obscura/vllm
2
0
Fork 0
mirror of https://github.com/vllm-project/vllm.git synced 2026-06-06 00:16:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

[Docker] Non-root support for vllm-openai; add opt-in vllm-openai-nonroot target (#40275)

Browse Source 
Signed-off-by: TheDuyIT <nduy250299@gmail.com>
Signed-off-by: dtnguyen <dtnguyen@nvidia.com>
Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Nguyễn Thế Duy
2026-05-25 12:45:31 +07:00
committed by GitHub
parent 1b26fa361e
commit 3df1c7c43e
7 changed files with 577 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/assets/contributing/dockerfile-stages-dependency.png
BIN
View File
Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 371 KiB

After

Width:  |  Height:  |  Size: 388 KiB

docs/deployment/docker.md
+58
View File
@@ -8,6 +8,64 @@ toc_depth: 2
--8<-- "docs/getting_started/installation/gpu.md:pre-built-images"
## Run as a non-root user
The CUDA `vllm/vllm-openai` image runs as root by default for backward
compatibility. It is also prepared to run as the built-in `vllm` user
(UID 2000, GID 0):
```bash
docker run --rm --gpus all \
--user 2000:0 \
-p 8000:8000 \
vllm/vllm-openai:latest \
meta-llama/Llama-3.1-8B-Instruct
```
When mounting model or cache volumes for a non-root container, mount writable
paths under `/home/vllm` instead of `/root`. For example, mount the Hugging
Face cache at `/home/vllm/.cache/huggingface` and make the mounted directory
writable by group 0.
```bash
docker run --rm --gpus all \
--user 2000:0 \
-v ~/.cache/huggingface:/home/vllm/.cache/huggingface \
-p 8000:8000 \
vllm/vllm-openai:latest \
meta-llama/Llama-3.1-8B-Instruct
```
To build an image that defaults to the non-root `vllm` user, use the opt-in
`vllm-openai-nonroot` target:
```bash
docker build --target vllm-openai-nonroot \
-t vllm-openai-nonroot:local \
-f docker/Dockerfile .
docker run --rm --gpus all \
-p 8000:8000 \
vllm-openai-nonroot:local \
meta-llama/Llama-3.1-8B-Instruct
```
The `vllm-openai-nonroot` target also supports OpenShift-style arbitrary UIDs
when the runtime UID is a member of group 0. In Kubernetes manifests, set the
container security context accordingly and keep mounted cache/model paths
writable by group 0:
```yaml
securityContext:
runAsNonRoot: true
runAsUser: 1000540000
runAsGroup: 0
fsGroup: 0
```
Runtime UIDs outside group 0 are not part of the documented support matrix
because they may be unable to write to `/home/vllm` or `/opt/uv/cache`.
## Build image from source
--8<-- "docs/getting_started/installation/gpu.md:build-image-from-source"