[BUG] Installing some packages in rootless containers causes TAR_ENTRY_ERROR since v9

Open vchernin opened this issue 3 years ago • 5 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

The installation of some packages in either podman or docker rootless containers results in:

npm WARN tar TAR_ENTRY_ERROR EINVAL: invalid argument, fchown

In either podman or docker there is no warning when in rootful containers.

Note as far as I can tell with this warning npm has no behaviour changes, everything still seems to work, but I have no real assurances of this being an ignorable warning.

Expected Behavior

No extra warnings when installing packages with rootless containers.

Steps To Reproduce

docker run -it --rm --entrypoint sh docker.io/node:19.3.0-alpine -c \
'mkdir project && cd project && npm install -g [email protected] && npm install [email protected]'

This is only reproducible if you have a functional rootless container setup (default with podman, needs special installation with docker, see below documentation). Also this probably won't reproduce if you've added your user to the docker group (as your user can now create rootful containers).

The bug can be reproduced by swapping docker with podman.

To show the bug not occurring, try prepending sudo to run a rootful container.

The first bad tag is 9.0.0-pre.6, and the same behaviour is seen in 9.2.0. This is likely a regression of the recent changes for https://github.com/npm/rfcs/issues/546, which seems intended at least in part to help fix issues in docker.

Curiously if installing e.g. @babel/[email protected] instead of [email protected] this bug doesn't occur, so the package contents affect this somehow.

This doesn't occur when installing packages in a non-container setup like by installing node through nvm on ubuntu.

Some documentation about rootless containers: https://docs.docker.com/engine/security/rootless/ https://github.com/containers/podman/blob/main/rootless.md

Environment

  • npm: 9.2.0
  • Node.js: 19.3.0
  • OS Name: Docker/Podman
  • npm config:
; node bin location = /usr/local/bin/node
; node version = v19.3.0
; npm local prefix = /project
; npm version = 9.2.0
; cwd = /project
; HOME = /root
; Run `npm config ls -l` to show all defaults.

vchernin avatar Dec 26 '22 09:12 vchernin

I reproduce this with userns-remap. I have userns-remap set up for myusername (i.e. $USER) in /etc/docker/daemon.json:

{
  "userns-remap": "myusername"
}

I have /etc/subuid and /etc/subgid both with:

myusername:1000:1
myusername:100000:65536

My UID and GID are 1000.

RobStaveley avatar Jan 23 '23 18:01 RobStaveley

https://github.com/npm/pacote/pull/261 should close this. The change in that pull request skips the fchown-related code in tar.

nlf avatar Feb 16 '23 21:02 nlf

@nlf Any news on that issue? Your linked issue didn't fix the problem for me.

Environment npm: 9.6.2 Node.js: 18.15.0

rbalet avatar Mar 16 '23 16:03 rbalet

The fix has not been back-ported to 9: https://github.com/npm/pacote/commit/8f4e39c72e41c8a307db2cff4e7cf9f6e630e3e2

It is only in v15.x. Is this just a warning message without actual consequences in the build?

carlosrodfern avatar May 19 '23 20:05 carlosrodfern

For any other folks (like myself) who are affected by this, here are some more implications and details I have hit.

Using npm 9 to install certain npm packages (e.g. npm install -g @vue/language-server) that are affected by this issue may be the cause of a container image no longer being pullable for rootless containers on some computers. Here's an example error message I hit after attempting a podman pull ...

... unpacking failed (error: exit status 1; output: potentially insufficient UIDs or GIDs available in user namespace (requested 1618591017:1876110778 for /usr/local/lib/node_modules/@vue/language-server/node_modules/character-parser/.npmignore): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /usr/local/lib/node_modules/@vue/language-server/node_modules/character-parser/.npmignore: invalid argument)

Details on this kind of pull failure are described in https://github.com/containers/podman/issues/12715. A workaround on the puller's side is described in that podman issue. A high-quality summary and write-up is available at https://access.redhat.com/solutions/7005221

~However, ideally, a container image can be built rootless (e.g. in GitLab CI) without becoming an image that requires the above mentioned workaround (which is rather drastic).~ (Correction: to be affected by this npm package issue, the container image must be built as root so that excessively high UIDs will be used. Building the image rootless will trigger the warning messages of this issue. But these warnings show the desirable effect of failing to set excessively high UIDs in the container image, which means pulling the built image will not fail for rootless clients.)

Recent Fedora releases have more recent npm versions and do not have this problem. I assume recent Ubuntu releases also have newer npm versions and do not have this problem.

However, it seems very possible that Debian 13 might not upgrade past npm 9. Debian 13.0 was npm 9.2 and so is the recent 13.1. Ubuntu 24.04 LTS is also on npm 9.2.

castedo avatar Nov 15 '25 02:11 castedo
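
As an added example (not part of the thread, and not npm or podman code), the check below flags files in an image whose owner IDs fall outside what a rootless puller can map, which is the condition behind the pull failure quoted above. It assumes a simplified model in which the mappable container IDs are 0..N-1, with N the sum of the user's subordinate ranges plus one in rootless mode; the function names, the subordinate-ID text and all file paths are constructed, and only the 1618591017:1876110778 pair comes from the error message.

```javascript
// Added example: constructed inputs, not taken from a real system.
// Simplified model (assumption): container IDs 0..N-1 are mappable, where N is
// the sum of the user's subordinate ranges, plus 1 in rootless mode because
// container ID 0 maps to the invoking user's own ID.

// subidText: contents of /etc/subuid or /etc/subgid ("name:start:count" lines).
function mappableIdCount(subidText, user, rootless) {
  let total = rootless ? 1 : 0;
  for (const line of subidText.split("\n")) {
    const [name, start, count] = line.trim().split(":");
    if (name !== user || start === undefined || count === undefined) continue;
    const n = Number(count);
    if (Number.isInteger(n) && n > 0) total += n;
  }
  return total;
}

// statLines: output of  stat -c '%u:%g %n' <files...>  run inside the image.
function unmappableEntries(statLines, uidCount, gidCount) {
  const findings = [];
  for (const line of statLines.split("\n")) {
    const m = /^(\d+):(\d+) (.+)$/.exec(line);
    if (!m) continue; // skip blank or malformed lines
    const uid = Number(m[1]);
    const gid = Number(m[2]);
    if (uid >= uidCount || gid >= gidCount) {
      findings.push({ path: m[3], uid, gid });
    }
  }
  return findings;
}

// Constructed subordinate-ID file (same text used for subuid and subgid here).
const SUBID = "myusername:100000:65536\notheruser:165536:65536\n";
// Constructed stat output; the second line reuses the IDs from the pull error.
const STAT_OUTPUT = [
  "0:0 /usr/local/lib/node_modules/example/package.json",
  "1618591017:1876110778 /usr/local/lib/node_modules/example/.npmignore",
  "65536:65536 /usr/local/lib/node_modules/example/index.js", // highest mappable ID
  "65537:0 /usr/local/lib/node_modules/example/README.md",    // one past the end
].join("\n");

const uidCount = mappableIdCount(SUBID, "myusername", true);
const gidCount = mappableIdCount(SUBID, "myusername", true);
for (const f of unmappableEntries(STAT_OUTPUT, uidCount, gidCount)) {
  console.log(`unmappable owner ${f.uid}:${f.gid} on ${f.path}`);
}
```

Run against the final image layer in a build pipeline, a non-empty result means rootless clients with default subordinate ranges are likely to fail unpacking the image.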