-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Using npm run-script to call npm install or npm ci in ephemeral environment fails with EACCES #4451
Comments
Arborist behavior under root is pretty aggressive in trying to prevent file access issues. Issues related to this behavior most often comes up in container use cases due to the practice of using root. |
Is there something I should be doing differently? Currently, my workaround is to create /tmp/.npm, chown it to uid/gid 900, map .npmrc to /tmp/.npmrc and then pass |
In a termux environment,minyami can be installed using nodejs-lts/npm8.11.0 or nodejs/npm7.24.2. |
I just spent most of yesterday trying to answer this same question, as I have a remarkably similar scenario where my primary build spawns a sibling
After I observed:
I finally came to the realization that I could workaround these issues by simply not running NPM as root in the container. I realized that the Node images ship with a regular user called Finally I realized that - as long as I wasn't attempting to install anything globally in the container - I could simply run the container using My final working command line looks like: docker run --rm --user node --volume ${PWD}:/app --volume ${PWD}/target:/home/node/logs -w /app node:16 \
/bin/bash -c 'mkdir ~/.npm && ln -s ~/logs ~/.npm/_logs && npm version && npm ci && npm run test' I believe the equivalent command line from this issue's description would be: docker run --rm --user node -v $PWD:/app -v ~/.npmrc:/home/node/.npmrc -w /app node:16 sh -c 'npm run-script build' Addendum: |
i'm going to close this as npm@9 no longer attempts to change the ownership of any files. if there are aspects of this that are still broken for folks after updating, please feel free to open a new issue. |
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
In our build environment, we use docker to perform specific build steps without needing to manage an endless amount of tools on our build agents. The build agents and the steps they execute do not run as root. However, when executing
docker run
, the user within the ephemeral container is typicallyroot
(normal for Docker). We usenpm run-script
to execute a series ofnpm
commands as part of the build.The build agent executes
docker run --rm -v $PWD:/app -v ~/.npmrc:/root/.npmrc -w /app node:16 sh -c 'npm run-script build'
$PWD contains the checked-out contents from source. We also pass a pre-configured .npmrc shared across all our builds. The contents of $PWD and .npmrc are owned by a non-root uid/gid.
build.sh:
When
npm run-script
is first executed within thenode:16
container, it is running as root (normal for Docker). Once the entrypoint script determines it isn't a node command,npm run-script
checks for the existence of the cache folder, which it obviously doesn't find and so creates it (owned by the current user, root) at /root/.npm.npm
then executesbuild.sh
whose first task is to executenpm install
(we also triednpm ci
). The first thingnpm install
does is change the user context to the owner of the working directory (/app), which is the non-root user the build agent is using.npm
then checks to see if it can access /root/.npmrc and /root/.npm, which it cannot because the user context has changed.This user does not exist in
node:16
's passwd file obviously, so the uid/gid numbers are shown in the error.This behavior is not observed in versions earlier than
node:16
.node:16
comes withnpm
8.3.1, but this behavior is still observed when upgradingnpm
to 8.5.1.Expected Behavior
Either:
npm run-script
shouldn't be messing with .npmrc or the cache directory since it doesn't need itor
npm run-script
should be following the same user context switching code path thatnpm install
andnpm ci
are following.Steps To Reproduce
package.json:
build.sh (+x):
node
user withinnode:16
.docker run --rm -v $PWD:/app -w /app node:16 sh -c 'npm -v; node -v; npm config ls; echo -----------; npm run-script build'
Output:
Output with npm upgrade to 8.5.1:
Environment
node:16
), but we tried 8.5.1 as wellThe text was updated successfully, but these errors were encountered: