Docker root owned files #273

Open
3 of 6 tasks
Davincible opened this issue Jul 29, 2023 · 3 comments
Labels
bug Something is not working.

Comments

@Davincible

Preflight checklist

Describe the bug

This happens for every clean build on latest

pandora-scraper-kratos-selfservice-ui-node-1  | > @ory/[email protected] serve
pandora-scraper-kratos-selfservice-ui-node-1  | > node lib/index.js
pandora-scraper-kratos-selfservice-ui-node-1  | 
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! code EACCES
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! syscall mkdir
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! path /home/ory/.npm
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! errno -13
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! 
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! Your cache folder contains root-owned files, due to a bug in
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! previous versions of npm which has since been addressed.
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! 
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! To permanently fix this problem, please run:
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR!   sudo chown -R 10000:65533 "/home/ory/.npm"
pandora-scraper-kratos-selfservice-ui-node-1  | 
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! Log files were not written due to an error writing to the directory: /home/ory/.npm/_logs
pandora-scraper-kratos-selfservice-ui-node-1  | npm ERR! You can rerun the command with `--loglevel=verbose` to see the logs in your terminal

Reproducing the bug

Run container

Relevant log output

No response

Relevant configuration

No response

Version

latest

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

@Davincible Davincible added the bug Something is not working. label Jul 29, 2023
@eest

eest commented Aug 6, 2023

@Davincible what version of docker are you running in what OS? I too was seeing this message when trying to build a docker image for arm64. And in my case it seems I was having problems due to the /home/ory directory being owned by root:root after user creation in the Dockerfile, instead of being owned by the ory user.

In my case this seemed to be because of strange behaviour from the docker.io package on Ubuntu 22.04.3 LTS where the adduser command would create a properly owned directory, but this ownership would be lost in later RUN commands.

I opened a ticket for this upstream: moby/moby#46161

If you are in the same situation as me I would suggest trying to run an upstream version instead and see if the problem is still there.

@Davincible
Author

On Manjaro, Docker 24.

Fixed by creating a manual dockerfile:

FROM node:18.12.1-alpine

RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

ARG LINK=no

RUN adduser -S ory -D -u 10000 -s /bin/nologin
RUN chown -R 10000:65533 /home/ory

# COPY package.json .
# COPY package-lock.json .

RUN apk add git
RUN git clone https://github.com/ory/kratos-selfservice-ui-node /usr/src/app

RUN npm ci --fetch-timeout=600000

# COPY . /usr/src/app

RUN if [ "$LINK" == "true" ]; then (cd ./contrib/sdk/generated; rm -rf node_modules; npm ci; npm run build); \
    cp -r ./contrib/sdk/generated/* node_modules/@ory/kratos-client/; \
    fi

RUN npm run build

USER 10000

ENTRYPOINT ["/bin/sh", "-c"]
CMD ["npm run serve"]

EXPOSE 3000

@eest

eest commented Aug 7, 2023

Hmm I see... I am curious how the RUN chown -R 10000:65533 /home/ory changes anything as if I use this diff:

-RUN adduser -S ory -D -u 10000 -s /bin/nologin
+RUN adduser -S ory -D -u 10000 -s /bin/nologin && ls -l /home && ls -la /home/ory
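
Review bot: the `ls -l /home && ls -la /home/ory` added on the `+` line runs inside the same RUN step as `adduser`, so it only shows ownership at the moment the directory is created and cannot show whether that ownership survives into later RUN steps, which is where the loss was reported earlier in this thread. Put the listing in its own RUN step after the user is created, and repeat it just before `USER 10000`, so the output reflects what the npm process will actually see.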

It shows the directory as properly owned and with nothing inside it:

#8 [ 4/10] RUN adduser -S ory -D -u 10000 -s /bin/nologin && ls -l /home && ls -la /home/ory
#8 0.271 total 8
#8 0.271 drwxr-sr-x    2 node     node          4096 Dec 12  2022 node
#8 0.271 drwxr-sr-x    2 ory      nogroup       4096 Aug  7 07:56 ory
#8 0.271 total 8
#8 0.271 drwxr-sr-x    2 ory      nogroup       4096 Aug  7 07:56 .
#8 0.271 drwxr-xr-x    1 root     root          4096 Aug  7 07:56 ..
#8 DONE 0.3s

After running a docker version that was able to persist such ownership things seemed to work with no changes (and it seems to be ubuntu-related: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/2029564).

I guess it would be interesting to revert your changes to the default and inspect if the permissions are not correct after user creation as I guess this is what would make npm sad in the later steps.
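
A build-time ownership check for the situation discussed in this thread, as an added example that is not part of the original comments or the project's Dockerfile: it lists anything under a directory that is not owned by the expected numeric uid:gid and fails if it finds any. The function names and the script layout are assumptions; `/home/ory` and `10000:65533` are the values from the npm error above.

```shell
#!/bin/sh
# Added example (not from the thread): fail fast when a directory tree is not
# owned by the runtime user. Uses only options available in both BusyBox
# (Alpine) and GNU userlands.

# Print the numeric "uid:gid" of a path.
owner_of() {
    ls -ldn -- "$1" | awk '{ print $3 ":" $4 }'
}

# check_owner DIR UID GID
# Lists every entry under DIR (DIR included) whose numeric owner or group
# differs from UID:GID.
# Returns 0 when nothing differs, 1 when something differs, 2 when DIR is missing.
check_owner() {
    dir=$1 uid=$2 gid=$3
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    # -user/-group accept numeric IDs when no account of that name exists.
    bad=$(find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) -print)
    if [ -n "$bad" ]; then
        echo "not owned by $uid:$gid under $dir:" >&2
        echo "$bad" | while IFS= read -r p; do
            echo "  $(owner_of "$p")  $p" >&2
        done
        return 1
    fi
    return 0
}

# Stand-alone use, for example as its own RUN step after the user is created
# and again before the USER instruction:
#   sh check-owner.sh /home/ory 10000 65533    (script name is an assumption)
if [ "$#" -eq 3 ]; then
    check_owner "$@"
fi
```

Because a failing RUN step aborts the build, a non-zero return here surfaces the wrong ownership at the layer where it first appears instead of as an npm `EACCES` at container start.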
