From b9b24fbf94ba486259617c36f207fd4b45ee677c Mon Sep 17 00:00:00 2001 From: r3v5 Date: Mon, 21 Jul 2025 10:26:09 +0100 Subject: [PATCH] feat: make Distribution container images running be rootless in Llama Stack --- llama_stack/distribution/build_container.sh | 25 ++++++++++++++++----- 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/llama_stack/distribution/build_container.sh b/llama_stack/distribution/build_container.sh index 6985c1cd0..20eb372b7 100755 --- a/llama_stack/distribution/build_container.sh +++ b/llama_stack/distribution/build_container.sh @@ -259,6 +259,25 @@ fi RUN pip uninstall -y uv EOF +# Add non-root user setup before entrypoint +add_to_container << EOF + +# Create group with GID 1001 and user with UID 1001 +RUN groupadd -g 1001 appgroup && useradd -u 1001 -g appgroup -M appuser + +# Create necessary directories with appropriate permissions for UID 1001 +RUN mkdir -p /.llama /.cache && chown -R 1001:1001 /.llama /.cache && chmod -R 775 /.llama /.cache && chmod -R g+w /app + +# Set the Llama Stack config directory environment variable to use /.llama +ENV LLAMA_STACK_CONFIG_DIR=/.llama + +# This prevents dual storage while keeping /app as working directory for CI compatibility +ENV HOME=/ + +# Switch to non-root user (UID 1001 directly) +USER 1001 +EOF + # If a run config is provided, we use the --config flag if [[ -n "$run_config" ]]; then add_to_container << EOF @@ -271,12 +290,6 @@ ENTRYPOINT ["python", "-m", "llama_stack.distribution.server.server", "--templat EOF fi -# Add other require item commands genearic to all containers -add_to_container << EOF - -RUN mkdir -p /.llama /.cache && chmod -R g+rw /app /.llama /.cache -EOF - printf "Containerfile created successfully in %s/Containerfile\n\n" "$TEMP_DIR" cat "$TEMP_DIR"/Containerfile printf "\n"