feat: introduce execution entrypoint

Signed-off-by: thxCode <[email protected]>

Author: thxCode

gpustack_runtime/cmds/deployer.py

@@ -6,6 +6,7 @@
 import sys
 import time
 from argparse import REMAINDER
+from pathlib import Path
 from typing import TYPE_CHECKING
 
 from .. import envs
@@ -84,6 +85,7 @@ class CreateRunnerWorkloadSubCommand(SubCommand):
 
     backend: str
     device: str
+    entrypoint: str
     port: int
     host_network: bool
     check: bool
@@ -115,6 +117,12 @@ def register(parser: _SubParsersAction):
             default="all",
         )
 
+        deploy_parser.add_argument(
+            "--entrypoint-file",
+            type=str,
+            help="Path of entrypoint for the workload",
+        )
+
         deploy_parser.add_argument(
             "--port",
             type=int,
@@ -184,6 +192,13 @@ def __init__(self, args: Namespace):
             msg = "The name and volume arguments are required."
             raise ValueError(msg)
 
+        if args.entrypoint_file:
+            entrypoint_file = Path(args.entrypoint_file)
+            if not entrypoint_file.is_file():
+                msg = f"The entrypoint file '{entrypoint_file}' does not exist."
+                raise ValueError(msg)
+            self.entrypoint = entrypoint_file.read_text(encoding="utf-8").strip()
+
     def run(self):
         env = [
             ContainerEnv(
@@ -215,19 +230,20 @@ def run(self):
         ]
         execution = ContainerExecution(
             privileged=True,
+            entrypoint=self.entrypoint,
+            args=self.extra_args,
         )
-        if self.extra_args:
-            execution.command = self.extra_args
-        ports = None
-        if self.port:
-            ports = [
+        ports = (
+            [
                 ContainerPort(
                     internal=self.port,
                 ),
             ]
-        checks = None
-        if self.check and self.port:
-            checks = [
+            if self.port
+            else None
+        )
+        checks = (
+            [
                 ContainerCheck(
                     delay=60,
                     interval=10,
@@ -237,6 +253,9 @@ def run(self):
                     teardown=True,
                 ),
             ]
+            if self.check and self.port
+            else None
+        )
         plan = WorkloadPlan(
             name=self.name,
             namespace=self.namespace,
@@ -296,6 +315,7 @@ class CreateWorkloadSubCommand(SubCommand):
 
     backend: str
     device: str
+    entrypoint: str
     port: int
     host_network: bool
     check: bool
@@ -326,6 +346,12 @@ def register(parser: _SubParsersAction):
             default="all",
         )
 
+        deploy_parser.add_argument(
+            "--entrypoint-file",
+            type=str,
+            help="Path of entrypoint for the workload",
+        )
+
         deploy_parser.add_argument(
             "--port",
             type=int,
@@ -394,6 +420,13 @@ def __init__(self, args: Namespace):
             msg = "The name, image, and volume arguments are required."
             raise ValueError(msg)
 
+        if args.entrypoint_file:
+            entrypoint_file = Path(args.entrypoint_file)
+            if not entrypoint_file.is_file():
+                msg = f"The entrypoint file '{entrypoint_file}' does not exist."
+                raise ValueError(msg)
+            self.entrypoint = entrypoint_file.read_text(encoding="utf-8").strip()
+
     def run(self):
         env = [
             ContainerEnv(
@@ -425,19 +458,20 @@ def run(self):
         ]
         execution = ContainerExecution(
             privileged=True,
+            entrypoint=self.entrypoint,
+            args=self.extra_args,
         )
-        if self.extra_args:
-            execution.command = self.extra_args
-        ports = None
-        if self.port:
-            ports = [
+        ports = (
+            [
                 ContainerPort(
                     internal=self.port,
                 ),
             ]
-        checks = None
-        if self.check and self.port:
-            checks = [
+            if self.port
+            else None
+        )
+        checks = (
+            [
                 ContainerCheck(
                     delay=60,
                     interval=10,
@@ -447,6 +481,9 @@ def run(self):
                     teardown=True,
                 ),
             ]
+            if self.check and self.port
+            else None
+        )
         plan = WorkloadPlan(
             name=self.name,
             namespace=self.namespace,

gpustack_runtime/deployer/__types__.py

@@ -21,6 +21,7 @@
 )
 from .__utils__ import (
     correct_runner_image,
+    fnv1a_32_hex,
     fnv1a_64_hex,
     is_rfc1123_domain_name,
     safe_json,
@@ -169,6 +170,18 @@ class ContainerExecution(ContainerSecurity):
     Attributes:
         working_dir (str | None):
             Working directory for the container.
+        entrypoint (str | None):
+            Entrypoint content for the container,
+            only work if `readonly_rootfs` is False.
+            When it is set, it will override the `command` field.
+            For example,
+
+            ```
+                #!/bin/sh
+
+                echo "Hello, World!"
+                exec /path/to/bin "$@"
+            ```
         command (list[str] | None):
             Command to run in the container.
         args (list[str] | None):
@@ -191,6 +204,20 @@ class ContainerExecution(ContainerSecurity):
     """
     Working directory for the container.
     """
+    entrypoint: str | None = None
+    """
+    Entrypoint content for the container,
+    only work if `readonly_rootfs` is False.
+    When it is set, it will override the `command` field.
+    For example,
+
+    ```
+        #!/bin/sh
+
+        echo "Hello, World!"
+        exec /path/to/bin "$@"
+    ```
+    """
     command: list[str] | None = None
     """
     Command to run in the container.
@@ -974,6 +1001,22 @@ def validate_and_default(self):
                     c.restart_policy = ContainerRestartPolicyEnum.NEVER
             elif not c.restart_policy:
                 c.restart_policy = ContainerRestartPolicyEnum.ALWAYS
+            # Mutate container entrypoint.
+            if c.execution and c.execution.entrypoint:
+                if c.execution.readonly_rootfs:
+                    msg = f"Readonly rootfs Container '{c.name}' cannot have an entrypoint."
+                    raise ValueError(msg)
+                entrypoint_script_name = f"/gpustack-entrypoint-{fnv1a_32_hex(c.name)}"
+                entrypoint_file = ContainerFile(
+                    path=entrypoint_script_name,
+                    mode=0o755,
+                    content=c.execution.entrypoint,
+                )
+                if not c.files:
+                    c.files = []
+                c.files.append(entrypoint_file)
+                c.execution.command = [entrypoint_script_name]  # Override command.
+                c.execution.entrypoint = None
             # Add default registry if needed.
             if (
                 envs.GPUSTACK_RUNTIME_DEPLOY_DEFAULT_REGISTRY

gpustack_runtime/deployer/docker.py

@@ -600,16 +600,14 @@ def _create_pause_container(
             # TODO(thxCode): check if the container matches the spec
             return container
 
-        security_opt = [
-            "no-new-privileges",
-        ]
         privileged = any(
             c.execution.privileged
             for c in workload.containers
             if c.profile == ContainerProfileEnum.RUN and c.execution
         )
-        if privileged:
-            security_opt.append("label=disable")
+        security_opt = [
+            "no-new-privileges",
+        ]
 
         create_options: dict[str, Any] = {
             "name": container_name,

tests/gpustack_runtime/deployer/fixtures/test_nginx_entrypoint.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+set -e
+
+entrypoint_log() {
+    if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+        echo "$@"
+    fi
+}
+
+if [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then
+    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+        entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+        entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
+        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+            case "$f" in
+                *.envsh)
+                    if [ -x "$f" ]; then
+                        entrypoint_log "$0: Sourcing $f";
+                        . "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        entrypoint_log "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *.sh)
+                    if [ -x "$f" ]; then
+                        entrypoint_log "$0: Launching $f";
+                        "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        entrypoint_log "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *) entrypoint_log "$0: Ignoring $f";;
+            esac
+        done
+
+        entrypoint_log "$0: Configuration complete; ready for start up"
+    else
+        entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+    fi
+fi
+
+echo "Hello GPUStack Runtime Deployer!"
+
+exec "$@"