Comments (7)

OrionTheGiant avatar OrionTheGiant commented on August 12, 2024 1

Thanks for digging into this!

Dropping the capability from the installer and adding the --allow-low-ports flag sound like good ways forward to me.

That node setting the capability as one of the prerequisites seems like it should cover most cases where no longer automatically setting the capability could potentially cause problems for people.

I would maybe also include a note referring to this issue or mention NODE_PATH wherever the --allow-low-ports flag is documented so people running the script can find their way back here if it turns out to cause problems for them.

from linux-installers.

dceejay avatar dceejay commented on August 12, 2024

Can't recall exactly - was way back before 2019 :-)... but I think it is to do with permissions to access ports below 1024. Without having extended capabilities nodes can't access any port below 1024 unless the system is run as root which we don't really want. This would affect many nodes like email, tcp, http etc so I don't think we would want to change the default right now unless we make it part of a major version bump.

I suppose we could add a flag to the installer (--no-low-ports or something ?) to install without it but not sure how useful that would be.

from linux-installers.

OrionTheGiant avatar OrionTheGiant commented on August 12, 2024

Thanks for the quick response! I totally understand that you can't fully recall why it was added. Whatever the original purpose, it seems odd that it's only needed on Broadcom CPUs.

You're right that it may not be a broad enough issue to need a flag on the installer but mentioning on the Raspberry Pi getting started page that it breaks the NODE_PATH and HOME environment variables in scripts run under node may be enough to help people that it would impact and set them on the right debugging path.

from linux-installers.

dceejay avatar dceejay commented on August 12, 2024

Hmm good point re broadcom/Pi... hmm now really scratching my brain as to why/if it's still needed... as we haven't had too many issues/complaints about port access on generic ubuntu installs etc.

from linux-installers.

dceejay avatar dceejay commented on August 12, 2024

Meanwhile back to the original issue - are you able to supply a small example flow that shows this inconsistency ? If I just echo $HOME or $NODE_PATH in an exec node (ie running under node env) I get /home/pi for $HOME and "" for NODE_PATH and likewise on my Mac I get /home/dcj and "" ...

from linux-installers.

OrionTheGiant avatar OrionTheGiant commented on August 12, 2024

Looking up the capabilities here says that CAP_NET_RAW is for transparent proxying and using RAW and PACKET sockets while CAP_NET_BIND_SERVICE is for binding to the lower 1024 ports anyhow. For better or worse, there are plenty of people who run into permission issues and the first thing they try is running it as root so maybe that's part of why there aren't many reported issues?

Printing the environment variables directly turned out not to be enough because the problem is from the module loader only allowing the use of "safe" environment variables. If you print out module.paths without the capability it will include the paths in NODE_PATH and HOME but with the capability set it won't.

Here's an example running from the node REPL

cl-admin@latitude:~$ echo $HOME $NODE_PATH
/home/cl-admin /usr/local/lib/npm/lib/node_modules:
cl-admin@latitude:~$ /sbin/getcap /usr/bin/node
cl-admin@latitude:~$ node
Welcome to Node.js v12.22.2.
> console.log(module.paths)
[
  '/home/cl-admin/repl/node_modules',
  '/home/cl-admin/node_modules',
  '/home/node_modules',
  '/node_modules',
  '/usr/local/lib/npm/lib/node_modules',
  '/home/cl-admin/.node_modules',
  '/home/cl-admin/.node_libraries',
  '/usr/lib/node'
]
> 
cl-admin@latitude:~$ sudo /sbin/setcap cap_net_raw+eip /usr/bin/node
cl-admin@latitude:~$ /sbin/getcap /usr/bin/node
/usr/bin/node = cap_net_raw+eip
cl-admin@latitude:~$ node
Welcome to Node.js v12.22.2.
> console.log(module.paths)
[
  '/home/cl-admin/repl/node_modules',
  '/home/cl-admin/node_modules',
  '/home/node_modules',
  '/node_modules',
  '/usr/lib/node'
]

from linux-installers.
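Added example, not part of the original thread: a Node.js check for the symptom shown in the REPL session above, where search-path entries derived from NODE_PATH and HOME disappear once the node binary carries a file capability. The function names are hypothetical and the sample values are copied from that session.

```javascript
'use strict';
// Added diagnostic sketch; names below are illustrative, not from Node-RED.
const path = require('path').posix; // the thread concerns Linux installs
const Module = require('module');

// Paths the module loader derives from the environment when it trusts it:
// every NODE_PATH entry, then $HOME/.node_modules and $HOME/.node_libraries.
function expectedEnvPaths(env) {
  const fromNodePath = (env.NODE_PATH || '')
    .split(path.delimiter)
    .filter(Boolean); // drops the empty entry left by a trailing ':'
  const fromHome = env.HOME
    ? [path.join(env.HOME, '.node_modules'),
       path.join(env.HOME, '.node_libraries')]
    : [];
  return fromNodePath.concat(fromHome);
}

// Environment-derived paths that are absent from the loader's search list.
function droppedEnvPaths(env, searchPaths) {
  const present = new Set(searchPaths.map((p) => path.resolve(p)));
  return expectedEnvPaths(env).filter((p) => !present.has(path.resolve(p)));
}

// Run against the live process: a non-empty result means the loader
// ignored NODE_PATH and/or HOME for this node binary.
function checkCurrentProcess() {
  return droppedEnvPaths(process.env, Module.globalPaths);
}

// Sample data taken from the REPL session in the comment above.
const SAMPLE_ENV = {
  HOME: '/home/cl-admin',
  NODE_PATH: '/usr/local/lib/npm/lib/node_modules:',
};
const COMMON = ['/home/cl-admin/repl/node_modules', '/home/cl-admin/node_modules',
  '/home/node_modules', '/node_modules'];
const PATHS_WITHOUT_CAP = COMMON.concat(['/usr/local/lib/npm/lib/node_modules',
  '/home/cl-admin/.node_modules', '/home/cl-admin/.node_libraries', '/usr/lib/node']);
const PATHS_WITH_CAP = COMMON.concat(['/usr/lib/node']);
```

Calling `checkCurrentProcess()` from a script started by the installed node binary, next to the output of `getcap` on that binary, shows whether an install is affected.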

dceejay avatar dceejay commented on August 12, 2024

Hi @OrionTheGiant
ok I think we have worked out why it was set in the first place... It was because at the time the physical web and BLE was on trend and Pi was great for beacons... so things like noble and this https://www.npmjs.com/package/node-red-node-physical-web - needed raw sockets.

So - how do we back out of this position... ? I think we could maybe just drop it... as any existing installs will continue as they are (we aren't removing the permission). That node (above) in particular does explain the prereq and how to set it, so the fix is "discoverable".

I think we could also add a --allow-low-ports optional flag to enable cap_net_bind_service (across all platforms not just Pi) but default that to not do anything. (or does the raw permission give access to port <1024 as well ?) Thoughts ?

from linux-installers.
