I have installed Verdaccio as a Docker container with a docker-compose.yml
file:
├── docker-compose.yml
├── INSTALLATION.md
├── README.md
└── volumes
├── conf
│ ├── config.yaml
│ └── htpasswd
├── plugins
└── storage
which is:
version: "3.7"
services:
registry:
image: verdaccio/verdaccio
networks:
verdaccio:
hostname: verdaccio
ports:
- 4873:4873
volumes:
- ~/dev/docker/registries/verdaccio/volumes/conf:/verdaccio/conf
- ~/dev/docker/registries/verdaccio/volumes/plugins:/verdaccio/plugins
- ~/dev/docker/registries/verdaccio/volumes/storage:/verdaccio/storage
environment:
VERDACCIO_PORT: 4873
deploy:
replicas: 1
restart_policy:
condition: any
delay: 5s
max_attempts: 3
window: 30s
networks:
verdaccio:
name: verdaccio
and the file permissions:
sudo groupadd verdaccio;
sudo useradd -s /bin/false -d /dev/null -g verdaccio verdaccio;
sudo chown -R verdaccio:verdaccio ~/dev/docker/registries/verdaccio/volumes/
sudo chmod -R 755 ~/dev/docker/registries/verdaccio/volumes
I'm trying to publish an Angular library with the command:
npm publish lib-core-0.0.1.tgz
But I get the error:
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT http://verdaccio:4873/lib-core - user stephane is not allowed to publish package lib-core
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.
npm ERR! A complete log of this run can be found in:
npm ERR! /home/stephane/.npm/_logs/2020-05-10T05_40_47_153Z-debug.log
✔ ~/dev/js/projects/angular/lib-core/dist/lib-core [master|…1]
07:40 $ npm publish @stephane/lib-core-0.0.1.tgz
npm ERR! code E404
npm ERR! 404 Not Found - GET http://verdaccio:4873/@stephane%2flib-core-0.0.1.tgz - no such package available
npm ERR! 404
npm ERR! 404 '@stephane/lib-core-0.0.1.tgz@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in:
npm ERR! /home/stephane/.npm/_logs/2020-05-10T05_40_55_652Z-debug.log
The server log:
verdaccio-registry_registry.1.662e59l987fw@stephane-pc | http <-- 403, user: stephane(10.255.0.2), req: 'PUT /lib-core', error: user stephane is not allowed to publish package lib-core
verdaccio-registry_registry.1.662e59l987fw@stephane-pc | http <-- 403, user: stephane(10.255.0.2), req: 'PUT /lib-core', error: user stephane is not allowed to publish package lib-core
verdaccio-registry_registry.1.662e59l987fw@stephane-pc | http <-- 403, user: stephane(10.255.0.2), req: 'GET /npm', error: user stephane is not allowed to access package npm
verdaccio-registry_registry.1.662e59l987fw@stephane-pc | http <-- 403, user: stephane(10.255.0.2), req: 'GET /npm', error: user stephane is not allowed to access package npm
verdaccio-registry_registry.1.662e59l987fw@stephane-pc | http <-- 404, user: stephane(10.255.0.2), req: 'GET /@stephane%2flib-core-0.0.1.tgz', error: no such package available
verdaccio-registry_registry.1.662e59l987fw@stephane-pc | http <-- 404, user: stephane(10.255.0.2), req: 'GET /@stephane%2flib-core-0.0.1.tgz', error: no such package available
verdaccio-registry_registry.1.662e59l987fw@stephane-pc | http <-- 404, user: stephane(10.255.0.2), req: 'GET /@stephane%2flib-core-0.0.1.tgz', error: no such package available
verdaccio-registry_registry.1.662e59l987fw@stephane-pc | http <-- 404, user: stephane(10.255.0.2), req: 'GET /@stephane%2flib-core-0.0.1.tgz', error: no such package available
When I read this error, I understand the package is looked up in Verdaccio and not found (404). Wait.. Am I not trying to add a new package here ? So why is it looked up first ? Is there any other command I should type in before doing a publish ? The trouble is that before this PUT request is issued to the server, I can't see any POST request to add the package.
I also tried (and got the same error) with the scoped prefix:
npm publish @stephane/lib-core-0.0.1.tgz
I run Verdaccio with the configuration:
storage: /verdaccio/storage
plugins: /verdaccio/plugins
auth:
htpasswd:
file: /verdaccio/conf/htpasswd
security:
api:
jwt:
sign:
expiresIn: 360d
notBefore: 1
web:
sign:
expiresIn: 7d
packages:
'@*/*':
access: $all
publish: $all
proxy: npmjs
'@stephane/*':
access: $anonymous
publish: $anonymous
proxy: npmjs
The storage is still empty:
stephane@stephane-pc:~/dev/docker/registries/verdaccio$ ll volumes/storage/
total 0
Even if removing the packages:
configuration and restart the Verdaccio container, after a successful npm login
command, the publish command again fails with a 403 Forbidden
error:
~/dev/js/projects/angular/lib-core/dist/lib-core [master|…1]
08:04 $ npm publish lib-core-0.0.1.tgz
UPDATE: The whole issue was a host volumes permissions issue. I reverted the permissions to my regular host user, and assigned this user to the container when running it. I added in the docker-compose.yml
file the following user
property:
user: "${CURRENT_UID}:${CURRENT_GID}"
I also changed the packages configuration so as to allow authenticated users to access scoped packages:
packages:
'@*/*':
access: $all
publish: $authenticated
'**':
proxy: npmjs
The container now runs with the host user and the issue is gone.