npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] Installing some packages in rootless containers causes TAR_ENTRY_ERROR since v9 #5998

Open vchernin opened 1 year ago

vchernin commented 1 year ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

The installation of some packages in either podman or docker rootless containers results in:

npm WARN tar TAR_ENTRY_ERROR EINVAL: invalid argument, fchown

In either podman or docker there is no warning when in rootful containers.

Note: as far as I can tell, with this warning npm has no behaviour changes; everything still seems to work, but I have no real assurances of this being an ignorable warning.

Expected Behavior

No extra warnings when installing packages with rootless containers.

Steps To Reproduce

docker run -it --rm --entrypoint sh docker.io/node:19.3.0-alpine -c \
'mkdir project && cd project && npm install -g npm@9.2.0 && npm install express@4.18.2'

This is only reproducible if you have a functional rootless container setup (default with podman, needs special installation with docker, see below documentation). Also this probably won't reproduce if you've added your user to the docker group (as your user can now create rootful containers).

The bug can be reproduced by swapping docker with podman.

To show the bug not occurring, try prepending sudo to run a rootful container.

The first bad tag is 9.0.0-pre.6, and the same behaviour is seen in 9.2.0. This is likely a regression of the recent changes for https://github.com/npm/rfcs/issues/546, which seems intended at least in part to help fix issues in docker.

Curiously if installing e.g. @babel/core@7.20.7 instead of express@4.18.2 this bug doesn't occur, so the package contents affect this somehow.

This doesn't occur when installing packages in a non-container setup like by installing node through nvm on ubuntu.

Some documentation about rootless containers:
https://docs.docker.com/engine/security/rootless/
https://github.com/containers/podman/blob/main/rootless.md

Environment

RobStaveley commented 1 year ago

I reproduce this with userns-remap. I have userns-remap set up for myusername (i.e. $USER) in /etc/docker/daemon.json:

{
  "userns-remap": "myusername"
}

I have /etc/subuid and /etc/subgid both with:

myusername:1000:1
myusername:100000:65536

My UID and GID are 1000.
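
One way to check whether a package tarball could trigger the fchown EINVAL reported in this thread, as an added example (not code from npm, pacote or any commenter). It assumes the warning comes from changing ownership to a uid/gid recorded in a tar entry that has no mapping in the container's user namespace, which the kernel rejects with EINVAL; the id map (modeled on the subuid entries quoted above) and the tarball are constructed samples, and all function names are hypothetical.

```python
import io
import tarfile

# Constructed sample in /proc/<pid>/uid_map format: "inside_id outside_id length".
# Assumption: container id 0 maps to host 1000, ids 1..65536 map to 100000 and up.
SAMPLE_ID_MAP = "0 1000 1\n1 100000 65536\n"

def parse_id_map(text):
    """Return (inside_start, length) ranges from uid_map/gid_map text."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            inside, _outside, length = map(int, fields)
            ranges.append((inside, length))
    return ranges

def is_mapped(id_, ranges):
    """True if the id falls inside any mapped range of the namespace."""
    return any(start <= id_ < start + length for start, length in ranges)

def unmapped_entries(tar_bytes, uid_ranges, gid_ranges):
    """List (name, uid, gid) for entries whose recorded owner is unmapped."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for member in tf:
            if not (is_mapped(member.uid, uid_ranges)
                    and is_mapped(member.gid, gid_ranges)):
                found.append((member.name, member.uid, member.gid))
    return found

def build_sample_tar():
    """Constructed tarball whose entries carry different recorded owners."""
    buf = io.BytesIO()
    entries = [("package/a.js", 0, 0), ("package/b.js", 501, 20),
               ("package/c.js", 1000000, 1000000)]
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, uid, gid in entries:
            info = tarfile.TarInfo(name)
            info.size = 1
            info.uid, info.gid = uid, gid
            tf.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()

if __name__ == "__main__":
    ranges = parse_id_map(SAMPLE_ID_MAP)
    for name, uid, gid in unmapped_entries(build_sample_tar(), ranges, ranges):
        print(f"{name}: uid={uid} gid={gid} has no mapping; chown would fail with EINVAL")
```

Inside a container, pass the contents of /proc/self/uid_map and /proc/self/gid_map to parse_id_map instead of the sample, and the bytes of the downloaded package tarball instead of build_sample_tar().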

nlf commented 1 year ago

https://github.com/npm/pacote/pull/261 should close this. the change in that pull request skips the fchown related code in tar

rbalet commented 1 year ago

@nlf Any news on that issue? Your linked issue didn't fix the problem for me.

Environment

npm: 9.6.2
Node.js: 18.15.0

carlosrodfern commented 1 year ago

The fix has not been back-ported to 9: https://github.com/npm/pacote/commit/8f4e39c72e41c8a307db2cff4e7cf9f6e630e3e2

It is only in v15.x. Is this just a warning message without actual consequences in the build?