-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Composer 2.7.0 usage with root user leads to plugins not being loaded #11839
Comments
I don't quite understand how it breaks. Maybe if you shared the full output we'd know more.. Setting But it's just a guess.. And I'm not sure if it's appropriate or not for ElasticBeanstalk to run as root, nor if it is reasonable to allow plugins to run in this context. Anyway please report this to AWS, as they really should fix it if it breaks by default there. |
I had the same problem in
Online research shows, that this usually fails when Edit:
|
This |
Sorry, maybe I wrote it wrong. I meant, usually it is because of the But to be sure, I updated it in my project to the current version 2.4.4, and in the pipeline I checked that it was properly installing and also that it is in the But I still get the error message. When I add
to
Nothing fancy, I suppose. Currently on php:8.2 |
It's bitbucket pipelines running everything as root? Do you see a composer warning that plugins have been disabled because it's running as root? If so try setting the COMPOSER_ALLOW_SUPERUSER=1 environment variable, that's a more appropriate fix than downgrading |
Ah, brilliant, thank you @Seldaek !
This works without a problem and with composer v2.7.0. |
Ok, then i wonder what we can do to make the warning about plugins more visible / understandable.. |
Perhaps what had confused me is that I didn't change anything relevant from yesterday, but it just suddenly stopped working because of the implicit bump up in version from 2.6.6 to 2.7.0, but this was not visible anywhere, whilst the behavior changed. Perhaps something like adding Or perhaps make it default to stop on warnings, and adding an additional |
Hi @Seldaek , I guess you right, it's just about this: plugins are now disabled correctly when running as root. |
Can confirm. Using 2.6.6 or Some bakground: we are using gitlab-ci with Alpine Linux to install TYPO3 10.4.x which brings its own installer plugin ( I suspect this final security-fix commit before 2.7.0 was released: (I suggest changing the issue title to something more generic.) |
You're right, I edited the title and issue to add a clear explanation of what is going on and how to work around it and when it is ok to work around. IMO in CI this isn't a nasty workaround it's fine, although I don't really understand why these CI require you to run as root. I am working on some tweaks to hopefully highlight the problem a bit closer to where it causes things to break. |
… cause problems, fixes composer#11839
… cause problems, fixes composer#11839
… cause problems, fixes composer#11839
As 2.7 breaks some AWS Elastic Beanstalk production environments, maybe add a quick note to the changelogs of composer. As I read the changelogs but still encountered the issue. Something like:
|
Right, added it 👍🏻 |
IMHO, this is a breaking change introduced in a minor version but semver states: Now all my containerized symfony applications are failing to deploy, and I don't even use AWS ElasticBeanstalk. |
It's a security fix which tbh could have even been released in a patch release. Set the env var in your containers and move on? |
I am using export "COMPOSER_ALLOW_SUPERUSER=1 " and running "composer install" is still not working for me |
For security reasons, Composer now disables plugins when running as root. Unfortunately, this broke the build of the Docker image. Indeed Symfony wasn't generating the `vendor/autoload_runtime.php` file anymore and Bileto wasn't able to start. Reference: composer/composer#11839
I spent the entire morning debugging why at first, the web folder was not created by Drupal project scaffolding from my Docker image. Fatal error: Uncaught Error: Class "Drupal" not found in /var/www/html/vendor/drush/drush/src/Boot/DrupalBoot8.php:93 After reverting COMPOSER_ALLOW_SUPERUSER=1 and applying the composer self-update 2.6.6 solution, things restarted working as intended. This indicates to me that there's more to the solution than just setting COMPOSER_ALLOW_SUPERUSER |
@Arr-n-D if you're able to create a repeatable test case for the problem you're encountering, please open a new issue with these details. |
It seems like this change should have been update of major version. |
This is closed but I'll ask here because maybe somebody sees this. Today we also got lucky and took our productions site down. I'm wondering, shouldn't Composer return error code so Docker would not finish the build? I mean if it's not working properly under root, shouldn't it be more vocal? |
"not working" depends whether your project requires plugins to run to have something working. The core behavior of composer is still working. |
Eheh, i understand what you mean by "core behavior of composer is still working", but still running composer install one would expect to get a working codebase out of it, instead we got only 4 MB of code instead of the usual 200+MB of code we run in production. The issue was also quite hard to debug, because logs are quite verbose and also not colorful as in the screenshots up there. I think the safer way of doing such updates would be to return an error code, so that one would go and dig deeper in logs instead of getting a "green" deployment that is not working. Anyhow, glad we found this :) |
Not to beat a dead horse, but for anyone still watching this (or finding this), I'm still seeing issues and my profile seems a bit different. I'm dealing with Docker and both the initial install process and subsequent uses are often performed as root in our E2E testing environment. When I shell into the container as root and non-root, I get the following (w/ -vvv): Root:
Non-root:
I don't get any warning about plugins not running as root. I also see the
P.S. Making this even more preposterous. nothing I try will successfully downgrade composer
Update for posterity: |
Edit from @Seldaek: Here is an explanation and solution:
The problem stems from the fact that when running as root, for safety we now disable plugins. If running interactively Composer prompts you whether you want to enable them, but when non-interactive we just disable them and output a warning.
If you want to allow plugins to run you should set the
COMPOSER_ALLOW_SUPERUSER=1
environment variable. This will suppress the warning and let Composer run as usual even when running as root.However, you should IMO only do this if you can ensure you run trusted code, or if you are in a disposable environment/containerized CI that will get reset at the end of the run anyway. If you run composer with sudo in production machines however IMO you are likely doing something wrong and you should re-evaluate these processes instead of simply suppressing the errors.
See also https://getcomposer.org/doc/faqs/how-to-install-untrusted-packages-safely.md
Original issue text:
Our running platform is AWS ElasticBeanstalk.
The deployment process is failing when using composer 2.7.0 whereas success when using 2.6.6.
The problem is that AWS ElasticBeanstalk run
composer
asroot
(as I can see from logs).composer 2.7.0 is fixing CVE-2024-24821..
To solve the problem, I force the version of composer to version 2.6.6 :
composer self-upgrade 2.6.6
.I opened this issue to help other people to find a solution.
The text was updated successfully, but these errors were encountered: