Instructions to deploy on Azure/Ubuntu LTS 18.04 fail

I created a new VM today on Azure and tried to deploy Node-RED per https://nodered.org/docs/getting-started/azure
The process broke on installation of Node-RED with an error in bcrypt.

I used a workaround to install unsafe, i.e. replaced "sudo npm install -g node-red" with "sudo npm install -g --unsafe-perm node-red"

Question 1: can I recover from "unsafe" to safe somehow? What risks have I introduced to my installation?

Question 2: can someone review Azure installation instructions to make them "work out of the box"?

Relevant section from log:

bcrypt@3.0.6 install /usr/lib/node_modules/node-red/node_modules/bcrypt
node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download

node-pre-gyp WARN Pre-built binaries not installable for bcrypt@3.0.6 and node@10.20.1 (node-v64 ABI, glibc) (falling back to source compile with node-gyp)

node-pre-gyp WARN Hit error EACCES: permission denied, mkdir '/usr/lib/node_modules/node-red/node_modules/bcrypt/lib'

Killed

pilot@bagxml-U18:~$ gyp WARN EACCES current user ("nobody") does not have permission to access the dev dir "/home/pilot/.cache/node-gyp/10.20.1"

What command did you type exactly to install it?

First attempt: sudo npm install -g node-red
This one failed, as illustrated in the quote from the log.

Second attempt, from the Raspberry/Mac instructions: sudo npm install -g --unsafe-perm node-red
This one was successful.

I am trying to understand the impact of the --unsafe-perm flag.

The explanation on stackabuse.com (ultimate guide to configuring npm) does not speak to me. What is the impact of suppressing a switch in userID?

You realise this is written in the official docs?

And also there is a script to further simplify installation on rpi & Ubuntu

Hi Steve,
I am not a CLI hero so, yes, I rely a lot on documentation.
This time I am setting up an Azure instance with more attention to security than my usual RPI or "Ubuntu on old laptop" deployment.

The instructions in the official docs for setting up on Azure failed on me.

That is why I opened this post, to understand security implementation of "--unsafe-perm" (and to let someone with deep understanding look at Azure set-up instructions).

From here

I suppose that this isn’t ‘unsafe’ but it does force the package installer to never drop into user and group switching when installing apps. It’s possible then you may end up having the code run as ‘root’ when installing (which could then be considered ‘unsafe’);

So basically DON'T run node-red as admin/sudo (which I am certain the docs say AND the installer script sorts out when it creates the service)

Regarding the docs - I guess you are asking if the docs should be updated...
...to say sudo npm install -g --unsafe-perm node-red

I don't know the answer to that but it would seem to be "Yes, docs need updating" based on what you posted.

Hopefully Dave or Nick can clarify.

As the quote you added indicates (sort of) - by default npm tries to be a good citizen - so when it is run as root... if it then calls out to other programs (like in our case node-gyp) in order to compile native code (we optionally want bcrypt) - then it drops all execution privileges just in case the 3rd party app wants to do something bad. If run as a non-root user (without sudo) - it doesn't do this. So yes, when we install as root then yes, we do need the --unsafe-perm flag, which then stops it dropping privileges. I'll fix the docs.

Thank you both for responses.
My understanding

  • npm install in default mode runs scripts under local permissions. Sometimes this gives a conflict of insufficient rights
  • npm install under sudo runs under root permission, with the risk of launching a script that can do damage
  • npm install --unsafe-perm runs all scripts under permissions of the user

I have no clue why the default way of working favours local permissions, but to run everything as "myself" does not feel extraordinarily risky.

Case closed :blush:
