All the entries were in fact files - no folders.
This QuickStart is the gift that keeps on giving! When/if I get all the issues resolved I'll submit a PR to update the project. Those interested in the cause of the file/folder issue can follow up there.
Side quest update
The strange flattening behaviour was due to creating the zip file on a Windows machine and unzipping it on a unix machine (the build agent uses an Ubuntu image). Just zipped it using 7-Zip and that did the job.
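The flattened listing above (user-manager\Dockerfile, user-manager\shared-modules\ as a zero-byte file) is easy to detect before any cd fails, and can even be repaired in place. The script below is an added example, not part of the question, the answer or CodeBuild: it assumes the archive was unpacked into the directory passed as $1, that an entry name containing a backslash is a Windows path that was flattened into a single file name, and that a zero-byte entry ending in a backslash was a directory. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original question or answer and not
# CodeBuild tooling. Assumes entries whose names contain a backslash are
# flattened Windows paths and that a zero-byte entry ending in a
# backslash was a directory marker.
set -eu

# List entries in $1 whose names contain a backslash, one per line.
flattened_entries() {
    for _f in "$1"/*\\*; do
        [ -e "$_f" ] || continue          # an unmatched glob stays literal
        printf '%s\n' "${_f##*/}"
    done
}

# Return 1 with an explanation if $1 holds flattened entries. Useful as
# the first pre_build command so the failure is explained before a cd
# to a folder that "clearly exists" fails.
check_no_flattened() {
    _n=$(flattened_entries "$1" | wc -l | tr -d ' ')
    if [ "$_n" -gt 0 ]; then
        printf 'error: %s source entries contain a backslash (archive built with Windows paths?)\n' "$_n" >&2
        flattened_entries "$1" | sed 's/^/  /' >&2
        return 1
    fi
}

# Rebuild the directory tree in place: a\b\c.js becomes a/b/c.js and the
# zero-byte marker a\b\ becomes directory a/b. Prints the number of
# entries rewritten.
repair_flattened() {
    _dir="$1"; _fixed=0
    for _f in "$_dir"/*\\*; do
        [ -e "$_f" ] || continue
        _rel=$(printf '%s' "${_f##*/}" | tr '\\' '/')
        case "$_rel" in
            */) mkdir -p "$_dir/$_rel"; rm -f "$_f" ;;
            *)  mkdir -p "$_dir/${_rel%/*}"; mv "$_f" "$_dir/$_rel" ;;
        esac
        _fixed=$((_fixed + 1))
    done
    echo "$_fixed"
}
```

Running check_no_flattened "$CODEBUILD_SRC_DIR" as the first pre_build command turns the cryptic "can't cd to user-manager" into a message that names the cause. Fixing the archive at its source, as the answer did, is still the right long-term fix; repair_flattened is for the case where the archive cannot be rebuilt right away.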

Elastic beanstalk not copying single container logs

I'm trying to sync a folder, full of folders which have log files in them, from a single Docker container instance deployed on AWS Elastic Beanstalk. I've used the logging directive as shown here https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/single-container-docker-configuration.html but when I request the full logs, none of my logs are downloaded.
Dockerrun.aws.json
{
  "AWSEBDockerrunVersion": "1",
  "Image": {
    ~snip~
    "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": 80
    }
  ],
  "Logging": "/var/log/applogs"
}
Container structure:
bash-4.2# ls -la /var/log/applogs/
total 8
drwxr-xr-x 2 root root 4096 Dec 5 15:35 .
drwxr-xr-x 12 root root 4096 Dec 5 15:35 ..
lrwxrwxrwx 1 root root 34 Dec 5 15:35 app -> /var/www/html/app/storage/logs
lrwxrwxrwx 1 root root 14 Dec 5 15:35 httpd -> /var/log/httpd
lrwxrwxrwx 1 root root 16 Dec 5 15:35 php-fpm -> /var/log/php-fpm
It was my impression that the logging directive would recursively include (And also follow symlinks) all log files in the directory specified, but it's not bringing anything across. Am I wrong about that or just doing something wrong here?
I solved this by symlinking the individual log files in the container; not ideal, but it will have to do.
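The workaround of linking individual files can be automated so that new log files are picked up at container start. The script below is an added example, not the poster's code and not part of Elastic Beanstalk: it assumes Dockerrun.aws.json keeps "Logging": "/var/log/applogs", that the application writes *.log files under the directories given as name=dir pairs, that log file names contain no whitespace, and that the script runs from the container entrypoint before the application starts. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from Elastic Beanstalk.
# Assumptions: "Logging" in Dockerrun.aws.json points at $1, the app
# writes *.log files under the listed directories, log file names have no
# whitespace, and this runs at container start.
set -eu

# Link every regular *.log file below the given sources into $1 as an
# individual file symlink, which is what the log bundle picks up. Each
# source is "name=dir"; the name prefixes the link so app/laravel.log and
# httpd/laravel.log cannot collide. Prints the number of links made.
link_log_files() {
    _dst="$1"; shift
    _count=0
    mkdir -p "$_dst"
    for _arg in "$@"; do
        case "$_arg" in
            *=*) _name=${_arg%%=*}; _src=${_arg#*=} ;;
            *)   _src=$_arg; _name=${_src%/}; _name=${_name##*/} ;;
        esac
        [ -d "$_src" ] || continue        # missing source: skip, not fail
        for _log in $(find "$_src" -type f -name '*.log'); do
            ln -sf "$_log" "$_dst/$_name-${_log##*/}"
            _count=$((_count + 1))
        done
    done
    echo "$_count"
}

# Report links in $1 whose target no longer exists (rotated or removed
# logs), one name per line, so a health check can re-run link_log_files.
dangling_links() {
    for _l in "$1"/*; do
        [ -L "$_l" ] || continue
        [ -e "$_l" ] || printf '%s\n' "${_l##*/}"
    done
}
```

For the container layout in the question the call would be link_log_files /var/log/applogs app=/var/www/html/app/storage/logs httpd=/var/log/httpd php-fpm=/var/log/php-fpm. Log rotation that creates a new file name (error.log-20221205) is not linked until the function runs again, which is what dangling_links is meant to trigger.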

What is the default user that codedeploy runs the hook scripts as?

Background: I am facing this error: AWS codedeploy deployment throwing "[stderr] Could not open input file" while trying to invoke a PHP file from the sh file at the afterInstall step.
In the afterInstall step, I am trying to run a PHP file from the afterInstall.sh file and I am getting this error: unable to open PHP file.
I am not sure what exactly to do. Thought of trying to manually check if I could run the file as that user.
The CodeDeploy agent default user is root.
The directory listing below shows the ownership of the deployed files in their destination folder, /tmp, after a successful deployment.
ubuntu@ip-10-0-xx-xx:~$ ls -l /tmp
total 36
-rw-r--r-- 1 root root 85 Aug 2 05:04 afterInstall.php
-rw-r--r-- 1 root root 78 Aug 2 05:04 afterInstall.sh
-rw-r--r-- 1 root root 1397 Aug 2 05:04 appspec.yml
-rw------- 1 root root 3189 Aug 2 05:07 codedeploy-agent.update.log
drwx------ 2 root root 16384 Aug 2 03:01 lost+found
-rw-r--r-- 1 root root 63 Aug 2 05:04 out.log
runas is an optional field in the AppSpec file: the user to impersonate when running the script. By default, this is the user the AWS CodeDeploy agent runs as on the instance (if you don't specify a non-root user, it will be root).
To run the host agent as a non-root user, the environment variable CODEDEPLOY_USER needs to be set, as the link to the host agent source code shows. The env variable can be set to whatever user you want the host agent to run as.
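Whether the hook runs as root or as a runas: user, the two things that produce "Could not open input file" from the php CLI are a path that does not exist from the hook's working directory and a file the hook user cannot read. The script below is an added example, not the answer's or CodeDeploy's own code: it assumes afterInstall.php sits next to afterInstall.sh in the deployment archive and that appspec.yml lists the script as an AfterInstall hook, optionally with a runas: line. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original answer or from CodeDeploy.
# Assumptions: afterInstall.php lives next to this script in the
# deployment archive and appspec.yml runs this script as an AfterInstall
# hook, optionally with "runas: <user>".
set -eu

# Directory the given script path lives in; call inside $(...) so the cd
# stays in a subshell. Sibling files are then found regardless of the
# working directory the agent happens to use.
script_dir() {
    cd "$(dirname "$1")" && pwd
}

# Describe the identity the hook actually runs under, for the hook log.
hook_identity() {
    printf 'uid=%s user=%s cwd=%s\n' "$(id -u)" "$(id -un)" "$(pwd)"
}

# Exit 0 when $1 exists and is readable by the current user; otherwise
# say which of the two checks failed and return 1.
check_readable() {
    if [ ! -f "$1" ]; then
        printf 'missing: %s (cwd=%s)\n' "$1" "$(pwd)" >&2
        return 1
    fi
    if [ ! -r "$1" ]; then
        printf 'not readable by %s: %s\n' "$(id -un)" "$1" >&2
        return 1
    fi
}

# Hook body: resolve afterInstall.php relative to this script, verify it,
# then hand php an absolute path so the agent's cwd no longer matters.
run_after_install() {
    _here=$(script_dir "$1")
    _php="$_here/afterInstall.php"
    hook_identity
    check_readable "$_php"
    php "$_php"
}

# Only run the hook body when invoked by name with no arguments.
if [ "$#" -eq 0 ] && [ "${0##*/}" = "afterInstall.sh" ]; then
    run_after_install "$0"
fi
```

The hook_identity line lands in the deployment's hook log, which answers the "which user" question for that specific deployment instead of relying on the default. If the script is later given runas: ubuntu in appspec.yml, check_readable is what turns a silent permission problem on root-owned files into a message naming the user.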

AWS Block Devices name doesn't match with CentOS SoftLink

On AWS EC2 the block devices are identified as /dev/sda, /dev/sdf and /dev/sdg, but inside the EC2 CentOS instance when I do ll /dev/sd* it gives the following:
lrwxrwxrwx. 1 root root 4 Feb 17 03:10 /dev/sda -> xvde
lrwxrwxrwx. 1 root root 4 Feb 17 03:10 /dev/sdj -> xvdj
lrwxrwxrwx. 1 root root 4 Feb 17 03:10 /dev/sdk -> xvdk
lrwxrwxrwx. 1 root root 5 Feb 17 03:10 /dev/sdk1 -> xvdk1
When I run ec2-describe-instances --aws-access-key xxxxxx<MyKey>xxx --aws-secret-key xxxxxx<MyKey>xxx --region us-east-1 $(curl -s http://169.254.169.254/latest/meta-data/instance-id) | grep -i BLOCKDEVICE the output is as follows:
/dev/sda
/dev/sdf
/dev/sdg
I am wondering how to link these two: the AWS console's block devices and the block devices seen within the EC2 instance?
Thanks,
This is a device mapping alias problem. You can see more details with a solution here:
https://forums.aws.amazon.com/message.jspa?messageID=255240
Make sure you take backups of everything before making any changes!
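Before changing anything, it helps to have the mapping written down. The script below is an added example, not from the question, the answer or the linked forum thread: it reads the /dev/sd* symlinks shown above and flags the entries where the console name and the in-guest xvd name disagree (sda -> xvde in the question), on the assumption that the console names are the ones describe-instances prints and that a console sdX normally appears in the guest as xvdX. $1 is the directory holding the links, /dev on a real instance; function names are my own.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Resolves the
# /dev/sd* links udev creates and flags aliases where the console name
# and the in-guest xvd name disagree. Assumes console names come from
# describe-instances and that sdX is expected to show up as xvdX.
set -eu

# Expected in-guest name for a console name: /dev/sdX -> xvdX (same letter,
# partition number kept, so /dev/sdk1 -> xvdk1).
expected_guest_name() {
    _base=${1##*/}
    printf 'xvd%s\n' "${_base#sd}"
}

# Actual target of a /dev/sdX link, or "-" when no such link exists.
actual_guest_name() {
    if [ -L "$1" ]; then
        readlink "$1"
    else
        printf '%s\n' -
    fi
}

# One line per console device: "<console> <expected> <actual> <status>".
# status is "ok" when the link follows the letter, "alias" when the guest
# wired the console name to a different xvd device, "missing" when the
# console device has no /dev/sdX link at all.
device_map() {
    _devdir="$1"; shift
    for _console in "$@"; do
        _exp=$(expected_guest_name "$_console")
        _act=$(actual_guest_name "$_devdir/${_console##*/}")
        case "$_act" in
            "$_exp") _status=ok ;;
            -)       _status=missing ;;
            *)       _status=alias ;;
        esac
        printf '%s %s %s %s\n' "$_console" "$_exp" "$_act" "$_status"
    done
}
```

On the instance this would be run as device_map /dev /dev/sda /dev/sdf /dev/sdg with the names taken from the describe-instances output; a "missing" row for /dev/sdf or /dev/sdg means the guest never created that alias, and the instance metadata under http://169.254.169.254/latest/meta-data/block-device-mapping/ gives the same console-side view without needing API keys on the box.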