Closed rodibrin closed 1 year ago
Thank you for your comment.
We will update the mbtci-java8-node14 docker image Mid Jan 2023.
The new docker image version will install node into /usr/local folder directly, and will not left the unziped node folder in /opt/nodejs/node-v14.19.2-linux-x64/.
Is it OK for you? @rodibrin
@young-yang03
The issue is the userid 1001, NOT the location. The used id 1001 isn't defined in any of the associated images.
The node image defines the user node:1000 The mta image defines the user mta:1000 Where does 1001 come from?
Btw, mbtci-java11-node14 is affected too. I guess ALL images are affected.
@young-yang03
i have to add that a customer runs "npm install" of the package "hana-cli". "hana-cli" creates a link
npm link @sap/cds-dk --local
which fails due to missing write permissions since the target folder is owned by 1001.
npm WARN checkPermissions Missing write access to /opt/nodejs/node-v14.19.2-linux-x64/lib/node_modules
...
[2022-12-15T11:34:54.015Z] error mtaBuild - npm ERR! Failed at the hana-cli@3.202210.2 postinstall script.
Changing the owner to 1000 fixes the issue.
@rodibrin
This problem will be fixed in next sprint, Mid Jan 2023.
All other docker images will be fixed
@young-yang03 sorry for bothering you, any more precise date yet?
@rodibrin Sorry about reply late. Because of higher priority task, the feature is still in PR status, and we plan to publish it and the end of Jan.
@young-yang03 the MBT Java 8 Docker Image review makes me a bit insecure regarding this installation issue. Do you think it still solves this issue? Is there a test image available?
@young-yang03 the MBT Java 8 Docker Image review makes me a bit insecure regarding this installation issue. Do you think it still solves this issue? Is there a test image available?
You can test the image https://hub.docker.com/repository/docker/fraggle0/mbt-node14-java8-docker/general.
The Dockerfile code base is almost the same as the one in that repo, it does not integrate Go and UI5. But for node.js build testing, it's fine.
You can test the image https://hub.docker.com/repository/docker/fraggle0/mbt-node14-java8-docker/general.
i run the customer's package.json with image fraggle0/mbt-node14-java8-docker and got the following known error:
npm ERR! errno -13
npm ERR! Error: EACCES: permission denied, symlink '../lib/node_modules/@sap/cds-dk/bin/cds.js' -> '/usr/local/bin/cds'
npm ERR! [OperationalError: EACCES: permission denied, symlink '../lib/node_modules/@sap/cds-dk/bin/cds.js' -> '/usr/local/bin/cds'] {
npm ERR! cause: [Error: EACCES: permission denied, symlink '../lib/node_modules/@sap/cds-dk/bin/cds.js' -> '/usr/local/bin/cds'] {
npm ERR! errno: -13,
npm ERR! code: 'EACCES',
npm ERR! syscall: 'symlink',
npm ERR! path: '../lib/node_modules/@sap/cds-dk/bin/cds.js',
npm ERR! dest: '/usr/local/bin/cds'
npm ERR! },
npm ERR! errno: -13,
npm ERR! code: 'EACCES',
npm ERR! syscall: 'symlink',
npm ERR! path: '../lib/node_modules/@sap/cds-dk/bin/cds.js',
npm ERR! dest: '/usr/local/bin/cds'
npm ERR! }
Since /usr/local/bin/ is owned by root the creation of the link fails.
Instead, the image cobra217/mbtci-java8-node14:1.2.193 worked. The link was created in a directory owned by mta:
ls -ali /project/node_modules/hana-cli/node_modules/@sap/cds-dk
53480245575287349 lrwxrwxrwx 1 mta mta 53 Jan 19 10:41 /project/node_modules/hana-cli/node_modules/@sap/cds-dk -> ../../../../../usr/local/lib/node_modules/@sap/cds-dk
ls -ali /project/node_modules/hana-cli/node_modules/@sap/cds-dk 53480245575287349 lrwxrwxrwx 1 mta mta 53 Jan 19 10:41 /project/node_modules/hana-cli/node_modules/@sap/cds-dk -> ../../../../../usr/local/lib/node_modules/@sap/cds-dk
The permissions here are not acceptable by the SAP security policy that official docker images must follow.
I've made the test images follow: https://docs.npmjs.com/resolving-eacces-permissions-errors-when-installing-packages-globally#manually-change-npms-default-directory.
But I'm not sure the image should allow global npm package installation without using sudo.
Could you please retest it?
And could you please also use sudo
on the non working image?
Could you also please give us the exact command that is failing?
the image
repository: fraggle0/mbt-node14-java8-docker:latest
image id: 240ef34cbea7
created: 2 days ago
size: 670MB
succeeds processing the customers package.json.
...
> hana-cli@3.202301.1 postinstall /project/node_modules/hana-cli
> npm link @sap/cds-dk --local
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
/home/mta/.npm-global/bin/cds -> /home/mta/.npm-global/lib/node_modules/@sap/cds-dk/bin/cds.js
/home/mta/.npm-global/bin/cds-ts -> /home/mta/.npm-global/lib/node_modules/@sap/cds-dk/bin/cds-ts.js
...
the installation complains about a failing update check:
┌───────────────────────────────────────────────────────┐
│ npm update check failed │
│ Try running with sudo or get access │
│ to the local update config store via │
│ sudo chown -R $USER:$(id -gn $USER) /home/mta/.config │
└───────────────────────────────────────────────────────┘
I wonder that the /home/mta/.config
isn't owned by mta
:
ls -ali /home/mta/
total 48
1985684 drwxrwxrwx 1 mta mta 4096 Jan 23 09:58 .
1985683 drwxr-xr-x 1 root root 4096 Jan 16 22:47 ..
1959794 -rw-r--r-- 1 mta mta 220 Mar 27 2022 .bash_logout
1959795 -rw-r--r-- 1 mta mta 3526 Mar 27 2022 .bashrc
1977714 drwx------ 3 root root 4096 Jan 20 15:42 .config
...
Be aware that the customer cannot use sudo
during the build process.
the image
repository: fraggle0/mbt-node14-java8-docker:latest image id: 240ef34cbea7 created: 2 days ago size: 670MB
succeeds processing the customers package.json.
Could you please test with the latest image pushed ?
latest version succeeds without npm update check failure. ownership fxed:
1985724 drwx------ 1 mta mta 4096 Jan 20 15:42 .config
MBT Version:
Cloud MTA Build Tool version 1.2.16
OS Version:Linux 3d21171b1f41 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Node:v14.19.2
Docker Image:
The node installation uses the user id 1001
which is obviously unknown / unnamed.
It should be mta (1000)