V1.0.0 - Securing Node-Red Issue after upgrade

I have an issue on a QNap Docker install, I've been using v0.20.7-v8 with no issues in conjunction with HomeAssistant (also in a container).

I've now installed v1.0.0-12-amd64 but find I am unable to login to my instance, when I try the webpage it essentially locks up - i.e. no visible error but it doesn't log in and I cannot re-attempt with different credentials.

In the container station on the Qnap I see the following error line (everything else looks fine):-

 Potentially unhandled rejection [1] Error: EACCES: permission denied, open '/data/.sessions.json'

If I force refresh the webpage and attempt again then the error line is repeated.

I've opened the .sessions.json file but there's nothing there that means anything to me unfortunately. However, if I comment out the adminAuth section of settings.js then everything works as expected.

I get the feeling I'm maybe missing something fundamental but I haven't a clue what that might be. Any advice on how to re-add this little bit of security to my setup would be gratefully received!

Ian

This will be a permissions issue - the file was created by one user in the old container, but the new container is trying to access it as a different user.

Need to get @RaymondMouthaan's advice on what has changed with the users between the old and new containers, and what fix is needed here. It should be a simple enough task to change the permissions on the /data files - we just need to figure out what permissions to change.

Very recently we found out about permission issues. The good news is that I have a fix for it .. a PR is coming asap.

Please follow the issue at github https://github.com/node-red/node-red-docker/issues/135

Hi @ianfretwell
Can you share the docker command used to start it ?
Can you see what permissions are on that volume currently ?

Hi,

Given that all I'm doing is pressing 'Start' in QNap's container station I might well have this wrong, however this is what's shown in the terminal window:-

node-red-docker@1.0.0 start /usr/src/node-red
node $NODE_OPTIONS node_modules/node-red/red.js -v $FLOWS "--userDir" "/data"

1 Oct 07:47:55 - [info]

Welcome to Node-RED

1 Oct 07:47:55 - [info] Node-RED version: v1.0.0
1 Oct 07:47:55 - [info] Node.js version: v12.10.0
1 Oct 07:47:55 - [info] Linux 4.14.24-qnap x64 LE
1 Oct 07:47:56 - [info] Loading palette nodes
1 Oct 07:47:58 - [info] Settings file : /data/settings.js

Permissions on which volume though, the entire volume that Container Station is sat on ?

well we want to find out what it thinks /data is (and who owns it) etc...

OK, bearing in mind I'm a lot more fluent in Windows than Linux...so I'm coming at this from whatever GUI options the Qnap is giving me.

Owner of that folder is 'admin' (i.e. the main admin account on the QNap itself).
Permissions wise:- read, write, execute are selected for Owner, Group & Others.

I'm not grasping how permissions is involved when if I just comment out the adminAuth section the whole thing works just fine - so surely its got access to the volume/folder anyway?

When the docker container starts it has to run under a User ID - this is typically set as part of the compose file for the docker image - or can be passed in on the command line

reading the last comment in this thread

It appears that some of the files are being owned by root:root rather than the Node-red user

If you bring up a shell on your QNAP and have a look at the permissions on the settings file you will probably find this is the case

However based on the Github discussion above it sounds like this is a bigger issue in the current build - so it would make more sense to pull down the latest image and see if this has been resolved (yet) by the author

Craig

And from the Docker image notes

Host Directory As Volume (Persistent)

To save your Node-RED user directory inside the container to a host directory outside the container, you can use the command below. But to allow access to this host directory, the node-red user (default uid=1000) inside the container must have the same uid as the owner of the host directory. To override the default uid and gid of the node-red user inside the container you can use the option --user="<my_host_uid>:<my_host_gid>" :

$ docker run -it --user="<my_host_uid>:<my_host_gid>" -p 1880:1880 -v <host_directory>:/data --name mynodered nodered/node-red

Example:

  • Suppose you are running on a Raspberry PI with a user named 'pi' and group 'pi'.
$ whoami
  • With this user create a directory '~/.node-red'.
$ mkdir ~/.node-red
  • Verify newly created directory with:
$ ls -al ~/.node-red

This shows that user pi is owner of this directory:

ls -al ~/.node-red
total 8
drwxr-xr-x 2 pi pi 4096 May  7 20:55 .
drwxr-xr-x 8 pi pi 4096 May  7 20:42 ..
  • Now we want to have access to this '~/.node-red' directory with the container so that Node-RED can save user data to it. As we know we need to override the default uid (1000) of the node-red user inside the container with the uid of the pi user. For that we need to know the uid of user pi:
$ id pi
  • The uid and gid of user pi are:
uid=1000(pi) gid=1000(pi) [...]
  • So the final command becomes:
$ docker run -it --user="1000:1000" -p 1880:1880 -v ~/.node-red:/data --name mynodered nodered/node-red

Thanks for all that - and it all sounds very likely...but it's completely ignoring the fact that it all works just fine when I remove the adminAuth section...i.e. I can create new flows/edit flows/etc...and they are all being saved by node-red into that same folder which you seem to be telling me it hasn't got permissions to - but it must have...

What am I not following here ?

Also, Docker on the Qnap is all run through the Container Station app - so there is no command line for stopping and starting anything - at least not that I'm aware of.

Which suggests the permissions issue is on the .sessions.json file itself and not the folder as a whole.

You can safely delete that file and let NR recreate it next time you log in.

I can certainly give that a go, but it'll be six hours or so before I get the opportunity.

Thanks.

The ownership issue within the node-red images has been fixed yesterday. Unfortunately I did not have the time to respond earlier.

I would recommend the suggestion of @knolleary, to delete .sessions.json first and try again from the QNAP GUI.

If that didn't work please read on...

I don't have a QNAP NAS, but I do have a Synology. The Synology Docker UI does not have an option to set --user and from your reading this option isn't available either on a QNAP. This is only possible from command line. To gain access to the command line on a QNAP, follow the instructions on this page: https://www.qnap.com/en/how-to/knowledge-base/article/how-to-access-qnap-nas-by-ssh/.

If it did not work, you followed the steps from the QNAP website, and you are able to log in via ssh to your QNAP, you can follow the next harmless steps:

ls -al <full_path_to_your_host_directory>

<full_path_to_your_host_directory> is the full path on your NAS where your volume is bound. You should have set this from the QNAP GUI. On a Synology the full path is not displayed, only a partial one, and my guess is that this is also the case on a QNAP.

The red marked path is the partial path:

On a Synology the "base" path is /volume1 and might be the same on a QNAP. So concatenating those together the full path in my case becomes /volume1/docker/node-red-minimal.

now execute:

ls -al /volume1/docker/node-red-minimal

and:

ls -nal /volume1/docker/node-red-minimal

If you succeeded so far, please post the results of both commands, so I can help you further to identify the problem and fix it.

Regards,
Ray

1 Like
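An added example, not part of any post in this thread: a small shell function that automates the `ls -nal` check described above by listing every entry under the bind-mounted data directory whose numeric owner differs from the uid the container runs as. This is the situation in which the directory is writable (flows save fine) but one file such as .sessions.json cannot be opened. The function name `foreign_owned` is made up for this example, the path in the usage comment is the Synology path quoted above, and the default uid 1000 comes from the Docker image notes.

```shell
#!/bin/sh
# foreign_owned DIR [UID]
#   Prints an `ls -n` line (numeric uid/gid) for every entry under DIR whose
#   owner is not UID. Returns 1 if any such entry exists, 0 if all match.
#   UID defaults to 1000, the default node-red uid per the image notes.
foreign_owned() {
    dir=$1
    uid=${2:-1000}

    # POSIX find treats a numeric -user argument as a uid when no account
    # with that literal name exists. `ls -nd` shows numeric owner and mode
    # without descending into directories.
    out=$(find "$dir" ! -user "$uid" -exec ls -nd {} + 2>/dev/null)

    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Usage (substitute your own bind-mounted host directory):
#   foreign_owned /volume1/docker/node-red-minimal 1000
```

Any line it prints names a file the container user does not own; a .sessions.json entry showing owner `0 0` would match the root:root ownership discussed earlier in the thread.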

Good news (at least for me) - deleting the .sessions.json file fixed the issue and I now have working logins again.

I then created another container with the 1.00-1-12-amd64 version and all good there too.

Many thanks for all the help and suggestions - much appreciated.

2 Likes