Why is crond failing to run a non-root crontab on alpine linux?

Views: 212

Problem description

I am having a nasty time running a non-root crontab file on Alpine Linux.

I've been through two other cron related posts and I don't have an answer:

https://askubuntu.com/questions/23009/why-crontab-scripts-are-not-working

https://serverfault.com/questions/449651/why-is-my-crontab-not-working-and-how-can-i-troubleshoot-it

Here's the setup.

My crontab looks like this:

PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin:/home/ec2-user/bin
SHELL=/bin/bash

* * * * * /opt/monitor/monitor.sh >> /var/log/monitor.log 2>&1
0 3 * * * /opt/monitor/monitor-log-clean.sh >> /var/log/monitor.log 2>&1

My Dockerfile is a little messy now, but only because I have been desperately trying to resolve this. It looks something like this. In short, I add SUID for crontab -e to work as other users, I create my user, I import my crontab file, and then I provide permissions to everything I can think of.

FROM alpine:3.5

# DEPENDENCY TO ALLOW USERS TO RUN crontab -e
RUN apk add --update busybox-suid

# I LIKE BASH
RUN apk --no-cache add bash bash-doc
RUN apk --no-cache add util-linux pciutils usbutils coreutils binutils findutils grep

#... lots of custom stuff ...    

# CREATE USER
RUN adduser -S robuser && \
    mkdir -p /home/robuser

# ADD ENTRY POINT
ADD src/entrypoint.sh /home/robuser/entrypoint.sh

# GIVE MY USER ACCESS
RUN mkdir /etc/cron.d
RUN echo "robuser" > /etc/cron.allow
RUN echo "" >> /etc/cron.allow
RUN chmod -R 644 /etc/cron.d

# ADD MY CRONTAB
RUN mkdir -p /var/spool/cron/crontabs
ADD ./src/crontab.conf /tmp/cloudwatch/crontab.conf
RUN crontab -u robuser /tmp/cloudwatch/crontab.conf

# DEBUG... GIVE MY USER ACCESS TO EVERYTHING
RUN chown -R robuser /etc/cron.d
RUN chmod -R 755 /etc/cron.d
RUN chown -R robuser /var/spool/cron
RUN chmod -R 744 /var/spool/cron
RUN chown robuser /var/spool/cron/crontabs
RUN chmod 744 /var/spool/cron/crontabs
RUN chown -R robuser /etc/crontabs
RUN chmod -R 744 /etc/crontabs
RUN chown robuser /etc/crontabs/robuser
RUN chmod -R 744 /etc/crontabs/robuser
RUN chmod 600 /var/spool/cron/crontabs/robuser

# ADD MY MONITORING PROGRAM
RUN mkdir -p /opt/monitor
ADD src/monitor /opt/monitor
RUN mkdir -p /opt/monitor/.tmp && \
    chown -R robuser /opt/monitor && \
    chmod -R 700 /opt/monitor

RUN touch /var/log/entrypoint.log && \
    touch /var/log/monitor.log && \
    touch /var/log/cron.log && \
    touch /var/log/awslogs.log && \
    chown -R robuser /var/log

USER robuser

ENTRYPOINT /home/robuser/entrypoint.sh

Meanwhile, my entrypoint.sh has this somewhere in it. I start the cron daemon as a background service and log to cron.log verbosely. I've also tried specifying -d 0 to get even more debug, but that didn't really add anything to the output.

#!/bin/bash

crond -b -l 0 -L /var/log/cron.log

#... lots of other startup stuff ...

An important point: If I don't switch to robuser, everything works okay as root.

If I check the cron.log, it's pretty empty:

crond: crond (busybox 1.25.1) started, log level 0
crond: wakeup dt=45
crond: wakeup dt=60
crond: wakeup dt=60

Meanwhile, /var/log/monitor.log is completely empty (see crontab at the beginning of the post).

So crond is not printing any errors.

I've tried everything I can think of to debug this. There's no error message. It simply runs and never prints. A good suggestion was to simplify my crontab, but this also did not work:

PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin:/home/ec2-user/bin
SHELL=/bin/bash

* * * * * touch /tmp/test.txt

I've tried searching for other alpine containers who use non-root cron, but most people don't go through the trouble of getting their alpine containers to run non-root.

Does anyone have any further suggestions to help debug this?

Recommended answer

cron itself should run as root, regardless of which user you want to use to run the jobs.

Indeed, when you run:

RUN crontab -u robuser /tmp/cloudwatch/crontab.conf

This will install a crontab for user robuser. When cron executes jobs from this particular crontab, it will automatically switch users to robuser. However, cron can't switch users like that if it's not running as root, which is why you need to be running cron as root.

So, to make cron work here, you'll need to remove this directive from your Dockerfile:

USER robuser

Note that you probably won't be out of the woods once you fix this issue: if you're using environment variables to pass AWS credentials to your monitoring scripts (it seems you're using AWS here), this won't work, because cron will remove those prior to switching users. This is largely a security feature in cron to avoid env-variable leakage to unprivileged users.

As an aside: I wrote an open-source crontab runner, Supercronic, specifically designed for container use cases, which fixes that (and you can run it as an unprivileged user just fine). If you get frustrated with regular cron, you could always give it a shot.
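To make the two points of the answer concrete, here is an entrypoint that keeps busybox crond running as root (so it can switch to the crontab owner) while the jobs run as robuser, and that hands the job its AWS credentials through a file owned by robuser instead of relying on crond's environment, which the answer warns never reaches the job. This is an added example, not code from the original question or answer. It assumes (none of this is in the post) that the image still creates robuser, that the crontab is copied to /opt/monitor/crontab.conf, that the monitoring script reads /home/robuser/.aws/credentials, and that the secrets are supplied at `docker run` time in AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

```shell
#!/bin/sh
# entrypoint.sh (added example): run busybox crond as root, jobs as robuser.
# Assumed paths/users, not from the original post: robuser,
# /opt/monitor/crontab.conf, /home/robuser/.aws/credentials.
set -eu

JOB_USER="${JOB_USER:-robuser}"
CRONTAB_SRC="${CRONTAB_SRC:-/opt/monitor/crontab.conf}"
CRED_FILE="${CRED_FILE:-/home/robuser/.aws/credentials}"

# crond can only switch to the crontab owner when it is root itself.
# $1: numeric uid to check; defaults to the uid of the current process.
require_root() {
    [ "${1:-$(id -u)}" -eq 0 ]
}

# Write an AWS shared-credentials file that only its owner can read.
# $1: destination, $2: access key id, $3: secret key,
# $4 (optional): user to hand the file to (chown needs root, so main passes
# it and a non-root caller may leave it out).
write_credentials() {
    dest="$1"; key_id="$2"; secret="$3"; owner="${4:-}"
    mkdir -p "$(dirname "$dest")"
    # Restrictive umask inside a subshell so it does not leak into the rest
    # of the script: the file is never world-readable, not even briefly.
    (
        umask 077
        printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
            "$key_id" "$secret" > "$dest"
    )
    chmod 600 "$dest"
    if [ -n "$owner" ]; then
        chown "$owner" "$(dirname "$dest")" "$dest"
    fi
}

# Permission bits of a path as "rw-------" (portable across ls variants),
# used to double-check the credential file before crond starts.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

main() {
    if ! require_root; then
        echo "crond must start as root; jobs still run as $JOB_USER" >&2
        exit 1
    fi
    : "${AWS_ACCESS_KEY_ID:?required at container start}"
    : "${AWS_SECRET_ACCESS_KEY:?required at container start}"
    write_credentials "$CRED_FILE" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$JOB_USER"
    [ "$(perm_string "$CRED_FILE")" = "rw-------" ] || exit 1
    # Secrets are on disk for robuser now; drop them from crond's environment.
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    # Install the crontab for the job user; crond switches to that user for
    # every job in it, so the Dockerfile needs no USER directive.
    crontab -u "$JOB_USER" "$CRONTAB_SRC"
    # Foreground keeps the container alive; log to stdout for "docker logs".
    exec crond -f -l 0 -L /dev/stdout
}

# Run main only when invoked as the container entrypoint, not when sourced.
case "${0##*/}" in entrypoint.sh) main ;; esac
```

On the Dockerfile side this means dropping `USER robuser`, keeping `RUN adduser -S robuser`, copying this script and the crontab in, and using `ENTRYPOINT ["/entrypoint.sh"]`; at run time pass `-e AWS_ACCESS_KEY_ID=... -e AWS_SECRET_ACCESS_KEY=...`. Because crond now runs as root, the `chown -R robuser` lines over /var/spool/cron and /etc/crontabs are no longer needed; /opt/monitor can stay owned by robuser, since anything it writes runs only as robuser.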
