[BUG] npm silently fails when unable to write cache directory

[Hi-Fi]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When running older official node image, npm works fine:

docker container run --rm -it -u nobody:nobody --entrypoint /bin/sh node:16.14-alpine -c "id && npm -v || echo Exit"
uid=65534(nobody) gid=65534(nobody)
8.5.0

With latest one, npm just silently exits:

docker container run --rm -it -u nobody:nobody --entrypoint /bin/sh node:16-alpine -c "id && npm -v || echo Exit"
uid=65534(nobody) gid=65534(nobody)

Exit

Custom image that updates NPM:

docker container run --rm -it -u nobody:nobody --entrypoint /bin/sh npm -c "id && npm -v || echo Exit"
uid=65534(nobody) gid=65534(nobody)

Exit
docker container run --rm -it -u node:node --entrypoint /bin/sh npm -c "id && npm -v || echo Exit"
uid=1000(node) gid=1000(node)
8.12.1

Expected Behavior

docker container run --rm -it -u nobody:nobody --entrypoint /bin/sh node:16-alpine -c "id && npm -v || echo Exit"
uid=65534(nobody) gid=65534(nobody)
8.11.0

Steps To Reproduce

With docker behavior steps can be used to reproduce. For newer version image creation is needed, as user can't be changed in shell to nobody.

Custom image created with Dockerfile:

FROM node:16-alpine

RUN npm i -g npm && npm -v

USER nobody

Environment

No response

[patchon]

The issue seems to be related to the creation of the "cache-directory".
Setting the npm_config_cache to a writable path (ie. /tmp/) works.

$ > npm --verbose ; echo $?

243

$ > npm_config_cache=/tmp/ npm --version ; echo $?
8.11.0
0

Above is from node:16-alpine-latest in an OpenShift environment (ie. where an arbitrary user id is used).

I traced it down to the following code,

# /usr/local/lib/node_modules/npm/lib/npm.js
243     // mkdir this separately since the logs dir can be set to
244     // a different location. an error here should be surfaced
245     // right away since it will error in cacache later
246     await this.time('npm:load:mkdirpcache', () =>
247       fs.mkdir(this.cache, { recursive: true, owner: 'inherit' }))

Unfortunately my nodejs skills stops here and I'm not really sure what the comment is referring to, nor why we don't see any output from any log.XX code. Adding a catch to above, makes the code work, however I'm not sure if that is the right approach, I'll leave that to someone else.

diff --git a/npm.js b/npm.js
index 2197f11..1b940be 100644
--- a/npm.js
+++ b/npm.js
@@ -244,7 +244,8 @@ class Npm extends EventEmitter {
     // a different location. an error here should be surfaced
     // right away since it will error in cacache later
     await this.time('npm:load:mkdirpcache', () =>
-      fs.mkdir(this.cache, { recursive: true, owner: 'inherit' }))
+      fs.mkdir(this.cache, { recursive: true, owner: 'inherit' })
+        .catch((e) => log.warn('cachedir', `could not create cache-dir: ${e}`)))

With the above patch you'll get something like,

$ > npm --version
npm WARN cachedir could not create cache-dir: Error: EACCES: permission denied, mkdir '/.npm'
npm WARN logfile could not create logs-dir: Error: EACCES: permission denied, mkdir '/.npm'
npm WARN logfile could not be created: Error: ENOENT: no such file or directory, open '/.npm/_logs/2022-06-08T14_58_12_496Z-debug-0.log'
8.11.0

At least that would have pointed us in the right direction from the start.

Sorry for the long post, here's a 🥔😄

¯\(ツ)/¯

[FelipeEmerim]

We use k8s with readOnlyRootFilesystem: true. We added an emptyDir volume mounted on /tmp and set the npm_config_cache env var to /tmp/npm/. Because the volume is mounted with 777 permissions it solved our problem without downgrading the node image.

[soulchild]

Wow! This just broke all of our applications on k8s and it took me half a day to figure out what's going on because there was no output whatsoever (Note to future self: Check npm issues first). Will this be treated as a bug which will be fixed or are we going to have to patch each and every one of our applications? 🙈

[chris-addison]

This made us lose two days of dev time. Took over a day to narrow the issue down to npm. Changing the alpine image back to 3.15 fixed it for us.

[XhmikosR]

Could this be related/the same as #4838?

[soulchild]

We use k8s with readOnlyRootFilesystem: true. We added an emptyDir volume mounted on /tmp and set the npm_config_cache env var to /tmp/npm/. Because the volume is mounted with 777 permissions it solved our problem without downgrading the node image.

I just realized we had securityContext.runAsUser and securityContext.runAsGroup set to an arbitrary user id in our k8s deployment. After changing this to uid/gid 1000, which is the node user that comes with the node:16-alpine base image, the problem went away.

[fritzy]

It looks like the exit-handler is not properly reporting ENOENT errors when lib/npm.js fails to create the cache directory.