[BUG] Installing some packages in rootless containers causes TAR_ENTRY_ERROR since v9

vchernin commented 1 year ago

Is there an existing issue for this?

[X] I have searched the existing issues

This issue exists in the latest npm version

[X] I am using the latest npm

Current Behavior

The installation of some packages in either podman or docker rootless containers results in:

npm WARN tar TAR_ENTRY_ERROR EINVAL: invalid argument, fchown

In either podman or docker there is no warning when in rootful containers.

Note as far as I can tell with this warning npm has no behaviour changes, everything still seems to work, but I have no real assurances of this being an ignorable warning.

Expected Behavior

No extra warnings when installing packages with rootless containers.

Steps To Reproduce

docker run -it --rm --entrypoint sh docker.io/node:19.3.0-alpine -c \
'mkdir project && cd project && npm install -g npm@9.2.0 && npm install express@4.18.2'

This is only reproducible if you have a functional rootless container setup (default with podman, needs special installation with docker, see below documentation). Also this probably won't reproduce if you've added your user to the docker group (as your user can now create rootful containers).

The bug can be reproduced by swapping docker with podman.

To show the bug not occuring try prepend sudo to run a rootful container.

The first bad tag is 9.0.0-pre.6, and the same behaviour is seen in 9.2.0. This is likely a regression of the recent changes for https://github.com/npm/rfcs/issues/546, which seems intended at least in part to help fix issues in docker.

Curiously if installing e.g. @babel/core@7.20.7 instead of express@4.18.2 this bug doesn't occur, so the package contents affect this somehow.

This doesn't occur when installing packages in a non-container setup like by installing node through nvm on ubuntu.

Some documentation about rootless containers: https://docs.docker.com/engine/security/rootless/ https://github.com/containers/podman/blob/main/rootless.md

Environment

npm: 9.2.0
Node.js: 19.3.0
OS Name: Docker/Podman

npm config:

; node bin location = /usr/local/bin/node
; node version = v19.3.0
; npm local prefix = /project
; npm version = 9.2.0
; cwd = /project
; HOME = /root
; Run `npm config ls -l` to show all defaults.

RobStaveley commented 1 year ago

I reproduce this with userns-remap. I have userns-remap set up for myusername (i.e. $USER) in /etc/docker/daemon.json:

{
  "userns-remap": "myusername"
}

I have /etc/subuid and /etc/subgid both with:

myusername:1000:1
myusername:100000:65536

My UID and GID is 1000.

nlf commented 1 year ago

https://github.com/npm/pacote/pull/261 should close this. the change in that pull request skips the fchown related code in tar

rbalet commented 1 year ago

@nlf Any news on that issue ? your linked issue didn't fix the problem for me.

Environment npm: 9.6.2 Node.js: 18.15.0

carlosrodfern commented 1 year ago

The fix has not been back-ported to 9: https://github.com/npm/pacote/commit/8f4e39c72e41c8a307db2cff4e7cf9f6e630e3e2 It is only in v15.x Is this just a warning message without actual consequences in the build?

npm / cli