diff --git a/.github/workflows/unified-docker.yml b/.github/workflows/unified-docker.yml
index c1021f0d..c5fbf189 100644
--- a/.github/workflows/unified-docker.yml
+++ b/.github/workflows/unified-docker.yml
@@ -68,6 +68,13 @@ jobs:
 fail-fast: false
 matrix:
 backend: ${{ fromJSON(needs.setup.outputs.matrix) }}
+ variant:
+ - name: root
+ uid: "0"
+ suffix: ""
+ - name: rootless
+ uid: "10001"
+ suffix: "-rootless"
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -99,14 +106,15 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Build unified Docker image (${{ matrix.backend }})
+ - name: Build unified Docker image (${{ matrix.backend }}, ${{ matrix.variant.name }})
 env:
 LLAMA_REF: ${{ inputs.llama_cpp_ref || 'master' }}
 WHISPER_REF: ${{ inputs.whisper_ref || 'master' }}
 SD_REF: ${{ inputs.sd_ref || 'master' }}
 IK_LLAMA_REF: ${{ inputs.ik_llama_ref || 'main' }}
 LS_VERSION: ${{ inputs.llama_swap_version || 'main' }}
- DOCKER_IMAGE_TAG: ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}
+ RUN_UID: ${{ matrix.variant.uid }}
+ DOCKER_IMAGE_TAG: ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}${{ matrix.variant.suffix }}
 # When running under act, use the local builder that has warm ccache.
 # On GitHub Actions, BUILDX_BUILDER is unset so docker uses the builder
 # created by setup-buildx-action above.
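Review bot: In the `variant` matrix the `root` entry keeps `suffix: ""`, so the existing `unified-<backend>` tag is now built with uid 0, while the Dockerfile hunk in this same commit removes the unconditional `USER llama-swap`. Anyone already pulling the unsuffixed tag would move from a non-root to a root container without changing anything on their side. The same default shows up in `ARG RUN_UID=0`, in `USER ${RUN_UID}` and in `--build-arg "RUN_UID=${RUN_UID:-0}"` in build-image.sh. Consider giving the rootless variant the empty suffix and the root one an explicit name, e.g. `suffix: "-root"` for `name: root` and `suffix: ""` for `name: rootless`, or, if root has to stay the default, say so in a comment above the matrix.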
@@ -118,7 +126,8 @@ jobs:
 - name: Push to GitHub Container Registry
 if: ${{ !env.ACT }}
 run: |
- docker push ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}
+ TAG="ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}${{ matrix.variant.suffix }}"
+ docker push "${TAG}"
 DATE_TAG=$(date -u +%Y-%m-%d)
- docker tag ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }} ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}-${DATE_TAG}
- docker push ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}-${DATE_TAG}
+ docker tag "${TAG}" "${TAG}-${DATE_TAG}"
+ docker push "${TAG}-${DATE_TAG}"
diff --git a/docker/unified/Dockerfile b/docker/unified/Dockerfile
index 04e9dce0..98a39352 100644
--- a/docker/unified/Dockerfile
+++ b/docker/unified/Dockerfile
@@ -145,15 +145,20 @@ ARG LLAMA_COMMIT_HASH=unknown
 ARG WHISPER_COMMIT_HASH=unknown
 ARG SD_COMMIT_HASH=unknown
 ARG IK_LLAMA_COMMIT_HASH=unknown
+ARG RUN_UID=0
 RUN apt-get update && apt-get install -y --no-install-recommends \
 python3-numpy python3-sentencepiece \
 && rm -rf /var/lib/apt/lists/*
-# Create llama-swap user and config directory
-RUN useradd --system --create-home --shell /sbin/nologin llama-swap && \
+# Create non-root user when RUN_UID != 0
+RUN if [ "$RUN_UID" != "0" ]; then \
+ groupadd --system --gid $RUN_UID llama-swap && \
+ useradd --system --uid $RUN_UID --gid $RUN_UID \
+ --home /app --shell /sbin/nologin llama-swap; \
+ fi && \
 mkdir -p /etc/llama-swap/config && \
- chown -R llama-swap:llama-swap /etc/llama-swap
+ chown -R ${RUN_UID}:${RUN_UID} /etc/llama-swap
 WORKDIR /app
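Review bot: In the push step, the new `TAG=` line still expands `${{ matrix.backend }}` and `${{ matrix.variant.suffix }}` inside the `run:` script, so the values are pasted into the shell text before bash parses it. `matrix.backend` comes from `needs.setup.outputs.matrix`, whose origin is not visible in this hunk; if any part of it derives from workflow inputs, shell metacharacters in it would be interpreted rather than treated as data. Passing the value through the step environment avoids that: add an `env:` entry `TAG: ghcr.io/mostlygeek/llama-swap:unified-${{ matrix.backend }}${{ matrix.variant.suffix }}` to the step and drop the `TAG=` assignment, leaving `docker push "${TAG}"` as it is. The build step earlier in this file already handles `DOCKER_IMAGE_TAG` that way.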
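Review bot: The rootless account is created with `--home /app` and no `--create-home`, and nothing in this hunk gives uid `RUN_UID` ownership of `/app`, which the `WORKDIR /app` context line presumably creates as root. The removed `useradd --create-home` gave the account a writable home, so anything that writes under `$HOME` (caches, for instance) would now fail only in the rootless variant; lines outside the hunk may already handle this. If a writable home is intended, add `RUN chown ${RUN_UID}:${RUN_UID} /app` after the `WORKDIR`; otherwise extend the comment to say the home is deliberately read-only. The `$RUN_UID` expansions in `groupadd` and `useradd` are also unquoted; `--gid "$RUN_UID"` and `--uid "$RUN_UID"` keep a malformed build argument from splitting into extra options.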
@@ -191,7 +196,8 @@ RUN echo "llama.cpp: ${LLAMA_COMMIT_HASH}" > /versions.txt && \
 echo "backend: ${BACKEND}" >> /versions.txt && \
 echo "build_timestamp: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> /versions.txt
+RUN mkdir -p /models && chown ${RUN_UID}:${RUN_UID} /models
 WORKDIR /models
-USER llama-swap
+USER ${RUN_UID}
 ENTRYPOINT ["llama-swap"]
 CMD ["-config", "/etc/llama-swap/config/config.yaml", "-listen", "0.0.0.0:8080"]
diff --git a/docker/unified/build-image.sh b/docker/unified/build-image.sh
index 22bd5649..e03cbbe7 100755
--- a/docker/unified/build-image.sh
+++ b/docker/unified/build-image.sh
@@ -201,6 +201,7 @@ BUILD_ARGS=(
 --build-arg "SD_COMMIT_HASH=${SD_HASH}"
 --build-arg "IK_LLAMA_COMMIT_HASH=${IK_LLAMA_HASH}"
 --build-arg "LS_VERSION=${LS_HASH}"
+ --build-arg "RUN_UID=${RUN_UID:-0}"
 -t "${DOCKER_IMAGE_TAG}"
 -f "${SCRIPT_DIR}/Dockerfile"
 )
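Review bot: The build-time `chown ${RUN_UID}:${RUN_UID} /models` only changes the directory baked into the image, which is worth documenting next to it. If `/models` is used as a mount point, the mounted directory keeps the host's ownership, and the rootless variant (uid 10001 in the workflow matrix) needs read access to it on the host. A comment above the `RUN mkdir -p /models` line would save operators a debugging session, for example `# A volume mounted on /models keeps host ownership; it must be readable by RUN_UID`. Writing `USER ${RUN_UID}:${RUN_UID}` would also state the runtime group explicitly instead of leaving it to the passwd lookup.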