Containerfile: ensure that HOME can be used by any user ID #601

Merged
sjmonson merged 2 commits into vllm-project:main from kpouget:patch-1
Feb 17, 2026

@kpouget (Contributor) commented Feb 17, 2026

OpenShift Pods can't use the cache otherwise

Resolves: 600


  • "I certify that all code in this PR is my own, except as noted below."

Use of AI

  • Includes AI-assisted code completion
  • Includes code generated by an AI application
  • Includes AI-generated tests (NOTE: AI written tests should have a docstring that includes ## WRITTEN BY AI ##)

OpenShift Pods can't use the cache otherwise

Fix: 600

Signed-off-by: Kevin Pouget <kpouget@redhat.com>

@dbutenhof linked an issue Feb 17, 2026 that may be closed by this pull request

@dbutenhof (Collaborator) left a comment

I think I find the "can be used by any user" a bit misleading since this assumes we're running in GID 0 (setting $HOME group to 0 and copying user mode bits to group). That covers both the OpenShift and standalone container use cases, but the wording suggests something more universal. I think it's "interesting" that you're copying user mode bits rather than just assigning something "known good" like g=rwX; although it's probably safe to assume that the $HOME user mode bits are good by default ...

@kpouget (Contributor, Author) commented Feb 17, 2026

the command and comment (s/any/arbitrary) comes from OpenShift documentation:

Support arbitrary user ids

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.
Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:

Signed-off-by: Kevin Pouget <kpouget@redhat.com>

@dbutenhof (Collaborator)

> the command and comment (s/any/arbitrary) comes from OpenShift documentation:
>
> Support arbitrary user ids

Huh. Well, "arbitrary user in group 0", anyway; but if that's a quote from the documentation I guess I can't complain to you. 😆

@dbutenhof added the build label (Issues affecting CI, packaging, container builds) Feb 17, 2026
@dbutenhof added this to the v0.6.0 milestone Feb 17, 2026
@sjmonson merged commit 4786a12 into vllm-project:main Feb 17, 2026
16 checks passed
@kpouget deleted the patch-1 branch February 17, 2026 17:28
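
The property discussed in this thread can be checked mechanically. The following is an added example, not code from the pull request or the project: a shell audit that reports entries whose group is not the expected GID or whose group mode bits differ from the user bits, together with the remediation the review describes (set the group, copy user bits to group). The function names, the constructed sample tree and the use of the caller's own GID in the demo are assumptions; it requires GNU find.

```shell
#!/bin/sh
# Added example, not code from the pull request. Requires GNU find (-printf).

# audit_group_access DIR [GID]
# Lists every entry under DIR that a process with an arbitrary UID and primary
# group GID (default 0, as on OpenShift) cannot use the way the owner can:
# the entry's group is not GID, or its group bits differ from its user bits.
# Returns 0 when the tree is clean, 1 when there are findings.
audit_group_access() {
    audit_dir=$1
    want_gid=${2:-0}
    # Symlinks are skipped: their own mode bits are not used for access checks.
    findings=$(
        find "$audit_dir" ! -type l -printf '%G %m %p\n' |
        while read -r gid mode path; do
            m=$((0$mode))            # %m is octal; the leading 0 keeps it octal
            u=$(( m / 64 % 8 ))      # user rwx bits
            g=$(( m / 8 % 8 ))       # group rwx bits
            [ "$gid" = "$want_gid" ] || echo "group $gid, want $want_gid: $path"
            [ "$u" -eq "$g" ] || echo "mode $mode, group bits != user bits: $path"
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# fix_group_access DIR [GID]
# The remediation described in the thread: hand the tree to group GID and copy
# the user mode bits to the group.
fix_group_access() {
    chgrp -R "${2:-0}" "$1" && chmod -R g=u "$1"
}

# Constructed sample tree standing in for $HOME; uses the caller's own GID so
# the demo runs without root. Prints the audit status before and after the fix.
demo() {
    home=$(mktemp -d) && mkdir -p "$home/.cache" && : > "$home/.cache/data"
    chmod 755 "$home/.cache" && chmod 600 "$home/.cache/data"
    audit_group_access "$home" "$(id -g)" >/dev/null && before=0 || before=1
    fix_group_access "$home" "$(id -g)"
    audit_group_access "$home" "$(id -g)" >/dev/null && after=0 || after=1
    rm -rf "$home"
    echo "before=$before after=$after"
}
```

Run as a late build step with the default GID of 0, a non-zero exit from `audit_group_access "$HOME"` fails the image build before a pod with an arbitrary UID hits the unwritable cache at runtime.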

Development

Successfully merging this pull request may close these issues.

guidellm image doesn't work with a non-root user

3 participants