为什么 crond 无法在 alpine linux 上运行非 root crontab? [英] Why is crond failing to run a non-root crontab on alpine linux?
问题描述
我在 Alpine Linux 上运行非根 crontab 文件时遇到了麻烦.
I am having a nasty time running a non-root crontab file on Alpine Linux.
我已经阅读了另外两个与 cron 相关的帖子,但我没有答案:
I've been through two other cron related posts and I don't have an answer:
https://askubuntu.com/questions/23009/why-crontab-scripts-不工作
https://serverfault.com/questions/449651/why-is-my-crontab-not-working-and-how-can-i-troubleshoot-it
这是设置.
我的 crontab 看起来像这样:
My crontab looks like this:
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin:/home/ec2-user/bin
SHELL=/bin/bash
* * * * * /opt/monitor/monitor.sh >> /var/log/monitor.log 2>&1
0 3 * * * /opt/monitor/monitor-log-clean.sh >> /var/log/monitor.log 2>&1
我的 Dockerfile 现在有点乱,但这只是因为我一直在拼命尝试解决这个问题.它看起来像这样.简而言之,我为 crontab -e 添加 SUID 以作为其他用户工作,我创建我的用户,我导入我的 crontab 文件,然后我为我能想到的所有内容提供权限.
My Dockerfile is a little messy now, but only because I have been desperately trying to resolve this. It looks something like this. In short, I add SUID for crontab -e to work as other users, I create my user, I import my crontab file, and then I provide permissions to everything I can think of.
FROM alpine:3.5
# DEPENDENCY TO ALLOW USERS TO RUN crontab -e
RUN apk add --update busybox-suid
# I LIKE BASH
RUN apk --no-cache add bash bash-doc
RUN apk --no-cache add util-linux pciutils usbutils coreutils binutils findutils grep
#... lots of custom stuff ...
# CREATE USER
RUN adduser -S robuser &&
mkdir -p /home/robuser
# ADD ENTRY POINT
ADD src/entrypoint.sh /home/robuser/entrypoint.sh
# GIVE MY USER ACCESS
RUN mkdir /etc/cron.d
RUN echo "robuser" > /etc/cron.allow
RUN echo "" >> /etc/cron.allow
RUN chmod -R 644 /etc/cron.d
# ADD MY CRONTAB
RUN mkdir -p /var/spool/cron/crontabs
ADD ./src/crontab.conf /tmp/cloudwatch/crontab.conf
RUN crontab -u robuser /tmp/cloudwatch/crontab.conf
# DEBUG... GIVE MY USER ACCESS TO EVERYTHING
RUN chown -R robuser /etc/cron.d
RUN chmod -R 755 /etc/cron.d
RUN chown -R robuser /var/spool/cron
RUN chmod -R 744 /var/spool/cron
RUN chown robuser /var/spool/cron/crontabs
RUN chmod 744 /var/spool/cron/crontabs
RUN chown -R robuser /etc/crontabs
RUN chmod -R 744 /etc/crontabs
RUN chown robuser /etc/crontabs/robuser
RUN chmod -R 744 /etc/crontabs/robuser
RUN chmod 600 /var/spool/cron/crontabs/robuser
# ADD MY MONITORING PROGRAM
RUN mkdir -p /opt/monitor
ADD src/monitor /opt/monitor
RUN mkdir -p /opt/monitor/.tmp &&
chown -R robuser /opt/monitor &&
chmod -R 700 /opt/monitor
RUN touch /var/log/entrypoint.log &&
touch /var/log/monitor.log &&
touch /var/log/cron.log &&
touch /var/log/awslogs.log &&
chown -R robuser /var/log
USER robuser
ENTRYPOINT /home/robuser/entrypoint.sh
与此同时,我的 entrypoint.sh 中有这个.我将 cron 守护进程作为后台服务启动并详细记录到 cron.log.我还尝试指定 -d 0 以获得更多调试,但并没有真正向输出添加任何内容.
meanwhile, my entrypoint.sh has this somewhere in it. I start the cron daemon as a background service and log to cron.log verbosely. I've also tried specifying -d 0 to get even more debug, but the didn't really add anything to the output.
#!/bin/bash
crond -b -l 0 -L /var/log/cron.log
#... lots of other startup stuff ...
重要的一点:如果我不切换到 robuser,root 下一切正常.
An important point: If I don't switch to robuser, everything works okay as root.
如果我检查 cron.log,它非常空:
If I check the cron.log, its pretty empty:
crond: crond (busybox 1.25.1) started, log level 0
crond: wakeup dt=45
crond: wakeup dt=60
crond: wakeup dt=60
与此同时,/var/log/monitor.log 完全是空的(参见文章开头的 crontab).
Meanwhile, /var/log/monitor.log is completely empty (see crontab at the beginning of the post).
所以 crond 没有打印任何错误.
So crond is not printing any errors.
我已经尝试了所有我能想到的方法来调试它.没有错误信息.它只是运行,从不打印.一个很好的建议是简化我的 crontab .. 但这也不起作用:
I've tried everything i can think of to debug this. There's no error message. It simply runs and never prints. A good suggestion was to simply my crontab.. but this also did not work:
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin:/home/ec2-user/bin
SHELL=/bin/bash
* * * * * touch /tmp/test.txt
我试过寻找其他使用非 root cron 的 alpine 容器,但大多数人不会遇到让他们的 alpine 容器非 root 运行的麻烦.
I've tried searching for other alpine containers who use non-root cron, but most people don't go through the trouble of getting their alpine containers to run non-root.
有人有任何进一步的建议来帮助调试吗?
Does anyone have any further suggestions to help debug this?
推荐答案
cron 本身应该以 root 的身份运行,无论您想使用哪个用户来运行作业.
cron itself should run as root, regardless of which user you want to use to run the jobs.
确实,当您运行时:
RUN crontab -u robuser /tmp/cloudwatch/crontab.conf
这将为用户 robuser 安装一个 crontab.当cron 从这个特定的crontab 执行作业时,它会自动将用户切换到robuser.但是,如果cron 不是以root 身份运行,则它无法像这样切换用户,这就是为什么您需要运行cron以根用户身份.
This will install a crontab for user robuser. When cron executes jobs from this particular crontab, it will automatically switch users to robuser. However, cron can't switch users like that if it's not running as root, which is why you need to be running cron as root.
因此,要使 cron 在这里工作,您需要从 Dockerfile 中删除此指令:
So, to make cron work here, you'll need to remove this directive from your Dockerfile:
USER robuser
<小时>
请注意,一旦解决此问题,您可能不会摆脱困境:如果您使用环境变量将 AWS 凭证传递给您的监控脚本(似乎您在这里使用的是 AWS),这将不会't 工作,因为 cron 将在切换用户之前删除那些.这主要是 cron 中的一项安全功能,可避免环境变量泄露给非特权用户.
Note that you probably won't be out of the woods once you fix this issue: if you're using environment variables to pass AWS credentials to your monitoring scripts (it seems you're using AWS here), this won't work, because cron will remove those prior to switching users. This is largely a security feature in cron to avoid env-variable leakage to unprivileged users.
顺便说一句:我写了一个开源 crontab runner,Supercronic,专为容器使用而设计案例,它解决了这个问题(你可以作为非特权用户运行它就好了).如果您对常规的 cron 感到沮丧,您可以随时尝试.
As an aside: I wrote an open-source crontab runner, Supercronic, specifically designed for container use cases, which fixes that (and you can run it as an unprivileged user just fine). If you get frustrated with regular cron, you could always give a shot.
这篇关于为什么 crond 无法在 alpine linux 上运行非 root crontab?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
