[Work in progress; do not merge] Make odh_ta_lmes_job build hermetically#562
Open
m-misiura wants to merge 1 commit into
Open
[Work in progress; do not merge] Make odh_ta_lmes_job build hermetically#562m-misiura wants to merge 1 commit into
m-misiura wants to merge 1 commit into
Conversation
Author
|
/build-konflux |
There was a problem hiding this comment.
Pull request overview
This PR updates the Konflux “odh_ta_lmes_job” container build to be hermetic by switching to an AIPCC base image and introducing pre-fetched, pinned dependency inputs (RPM + pip lockfiles) to avoid resolving dependencies during the build.
Changes:
- Replace the multi-stage Docker build with a single-stage AIPCC-based build that installs RPMs/pip deps from prefetch outputs and adjusts permissions for non-root execution.
- Add pinned pip lockfiles (CPU/CUDA + build tooling) and RPM lock/input files (skopeo) plus a UBI repo definition for RPM prefetching.
- Enable hermetic mode in the Tekton PipelineRun and configure
prefetch-inputfor pip + rpm.
Reviewed changes
Copilot reviewed 9 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
Dockerfile.konflux.lmes-job |
Switches to AIPCC base image, installs skopeo via pre-fetched RPM repo, installs pinned pip deps, and configures runtime env/permissions. |
pyproject.toml |
Updates Python requirement to 3.12 and bumps/pins core + optional dependency versions. |
.tekton/odh-ta-lmes-job-pull-request.yaml |
Enables hermetic mode and adds prefetch inputs for pip requirements and RPMs. |
requirements/requirements-cpu.txt |
UV-compiled CPU lockfile for pinned Python dependencies. |
requirements/requirements-cuda.txt |
UV-compiled CUDA lockfile for pinned Python dependencies. |
requirements/requirements-build.in |
Build-tool input pins for lockfile generation (setuptools/wheel). |
requirements/requirements-build.txt |
UV-compiled build-tool lockfile. |
requirements/rpms.in.yaml |
Declares RPM inputs (skopeo) and repo/containerfile context for lock generation. |
requirements/rpms.lock.yaml |
Locked RPM URLs/checksums across architectures for hermetic RPM install. |
ubi.repo |
UBI9 BaseOS/AppStream repo definitions used for RPM prefetch/locking. |
.gitignore |
Ignores hermeto-related generated artifacts. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| fi | ||
|
|
||
| # Install the package | ||
| RUN pip install --no-cache-dir --no-deps -e . |
Comment on lines
+35
to
+38
| "sqlitedict==2.1.0", | ||
| "torch==2.6.0", | ||
| "tqdm-multiprocess==0.0.11", | ||
| "transformers==4.48.0", | ||
| "zstandard==0.23.0", | ||
| "dill==0.3.8", | ||
| "torch==2.11.0", | ||
| "transformers==4.57.6", | ||
| "zstandard==0.25.0", |
Author
|
/build-konflux |
2 similar comments
Author
|
/build-konflux |
Author
|
/build-konflux |
bb2f7a2 to
d5defca
Compare
d5defca to
1036f02
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduction
This PR attempts to deal with the following JIRA
Initial implementation
Dockerfile.konflux.lmes-job: single-stage build using AIPCC CPU base image, with:Requirements — three lockfiles compiled against AIPCC 3.5-EA2:
RPM — rpms.in.yaml + rpms.lock.yaml for skopeo across 4 arches
Assumed for the time being that
tqdm-multiprocessis not needed