docker-node: fails to invoke npm when used in run-scripts

Environment

Platform: MacOS
Docker Version: 20.10.16
Node.js Version: 16.15.1
Image Tag: node:16.15.1-alpine

Expected Behavior

Given the following package.json

{
  "name": "test",
  "scripts": {
    "ver": "npm --version"
  },
  "devDependencies": {
    "cowsay": "^1.5.0"
  }
}

$ npm run ver

> ver
> npm --version

8.12.1

The same behavior should be replicated within a container runtime

Current Behavior

When running within a container runtime, npm fails and returns 243 exit code

$ docker run --rm -v $PWD:/app --workdir /app --entrypoint npm node:16.15.1-alpine run ver

> ver
> npm --version


npm notice
npm notice New minor version of npm available! 8.11.0 -> 8.12.1
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v8.12.1>
npm notice Run `npm install -g npm@8.12.1` to update!
npm notice

$ echo $?
243

When using a different image, it works as expected

$ docker run --rm -v $PWD:/app --workdir /app --entrypoint npm node:14-alpine run ver

> test@ ver /app
> npm --version

6.14.17

It works on on some images (note the --user node:node option)

$ docker run --rm -v $PWD:/app --workdir /app --entrypoint npm node:16.15.0-alpine3.15@sha256:bb776153f81d6e931211e3cadd7eef92c811e7086993b685d1f40242d486b9bb run ver

> ver
> npm --version

8.5.5
npm notice
npm notice New minor version of npm available! 8.5.5 -> 8.12.1
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v8.12.1>
npm notice Run `npm install -g npm@8.12.1` to update!
npm notice

$ docker run --rm -v $PWD:/app --workdir /app --entrypoint npm --user node:node node:18-alpine run ver

> ver
> npm --version

8.11.0

when the node user is used, then there a permission issue when mount volumes are used.

$ docker run --rm -it -v $PWD:/src -v node_modules:/src/node_modules --workdir /src --user node:node --entrypoint /bin/sh node:lts-alpine -c 'npm install && npm run ver'
npm ERR! code EACCES
npm ERR! syscall mkdir
npm ERR! path /src/node_modules/ansi-regex
npm ERR! errno -13
npm ERR! Error: EACCES: permission denied, mkdir '/src/node_modules/ansi-regex'
npm ERR!  [Error: EACCES: permission denied, mkdir '/src/node_modules/ansi-regex'] {
npm ERR!   errno: -13,
npm ERR!   code: 'EACCES',
npm ERR!   syscall: 'mkdir',
npm ERR!   path: '/src/node_modules/ansi-regex'
npm ERR! }
npm ERR!
npm ERR! The operation was rejected by your operating system.
npm ERR! It is likely you do not have the permissions to access this file as the current user
npm ERR!
npm ERR! If you believe this might be a permissions issue, please double-check the
npm ERR! permissions of the file and its containing directories, or try running
npm ERR! the command again as root/Administrator.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/node/.npm/_logs/2022-06-09T07_10_27_665Z-debug-0.log

$ docker run --rm -it -v $PWD:/src -v node_modules:/src/node_modules --workdir /src --user root:root --entrypoint /bin/sh node:lts-alpine -c 'npm install && npm run ver'

added 41 packages, and audited 42 packages in 2s

3 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
npm notice
npm notice New minor version of npm available! 8.11.0 -> 8.12.1
npm notice Changelog: https://github.com/npm/cli/releases/tag/v8.12.1
npm notice Run npm install -g npm@8.12.1 to update!
npm notice

> ver
> npm --version

Steps to Reproduce

Use the package.json configuration above and repeat the commands in this post.

About this issue

Original URL
State: open
Created 2 years ago
Reactions: 40
Comments: 32 (1 by maintainers)

Commits related to this issue

Hardcode node version to 16.15.0 in tests There seems to be an issue with version 16.15.1 which causes the npm install and npm scripts to exit with code 243 in some circumstances (https://github.com/... — committed to 7digital/mysql2-timeout by scooper91 2 years ago
Temporary fix for https://github.com/nodejs/docker-node/issues/1734 — committed to ideal-postcodes/postcodes.io by cblanc 2 years ago
Temporary fix for https://github.com/nodejs/docker-node/issues/1734 — committed to ideal-postcodes/postcodes.io by cblanc 2 years ago
Fix error 243 in GitHub Actions Caused by latest node lts? Pinning the version fixes the error. Ref: https://github.com/nodejs/docker-node/issues/1734 — committed to kdeloach/kdeloach.github.io by kdeloach 2 years ago

Most upvoted comments

Probably the same problem with docker image of 18.2-alpine, npm version 8.9.0.

{
  "name": "test-app",
  "version": "0.0.0",
  "scripts": {
    "test": "npm --version"
  },
  ...
}

The issue here seems npm doesnt want to run as root. Example when container is run as root and when switched to user node using su:

1aae0dcc8624:/workspace/app# whoami
root
1aae0dcc8624:/workspace/app# npm run test

> test-app@0.0.0 test
> npm --version


1aae0dcc8624:/workspace/app# su node
1aae0dcc8624:/workspace/app$ whoami
node
1aae0dcc8624:/workspace/app$ npm run test

> test-app@0.0.0 test
> npm --version

8.9.0
1aae0dcc8624:/workspace/app$

Running the container as node fixes the issue.

SmallhillCZ on Jun 29, 2022

The simple solution is to change the nodejs version. I was facing the same issue, i fixed it by changing node version from 16 to 14 and this worked

neon010 on Sep 14, 2022

we are facing the same issue.

on k8s we’re setting the pod security context to run with an arbitrary user id, after deleting this in the config the pod starts again.

we are setting the tag / sha of images to node:16.14 for now, to keep our pod settings.

also see https://github.com/npm/cli/issues/4996

parkwart on Jun 8, 2022

@foolioo NPM overrides uid if current user is root in the following line.

https://github.com/npm/cli/blob/9f94049f058687b916da726ea625b5fa68d0829d/node_modules/%40npmcli/promise-spawn/lib/index.js#L13

This was removed before, but reintroduced now.

npm/promise-spawn#6

yuki-js on Jul 10, 2022

Actually, this is not only an issue with run-scripts. node:16-alpine docker image is completely broken as a base build image in these cases:

Environments where image is run by root user.
Read-only root filesystem environments, e.g., Kubernetes container with readOnlyRootFilesystem: true.
Environments where one could not modify a running user, e.g., on Jenkins pipelines which by default run under Jenkins user and the UID is most probably not the same as UID 1000 which is used in the image.

The source of these issues is that npm_config_prefix is set to /usr/local and npm_config_userconfig is not set at all, so NPM is trying to use HOME folder which in the docker image is set to /. Again, that folder is not writable by any of the users except root, but remember, NPM ignores root user due to https://github.com/npm/cli/blob/37bf6d31bd2f68e661928744833b57dcabbb0d1a/node_modules/@npmcli/promise-spawn/lib/index.js#L13

The only way I found to fix this on Jenkins is set NPM_CONFIG_CACHE to something like /tmp/jenkins/.npm. GitLab/GitHub runners can be fixed in similar manner.

I guess the final fix should be to create .npm cache folder somewhere writable by any user on the docker image, so at least it works by default on CI pipelines. Maybe create some kind of documented folder specified via npm_config_userconfig so anyone can map it and modify the behaviour of a running user.

P.S. Why NPM tries to spawn a process according to permission on current folder in case it is run by the root user is still a mistery to me. It goes against all commons. Programs should not modify running user.

ViliusS on Oct 10, 2022

In my case, I use a docker-compose.yml as is:

version: "3"
services:
  npm:
    build: ./docker/node/16
    entrypoint: npm
    user: node
    volumes:
      - .:/home/node
    working_dir: /home/node

And I had this “243” error (which a few months ago with the exact same docker-compose setup I hadn’t).

First I tried to upgrade to node 18, but the error was the same. Then I tried to specify the group of the user from “node” to “node:node”. Same error.

Then I remembered sometimes on my local there would be an error about writing on the “.npm” folder because of lack of permissions. So I figured I’d had the volume so the npm script would not have to write it on the host folder system (the one on Github must have reduced folder permissions for security purposes).

version: "3"
services:
  npm:
    build: ./docker/node/16
    entrypoint: npm
    user: node:node
    volumes:
      - .:/home/node
      - ./docker-data/npm:/.npm # <--
    working_dir: /home/node

Then the CI on Github started to be more eloquent, this time it would not manage to write a log file on the “.npm/_logs” folder. Getting close:

npm WARN logfile could not be created: Error: EACCES: permission denied, open ‘/home/node/.npm/_logs/2022-07-14T09_18_36_207Z-debug-0.log’

So I decided to also create the “_logs” folder on my “docker-data/npm” folder, so the npm script would not have to create the folder as well. Here is my folder structure:

my-app/
├── docker/
│   └── 18/
│       └── Dockerfile
└── docker-data/
    ├── npm/
    │   └── _logs/
    │       └── .gitignore
    └── .gitignore

And I also had to remove the “user: node:node” by the way (not sure if I put it back it will still work):

version: "3"
services:
  npm:
    build: ./docker/node/16
    entrypoint: npm
    volumes:
      - .:/home/node
      - ./docker-data/npm:/.npm
    working_dir: /home/node

With this setup, running this command will work without 243 errors

docker-compose run --rm npm outdated

As well as installing dependencies:

docker-compose run --rm npm ci

But compiling my assets will fail (this uses Laravel Mix behind the scene)

Run docker-compose -f app/docker-compose.yml run npm run prod
  docker-compose -f app/docker-compose.yml run npm run prod
  shell: /usr/bin/bash -e {0}
Creating app_npm_run ... 
Creating app_npm_run ... done

> prod
> npm run production

npm notice 
npm notice New minor version of npm available! 8.12.1 -> 8.14.0
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v8.14.0>
npm notice Run `npm install -g npm@8.14.0` to update!
npm notice 

Error: Process completed with exit code 243.

Edit

I managed to fix all permission issues by starting from Ubuntu:22.04 instead of Node:18-alpine on my Dockerfile

I recap for folks that want to do the same

docker-compose.yml

npm:
    build: ./docker/node/18
    entrypoint: npm
    volumes:
      - .:/home/node
    working_dir: /home/node

docker/node/18/Dockerfile

FROM ubuntu:22.04

RUN apt-get update && \
    apt-get upgrade --yes && \
    apt-get install --yes \ // Remove g++ and others dependencies if you don't need them, I needed them to compile some NPM deps
    g++ \
    make \
    curl \
    bash && \
    curl -fsSL https://deb.nodesource.com/setup_18.x | bash - && \
    apt-get install --yes nodejs

Now all theses commands on my CI works without perm issues

docker-compose run npm ci
docker-compose run npm run prod
docker-compose run npm outdated

khalyomede on Jul 14, 2022

@scooper91 I know, but unfortunately it doesn’t fit my use case.

yuki-js on Jul 10, 2022

For me, problems disappear when I add USER node command before invoking my npm run ... command inside my Dockerfile.

Example:

# Multi-stage dockerfile:
# https://docs.docker.com/develop/develop-images/multistage-build/

# Base stage
FROM node:16.15.1-slim AS base
EXPOSE 8080
RUN mkdir -p /app && chown -R node:node /app
WORKDIR /app
USER node

# Builder stage
FROM base AS builder
COPY --chown=node:node . .
RUN npm ci
RUN npm run build

# Prod stage
FROM base AS prod
COPY --from=builder --chown=node:node /app/dist ./dist
CMD ["node", "dist"]

jagu-sayan on Jul 10, 2022

@SmallhillCZ

Running the container as node fixes the issue.

Not fully correct. It depends whether you are using the container in conjunction with mount/data volumes as node_modules directory. When it is used, the user must be root in most cases (depends on the inner implementation of how mount volumes work across different operating systems)

electriquo on Jun 29, 2022

I’m having a similar issue. We’re seeing it when we try to do an npm install from the Docker command, when we set the user for the container. If you set the node cache to a non-existent path, it seems to work.

Can replicate it using a simple package.json file with a dependency. This example assumes the package.json is owned by user 1001.

> docker run --rm -it -v $PWD:/app -u=1001 -w /app node:16.15.1-alpine sh -c 'npm i'
> echo $?
243

When setting --cache=nope, the install works:

> docker run --rm -it -v $PWD:/app -u=1001 -w /app node:16.15.1-alpine sh -c 'npm i --cache=nope'
... added some packages
> echo $?
0

EDIT:

It appears (at least in part) to do with the home directory for the user it’s running as. Running as user 1001 (which doesn’t exist in the container) fails to run npm at all:

> docker run --rm -it -u 1001 node:16.15.1-alpine sh
> npm -v

> echo $?
243

If you add the user with that ID, it creates the home directory and works:

> docker run --rm -it node:16.15.1-alpine sh
> adduser -D -u 1001 test
> su test
> npm -v
8.11.0
> echo $?
0

If you add the user with that ID, but without the home directory, you get the same error:

> docker run --rm -it node:16.15.1-alpine sh
> adduser -D -H -u 1001 test
> su test
> npm -v

> echo $?
243

scooper91 on Jun 28, 2022

Facing the same issue.

Was using node:16-slim which brought in version 16.15.1-slim. So reverted back to previous minor version as a temporary fix by specifying node:16.14-slim

For us this was specifically with the 16.15.1 patch release, 16.15.0 works in our case.

cascornelissen on Jun 22, 2022

Seeing the same issue in my Jenkins pipeline with node:16.15-alpine3.15. I cannot reproduce the issue locally though.

alaney on Jun 7, 2022

@yuki-js Have you tried adding a user to match the mounted file permissions, and using that to use npm? Obviously it isn’t ideal, but it worked for our use case. (See my comment above). Can see how it works with our setup here: https://github.com/7digital/mysql2-timeout/blob/dbc820bcdd7a638e1f02bf983beb6bb52059d07f/docker-compose.yml#L12

scooper91 on Jul 10, 2022

Also seeing this issue, hard coding to node:16.15.0-alpine in the meantime.

reidja on Jun 8, 2022