[BUG] npm run on a read-only filesystem does not work

[dynk]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

After upgrading the node version to my service (node: v18.5.0 to v18.6.0, npm: from 8.12.1 to 8.13.2), my service is not able to start up anymore:

`npm WARN logfile could not be created: Error: EROFS: read-only file system, open '/usr/src/app/.npm/_logs/2022-07-15T13_35_32_477Z-debug-0.log'

board-recording-service@1.0.0 start:prod
npm run db:migrate && node dist/src/main

npm ERR! code EROFS
npm ERR! syscall open
npm ERR! path /tmp/startprod65789232523.sh
npm ERR! errno -30
npm ERR! rofs EROFS: read-only file system, open '/tmp/startprod65789232523.sh'
npm ERR! rofs Often virtualized file systems, or other file systems
npm ERR! rofs that don't support symlinks, give this error.

npm ERR! Log files were not written due to an error writing to the directory: /usr/src/app/.npm/_logs
npm ERR! You can rerun the command with --loglevel=verbose to see the logs in your terminal`

This is due to recent changes in @npmcli/run-script which now writes scripts into the tmpdir(). (PR).
This is causing our service to break since it is running in a read-only filesystem.

Is this an expected behavior? If so what would be the recommendation to run our service now?

Expected Behavior

Able to run the service with newest npm and nove version in a read-only file system.

Steps To Reproduce

Sample of docker image with working node/npm version:

`FROM node:18.5.0-alpine as node_18_5_0
RUN apk add dumb-init

Creating non-root user to run the application

RUN addgroup -g 1001 -S app && mkdir -p /usr/src/app && adduser -u 1001 -S -G app -h /usr/src/app app
USER app
WORKDIR /usr/src/app
RUN echo $'{\n
"name": "npm-read-only-fs",\n
"version": "1.0.0",\n
"description": "",\n
"main": "index.js",\n
"scripts": {\n
"start": "echo 'some message'"\n
},\n
"author": "",\n
"license": "ISC",\n
"dependencies": {\n
},\n
"devDependencies": {\n
}\n
}\n
' >> package.json && npm install

Start the app

CMD ["dumb-init", "npm", "run", "start"]
`

Sample of docker image with broken node/npm version:

`
FROM node:18.6.0-alpine as node_18_6_0
RUN apk add dumb-init

Creating non-root user to run the application

RUN addgroup -g 1001 -S app && mkdir -p /usr/src/app && adduser -u 1001 -S -G app -h /usr/src/app app
USER app
WORKDIR /usr/src/app
RUN echo $'{\n
"name": "npm-read-only-fs",\n
"version": "1.0.0",\n
"description": "",\n
"main": "index.js",\n
"scripts": {\n
"start": "echo 'some message'"\n
},\n
"author": "",\n
"license": "ISC",\n
"dependencies": {\n
},\n
"devDependencies": {\n
}\n
}\n
' >> package.json && npm install

Start the app

CMD ["dumb-init", "npm", "run", "start"]
`

Running the last one will produce the same error as provided before

Environment

• npm: 8.13.2
• Node.js: v18.5.0
• OS Name: macOS Big Sur version 11.6.2

[KMatuszak]

I can't even start my app without read-only, reported this a few days ago on image issue tracker: nodejs/docker-node#1749

[wraithgar]

This is being tracked in #4838

[vojty]

I don't think #4838 solves this problem. I've just upgraded npm to 8.16.0 and getting this:

npm ERR! code EROFS
npm ERR! syscall open
npm ERR! path /tmp/start-09cff96e.sh
npm ERR! errno -30
npm ERR! rofs EROFS: read-only file system, open '/tmp/start-09cff96e.sh'
npm ERR! rofs Often virtualized file systems, or other file systems
npm ERR! rofs that don't support symlinks, give this error.

npm ERR! Log files were not written due to an error writing to the directory: /home/node/.npm/_logs
npm ERR! You can rerun the command with `--loglevel=verbose` to see the logs in your terminal

for any npm run <xy> command

[vojty]

@wraithgar shouldn't we reopen this issue?

[jjezek]

Having the same problem as @vojty with 8.16.0 ...

2022-08-09 10:00:38 npm ERR! code EROFS
2022-08-09 10:00:38 npm ERR! syscall open
2022-08-09 10:00:38 npm ERR! path /tmp/production-506ef698.sh
2022-08-09 10:00:38 npm ERR! errno -30
2022-08-09 10:00:38 npm ERR! rofs EROFS: read-only file system, open '/tmp/production-506ef698.sh'

[vojty]

I've found the workaround - basically don't use npm at all
Given package.json:

{
  ...
  "scripts": {
    "start": "NODE_ENV=production node ./dist/index.js
  }
  ...
}

So instead of CMD [ "npm", "run", "start" ] you can run the script directly:

CMD [ "sh", "-c", "NODE_ENV=production node ./dist/index.js" ]

[yashodgayashan]

@wraithgar This is a seperate issue. Even after using npm@8.15.1 this can be reproducible.

npm ERR! code EROFS
npm ERR! syscall open
npm ERR! path /tmp/prod-7da54d34.sh
npm ERR! errno -30
npm ERR! rofs EROFS: read-only file system, open '/tmp/prod-7da54d34.sh'
npm ERR! rofs Often virtualized file systems, or other file systems
npm ERR! rofs that don't support symlinks, give this error.

npm ERR! Log files were not written due to an error writing to the directory: /home/node/.npm/_logs
npm ERR! You can rerun the command with `--loglevel=verbose` to see the logs in your terminal

[balonik]

@wraithgar please re-open, this is not about the LOGS issue, but about the EROFS error.

[mhamann]

@wraithgar this is not fixed. Mercifully, we actually get logs from npm telling us what the problem is, but it still exits immediately, which means you can't run this in a production container environment. It's a major regression from the previous behavior, which was perfectly happy in a read-only filesystem.

#4838 seemed to fix the logging portion, but we still need a fix for the crash.

[marek5050]

Why does npm run need to save anything in a tmp file? how can I disable this functionality? it used to work with npm 4 and 6 it's only a problem after we upgraded to npm 8. -_- for security reasons we need to use a readonly root filesystem in our docker images.

Ironically we even downgraded from 8.15 for an identical problem down to 8.5 and now we're seeing it again :D

I was able to make it work slighlty better by adding --offline --logs-max=0 to the npm run command -_-
so now the startup cmd is npm run prod --offline --logs-max=0

[PRR24]

Probably related to this topic:
"npm run xxx" fills /tmp path with files /tmp/xxx-??????.sh and never cleans them up.
node 16.17.1, npm 8.15.0, Ubuntu.

[lukekarrys]

This was fixed in 8.17.0 by d0f5995.

I was able to create a dockerfile with:

FROM node:lts
COPY project /project
COPY npm-8.17.0.tgz /npm-8.17.0.tgz
RUN npm install /npm-8.17.0.tgz -g
RUN useradd -u 1234 npm
USER npm

and then run:

#/bin/bash

docker build -t npm-readonly .
ID=$(docker run -dit --rm --read-only npm-readonly)
docker exec -it "$ID" /bin/sh

In the shell the example script I created ran successfully:

$ npm --version
8.17.0
$ cd project
$ npm run console-log

> project@1.0.0 console-log
> node script.js

1

If I change the version to 8.16.0 it fails with:

> project@1.0.0 console-log
> node script.js

npm ERR! code EROFS
npm ERR! syscall open
npm ERR! path /tmp/console-log-16a0f356.sh
npm ERR! errno -30
npm ERR! rofs EROFS: read-only file system, open '/tmp/console-log-16a0f356.sh'
npm ERR! rofs Often virtualized file systems, or other file systems
npm ERR! rofs that don't support symlinks, give this error.

npm ERR! Log files were not written due to an error writing to the directory: /home/npm/.npm/_logs
npm ERR! You can rerun the command with `--loglevel=verbose` to see the logs in your terminal

[ck-delivery-admin-vn]

Hi @lukekarrys, npm with default config can't run on read-only env is an expected behavior? I still facing this in npm 10.x when running it in AWS lambda which only allows writing to /tmp folder.

ARG FUNCTION_DIR="/function"

FROM node:20-buster as build-image
ARG FUNCTION_DIR
RUN apt-get update && \
    apt-get install -y \
    g++ \
    make \
    cmake \
    unzip \
    libcurl4-openssl-dev \
    git

# npm can't run in read-only env (lambda)
# https://github.com/npm/cli/issues/5183
ENV NPM_CONFIG_CACHE=/tmp/.npm # <----------- need move cache to /tmp

# install lib
RUN mkdir -p ${FUNCTION_DIR}
COPY package.json package-lock.json ${FUNCTION_DIR}
WORKDIR ${FUNCTION_DIR}
RUN npm install
RUN npm install aws-lambda-ric

# copy code
COPY . ${FUNCTION_DIR}

ENTRYPOINT ["/usr/local/bin/npx", "aws-lambda-ric"]
CMD ["index.handler"]

The error will be like this

npm ERR! code EROFS
npm ERR! syscall mkdir
npm ERR! path /home/sbx_user1051
npm ERR! errno -30
npm ERR! rofs EROFS: read-only file system, mkdir '/home/sbx_user1051'
npm ERR! rofs Often virtualized file systems, or other file systems
npm ERR! rofs that don't support symlinks, give this error.
npm ERR! Log files were not written due to an error writing to the directory: /home/sbx_user1051/.npm/_logs 

[ShadabFaiz]

what is logic behind npm requiring access to tmp file ? I have docker image of a simple nestJS application facing same issue. However, The image was created in Jan. It was working fine till 15 Feb. On 16th Feb, When I ran image again, it started fail. Same image. It has multiple times on our ECS service. After deploy the image. It will work fine, then suddenly if we restart our ECS service, it may or may not show the issue. It is not even 100% guaranteed to show
My guess is npm may have some logic to write logfile during "npm start"

[programmerraja]

@ck-delivery-admin-vn I am also facing same issue can anyone help me to fix and explain why this happening