CDK CLI errors when run as a non-existent user #7937

Closed
jonathanmorley opened this issue May 12, 2020 · 10 comments · Fixed by #21018
@jonathanmorley
Contributor

A regression in 1.37 means that the CDK CLI will error out if it is run by a user not in /etc/passwd

Reproduction Steps

```sh
npx cdk init app --language=typescript
npm install
docker run -u 502:502 -v $(pwd):/app -w /app node ./node_modules/.bin/cdk list
```

Error Log

```
SystemError [ERR_SYSTEM_ERROR]: A system error occurred: uv_os_get_passwd returned ENOENT (no such file or directory)
    at Object.userInfo (os.js:268:11)
    at cdkHomeDir (/app/node_modules/aws-cdk/lib/util/directories.ts:7:21)
    at Object.cdkCacheDir (/app/node_modules/aws-cdk/lib/util/directories.ts:11:20)
    at new AccountAccessKeyCache (/app/node_modules/aws-cdk/lib/api/aws-auth/account-cache.ts:25:44)
    at Object.<anonymous> (/app/node_modules/aws-cdk/lib/api/aws-auth/sdk.ts:38:42)
    at Module._compile (internal/modules/cjs/loader.js:1176:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1196:10)
    at Module.load (internal/modules/cjs/loader.js:1040:32)
    at Function.Module._load (internal/modules/cjs/loader.js:929:14)
    at Module.require (internal/modules/cjs/loader.js:1080:19)
```

Environment

  • CLI Version : >= 1.37
  • Framework Version:
  • OS : Tested in Docker on MacOS
  • Language : Typescript

This is 🐛 Bug Report

@jonathanmorley jonathanmorley added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 12, 2020
@jonathanmorley
Contributor Author

jonathanmorley commented May 12, 2020

The error goes away if you mount an /etc/passwd containing a user with UID 502

```
❯ docker run -it -u 502:502 -v $(pwd)/etc_passwd:/etc/passwd -v $(pwd):/app -w /app node ./node_modules/.bin/cdk list
CdkTempStack
```

or if you provide a CDK_HOME env var

```
❯ docker run -it -u 502:502 -v $(pwd):/app -e CDK_HOME=foo -w /app node ./node_modules/.bin/cdk list
CdkTempStack
```

@SomayaB SomayaB added the package/tools Related to AWS CDK Tools or CLI label May 12, 2020
@shivlaks
Contributor

shivlaks commented May 12, 2020

@jonathanmorley I think this is because of the fix we introduced in #7674, which addressed a bug where CDK_HOME was not being consistently honored.

Otherwise, since this is an opportunistic cache, we also simply shouldn't fail if we can't create the dir. Can you run your cdk command with -v to get to the point of failure?

I can't quite tell if this is expected or another bug just yet.

@shivlaks shivlaks added the p1 label May 12, 2020
@jonathanmorley
Contributor Author

Running ./node_modules/.bin/cdk list -v returns the same stacktrace as above

```
SystemError [ERR_SYSTEM_ERROR]: A system error occurred: uv_os_get_passwd returned ENOENT (no such file or directory)
    at Object.userInfo (os.js:268:11)
    at cdkHomeDir (/app/node_modules/aws-cdk/lib/util/directories.ts:7:21)
    at Object.cdkCacheDir (/app/node_modules/aws-cdk/lib/util/directories.ts:11:20)
    at new AccountAccessKeyCache (/app/node_modules/aws-cdk/lib/api/aws-auth/account-cache.ts:25:44)
    at Object.<anonymous> (/app/node_modules/aws-cdk/lib/api/aws-auth/sdk.ts:38:42)
    at Module._compile (internal/modules/cjs/loader.js:1176:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1196:10)
    at Module.load (internal/modules/cjs/loader.js:1040:32)
    at Function.Module._load (internal/modules/cjs/loader.js:929:14)
    at Module.require (internal/modules/cjs/loader.js:1080:19)
```

@jonathanmorley
Contributor Author

Expected behaviour is that it would be successful. We have not been setting CDK_HOME (or relying on any files in a 'HOME' directory).

@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label May 19, 2020
@mitchlloyd
Contributor

mitchlloyd commented May 29, 2020

Just running into this error in a Jenkins build while upgrading from CDK 1.18 -> 1.42.

I've temporarily worked around this issue by setting the CDK_HOME environment variable in the Jenkins build.

@shivlaks shivlaks added the effort/small Small work item – less than a day of effort label Aug 21, 2020
@NGL321 NGL321 assigned rix0rrr and unassigned shivlaks Jan 25, 2021
@mb-dev

mb-dev commented Sep 25, 2021

duplicate of #15415 ?

I am running into the same issue in jenkins / docker.

@dennispost

Any news on this? Hit this error with CDK v2.12.0.

@mitchlloyd to which path did you set CDK_HOME?

@adambro
Contributor

adambro commented Mar 18, 2022

As reported in #19401, it's just a small function that needs a change. Looking at the code of the safeUsername() function, it's just used as part of the RoleSessionName. It could have a nice fallback to e.g. the $USER env var or just a predefined default value. The function is very simple:

```js
function safeUsername() {
    return os.userInfo().username.replace(/[^\w+=,.@-]/g, '@');
}
```

@zhukovsd

I had this problem while running CDK with Jenkins/Docker.

Jenkins runs the pipeline script inside of a Docker agent container with user id 1024. This user, by default, has no name, which causes the problem.

As a workaround, I created a user for id 1024:

```sh
echo "jenkins:x:1024:1024:default:/:/bin/bash" >> /etc/passwd
```

adambro added a commit to adambro/aws-cdk that referenced this issue May 3, 2022
In case the user does not have an entry in `/etc/passwd`, the `os.userInfo()`
call will throw a `SystemError` exception, as documented:
https://nodejs.org/docs/latest-v16.x/api/os.html#osuserinfooptions

Fixes aws#19401 issue.

It can be tested inside Docker for ad-hoc 1234 user ID:
```sh
docker run -u 1234 -e CDK_HOME=/tmp npm run cdk diff
```

The `CDK_HOME=/tmp` is a workaround for the aws#7937 issue, where CDK complains
that it can't write cached info in the user's homedir, because it does not
exist.

Once aws#7937 is fixed, aws#19401 will most likely hit users. However, the
above workaround is a viable option. Hence those two issues are related,
but not duplicates.
mergify bot pushed a commit that referenced this issue May 27, 2022
@corymhall corymhall self-assigned this Jul 6, 2022
@mergify mergify bot closed this as completed in #21018 Jul 7, 2022
mergify bot pushed a commit that referenced this issue Jul 7, 2022
The CDK home directory was being created in the user's home directory,
but this causes an error if for some reason the user does not have a
home directory.

This PR adds some fallback logic so that if the user's home directory does not exist it will fall back to
creating a tmp directory.

fix #7937
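
The two fallbacks discussed in this thread (a username fallback for `safeUsername()` and a temp-directory fallback for the CDK home directory), as an added example that is not the code merged in #21018 or any other aws-cdk source. The `$USER` and `noname` fallbacks, the writability check, the `cdk-` temp prefix and the helpers `lookupUser` and `isWritableDir` are assumptions; `userInfo` and `env` are parameters so the missing-passwd-entry failure can be simulated without a container.

```javascript
const os = require('node:os');
const fs = require('node:fs');
const path = require('node:path');

// Same character filter as the safeUsername() quoted in the thread.
const UNSAFE = /[^\w+=,.@-]/g;

// os.userInfo() throws a SystemError when the UID has no passwd entry.
// Return undefined instead so callers can fall back (hypothetical helper).
function lookupUser(userInfo = os.userInfo) {
  try {
    return userInfo();
  } catch {
    return undefined;
  }
}

// Username for a session name: passwd entry, then $USER, then a fixed default
// (both fallbacks are assumptions). The fallback value is sanitised as well.
function safeUsername(userInfo = os.userInfo, env = process.env) {
  const user = lookupUser(userInfo);
  const name = (user && user.username) || env.USER || 'noname';
  return name.replace(UNSAFE, '@');
}

// A passwd entry can name a home such as "/" that exists but is not writable
// by the container UID, so check more than existence (hypothetical helper).
function isWritableDir(dir) {
  try {
    fs.accessSync(dir, fs.constants.W_OK);
    return fs.statSync(dir).isDirectory();
  } catch {
    return false;
  }
}

// Base directory for the cache: CDK_HOME, then a usable home directory,
// then a fresh temp directory.
function cdkHomeDir(userInfo = os.userInfo, env = process.env) {
  if (env.CDK_HOME) return path.resolve(env.CDK_HOME);
  const user = lookupUser(userInfo);
  if (user && user.homedir && isWritableDir(user.homedir)) return user.homedir;
  // mkdtemp gives an unpredictable name and, on POSIX, mode 0700, which
  // matters because the directory holds cached account data in shared /tmp.
  return fs.mkdtempSync(path.join(os.tmpdir(), 'cdk-'));
}
```

Each call that reaches the last branch creates a new directory, so a caller should resolve the path once and reuse it.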
daschaa pushed a commit to daschaa/aws-cdk that referenced this issue Jul 9, 2022