rauc/rauc-hawkbit-updater

downloaded bundle has the wrong owner

j-licht opened this issue · 12 comments

The downloaded bundle is saved with the owner root:rauc-hawkbit-updater and permissions 644.
rauc-hawkbit-updater is run by the systemd service file.
So the updater fails to delete the old bundle or to download a new one.

I think the owner is changed during the update process by the rauc tool running as root.
So what's the correct way to run rauc-hawkbit-updater as an unprivileged user?

If the download directory belongs to the rauc-hawkbit-updater user, it should be able to delete the bundle.

The example config uses /tmp/bundle.raucb.
So would the right way be to use a subfolder of /tmp?

The proper location depends on your expected bundle sizes and where you have enough temporary space for the download.

OK. I have a read-only rootfs and the /tmp dir is a tmpfs.
As far as I can see, rauc-hawkbit-updater doesn't create the tmp dir, so should I add a mkdir to the service file?

Seems like the correct approach for your use case.

@j-licht Did that work out for you? Is there anything that would have made figuring it out easier (like a comment in the docs)?

I'm not quite sure in which scenario the default config with the download location /tmp/bundle.raucb and the default service file running rauc-hawkbit-updater as an unprivileged user works at all.
My suggestion is to change the default config and service file to use a subfolder of /tmp, or did I miss something?
I can open a PR if this helps.

RAUC only takes ownership of plain format bundles. If you use verity format bundles (the recommended format), the example download location works as is.

Since we are talking about the example location here, I'd like to keep this separate from the systemd service file. I could imagine an exemplary suggestion for a systemd drop-in to cover plain bundle cases though.

OK, understood.
Yeah, then I would suggest a notice in the README, FAQ or common pitfalls.

I have noticed that when we use ExecStartPre to create the tmp folder, it will be cleaned up after 10 days by systemd-tmpfiles-clean. So I think the better way is to use a config file in /etc/tmpfiles.d/:

d /tmp/rauc-hawkbit-updater     - rauc-hawkbit rauc-hawkbit - -

@j-licht Right, would you care to create a PR to change the bit in the documentation?
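
The permission rule behind this thread, as an added example that is not part of the original issue or of the rauc-hawkbit-updater project: deleting a file depends on the containing directory, and a sticky directory such as /tmp additionally requires owning the file or the directory. The uid/gid value 990 and the stat values are constructed; ACLs, capabilities and read-only mounts are ignored.

```python
import stat
from types import SimpleNamespace

def st(mode, uid, gid):
    """Constructed stand-in for os.stat() output (only the fields used below)."""
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

def can_unlink(dir_st, file_st, uid, gids):
    """Return (allowed, reason): may uid/gids delete file_st from dir_st?

    Simplified POSIX rule; ignores ACLs, capabilities and read-only mounts.
    """
    if uid == 0:
        return True, "root bypasses permission checks"
    # Deleting needs write + search permission on the directory, not the file.
    if uid == dir_st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if (dir_st.st_mode & need) != need:
        return False, "no write/search permission on directory"
    # Sticky directories (/tmp) additionally require owning the file or the dir.
    sticky = bool(dir_st.st_mode & stat.S_ISVTX)
    if sticky and uid not in (file_st.st_uid, dir_st.st_uid):
        return False, "sticky directory, file owned by another user"
    return True, "directory permissions allow unlink"

UPDATER_UID = UPDATER_GID = 990                    # constructed ids
TMP = st(0o041777, 0, 0)                           # /tmp: root:root, sticky
SUBDIR = st(0o040755, UPDATER_UID, UPDATER_GID)    # subfolder owned by updater
ROOT_BUNDLE = st(0o100644, 0, UPDATER_GID)         # root:<updater group>, 644
OWN_BUNDLE = st(0o100644, UPDATER_UID, UPDATER_GID)

if __name__ == "__main__":
    for label, d, f in [("root-owned bundle in /tmp", TMP, ROOT_BUNDLE),
                        ("root-owned bundle in subfolder", SUBDIR, ROOT_BUNDLE),
                        ("updater-owned bundle in /tmp", TMP, OWN_BUNDLE)]:
        print(label, "->", can_unlink(d, f, UPDATER_UID, {UPDATER_GID}))
```

To check a real system, pass `os.stat()` of the download directory and `os.lstat()` of the bundle instead of the constructed values.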