#2143 `make srpm` step fails during `npm ci` in copr
Closed: Fixed 2 years ago by vashirov. Opened 2 years ago by vashirov.

We use the `make srpm` method to build packages from our git repo on each commit:
https://copr.fedorainfracloud.org/coprs/g/389ds/389-ds-base-nightly/

After 2022-01-27, builds started to fail during the srpm generation step. Here's our Makefile:
https://github.com/389ds/389-ds-base/blob/master/.copr/Makefile

It fails during `npm ci` execution:

```
npm ERR! code EPERM
npm ERR! syscall spawn
npm ERR! errno -1
npm ERR! Error: spawn EPERM
npm ERR!     at ChildProcess.spawn (node:internal/child_process:413:11)
npm ERR!     at spawn (node:child_process:700:9)
npm ERR!     at /usr/lib/node_modules/npm/node_modules/@npmcli/promise-spawn/index.js:36:12
npm ERR!     at new Promise (<anonymous>)
npm ERR!     at promiseSpawnUid (/usr/lib/node_modules/npm/node_modules/@npmcli/promise-spawn/index.js:35:13)
npm ERR!     at promiseSpawn (/usr/lib/node_modules/npm/node_modules/@npmcli/promise-spawn/index.js:15:10)
npm ERR!     at runScriptPkg (/usr/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/run-script-pkg.js:54:13)
npm ERR!     at runScript (/usr/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/run-script.js:9:16)
npm ERR!     at Array.<anonymous> (/usr/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js:320:17)
npm ERR!     at run (/usr/lib/node_modules/npm/node_modules/promise-call-limit/index.js:30:26)
npm ERR!  Error: spawn EPERM
npm ERR!     at ChildProcess.spawn (node:internal/child_process:413:11)
npm ERR!     at spawn (node:child_process:700:9)
npm ERR!     at /usr/lib/node_modules/npm/node_modules/@npmcli/promise-spawn/index.js:36:12
npm ERR!     at new Promise (<anonymous>)
npm ERR!     at promiseSpawnUid (/usr/lib/node_modules/npm/node_modules/@npmcli/promise-spawn/index.js:35:13)
npm ERR!     at promiseSpawn (/usr/lib/node_modules/npm/node_modules/@npmcli/promise-spawn/index.js:15:10)
npm ERR!     at runScriptPkg (/usr/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/run-script-pkg.js:54:13)
npm ERR!     at runScript (/usr/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/run-script.js:9:16)
npm ERR!     at Array.<anonymous> (/usr/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js:320:17)
npm ERR!     at run (/usr/lib/node_modules/npm/node_modules/promise-call-limit/index.js:30:26) {
npm ERR!   errno: -1,
npm ERR!   code: 'EPERM',
npm ERR!   syscall: 'spawn'
npm ERR! }
npm ERR! 
npm ERR! The operation was rejected by your operating system.
npm ERR! It is likely you do not have the permissions to access this file as the current user
npm ERR! 
npm ERR! If you believe this might be a permissions issue, please double-check the
npm ERR! permissions of the file and its containing directories, or try running
npm ERR! the command again as root/Administrator.
```

As I don't have shell access to the copr builders, I've spun up an F35 VM with copr (via docker-compose) to troubleshoot further and get more logs, but to my surprise it worked there.

The same steps to generate the srpm work on a clean F35 VM too.

Please help me to investigate this failure.
Thanks.


> As I don't have shell access to the copr builders

Ping me on #buildsys-build, I can give you a testing machine.

> I've spun up an F35 VM with copr (via docker-compose) to troubleshoot further and get more logs, but to my surprise it worked there.

The difference might be that our builders are VMs that run mock with
systemd nspawn ON. When you run the task in a container (compose), Mock automatically
falls back to `--isolation=simple`. It is weird (I would expect failure vice versa) but
I'm not sure what the EPERM actually means here ... and there can be any peculiarity.

Metadata Update from @praiskup:
- Issue tagged with: question

2 years ago

copr-rpmbuild executes mock with the mock-source-build.cfg config, which drops a lot of capabilities: https://pagure.io/copr/copr/blob/main/f/rpmbuild/mock-source-build.cfg#_9
I've installed bcc-tools and monitored `npm ci` with `/usr/share/bcc/tools/capable` to detect what capabilities they use. CAP_SETGID was the one that caused EPERM.

Turns out, this is a behaviour change in NPM since 7.x:
https://github.com/npm/cli/blob/latest/changelogs/CHANGELOG-7.md#all-lifecycle-scripts

> The user, group, uid, gid, and unsafe-perms configurations are no longer relevant. When npm is run as root, scripts are always run with the effective uid and gid of the working directory owner.

Files had root:mockbuild ownership, so npm tried to set gid to mockbuild user and was denied.
I've added a line to our Makefile to always chown files in $CWD to root:root and now make srpm step works.

Metadata Update from @vashirov:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
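
The failure diagnosed in the last comment, as an added example that is not part of the ticket or of the npm, mock or copr code: a pre-flight check that models the quoted npm 7 behaviour (as root, lifecycle scripts are spawned with the working directory owner's uid/gid) and reports which capability that spawn would need but lack. The function names, gid 135 and the CapEff masks are constructed for illustration; the bit numbers for CAP_SETGID and CAP_SETUID are those in `linux/capability.h`.

```shell
#!/bin/sh
# Added example. Assumption (from the changelog quote in the ticket): npm >= 7
# running as root switches to the uid/gid owning the working directory before
# running lifecycle scripts, which needs CAP_SETUID/CAP_SETGID if they differ.

CAP_SETGID=6   # bit numbers from linux/capability.h
CAP_SETUID=7

# has_cap <CapEff hex mask> <bit>: succeeds if that capability bit is set.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# predict_spawn <euid> <egid> <dir_uid> <dir_gid> <CapEff hex mask>
# Prints "ok" or the missing capabilities; returns 1 if the spawn would get EPERM.
predict_spawn() {
    p_missing=""
    # A non-root npm does not switch ids at all.
    if [ "$1" -ne 0 ]; then echo ok; return 0; fi
    if [ "$4" -ne "$2" ] && ! has_cap "$5" "$CAP_SETGID"; then
        p_missing="CAP_SETGID"
    fi
    if [ "$3" -ne "$1" ] && ! has_cap "$5" "$CAP_SETUID"; then
        p_missing="${p_missing:+$p_missing }CAP_SETUID"
    fi
    if [ -n "$p_missing" ]; then echo "$p_missing"; return 1; fi
    echo ok
}

# check_dir <dir>: same prediction for the live process (Linux, GNU stat).
check_dir() {
    c_capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    set -- "$(id -u)" "$(id -g)" $(stat -c '%u %g' "$1") "$c_capeff"
    predict_spawn "$@"
}

# Constructed inputs: process is root:root, source tree is root:<gid 135>.
predict_spawn 0 0 0 135 00000000000000c0 || true  # both caps kept      -> ok
predict_spawn 0 0 0 135 0000000000000080 || true  # CAP_SETGID dropped  -> CAP_SETGID
predict_spawn 0 0 0 0   0000000000000080 || true  # after chown to root:root -> ok
```

Calling `check_dir .` in the build recipe before `npm ci` turns the opaque `spawn EPERM` into a message naming the missing capability.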
