mirror of
https://github.com/pewdiepie-archdaemon/odysseus.git
synced 2026-06-16 01:35:36 -04:00
RaresKeY
125 lines
4.7 KiB
Bash
125 lines
4.7 KiB
Bash
#!/bin/sh
|
|
# Entrypoint that fixes the #1 self-host footgun: a Docker container
|
|
# that runs as root writes root-owned files into bind-mounted host
|
|
# volumes, and the host user (or a non-root service user) then can't
|
|
# update them — silently breaking skill extraction, prefs saves, mail
|
|
# attachments, etc.
|
|
#
|
|
# Standard PUID/PGID pattern: pick the UID/GID we should drop to,
|
|
# chown the writable bind-mounts so existing root-owned content gets
|
|
# repaired on every start (idempotent), then exec the real command
|
|
# as that user via gosu.
|
|
set -e
|
|
|
|
PUID="${PUID:-1000}"
|
|
PGID="${PGID:-1000}"
|
|
GOSU_BIN="$(command -v gosu)"
|
|
PYTHON_BIN="$(command -v python)"
|
|
|
|
# Reuse an existing matching group/user if the host's UID/GID already
|
|
# corresponds to one in /etc/passwd (e.g. when the image is rebuilt
|
|
# and "odysseus" already exists at the same id). Otherwise create.
|
|
if ! getent group "$PGID" >/dev/null 2>&1; then
|
|
groupadd -g "$PGID" odysseus
|
|
fi
|
|
if ! getent passwd "$PUID" >/dev/null 2>&1; then
|
|
useradd -u "$PUID" -g "$PGID" -M -s /bin/sh -d /app odysseus
|
|
fi
|
|
|
|
mount_root_for() {
|
|
awk -v target="$1" '$5 == target { print $4; exit }' /proc/self/mountinfo 2>/dev/null || true
|
|
}
|
|
|
|
is_broad_mount_root() {
|
|
case "$1" in
|
|
/|/home|/srv|/var|/usr|/opt|/tmp|/mnt|/media)
|
|
return 0
|
|
;;
|
|
esac
|
|
return 1
|
|
}
|
|
|
|
repair_tree_ownership() {
|
|
dir="$1"
|
|
if [ -d "$dir" ]; then
|
|
find "$dir" -xdev -not -uid "$PUID" -print0 2>/dev/null \
|
|
| xargs -0 -r chown "$PUID:$PGID" 2>/dev/null || true
|
|
fi
|
|
}
|
|
|
|
repair_app_tree_ownership() {
|
|
if [ -d /app ]; then
|
|
find /app -xdev \
|
|
\( -path /app/data -o -path /app/logs -o -path /app/.ssh -o -path /app/.cache -o -path /app/.local \) -prune \
|
|
-o -not -uid "$PUID" -print0 2>/dev/null \
|
|
| xargs -0 -r chown "$PUID:$PGID" 2>/dev/null || true
|
|
fi
|
|
}
|
|
|
|
repair_bind_mount_ownership() {
|
|
dir="$1"
|
|
if [ ! -d "$dir" ]; then
|
|
return
|
|
fi
|
|
|
|
mount_root="$(mount_root_for "$dir")"
|
|
if is_broad_mount_root "$mount_root"; then
|
|
echo "Skipping recursive ownership repair for $dir because it maps to broad host path $mount_root" >&2
|
|
chown "$PUID:$PGID" "$dir" 2>/dev/null || true
|
|
return
|
|
fi
|
|
|
|
repair_tree_ownership "$dir"
|
|
}
|
|
|
|
# Repair image-owned writable paths without walking into bind-mounted host
|
|
# trees, then repair the app-owned mount roots separately.
|
|
repair_app_tree_ownership
|
|
for dir in /app/data /app/logs /app/.ssh /app/.cache/huggingface /app/.local; do
|
|
repair_bind_mount_ownership "$dir"
|
|
done
|
|
|
|
# Cookbook installs vllm/etc. via `pip install --user`, which pulls
|
|
# nvidia-cuda-* wheels into /app/.local but does not set CUDA_HOME or
|
|
# symlink /usr/local/cuda. vllm 0.22+ then crashes during engine init
|
|
# when FlashInfer tries to JIT a sampler kernel ("Could not find nvcc",
|
|
# then "CUDA compiler and toolkit headers are incompatible" on the
|
|
# mixed cuda-nvcc 13.3 / cuda-runtime 13.0 wheel combo).
|
|
#
|
|
# Auto-set CUDA_HOME if a pip-installed nvcc is present, and disable the
|
|
# FlashInfer JIT sampler — sampler only, no impact on attention path.
|
|
# No-op when vllm isn't installed.
|
|
#
|
|
# Checked layouts (all are real pip-wheel install paths):
|
|
# nvidia/cu13 — nvidia-nvcc-cu13 (CUDA 13.x wheel style)
|
|
# nvidia/cu12 — nvidia-nvcc-cu12 (CUDA 12.x wheel style)
|
|
# nvidia/cuda_nvcc — nvidia-cuda-nvcc-cu12 (older cu12 sub-package style)
|
|
for cu in \
|
|
/app/.local/lib/python*/site-packages/nvidia/cu13 \
|
|
/app/.local/lib/python*/site-packages/nvidia/cu12 \
|
|
/app/.local/lib/python*/site-packages/nvidia/cuda_nvcc; do
|
|
if [ -x "$cu/bin/nvcc" ]; then
|
|
export CUDA_HOME="$cu"
|
|
break
|
|
fi
|
|
done
|
|
# Disable the FlashInfer JIT sampler unconditionally — it is sampler-only
|
|
# and has no impact on the attention path, but requires nvcc + matching
|
|
# CUDA headers at startup. Without this, vLLM crashes with "Could not find
|
|
# nvcc" even when the GPU itself is fully visible to the container.
|
|
export VLLM_USE_FLASHINFER_SAMPLER="${VLLM_USE_FLASHINFER_SAMPLER:-0}"
|
|
|
|
# Make Cookbook-installed Python CLIs visible after `pip install --user`.
|
|
# vLLM and helper scripts land here because /app is the non-root user's HOME.
|
|
export PATH="/app/.local/bin:$PATH"
|
|
|
|
# Run first-time setup as the app user so data/ files get the right ownership.
|
|
# setup.py is idempotent — skips auth.json / .env if they already exist.
|
|
# || true so a setup failure never prevents the container from starting.
|
|
"$GOSU_BIN" "$PUID:$PGID" "$PYTHON_BIN" /app/setup.py || true
|
|
|
|
# Drop root and run the actual app. `gosu` is preferred over `su` /
|
|
# `sudo` because it cleans up the process tree (no extra shell layer)
|
|
# so signals (SIGTERM from `docker stop`) reach uvicorn directly.
|
|
exec "$GOSU_BIN" "$PUID:$PGID" "$@"
|