Skip to content

[WIP] hermetic build: Non binary #858

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
raptorsun wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[WIP] hermetic build: Non binary #858

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 35 additions & 1 deletion .tekton/lightspeed-stack-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,41 @@ spec:
- name: build-source-image
value: 'true'
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}, {"type": "pip", "path": ".", "allow_binary": "true", "requirements_files": ["requirements.x86_64.txt", "requirements.aarch64.txt", "requirements.hermetic.txt", "requirements.torch.txt"]}]'
value: |
[
{
"type": "rpm",
"path": "."
},
{
"type": "pip",
"path": ".",
"requirements_files": [
"requirements.x86_64.txt",
"requirements.aarch64.txt",
"requirements.hermetic.txt",
"requirements.torch.txt",
"requirements.binary.txt"
],
"requirements_build_files": [
"requirements-build.txt"
],
"binary": {
"os": "linux",
"arch": "x86_64,aarch64",
"py_version": "312",
"packages": "torch,faiss-cpu"
}
},
{
"type": "generic",
"path": "."
}
]
- name: hermetic
value: 'true'
- name: hermeto-mode
value: 'permissive'
- name: dockerfile
value: Containerfile
pipelineSpec:
Expand Down Expand Up @@ -195,6 +227,8 @@ spec:
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
- name: mode
value: $(params.hermeto-mode)
runAfter:
- clone-repository
taskRef:
Expand Down
36 changes: 35 additions & 1 deletion .tekton/lightspeed-stack-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,41 @@ spec:
- name: build-source-image
value: 'true'
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}, {"type": "pip", "path": ".", "allow_binary": "true", "requirements_files": ["requirements.x86_64.txt", "requirements.aarch64.txt", "requirements.hermetic.txt", "requirements.torch.txt"]}]'
value: |
[
{
"type": "rpm",
"path": "."
},
{
"type": "pip",
"path": ".",
"requirements_files": [
"requirements.x86_64.txt",
"requirements.aarch64.txt",
"requirements.hermetic.txt",
"requirements.torch.txt",
"requirements.binary.txt"
],
"requirements_build_files": [
"requirements-build.txt"
],
"binary": {
"os": "linux",
"arch": "x86_64,aarch64",
"py_version": "312",
"packages": "torch,faiss-cpu"
}
},
{
"type": "generic",
"path": "."
}
]
- name: hermetic
value: 'true'
- name: hermeto-mode
value: 'permissive'
- name: dockerfile
value: Containerfile
pipelineSpec:
Expand Down Expand Up @@ -186,6 +218,8 @@ spec:
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
- name: mode
value: $(params.hermeto-mode)
runAfter:
- clone-repository
taskRef:
Expand Down
16 changes: 14 additions & 2 deletions Containerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ USER root

# Install gcc - required by polyleven python package on aarch64
# (dependency of autoevals, no pre-built binary wheels for linux on aarch64)
RUN dnf install -y --nodocs --setopt=keepcache=0 --setopt=tsflags=nodocs gcc
RUN dnf install -y --nodocs --setopt=keepcache=0 --setopt=tsflags=nodocs gcc cmake

# Install uv package manager
RUN pip3.12 install "uv>=0.8.15"
Expand All @@ -25,13 +25,25 @@ RUN pip3.12 install "uv>=0.8.15"
COPY ${LSC_SOURCE_DIR}/src ./src
COPY ${LSC_SOURCE_DIR}/pyproject.toml ${LSC_SOURCE_DIR}/LICENSE ${LSC_SOURCE_DIR}/README.md ${LSC_SOURCE_DIR}/uv.lock ${LSC_SOURCE_DIR}/requirements.*.txt ./

# Extract generic dependencies from artifacts.lock.yaml and install them
RUN if [ -f /cachi2/cachi2.env ]; then \
tar -xzf /cachi2/output/deps/generic/googletest-release-1.12.1.tar.gz -C /tmp && \
cd /tmp/googletest-release-1.12.1 && \
cmake . && \
make && \
make install; \
fi

# Bundle additional dependencies for library mode.
# Source cachi2 environment for hermetic builds if available, otherwise use normal installation
# cachi2.env has these env vars:
# PIP_FIND_LINKS=/cachi2/output/deps/pip
# PIP_NO_INDEX=true
RUN if [ -f /cachi2/cachi2.env ]; then \
. /cachi2/cachi2.env && uv venv --seed --no-index --find-links ${PIP_FIND_LINKS} && . .venv/bin/activate && pip install --no-index --find-links ${PIP_FIND_LINKS} -r requirements.$(uname -m).txt -r requirements.torch.txt; \
. /cachi2/cachi2.env && \
uv venv --seed --no-index --find-links ${PIP_FIND_LINKS} && \
. .venv/bin/activate && \
pip install --no-index --find-links ${PIP_FIND_LINKS} --no-binary :all: -r requirements.$(uname -m).txt && pip install --no-index --find-links ${PIP_FIND_LINKS} -r requirements-binary.txt -r requirements.torch.txt; \
else \
uv sync --locked --no-dev --group llslibdev; \
fi
Comment on lines 42 to 49
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check all references to requirements binary files
echo "=== References to requirements-binary (hyphen) ==="
rg "requirements-binary" -n

echo -e "\n=== References to requirements\.binary (dot) ==="
rg "requirements\.binary" -n

echo -e "\n=== All requirements files in repo ==="
fd "requirements" -t f

echo -e "\n=== Containerfile content (lines 20-55) ==="
if [ -f "Containerfile" ]; then
  sed -n '20,55p' Containerfile | cat -n
fi

Repository: lightspeed-core/lightspeed-stack

Length of output: 2899

Critical: Filename mismatch will cause build failure.

Line 46 references requirements-binary.txt (with hyphen), but the actual file in the repository is requirements.binary.txt (with dot). The pip install command will fail because the file won't be found.

The COPY directive on line 26 correctly uses the requirements.*.txt glob pattern, which matches requirements.binary.txt, but the subsequent pip install command references the non-existent requirements-binary.txt.

Fix by changing line 46:

-    pip install --no-index --find-links ${PIP_FIND_LINKS} -r requirements-binary.txt -r requirements.torch.txt; \
+    pip install --no-index --find-links ${PIP_FIND_LINKS} -r requirements.binary.txt -r requirements.torch.txt; \
🤖 Prompt for AI Agents 
In Containerfile around lines 42 to 49, the pip install command references a
non-existent file name `requirements-binary.txt` (hyphen) while the repository
contains `requirements.binary.txt` (dot); update the referenced filename in the
RUN command to `requirements.binary.txt` so pip can find and install that
requirements file (ensure both occurrences in the line are corrected if
duplicated).

Expand Down
7 changes: 5 additions & 2 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ PYTHON_REGISTRY = pypi

# PyTorch version
TORCH_VERSION := 2.7.1

# Faiss version
FAISS_VERSION := 1.13.0

run: ## Run the service locally
uv run src/lightspeed_stack.py
Expand Down Expand Up @@ -113,7 +114,9 @@ konflux-requirements: ## generate hermetic requirements.*.txt file for konflux b
uv pip compile pyproject.toml -o requirements.aarch64.txt --generate-hashes --group llslibdev --python-platform aarch64-unknown-linux-gnu --torch-backend cpu --python-version 3.12 --refresh
./scripts/remove_torch_deps.sh requirements.x86_64.txt
./scripts/remove_torch_deps.sh requirements.aarch64.txt
echo "torch==${TORCH_VERSION}" | uv pip compile - -o requirements.torch.txt --generate-hashes --python-version 3.12 --torch-backend cpu --emit-index-url --no-deps --index-url https://download.pytorch.org/whl/cpu --refresh
echo "torch==${TORCH_VERSION}" | uv pip compile - -o requirements.torch.txt --generate-hashes --python-version 3.12 --torch-backend cpu --emit-index-url --no-deps --index-url https://download.pytorch.org/whl/cpu --refresh
echo "faiss-cpu==${FAISS_VERSION}" | uv pip compile - -o requirements.binary.txt --generate-hashes --python-version 3.12 --no-deps --universal
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

uv pip compile --universal flag documentation behavior

💡 Result:

Short answer — uv pip compile --universal tells uv to perform a universal (platform‑independent) resolution and emit a requirements-style output with environment markers (and possibly multiple entries per package for different platforms). Universal resolution is more constrained than platform-specific resolution, may include markers on lines, and can produce multiple versions/URLs for the same project to cover different platforms. Known caveats: it can be stricter (fail when a package’s python-requires is incompatible across targets) and there are open/closed issues about marker handling and python-version interactions. (glama.ai)

If you want docs/links to read: uv universal resolution docs and related GitHub issues above. (glama.ai)

Citations:

🌐 Web query:

faiss-cpu wheel distribution universal wheels support

💡 Result:

Short answer: faiss-cpu does NOT provide "universal" (pure‑Python none‑any / py2.py3) wheels. The project publishes platform‑specific binary wheels (manylinux/musllinux macOS Windows; CPython ABI tags or abi3 where applicable) built with cibuildwheel, so you must install the wheel that matches your Python version and platform (or build from source). (pypi.org)

Citations:

🌐 Web query:

pip compile --universal vs --python-version conflict

💡 Result:

Short answer
--universal tells pip-compile to produce a requirements file that is valid across Python versions by preserving PEP 508 markers instead of resolving/installing for the current interpreter. --python-version (or using a different Python to run pip-compile) affects which Python environment the resolver actually uses when picking compatible package versions. That mismatch can make the resolver either (a) emit markers that will never be installable for the specified python version, or (b) fail because a dependency's python_requires makes no compatible release available for the environment used to resolve. [1][2][3]

Why the conflict happens (concise)

  • pip-compile resolves dependencies using the Python interpreter/environment it runs in (and pip-tools documents that results can differ by OS/Python). If you ask for a “universal” output but you run resolution with a different Python version, pip-compile will either (i) keep markers (so the produced lines are conditional and might not actually install under the target interpreter), or (ii) fail if the resolver finds no compatible package versions for the interpreter it used. [1][2][3]

What to do

  • Run pip-compile with the actual target Python version (e.g., run it inside that interpreter/venv). This avoids the mismatch. [1][3]
  • If you need one file for many Pythons, use a tool that compiles per-Python and merges results (e.g., pip-compile-universal) or generate separate requirements files per Python and merge carefully. [4][2]
  • Use explicit PEP 508 environment markers in your inputs so pip-compile can keep correct conditional requirements rather than trying to force-resolve incompatible releases. [1]

Sources

  • pip-tools documentation (behavior and cross-environment note). [1]
  • pip-tools GitHub issues describing lack of support for pip "--python-version" and cross-compile problems. [2][3]
  • pip-compile-universal (tool that compiles per-Python and merges). [4]

Remove --universal flag; faiss-cpu requires platform-specific wheels tied to Python version.

The --universal flag is incompatible with faiss-cpu, which distributes only platform-specific binary wheels (manylinux/musllinux/macOS/Windows) built for specific Python versions and platforms. Using --universal alongside --python-version 3.12 creates a semantic conflict: universal resolution produces cross-Python environment markers, but faiss-cpu binary wheels are strictly version-locked and platform-specific. Use only --python-version 3.12 without --universal to ensure the resolver generates the correct binary wheel specification.

🤖 Prompt for AI Agents 
In Makefile around line 111, the command uses the incompatible --universal flag
with faiss-cpu; remove the --universal flag from the uv pip compile invocation
and keep --python-version 3.12 (and other flags) so the resolver produces
platform-specific binary wheel spec for faiss-cpu.

uv run pybuild-deps compile --output-file=requirements-build.txt requirements.aarch64.txt requirements.x86_64.txt requirements.hermetic.txt

help: ## Show this help screen
@echo 'Usage: make <OPTIONS> ... <TARGETS>'
Expand Down
7 changes: 7 additions & 0 deletions artifacts.lock.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
metadata:
version: "1.0"
artifacts:
- download_url: "https://github.com/google/googletest/archive/refs/tags/release-1.12.1.tar.gz"
checksum: "sha256:81964fe578e9bd7c94dfdb09c8e4d6e6759e19967e397dbea48d1c10e45d0df2"
filename: "googletest-release-1.12.1.tar.gz"
2 changes: 2 additions & 0 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,8 @@ dev = [
"openapi-to-md>=0.1.0b2",
"pytest-subtests>=0.14.2",
"bandit>=1.8.6",
"pybuild-deps==0.5.0",
"pip==24.3.1",
]
llslibdev = [
# To check llama-stack API provider dependecies:
Expand Down
Loading
Loading