knative / func

Knative Functions client API and CLI
Apache License 2.0

Cannot write into node_modules directory #2237

Closed wladimiiir closed 17 hours ago

wladimiiir commented 7 months ago

When the container starts up, we need to generate some additional code for a specific library that's located within node_modules (utilizing the "prestart" script in package.json). After version 1.12.0, this is not possible as the directory does not seem writable for the running user. This used to work with version 1.11.0 and below.

After some debugging we have found out that the ownership of the files has changed, which does not allow the running user to write into the directories.

This is the output of the id and ls -la /layers commands when using v1.11.0:

uid=1000(cnb) gid=1000(cnb) groups=1000(cnb)

drwxr-xr-x 1 cnb  cnb  4096 Jan  1  1980 .
drwxr-xr-x 1 root root 4096 Mar 19 09:39 ..
drwxr-xr-x 2 cnb  root 4096 Jan  1  1980 config
drwxr-xr-x 3 cnb  root 4096 Jan  1  1980 paketo-buildpacks_ca-certificates
drwxr-xr-x 3 cnb  root 4096 Jan  1  1980 paketo-buildpacks_node-engine
drwxr-xr-x 3 cnb  root 4096 Jan  1  1980 paketo-buildpacks_npm-install
drwxr-xr-x 3 cnb  root 4096 Jan  1  1980 sbom

With v1.12.0 and above, we get the following output with different ownership (and uid of cnb user):

uid=1002(cnb) gid=1000(cnb) groups=1000(cnb)

drwxr-xr-x 1 1001 cnb  4096 Jan  1  1980 .
drwxr-xr-x 1 root root 4096 Mar 19 09:34 ..
drwxr-xr-x 2 1001 root 4096 Jan  1  1980 config
drwxr-xr-x 3 1001 root 4096 Jan  1  1980 paketo-buildpacks_ca-certificates
drwxr-xr-x 3 1001 root 4096 Jan  1  1980 paketo-buildpacks_node-engine
drwxr-xr-x 3 1001 root 4096 Jan  1  1980 paketo-buildpacks_npm-install
drwxr-xr-x 3 1001 root 4096 Jan  1  1980 sbom

It seems that the related changes have been done as part of https://github.com/knative/func/pull/1911.

We have also tried to utilize the Knative security context and "runAsUser": 1001, but it didn't work either. Is this expected behaviour? Is there anything else we are missing in our configuration? Thanks.

wladimiiir commented 7 months ago

We have been able to use runAsUser: 1001 to work around the issue. But I still think this might be unintentional behavior. Let me know your thoughts, thanks.

lkingland commented 7 months ago

This seems like unintended behavior to me as well; adding it to our project board.

wladimiiir commented 4 months ago

Any updates here?

I think this has got even worse as the directories now have root as an owner in v1.14.0:

ls -la /layers/

total 28
drwxr-xr-x 1 root root 4096 Jan  1  1980 .
drwxr-xr-x 1 root root 4096 Jun 17 08:42 ..
drwxr-xr-x 2 root root 4096 Jan  1  1980 config
drwxr-xr-x 3 root root 4096 Jan  1  1980 paketo-buildpacks_ca-certificates
drwxr-xr-x 3 root root 4096 Jan  1  1980 paketo-buildpacks_node-engine
drwxr-xr-x 3 root root 4096 Jan  1  1980 paketo-buildpacks_npm-install
drwxr-xr-x 3 root root 4096 Jan  1  1980 sbom

I would like to know if there is any way to configure it, when building a Knative function (or during any other lifecycle step), so the owner stays as cnb. Thanks.
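The listings quoted in this thread can be checked against the classic POSIX rule that exactly one permission class (owner, group or other) applies to a process. The following is an added example, not code from the thread or from the knative/func project; it looks at mode bits only (no ACLs, capabilities or read-only mounts), and the runAsUser `id` line and all function names are constructed for illustration.

```python
import re

# `id` output quoted in the thread; the runAsUser line is constructed (only its uid matters).
ID_V1_11 = "uid=1000(cnb) gid=1000(cnb) groups=1000(cnb)"
ID_V1_12 = "uid=1002(cnb) gid=1000(cnb) groups=1000(cnb)"
ID_RUN_AS_1001 = "uid=1001 gid=1000 groups=1000"
# One `ls -la /layers` row per version, copied from the thread.
ROW_V1_11 = "drwxr-xr-x 3 cnb  root 4096 Jan  1  1980 paketo-buildpacks_npm-install"
ROW_V1_12 = "drwxr-xr-x 3 1001 root 4096 Jan  1  1980 paketo-buildpacks_npm-install"
ROW_V1_14 = "drwxr-xr-x 3 root root 4096 Jan  1  1980 paketo-buildpacks_npm-install"

def parse_id(id_output):
    """Parse `id` output into (uid, gids, user name->uid map, group name->gid map)."""
    uid, user = re.search(r"uid=(\d+)(?:\((\w+)\))?", id_output).groups()
    gid, group = re.search(r"gid=(\d+)(?:\((\w+)\))?", id_output).groups()
    extra = re.search(r"groups=(\S+)", id_output)
    gids = {int(gid)}
    if extra:
        gids |= {int(re.match(r"\d+", g).group()) for g in extra.group(1).split(",")}
    users, groups = {"root": 0}, {"root": 0}
    if user:
        users[user] = int(uid)
    if group:
        groups[group] = int(gid)
    return int(uid), gids, users, groups

def write_access(id_output, ls_line):
    """Return (permission class, writable) for one `ls -la` row, mode bits only."""
    uid, gids, users, groups = parse_id(id_output)
    mode, _links, owner, group = ls_line.split()[:4]
    # ls prints a bare number when the id has no passwd/group entry (as with 1001 above).
    owner_id = int(owner) if owner.isdigit() else users[owner]
    group_id = int(group) if group.isdigit() else groups[group]
    if uid == 0:
        return "root", True             # assumes root keeps CAP_DAC_OVERRIDE
    if uid == owner_id:
        return "owner", mode[2] == "w"  # owner bits apply exclusively
    if group_id in gids:
        return "group", mode[5] == "w"
    return "other", mode[8] == "w"

if __name__ == "__main__":
    for who, row in [(ID_V1_11, ROW_V1_11), (ID_V1_12, ROW_V1_12),
                     (ID_RUN_AS_1001, ROW_V1_12), (ID_RUN_AS_1001, ROW_V1_14)]:
        print(who.split()[0], row.split()[2], write_access(who, row))
```

With the v1.14.0 listing every non-root uid lands in the "other" class, so no choice of non-root runAsUser makes those directories writable through mode bits alone.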

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.