bitnami / charts

Bitnami Helm Charts
https://bitnami.com

Unable to do npm install inside Ghost | sudo: you do not exist in the passwd database #6631

Closed saharshMMC closed 3 years ago

saharshMMC commented 3 years ago

Using helm charts to deploy Ghost inside a k8s cluster on AWS EKS. By default it works fine but I need to install storage adapter to transfer my files to S3. Unable to do so without gaining more privilege.

Chart version: 10.2.3

Describe the bug I am unable to do npm install or even add a user when the pod gets created via k8s/helm. I have to attach the S3 storage adapter but am failing, as I cannot do anything other than running basic ghost commands.

Errors:

Logging a few commands and the errors I get

Helm chart config

apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
    name: ghost
    namespace: website
    annotations:
        fluxcd.io/automated: "true"
spec:
    releaseName: ghost
    chart:
        repository: https://charts.bitnami.com/bitnami
        name: ghost
        version: 10.2.3
    values:
        livenessProbe:
            enabled: false
        readinessProbe:
            enabled: false
        allowEmptyPassword: false
        ghostHost: <redacted>
        ghostPath: /blog/
        ghostProtocol: https
        ghostUsername: <redacted>
        ghostPassword: <redacted>
        ghostEmail: <redacted>
        # External database to use
        externalDatabase:
            host: <redacted>
            port: 3306
            user: ghost
            password: <redacted>
            database: <redacted>
            # We use an external RDS database
        mariadb:
            enabled: false
        service:
            type: NodePort
            annotations:
                alb.ingress.kubernetes.io/healthcheck-path: /blog/
        smtpPort: 465
        smtpFromAddress: <redacted>
        smtpHost: smtp.sendgrid.net
        smtpUser: apikey
        smtpPassword: <redacted>
        smtpService: Sendgrid

ghost version

Ghost-CLI version: 1.15.2
Ghost version: 3.38.1 (at ~opt/bitnami/ghost)

npm install

I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ npm install
npm ERR! correctMkdir failed to make directory /.npm/_locks
npm WARN enoent ENOENT: no such file or directory, open '/opt/bitnami/ghost/package.json'
npm WARN ghost No description
npm WARN ghost No repository field.
npm WARN ghost No README data
npm WARN ghost No license field.

npm ERR! code EACCES
npm ERR! syscall mkdir
npm ERR! path /.npm
npm ERR! errno -13
npm ERR! 
npm ERR! Your cache folder contains root-owned files, due to a bug in
npm ERR! previous versions of npm which has since been addressed.
npm ERR! 
npm ERR! To permanently fix this problem, please run:
npm ERR!   sudo chown -R 1001:0 "/.npm"
I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ 

sudo npm install

I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ sudo npm install
sudo: you do not exist in the passwd database
I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ 

sudo chown -R 1001:0 "/.npm"

I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ sudo chown -R 1001:0 "/.npm"
sudo: you do not exist in the passwd database
I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$

cat /etc/passwd

I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
bitnami:x:1000:1000::/home/bitnami:/bin/bash
I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ 

ghost ls

I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ ghost ls
┌───────────────────┬────────────────────┬─────────┬──────────────────────┬─────────────────────────────────┬──────┬─────────────────┐
│ Name              │ Location           │ Version │ Status               │ URL                             │ Port │ Process Manager │
├───────────────────┼────────────────────┼─────────┼──────────────────────┼─────────────────────────────────┼──────┼─────────────────┤
│ <redacted>        │ ~opt/bitnami/ghost │ 3.38.1  │ running (production) │ <redacted>                      │ 2368 │ local           │
└───────────────────┴────────────────────┴─────────┴──────────────────────┴─────────────────────────────────┴──────┴─────────────────┘
I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ 

ghost doctor

I have no name!@ghost-5c48675b4c-fcrm8:/opt/bitnami/ghost$ ghost doctor
✔ Checking system Node.js version
ℹ Ensuring user is not logged in as ghost user [skipped]
ℹ Checking if logged in user is directory owner [skipped]
✔ Checking current folder permissions
Instance is currently running
ℹ Validating config [skipped]
✔ Checking memory availability
✔ Checking binary dependencies
✔ Checking free space

To Reproduce Steps to reproduce the behavior:

  1. Simply install the mentioned helm chart in k8s cluster
  2. SSH into the pod; we can see ghost, but other commands won't run
  3. Try to update or install extra packages, sudo wouldn't work as well.

Expected behavior I should be able to install different packages for plugins. At least be able to update the CLI and npm packages.

Version of Helm and Kubernetes:

version.BuildInfo{Version:"v3.2.4", GitCommit:"0ad800ef43d3b826f31a5ad8dfbb4fe05d143688", GitTreeState:"dirty", GoVersion:"go1.14.3"}
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-16T00:04:31Z", GoVersion:"go1.14.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.8-eks-96780e", GitCommit:"96780e1b30acbf0a52c38b6030d7853e575bcdf3", GitTreeState:"clean", BuildDate:"2021-03-10T21:32:29Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
juan131 commented 3 years ago

Hi @saharshMMC

That's expected, please note that by default the chart runs the container with an unprivileged user for security reasons. You can learn more about the reasons to use non-root containers in our docs:

To add custom NPM packages and continue using the non-root container, you can extend the image and use your own customized Ghost container with a Dockerfile like the one below:

FROM bitnami/ghost

## Change user to perform privileged actions
USER 0
## Install NPM packages
RUN npm install ...
## Revert to the original non-root user
USER 1001

Then, you can install the Ghost chart using a values.yaml like the one below:

image:
  registry: YOUR-CUSTOM-REGISTRY
  repository: YOUR-CUSTOM-IMAGE
  tag: YOUR-CUSTOM-TAG

Note: replace the YOUR-CUSTOM-REGISTRY, YOUR-CUSTOM-IMAGE, and YOUR-CUSTOM-TAG placeholders with the actual custom values you want to use.

That said, you can also run the container as "root" by modifying the containerSecurityContext and podSecurityContext in the values.yaml:

podSecurityContext:
  enabled: true
  fsGroup: 0
  runAsUser: 0
containerSecurityContext:
  enabled: false
  runAsUser: 0
  runAsNonRoot: false

When you do so, you can connect to the Ghost container and check that the container is actually running as root and the ghost process runs as the ghost user:

$ kubectl exec -it GHOST_POD_NAME -- bash
root@GHOST_POD_NAME:/opt/bitnami/ghost# whoami
root
root@GHOST_POD_NAME:/opt/bitnami/ghost# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   2280   760 ?        Ss   06:39   0:00 tini -- /run.sh
ghost        243  1.0  0.6 635900 50892 ?        Sl   06:41   0:01 ghost log
ghost        327  0.6  0.6 633768 48984 ?        Ssl  06:41   0:00 ghost run
ghost        356  5.2  1.8 971996 138552 ?       Sl   06:41   0:06 /opt/bitnami/node/bin/node current/index.js
root         391  0.0  0.0   4000  3096 pts/0    Ss   06:41   0:00 bash
root         398  0.0  0.0   7640  2756 pts/0    R+   06:43   0:00 ps aux
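The two options in the reply above (bake npm packages into a derived image that still drops back to UID 1001, or switch the chart to run as root) both hinge on one invariant: what user the container actually ends up with. The script below is an added example, not code from this thread or from the Bitnami project. It writes the derived-image Dockerfile from the reply and then lints two artefacts for "this will run Ghost as root": the Dockerfile's last USER instruction and a chart values file's securityContext settings. The base tag `bitnami/ghost:3.38.1`, the package name `ghost-storage-adapter-s3` and the constructed values files are assumptions chosen to match the versions in the issue, not tags or packages verified against any registry; `/opt/bitnami/ghost` mirrors the prompt in the issue.

```shell
#!/bin/sh
# Added example, not code from the bitnami/charts thread or the Bitnami project.
# Generates the derived-image Dockerfile from the maintainer's reply, then lints
# the Dockerfile and a chart values file for settings that make Ghost run as root.
set -eu

# Write the Dockerfile: install npm packages as root, then revert to the image's
# non-root UID. Base image and package names are caller-supplied; the values used
# in the demo below are assumptions, not verified Bitnami tags or npm packages.
write_dockerfile() {
  out=$1; base=$2; shift 2
  {
    printf 'FROM %s\n' "$base"
    printf '## Change user to perform privileged actions\n'
    printf 'USER 0\n'
    printf 'WORKDIR /opt/bitnami/ghost\n'
    printf '## Install NPM packages\n'
    printf 'RUN npm install %s\n' "$*"
    printf '## Revert to the original non-root user\n'
    printf 'USER 1001\n'
  } >"$out"
}

# Print the argument of the LAST USER instruction in a Dockerfile, or
# "inherited" when there is none (the user then comes from the base image).
dockerfile_final_user() {
  awk 'toupper($1) == "USER" { u = $2 } END { print (u == "" ? "inherited" : u) }' "$1"
}

# Succeed only if the image built from the Dockerfile will not start as root.
# Catches the classic slip of adding "USER 0" for npm install and forgetting the
# revert, which yields a root container whenever the chart's
# containerSecurityContext is disabled and the image's USER is what applies.
dockerfile_is_nonroot() {
  u=$(dockerfile_final_user "$1")
  u=${u%%:*}                      # drop an optional ":group" (USER 1001:0)
  case "$u" in
    0|root) return 1 ;;
    *)      return 0 ;;
  esac
}

# Succeed if a values file asks the chart to run the pod or container as root.
# Deliberately conservative: it flags the literal settings even when the
# enclosing securityContext block has "enabled: false", so a reviewer sees
# them before someone flips the block on.
values_request_root() {
  grep -Eq '^[[:space:]]*(runAsUser:[[:space:]]*0|runAsNonRoot:[[:space:]]*false)[[:space:]]*$' "$1"
}

# --- demo on constructed inputs ---------------------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

write_dockerfile "$work/Dockerfile" bitnami/ghost:3.38.1 ghost-storage-adapter-s3
dockerfile_is_nonroot "$work/Dockerfile" && echo "Dockerfile: final user $(dockerfile_final_user "$work/Dockerfile") (ok)"

# Same Dockerfile with the revert line dropped: must be rejected.
sed '/^USER 1001$/d' "$work/Dockerfile" >"$work/Dockerfile.bad"
dockerfile_is_nonroot "$work/Dockerfile.bad" || echo "Dockerfile.bad: final user $(dockerfile_final_user "$work/Dockerfile.bad") (rejected)"

# Constructed values: the root workaround from the reply vs. a non-root posture.
cat >"$work/root-values.yaml" <<'EOF'
podSecurityContext:
  enabled: true
  fsGroup: 0
  runAsUser: 0
containerSecurityContext:
  enabled: false
  runAsUser: 0
  runAsNonRoot: false
EOF
cat >"$work/nonroot-values.yaml" <<'EOF'
containerSecurityContext:
  enabled: true
  runAsUser: 1001
  runAsNonRoot: true
EOF
values_request_root "$work/root-values.yaml" && echo "root-values.yaml: requests root (rejected)"
values_request_root "$work/nonroot-values.yaml" || echo "nonroot-values.yaml: non-root (ok)"
```

Run it before `docker build` and before `helm upgrade`; a non-zero result from either lint is the point at which to decide consciously whether root is really wanted, rather than discovering it from `whoami` inside the pod.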
saharshMMC commented 3 years ago

Thanks a lot @juan131 for the prompt reply. I get why we are using a non-root container. Will try to build a custom container myself. Thanks again.