I created a new VM on Azure today and tried to deploy Node-RED per "Running on Microsoft Azure : Node-RED".
The process broke on installation of Node-RED with an error in bcrypt.
I used a workaround to install unsafe, i.e. replaced "sudo npm install -g node-red" with "sudo npm install -g --unsafe-perm node-red".
Question 1: Can I recover from "unsafe" to safe somehow? What risks have I introduced to my installation?
Question 2: Can someone review the Azure installation instructions to make them "work out of the box"?
node-pre-gyp WARN Using request for node-pre-gyp https download
node-pre-gyp WARN Pre-built binaries not installable for bcrypt@3.0.6 and node@10.20.1 (node-v64 ABI, glibc) (falling back to source compile with node-gyp)
node-pre-gyp WARN Hit error EACCES: permission denied, mkdir '/usr/lib/node_modules/node-red/node_modules/bcrypt/lib'
Killed
pilot@bagxml-U18:~$ gyp WARN EACCES current user ("nobody") does not have permission to access the dev dir "/home/pilot/.cache/node-gyp/10.20.1"
Hi Steve,
I am not a CLI hero so, yes, I rely a lot on documentation.
This time I am setting up an Azure instance with more attention to security than my usual RPI or "Ubuntu on old laptop" deployment.
The instructions in the official doc for setting up on Azure failed on me.
That is why I opened this post, to understand security implementation of "--unsafe-perm" (and to let someone with deep understanding look at the Azure set-up instructions).
I suppose that this isn't 'unsafe' but it does force the package installer to never drop into user and group switching when installing apps. It's possible then you may end up having the code run as 'root' when installing (which could then be considered 'unsafe').
So basically DON'T run node-red as admin/sudo (which I am certain the docs say AND the installer script sorts out when it creates the service).
Regarding the docs - I guess you are asking if the docs should be updated...
...to say sudo npm install -g --unsafe-perm node-red
I don't know the answer to that but it would seem to be "Yes, docs need updating" based on what you posted.
As the quote you added indicates (sort of) - by default npm tries to be a good citizen - so when it is run as root... if it then calls out to other programs (like in our case node-gyp) in order to compile native code (we optionally want bcrypt) - then it drops all execution privileges just in case the 3rd party app wants to do something bad. If run as a non-root user (without sudo) - it doesn't do this. So yes, when we install as root then yes, we do need the --unsafe-perm flag, which then stops it dropping privileges. I'll fix the docs.