meyayl / docker-languagetool

GNU Lesser General Public License v2.1

wget: can't open '/ngrams/ngrams-en.zip': Permission denied #28

Open dewijones92 opened 7 months ago

dewijones92 commented 7 months ago

docker logs

INFO: Group "languagetool" already has gid 1000.
INFO: Fixing ownership for ngrams base folder if necessary.
INFO: Fixing ownership for fasttext model file if necessary.
INFO: Downloading "en" ngrams.
Connecting to languagetool.org (172.64.151.199:443)
wget: can't open '/ngrams/ngrams-en.zip': Permission denied
INFO: User "languagetool" alread has has uid 1000.
INFO: Group "languagetool" already has gid 1000.
INFO: Fixing ownership for ngrams base folder if necessary.
INFO: Fixing ownership for fasttext model file if necessary.
INFO: Downloading "en" ngrams.
Connecting to languagetool.org (172.64.151.199:443)
wget: can't open '/ngrams/ngrams-en.zip': Permission denied
INFO: User "languagetool" alread has has uid 1000.
INFO: Group "languagetool" already has gid 1000.
INFO: Fixing ownership for ngrams base folder if necessary.
INFO: Fixing ownership for fasttext model file if necessary.
INFO: Downloading "en" ngrams.
Connecting to languagetool.org (172.64.151.199:443)
wget: can't open '/ngrams/ngrams-en.zip': Permission denied
INFO: User "languagetool" alread has has uid 1000.
INFO: Group "languagetool" already has gid 1000.
INFO: Fixing ownership for ngrams base folder if necessary.
INFO: Fixing ownership for fasttext model file if necessary.
INFO: Downloading "en" ngrams.
Connecting to languagetool.org (172.64.151.199:443)
wget: can't open '/ngrams/ngrams-en.zip': Permission denied
INFO: User "languagetool" alread has has uid 1000.
INFO: Group "languagetool" already has gid 1000.
INFO: Fixing ownership for ngrams base folder if necessary.
INFO: Fixing ownership for fasttext model file if necessary.
INFO: Downloading "en" ngrams.
Connecting to languagetool.org (172.64.151.199:443)
wget: can't open '/ngrams/ngrams-en.zip': Permission denied
(base) dewi@DewiJones:~/code/grammer_checker_example$

script:

(base) dewi@DewiJones:~/code/grammer_checker_example$ bash go.sh
INFO: Setting uid for user "languagetool" to 1000.
INFO: Setting gid for group "languagetool" to 1000.
INFO: Fixing ownership for ngrams base folder if necessary.
INFO: Fixing ownership for fasttext model file if necessary.
INFO: Downloading "en" ngrams.
Connecting to languagetool.org (172.64.151.199:443)
wget: can't open '/ngrams/ngrams-en.zip': Permission denied
(base) dewi@DewiJones:~/code/grammer_checker_example$ cat
fasttext/ go.sh     ngrams/
(base) dewi@DewiJones:~/code/grammer_checker_example$ cat go.sh
docker run \
  --name languagetool \
  --restart always \
  --cap-drop ALL \
  --cap-add CAP_SETUID \
  --cap-add CAP_SETGID \
  --cap-add CAP_CHOWN \
  --security-opt no-new-privileges \
  --publish 8010:8010 \
  --env download_ngrams_for_langs=en \
  --env langtool_languageModel=/ngrams \
  --env langtool_fasttextModel=/fasttext/lid.176.bin \
  --env MAP_UID=1000 \
  --env MAP_GID=1000 \
  --volume $PWD/ngrams:/ngrams \
  --volume $PWD/fasttext:/fasttext \
  meyay/languagetool:latest
(base) dewi@DewiJones:~/code/grammer_checker_example$ find
.
./ngrams
./fasttext
./go.sh
(base) dewi@DewiJones:~/code/grammer_checker_example$ ls -alR
.:
total 20K
drwxr-xr-x 34 dewi dewi 4.0K Mar 26 16:27 ..
drwxr-xr-x  2 dewi dewi 4.0K Mar 26 16:36 ngrams
drwxr-xr-x  2 dewi dewi 4.0K Mar 26 16:36 fasttext
-rw-r--r--  1 dewi dewi  491 Mar 26 16:41 go.sh
drwxr-xr-x  4 dewi dewi 4.0K Mar 26 16:41 .

./ngrams:
total 8.0K
drwxr-xr-x 2 dewi dewi 4.0K Mar 26 16:36 .
drwxr-xr-x 4 dewi dewi 4.0K Mar 26 16:41 ..

./fasttext:
total 8.0K
drwxr-xr-x 2 dewi dewi 4.0K Mar 26 16:36 .
drwxr-xr-x 4 dewi dewi 4.0K Mar 26 16:41 ..
(base) dewi@DewiJones:~/code/grammer_checker_example$ id
uid=1000(dewi) gid=1000(dewi) groups=1000(dewi),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),116(netdev),1001(docker)
(base) dewi@DewiJones:~/code/grammer_checker_example$

I added the MAP_UID & MAP_GID but still get the same error. Could you help please? :) thanks

meyayl commented 7 months ago

The way the image is built, you need to allow read/write/execute permissions for the "other" group for the ngrams and fasttext folders.

Though, this reminds me that I always wanted to implement an alternative mode that runs everything as unprivileged user, does not chown anything, and does not switch users to run the LT process. If done right, it could even work with a read-only container filesystem.

dewijones92 commented 7 months ago

Sorry, I am confused. Could you please suggest how I can get this working? Thanks

meyayl commented 7 months ago

chmod 777 fasttext
chmod 777 ngrams

meyayl commented 7 months ago

Did it solve your problem? If so, can this issue be closed?

dewijones92 commented 7 months ago

Your suggestion solved it. Thanks

ovizii commented 3 weeks ago

I am glad I stumbled upon this issue as I was struggling with the same problem. I am wondering though, what is the point of letting languagetool run as MAP_UID and MAP_GID when it needs chmod 777 anyway?

meyayl commented 3 weeks ago

Great question! In theory 700 should be enough, as root should be able to change permissions even for folders owned by a different user. Though, in the alpine image, 700 doesn't seem to be enough, as root is considered "other" group. I cannot reproduce the container's behavior in a Linux VM.

The easiest way would be to rewrite the Dockerfile to start as unprivileged user and not use chmod and chown in the entrypoint script at all. I am quite sure this will make other users unhappy. So if you have a suggestion for an all in solution, I am all ears!

ovizii commented 3 weeks ago

I can't offer a solution, I'm just an end-user.

But I am wondering why you mentioned “root” - where does root come into play?

I thought by using MAP_UID and MAP_GID everything in this container was running with those permissions, so my folder containing the ngrams is owned by MAP_UID:MAP_GID (chown -R MAP_UID:MAP_GID) and “treated” with chmod -R 770 as nobody else has any business accessing that folder.

Is there a way to opt out of having this container try changing any permission or ownership? I'd very much prefer to download my own ngrams and fasttext lib, set ownership to MAP_UID:MAP_GID, apply a chmod -R 770 and be done with it.

meyayl commented 3 weeks ago

But I am wondering why you mentioned “root” - where does root come into play?

Every(!) image that provides user mapping through environment parameters starts the container as root, but executes the main process with the provided uid and gid. This is used for end user convenience.

Is there a way to opt out of having this container try changing any permission or ownership?

Not with the currently released image. You can wait until I implement it (will take some time, as I won't be able to find time the next days), you can modify the entrypoint script, build your own image and use it, or you can use one of the other existing images that matches your requirement.

ovizii commented 3 weeks ago

Thanks for clarifying. I'll be living with the chmod 777 for now. I just wanted to understand the reason behind this behaviour.
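
An added example, not part of the thread or of the project's entrypoint script: go.sh runs the container with `--cap-drop ALL`, so uid 0 has no CAP_DAC_OVERRIDE and the kernel applies the ordinary owner/group/other mode bits to it. The sketch below evaluates those bits for a directory; the function names are hypothetical, supplementary groups are ignored, and GNU `stat` on Linux is assumed.

```shell
#!/bin/sh
# Added example. Classifies a uid/gid against a directory the way the kernel
# does when no capability overrides the mode bits (no CAP_DAC_OVERRIDE).

# perm_class UID GID DIR -> prints owner, group or other
perm_class() (
  owner=$(stat -c '%u' "$3")
  group=$(stat -c '%g' "$3")
  if [ "$1" -eq "$owner" ]; then echo owner
  elif [ "$2" -eq "$group" ]; then echo group
  else echo other
  fi
)

# can_write UID GID DIR -> exit 0 if that class may create files in DIR
# (creating a file needs both write and search/execute on the directory)
can_write() (
  mode=$(( 0$(stat -c '%a' "$3") & 0777 ))
  case $(perm_class "$1" "$2" "$3") in
    owner) bits=$(( (mode >> 6) & 7 )) ;;
    group) bits=$(( (mode >> 3) & 7 )) ;;
    other) bits=$(( mode & 7 )) ;;
  esac
  [ $(( bits & 3 )) -eq 3 ]
)

# Constructed demo: a temp directory stands in for ./ngrams; the "foreign"
# ids are made up so that they match neither the owner nor the group.
demo() (
  d=$(mktemp -d)
  u=$(stat -c '%u' "$d"); g=$(stat -c '%g' "$d")
  for m in 700 755 770 777; do
    chmod "$m" "$d"
    for who in "$u $g" "$((u + 1)) $((g + 1))"; do
      set -- $who
      if can_write "$1" "$2" "$d"; then r=yes; else r=no; fi
      echo "mode=$m class=$(perm_class "$1" "$2" "$d") can_create_files=$r"
    done
  done
  rmdir "$d"
)
demo
```

Run against the real bind-mount path with the uid the download step executes as; which uid that is depends on the entrypoint script, which the thread does not show.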