I have installed Verdaccio as a Docker container with a docker-compose.yml file:

├── docker-compose.yml
├── INSTALLATION.md
├── README.md
└── volumes
    ├── conf
    │   ├── config.yaml
    │   └── htpasswd
    ├── plugins
    └── storage

which is:

version: "3.7"
services:
  registry:
    image: verdaccio/verdaccio
    networks:
      verdaccio:
    hostname: verdaccio
    ports:
      - 4873:4873
    volumes:
      - ~/dev/docker/registries/verdaccio/volumes/conf:/verdaccio/conf
      - ~/dev/docker/registries/verdaccio/volumes/plugins:/verdaccio/plugins
      - ~/dev/docker/registries/verdaccio/volumes/storage:/verdaccio/storage
    environment:
      VERDACCIO_PORT: 4873
    deploy:
      replicas: 1
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 30s
networks:
  verdaccio:
    name: verdaccio

and the file permissions:

sudo groupadd verdaccio;
sudo useradd -s /bin/false -d /dev/null -g verdaccio verdaccio;
sudo chown -R verdaccio:verdaccio ~/dev/docker/registries/verdaccio/volumes/
sudo chmod -R 755 ~/dev/docker/registries/verdaccio/volumes

I'm trying to publish an Angular library with the command:

npm publish lib-core-0.0.1.tgz

But I get the error:

npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT http://verdaccio:4873/lib-core - user stephane is not allowed to publish package lib-core
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/stephane/.npm/_logs/2020-05-10T05_40_47_153Z-debug.log
✔ ~/dev/js/projects/angular/lib-core/dist/lib-core [master|…1] 
07:40 $ npm publish @stephane/lib-core-0.0.1.tgz
npm ERR! code E404
npm ERR! 404 Not Found - GET http://verdaccio:4873/@stephane%2flib-core-0.0.1.tgz - no such package available
npm ERR! 404 
npm ERR! 404  '@stephane/lib-core-0.0.1.tgz@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/stephane/.npm/_logs/2020-05-10T05_40_55_652Z-debug.log

The server log:

verdaccio-registry_registry.1.662e59l987fw@stephane-pc    |  http <-- 403, user: stephane(10.255.0.2), req: 'PUT /lib-core', error: user stephane is not allowed to publish package lib-core
verdaccio-registry_registry.1.662e59l987fw@stephane-pc    |  http <-- 403, user: stephane(10.255.0.2), req: 'PUT /lib-core', error: user stephane is not allowed to publish package lib-core
verdaccio-registry_registry.1.662e59l987fw@stephane-pc    |  http <-- 403, user: stephane(10.255.0.2), req: 'GET /npm', error: user stephane is not allowed to access package npm
verdaccio-registry_registry.1.662e59l987fw@stephane-pc    |  http <-- 403, user: stephane(10.255.0.2), req: 'GET /npm', error: user stephane is not allowed to access package npm
verdaccio-registry_registry.1.662e59l987fw@stephane-pc    |  http <-- 404, user: stephane(10.255.0.2), req: 'GET /@stephane%2flib-core-0.0.1.tgz', error: no such package available
verdaccio-registry_registry.1.662e59l987fw@stephane-pc    |  http <-- 404, user: stephane(10.255.0.2), req: 'GET /@stephane%2flib-core-0.0.1.tgz', error: no such package available
verdaccio-registry_registry.1.662e59l987fw@stephane-pc    |  http <-- 404, user: stephane(10.255.0.2), req: 'GET /@stephane%2flib-core-0.0.1.tgz', error: no such package available
verdaccio-registry_registry.1.662e59l987fw@stephane-pc    |  http <-- 404, user: stephane(10.255.0.2), req: 'GET /@stephane%2flib-core-0.0.1.tgz', error: no such package available

When I read this error, I understand the package is looked up in Verdaccio and not found (404). Wait... Am I not trying to add a new package here? So why is it looked up first? Is there any other command I should type in before doing a publish? The trouble is that before this PUT request is issued to the server, I can't see any POST request to add the package.

I also tried (and got the same error) with the scoped prefix:

npm publish @stephane/lib-core-0.0.1.tgz

I run Verdaccio with the configuration:

storage: /verdaccio/storage
plugins: /verdaccio/plugins

auth:
  htpasswd:
    file: /verdaccio/conf/htpasswd
security:
  api:
    jwt:
      sign:
        expiresIn: 360d
        notBefore: 1
  web:
    sign:
      expiresIn: 7d

packages:
  '@*/*':
    access: $all
    publish: $all
    proxy: npmjs

  '@stephane/*':
    access: $anonymous
    publish: $anonymous
    proxy: npmjs

The storage is still empty:

stephane@stephane-pc:~/dev/docker/registries/verdaccio$ ll volumes/storage/
total 0

Even after removing the packages: configuration and restarting the Verdaccio container, after a successful npm login command, the publish command again fails with a 403 Forbidden error:

~/dev/js/projects/angular/lib-core/dist/lib-core [master|…1] 
08:04 $ npm publish lib-core-0.0.1.tgz

UPDATE: The whole issue was a host volume permissions issue. I reverted the permissions to my regular host user, and assigned this user to the container when running it. I added the following user property to the docker-compose.yml file:

user: "${CURRENT_UID}:${CURRENT_GID}"

I also changed the packages configuration so as to allow authenticated users to access scoped packages:

packages:
  '@*/*':
    access: $all
    publish: $authenticated
  '**':
    proxy: npmjs

The container now runs with the host user and the issue is gone.

Stephane
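
An added example, not part of the original post and not Verdaccio's own code: a simplified model of how the two `packages:` sections shown in the post resolve for the package names seen in the log. It assumes top-to-bottom first-match evaluation, that a name matching no pattern (or a rule without an `access`/`publish` key) grants nothing, and a hypothetical minimal glob matcher in place of the registry's real one; `globToRegExp`, `groupsFor`, `check` and `report` are illustrative names.

```javascript
// Added illustration, not Verdaccio source. Assumed model of `packages:`:
// the first matching pattern wins and a missing key grants nothing.

// Hypothetical minimal glob: `**` matches anything, `*` stays inside one segment.
function globToRegExp(glob) {
  const esc = s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const body = glob.split('**')
    .map(part => part.split('*').map(esc).join('[^/]*'))
    .join('.*');
  return new RegExp(`^${body}$`);
}

// Groups assumed for an anonymous (null) versus a logged-in user.
function groupsFor(user) {
  return user ? [user, '$all', '$authenticated'] : ['$all', '$anonymous'];
}

// Resolve one request to the rule that decides it and the verdict.
function check(packages, pkgName, action, user) {
  const rule = Object.keys(packages).find(p => globToRegExp(p).test(pkgName)) || null;
  const granted = rule ? [].concat(packages[rule][action] || []) : [];
  return { rule, allowed: granted.some(g => groupsFor(user).includes(g)) };
}

// The two `packages:` sections from the post, transcribed from YAML.
const original = {
  '@*/*': { access: '$all', publish: '$all', proxy: 'npmjs' },
  '@stephane/*': { access: '$anonymous', publish: '$anonymous', proxy: 'npmjs' },
};
const updated = {
  '@*/*': { access: '$all', publish: '$authenticated' },
  '**': { proxy: 'npmjs' },
};

function report() {
  const cases = [
    [original, 'lib-core', 'publish', 'stephane'],      // PUT /lib-core in the log
    [original, 'npm', 'access', 'stephane'],            // GET /npm in the log
    [original, '@stephane/lib-core', 'publish', null],  // anonymous, scoped name
    [updated, '@stephane/lib-core', 'publish', null],
    [updated, '@stephane/lib-core', 'publish', 'stephane'],
    [updated, 'lib-core', 'publish', 'stephane'],       // unscoped falls to '**'
  ];
  return cases.map(([cfg, name, action, user]) => ({ name, action, user, ...check(cfg, name, action, user) }));
}

console.log(report());
```

Under this model the original `'@stephane/*'` entry is never reached because `'@*/*'` precedes it, and its `publish: $all` would admit anonymous publishes to any scope; the updated section closes that with `$authenticated`.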