Allow Docker image to work with non-root users, Docker streamlining #323
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
npm commands run through the provided Docker image were failing to run when the files in the mounted /app folder weren't owned by root. This occurred from a confluence of two issues: * npm was switching the executed user away from root * nvm was inaccessible because /root is 700 npm spawns processes using the `@npmcli/promise-spawn` package. The current supported npm version, 8.9.14, uses a version of `@npmcli/promise-spawn` that will detect if npm is running as root. If root is detected, npm will use functionality from the `infer-owner` package to infer a non-root user through file ownership and ultimately execute the command with that user. This functionality is provided by the `infer-owner` package. This functionality was later removed from `@npmcli/promise-spawn` in <npm/promise-spawn@a8b21fc>. Separately, the provided Docker image is built and configured to run as root. As nvm defaults to installing in the current user's home directory, nvm was installed in `/root/.nvm`. Additionally, the Docker image's base, `ubuntu:20.04`, uses 700 permissions for `/root`. Therefore, user-inferred commands spawned by npm would not have permissions to run commands in non-globally accessible `/root/.nvm`. By moving nvm to a globally accessible location, npm is able to spawn user-inferred commands.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
npm commands run through the provided Docker image were failing to run when the files in the mounted /app folder weren't owned by root. This occurred from a confluence of two issues:
npm spawns processes using the
@npmcli/promise-spawnpackage. The current supported npm version, 8.9.14, uses a version of@npmcli/promise-spawnthat will detect if npm is running as root. If root is detected, npm will use functionality from theinfer-ownerpackage to infer a non-root user through file ownership and ultimately execute the command with that user. This functionality is provided by theinfer-ownerpackage. This functionality was later removed from@npmcli/promise-spawnin npm/promise-spawn@a8b21fc.Separately, the provided Docker image is built and configured to run as root. As nvm defaults to installing in the current user's home directory, nvm was installed in
/root/.nvm. Additionally, the Docker image's base,ubuntu:20.04, uses 700 permissions for/root.Therefore, user-inferred commands spawned by npm would not have permissions to run commands in non-globally accessible
/root/.nvm. By moving nvm to a globally accessible location, npm is able to spawnuser-inferred commands.
As part of this debugging, I streamlined the Dockerfile creation, which significantly sped up builds.