docker/unified: derive rootless image from root container (#644)
Build the root image once, then derive the rootless variant from it using a small inline Dockerfile that adds the non-root user and chowns the writable directories. This halves the number of CI jobs (4 → 2) and eliminates the redundant full CUDA compilation for the rootless variant. - remove RUN_UID build arg from build-image.sh - derive rootless image inline after root build completes - collapse variant matrix out of unified-docker.yml - push both root and rootless tags in a single CI job Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -68,13 +68,6 @@ jobs:
|
|||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
backend: ${{ fromJSON(needs.setup.outputs.matrix) }}
|
backend: ${{ fromJSON(needs.setup.outputs.matrix) }}
|
||||||
variant:
|
|
||||||
- name: root
|
|
||||||
uid: "0"
|
|
||||||
suffix: ""
|
|
||||||
- name: rootless
|
|
||||||
uid: "10001"
|
|
||||||
suffix: "-rootless"
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
@@ -106,15 +99,14 @@ jobs:
|
|||||||
username: ${{ github.actor }}
|
username: ${{ github.actor }}
|
||||||
password: ${{ secrets.GITHUB_TOKEN }}
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Build unified Docker image (${{ matrix.backend }}, ${{ matrix.variant.name }})
|
- name: Build unified Docker image (${{ matrix.backend }})
|
||||||
env:
|
env:
|
||||||
LLAMA_REF: ${{ inputs.llama_cpp_ref || 'master' }}
|
LLAMA_REF: ${{ inputs.llama_cpp_ref || 'master' }}
|
||||||
WHISPER_REF: ${{ inputs.whisper_ref || 'master' }}
|
WHISPER_REF: ${{ inputs.whisper_ref || 'master' }}
|
||||||
SD_REF: ${{ inputs.sd_ref || 'master' }}
|
SD_REF: ${{ inputs.sd_ref || 'master' }}
|
||||||
IK_LLAMA_REF: ${{ inputs.ik_llama_ref || 'main' }}
|
IK_LLAMA_REF: ${{ inputs.ik_llama_ref || 'main' }}
|
||||||
LS_VERSION: ${{ inputs.llama_swap_version || 'main' }}
|
LS_VERSION: ${{ inputs.llama_swap_version || 'main' }}
|
||||||
RUN_UID: ${{ matrix.variant.uid }}
|
DOCKER_IMAGE_TAG: ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}
|
||||||
DOCKER_IMAGE_TAG: ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}${{ matrix.variant.suffix }}
|
|
||||||
# When running under act, use the local builder that has warm ccache.
|
# When running under act, use the local builder that has warm ccache.
|
||||||
# On GitHub Actions, BUILDX_BUILDER is unset so docker uses the builder
|
# On GitHub Actions, BUILDX_BUILDER is unset so docker uses the builder
|
||||||
# created by setup-buildx-action above.
|
# created by setup-buildx-action above.
|
||||||
@@ -126,8 +118,14 @@ jobs:
|
|||||||
- name: Push to GitHub Container Registry
|
- name: Push to GitHub Container Registry
|
||||||
if: ${{ !env.ACT }}
|
if: ${{ !env.ACT }}
|
||||||
run: |
|
run: |
|
||||||
TAG="ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}${{ matrix.variant.suffix }}"
|
BASE_TAG="ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}"
|
||||||
docker push "${TAG}"
|
|
||||||
DATE_TAG=$(date -u +%Y-%m-%d)
|
DATE_TAG=$(date -u +%Y-%m-%d)
|
||||||
docker tag "${TAG}" "${TAG}-${DATE_TAG}"
|
|
||||||
docker push "${TAG}-${DATE_TAG}"
|
docker push "${BASE_TAG}"
|
||||||
|
docker tag "${BASE_TAG}" "${BASE_TAG}-${DATE_TAG}"
|
||||||
|
docker push "${BASE_TAG}-${DATE_TAG}"
|
||||||
|
|
||||||
|
ROOTLESS_TAG="${BASE_TAG}-rootless"
|
||||||
|
docker push "${ROOTLESS_TAG}"
|
||||||
|
docker tag "${ROOTLESS_TAG}" "${ROOTLESS_TAG}-${DATE_TAG}"
|
||||||
|
docker push "${ROOTLESS_TAG}-${DATE_TAG}"
|
||||||
|
|||||||
@@ -201,7 +201,6 @@ BUILD_ARGS=(
|
|||||||
--build-arg "SD_COMMIT_HASH=${SD_HASH}"
|
--build-arg "SD_COMMIT_HASH=${SD_HASH}"
|
||||||
--build-arg "IK_LLAMA_COMMIT_HASH=${IK_LLAMA_HASH}"
|
--build-arg "IK_LLAMA_COMMIT_HASH=${IK_LLAMA_HASH}"
|
||||||
--build-arg "LS_VERSION=${LS_HASH}"
|
--build-arg "LS_VERSION=${LS_HASH}"
|
||||||
--build-arg "RUN_UID=${RUN_UID:-0}"
|
|
||||||
-t "${DOCKER_IMAGE_TAG}"
|
-t "${DOCKER_IMAGE_TAG}"
|
||||||
-f "${SCRIPT_DIR}/Dockerfile"
|
-f "${SCRIPT_DIR}/Dockerfile"
|
||||||
)
|
)
|
||||||
@@ -255,12 +254,33 @@ if [[ "$BACKEND" == "cuda" ]]; then
|
|||||||
fi
|
fi
|
||||||
echo "All expected binaries verified: ${VERIFIED_LIST}"
|
echo "All expected binaries verified: ${VERIFIED_LIST}"
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "=========================================="
|
||||||
|
echo "Building rootless image..."
|
||||||
|
echo "=========================================="
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
ROOTLESS_TAG="${DOCKER_IMAGE_TAG}-rootless"
|
||||||
|
docker buildx build --load -t "${ROOTLESS_TAG}" - <<EOF
|
||||||
|
FROM ${DOCKER_IMAGE_TAG}
|
||||||
|
USER root
|
||||||
|
RUN groupadd --system --gid 10001 llama-swap && \\
|
||||||
|
useradd --system --uid 10001 --gid 10001 \\
|
||||||
|
--home /app --shell /sbin/nologin llama-swap && \\
|
||||||
|
chown -R 10001:10001 /etc/llama-swap /models
|
||||||
|
USER 10001
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo "Rootless image built: ${ROOTLESS_TAG}"
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "=========================================="
|
echo "=========================================="
|
||||||
echo "Build complete!"
|
echo "Build complete!"
|
||||||
echo "=========================================="
|
echo "=========================================="
|
||||||
echo ""
|
echo ""
|
||||||
echo "Image tag: ${DOCKER_IMAGE_TAG}"
|
echo "Image tags:"
|
||||||
|
echo " ${DOCKER_IMAGE_TAG}"
|
||||||
|
echo " ${ROOTLESS_TAG}"
|
||||||
echo ""
|
echo ""
|
||||||
echo "Built with:"
|
echo "Built with:"
|
||||||
echo " llama.cpp: ${LLAMA_HASH}"
|
echo " llama.cpp: ${LLAMA_HASH}"
|
||||||
|
|||||||
Reference in New Issue
Block a user