Open dewijones92 opened 7 months ago
The way the image is built, you need to allow read/write/execute permissions for the "other" group for the ngrams and fasttext folders.
Though, this reminds me that I always wanted to implement an alternative mode that runs everything as an unprivileged user, does not chown anything, and does not switch users to run the LT process. If done right, it could even work with a read-only container filesystem.
Sorry, I am confused. Could you please suggest how I can get this working? Thanks
chmod 777 fasttext
chmod 777 ngrams
Did it solve your problem? If so, can this issue be closed?
Your suggestion solved it. Thanks
I am glad I stumbled upon this issue as I was struggling with the same problem. I am wondering though, what is the point of letting languagetool run as MAP_UID and MAP_GID when it needs chmod 777 anyway?
Great question! In theory 700 should be enough, as root should be able to change permissions even for folders owned by a different user. Though, in the alpine image, 700 doesn't seem to be enough, as root is considered "other" group. I cannot reproduce the container's behavior in a Linux VM.
The easiest way would be to rewrite the Dockerfile to start as an unprivileged user and not use chmod and chown in the entrypoint script at all. I am quite sure this will make other users unhappy. So if you have a suggestion for an all-in solution, I am all ears!
I can't offer a solution, I'm just an end-user.
But I am wondering why you mentioned “root” - where does root come into play?
I thought by using MAP_UID and MAP_GID everything in this container was running with those permissions, so my folder containing the ngrams is owned by MAP_UID:MAP_GID (chown -R MAP_UID:MAP_GID) and “treated” with chmod -R 770, as nobody else has any business accessing that folder.
Is there a way to opt out of having this container try changing any permission or ownership? I'd very much prefer to download my own ngrams and fasttext lib, set ownership to MAP_UID:MAP_GID, apply a chmod -R 770 and be done with it.
But I am wondering why you mentioned “root” - where does root come into play?
Every(!) image that provides user mapping through environment parameters starts the container as root, but executes the main process with the provided uid and gid. This is used for end user convenience.
Is there a way to opt out of having this container try changing any permission or ownership?
Not with the currently released image. You can wait until I implement it (will take some time, as I won't be able to find time the next days), you can modify the entrypoint script, build your own image and use it, or you can use one of the other existing images that matches your requirement.
Thanks for clarifying. I'll be living with the chmod 777 for now. I just wanted to understand the reason behind this behaviour.
docker logs
script:
I added the MAP_UID & MAP_GID but still get the same error. Could you help please? :) thanks
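The thread contrasts `chmod 777` with a folder owned by MAP_UID:MAP_GID at mode 770. The following pre-flight check is an added example, not part of the thread or of the project's entrypoint script: it reports which permission class (owner, group, other) a given uid:gid falls into for a directory and whether the mode grants that class rwx. The function names, the script name `check.sh` and the fallback to the current user are assumptions; supplementary groups, ACLs and capabilities are ignored.

```shell
#!/bin/sh
# Added example: decide from owner, group and mode bits which permission
# class a uid:gid falls into for a directory, and whether that class has rwx.
# Supplementary groups, ACLs and capabilities are not considered.

# perm_class UID GID OWNER_UID OWNER_GID -> owner | group | other
perm_class() {
    if [ "$1" -eq "$3" ]; then echo owner
    elif [ "$2" -eq "$4" ]; then echo group
    else echo other
    fi
}

# class_bits MODE CLASS -> octal digit (0-7) the mode grants to that class
class_bits() {
    m=$((0$1))                      # leading 0: read the mode as octal
    case "$2" in
        owner) echo $(( (m >> 6) & 7 )) ;;
        group) echo $(( (m >> 3) & 7 )) ;;
        *)     echo $(( m & 7 )) ;;
    esac
}

# check_dir PATH UID GID -> prints the verdict, returns 0 only for rwx (7)
check_dir() {
    info=$(stat -c '%u %g %a' "$1") || return 2
    set -- "$1" "$2" "$3" $info     # $4=owner uid, $5=owner gid, $6=mode
    class=$(perm_class "$2" "$3" "$4" "$5")
    bits=$(class_bits "$6" "$class")
    echo "$1: $2:$3 is '$class' of $4:$5, mode $6 grants $bits"
    [ "$bits" -eq 7 ]
}

# Usage (paths are placeholders): MAP_UID=... MAP_GID=... sh check.sh ./ngrams ./fasttext
# Falling back to the current user when the variables are unset is an assumption.
for d in "$@"; do
    check_dir "$d" "${MAP_UID:-$(id -u)}" "${MAP_GID:-$(id -g)}" ||
        echo "  -> this uid:gid does not get rwx without widening the mode"
done
```

A directory that only passes once it is mode 777 is being accessed by an identity that matches neither its owner nor its group, which is the case to fix with ownership rather than world-writable bits.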