Add private OCI OKE cookbook for Llama Nemotron Nano 8B

[fede-kamel]

Summary

• add a Nemotron-specific OCI cookbook for nvidia/Llama-3.1-Nemotron-Nano-8B-v1
• document a validated private-only OKE deployment in us-phoenix-1 with no public control-plane endpoint, no public worker IPs, and no public inference endpoint
• add a checked-in Terraform wrapper for the private Phoenix OKE infrastructure using Oracle's official OKE module plus OCI Bastion service
• include a known-good vLLM values file for a single VM.GPU.A10.1 node
• surface the new OCI cookbook in the root README and cookbook index

Validation

Validated against a live Phoenix OKE deployment of nvidia/Llama-3.1-Nemotron-Nano-8B-v1 using a private cluster plus OCI Bastion/tunnel access:

• terraform plan
• terraform apply
• private OKE cluster active
• OCI Bastion service active
• CPU node pool active
• GPU node pool active in PHX-AD-2
• /health
• /v1/models
• chat completion
• tool calling
• streaming
• async concurrent requests

Notes

• this contribution is intentionally Nemotron-specific and OCI-specific
• the deployment guidance is private-only and does not use public IPs for the Kubernetes API or inference endpoint
• the OCI path is documented as a reproducible option comparable to common AWS GPU/Kubernetes deployment patterns, without claiming repo-local AWS Terraform already exists in this repo
• the Bastion resource is the OCI Bastion service, not a public bastion VM

[fede-kamel]

@chrisalexiuk-nvidia @anushapant @shashank3959 — Friendly follow-up! This PR adds an OCI OKE deployment cookbook for Llama Nemotron Nano 8B. Would love to get a review when you get a chance. Thanks!

[fede-kamel]

Hey team 👋 — just checking in on this one. Happy to address any feedback or make adjustments to scope if that helps move things along. Let me know if there's anything I can do on my end! @chrisalexiuk-nvidia @anushapant @shashank3959

[fede-kamel]

✅ Cross-validated with NeMo Agent Toolkit OCI integration

This OKE deployment is now serving as the live inference backend for NVIDIA/NeMo-Agent-Toolkit#1804, which adds first-class OCI Generative AI support to the Agent Toolkit.

The full Agent Toolkit OCI test suite — 11/11 tests pass — was validated against the nvidia/Llama-3.1-Nemotron-Nano-8B-v1 endpoint running on this exact private OKE infrastructure in us-phoenix-1. Both PRs together deliver a complete story: reproducible OCI deployment (this PR) powering a production-ready LLM provider and LangChain integration (Toolkit PR).

[fede-kamel]

@chrisalexiuk-nvidia @anushapant @shashank3959 — Quick update — we just used this exact OKE deployment to validate the full OCI integration for NeMo Agent Toolkit! 🚀

The nvidia/Llama-3.1-Nemotron-Nano-8B-v1 model running on the private Phoenix cluster documented in this cookbook passed 11/11 tests as the live inference backend for NVIDIA/NeMo-Agent-Toolkit#1804 — covering the OCI provider, LangChain wrapper, and an end-to-end agent workflow.

Really exciting to see both pieces come together: this PR provides the reproducible OCI deployment, and the Toolkit PR builds on top of it with a first-class integration. Two repos, one Nemotron story on OCI. Looking forward to your review!

[fede-kamel]

Hey @chrisalexiuk-nvidia @anushapant @shashank3959 @chtruong814 — wanted to check in and see if any of you have had a chance to take a look at this one.

This PR is part of the broader NVIDIA × OCI partnership effort — it provides a reproducible OKE deployment for Nemotron Nano 8B on Oracle Cloud, and has already been validated as the live backend for the OCI integration in NeMo Agent Toolkit. Would love to get it across the finish line when bandwidth allows.

No pressure — just want to make sure it's on your radar. Happy to address any feedback!

[chrisalexiuk-nvidia]

Hey - I wasn't getting pings on these, I've fixed this up.

This LGTM - would love to merge it in!

[fede-kamel]

Nice!. Are you able to help on moving this one forward? Thank you.

[chrisalexiuk-nvidia]

Yessir! Will get the review going and let's go from there!

[chrisalexiuk-nvidia]

/claude review.

[claude]

This cookbook is documented as a "validated" / "known-good" configuration, but using tag: "latest" means anyone deploying later will get a different vLLM version than what was actually validated. This could silently break the deployment (e.g., tool-calling behavior, memory profile, chat template paths).

Consider pinning to the specific vLLM tag that was validated.

[fede-kamel]

Good catch — fixed in d863095. Pinned to v0.14.0, which is the vLLM release that was current when this cookbook was validated on the live OKE cluster (Jan 22 2026).

[fede-kamel]

Correction on the version — confirmed by exec'ing into the running Nemotron pod on the live private OKE cluster: vllm.__version__ reports 0.17.1. Updated the pin to v0.17.1 in 0d8eeeb.

[fede-kamel]

Final update — upgraded the live OKE cluster to vLLM v0.19.0 (latest) and re-validated. Pinned to v0.19.0 in c984916. All endpoints (health, models, chat completion) confirmed working through both engine and router.

[fede-kamel]

@chrisalexiuk-nvidia — all commits are signed off and the PR is ready for review. Thanks!

[fede-kamel]

Updated in a3363ae:

• Appendix A — jump-host VM alternative to OCI Bastion. OCI Bastion port-forwarding sessions close immediately after publickey auth when the client is OpenSSH 10.x (shipped with macOS 15+ and recent Linux distros). Appendix A replaces Step 4 and the bastion-session block inside Step 6 with a public-IP jump host and a plain ssh -L tunnel.
• Step 7b — soft-reset each node after the filesystem expansion in Step 7. The in-place systemctl restart kubelet in Step 7 does not refresh Node.Capacity.ephemeral-storage (kubelet caches it at startup; the restart is also killed by SIGKILL when containerd bounces mid-exec). Without Step 7b the engine pod is evicted repeatedly mid image pull for disk-pressure, despite df showing the expanded filesystem. Step 7b drains, soft-resets, waits for Ready, uncordons, and gates on a capacity-verification snippet before Step 8.
• Step 5 AD picker — replaces the hardcoded data[1].name with a loop that queries gpu-a10-count availability per AD and selects the first with non-zero capacity.
• Appendix A.1 — nc -z wait on port 22 before the first SSH, to avoid the cloud-init race between VM RUNNING and authorized_keys being installed.
• Two new troubleshooting entries covering the symptoms above.

Validated end-to-end against nvidia/Llama-3.1-Nemotron-Nano-8B-v1 on a fresh private OKE cluster: /health returns 200, /v1/models lists the served model, chat completion returns the expected sentinel, tool calling yields finish_reason: tool_calls with the correct function selected.

Ready for review.

[fede-kamel]

@chrisalexiuk-nvidia DCO is green and I just ran the updated cookbook end-to-end in one uninterrupted pass on a fresh private OKE cluster in us-phoenix-1. Step 12 results:

• /health → {"status":"healthy"}
• /v1/models → nvidia/Llama-3.1-Nemotron-Nano-8B-v1
• chat completion → {"content":"NEMOTRON_OK","finish_reason":"stop"}
• tool call → {"finish_reason":"tool_calls","tool_calls":[{"name":"get_utc_time"}]}

Kubelet capacity after Step 7b: 198 GiB on the GPU node (VM.GPU.A10.1, 200 GB boot volume), 89 GiB on the CPU node (100 GB boot volume). The expansion took effect, no pod evictions for disk-pressure during the Helm deploy.

Two signed-off commits on this branch:

• a7a1fab — OpenSSH 10.x workaround (Appendix A: jump-host VM alternative to OCI Bastion) + Step 7b (VM soft-reset so kubelet re-reads Node.Capacity.ephemeral-storage) + AD capacity-aware picker in Step 5 + nc -z cloud-init race guard in A.1.
• 8a22372 — Step 7b instance-OCID lookup via .spec.providerID. The earlier oci ce node-pool list query returned empty because list does not populate the nested nodes array; providerID is a reliable one-liner.

Ready for review.

[fede-kamel]

Hey @chrisalexiuk-nvidia @anushapant @shashank3959 @chtruong814 — quick update: the companion PR NVIDIA/NeMo-Agent-Toolkit#1804 ("Add OCI LangChain support for hosted Nemotron workflows") was merged on April 14 ✅

That PR's OCI integration was validated end-to-end against the exact private OKE deployment documented in this cookbook (11/11 tests pass on nvidia/Llama-3.1-Nemotron-Nano-8B-v1 running in us-phoenix-1), so the two pieces are tightly coupled: the Toolkit ships the provider, this PR ships the reproducible deployment that backs it.

On this PR's side everything is green — DCO passing, signed-off, end-to-end re-validated on a fresh cluster after the OpenSSH 10.x / Step 7b updates (8a22372). Would love to get this across the line so the OCI + Nemotron story can be announced as a single coordinated drop alongside the Toolkit release. What's needed from my end to land it?

Thanks!

[fede-kamel]

Hey @chrisalexiuk-nvidia — friendly nudge on this one. Last word from you was an LGTM on Apr 9; since then the cookbook's been re-validated end-to-end on a fresh OKE cluster, the branch is rebased clean on main (13 ahead, 0 behind), DCO is green, and the companion NeMo-Agent-Toolkit PR (#1804) merged on Apr 14.

Anything blocking on your side, or is it just an Approve click away? Happy to address anything else if needed.