Environment
- Platform: Linux
- Docker Version: Docker Engine v29 (but can be replicated with older versions)
- Node.js Version: LTS 24 and 22 (can be replicated with all versions from v16)
- Image Tag: 22.22.2-alpine
Expected Behavior
Unmodified Node.js Docker image should be runnable without root privileges.
Current Behavior
The image is completely broken as a base build image in environments where one could not modify a running user, e.g., on Jenkins pipelines, which by default run under the Jenkins user, and the UID is most probably not the same as UID 1000, which is used in the image. The same issue can be observed on the free GitHub Actions runners.
It is also broken as a base runtime image on read-only root filesystem environments, e.g., Kubernetes containers with readOnlyRootFilesystem: true.
The source of these issues is that npm_config_prefix is set to /usr/local and npm_config_userconfig is not set at all, so NPM is trying to use the HOME folder, which in the Docker image is set to /. That folder is not writable by any of the users except root.
The only workaround on Jenkins is to set NPM_CONFIG_CACHE to something like /tmp/jenkins/.npm. GitLab/GitHub runners can be fixed in a similar manner.
Possible Solution
The real fix should be to create a .npm cache folder somewhere writable by any user on the Docker image, so at least it works by default on CI pipelines. Maybe create some kind of documented folder specified via npm_config_userconfig so anyone can map it and modify the behaviour of a running user.
Steps to Reproduce
Create a Jenkins pipeline for any Node.js project using NPM and try to build it:

    pipeline {
        agent {
            docker {
                image 'node:22.22.2'
            }
        }
        stages {
            stage('Build and publish') {
                steps {
                    sh "npm ci"
                    sh "npm run build"
                    sh "npm publish"
                }
            }
        }
    }

    12:51:45 npm error code EACCES
    12:51:45 npm error syscall mkdir
    12:51:45 npm error path /.npm
    12:51:45 npm error errno EACCES
    12:51:45 npm error
    12:51:45 npm error Your cache folder contains root-owned files, due to a bug in
    12:51:45 npm error previous versions of npm which has since been addressed.
    12:51:45 npm error
    12:51:45 npm error To permanently fix this problem, please run:
    12:51:45 npm error sudo chown -R 1002:1002 "/.npm"

Additional Information
As evident from the past, considering cryptic and sometimes incorrect error messages coming from NPM, people constantly struggle to understand why it doesn't work for them in one way or another:
#1734
npm/cli#3910
I know that there is best-practices documentation on how to run this image without the root user, but that's not the point of this ticket. It can be fixed at the source of this image without the need to use all those workarounds.
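
An added example, not from the issue or from the image's maintainers: a shell helper for CI steps that picks a writable npm cache when HOME is not writable by the running UID, generalizing the NPM_CONFIG_CACHE workaround described above. The function name resolve_npm_cache and the npm-cache-<uid> directory name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick a writable npm cache directory for an arbitrary non-root UID.
# resolve_npm_cache is a hypothetical helper, not part of the node image or npm.
#
# Order of preference:
#   1. an explicit cache path (e.g. an already-set NPM_CONFIG_CACHE)
#   2. $HOME/.npm, if it can be created and written (npm's default location)
#   3. a private per-UID directory under a scratch base such as /tmp
resolve_npm_cache() {
    home_dir="$1"   # HOME as seen inside the container ("/" in the reported case)
    tmp_base="$2"   # writable scratch location: /tmp, an emptyDir mount, ...
    explicit="$3"   # caller-supplied cache path, may be empty

    if [ -n "$explicit" ]; then
        printf '%s\n' "$explicit"
        return 0
    fi

    # HOME="/" yields "/.npm", the path in the EACCES error above.
    candidate="${home_dir%/}/.npm"
    if mkdir -p "$candidate" 2>/dev/null && [ -w "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi

    # Shared scratch dirs are world-writable: create the fallback with mode 0700
    # and refuse a symlink or a directory pre-created by another user.
    fallback="${tmp_base%/}/npm-cache-$(id -u)"
    if (umask 077; mkdir -p "$fallback") 2>/dev/null &&
       [ ! -L "$fallback" ] && [ -O "$fallback" ] && [ -w "$fallback" ]; then
        printf '%s\n' "$fallback"
        return 0
    fi

    echo "resolve_npm_cache: no writable cache location found" >&2
    return 1
}

# Usage in a CI step, before any npm command:
#   NPM_CONFIG_CACHE="$(resolve_npm_cache "$HOME" "${TMPDIR:-/tmp}" "${NPM_CONFIG_CACHE:-}")" \
#       && export NPM_CONFIG_CACHE
```

On a read-only root filesystem the scratch base has to be a writable mount; the function returns non-zero when neither location can be used, so the step fails early instead of inside npm.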