add --ngl to specify the number of gpu layers, and --keep-groups so podman has access to gpu #659

Merged
merged 1 commit into from
Feb 2, 2025

Collaborator

@khumarahn khumarahn commented Jan 29, 2025

Hi. This follows an invitation to submit a PR in #655

I do not feel qualified to submit PRs to ramalama, but I tried to keep it as simple as possible, and to not change any defaults.

With these changes the following works on my system (gentoo linux, an ancient 1080ti with just 11gb of GPU memory):

ramalama --keep-groups --ngl 34 serve --name deepseek deepseek-r1:32b

I didn't touch the documentation yet, hope to get feedback first.

Summary by Sourcery

Add two new command-line options: --ngl to specify the number of GPU layers to use and --keep-groups to give podman access to the GPU.

New Features:

  • Added --ngl option to control the number of GPU layers used by the model.
  • Added --keep-groups option for podman to enable GPU access.

Summary by Sourcery

Add support for specifying the number of GPU layers to offload using the --ngl option, and allow keeping user groups when using podman with the --keep-groups flag.

New Features:

  • Added --ngl option to specify the number of GPU layers to use.
  • Added --keep-groups option to pass --group-add keep-groups to podman when launching the container. This is useful for enabling GPU access in some systems, but has security implications.

Contributor

sourcery-ai bot commented Jan 29, 2025

Reviewer's Guide by Sourcery

This pull request introduces two new command-line options: --ngl to specify the number of GPU layers to use and --keep-groups to give podman access to the GPU. The changes modify the way arguments are passed to the llama.cpp executables and to the container engine.

Sequence diagram for GPU layer configuration and container setup

sequenceDiagram
    participant User
    participant CLI
    participant Model
    participant Container

    User->>CLI: ramalama --keep-groups --ngl 34
    CLI->>Model: setup_container(args)
    alt Using podman
        Model->>Container: Add --group-add keep-groups
    end
    Model->>Model: gpu_args(args)
    Note over Model: Configure GPU layers
    Model->>Container: Execute with specified ngl value
    Container-->>User: Run model with GPU configuration

Class diagram showing updated Model class with GPU configuration

classDiagram
    class Model {
        +setup_container(args)
        +gpu_args(args, runner)
        +build_exec_args_perplexity(args, model_path)
        +build_exec_args_bench(args, model_path)
        +build_exec_args_run(args, model_path, prompt)
        +handle_runtime(args, exec_args, exec_model_path)
    }
    note for Model "Modified gpu_args to use args.ngl
Updated container setup for GPU access"

File-Level Changes

Change: Added the --ngl option to control the number of GPU layers used by the model.
Details:
  • Added a new --ngl argument to the CLI parser.
  • Added a new ngl configuration option.
  • Modified the gpu_args function to accept the args object and use the ngl value.
  • Modified the build_exec_args_* functions to pass the ngl value to the llama.cpp executables.
  • Added documentation for the new option.
Files:
  • ramalama/model.py
  • ramalama/cli.py
  • docs/ramalama.conf
  • docs/ramalama.conf.5.md
  • docs/ramalama.1.md

Change: Added the --keep-groups option for podman to enable GPU access.
Details:
  • Added a new --keep-groups argument to the CLI parser.
  • Added a new keep_groups configuration option.
  • Modified the setup_container function to add the --group-add keep-groups argument to podman when the option is enabled.
  • Added documentation for the new option.
Files:
  • ramalama/model.py
  • ramalama/cli.py
  • docs/ramalama.conf
  • docs/ramalama.conf.5.md
  • docs/ramalama.1.md

Contributor

@sourcery-ai sourcery-ai bot left a comment

Hey @khumarahn - I've reviewed your changes - here's some feedback:

Overall Comments:

  • Please add documentation explaining the security implications of --keep-groups and when users should/shouldn't use this option
  • Consider splitting this PR into two separate ones: one for --ngl and another for the security-sensitive --keep-groups feature
Here's what I looked at during the review
  • 🟡 General issues: 1 issue found
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good

@khumarahn
Collaborator Author

@sourcery-ai review

Contributor

@sourcery-ai sourcery-ai bot left a comment

Hey @khumarahn - I've reviewed your changes - here's some feedback:

Overall Comments:

  • Please add input validation for the --ngl parameter to ensure it's a valid positive integer.
  • The --keep-groups option needs more detailed documentation about its security implications and when it should/shouldn't be used.
Here's what I looked at during the review
  • 🟡 General issues: 1 issue found
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good

@khumarahn khumarahn changed the title from "WIP: add two command line options: --ngl to specify the number of gpu layers, and --keep-groups so podman has access to gpu" to "add two command line options: --ngl to specify the number of gpu layers, and --keep-groups so podman has access to gpu" Jan 30, 2025
@khumarahn khumarahn changed the title from "add two command line options: --ngl to specify the number of gpu layers, and --keep-groups so podman has access to gpu" to "add --ngl to specify the number of gpu layers, and --keep-groups so podman has access to gpu" Jan 30, 2025
@khumarahn
Collaborator Author

I added the docs, I think this is ready for a review

@sourcery-ai review

@ericcurtin
Collaborator

@khumarahn changes look fine, CI failed around documentation man pages. You basically need to keep running this:

hack/xref-helpmsgs-manpages

and change things until it agrees you've done it right.

@@ -109,6 +109,13 @@ The default can be overridden in the ramalama.conf file or via the the
RAMALAMA_IMAGE environment variable. `export RAMALAMA_TRANSPORT=quay.io/ramalama/aiimage:latest` tells
RamaLama to use the `quay.io/ramalama/aiimage:latest` image.

#### **--keep-groups**
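
Review bot: in the unchanged context directly above the new `#### **--keep-groups**` heading, the sentence names the RAMALAMA_IMAGE environment variable but the example exports RAMALAMA_TRANSPORT, and "via the the" has a doubled word. Since this hunk already touches the section, fix both here so the image override documented next to a security-sensitive option is unambiguous.
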
Member

I would prefer to have RamaLama figure this out, or always set it when Podman is used in rootless mode.
Users are not going to understand when and when not to use this.

Collaborator Author

I think this should be a decision of maintainers...

I think that "keep-groups" should only be enabled when necessary, and I can't think of a bulletproof logic to determine when it is necessary. So keeping it as an option, off by default, seemed sensible.

Member

The downside of using it all of the time is a leak of GIDs into the container when not necessary. Add an option to allow users to disable it for security purposes, but I think we should enable it by default for rootless containers so that users will not stumble upon it.

ramalama/cli.py Outdated
parser.add_argument(
"--keep-groups",
dest="podman_keep_groups",
default=False,
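
Review bot: `default=False` on the `--keep-groups` argument is a literal, so the setting cannot be changed from ramalama.conf and the CLI and the config file can disagree about it. Take the default from the loaded configuration value and keep that value off unless set, so there is one place to audit whether host groups are passed to podman.
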
Member

Add function to detect, also option should be configurable in ramalama.conf file.

Collaborator Author

What is the right way to detect a rootless podman? I found how to detect podman by os.path.basename(args.engine) == "podman", but I'm not sure about rootless

@rhatdan
Member

rhatdan commented Feb 1, 2025

There is something wrong with ubi9 images.

@rhatdan
Member

rhatdan commented Feb 1, 2025

Please squash your commits.

@khumarahn
Collaborator Author

@rhatdan I added the options to ramalama.conf.

I don't know how to detect if podman is running rootless to turn on keep-groups. Also, I'm not sure this is needed: it goes against the least privilege principle. And turning on this option would be the easiest thing to do for people running gpu in containers (e.g. with nvidia one has to first set up their container toolkit, and keep it updated with the drivers update)

Signed-off-by: Alexey Korepanov <[email protected]>
@khumarahn
Collaborator Author

Please squash your commits.

done

@khumarahn
Collaborator Author

@sourcery-ai review

Contributor

@sourcery-ai sourcery-ai bot left a comment

Hey @khumarahn - I've reviewed your changes - here's some feedback:

Overall Comments:

  • Please add more detailed documentation about the security implications of using --keep-groups. What specific permissions are being granted and what are the potential risks?
  • Consider adding validation to ensure the --ngl parameter is a positive integer
Here's what I looked at during the review
  • 🟡 General issues: 3 issues found
  • 🟡 Security: 2 issues found
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good

Comment on lines +112 to +114
#### **--keep-groups**
pass --group-add keep-groups to podman (default: False)
Needed to access the gpu on some systems, but has an impact on security, use with caution.
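
Review bot: the second line, `pass --group-add keep-groups to podman (default: False)`, does not say what the flag does when the container engine is not podman. State whether it is ignored or rejected for other engines, so a user who sets it does not assume GPU group access they are not getting.
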
Contributor

🚨 suggestion (security): Elaborate on the security implications of --keep-groups.

What are the specific security implications of using this flag?

Suggested change
#### **--keep-groups**
pass --group-add keep-groups to podman (default: False)
Needed to access the gpu on some systems, but has an impact on security, use with caution.
#### **--keep-groups**
pass --group-add keep-groups to podman (default: False)
Needed to access the gpu on some systems, but has significant security implications:
- Preserves the host user's supplementary group memberships inside the container
- Could grant the container unnecessary elevated privileges through group memberships (e.g., disk, docker, sudo)
- May allow container processes to access host system resources that share the same group permissions
- Breaks container isolation principles by sharing host's security context
Only use this flag if GPU access cannot be achieved through more secure methods like specific device mapping.

Collaborator

I think these are great suggestions for documentation at least, dunno if you saw this bot comment @rhatdan @khumarahn
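
An added example, not part of this PR or of ramalama's code: a pre-flight check that lists which host supplementary groups `--group-add keep-groups` would carry into the container, the GID leak discussed in this thread. The group name sets, the function names and the refuse-on-sensitive policy are assumptions made for illustration.

```python
import grp
import os

# Assumption: groups that commonly own GPU device nodes on Linux hosts.
GPU_GROUPS = {"video", "render"}
# Powerful groups named as examples in the review comment above.
SENSITIVE_GROUPS = {"disk", "docker", "sudo"}


def resolve_gid(gid):
    """Map a numeric GID to its name; unnamed GIDs are shown as numbers."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_keep_groups(gids, primary_gid, resolve=resolve_gid):
    """Classify the supplementary groups keep-groups would carry along."""
    report = {"gpu": [], "sensitive": [], "other": []}
    for gid in sorted(set(gids) - {primary_gid}):
        name = resolve(gid)
        if name in GPU_GROUPS:
            report["gpu"].append(name)
        elif name in SENSITIVE_GROUPS:
            report["sensitive"].append(name)
        else:
            report["other"].append(name)
    return report


def podman_group_args(report, keep_groups):
    """Extra podman arguments; refuse when a sensitive group would leak.

    Refusing is a policy chosen for this example, not ramalama behaviour.
    """
    if not keep_groups:
        return []
    if report["sensitive"]:
        raise PermissionError(
            "keep-groups would expose: " + ", ".join(report["sensitive"])
        )
    return ["--group-add", "keep-groups"]


if __name__ == "__main__":
    # Audit the groups of the user who would launch the container.
    print(audit_keep_groups(os.getgroups(), os.getgid()))
```

Anything listed under "other" is also retained by the container process, so a short list there is the goal even when nothing is flagged as sensitive.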

@rhatdan
Member

rhatdan commented Feb 2, 2025

LGTM

@rhatdan rhatdan merged commit 3032571 into containers:main Feb 2, 2025
10 of 11 checks passed
gpu_args = []
if (
force
args.gpu
Collaborator

I don't think this PR is correct, on systems with integrated graphics we don't want to use GPU acceleration, it's typically much slower than CPU inferencing, practically unusable.

With the default being a static 999 this will always be the case now, which is not good. We should look at this again before we spin up a new release.

Collaborator

We can have this option but the default being 999 is not good

Collaborator Author

I don't think I changed any existing logic here, I just added two options that allow ramalama to work on my system. The default of 999 layers is of course questionable

Collaborator

It's the lack of VRAM on integrated graphics also, most of the time one will crash on one of these systems because of running out of VRAM

Collaborator Author

Sure, but somehow ramalama works on my laptop with no gpu without any configuration. This PR did not change the default behaviour of ramalama, unless I'm missing something

Collaborator

@ericcurtin ericcurtin Feb 2, 2025

We should try and figure out why 999 was or wasn't included on your system

@khumarahn khumarahn deleted the 1 branch February 2, 2025 18:11