fix: address review feedback on runner script

sozercan · sozercan · commit a8e31be58bd9 · 2026-03-10T16:07:55.000-07:00
- Add ca-certificates to runner dependencies for TLS verification
- Add --fail flag to curl downloads so HTTP errors (404/403) fail
  instead of silently writing error pages as model files
- Guard --model and --flag value parsing against missing arguments
  to avoid unbound variable errors with set -euo pipefail
- Use grep -qF (fixed-string) instead of grep -q (regex) for model
  cache validation to avoid false matches on dots in model IDs
diff --git a/pkg/aikit2llb/inference/runner.go b/pkg/aikit2llb/inference/runner.go
@@ -22,12 +22,13 @@ func isRunnerMode(c *config.InferenceConfig) bool {
 func installRunnerDependencies(_ *config.InferenceConfig, s llb.State, merge llb.State, platform specs.Platform) (llb.State, llb.State) {
 	savedState := s
 
-	// Install curl for HTTP/HTTPS downloads and python3 + pip for huggingface-cli.
+	// Install curl for HTTP/HTTPS downloads, ca-certificates for TLS verification,
+	// and python3 + pip for huggingface-cli.
 	// Some backends (diffusers/vllm) already install python, but llama-cpp does not,
 	// so we always install the minimal set here.
 	// Note: Runner mode is not supported for Apple Silicon (validated in build).
 	s = s.Run(
-		utils.Sh("apt-get update && apt-get install --no-install-recommends -y curl python3 python3-pip && (pip install --break-system-packages huggingface-hub[cli] 2>/dev/null || pip install huggingface-hub[cli]) && apt-get clean"),
+		utils.Sh("apt-get update && apt-get install --no-install-recommends -y curl ca-certificates python3 python3-pip && (pip install --break-system-packages huggingface-hub[cli] 2>/dev/null || pip install huggingface-hub[cli]) && apt-get clean"),
 		llb.WithCustomNamef("Installing runner dependencies for platform %s/%s", platform.OS, platform.Architecture),
 		llb.IgnoreCache,
 	).Root()
@@ -79,6 +80,7 @@ EXTRA_ARGS=()
 while [[ $# -gt 0 ]]; do
   case "$1" in
     --model)
+      [[ $# -ge 2 ]] || { echo "Error: --model requires a value"; exit 1; }
       MODEL="$2"
       shift 2
       ;;
@@ -91,8 +93,13 @@ while [[ $# -gt 0 ]]; do
       shift
       ;;
     --*)
-      EXTRA_ARGS+=("$1" "$2")
-      shift 2
+      if [[ $# -ge 2 ]]; then
+        EXTRA_ARGS+=("$1" "$2")
+        shift 2
+      else
+        EXTRA_ARGS+=("$1")
+        shift
+      fi
       ;;
     *)
       if [[ -z "$MODEL" ]]; then
@@ -179,7 +186,7 @@ else
     # Direct HTTP/HTTPS download
     echo "Downloading model from URL: $MODEL"
     FILENAME=$(basename "$MODEL")
-    curl -L --progress-bar -o "/models/$FILENAME" "$MODEL"
+    curl -fL --progress-bar -o "/models/$FILENAME" "$MODEL"
   else
     # HuggingFace repo - download GGUF files
     echo "Downloading GGUF files from HuggingFace: $MODEL"
@@ -217,7 +224,7 @@ fi
 func generateHFModelConfig(backend string) string {
 	return fmt.Sprintf(`# Check if model config matches the requested model (volume mount caching)
 MODEL_NAME=$(echo "$MODEL" | tr '/' '-')
-if [[ -f "/models/aikit-model.yaml" ]] && grep -q "model: ${MODEL}$" /models/aikit-model.yaml 2>/dev/null; then
+if [[ -f "/models/aikit-model.yaml" ]] && grep -qF "model: ${MODEL}" /models/aikit-model.yaml 2>/dev/null; then
   echo "Found existing model config matching $MODEL in /models, skipping setup"
 else
   if [[ -f "/models/aikit-model.yaml" ]]; then
diff --git a/pkg/aikit2llb/inference/runner_test.go b/pkg/aikit2llb/inference/runner_test.go
@@ -87,7 +87,7 @@ func TestGenerateRunnerScript(t *testing.T) {
 				`BACKEND="llama-cpp"`,
 				".aikit-model-ref",
 				"huggingface-cli",
-				"curl -L",
+				"curl -fL",
 				"exec /usr/bin/local-ai",
 			},
 			expectMissing: []string{
@@ -175,8 +175,10 @@ func TestGenerateRunnerScriptArgParser(t *testing.T) {
 	if !strings.Contains(script, `--*=*)`) {
 		t.Error("arg parser should handle --flag=value style arguments with single shift")
 	}
-	if !strings.Contains(script, "EXTRA_ARGS+=(\"$1\" \"$2\")") {
-		t.Error("arg parser should consume both --flag and its value argument")
+
+	// Should guard against trailing flags without values
+	if !strings.Contains(script, `[[ $# -ge 2 ]]`) {
+		t.Error("arg parser should guard against trailing flags without values")
 	}
 
 	// Should strip huggingface:// URI prefix for kubeairunway compatibility
@@ -269,8 +271,8 @@ func TestGenerateHFModelConfig(t *testing.T) {
 			script := generateHFModelConfig(tt.backend)
 
 			// Should verify cached config matches the requested model
-			if !strings.Contains(script, "grep -q") {
-				t.Error("should verify cached config matches requested model")
+			if !strings.Contains(script, "grep -qF") {
+				t.Error("should use fixed-string grep to verify cached config matches requested model")
 			}
 
 			// Should contain correct backend reference
