v4.2.2: yarn using incorrect user for plugin installs

[decentral1se]

Describe the current behavior

On a chocobozzz/peertube:v4.2.2-bullseye docker deployment, I don't understand why all of a sudden the plugin install command (called from the admin web UI) is trying to run commands in /root/.config/yarn instead of /home/peertube/.config/yarn? I haven't changed my config as far as I know.

Config is here: https://git.coopcloud.tech/coop-cloud/peertube/src/branch/main/compose.yml

warn[27/09/2022, 12:08:14] Cannot install plugin peertube-plugin-auth-openid-connect.

{
  "err": {
    "err": {
      "stack": "Error: Command failed: yarn add peertube-plugin-auth-openid-connect@0.1.0\nError: EACCES: permission denied, open '/root/.config/yarn'\n    at Object.openSync (node:fs:594:3)\n    at readFileSync (node:fs:462:35)\n    at /opt/yarn-v1.22.19/lib/cli.js:97395:58\n    at Array.map (<anonymous>)\n    at parseRcPaths (/opt/yarn-v1.22.19/lib/cli.js:97393:78)\n    at Object.findRc (/opt/yarn-v1.22.19/lib/cli.js:97407:10)\n    at getRcConfigForCwd (/opt/yarn-v1.22.19/lib/cli.js:56965:74)\n    at /opt/yarn-v1.22.19/lib/cli.js:88756:56\n    at Generator.next (<anonymous>)\n    at step (/opt/yarn-v1.22.19/lib/cli.js:310:30)\n\n    at ChildProcess.exithandler (node:child_process:400:12)\n    at ChildProcess.emit (node:events:513:28)\n    at ChildProcess.emit (node:domain:489:12)\n    at maybeClose (node:internal/child_process:1093:16)\n    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)",
      "message": "Command failed: yarn add peertube-plugin-auth-openid-connect@0.1.0\nError: EACCES: permission denied, open '/root/.config/yarn'\n    at Object.openSync (node:fs:594:3)\n    at readFileSync (node:fs:462:35)\n    at /opt/yarn-v1.22.19/lib/cli.js:97395:58\n    at Array.map (<anonymous>)\n    at parseRcPaths (/opt/yarn-v1.22.19/lib/cli.js:97393:78)\n    at Object.findRc (/opt/yarn-v1.22.19/lib/cli.js:97407:10)\n    at getRcConfigForCwd (/opt/yarn-v1.22.19/lib/cli.js:56965:74)\n    at /opt/yarn-v1.22.19/lib/cli.js:88756:56\n    at Generator.next (<anonymous>)\n    at step (/opt/yarn-v1.22.19/lib/cli.js:310:30)\n",
      "code": 1,
      "killed": false,
      "signal": null,
      "cmd": "yarn add peertube-plugin-auth-openid-connect@0.1.0"
    },
    "stdout": "",
    "stderr": "Error: EACCES: permission denied, open '/root/.config/yarn'\n    at Object.openSync (node:fs:594:3)\n    at readFileSync (node:fs:462:35)\n    at /opt/yarn-v1.22.19/lib/cli.js:97395:58\n    at Array.map (<anonymous>)\n    at parseRcPaths (/opt/yarn-v1.22.19/lib/cli.js:97393:78)\n    at Object.findRc (/opt/yarn-v1.22.19/lib/cli.js:97407:10)\n    at getRcConfigForCwd (/opt/yarn-v1.22.19/lib/cli.js:56965:74)\n    at /opt/yarn-v1.22.19/lib/cli.js:88756:56\n    at Generator.next (<anonymous>)\n    at step (/opt/yarn-v1.22.19/lib/cli.js:310:30)\n"
  }
}

Steps to reproduce

1. Use the chocobozzz/peertube:v4.2.2-bullseye docker image
2. Install a plugin from the web UI

Describe the expected behavior

Plugin is installed.

Additional information

• PeerTube instance:
  • URL: https://tv.lumbung.space
  • Version: chocobozzz/peertube:v4.2.2-bullseye
  • NodeJS version: v16.17.0
  • Ffmpeg version: 4.3.4-0+deb11u1

[decentral1se]

I ran into this while trying to upgrade to 4.3 but ran into #5303 and then when I downgraded, this was still the case so I am quite confused as to why this is happening. Since the app invokes the install commands I wouldn't imagine anything in my volumes or app state would be interfeering with this... 🤔

[decentral1se]

Oh shiet, this made it work 😱

diff --git a/compose.yml b/compose.yml
index 1ba11d7..b0a56f9 100644
--- a/compose.yml
+++ b/compose.yml
@@ -48,6 +48,7 @@ services:
 
   app:
     image: chocobozzz/peertube:v4.2.2-bullseye
+    user: peertube
     environment:
       - PEERTUBE_ADMIN_EMAIL
       - PEERTUBE_CONTACT_FORM_ENABLED
@@ -107,7 +108,7 @@ services:
       retries: 10

But as I understand it, the image should be run under the root user?

PeerTube/support/docker/production/Dockerfile.bullseye

Line 27 in 4a9de87

USER root

I suspect something happened with the way yarn is invoked?

[Chocobozzz]

But as I understand it, the image should be run under the root user?

No, it's just to build the image. The container should be started using the peertube user with https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/entrypoint.sh#L14
May be the source of your bug?

[decentral1se]

@Chocobozzz thanks for looking into it.

If I run:

$ docker run -it chocobozzz/peertube:v4.3.0-bullseye whoami
root

Then I am confused. If it was just the build user then it should return peertube? This is the case for other images.

Is this a bug in implementing https://docs.docker.com/build/building/multi-stage/ where the second USER root is overriding the user which is running commands?

If we're saying the container should be run with the peertube user then can't we just set USER peertube in the Dockerfile for the runtime?

Also what is also confusing is that this was not an issue for maintaining the instance without setting user: peertube for over a year and now it is. I don't know why that is the case now...

[decentral1se]

Perhaps something changes in the relationship between exec gosu peertube "$0" "$@" and USER root? I probably don't understand Docker well enough and sorry if I'm confusing the concepts of which users are running what... trying to piece this together myself mostly...

[Chocobozzz]

We use an entrypoint in the dockerfile: https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/Dockerfile.bullseye#L40
And a CMD: https://github.com/Chocobozzz/PeerTube/blob/develop/support/docker/production/Dockerfile.bullseye#L46

The goal of our entrypoint is to run the process using the peertube user when the container is started with the root user with a node parameter (gosu command). You can check this behaviour by running docker run -it chocobozzz/peertube:v4.3.0-bullseye node -e 'console.log(require("os").userInfo())'

Try to run our entrypoint with node dist/server arguments.