fix: Permissions and pymilvus conflict

.github/workflows/docker-build.yml

@@ -35,7 +35,7 @@
         run: echo "Repository owner is trusted."
 
       - name: Log in to Quay
         uses: docker/login-action@v3
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_ROBOT_USERNAME }}
@@ -47,7 +47,10 @@
           USE_COPY_NOT_MOUNT=true LLAMA_STACK_DIR=. uv run llama stack build \
             --config trustyai-distribution/build.yaml \
             --image-type container \
-            --image-name quay.io/trustyai/llama-stack:latest
+            --image-name llama-stack-trustyai
+
+          # Tag the built image with the full registry path
+          docker tag llama-stack-trustyai:dev quay.io/trustyai/llama-stack:latest
 
           # Also tag with commit SHA for versioning
           docker tag quay.io/trustyai/llama-stack:latest quay.io/trustyai/llama-stack:${{ github.sha }}

llama_stack/distribution/build_container.sh

@@ -145,6 +145,8 @@ WORKDIR /app
 # We install the Python 3.12 dev headers and build tools so that any
 # C-extension wheels (e.g. polyleven, faiss-cpu) can compile successfully.
 
+USER root
+
 RUN dnf -y update && dnf install -y iputils git net-tools wget \
     vim-minimal python3.12 python3.12-pip python3.12-wheel \
     python3.12-setuptools python3.12-devel gcc make && \
@@ -324,6 +326,16 @@ fi
 RUN pip uninstall -y uv
 EOF
 
+# Create directories and set permissions as root before switching to non-root user
+add_to_container << EOF
+RUN mkdir -p /.llama /.cache && chmod -R g+rw /app /.llama /.cache
+EOF
+
+# Switch to non-root user after all package installations and directory setup
+add_to_container << EOF
+USER 1001
+EOF
+
 # If a run config is provided, we use the --config flag
 if [[ -n "$run_config" ]]; then
   add_to_container << EOF
@@ -336,12 +348,6 @@ ENTRYPOINT ["python", "-m", "llama_stack.distribution.server.server", "--templat
 EOF
 fi
 
-# Add other require item commands genearic to all containers
-add_to_container << EOF
-
-RUN mkdir -p /.llama /.cache && chmod -R g+rw /app /.llama /.cache
-EOF
-
 printf "Containerfile created successfully in %s/Containerfile\n\n" "$TEMP_DIR"
 cat "$TEMP_DIR"/Containerfile
 printf "\n"

llama_stack/providers/registry/vector_io.py

@@ -521,7 +521,7 @@ def available_providers() -> list[ProviderSpec]:
             Api.vector_io,
             AdapterSpec(
                 adapter_type="milvus",
-                pip_packages=["pymilvus>=2.4.10"],
+                pip_packages=["pymilvus"],
                 module="llama_stack.providers.remote.vector_io.milvus",
                 config_class="llama_stack.providers.remote.vector_io.milvus.MilvusVectorIOConfig",
                 description="""
@@ -634,7 +634,7 @@ def available_providers() -> list[ProviderSpec]:
         InlineProviderSpec(
             api=Api.vector_io,
             provider_type="inline::milvus",
-            pip_packages=["pymilvus>=2.4.10"],
+            pip_packages=["pymilvus"],
             module="llama_stack.providers.inline.vector_io.milvus",
             config_class="llama_stack.providers.inline.vector_io.milvus.MilvusVectorIOConfig",
             api_dependencies=[Api.inference],

pyproject.toml

@@ -88,7 +88,7 @@ unit = [
     "sqlalchemy[asyncio]>=2.0.41",
     "blobfile",
     "faiss-cpu",
-    "pymilvus>=2.5.12",
+    "pymilvus",
     "litellm",
     "together",
     "coverage",
@@ -113,7 +113,7 @@ test = [
     "sqlalchemy",
     "sqlalchemy[asyncio]>=2.0.41",
     "requests",
-    "pymilvus>=2.5.12",
+    "pymilvus",
     "reportlab",
 ]
 docs = [

trustyai-distribution/Containerfile

@@ -4,6 +4,8 @@
 FROM registry.access.redhat.com/ubi9/python-312:latest
 WORKDIR /opt/app-root
 
+# Switch to root for package installation
+USER root
 RUN pip install sqlalchemy # somehow sqlalchemy[asyncio] is not sufficient
 RUN pip install \
     aiosqlite \
@@ -28,7 +30,7 @@ RUN pip install \
     pandas \
     pillow \
     psycopg2-binary \
-    pymilvus>=2.4.10 \
+    pymilvus \
     pymongo \
     pypdf \
     redis \
@@ -43,6 +45,9 @@ RUN pip install \
 RUN pip install --index-url https://download.pytorch.org/whl/cpu torch torchvision
 RUN pip install --no-deps sentence-transformers
 RUN pip install --no-cache llama-stack==0.2.16
+
+# Switch back to non-root user
+USER 1001
 RUN mkdir -p ${HOME}/.llama/providers.d ${HOME}/.cache
 COPY trustyai-distribution/run.yaml ${APP_ROOT}/run.yaml
 COPY trustyai-distribution/providers.d/ ${HOME}/.llama/providers.d/

trustyai-distribution/Containerfile.in

@@ -1,9 +1,14 @@
 FROM registry.access.redhat.com/ubi9/python-312:latest
 WORKDIR /opt/app-root
 
+# Switch to root for package installation
+USER root
 RUN pip install sqlalchemy # somehow sqlalchemy[asyncio] is not sufficient
 {dependencies}
 RUN pip install --no-cache llama-stack==0.2.16
+
+# Switch back to non-root user
+USER 1001
 RUN mkdir -p ${{HOME}}/.llama/providers.d ${{HOME}}/.cache
 COPY trustyai-distribution/run.yaml ${{APP_ROOT}}/run.yaml
 COPY trustyai-distribution/providers.d/ ${{HOME}}/.llama/providers.d/

trustyai-distribution/build.yaml

@@ -28,7 +28,7 @@ distribution_spec:
     - provider_type: remote::tavily-search
     - provider_type: inline::rag-runtime
     - provider_type: remote::model-context-protocol
-  container_image: registry.redhat.io/ubi9/python-312:latest
+  container_image: registry.access.redhat.com/ubi9/python-312:latest
 additional_pip_packages:
 - aiosqlite
 - sqlalchemy[asyncio]