From d944193f064b964b208c29c6a3053e6f37610c6a Mon Sep 17 00:00:00 2001 From: "ryan.steed.usa" Date: Sun, 26 Oct 2025 22:08:14 -0600 Subject: [PATCH 1/2] refactor: update Containerfile to support non-root user execution and improve security - Updated LS_VER argument from 89 to 170 to use the latest version - Added UID/GID arguments with default values of 0 (root) for backward compatibility - Added USER_HOME environment variable set to /root - Implemented conditional user/group creation logic that only runs when UID/GID are not 0 - Created necessary directory structure with proper ownership using mkdir and chown commands - Switched to non-root user execution for improved security posture - Updated COPY instruction to use --chown flag for proper file ownership --- docker/llama-swap.Containerfile | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/docker/llama-swap.Containerfile b/docker/llama-swap.Containerfile index 53ea82a1..16219654 100644 --- a/docker/llama-swap.Containerfile +++ b/docker/llama-swap.Containerfile @@ -2,7 +2,29 @@ ARG BASE_TAG=server-cuda FROM ghcr.io/ggml-org/llama.cpp:${BASE_TAG} # has to be after the FROM -ARG LS_VER=89 +ARG LS_VER=170 + +# Set default UID/GID arguments +ARG UID=0 +ARG GID=0 +ARG USER_HOME=/root + +# Add user/group +ENV HOME=$USER_HOME +RUN if [ $UID -ne 0 ]; then \ + if [ $GID -ne 0 ]; then \ + addgroup --system --gid $GID app; \ + fi; \ + adduser --system --no-create-home --uid $UID --gid $GID \ + --home $USER_HOME app; \ + fi + +# Handle paths +RUN mkdir --parents $HOME /app +RUN chown --recursive $UID:$GID $HOME /app + +# Switch user +USER $UID:$GID WORKDIR /app RUN \ @@ -10,7 +32,7 @@ RUN \ tar -zxf llama-swap_"${LS_VER}"_linux_amd64.tar.gz && \ rm llama-swap_"${LS_VER}"_linux_amd64.tar.gz -COPY config.example.yaml /app/config.yaml +COPY --chown=$UID:$GID config.example.yaml /app/config.yaml HEALTHCHECK CMD curl -f http://localhost:8080/ || exit 1 -ENTRYPOINT [ "/app/llama-swap", "-config", "/app/config.yaml" ] \ No newline at end of file +ENTRYPOINT [ "/app/llama-swap", "-config", "/app/config.yaml" ] From 7b9b4dd774b3e7009af6fb5c5007fc008bfcb986 Mon Sep 17 00:00:00 2001 From: "ryan.steed.usa" Date: Fri, 31 Oct 2025 17:29:47 -0600 Subject: [PATCH 2/2] chore: update containerfile to use non-root user with proper UID/GID - Changed default UID and GID from 0 (root) to 10001 for security best practices - Updated USER_HOME from /root to /app to avoid running as root user --- docker/llama-swap.Containerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/llama-swap.Containerfile b/docker/llama-swap.Containerfile index 16219654..6be50035 100644 --- a/docker/llama-swap.Containerfile +++ b/docker/llama-swap.Containerfile @@ -5,9 +5,9 @@ FROM ghcr.io/ggml-org/llama.cpp:${BASE_TAG} ARG LS_VER=170 # Set default UID/GID arguments -ARG UID=0 -ARG GID=0 -ARG USER_HOME=/root +ARG UID=10001 +ARG GID=10001 +ARG USER_HOME=/app # Add user/group ENV HOME=$USER_HOME