ollama: UID 815 (was 818, collided with searxng) + loopback IPv4 bind

Kabuki94 · Kabuki94 · commit 9702d430d69a · 2026-05-11T12:17:29.000-04:00
Two compounding bugs both broke ollama on the operator's 2026-05-11
install:

1. automation/lib/globals.sh + globals.ps1 hardcoded MIOS_OLLAMA_UID
   to 818. usr/lib/sysusers.d/50-mios-services.conf reserves
   mios-ollama at 815 (818 is mios-searxng). The renderer exported
   MIOS_OLLAMA_UID=818 into 15-render-quadlets.sh's env, which then
   substituted the Quadlet's `User=${MIOS_OLLAMA_UID:-815}` template
   to literal `User=818`. ollama started as UID 818, host bind-mount
   /var/lib/ollama is chowned to UID 815 (mios-ollama per sysusers),
   container died with:
     Error: could not create directory
     mkdir /var/lib/ollama/.ollama: permission denied

2. After fixing UID, ollama bound `*:11434` -- AF_INET6 dual-stack,
   not AF_INET. WSL2 NAT-mode localhostForwarding only forwards
   AF_INET binds, so Windows-side 127.0.0.1:11434 still TIMED OUT.
   Same Go-net.Listen-upgrades-to-dual-stack pattern that hit
   mios-forge (gitea) earlier today.

Fix the UID in BOTH globals.sh and globals.ps1 so the renderer (bash)
and any PowerShell-side codepath both pick up 815. Switch ollama's
OLLAMA_HOST env to 127.0.0.1:N so Go's net.Listen takes the AF_INET
literal path. Verified live: TcpClient.ConnectAsync 127.0.0.1:11434
returns OK after both fixes.

7/7 MiOS service ports now reachable on Windows-side localhost:
  3000 forge / 3030 webui / 8080 ai / 8642 hermes /
  8888 searxng / 9090 cockpit / 11434 ollama

LAN-side reach for forge + ollama (the two loopback-only binds) is
the next follow-up -- both need the same socat AF_INET wildcard
bridge to AF_INET6 loopback that webui/ai/hermes/searxng already get
free via their native binds.
diff --git a/automation/lib/globals.ps1 b/automation/lib/globals.ps1
@@ -44,8 +44,12 @@ $script:MIOS_AI_UID       = if ($env:MIOS_AI_UID)       { [int]$env:MIOS_AI_UID
 $script:MIOS_AI_GID       = if ($env:MIOS_AI_GID)       { [int]$env:MIOS_AI_GID }  else { 817 }
 
 $script:MIOS_OLLAMA_USER  = if ($env:MIOS_OLLAMA_USER)  { $env:MIOS_OLLAMA_USER }  else { 'mios-ollama' }
-$script:MIOS_OLLAMA_UID   = if ($env:MIOS_OLLAMA_UID)   { [int]$env:MIOS_OLLAMA_UID } else { 818 }
-$script:MIOS_OLLAMA_GID   = if ($env:MIOS_OLLAMA_GID)   { [int]$env:MIOS_OLLAMA_GID } else { 818 }
+# 815 -- MUST match usr/lib/sysusers.d/50-mios-services.conf. Was 818
+# (typo, collided with mios-searxng). Caused ollama container to start
+# as UID 818 and `mkdir /var/lib/ollama/.ollama` -> permission denied
+# because the host bind-mount is chowned to UID 815 (mios-ollama).
+$script:MIOS_OLLAMA_UID   = if ($env:MIOS_OLLAMA_UID)   { [int]$env:MIOS_OLLAMA_UID } else { 815 }
+$script:MIOS_OLLAMA_GID   = if ($env:MIOS_OLLAMA_GID)   { [int]$env:MIOS_OLLAMA_GID } else { 815 }
 
 $script:MIOS_CEPH_USER    = if ($env:MIOS_CEPH_USER)    { $env:MIOS_CEPH_USER }    else { 'mios-ceph' }
 $script:MIOS_CEPH_UID     = if ($env:MIOS_CEPH_UID)     { [int]$env:MIOS_CEPH_UID }  else { 819 }
diff --git a/automation/lib/globals.sh b/automation/lib/globals.sh
@@ -63,8 +63,16 @@ export MIOS_VERSION
 : "${MIOS_AI_GID:=817}"
 
 : "${MIOS_OLLAMA_USER:=mios-ollama}"
-: "${MIOS_OLLAMA_UID:=818}"
-: "${MIOS_OLLAMA_GID:=818}"
+# UID/GID 815 -- MUST match usr/lib/sysusers.d/50-mios-services.conf
+# (`u mios-ollama 815:mios-ollama ...`). Was 818 by typo, which collided
+# with mios-searxng (also 818). The renderer exported MIOS_OLLAMA_UID=818
+# into 15-render-quadlets.sh's env, the Quadlet's `${MIOS_OLLAMA_UID:-815}`
+# template substituted to 818, the container started as UID 818 (searxng's
+# user), and `mkdir /var/lib/ollama/.ollama` failed with "permission
+# denied" because the host bind-mount /var/lib/ollama is chowned to
+# mios-ollama (UID 815). Operator-flagged 2026-05-11.
+: "${MIOS_OLLAMA_UID:=815}"
+: "${MIOS_OLLAMA_GID:=815}"
 
 : "${MIOS_CEPH_USER:=mios-ceph}"
 : "${MIOS_CEPH_UID:=819}"
diff --git a/usr/share/containers/systemd/ollama.container b/usr/share/containers/systemd/ollama.container
@@ -35,10 +35,16 @@ AutoUpdate=registry
 # missing-user issue).
 User=${MIOS_OLLAMA_UID:-815}
 Group=${MIOS_OLLAMA_GID:-815}
-# Bind 0.0.0.0 inside the container so the API is reachable from the
-# host LAN, sibling containers, and loopback. PublishPort with explicit
-# 0.0.0.0 on the host side makes the surface contract explicit.
-Environment=OLLAMA_HOST=0.0.0.0:${MIOS_PORT_OLLAMA:-11434}
+# 127.0.0.1, NOT 0.0.0.0. ollama (Go binary, same pattern as gitea)
+# calls net.Listen("tcp", $OLLAMA_HOST) which upgrades 0.0.0.0 to
+# AF_INET6 dual-stack (`*:N` in ss output); WSL2 NAT-mode
+# localhostForwarding only forwards AF_INET binds. Loopback v4 keeps
+# the API reachable on Windows-side 127.0.0.1:11434 (Open WebUI /
+# Hermes / Claude Code on Windows -- the common case). LAN-side
+# reach for phone / second laptop is handled by the same socat
+# 0.0.0.0:N -> 127.0.0.1:N bridge that mios-forge needs (tracked
+# as follow-up). Operator-flagged 2026-05-11.
+Environment=OLLAMA_HOST=127.0.0.1:${MIOS_PORT_OLLAMA:-11434}
 Environment=OLLAMA_ORIGINS=*
 # Point ollama at the writable runtime store. mios-ollama-firstboot.
 # service hardlink-copies the build-baked seed (/usr/share/ollama/
