fix: Updating images so that they are able to run without root access

[jland-redhat]

What does this PR do?

Addresses issues where the container is unable to run as root. Gives write access to required folders.

(Closes #[1207])

Test Plan

I built locally and ran llama stack build --template remote-vllm --image-type container and validated I could see my changes in the output:

#11 1.186 Installed 11 packages in 61ms
#11 1.186  + llama-models==0.1.3
#11 1.186  + llama-stack==0.1.3
#11 1.186  + llama-stack-client==0.1.3
#11 1.186  + markdown-it-py==3.0.0
#11 1.186  + mdurl==0.1.2
#11 1.186  + prompt-toolkit==3.0.50
#11 1.186  + pyaml==25.1.0
#11 1.186  + pygments==2.19.1
#11 1.186  + rich==13.9.4
#11 1.186  + tiktoken==0.9.0
#11 1.186  + wcwidth==0.2.13
#11 DONE 1.6s

#12 [ 9/10] RUN mkdir -p /.llama /.cache
#12 DONE 0.3s

#13 [10/10] RUN chmod -R g+rw /app /.llama /.cache
#13 DONE 0.3s

#14 exporting to image
#14 exporting layers
#14 exporting layers 3.7s done
#14 writing image sha256:11cc8bd954db6d036037bcaf471b173ddd5261ac4b1e72074cccf85d18aefb96 done
#14 naming to docker.io/library/distribution-remote-vllm:0.1.3 done
#14 DONE 3.7s
+ set +x
Success!

This is what the resulting image looks like:

Also tagged the image as 0.1.3-test and pushed to quay (note there are a bunch of critical vulnerabilities we may want to look into)

And for good measure I deployed the resulting image on my Openshift environment using the default Security Context and validated that there were no issue with it coming up.

My validation was all done with the vllm-remote distribution, but if I am understanding everything correctly the other distributions are just different run.yaml configs.

Please let me know if there is anything else I need to do.

[facebook-github-bot]

Hi @jland-redhat!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at [email protected]. Thanks!

[terrytangyuan]

Can you sign the individual CLA?

[ashwinb]

lgtm. will leave to @terrytangyuan to approve and merge.

[facebook-github-bot]

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

[terrytangyuan]

Closes #1207