feat(ai): bake default model set into the image (qwen2.5-coder:7b + nomic-embed-text)

Kabuki94 · Kabuki94 · commit f49535d8be83 · 2026-05-03T18:31:21.000-04:00
Embed the global default models at build time and define the override
contract in the unified mios.toml dotfile. Tuned for the 12 GB system-
RAM baseline: CPU-only inference with ~8 GB available to the model.

Default model set (researched against the 8 GB resident envelope):
- qwen2.5-coder:7b   chat / code primary
                      Q4_K_M ~4.7 GB on disk, ~5-6 GB resident
                      Apache 2.0; 128K-token context
                      HumanEval ~88%; trained heavily on bash,
                      PowerShell, Containerfiles, systemd units, TOML
                      Strong filesystem-path reasoning
- nomic-embed-text   embeddings (v1.5)
                      ~270 MB Q4 GGUF; 768-dim; 8192-token context
                      OpenAI /v1/embeddings-shaped via LocalAI

automation/37-ollama-prep.sh -- rewritten as a real build-time baker
(was a no-op stub from the prior commit). Pulls the model set into
/usr/share/ollama/models on the immutable composefs surface (FHS-
correct for "architecture-independent immutable data files"). The
final /var cleanup at the end of the Containerfile RUN does NOT
touch /usr/share, so the seed survives into the deployed image.
- MIOS_OLLAMA_BAKE_MODELS=&lt;csv&gt; at build time overrides the default
  set; empty disables baking entirely (CI builds that just validate
  the pipeline can opt out).

automation/build.sh -- 37-ollama-prep.sh removed from
CONTAINERFILE_SCRIPTS so it runs as a regular pipeline step instead
of being orphaned.

usr/libexec/mios/ollama-firstboot.sh -- replaces the network-pull-
only first-boot path with a two-layer flow:
1. Hardlink-copy the build-baked seed (/usr/share/ollama/models) into
   /var/lib/ollama/models (the writable runtime store ollama uses
   via OLLAMA_MODELS). Hardlinks keep on-disk usage to a single copy
   until ollama mutates a manifest. cp -al falls back to plain cp -a
   on cross-FS boundaries (composefs /usr -&gt; ext4 /var).
2. Network pull only as a fallback for any model the seed did not
   include (e.g. operator overrides via /etc/mios/install.env).

usr/share/containers/systemd/ollama.container -- two volumes:
  /usr/share/ollama:/usr/share/ollama:ro,Z   immutable seed (RO)
  /var/lib/ollama:/var/lib/ollama:Z          runtime store (RW)
OLLAMA_MODELS=/var/lib/ollama/models so ollama itself reads/writes
the runtime path. The seed is reachable to firstboot via the RO
mount.

usr/lib/tmpfiles.d/mios-ollama.conf (new) -- declares
/var/lib/ollama and /var/lib/ollama/models with mios-ollama:
mios-ollama ownership. Architectural Law 2 -- /var paths are never
imperatively mkdir'd at build time.

Unified user-overrides dotfile (usr/share/mios/mios.toml + env.defaults):
the [ai] section grows four new keys with explicit semantics:
  bake_models    -- comma-separated build-time bake list
                    (-&gt; MIOS_OLLAMA_BAKE_MODELS)
  ram_floor_gb   -- recommended floor (informational; logged in
                    postcheck so operators see what they signed up for)
  seed_dir       -- /usr/share/ollama/models (immutable, build-baked)
  runtime_dir    -- /var/lib/ollama/models (writable, first-boot-seeded)
The [ai] section comment block enumerates the alternates considered
(qwen2.5-coder:14b for 24 GB+ systems, llama3.2:3b for low-RAM /
fast-response profiles) and their resource cost, so operators can
swap deliberately rather than guessing.

INDEX.md -- new section 2a documents the default set with disk /
resident sizing, license, and the build-baked / first-boot-seeded
flow so the model surface is discoverable next to the OpenAI API
endpoint table.
diff --git a/INDEX.md b/INDEX.md
@@ -35,6 +35,28 @@ the manifest at `/v1/mcp` is what MiOS agents read to populate that
 `tools` array. The `x-mios:` prefix is a documentation marker only --
 the served URL is `/v1/mcp`.
 
+### 2a. Default model set
+
+| Slot | Default | Quant | Disk | Resident | Notes |
+|---|---|---|---|---|---|
+| chat / code | `qwen2.5-coder:7b` | Q4_K_M | ~4.7 GB | ~5-6 GB | Apache 2.0; 128K context; HumanEval ~88%; multi-language including bash, PowerShell, Containerfiles, systemd units, TOML |
+| embeddings | `nomic-embed-text` (v1.5) | Q4 | ~270 MB | <1 GB | Apache 2.0; 768-dim; 8192-token context; OpenAI `/v1/embeddings`-shape via LocalAI |
+
+Sized for the 12 GB system-RAM baseline (CPU-only inference, ~8 GB
+available to the model). Build-baked into
+`/usr/share/ollama/models` (immutable composefs surface) by
+`automation/37-ollama-prep.sh`; first-boot service
+(`mios-ollama-firstboot.service`) hardlink-copies the seed into
+`/var/lib/ollama/models` (the writable `OLLAMA_MODELS` path).
+
+Override the build-time set with `MIOS_OLLAMA_BAKE_MODELS=<csv>` (e.g.
+`"qwen2.5-coder:14b,nomic-embed-text"` for 24 GB+ profiles). Override
+the runtime selection by editing `[ai].model` / `[ai].embed_model` in
+`/etc/mios/mios.toml` (host) or `~/.config/mios/mios.toml` (per-user)
+and restarting `mios-ollama.service`. The `[ai]` section in
+`usr/share/mios/mios.toml` documents the alternates considered and
+their resource cost.
+
 ## 3. Architectural laws (enforced; non-negotiable)
 
 | # | Law | Enforced by |
diff --git a/automation/37-ollama-prep.sh b/automation/37-ollama-prep.sh
@@ -1,27 +1,103 @@
 #!/bin/bash
-# 37-ollama-prep: DEPRECATED -- replaced by mios-ollama-firstboot.service.
+# 37-ollama-prep -- bake the default 'MiOS' model set into the image.
 #
-# This script tried to embed the default LLM model set into
-# /var/lib/ollama at build time, but bootc's image-commit step runs a
-# /var cleanup that removes everything except /var/{tmp,cache} (per
-# Architectural Law 2 -- NO-MKDIR-IN-VAR; /var is a mutable host
-# surface, not part of the immutable composefs layer). The pulled
-# models therefore never survive into the deployed image.
+# Models land in /usr/share/ollama/models (immutable composefs surface,
+# FHS-correct for "architecture-independent immutable data"). The
+# build-time /var cleanup at the end of the Containerfile RUN does NOT
+# touch /usr/share, so the seed survives into the deployed image.
 #
-# The work has moved to a runtime first-boot service that pulls the
-# default models AFTER the deploy, into the persistent /var/lib/ollama:
+# At first boot, mios-ollama-firstboot.service hardlink-copies the seed
+# into /var/lib/ollama/models (the writable runtime location ollama.
+# container reads/writes via OLLAMA_MODELS). Hardlinks keep the on-disk
+# footprint single-copy until ollama mutates a model file.
 #
-#   usr/lib/systemd/system/mios-ollama-firstboot.service
-#   usr/libexec/mios/ollama-firstboot.sh
+# Default model set (researched for the 12 GB RAM workstation baseline):
+#   qwen2.5-coder:7b   -- chat / code primary (~4.7 GB Q4_K_M)
+#                          best open-source coder in the 7B class as of
+#                          2026; 128K context; Apache 2.0
+#   nomic-embed-text   -- embedding (~270 MB Q4_K_M)
+#                          768-dim, 8192-token context, MTEB-competitive
 #
-# That service is sentinel-guarded (/var/lib/mios/.ollama-firstboot-
-# done) so it runs once per deploy, and the models survive
-# 'bootc upgrade' / 'bootc rollback' as ordinary /var state.
-#
-# The script is kept as an explicit no-op stub (rather than deleted)
-# so existing CONTAINERFILE_SCRIPTS references in automation/build.sh
-# don't break. Future cleanups can drop both this file and that
-# reference together.
+# Override the set with MIOS_OLLAMA_BAKE_MODELS=<csv> at build time --
+# e.g. MIOS_OLLAMA_BAKE_MODELS="qwen2.5-coder:14b,nomic-embed-text" for
+# the 24 GB+ profile. Empty value disables baking entirely (useful for
+# CI builds that only validate the pipeline).
 set -euo pipefail
-echo "[37-ollama-prep] deprecated -- model pull happens at first boot via mios-ollama-firstboot.service"
+
+# shellcheck source=lib/common.sh
+source "$(dirname "$0")/lib/common.sh"
+
+DEFAULT_MODELS="qwen2.5-coder:7b,nomic-embed-text"
+BAKE_MODELS="${MIOS_OLLAMA_BAKE_MODELS:-${DEFAULT_MODELS}}"
+BAKE_DIR="/usr/share/ollama/models"
+
+if [[ -z "$BAKE_MODELS" ]]; then
+    log "MIOS_OLLAMA_BAKE_MODELS empty -- skipping build-time model bake"
+    exit 0
+fi
+
+# Idempotency guard: if the seed dir already has manifests, assume a
+# previous bake step in this build already populated it.
+if [[ -d "${BAKE_DIR}/manifests" ]] && [[ -n "$(ls -A "${BAKE_DIR}/manifests" 2>/dev/null)" ]]; then
+    log "Seed models already present at ${BAKE_DIR}; skipping re-bake"
+    exit 0
+fi
+
+# ollama is installed as part of packages-ai (see usr/share/mios/PACKAGES.md).
+# If it's not on PATH the build context didn't include the AI pack -- skip
+# rather than fail so unrelated CI builds still pass.
+if ! command -v ollama >/dev/null 2>&1; then
+    log "ollama binary not found -- skipping bake (AI pack missing from this build)"
+    exit 0
+fi
+
+# Bake destination; OLLAMA_MODELS is the canonical override env var
+# the upstream binary respects.
+install -d -m 0755 "${BAKE_DIR}"
+export OLLAMA_MODELS="${BAKE_DIR}"
+
+# Start a temporary ollama serve instance just for the duration of the
+# pull. Detach it ourselves so we keep stable control over its lifetime.
+log "Starting transient ollama serve (host=127.0.0.1:11434, store=${BAKE_DIR})"
+OLLAMA_HOST="127.0.0.1:11434" ollama serve >/tmp/ollama-bake.log 2>&1 &
+OLLAMA_PID=$!
+
+# Wait up to 30 s for the API. If it never comes up, log + skip rather
+# than fail the build.
+for attempt in $(seq 1 15); do
+    if scurl -sf "http://127.0.0.1:11434/api/tags" >/dev/null 2>&1; then
+        break
+    fi
+    sleep 2
+done
+if ! scurl -sf "http://127.0.0.1:11434/api/tags" >/dev/null 2>&1; then
+    log "WARN: ollama serve never became reachable -- skipping bake"
+    kill "$OLLAMA_PID" 2>/dev/null || true
+    wait "$OLLAMA_PID" 2>/dev/null || true
+    exit 0
+fi
+
+# Pull each requested model. A failure on one model is non-fatal (build
+# continues; first-boot service catches up).
+failures=0
+IFS=',' read -ra MODELS <<< "$BAKE_MODELS"
+for raw_model in "${MODELS[@]}"; do
+    model="${raw_model// /}"
+    [[ -z "$model" ]] && continue
+    log "Pulling ${model} into ${BAKE_DIR}"
+    if OLLAMA_HOST="127.0.0.1:11434" ollama pull "$model"; then
+        log "  [ok] ${model}"
+    else
+        log "  [WARN] ${model} pull failed -- first-boot service will retry"
+        failures=$((failures + 1))
+    fi
+done
+
+# Stop the transient serve cleanly.
+kill "$OLLAMA_PID" 2>/dev/null || true
+wait "$OLLAMA_PID" 2>/dev/null || true
+
+# Report the on-disk size so build logs make the +N GB cost obvious.
+seed_size="$(du -sh "${BAKE_DIR}" 2>/dev/null | awk '{print $1}')"
+log "Bake complete -- ${BAKE_DIR} = ${seed_size:-?} (failures: ${failures})"
 exit 0
diff --git a/automation/build.sh b/automation/build.sh
@@ -176,7 +176,14 @@ if [[ ! -f "$PACKAGES_MD" ]]; then
 fi
 
 # ── Script classification ────────────────────────────────────────────────────
-CONTAINERFILE_SCRIPTS="08-system-files-overlay.sh 37-ollama-prep.sh 99-postcheck.sh"
+# CONTAINERFILE_SCRIPTS are explicitly skipped from the main loop because
+# they're invoked elsewhere in the build flow:
+#   08-system-files-overlay.sh -- called explicitly by the OCI overlay step
+#   99-postcheck.sh             -- called explicitly below after the loop
+# 37-ollama-prep.sh used to live here but was orphaned (never called).
+# It is now a regular pipeline step that bakes the default model set
+# into /usr/share/ollama/models, so it runs in the main loop.
+CONTAINERFILE_SCRIPTS="08-system-files-overlay.sh 99-postcheck.sh"
 
 NON_FATAL_SCRIPTS="
   05-enable-external-repos.sh
diff --git a/usr/lib/tmpfiles.d/mios-ollama.conf b/usr/lib/tmpfiles.d/mios-ollama.conf
@@ -0,0 +1,13 @@
+# /usr/lib/tmpfiles.d/mios-ollama.conf
+# Runtime state for the mios-ollama Quadlet.
+#
+# /var/lib/ollama is the writable model store ollama reads/writes via
+# OLLAMA_MODELS=/var/lib/ollama/models. mios-ollama-firstboot.service
+# seeds it at first boot from /usr/share/ollama/models (the build-time
+# bake on the immutable composefs surface).
+#
+# Architectural Law 2 (NO-MKDIR-IN-VAR): every /var path is declared
+# here, never imperatively mkdir'd at build time.
+
+d /var/lib/ollama         0755 mios-ollama mios-ollama -  -
+d /var/lib/ollama/models  0755 mios-ollama mios-ollama -  -
diff --git a/usr/libexec/mios/ollama-firstboot.sh b/usr/libexec/mios/ollama-firstboot.sh
@@ -1,56 +1,104 @@
 #!/usr/bin/env bash
 # usr/libexec/mios/ollama-firstboot.sh
 #
-# Pull the default 'MiOS' inference models on first boot. Run by
-# mios-ollama-firstboot.service after ollama.service is active. Models
-# land in /var/lib/ollama (mutable, persistent across bootc upgrades),
-# which is why this can't be done at build time -- the OCI build's
-# final /var cleanup would delete them.
+# First-boot model bootstrap for the mios-ollama Quadlet.
 #
-# Sentinel-guarded: writes /var/lib/mios/.ollama-firstboot-done so a
-# re-fire (after a bootc rollback or service restart) is a no-op.
-# Re-pulling specific models on demand is still possible via
-# 'podman exec mios-ollama ollama pull <model>'.
+# Build-time path (preferred): automation/37-ollama-prep.sh has already
+# baked the default model set into /usr/share/ollama/models on the
+# immutable composefs surface. This script hardlink-copies that seed
+# into /var/lib/ollama/models on first boot so ollama can both read
+# AND write models there (the writable runtime store), without paying
+# a second on-disk copy until ollama itself mutates a manifest.
 #
-# Default model set tracks the OpenAI-API-shaped surface advertised in
-# usr/share/mios/ai/v1/models.json; keep them in sync.
+# Network fallback: if the seed dir is empty (e.g. CI built the image
+# with MIOS_OLLAMA_BAKE_MODELS= to keep image size down), pull the
+# user-configured model set via 'podman exec mios-ollama ollama pull'.
+# The model list is read from /etc/mios/install.env (MIOS_AI_MODEL,
+# MIOS_AI_EMBED_MODEL) so the build's globally-defaulted set carries
+# through to runtime, with operator overrides taking precedence.
+#
+# Sentinel: /var/lib/mios/.ollama-firstboot-done -- delete to force
+# a re-run.
 set -euo pipefail
 # shellcheck source=/usr/lib/mios/paths.sh
 source /usr/lib/mios/paths.sh 2>/dev/null || true
 : "${MIOS_VAR_DIR:=/var/lib/mios}"
 
 SENTINEL="${MIOS_VAR_DIR}/.ollama-firstboot-done"
+SEED_DIR="/usr/share/ollama/models"
+RUNTIME_DIR="/var/lib/ollama/models"
 CONTAINER="mios-ollama"
-DEFAULT_MODELS=(
-    "qwen2.5-coder:7b"
-    "nomic-embed-text"
-)
 
 _log() { logger -t mios-ollama-firstboot "$*" 2>/dev/null || true; echo "[ollama-firstboot] $*" >&2; }
 
 if [[ -f "$SENTINEL" ]]; then
-    _log "sentinel exists ($SENTINEL); models already pulled -- nothing to do"
+    _log "sentinel exists ($SENTINEL); first-boot already done"
     exit 0
 fi
 
-# Wait for the ollama container to be running. The service unit has
-# After=ollama.service so it should be up, but the container may need
-# a few seconds to finish initializing the model store on first start.
+# ── Layer 1: hardlink-copy the build-baked seed into the runtime dir ──
+# 'cp -al' tries hardlinks first and falls back to a regular copy when
+# the source/destination cross filesystems. Models then occupy a single
+# inode-level copy until ollama mutates one of the manifest files.
+if [[ -d "$SEED_DIR" ]] && [[ -n "$(ls -A "$SEED_DIR" 2>/dev/null)" ]]; then
+    if [[ ! -d "$RUNTIME_DIR" ]] || [[ -z "$(ls -A "$RUNTIME_DIR" 2>/dev/null)" ]]; then
+        _log "Seeding $RUNTIME_DIR from $SEED_DIR (hardlink-copy)"
+        install -d -m 0755 "$RUNTIME_DIR"
+        # Two-pass: try hardlink first, fall back to plain copy if it
+        # crosses a filesystem boundary (likely between /usr composefs
+        # and /var ext4 on bootc deployments).
+        if cp -al "${SEED_DIR}/." "${RUNTIME_DIR}/" 2>/dev/null; then
+            _log "  [ok] hardlink-copy succeeded"
+        else
+            _log "  [info] hardlink crossed FS boundary; falling back to cp -a"
+            cp -a "${SEED_DIR}/." "${RUNTIME_DIR}/"
+        fi
+        chown -R mios-ollama:mios-ollama "$RUNTIME_DIR" 2>/dev/null || true
+    else
+        _log "Runtime dir $RUNTIME_DIR already populated; skipping seed copy"
+    fi
+else
+    _log "No build-baked seed at $SEED_DIR -- network pull fallback"
+fi
+
+# ── Layer 2: ensure the configured models are present, pulling any gaps ──
+# Read the runtime model selection from install.env so operators can
+# override the build-baked default without rebuilding the image.
+DEFAULT_CHAT="qwen2.5-coder:7b"
+DEFAULT_EMBED="nomic-embed-text"
+MIOS_AI_MODEL="$DEFAULT_CHAT"
+MIOS_AI_EMBED_MODEL="$DEFAULT_EMBED"
+if [[ -f /etc/mios/install.env ]]; then
+    # shellcheck disable=SC1091
+    source /etc/mios/install.env 2>/dev/null || true
+fi
+
+# Wait for the ollama container to be up. After=ollama.service in the
+# unit, but the model store may need a few seconds to settle on first
+# start.
 for attempt in 1 2 3 4 5 6 7 8 9 10; do
     if podman exec "$CONTAINER" ollama list >/dev/null 2>&1; then
         break
     fi
     _log "waiting for $CONTAINER (attempt $attempt/10)"
     sleep 5
 done
-
 if ! podman exec "$CONTAINER" ollama list >/dev/null 2>&1; then
-    _log "ERROR: $CONTAINER not reachable after 50s; aborting first-boot pull"
-    exit 1
+    _log "WARN: $CONTAINER not reachable after 50 s; skipping pull check"
+    install -d -m 0755 "$(dirname "$SENTINEL")"
+    touch "$SENTINEL"
+    exit 0
 fi
 
 failures=0
-for model in "${DEFAULT_MODELS[@]}"; do
+for model in "$MIOS_AI_MODEL" "$MIOS_AI_EMBED_MODEL"; do
+    [[ -z "$model" ]] && continue
+    # If 'ollama list' already shows it, skip the pull -- saves a long
+    # network round-trip when the build-baked seed already supplied it.
+    if podman exec "$CONTAINER" ollama list 2>/dev/null | awk 'NR>1{print $1}' | grep -qx "$model"; then
+        _log "  [present] $model"
+        continue
+    fi
     _log "pulling $model"
     if podman exec "$CONTAINER" ollama pull "$model" 2>&1 | logger -t mios-ollama-firstboot; then
         _log "  [ok] $model"
@@ -60,16 +108,15 @@ for model in "${DEFAULT_MODELS[@]}"; do
     fi
 done
 
-# Drop the sentinel even when some pulls failed -- we don't want every
-# boot to retry indefinitely. Operators can re-run by deleting the
-# sentinel: rm /var/lib/mios/.ollama-firstboot-done && systemctl start
-# mios-ollama-firstboot
+# Drop the sentinel even when some pulls fail -- avoid an indefinite
+# retry loop on every boot. Manual recovery: delete the sentinel and
+# restart mios-ollama-firstboot.service.
 install -d -m 0755 "$(dirname "$SENTINEL")"
 touch "$SENTINEL"
 
 if (( failures > 0 )); then
-    _log "first-boot pull complete with $failures failure(s)"
-    exit 0   # non-fatal so the boot doesn't degrade
+    _log "first-boot complete with $failures pull failure(s)"
+    exit 0   # non-fatal; don't degrade the boot
 fi
-_log "first-boot pull complete -- all models present"
+_log "first-boot complete -- model set ready at $RUNTIME_DIR"
 exit 0
diff --git a/usr/share/containers/systemd/ollama.container b/usr/share/containers/systemd/ollama.container
@@ -17,6 +17,20 @@ Group=mios-ollama
 # 0.0.0.0 on the host side makes the surface contract explicit.
 Environment=OLLAMA_HOST=0.0.0.0:11434
 Environment=OLLAMA_ORIGINS=*
+# Point ollama at the writable runtime store. mios-ollama-firstboot.
+# service hardlink-copies the build-baked seed (/usr/share/ollama/
+# models -- immutable composefs surface) into this path on first boot.
+# Subsequent 'ollama pull' commands write here too, so this is the
+# single source of truth ollama reads.
+Environment=OLLAMA_MODELS=/var/lib/ollama/models
+
+# Volumes (Architectural Law 2 -- /var paths declared via tmpfiles.d):
+#   /var/lib/ollama   writable runtime model store
+#   /usr/share/ollama immutable seed mounted RO so the firstboot service
+#                     and ollama itself can both reach it
+Volume=/var/lib/ollama:/var/lib/ollama:Z
+Volume=/usr/share/ollama:/usr/share/ollama:ro,Z
+
 PublishPort=0.0.0.0:11434:11434
 
 # OCI labels for Podman Desktop discovery. ollama is an alternate local
diff --git a/usr/share/mios/env.defaults b/usr/share/mios/env.defaults
@@ -48,11 +48,23 @@ MIOS_FORGE_HTTP_PORT="3000"
 MIOS_FORGE_SSH_PORT="2222"
 
 # ── AI inference (LAW 5: localhost OpenAI-compatible only) ────────────────────
+# Default model set researched for the 12 GB system-RAM workstation
+# baseline (CPU-only inference, ~8 GB available to the model):
+#   qwen2.5-coder:7b   primary chat/code (Q4_K_M ~4.7 GB on disk)
+#   nomic-embed-text   embeddings (~270 MB)
+# Both are baked into /usr/share/ollama/models at build time by
+# automation/37-ollama-prep.sh (override with MIOS_OLLAMA_BAKE_MODELS).
+# See [ai] in /usr/share/mios/mios.toml for the canonical reference and
+# the override semantics.
 MIOS_AI_ENDPOINT="http://localhost:8080/v1"
 MIOS_AI_MODEL="qwen2.5-coder:7b"
 MIOS_AI_EMBED_MODEL="nomic-embed-text"
 MIOS_AI_KEY=""
 MIOS_AI_PORT="8080"
+MIOS_AI_BAKE_MODELS="qwen2.5-coder:7b,nomic-embed-text"
+MIOS_AI_RAM_FLOOR_GB="12"
+MIOS_AI_SEED_DIR="/usr/share/ollama/models"
+MIOS_AI_RUNTIME_DIR="/var/lib/ollama/models"
 
 # ── Network ───────────────────────────────────────────────────────────────────
 MIOS_QUADLET_NETWORK="mios.network"
diff --git a/usr/share/mios/mios.toml b/usr/share/mios/mios.toml
