I am relatively new to Linux and Node Red and have been trying to find a guide on configuring the Linux (Debian 9) file system for use with Node-Red. I am trying to secure the Node-Red system using the Node-Red-Admin tools as per the user guide using sudo (https://nodered.org/docs/user-guide/node-red-admin), but it is throwing permission denied errors. I suspect I will also run into errors when I install SQLITE and try to create a database.
I am using a single board Linux box (not a Pi) using a named user with sudo priveledges, not root.
Is there a guide anypone kinows of on how the file structure should be setup including permissionins to allow seamless operation of Node-Red without turning off all security?
You will need to share the errors. Running as sudo shouldn't give any permission errors since, by definition, you are taking on the persona of "root". It isn't impossible for root to be denied access but it implies a fairly messed up installation if you do.
The only things you should install with sudo in regard to Node-RED is anything that you really need to install globally. For example, if using npm install -g .... That should only be Node-RED itself and node-red-admin.
A good way to see the best configuration for a "standard" install is to look at Dave's script for the Pi. In fact, as you are using Debian, there is a very good chance that his script will work for you anyway. Though it would install some Pi specific nodes that you don't really need. It also assumes that you are using the user pi as well I think, you could always just temporarily create the pi user I guess.
Other than the two global installs, you should install everything else as the user you want to run Node-RED. If using systemd to run on boot, you will also need to specify the user in the start script.
Otherwise, Node-RED runs happily in user space with standard permissions. You will need to add your user to any special groups like wheel for hardware access but that is all.
actually the script asks if you want the Pi nodes or not - and it also runs as the user you run it as and modifies the service start file to suit - so it should run just fine on debian as any user. It will ask for sudo password to install node.js and the core of Node-RED as root.
I did use the debian install script and declined the Pi nodes option. The issue I am running into is around the node-red-admin install for the security guide: sudo npm install -g node-red-admin
I am getting the following output:
sudo npm install -g node-red-admin
/usr/bin/node-red-admin -> /usr/lib/node_modules/node-red-admin/node-red-admin.js
> firstname.lastname@example.org install /usr/lib/node_modules/node-red-admin/node_modules/bcrypt
> node-pre-gyp install --fallback-to-build
node-pre-gyp WARN Using request for node-pre-gyp https download
node-pre-gyp WARN Pre-built binaries not installable for email@example.com and firstname.lastname@example.org (node-v72 ABI, glibc) (falling back to source compile with node-gyp)
node-pre-gyp WARN Hit error EACCES: permission denied, mkdir '/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib'
gyp WARN EACCES current user ("nobody") does not have permission to access the dev dir "/root/.cache/node-gyp/12.13.1"
gyp WARN EACCES attempting to reinstall using temporary dev dir "/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/.node-gyp"
gyp WARN install got an error, rolling back install
gyp WARN install got an error, rolling back install
gyp ERR! configure error
gyp ERR! stack Error: EACCES: permission denied, mkdir '/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/.node-gyp'
gyp ERR! System Linux 4.4.0-cip-uc8100+
gyp ERR! command "/usr/bin/node" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "configure" "--fallback-to-build" "--module=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding/bcrypt_lib.node" "--module_name=bcrypt_lib" "--module_path=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding" "--napi_version=5" "--node_abi_napi=napi" "--napi_build_version=0" "--node_napi_label=node-v72"
gyp ERR! cwd /usr/lib/node_modules/node-red-admin/node_modules/bcrypt
gyp ERR! node -v v12.13.1
gyp ERR! node-gyp -v v5.0.5
gyp ERR! not ok
node-pre-gyp ERR! build error
node-pre-gyp ERR! stack Error: Failed to execute '/usr/bin/node /usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js configure --fallback-to-build --module=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding/bcrypt_lib.node --module_name=bcrypt_lib --module_path=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding --napi_version=5 --node_abi_napi=napi --napi_build_version=0 --node_napi_label=node-v72' (1)
node-pre-gyp ERR! stack at ChildProcess.<anonymous> (/usr/lib/node_modules/node-red-admin/node_modules/node-pre-gyp/lib/util/compile.js:83:29)
node-pre-gyp ERR! stack at ChildProcess.emit (events.js:210:5)
node-pre-gyp ERR! stack at maybeClose (internal/child_process.js:1021:16)
node-pre-gyp ERR! stack at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5)
node-pre-gyp ERR! System Linux 4.4.0-cip-uc8100+
node-pre-gyp ERR! command "/usr/bin/node" "/usr/lib/node_modules/node-red-admin/node_modules/.bin/node-pre-gyp" "install" "--fallback-to-build"
node-pre-gyp ERR! cwd /usr/lib/node_modules/node-red-admin/node_modules/bcrypt
node-pre-gyp ERR! node -v v12.13.1
node-pre-gyp ERR! node-pre-gyp -v v0.13.0
node-pre-gyp ERR! not ok
Failed to execute '/usr/bin/node /usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js configure --fallback-to-build --module=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding/bcrypt_lib.node --module_name=bcrypt_lib --module_path=/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/lib/binding --napi_version=5 --node_abi_napi=napi --napi_build_version=0 --node_napi_label=node-v72' (1)
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: email@example.com (node_modules/node-red-admin/node_modules/bcrypt):
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: firstname.lastname@example.org install: `node-pre-gyp install --fallback-to-build`
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: Exit status 1
updated 1 package in 65.314s
Part of securing the interface is generating the password hash which they recommend using the node-red-admin command line tool.
When I ran the install, I sawe a whole heap of errors and assumed that it had failed, but as you have pointed out, it did install and does work
My concern now is the error being thrown for file access permissions. Really I am chasing feedback as to whether I need to cange permissions on any of the folders to allow installtion of any additional modules or allow a node-red flow to create files (i.e. SQLite DB). By the sounds of it, I should be OK??
I am now running into issues with SQLite insrtallation which I need to search the forum for answers.