search

node-red / node-red-docker

Repository for all things Node-RED and Docker related
Apache License 2.0
469 stars 382 forks source link

Wrong UUID from latest #345

Closed thalesmaoa closed 1 year ago

thalesmaoa commented 1 year ago

According to the wiki, user id 1000 and group id 1000 is applicable to all Node-RED Docker images.

However, latest uses 100999.

$ ls -n ~/docker/nodered/
total 4
drwxr-xr-x 2 1000 1000 4096 jan 25 19:54 data

$ docker run -it -p 1881:1880 --rm -v ~/docker/nodered/data:/data nodered/node-red
node:internal/fs/utils:345
    throw err;
    ^

Error: EACCES: permission denied, copyfile '/usr/src/node-red/node_modules/node-red/settings.js' -> '/data/settings.js'
    at Object.copyFileSync (node:fs:2817:3)
    at copyFile (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:73:6)
    at onFile (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:59:25)
    at getStats (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:51:44)
    at handleFilterAndCopy (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:36:10)
    at Object.copySync (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:29:10)
    at Object.<anonymous> (/usr/src/node-red/node_modules/node-red/red.js:129:20)
    at Module._compile (node:internal/modules/cjs/loader:1105:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
    at Module.load (node:internal/modules/cjs/loader:981:32) {
  errno: -13,
  syscall: 'copyfile',
  code: 'EACCES',
  path: '/usr/src/node-red/node_modules/node-red/settings.js',
  dest: '/data/settings.js'
}

$ sudo chown 100999:100999 nodered/ -R

$ docker run -it -p 1881:1880 --rm -v ~/docker/nodered/data:/data nodered/node-red
25 Jan 22:57:22 - [info] 

Welcome to Node-RED
===================

25 Jan 22:57:22 - [info] Node-RED version: v3.0.2
25 Jan 22:57:22 - [info] Node.js  version: v16.16.0
25 Jan 22:57:22 - [info] Linux 5.15.84-v7+ arm LE
25 Jan 22:57:24 - [info] Loading palette nodes
25 Jan 22:57:27 - [info] Settings file  : /data/settings.js
25 Jan 22:57:27 - [info] Context store  : 'default' [module=memory]
25 Jan 22:57:27 - [info] User directory : /data
25 Jan 22:57:27 - [warn] Projects disabled : editorTheme.projects.enabled=false
25 Jan 22:57:27 - [info] Flows file     : /data/flows.json
25 Jan 22:57:27 - [info] Creating new flow file
25 Jan 22:57:27 - [warn] 

---------------------------------------------------------------------
Your flow credentials file is encrypted using a system-generated key.

If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.

You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.
---------------------------------------------------------------------

25 Jan 22:57:27 - [info] Server now running at http://127.0.0.1:1880/
25 Jan 22:57:27 - [warn] Encrypted credentials not found
25 Jan 22:57:27 - [info] Starting flows
25 Jan 22:57:27 - [info] Started flows
25 Jan 22:57:32 - [info] Stopping flows
25 Jan 22:57:32 - [info] Stopped flows
hardillb commented 1 year ago

The uid inside the container for the node-red user is 1000 and this maps correctly on to a mounted volume.

I have pulled the latest and it is still definitely 1000, this can be proved by running

docker exec it <name of running container> id

e.g.

hardillb@x-wing:~/temp/nr$ docker ps
CONTAINER ID   IMAGE              COMMAND             CREATED         STATUS                   PORTS                                                   NAMES
87774931f0f9   nodered/node-red   "./entrypoint.sh"   5 minutes ago   Up 5 minutes (healthy)   1880/tcp, 0.0.0.0:18830->1883/tcp, :::18830->1883/tcp   epic_robinson
hardillb@x-wing:~/temp/nr$ docker exec -it epic_robinson id
uid=1000(node-red) gid=1000(node-red) groups=1000(node-red)
hardillb@x-wing:~/temp/nr$

I suspect there is something different about your environment.

thalesmaoa commented 1 year ago

Indeed, something is really odd.

Following your steps, I get the same results. Can you try mine?

Performing as you presented:

$ docker pull nodered/node-red:latest
latest: Pulling from nodered/node-red
Digest: sha256:524316b9b84cb5bbfe006c117f3dad31ee806804b12e4b866047a65e2080e92d
Status: Image is up to date for nodered/node-red:latest
docker.io/nodered/node-red:latest

$ docker --version
Docker version 20.10.23, build 7155243

$ uname -a
Linux greenrock 5.15.84-v7+ #1613 SMP Thu Jan 5 11:59:48 GMT 2023 armv7l GNU/Linux

$ cat /etc/os-release 
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

$ docker run -d nodered/node-red
736ef607acf8339a1693df1c9d790eb5e1b7bc59b6f5e4b3d17736f2daffcf41

$ docker ps
CONTAINER ID   IMAGE              COMMAND             CREATED          STATUS                    PORTS      NAMES
736ef607acf8   nodered/node-red   "./entrypoint.sh"   35 seconds ago   Up 34 seconds (healthy)   1880/tcp   recursing_torvalds

$ docker exec -it recursing_torvalds id
uid=1000(node-red) gid=1000(node-red) groups=1000(node-red)

Steps to reach my result:

$ pwd
/home/thales/docker/nodered

$ ls -n
total 4
drwxr-xr-x 3 1000 1000 4096 jan 25 22:20 data

$ docker run -it -p 1880:1880 --name nodered -v /home/thales/docker/nodered/data:/data nodered/node-red

node:internal/fs/utils:345
    throw err;
    ^

Error: EACCES: permission denied, copyfile '/usr/src/node-red/node_modules/node-red/settings.js' -> '/data/settings.js'
    at Object.copyFileSync (node:fs:2817:3)
    at copyFile (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:73:6)
    at onFile (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:59:25)
    at getStats (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:51:44)
    at handleFilterAndCopy (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:36:10)
    at Object.copySync (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:29:10)
    at Object.<anonymous> (/usr/src/node-red/node_modules/node-red/red.js:129:20)
    at Module._compile (node:internal/modules/cjs/loader:1105:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
    at Module.load (node:internal/modules/cjs/loader:981:32) {
  errno: -13,
  syscall: 'copyfile',
  code: 'EACCES',
  path: '/usr/src/node-red/node_modules/node-red/settings.js',
  dest: '/data/settings.js'
}
thalesmaoa commented 1 year ago

It seems that 

--volume fullpath:/data

Is the source of problem.

MinChoul0 commented 1 year ago

did it solve it? I have the same problem...

thalesmaoa commented 1 year ago

No. If you follow the last line of wiki, the problem arise. Full path is the problem. Use docker volume doesn't through the error.

hardillb commented 1 year ago

I had mounted a local directory for my test last night and did not see the problem.

I am looking for a Bullseyes build of Raspberry Pi to test on, but nothing has changed in the containers for many years.

@MinChoul0 Please supply the details I asked for earlier about the environment you are seeing the problem in so we can see if there are any common factors.

I suspect a change in the behaviour of docker, but until we can reliably reproduce this or see a common thread then we don't have enough information to pin it down.

hardillb commented 1 year ago 
pi@cluster:~ $ mkdir -p temp/data
pi@cluster:~ $ sudo chown 1000:1000 temp/data
pi@cluster:~ $ docker run -d -v /home/pi/temp/data:/data -p 1880:1880 nodered/node-red
2b1e870cabcb26ffb7abae3ac309fc00a23107811bcd4741cd67a91217375a25
pi@cluster:~ $ docker ps -a
CONTAINER ID   IMAGE                              COMMAND                  CREATED          STATUS                             PORTS                            NAMES
2b1e870cabcb   nodered/node-red                   "./entrypoint.sh"        17 seconds ago   Up 12 seconds (health: starting)   0.0.0.0:1880->1880/tcp           quirky_shaw
5b5136863716   smallstep/step-ca                  "/bin/bash /entrypoi…"   7 weeks ago      Up 7 weeks (unhealthy)             0.0.0.0:9000->9000/tcp           step-ca
069f183360d3   ghcr.io/helm/chartmuseum:v0.15.0   "/chartmuseum"           2 months ago     Up 8 weeks                         0.0.0.0:8095->8095/tcp           chartmuseum
39be6cbba294   docker-registry-ui                 "/docker-entrypoint.…"   2 months ago     Up 8 weeks                         80/tcp, 0.0.0.0:8080->8080/tcp   docker-ui
a72eaf71533f   registry                           "/entrypoint.sh /etc…"   2 months ago     Up 7 weeks                         0.0.0.0:5000->5000/tcp           registry
pi@cluster:~ $ docker exec -it quirky_shaw id
uid=1000(node-red) gid=1000(node-red)
pi@cluster:~ $ ls -lh temp/data
total 36K
drwxr-xr-x 3 pi pi 4.0K Jan 26 13:38 lib
drwxr-xr-x 2 pi pi 4.0K Jan 26 13:38 node_modules
-rw-r--r-- 1 pi pi  120 Jan 26 13:38 package.json
-rw-r--r-- 1 pi pi  23K Jan 26 13:38 settings.js
pi@cluster:~ $ ls -lnh temp/data
total 36K
drwxr-xr-x 3 1000 1000 4.0K Jan 26 13:38 lib
drwxr-xr-x 2 1000 1000 4.0K Jan 26 13:38 node_modules
-rw-r--r-- 1 1000 1000  120 Jan 26 13:38 package.json
-rw-r--r-- 1 1000 1000  23K Jan 26 13:38 settings.js
pi@cluster:~ $ docker --version
Docker version 20.10.5+dfsg1, build 55c4c88

Still can't reproduce this on RPiOS Bullseye

@thalesmaoa what is the numerical uid of your user on the pi (output of id)

thalesmaoa commented 1 year ago

Here is the output:

$ id
uid=1000(thales) gid=1000(thales) grupos=1000(thales),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),104(input),106(render),108(netdev),117(lpadmin),995(docker),997(gpio),998(i2c),999(spi)

If I run the same command as yours, I get different results:

thales@greenrock:~ $ mkdir -p temp/data
thales@greenrock:~ $ sudo chown 1000:1000 temp/data
thales@greenrock:~ $ docker run -it --rm -v /home/thales/temp/data:/data -p 1881:1880 nodered/node-red
node:internal/fs/utils:345
    throw err;
    ^

Error: EACCES: permission denied, copyfile '/usr/src/node-red/node_modules/node-red/settings.js' -> '/data/settings.js'
    at Object.copyFileSync (node:fs:2817:3)
    at copyFile (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:73:6)
    at onFile (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:59:25)
    at getStats (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:51:44)
    at handleFilterAndCopy (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:36:10)
    at Object.copySync (/usr/src/node-red/node_modules/fs-extra/lib/copy/copy-sync.js:29:10)
    at Object.<anonymous> (/usr/src/node-red/node_modules/node-red/red.js:129:20)
    at Module._compile (node:internal/modules/cjs/loader:1105:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
    at Module.load (node:internal/modules/cjs/loader:981:32) {
  errno: -13,
  syscall: 'copyfile',
  code: 'EACCES',
  path: '/usr/src/node-red/node_modules/node-red/settings.js',
  dest: '/data/settings.js'
}

Is it poossible that, during container creation, it is trying to cp folder content before it finishes to chown /data?

# Add node-red user so we aren't running as root.
RUN useradd --home-dir /usr/src/node-red --no-create-home node-red \
    && chown -R node-red:node-red /data \
    && chown -R node-red:node-red /usr/src/node-red

I couldn't find docker file in the main branch. Any suggestion to debug it? Is there a way to add a sleep in between?

thalesmaoa commented 1 year ago

You are probably correct, it doesn't happen when using root user:

$ sudo docker run -it -v /home/thales/docker/nodered/data:/data -p 1881:1880 nodered/node-red

hardillb commented 1 year ago

The commands in the dockerfile are executed at build time not at run time, they just produce the filesystem within the container before it is run.

There is no possibility of a race condition here.

The only remaining difference is the docker version, you are on a slightly newer version by the look (20.10.23, build 7155243 vs 20.10.5+dfsg1, build 55c4c88)

But if this the cause of the problem then it is a bug in docker

The Dockerfile for the standard shipped containers is here https://github.com/node-red/node-red-docker/blob/master/.docker/Dockerfile.alpine

hardillb commented 1 year ago

How did you install docker? Did you use the pre-packaged version in the raspberry pi os repo or direct from Docker?

hardillb commented 1 year ago

Are you running docker desktop?

This issue appears to be releated: https://github.com/docker/desktop-linux/issues/31

I am running Docker CE not Docker Desktop which could explain the difference

thalesmaoa commented 1 year ago

You gave me a perfect hint.

I've installed using:

curl -sSL https://get.docker.com | sh

After that (https://docs.docker.com/engine/security/rootless/):

dockerd-rootless-setuptool.sh uninstall

But, there is a short note after nstallation:

export PATH=/home/jack/bin:$PATH
Some applications may require the following environment variable too:  <-- It seems to be the case of this docker container.
export DOCKER_HOST=unix:///run/user/1000/docker.sock

And here is the sad part.

I'm used to install docker, and I've used this rootless script without noticing. I've just erase it. Added my user to docker group, and everything seems to work.

Your help was crucial to understand it. Thank you!