client aborts if sample-shadow output file cannot be written, even if sample-shadow feature is disabled #452

Open
antoine-sac opened this issue Mar 25, 2024 · 2 comments
Labels
bug Something isn't working

antoine-sac commented Mar 25, 2024

Describe the bug

The AWS IoT device client always tries to write a sample-shadow-output directory or file, even when sample shadow is disabled.

Our filesystem is read-only so the AWS IoT device client refuses to start.

To Reproduce

Steps to reproduce the behavior:

  1. Make the shadow-output file unwritable for some reason (e.g. read-only fs, lack of permissions, etc.)
  2. The AWS IoT device client will fail to launch

Expected behavior

The AWS IoT device client should not try to write a sample shadow output file if the sample shadow feature is disabled. Even if it did try to write it, it should not abort if the sample shadow feature is disabled.

Actual behavior

The AWS IoT device client fails with "Failed to access/create default directories: ~/.aws-iot-device-client/sample-shadow/ required for storage of shadow document".

Logs

Running /sbin/aws-iot-device-client --config-file /etc/aws-iot-device-client/aws-iot-device-client.conf

2024-03-25T13:53:05.421Z [WARN]  {FileUtils.cpp}: Permissions to given file/dir path '/etc/aws-iot-device-client/' is not set to recommended value... {Permissions: {desired: 745, actual: 755}}
2024-03-25T13:53:05.421Z [WARN]  {FileUtils.cpp}: Permissions to given file/dir path '/etc/aws-iot-device-client/aws-iot-device-client.conf' is not set to recommended value... {Permissions: {desired: 640, actual: 644}}
2024-03-25T13:53:05.422Z [INFO]  {Config.cpp}: Successfully fetched JSON config file: {
        "thing-name": "REDACTED",
        "endpoint": "REDACTED.amazonaws.com",
	"cert": "/data/secrets/device-certificate.pem.crt",
	"key": "/data/secrets/device-private.pem.key",
	"root-ca": "/usr/share/iot/CA/AmazonRootCA1.pem",
	"logging": {
		"level": "WARN",
		"type": "STDOUT",
                "enable-sdk-logging": false
	},
	"jobs": {
		"enabled": true,
		"handler-directory": "/usr/share/aws-iot-device-client/jobs"
	},
	"tunneling": {
		"enabled": true
	},
	"device-defender": {
		"enabled": false
	},
	"fleet-provisioning": {
		"enabled": false
	},
	"samples": {
		"pub-sub": {
			"enabled": false
		}
	},
	"config-shadow": {
		"enabled": false
	},
	"sample-shadow": {
		"enabled": false
	},
	"secure-element": {
		"enabled": false
	}
}

2024-03-25T13:53:05.422Z [ERROR] {FileUtils.cpp}: Failed to create directory /home/root/.aws-iot-device-client/sample-shadow/
2024-03-25T13:53:05.422Z [ERROR] {Config.cpp}: Failed to access/create default directories: ~/.aws-iot-device-client/sample-shadow/ required for storage of shadow document
2024-03-25T13:53:05.422Z [ERROR] {Main.cpp}: *** AWS IOT DEVICE CLIENT FATAL ERROR: AWS IoT Device Client must abort execution, reason: Invalid configuration ***
2024-03-25T13:53:05.422Z [DEBUG] {SharedCrtResourceManager.cpp}: Attempting to disconnect MQTT connection
AWS IoT Device Client must abort execution, reason: Invalid configuration
Please check the AWS IoT Device Client logs for more information

Environment:

  • OS: Custom yocto image, using meta-aws
  • Version: Linux 5.15.124-yocto-standard
  • Architecture: armv7l
  • Device Client version: v1.9.0-da10323

Additional context

We use this recipe to build the aws-iot-device-client in our Yocto image: https://github.com/aws4embeddedlinux/meta-aws/blob/2550d80f70777303caeb5daa5195d3e36a772b66/recipes-iot/aws-iot-device-client/aws-iot-device-client_1.9.bb

@antoine-sac antoine-sac added the bug Something isn't working label Mar 25, 2024
@HarshGandhi-AWS
Contributor

Hello @antoine-sac, thank you for bringing up this issue. After taking a look at the code, I observed that we are creating shadow files while reading the CLI input from the user over here.

To resolve this issue, we will have to move the shadow file creation logic to the initialization method over here, on the condition that the shadow feature is enabled.

Meanwhile, to unblock yourself, you can start your client with user permission to create the file and directory so that the device client will be able to create the shadow file and directory and will not terminate with the error you are seeing right now.

Another way of temporarily fixing the issue is to manually create the shadow output file and directory with correct permissions (700/S_IRWXU) and pass the file path via the config file so the device client will not try to create the file/directory. Your config file should look like this:

{
    ...
   "config-shadow": {
        "enabled": false
   },
   "sample-shadow": {
        "enabled": false,
        "shadow-output-file": "<replace_with_shadow_output_file_path>"
    }
    ...
}

The team will work on fixing this issue; meanwhile, I hope these workarounds unblock you from using the device client.

Regards,
Harsh Gandhi
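
The gating described in the comment above (create the shadow directory only when the feature is enabled, with 700/S_IRWXU permissions), as an added sketch that is not the Device Client's own code. `ShadowSettings`, `PrepResult`, `ensurePrivateDir` and `prepareShadowStorage` are hypothetical names, the owner and symlink checks are assumptions beyond what the thread states, and the sample path is constructed.

```cpp
// Added example with hypothetical names; not the Device Client's own code.
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <cerrno>
#include <cstdio>
#include <string>

// Hypothetical stand-in for the parsed "sample-shadow" config section.
struct ShadowSettings {
    bool enabled = false;
    std::string outputDir;  // directory that would hold the shadow document
};

enum class PrepResult { Skipped, Ready, Failed };

// Create `dir` as 0700, or accept an existing one only if it is a real
// directory (not a symlink), owned by us, with no group/other access.
static bool ensurePrivateDir(const std::string &dir) {
    if (mkdir(dir.c_str(), S_IRWXU) == 0) {
        return chmod(dir.c_str(), S_IRWXU) == 0;  // exact mode regardless of umask
    }
    if (errno != EEXIST) return false;  // e.g. EROFS on a read-only filesystem
    struct stat st {};
    if (lstat(dir.c_str(), &st) != 0 || !S_ISDIR(st.st_mode)) return false;
    return st.st_uid == geteuid() && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

// Storage is only touched when the feature is enabled, so a disabled
// feature can never turn an unwritable path into a startup failure.
PrepResult prepareShadowStorage(const ShadowSettings &s) {
    if (!s.enabled) return PrepResult::Skipped;
    return ensurePrivateDir(s.outputDir) ? PrepResult::Ready : PrepResult::Failed;
}

int main() {
    ShadowSettings cfg;  // constructed input: feature off, path not creatable
    cfg.outputDir = "/nonexistent-parent/sample-shadow";
    std::printf("disabled: %d\n", static_cast<int>(prepareShadowStorage(cfg)));
    cfg.enabled = true;  // same path with the feature on is a real error
    std::printf("enabled:  %d\n", static_cast<int>(prepareShadowStorage(cfg)));
    return 0;
}
```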

@antoine-sac
Author

Hello @HarshGandhi-AWS,

Thanks for providing a possible workaround. Note that using a shadow-output-file in the config file doesn't work.

The only way to get around the problem (assuming the DEFAULT_SHADOW_OUTPUT_FILE is really not writeable) is to provide a --shadow-output-file in the CLI.

We have implemented this fix for now but would appreciate a proper resolution!

Best regards,
Antoine Sachet
