dev-ml/ollama: a separate ollama user

[CreeperMain]

@vitaly-zdanevich Hello, I played around with the ollama package recently but i noticed that ollama serve in /etc/init.d/ollama (the daemon) ran that command as root. So i decided per the official documentation https://github.com/ollama/ollama/blob/main/docs/linux.md to implement a separate ollama user, my reasoning for this was for sandboxing's sake. Because I'm new to writing ebuilds and largely inexperienced please if you are in the position to check whether the user id I used is already used by anything, it's a simple change if its already is use by some other package.
PS: Yes this is my second pull request I messed up the first one

[CreeperMain]

i also recorded a quick demo in a vm

2024-07-10.00-53-38.mp4

[vitaly-zdanevich]

Hi, thanks for your contributions, I do not know these GROUP_ID stuff, but greping /var/db/repos/gentoo I found the same number in another package https://gitweb.gentoo.org/repo/gentoo.git/tree/acct-group/murmur/murmur-0-r3.ebuild#n8

[CreeperMain]

Thank you I'll take a looksie

[CreeperMain]

125 was free in both guru and gentoo, I checked also pentoo and a few others. But I'm unaware if there is a proper convention around user and group ids.

[vitaly-zdanevich]

@MrRoy hi, can you please help here?

[antecrescent]

I'm currently investigating this as part of a code review.

[MrRoy]

Nice catch @vitaly-zdanevich

Users and group IDs outside of the official ::gentoo repository need to use ID -1 to avoid collisions with ::gentoo. -1 will dynamically allocate a free UID/GID.
I can't seem to find a source for that in the dev manual, but this wiki page says:

An assignment to variable ACCT_USER_ID, specifying the preferred user ID. It can be set to -1 in alternative ebuild repositories to dynamically allocate the UID.

Looking at other guru ebuilds, we find that only -1 is used in all acct-{user,group} ebuilds:

guru/acct-group $ grep -rh "GROUP_ID" | uniq
ACCT_GROUP_ID=-1
guru/acct-user $ grep -rh "USER_ID" | uniq
ACCT_USER_ID=-1

[antecrescent]

Users and group IDs outside of the official ::gentoo repository need to use ID -1 to avoid collisions with ::gentoo. -1 will dynamically allocate a free UID/GID. I can't seem to find a source for that in the dev manual, but this wiki page says:

An assignment to variable ACCT_USER_ID, specifying the preferred user ID. It can be set to -1 in alternative ebuild repositories to dynamically allocate the UID.

It's written in the eclass documentations for acct-{user,group}:

Overlays should set [ACCT_USER/GROUP_ID] to -1 to dynamically allocate [UID/GID]. Using -1 in ::gentoo is prohibited by policy.

[CreeperMain]

I changed them, I'll now check if it still works as intended

[CreeperMain]

It seems to work as intended if there any other issues please tell me
PS: From what I understand, Im guessing that 122 is free so it picked that

2024-07-10.19-17-56.mp4

[vitaly-zdanevich]

ffprobe says

moov atom not found
video.mp4: Invalid data found when processing input

[vitaly-zdanevich]

Is it needed here?

[vitaly-zdanevich]

This use is for the ebuild, not for acct-group, right?

[CreeperMain]

Thanks I'll sort it out rn

[CreeperMain]

Should i change the description or no?

[CreeperMain]

Actually I'll drop the description, I took a look at the other acct-user/group packages they didn't use a description tag

[vitaly-zdanevich]

Ok, is it ready to merge?

[CreeperMain]

I think so everything works as intended

[antecrescent]

Thanks for the contribution! Commits to (official) Gentoo ebuild repositories should adhere to GLEP 66.
To do so without much headache, follow the GURU contribution guide (create an OpenPGP key, setup the repo's git config and commit via dev-util/pkgdev).
And please change one package per commit, i.e.

1. acct-group/ollama: new package
2. acct-user/ollama: new package
3. dev-ml/ollama: support unprivileged ollama user

[antecrescent]

Suggested change

	# Copyright 1999-2024 Gentoo Authors
	# Copyright 2024 Gentoo Authors

[antecrescent]

Remove the proxied attribute.

[antecrescent]

Remove this line in favor of the default /sbin/nologin.

[antecrescent]

Suggested change

	ACCT_USER_HOME_PERMS=0755
	ACCT_USER_HOME_PERMS=0700

Seems to work correctly and follows the principle of least privilege :)

[antecrescent]

Move this function below src_install to reflect the correct phase function order and edit it like this

Suggested change

	touch /var/log/ollama.log
	chown ollama:ollama /var/log/ollama.log
	touch /var/log/ollama.log || die
	fowners ollama:ollama /var/log/ollama.log

[antecrescent]

Move these dependencies to RDEPEND and also add them to IDEPEND (because of fowners in pkg_preinst).

[antecrescent]

Suggested change

	# Copyright 1999-2024 Gentoo Authors
	# Copyright 2024 Gentoo Authors

[antecrescent]

Suggested change

	<maintainer type="person" proxied="yes">
	<maintainer type="person">

This is not a proxy-maint package.

[antecrescent]

Remove the description, use and upstream tags. These belong to dev-ml/ollama, not to the user and group packages, like @vitaly-zdanevich pointed out.

[antecrescent]

Same applies here.

[vitaly-zdanevich]

Pushed, please review

6b22b60
0913afb

[vitaly-zdanevich]

f6b2371

[antecrescent]

@vitaly-zdanevich Thanks for (mostly) applying my suggestions. It would have been nice to give @CreeperMain a chance to author these changes, though ;)
Two remarks:

1. Please write more descriptive commit messages.
   dev-ml/ollama: fixes from from https://github.com/gentoo/guru/pull/210/files does not cut it.
   I gave an example of what the commit messages could look like earlier in this thread.
   Generally speaking, you should never paste an URL into the commit summary line.
2. You did not close the PR in the last commit. I did it when I fixed your changes in ec9321f.

[CreeperMain]

Thanks for the contribution! Commits to (official) Gentoo ebuild repositories should adhere to GLEP 66. To do so without much headache, follow the GURU contribution guide (create an OpenPGP key, setup the repo's git config and commit via dev-util/pkgdev). And please change one package per commit, i.e.

1. `acct-group/ollama: new package`

2. `acct-user/ollama: new package`

3. `dev-ml/ollama: support unprivileged ollama user`

Thank you I'll keep that in mind next time

[CreeperMain]

@vitaly-zdanevich Thanks for (mostly) applying my suggestions. It would have been nice to give @CreeperMain a chance to author these changes, though ;) Two remarks:

1. Please write more descriptive commit messages.
   `dev-ml/ollama: fixes from from https://github.com/gentoo/guru/pull/210/files` does not cut it.
   I gave an example of what the commit messages could look like [earlier in this thread](https://github.com/gentoo/guru/pull/210#pullrequestreview-2168933467).
   Generally speaking, you should never paste an URL into the commit summary line.

2. You did not close the PR in the last commit. I did it when I fixed your changes in [ec9321f](https://github.com/gentoo/guru/commit/ec9321fa791adba089e1c378427309c594587e31).

Alright than I'm glad that a nonprivileged user was implemented into this package, should I close this pull request now?

[antecrescent]

Alright than I'm glad that a nonprivileged user was implemented into this package, should I close this pull request now?

No need, it'll get closed automatically once ec9321f gets merged into master.