Docker PHP: Npm permission denied problem occurs in 8.1.1-fpm-alpine3.15

Question

When I try to start my service via docker-compose, I receive the following error message:

service_frontend | npm error! Code 128

service_frontend | npm error! An unknown git error occurred

service_frontend | npm error! Command git --no-replace-objects clone -b feature/WHITELABEL-212-sculpts-während-der-lad https://bjoernme:***@bitbucket.org/faaren/faaren-ui.git /root/. npm/_cacache/tmp/git-cloneBmjHnf --recurse-submodules --depth=1

service_frontend | npm error! FATAL: Unable to create lead directory for '/root/.npm/_cacache/tmp/git-cloneBmjHnf': Permission denied

Service front end|

service_frontend | npm error! The full log of this run can be found at:

service_frontend | npm error! /root/.npm/_logs/2022-06-24T13_42_41_376Z-debug.log

service_frontend exited with code 128

I tried multiple constellations as user properties in docker-compose.yml, starting with root, root:root, node:node, 1000:1000, UID:GID (the variables were set to inject my local user ID and Group ID.

Relevant parts from my docker-compose.yml:

service_frontend:
    build:
      context: /workspace/faaren-services/frontend
      dockerfile: Dockerfile
      args:
        dev: "true"
    command: bash -c "npm install --save-dev chokidar@3.5.2 && composer install && php artisan octane:start --server=swoole --host=0.0.0.0 --port=8080 --watch"
    user: root
    volumes:
      - /workspace/faaren-services/frontend:/var/www/html
      - ./docker-conf/supervisor/supervisord.conf:/etc/supervisor/conf.d/supervisord.conf
      - ./docker-conf/php/debugger.ini:/usr/local/etc/php/conf.d/debugger.ini

This is my local docker image:

FROM eu.gcr.io/faaren-prod/frontend-base-image:latest
COPY . /var/www/html
ARG dev=false
RUN if [ ${dev} = "true" ] ; then 
        set -ex 
        && apk add --no-cache npm 
        && mkdir -p /.npm 
        && mkdir -p /root/.npm/_cacache/tmp/ 
        && chmod 777 -R "/root/.npm/_cacache/tmp/" 
        && chmod 777 -R "/.npm" 
    fi ;

This is our internal base image (based on php:8.1.1-fpm-alpine3.15 image:

FROM php:8.1.1-fpm-alpine3.15
WORKDIR /var/www/html/

RUN apk add --no-cache --update git 
    npm 

RUN mkdir /.npm 
RUN mkdir /.cache
RUN chown -R 1000:1001 "/.npm"
RUN chown -R 1000:1001 "/.cache"

Answer 1

After digging into the issue, I discovered that in Node 16.15.1, all commands in npm tasks are run as the user who owns the current working directory. Therefore, even when running npm i as the root subcommand, git clone will be run as the user that the current working directory belongs to.

In my case, /var/www/html/ belongs to user:group 33333:33333. npm i Run as root. For some git clone commands, these commands are run as user 33333. Therefore, user 33333 is not allowed to access the default cached npm folder under /root/.npm because that folder belongs to user root.

I solved the problem by:

• Create a cache directory outside the root directorymkdir /var/www/.npm/cache
• Change ownership to 333333: chown -R 33333:33333 /var/www/.npm/cache
• Set the new directory as the npm cache directory: npm config set cache /var/www/.npm/cache --global