phoenix-oss/llama-stack-mirror
0
0
Fork 1
mirror of https://github.com/meta-llama/llama-stack.git synced 2025-07-25 21:57:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: allow Distribution container images running rootlessly in Llama Stack

Browse source
This commit is contained in:
r3v5 2025-07-21 10:26:09 +01:00
parent 6ab5760a1b
commit ecdcfb28ca
No known key found for this signature in database
GPG key ID: 7758B9F272DE67D9
1 changed files with 22 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

29
llama_stack/distribution/build_container.sh
View file

@ -20,7 +20,7 @@ UV_HTTP_TIMEOUT=${UV_HTTP_TIMEOUT:-500}
USE_COPY_NOT_MOUNT=${USE_COPY_NOT_MOUNT:-}
# Mount command for cache container .cache, can be overridden by the user if needed
MOUNT_CACHE=${MOUNT_CACHE:-"--mount=type=cache,id=llama-stack-cache,target=/root/.cache"}
MOUNT_CACHE=${MOUNT_CACHE:-"--mount=type=cache,id=llama-stack-cache,target=~/.cache"}
# Path to the run.yaml file in the container
RUN_CONFIG_PATH=/app/run.yaml
@ -259,6 +259,27 @@ fi
RUN pip uninstall -y uv
EOF
# Add non-root user setup before entrypoint
add_to_container << EOF
# Create group with GID 1001 and user with UID 1001
RUN groupadd -g 1001 1001 && useradd -u 1001 -g 1001 -M 1001
# Create necessary directories with appropriate permissions for UID 1001
# Set SELinux context to allow access by non-root user (if SELinux is supported)
RUN mkdir -p /.llama /.cache && chown -R 1001:1001 /.llama /.cache && chmod -R 775 /.llama /.cache && chmod -R g+w /app && \
(command -v chcon >/dev/null 2>&1 && touch /tmp/selinux_test && chcon -t container_file_t /tmp/selinux_test 2>/dev/null && chcon -R -t container_file_t /.llama /.cache 2>/dev/null && rm -f /tmp/selinux_test || true)
# Set the Llama Stack config directory environment variable to use /.llama
ENV LLAMA_STACK_CONFIG_DIR=/.llama
# This prevents dual storage while keeping /app as working directory for CI compatibility
ENV HOME=/
# Switch to non-root user (UID 1001 directly)
USER 1001
EOF
# If a run config is provided, we use the --config flag
if [[ -n "$run_config" ]]; then
add_to_container << EOF
@ -271,12 +292,6 @@ ENTRYPOINT ["python", "-m", "llama_stack.distribution.server.server", "--templat
EOF
fi
# Add other require item commands genearic to all containers
add_to_container << EOF
RUN mkdir -p /.llama /.cache && chmod -R g+rw /app /.llama /.cache
EOF
printf "Containerfile created successfully in %s/Containerfile\n\n" "$TEMP_DIR"
cat "$TEMP_DIR"/Containerfile
printf "\n"