2024-04-11 07:19:24 +00:00
package cli
import (
2025-11-12 19:48:56 +00:00
"context"
2024-04-11 07:19:24 +00:00
"encoding/json"
2024-07-10 11:18:32 +00:00
"errors"
2024-04-11 07:19:24 +00:00
"fmt"
2024-06-23 08:24:36 +00:00
cliContext "github.com/mudler/LocalAI/core/cli/context"
2024-06-24 15:32:12 +00:00
"github.com/mudler/LocalAI/core/config"
2026-03-29 22:47:27 +00:00
"github.com/mudler/LocalAI/core/services/galleryop"
feat(llama.cpp): Totally decentralized, private, distributed, p2p inference (#2343)
* feat(llama.cpp): Enable decentralized, distributed inference
As https://github.com/mudler/LocalAI/pull/2324 introduced distributed inferencing thanks to
@rgerganov implementation in https://github.com/ggerganov/llama.cpp/pull/6829 in upstream llama.cpp, now
it is possible to distribute the workload to remote llama.cpp gRPC server.
This changeset now uses mudler/edgevpn to establish a secure, distributed network between the nodes using a shared token.
The token is generated automatically when starting the server with the `--p2p` flag, and can be used by starting the workers
with `local-ai worker p2p-llama-cpp-rpc` by passing the token via environment variable (TOKEN) or with args (--token).
As per how mudler/edgevpn works, a network is established between the server and the workers with dht and mdns discovery protocols,
the llama.cpp rpc server is automatically started and exposed to the underlying p2p network so the API server can connect on.
When the HTTP server is started, it will discover the workers in the network and automatically create the port-forwards to the service locally.
Then llama.cpp is configured to use the services.
This feature is behind the "p2p" GO_FLAGS
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
* go mod tidy
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
* ci: add p2p tag
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
* better message
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
---------
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
2024-05-20 17:17:59 +00:00
2024-06-24 15:32:12 +00:00
"github.com/mudler/LocalAI/core/gallery"
2025-07-24 13:03:41 +00:00
"github.com/mudler/LocalAI/core/startup"
2024-06-23 08:24:36 +00:00
"github.com/mudler/LocalAI/pkg/downloader"
2025-08-28 17:11:02 +00:00
"github.com/mudler/LocalAI/pkg/model"
2025-08-14 17:38:26 +00:00
"github.com/mudler/LocalAI/pkg/system"
2025-12-21 18:33:13 +00:00
"github.com/mudler/xlog"
2024-04-11 07:19:24 +00:00
"github.com/schollz/progressbar/v3"
)
type ModelsCMDFlags struct {
2025-06-27 16:25:44 +00:00
Galleries string ` env:"LOCALAI_GALLERIES,GALLERIES" help:"JSON list of galleries" group:"models" default:"$ { galleries}" `
BackendGalleries string ` env:"LOCALAI_BACKEND_GALLERIES,BACKEND_GALLERIES" help:"JSON list of backend galleries" group:"backends" default:"$ { backends}" `
ModelsPath string ` env:"LOCALAI_MODELS_PATH,MODELS_PATH" type:"path" default:"$ { basepath}/models" help:"Path containing models used for inferencing" group:"storage" `
BackendsPath string ` env:"LOCALAI_BACKENDS_PATH,BACKENDS_PATH" type:"path" default:"$ { basepath}/backends" help:"Path containing backends used for inferencing" group:"storage" `
2024-04-11 07:19:24 +00:00
}
type ModelsList struct {
ModelsCMDFlags ` embed:"" `
}
type ModelsInstall struct {
2025-06-27 16:25:44 +00:00
DisablePredownloadScan bool ` env:"LOCALAI_DISABLE_PREDOWNLOAD_SCAN" help:"If true, disables the best-effort security scanner before downloading any files." group:"hardening" default:"false" `
feat(gallery): verify backend OCI images with keyless cosign (#9823)
* feat(gallery): verify backend OCI images with keyless cosign
Close a trust gap where a registry compromise or MITM could silently
replace a backend image: the gallery YAML tells LocalAI which image to
pull, but until now nothing verified the bytes came from our CI.
Consumer (pkg/oci/cosignverify):
- New package using sigstore-go to verify keyless-cosign signatures.
- OCI 1.1 referrers API + new bundle format (no legacy :tag.sig).
- Policy fields: Issuer / IssuerRegex / Identity / IdentityRegex /
NotBefore. NotBefore is the revocation lever — keyless Fulcio certs
are ephemeral so revocation is policy-side; advancing not_before in
the gallery YAML invalidates every signature predating the cutoff.
- TUF trusted root cached process-wide so N backends from one gallery
do 1 fetch, not N.
Plumbing:
- pkg/downloader: ImageVerifier interface + WithImageVerifier option
threaded through DownloadFileWithContext. Verification runs between
oci.GetImage and oci.ExtractOCIImage, with digest pinning via
pinnedImageRef to close the TOCTOU window. Skips the verifier's HEAD
when the ref is already digest-pinned.
- core/config: Gallery.Verification YAML block.
- core/gallery: backendDownloadOptions builds the verifier from the
policy; applied on initial URI, mirrors, and tag fallbacks.
- core/gallery/upgrade: the upgrade path now routes through the same
options builder. A regression Ginkgo spec pins this contract —
without it, UpgradeBackend silently bypassed verification.
- core/cli: --require-backend-integrity (LOCALAI_REQUIRE_BACKEND_INTEGRITY)
escalates missing policy / empty SHA256 from warn to hard-fail.
Producer (.github/workflows/backend_merge.yml):
- id-token: write at job scope (PR-fork-safe via existing event gate).
- sigstore/cosign-installer@v3 pinned to v2.4.1.
- After each docker buildx imagetools create, resolve the manifest
list digest and run cosign sign --recursive --new-bundle-format
--registry-referrers-mode=oci-1-1 against repo@digest. --recursive
signs the index and every per-arch entry, matching how the consumer
resolves a tag to a platform-specific manifest before verifying.
Rollout: backend/index.yaml has no `verification:` block yet, so this
PR is backward-compatible — installs proceed with a warning until the
gallery is populated. Strict mode is opt-in.
Assisted-by: claude-code:claude-opus-4-7 [Bash] [Edit] [Read] [Write] [WebSearch] [WebFetch]
Signed-off-by: Richard Palethorpe <io@richiejp.com>
* refactor(gallery): plumb RequireBackendIntegrity through config instead of env
The previous implementation re-exported the --require-backend-integrity
CLI flag into LOCALAI_REQUIRE_BACKEND_INTEGRITY via os.Setenv, then
re-read it in core/gallery via os.Getenv. This leaked process state
into the gallery package and made the flag impossible to override
per-call or test without touching the env.
Add RequireBackendIntegrity to ApplicationConfig (with a matching
WithRequireBackendIntegrity AppOption) and thread the bool through
every install/upgrade path: InstallBackend, InstallBackendFromGallery,
UpgradeBackend, InstallModelFromGallery, InstallExternalBackend,
ApplyGalleryFromString/File, startup.InstallModels. Worker subcommands
gain the same env-bound flag on WorkerFlags so distributed-worker
installs honor it consistently with the worker daemon path.
Add a forbidigo lint rule against os.Getenv / os.LookupEnv / os.Environ
to keep the env-leak pattern from creeping back. Existing offenders
(p2p, config loaders, etc.) are baseline-grandfathered by the existing
new-from-merge-base: origin/master setting; targeted path exclusions
cover the legitimate cases — kong CLI entry points, backend
subprocesses, system capability probes, gRPC AUTH_TOKEN inheritance,
test gating env vars.
Assisted-by: claude-code:claude-opus-4-7
Signed-off-by: Richard Palethorpe <io@richiejp.com>
---------
Signed-off-by: Richard Palethorpe <io@richiejp.com>
2026-05-18 06:02:20 +00:00
RequireBackendIntegrity bool ` env:"LOCALAI_REQUIRE_BACKEND_INTEGRITY,REQUIRE_BACKEND_INTEGRITY" help:"If true, reject backend installs without a configured signature verification policy (OCI URIs) or SHA256 (tarball/HTTP URIs)." group:"hardening" default:"false" `
2025-06-27 16:25:44 +00:00
AutoloadBackendGalleries bool ` env:"LOCALAI_AUTOLOAD_BACKEND_GALLERIES" help:"If true, automatically loads backend galleries" group:"backends" default:"true" `
ModelArgs [ ] string ` arg:"" optional:"" name:"models" help:"Model configuration URLs to load" `
2024-04-11 07:19:24 +00:00
ModelsCMDFlags ` embed:"" `
}
type ModelsCMD struct {
2024-04-22 04:34:59 +00:00
List ModelsList ` cmd:"" help:"List the models available in your galleries" default:"withargs" `
2024-04-11 07:19:24 +00:00
Install ModelsInstall ` cmd:"" help:"Install a model from the gallery" `
}
feat(llama.cpp): Totally decentralized, private, distributed, p2p inference (#2343)
* feat(llama.cpp): Enable decentralized, distributed inference
As https://github.com/mudler/LocalAI/pull/2324 introduced distributed inferencing thanks to
@rgerganov implementation in https://github.com/ggerganov/llama.cpp/pull/6829 in upstream llama.cpp, now
it is possible to distribute the workload to remote llama.cpp gRPC server.
This changeset now uses mudler/edgevpn to establish a secure, distributed network between the nodes using a shared token.
The token is generated automatically when starting the server with the `--p2p` flag, and can be used by starting the workers
with `local-ai worker p2p-llama-cpp-rpc` by passing the token via environment variable (TOKEN) or with args (--token).
As per how mudler/edgevpn works, a network is established between the server and the workers with dht and mdns discovery protocols,
the llama.cpp rpc server is automatically started and exposed to the underlying p2p network so the API server can connect on.
When the HTTP server is started, it will discover the workers in the network and automatically create the port-forwards to the service locally.
Then llama.cpp is configured to use the services.
This feature is behind the "p2p" GO_FLAGS
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
* go mod tidy
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
* ci: add p2p tag
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
* better message
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
---------
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
2024-05-20 17:17:59 +00:00
func ( ml * ModelsList ) Run ( ctx * cliContext . Context ) error {
2024-06-24 15:32:12 +00:00
var galleries [ ] config . Gallery
2024-04-11 07:19:24 +00:00
if err := json . Unmarshal ( [ ] byte ( ml . Galleries ) , & galleries ) ; err != nil {
2025-12-21 18:33:13 +00:00
xlog . Error ( "unable to load galleries" , "error" , err )
2024-04-11 07:19:24 +00:00
}
2025-08-14 17:38:26 +00:00
systemState , err := system . GetSystemState (
system . WithModelPath ( ml . ModelsPath ) ,
system . WithBackendPath ( ml . BackendsPath ) ,
)
if err != nil {
return err
}
models , err := gallery . AvailableGalleryModels ( galleries , systemState )
2024-04-11 07:19:24 +00:00
if err != nil {
return err
}
for _ , model := range models {
if model . Installed {
fmt . Printf ( " * %s@%s (installed)\n" , model . Gallery . Name , model . Name )
} else {
fmt . Printf ( " - %s@%s\n" , model . Gallery . Name , model . Name )
}
}
return nil
}
feat(llama.cpp): Totally decentralized, private, distributed, p2p inference (#2343)
* feat(llama.cpp): Enable decentralized, distributed inference
As https://github.com/mudler/LocalAI/pull/2324 introduced distributed inferencing thanks to
@rgerganov implementation in https://github.com/ggerganov/llama.cpp/pull/6829 in upstream llama.cpp, now
it is possible to distribute the workload to remote llama.cpp gRPC server.
This changeset now uses mudler/edgevpn to establish a secure, distributed network between the nodes using a shared token.
The token is generated automatically when starting the server with the `--p2p` flag, and can be used by starting the workers
with `local-ai worker p2p-llama-cpp-rpc` by passing the token via environment variable (TOKEN) or with args (--token).
As per how mudler/edgevpn works, a network is established between the server and the workers with dht and mdns discovery protocols,
the llama.cpp rpc server is automatically started and exposed to the underlying p2p network so the API server can connect on.
When the HTTP server is started, it will discover the workers in the network and automatically create the port-forwards to the service locally.
Then llama.cpp is configured to use the services.
This feature is behind the "p2p" GO_FLAGS
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
* go mod tidy
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
* ci: add p2p tag
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
* better message
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
---------
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
2024-05-20 17:17:59 +00:00
func ( mi * ModelsInstall ) Run ( ctx * cliContext . Context ) error {
2025-08-14 17:38:26 +00:00
systemState , err := system . GetSystemState (
system . WithModelPath ( mi . ModelsPath ) ,
system . WithBackendPath ( mi . BackendsPath ) ,
)
if err != nil {
return err
}
2026-03-29 22:47:27 +00:00
galleryService := galleryop . NewGalleryService ( & config . ApplicationConfig {
2025-12-27 10:10:28 +00:00
SystemState : systemState ,
} , model . NewModelLoader ( systemState ) )
2025-11-12 19:48:56 +00:00
err = galleryService . Start ( context . Background ( ) , config . NewModelConfigLoader ( mi . ModelsPath ) , systemState )
if err != nil {
return err
}
2024-06-24 15:32:12 +00:00
var galleries [ ] config . Gallery
2024-06-13 14:12:46 +00:00
if err := json . Unmarshal ( [ ] byte ( mi . Galleries ) , & galleries ) ; err != nil {
2025-12-21 18:33:13 +00:00
xlog . Error ( "unable to load galleries" , "error" , err )
2024-06-13 14:12:46 +00:00
}
2024-06-18 20:43:43 +00:00
2025-06-27 16:25:44 +00:00
var backendGalleries [ ] config . Gallery
if err := json . Unmarshal ( [ ] byte ( mi . BackendGalleries ) , & backendGalleries ) ; err != nil {
2025-12-21 18:33:13 +00:00
xlog . Error ( "unable to load backend galleries" , "error" , err )
2025-06-27 16:25:44 +00:00
}
2024-06-12 22:47:16 +00:00
for _ , modelName := range mi . ModelArgs {
2024-04-11 07:19:24 +00:00
2024-06-12 22:47:16 +00:00
progressBar := progressbar . NewOptions (
1000 ,
progressbar . OptionSetDescription ( fmt . Sprintf ( "downloading model %s" , modelName ) ) ,
progressbar . OptionShowBytes ( false ) ,
progressbar . OptionClearOnFinish ( ) ,
)
progressCallback := func ( fileName string , current string , total string , percentage float64 ) {
v := int ( percentage * 10 )
err := progressBar . Set ( v )
if err != nil {
2025-12-21 18:33:13 +00:00
xlog . Error ( "error while updating progress bar" , "error" , err , "filename" , fileName , "value" , v )
2024-06-12 22:47:16 +00:00
}
}
2024-06-13 14:12:46 +00:00
//startup.InstallModels()
2025-08-14 17:38:26 +00:00
models , err := gallery . AvailableGalleryModels ( galleries , systemState )
2024-04-29 13:11:42 +00:00
if err != nil {
2024-06-12 22:47:16 +00:00
return err
}
2024-08-02 18:06:25 +00:00
modelURI := downloader . URI ( modelName )
if ! modelURI . LooksLikeOCI ( ) {
2025-08-14 17:38:26 +00:00
model := gallery . FindGalleryElement ( models , modelName )
2024-06-22 06:17:41 +00:00
if model == nil {
2025-12-21 18:33:13 +00:00
xlog . Error ( "model not found" , "model" , modelName )
2024-06-22 06:17:41 +00:00
return err
}
2024-06-12 22:47:16 +00:00
2024-07-10 11:18:32 +00:00
err = gallery . SafetyScanGalleryModel ( model )
if err != nil && ! errors . Is ( err , downloader . ErrNonHuggingFaceFile ) {
return err
}
2024-06-22 06:17:41 +00:00
}
2024-07-10 11:18:32 +00:00
2025-12-12 11:28:38 +00:00
modelLoader := model . NewModelLoader ( systemState )
feat(gallery): verify backend OCI images with keyless cosign (#9823)
* feat(gallery): verify backend OCI images with keyless cosign
Close a trust gap where a registry compromise or MITM could silently
replace a backend image: the gallery YAML tells LocalAI which image to
pull, but until now nothing verified the bytes came from our CI.
Consumer (pkg/oci/cosignverify):
- New package using sigstore-go to verify keyless-cosign signatures.
- OCI 1.1 referrers API + new bundle format (no legacy :tag.sig).
- Policy fields: Issuer / IssuerRegex / Identity / IdentityRegex /
NotBefore. NotBefore is the revocation lever — keyless Fulcio certs
are ephemeral so revocation is policy-side; advancing not_before in
the gallery YAML invalidates every signature predating the cutoff.
- TUF trusted root cached process-wide so N backends from one gallery
do 1 fetch, not N.
Plumbing:
- pkg/downloader: ImageVerifier interface + WithImageVerifier option
threaded through DownloadFileWithContext. Verification runs between
oci.GetImage and oci.ExtractOCIImage, with digest pinning via
pinnedImageRef to close the TOCTOU window. Skips the verifier's HEAD
when the ref is already digest-pinned.
- core/config: Gallery.Verification YAML block.
- core/gallery: backendDownloadOptions builds the verifier from the
policy; applied on initial URI, mirrors, and tag fallbacks.
- core/gallery/upgrade: the upgrade path now routes through the same
options builder. A regression Ginkgo spec pins this contract —
without it, UpgradeBackend silently bypassed verification.
- core/cli: --require-backend-integrity (LOCALAI_REQUIRE_BACKEND_INTEGRITY)
escalates missing policy / empty SHA256 from warn to hard-fail.
Producer (.github/workflows/backend_merge.yml):
- id-token: write at job scope (PR-fork-safe via existing event gate).
- sigstore/cosign-installer@v3 pinned to v2.4.1.
- After each docker buildx imagetools create, resolve the manifest
list digest and run cosign sign --recursive --new-bundle-format
--registry-referrers-mode=oci-1-1 against repo@digest. --recursive
signs the index and every per-arch entry, matching how the consumer
resolves a tag to a platform-specific manifest before verifying.
Rollout: backend/index.yaml has no `verification:` block yet, so this
PR is backward-compatible — installs proceed with a warning until the
gallery is populated. Strict mode is opt-in.
Assisted-by: claude-code:claude-opus-4-7 [Bash] [Edit] [Read] [Write] [WebSearch] [WebFetch]
Signed-off-by: Richard Palethorpe <io@richiejp.com>
* refactor(gallery): plumb RequireBackendIntegrity through config instead of env
The previous implementation re-exported the --require-backend-integrity
CLI flag into LOCALAI_REQUIRE_BACKEND_INTEGRITY via os.Setenv, then
re-read it in core/gallery via os.Getenv. This leaked process state
into the gallery package and made the flag impossible to override
per-call or test without touching the env.
Add RequireBackendIntegrity to ApplicationConfig (with a matching
WithRequireBackendIntegrity AppOption) and thread the bool through
every install/upgrade path: InstallBackend, InstallBackendFromGallery,
UpgradeBackend, InstallModelFromGallery, InstallExternalBackend,
ApplyGalleryFromString/File, startup.InstallModels. Worker subcommands
gain the same env-bound flag on WorkerFlags so distributed-worker
installs honor it consistently with the worker daemon path.
Add a forbidigo lint rule against os.Getenv / os.LookupEnv / os.Environ
to keep the env-leak pattern from creeping back. Existing offenders
(p2p, config loaders, etc.) are baseline-grandfathered by the existing
new-from-merge-base: origin/master setting; targeted path exclusions
cover the legitimate cases — kong CLI entry points, backend
subprocesses, system capability probes, gRPC AUTH_TOKEN inheritance,
test gating env vars.
Assisted-by: claude-code:claude-opus-4-7
Signed-off-by: Richard Palethorpe <io@richiejp.com>
---------
Signed-off-by: Richard Palethorpe <io@richiejp.com>
2026-05-18 06:02:20 +00:00
err = startup . InstallModels ( context . Background ( ) , galleryService , galleries , backendGalleries , systemState , modelLoader , ! mi . DisablePredownloadScan , mi . AutoloadBackendGalleries , mi . RequireBackendIntegrity , progressCallback , modelName )
2024-06-12 22:47:16 +00:00
if err != nil {
return err
2024-04-29 13:11:42 +00:00
}
2024-04-11 07:19:24 +00:00
}
return nil
}
