Description:
@rocket.chat/apps/deno-runtime is root-owned and requires an in-container chown for apps to start up without permission errors.
Steps to reproduce:
- Install an app in v.8.4.x
- Update the docker image to v.8.5.x and run the container as a non-root user
- View startup logs and see the deno permissions errors
Expected behavior:
Apps load successfully when the container runs as a non-root user, as in 8.4.x.
Actual behavior:
App compilation aborts at startup because the ephemeral Deno config is written into node_modules/@rocket.chat/apps/deno-runtime/, which is root-owned in the image. Every installed app fails with the same EACCES.
Server Setup Information:
- Version of Rocket.Chat Server: 8.5.1
- License Type: Starter
- Number of Users: 8
- Operating System: Ubuntu 24.04
- Deployment Method: docker
- Number of Running Instances: 1
- DB Replicaset Oplog: rs01
- NodeJS Version: v22.22.3
- MongoDB Version: 8.2.11
Client Setup Information
- Desktop App or Browser Version: Desktop app 4.14.1
- Operating System: Windows 11
Additional context
Workaround: docker compose exec -u 0 chown -R : .../@rocket.chat/apps/deno-runtime then restart. Confirms it's purely an ownership/write-location issue. Note the chown is lost on container recreation.
Relevant logs:
startup logs (repeats for every app installed)
...
Error while compiling the App "Tenor (ab4728ec-613e-472f-a24c-b48a77aacfff)":
Error: EACCES: permission denied, open '/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/deno-runtime/deno.runtime.jsonc'
at Object.writeFileSync (node:fs:2430:20)
at generateEphemeralDenoConfig (/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/dist/server/runtime/deno/AppsEngineDenoRuntime.js:120:8)
at new DenoRuntimeSubprocessController (/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/dist/server/runtime/deno/AppsEngineDenoRuntime.js:157:9)
at AppRuntimeManager.defaultRuntimeFactory [as runtimeFactory] (/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/dist/server/managers/AppRuntimeManager.js:5:69)
at AppRuntimeManager.startRuntimeForApp (/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/dist/server/managers/AppRuntimeManager.js:17:41)
at AppCompiler.toSandBox (/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/dist/server/compiler/AppCompiler.js:51:52)
at AppManager.load (/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/dist/server/AppManager.js:169:54)
at processTicksAndRejections (node:internal/process/task_queues:103:5)
at AppServerOrchestrator.load (ee/server/apps/orchestrator.js:195:3) {
errno: -13,
code: 'EACCES',
syscall: 'open',
path: '/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/deno-runtime/deno.runtime.jsonc'
}
...
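To check from the startup logs that every app fails on the same write target, as the report describes, the following added example (not part of the original report and not Rocket.Chat code) groups the EACCES compile errors by the directory being written to. The function name `triageEacces` and the second app in the sample log are assumptions made for illustration.

```javascript
// Added triage example: group EACCES app-compile failures by target directory.
// Line formats follow the log excerpt in the report above.
const APP_RE = /^Error while compiling the App "(.+) \(([0-9a-f-]{36})\)":/;
const EACCES_RE = /^Error: EACCES: permission denied, (\w+) '([^']+)'/;

function triageEacces(logText) {
  const byDir = new Map();
  let currentApp = null;
  for (const raw of logText.split(/\r?\n/)) {
    const line = raw.trim();
    const app = APP_RE.exec(line);
    if (app) {
      currentApp = app[1]; // remember which app the next error belongs to
      continue;
    }
    const err = EACCES_RE.exec(line);
    if (!err || currentApp === null) continue;
    const file = err[2];
    const dir = file.slice(0, file.lastIndexOf('/'));
    if (!byDir.has(dir)) byDir.set(dir, { syscall: err[1], apps: [] });
    byDir.get(dir).apps.push(currentApp);
    currentApp = null; // one EACCES line per compile-error block
  }
  return [...byDir].map(([dir, info]) => ({
    dir,
    syscall: info.syscall,
    apps: info.apps,
    // A write target under node_modules is image content, so its ownership
    // is set at image build time rather than by any single app.
    insideNodeModules: dir.split('/').includes('node_modules'),
  }));
}

// Constructed sample: the first block mirrors the report's log lines; the
// second app name and id are made up for illustration.
const SAMPLE_LOG = `
Error while compiling the App "Tenor (ab4728ec-613e-472f-a24c-b48a77aacfff)":
Error: EACCES: permission denied, open '/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/deno-runtime/deno.runtime.jsonc'
    at Object.writeFileSync (node:fs:2430:20)
Error while compiling the App "Example App (00000000-0000-4000-8000-000000000001)":
Error: EACCES: permission denied, open '/app/bundle/programs/server/npm/node_modules/@rocket.chat/apps/deno-runtime/deno.runtime.jsonc'
    at Object.writeFileSync (node:fs:2430:20)
`;

console.log(JSON.stringify(triageEacces(SAMPLE_LOG), null, 2));
```

A single result entry with `insideNodeModules: true` listing every installed app points at image file ownership rather than at any individual app.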