Permissions Granted to Containers Running Functions
When a function you've deployed to OCI Functions is invoked, it runs inside a container. The operations that a container can perform are determined by the user ID (UID) and group ID (GID) specified when the container is started. If a UID or GID is not specified, the container runs processes as the root user, with all the default capabilities enabled.
When starting a container to run a function, OCI Functions always specifies a user named 'fn' with a UID of 1000, and a group name 'fn' with a GID of 1000. No privileges are granted to UID 1000 and GID 1000, so the container (and the function running inside it) does not acquire the default capabilities listed in the Docker documentation. In addition, the container is prevented from gaining privileges.
As a result, do not create and deploy functions that:
- depend on capabilities that are unavailable
- depend on privilege elevation (for example,
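The following self-check is an added example and is not part of the OCI Functions documentation or the Fn project. It reads the fields Linux exposes in /proc/self/status and compares them with the identity described above: effective UID and GID 1000, an empty effective and bounding capability set, and NoNewPrivs set (the kernel flag that prevents a process from gaining privileges). The two status texts embedded below are constructed samples; the second one carries the capability mask that corresponds to Docker's documented default set for a root container, so decoding it shows exactly which capabilities a function container does not have. Running it from a function's entry point (or locally on Linux) prints any deviation from that model.

```python
"""Audit the UID/GID, capabilities and NoNewPrivs flag of a process.

Added example (not OCI Functions or Fn project code). The sample
/proc/self/status texts below are constructed for illustration.
"""
import os

# Linux capability bit numbers, in the order defined by <linux/capability.h>,
# used to turn the hex masks in /proc/self/status into names.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed sample: what a function container started as uid/gid 1000 with
# no capabilities and no_new_privs shows.
FUNCTION_STATUS = """Name:\tnode
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
NoNewPrivs:\t1
"""

# Constructed sample: a root process with Docker's default capability set.
ROOT_STATUS = """Name:\tnode
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
NoNewPrivs:\t0
"""


def parse_proc_status(text):
    """Parse the "Key:<tab>value" lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hex_mask):
    """Return the capability names whose bits are set in a hex mask."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def audit_status(text, expected_uid=1000, expected_gid=1000):
    """Return a list of findings; an empty list means the process matches
    the model described for OCI Functions containers."""
    fields = parse_proc_status(text)
    findings = []
    # The Uid/Gid lines list real, effective, saved and filesystem ids.
    uid = int(fields["Uid"].split()[1])
    gid = int(fields["Gid"].split()[1])
    if uid != expected_uid:
        findings.append(f"effective UID is {uid}, expected {expected_uid}")
    if gid != expected_gid:
        findings.append(f"effective GID is {gid}, expected {expected_gid}")
    # Both the effective set and the bounding set must be empty: an empty
    # bounding set means no capability can ever be re-acquired by exec.
    for key in ("CapEff", "CapBnd"):
        names = decode_caps(fields.get(key, "0"))
        if names:
            findings.append(f"{key} is not empty: {', '.join(names)}")
    if fields.get("NoNewPrivs") != "1":
        findings.append("NoNewPrivs is not set; the process could gain privileges")
    return findings


if __name__ == "__main__":
    # On Linux (for example inside the function container) audit the live process.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            report = audit_status(fh.read())
        for line in report or ["process identity matches the OCI Functions model"]:
            print(line)
```

audit_status() returns an empty list for the first sample and five findings for the second; decoding the root sample's mask lists the fourteen default Docker capabilities (CAP_CHOWN through CAP_SETFCAP), which is what a function would be missing if its code relied on any of them.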
If you are using your own Dockerfile, include the following lines so that the image contains a user and group matching the UID and GID that OCI Functions uses when it starts the container:

groupadd --gid 1000 fn && \
adduser --uid 1000 --gid fn fn

For example, in a Dockerfile for a Node.js function that uses Oracle Instant Client:

FROM oraclelinux:7-slim
RUN yum -y install oracle-release-el7 oracle-nodejs-release-el7 && \
    yum-config-manager --disable ol7_developer_EPEL && \
    yum -y install oracle-instantclient19.3-basiclite nodejs && \
    rm -rf /var/cache/yum && \
    groupadd --gid 1000 fn && \
    adduser --uid 1000 --gid fn fn
WORKDIR /function
ADD . /function/
RUN npm install
CMD exec node func.js
Note that if you do not include the groupadd and adduser lines in the above example Dockerfile, you will see the following error message:
cx_Oracle.DatabaseError: ORA-12560: TNS:protocol adapter error