NPM running with incorrect uid/gid within container/failing to look up correct user/group to run scripts

[xthursdayx]

Expected Behavior

I built a docker image using this base image which runs a chat self-hosted chat server. You can see the docker repo here. After building the image, a cont-init.d script 50-config checks the container ENV variables, installs a downloadeed AdonisJS app using NPM, checks the database endpoint and migrates it (if necessary), and then serves the AdonisJS app.

Current Behavior

The container works fine on my unRAID server, but other users, both on unRAID and not, are running into problems where the NPM commands are not being run by the correct uid/gid. The NPM command should be run by base image uid/gid (911/911), however, the 50-config script is reporting the following errors for some users:

npm ERR! code EUIDLOOKUP
npm ERR! lifecycle could not get uid/gid
npm ERR! lifecycle [ 'nobody', 0 ]
npm ERR! lifecycle

npm ERR! Failed to look up the user/group for running scripts.

npm ERR! Try again with a different --user or --group settings, or
npm ERR! run with --unsafe-perm to execute scripts as root.

Container logs report that the uid/gid is 99/100 and the 10-adduser script runs without error.

This errors seems to be related to a conflict between the docker user nobody/users and the container user/group, but I'm not sure why this would be occurring, nor why I am not having the same issue when I build this container, either on unRAID or manually on my Macbook.

Steps to Reproduce

1. Build the the docker container using the template in unRAID Community Apps, with a docker run command, or with docker-compose using the variables listed in the Github repo.
2. See if the container initialization script 50-config runs correctly or not.

Environment

OS: unRAID and Ubuntu
CPU architecture: x86_64
How docker service was installed:

This issue been found by a user who installed my docker image via unRAID's Community Apps and by a user who installed it using a docker-compose.yaml.

Command used to create docker container (run/create/compose/screenshot)

docker run --name='ferdi-server' -e 'NODE_ENV'='development' -e 'DB_CONNECTION'='mysql' -e 'DB_HOST'='10.66.0.10' -e 'DB_PORT'='3306' -e 'DB_USER'='ferdi' -e 'DB_PASSWORD'='password' -e 'DB_DATABASE'='adonis' -e 'IS_CREATION_ENABLED'='true' -e 'CONNECT_WITH_FRANZ'='true' -p '3333:80' -v '/mnt/cache/appdata/ferdi-server/recipes':'/usr/src/app/recipes' -v '/mnt/cache/appdata/ferdi-server':'/config' -v '/mnt/cache/appdata/ferdi-server/database':'/usr/src/app/database' 'xthursdayx/ferdi-server-docker'

Docker logs

https://xbb.wl7r.com/woVe8/JOCoDOQEgO531.txt

[xthursdayx]

Upon further examination, this seems like might be an upstream issue related to running node in alpine itself.

See discussion here: https://stackoverflow.com/questions/52196518/could-not-get-uid-gid-when-building-node-docker

Check if this is linked to nodejs/docker-node issue 813:

Root cause seems to be: Thread stack size

The default stack size for new threads on glibc is determined based on the resource limit governing the main thread’s stack (RLIMIT_STACK).
It generally ends up being 2-10 MB.

There three possible solutions:

• Talk to Alpine teams to fix it. There were some discussions already
• Fix it in the node docker alpine image as follows
• Set default npm_config_unsafe_perm=true in the docker image as a workaround until it's fixed

For now I've tried the third solution and have added that code in my Dockerfile.

[xthursdayx]

Closing for now as this seems to be a Node issue not related specifically to the Linuxserver Alpine base image.

See also:
npm/npm#20861
npm/uid-number#7

[aptalca]

@xthursdayx
I haven't looked into it too much but at first glance, you're starting your app within the init file, without any users defined.

We use s6 as the supervisor. And we define the user the process should run as: https://github.com/linuxserver/docker-embystat/blob/master/root/etc/services.d/ombi/run#L5-L6
s6-setuidgid abc tells the supervisor to run it as abc ahich is the user we set the PUID/PGID for from env variables.

I recommend using an s6 service to start it, and doing something like exec s6-setuidgid abc node app.js

[xthursdayx]

Thanks a lot for this clarification @aptalca

I was confused about how S6 works I guess. Following the conventions of this base image, and other Linuxserver images, I have both 10-adduser and 50-config at /root/etc/cont-init.d/ in my image repo. I was under the impression that because 10-adduser sets the PGID/PUID as 911 and abc, then S6 would run 50-config as abc.

I'll add a services.d run script instead and see if this solves the problem some people are facing.

[aptalca]

No, all those init files (and service files) are run by s6 as root
You need to specify if you need a process to run as abc