SAP / cloud-mta-build-tool

Multi-Target Application (MTA) build tool for Cloud Applications https://sap.github.io/cloud-mta-build-tool
Apache License 2.0

image devxci/mbtci-java8-node14 - nodejs installation with userid 1001 #1018

Closed rodibrin closed 1 year ago

rodibrin commented 1 year ago

MBT Version: Cloud MTA Build Tool version 1.2.16
OS Version: Linux 3d21171b1f41 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Node: v14.19.2

Docker Image:

latest: Pulling from devxci/mbtci-java8-node14
Digest: sha256:67299e33a50004c304fee030483acd3b23267e242a9f5862b4adc25858545879
Status: Image is up to date for devxci/mbtci-java8-node14:latest
docker.io/devxci/mbtci-java8-node14:latest

The node installation uses the user id 1001

mta@225b9e4f64c8:/project$ ll /opt/nodejs/node-v14.19.2-linux-x64/
total 792
drwxr-xr-x 6 1001 1001   4096 May  4  2022 ./
drwxr-xr-x 3 root root   4096 May 17  2022 ../
-rw-r--r-- 1 1001 1001 671030 May  4  2022 CHANGELOG.md
-rw-r--r-- 1 1001 1001  78908 May  4  2022 LICENSE
-rw-r--r-- 1 1001 1001  31797 May  4  2022 README.md
drwxr-xr-x 2 1001 1001   4096 May  4  2022 bin/
drwxr-xr-x 3 1001 1001   4096 May  4  2022 include/
drwxr-xr-x 3 1001 1001   4096 May  4  2022 lib/
drwxr-xr-x 5 1001 1001   4096 May  4  2022 share/
mta@225b9e4f64c8:/project$

which is obviously unknown / unnamed.

It should be mta (1000)

mta@3d21171b1f41:/project$ id
uid=1000(mta) gid=1000(mta) groups=1000(mta)

young-yang03 commented 1 year ago

Thank you for your comment.

We will update the mbtci-java8-node14 docker image Mid Jan 2023.

The new docker image version will install node into /usr/local folder directly, and will not leave the unzipped node folder in /opt/nodejs/node-v14.19.2-linux-x64/.

Is it OK for you? @rodibrin

rodibrin commented 1 year ago

@young-yang03

The issue is the userid 1001, NOT the location. The used id 1001 isn't defined in any of the associated images.

The node image defines the user node:1000
The mta image defines the user mta:1000
Where does 1001 come from?

Btw, mbtci-java11-node14 is affected too. I guess ALL images are affected.

rodibrin commented 1 year ago

@young-yang03

I have to add that a customer runs "npm install" of the package "hana-cli". "hana-cli" creates a link (npm link @sap/cds-dk --local), which fails due to missing write permissions since the target folder is owned by 1001.

npm WARN checkPermissions Missing write access to /opt/nodejs/node-v14.19.2-linux-x64/lib/node_modules
...
[2022-12-15T11:34:54.015Z] error mtaBuild - npm ERR! Failed at the hana-cli@3.202210.2 postinstall script.

Changing the owner to 1000 fixes the issue.

young-yang03 commented 1 year ago

@rodibrin

This problem will be fixed in the next sprint, Mid Jan 2023.

All other docker images will be fixed.

rodibrin commented 1 year ago

@young-yang03 sorry for bothering you, any more precise date yet?

young-yang03 commented 1 year ago

@rodibrin Sorry about the late reply. Because of a higher-priority task, the feature is still in PR status, and we plan to publish it at the end of Jan.

rodibrin commented 1 year ago

@young-yang03 the MBT Java 8 Docker Image review makes me a bit insecure regarding this installation issue. Do you think it still solves this issue? Is there a test image available?

jerome-benoit commented 1 year ago

> @young-yang03 the MBT Java 8 Docker Image review makes me a bit insecure regarding this installation issue. Do you think it still solves this issue? Is there a test image available?

You can test the image https://hub.docker.com/repository/docker/fraggle0/mbt-node14-java8-docker/general.

The Dockerfile code base is almost the same as the one in that repo, it does not integrate Go and UI5. But for node.js build testing, it's fine.

rodibrin commented 1 year ago

> You can test the image https://hub.docker.com/repository/docker/fraggle0/mbt-node14-java8-docker/general.

I ran the customer's package.json with image fraggle0/mbt-node14-java8-docker and got the following known error:

npm ERR! errno -13
npm ERR! Error: EACCES: permission denied, symlink '../lib/node_modules/@sap/cds-dk/bin/cds.js' -> '/usr/local/bin/cds'
npm ERR!  [OperationalError: EACCES: permission denied, symlink '../lib/node_modules/@sap/cds-dk/bin/cds.js' -> '/usr/local/bin/cds'] {
npm ERR!   cause: [Error: EACCES: permission denied, symlink '../lib/node_modules/@sap/cds-dk/bin/cds.js' -> '/usr/local/bin/cds'] {
npm ERR!     errno: -13,
npm ERR!     code: 'EACCES',
npm ERR!     syscall: 'symlink',
npm ERR!     path: '../lib/node_modules/@sap/cds-dk/bin/cds.js',
npm ERR!     dest: '/usr/local/bin/cds'
npm ERR!   },
npm ERR!   errno: -13,
npm ERR!   code: 'EACCES',
npm ERR!   syscall: 'symlink',
npm ERR!   path: '../lib/node_modules/@sap/cds-dk/bin/cds.js',
npm ERR!   dest: '/usr/local/bin/cds'
npm ERR! }

Since /usr/local/bin/ is owned by root the creation of the link fails.

Instead, the image cobra217/mbtci-java8-node14:1.2.193 worked. The link was created in a directory owned by mta:

ls -ali /project/node_modules/hana-cli/node_modules/@sap/cds-dk
53480245575287349 lrwxrwxrwx 1 mta mta 53 Jan 19 10:41 /project/node_modules/hana-cli/node_modules/@sap/cds-dk -> ../../../../../usr/local/lib/node_modules/@sap/cds-dk

jerome-benoit commented 1 year ago

> ls -ali /project/node_modules/hana-cli/node_modules/@sap/cds-dk
> 53480245575287349 lrwxrwxrwx 1 mta mta 53 Jan 19 10:41 /project/node_modules/hana-cli/node_modules/@sap/cds-dk -> ../../../../../usr/local/lib/node_modules/@sap/cds-dk

The permissions here are not acceptable by the SAP security policy that official docker images must follow.

I've made the test images follow: https://docs.npmjs.com/resolving-eacces-permissions-errors-when-installing-packages-globally#manually-change-npms-default-directory.

But I'm not sure the image should allow global npm package installation without using sudo.

Could you please retest it?

And could you please also use sudo on the non working image?

Could you also please give us the exact command that is failing?

rodibrin commented 1 year ago

the image

repository: fraggle0/mbt-node14-java8-docker:latest  
image id: 240ef34cbea7   
created: 2 days ago
size: 670MB

succeeds processing the customer's package.json.

...
> hana-cli@3.202301.1 postinstall /project/node_modules/hana-cli
> npm link @sap/cds-dk --local

npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
/home/mta/.npm-global/bin/cds -> /home/mta/.npm-global/lib/node_modules/@sap/cds-dk/bin/cds.js
/home/mta/.npm-global/bin/cds-ts -> /home/mta/.npm-global/lib/node_modules/@sap/cds-dk/bin/cds-ts.js
...

The installation complains about a failing update check:

┌───────────────────────────────────────────────────────┐
│                npm update check failed                │
│          Try running with sudo or get access          │
│         to the local update config store via          │
│ sudo chown -R $USER:$(id -gn $USER) /home/mta/.config │
└───────────────────────────────────────────────────────┘

I wonder that the /home/mta/.config isn't owned by mta:

ls -ali /home/mta/
total 48
1985684 drwxrwxrwx 1 mta  mta  4096 Jan 23 09:58 .
1985683 drwxr-xr-x 1 root root 4096 Jan 16 22:47 ..
1959794 -rw-r--r-- 1 mta  mta   220 Mar 27  2022 .bash_logout
1959795 -rw-r--r-- 1 mta  mta  3526 Mar 27  2022 .bashrc
1977714 drwx------ 3 root root 4096 Jan 20 15:42 .config
...

Be aware that the customer cannot use sudo during the build process.

jerome-benoit commented 1 year ago

> the image
>
> repository: fraggle0/mbt-node14-java8-docker:latest
> image id: 240ef34cbea7
> created: 2 days ago
> size: 670MB
>
> succeeds processing the customer's package.json.

Could you please test with the latest image pushed?

rodibrin commented 1 year ago

Latest version succeeds without npm update check failure. Ownership fixed:

1985724 drwx------ 1 mta mta 4096 Jan 20 15:42 .config
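
The two ownership problems reported in this thread (a Node.js tree owned by UID 1001, which no image defines, and a root-owned /home/mta/.config) can be caught before an image is published. The script below is an added example, not part of the issue or of the project's Dockerfiles; the function names and the optional alternate passwd file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed): ownership audit for a container image filesystem.

# Numeric UIDs defined in a passwd-format file, one per line.
defined_uids() {
    awk -F: '$3 ~ /^[0-9]+$/ { print $3 }' "$1" | sort -un
}

# Numeric owner of a single path, read from field 3 of `ls -ln`.
owner_uid() {
    ls -lnd -- "$1" | awk '{ print $3; exit }'
}

# Print "uid path" for every entry under DIR whose owner has no passwd entry
# (the 1001-owned Node.js tree from the report). PASSWD defaults to
# /etc/passwd; pass the passwd file of an exported rootfs to audit from outside.
orphan_owned() {
    known=$(defined_uids "${2:-/etc/passwd}")
    find "$1" -print | while IFS= read -r path; do
        uid=$(owner_uid "$path")
        printf '%s\n' "$known" | grep -qx "$uid" || printf '%s %s\n' "$uid" "$path"
    done
}

# Print every entry under DIR that is not owned by WANT_UID
# (the root-owned /home/mta/.config from the report).
not_owned_by() {
    find "$2" ! -user "$1" -print
}

# Usage: sh audit-owners.sh DIR [PASSWD]   (does nothing when sourced without arguments)
[ "$#" -eq 0 ] || orphan_owned "$@"
```

Run inside the image, `orphan_owned /opt/nodejs` and `not_owned_by 1000 /home/mta` cover the two cases from this thread; any output means an ownership mismatch to fix in the Dockerfile.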