Merge pull request lightspeed-core#852 from raptorsun/hermetic-arm-bis

LCORE-858: hermetic build with CPU torch

Author: radofuchs

.tekton/lightspeed-stack-pull-request.yaml

@@ -30,6 +30,13 @@ spec:
   - name: build-platforms
     value:
     - linux/x86_64
+    - linux-c6gd2xlarge/arm64
+  - name: build-source-image
+    value: 'true'
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": "."}, {"type": "pip", "path": ".", "allow_binary": "true", "requirements_files": ["requirements.x86_64.txt", "requirements.aarch64.txt", "requirements.hermetic.txt", "requirements.torch.txt"]}]'
+  - name: hermetic
+    value: 'true'
   - name: dockerfile
     value: Containerfile
   pipelineSpec:
@@ -625,6 +632,9 @@ spec:
       optional: true
     - name: netrc
       optional: true
+  timeouts:
+    pipeline: 4h
+    tasks: 4h
   taskRunTemplate:
     serviceAccountName: build-pipeline-lightspeed-stack
   workspaces:

.tekton/lightspeed-stack-push.yaml

@@ -27,6 +27,13 @@ spec:
   - name: build-platforms
     value:
     - linux/x86_64
+    - linux-c6gd2xlarge/arm64
+  - name: build-source-image
+    value: 'true'
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": "."}, {"type": "pip", "path": ".", "allow_binary": "true", "requirements_files": ["requirements.x86_64.txt", "requirements.aarch64.txt", "requirements.hermetic.txt", "requirements.torch.txt"]}]'
+  - name: hermetic
+    value: 'true'
   - name: dockerfile
     value: Containerfile
   pipelineSpec:
@@ -622,6 +629,9 @@ spec:
       optional: true
     - name: netrc
       optional: true
+  timeouts:
+    pipeline: 4h
+    tasks: 4h
   taskRunTemplate:
     serviceAccountName: build-pipeline-lightspeed-stack
   workspaces:

Containerfile

@@ -22,10 +22,18 @@ RUN pip3.12 install "uv==0.8.15"
 # Add explicit files and directories
 # (avoid accidental inclusion of local directories or env files or credentials)
 COPY ${LSC_SOURCE_DIR}/src ./src
-COPY ${LSC_SOURCE_DIR}/pyproject.toml ${LSC_SOURCE_DIR}/LICENSE ${LSC_SOURCE_DIR}/README.md ${LSC_SOURCE_DIR}/uv.lock ./
+COPY ${LSC_SOURCE_DIR}/pyproject.toml ${LSC_SOURCE_DIR}/LICENSE ${LSC_SOURCE_DIR}/README.md ${LSC_SOURCE_DIR}/uv.lock ${LSC_SOURCE_DIR}/requirements.*.txt ./
 
 # Bundle additional dependencies for library mode.
-RUN uv sync --locked --no-dev --group llslibdev
+# Source cachi2 environment for hermetic builds if available, otherwise use normal installation
+# cachi2.env has these env vars:
+# PIP_FIND_LINKS=/cachi2/output/deps/pip
+# PIP_NO_INDEX=true
+RUN if [ -f /cachi2/cachi2.env ]; then \
+    . /cachi2/cachi2.env && uv venv --seed --no-index --find-links ${PIP_FIND_LINKS} && . .venv/bin/activate && pip install --no-index --find-links ${PIP_FIND_LINKS} -r requirements.$(uname -m).txt -r requirements.torch.txt; \
+    else \
+    uv sync --locked --no-dev --group llslibdev; \
+    fi
 
 # Explicitly remove some packages to mitigate some CVEs
 # - GHSA-wj6h-64fc-37mp: python-ecdsa package won't fix it upstream.

Makefile

@@ -4,6 +4,9 @@ PATH_TO_PLANTUML := ~/bin
 # Python registry to where the package should be uploaded
 PYTHON_REGISTRY = pypi
 
+# PyTorch version
+TORCH_VERSION := 2.7.1
+
 
 run: ## Run the service locally
 	uv run src/lightspeed_stack.py
@@ -98,6 +101,13 @@ distribution-archives:	## Generate distribution archives to be uploaded into Pyt
 upload-distribution-archives:	## Upload distribution archives into Python registry
 	uv run python -m twine upload --repository ${PYTHON_REGISTRY} dist/*
 
+konflux-requirements:	## generate hermetic requirements.*.txt file for konflux build
+	uv pip compile pyproject.toml -o requirements.x86_64.txt --generate-hashes --group llslibdev --python-platform x86_64-unknown-linux-gnu --torch-backend cpu  --python-version 3.12
+	uv pip compile pyproject.toml -o requirements.aarch64.txt --generate-hashes --group llslibdev --python-platform aarch64-unknown-linux-gnu --torch-backend cpu --python-version 3.12
+	./scripts/remove_torch_deps.sh requirements.x86_64.txt
+	./scripts/remove_torch_deps.sh requirements.aarch64.txt
+	echo "torch==${TORCH_VERSION}" | uv pip compile  - -o requirements.torch.txt --generate-hashes  --python-version 3.12 --torch-backend cpu --emit-index-url  --no-deps --index-url https://download.pytorch.org/whl/cpu
+
 help: ## Show this help screen
 	@echo 'Usage: make <OPTIONS> ... <TARGETS>'
 	@echo ''

README.md

@@ -9,12 +9,14 @@
 [![Tag](https://img.shields.io/github/v/tag/lightspeed-core/lightspeed-stack)](https://github.com/lightspeed-core/lightspeed-stack/releases/tag/0.3.0)
 
 Lightspeed Core Stack (LCS) is an AI-powered assistant that provides answers to product questions using backend LLM services, agents, and RAG databases.
- 
+
 The service includes comprehensive user data collection capabilities for various types of user interaction data, which can be exported to Red Hat's Dataverse for analysis using the companion [lightspeed-to-dataverse-exporter](https://github.com/lightspeed-core/lightspeed-to-dataverse-exporter) service.
 
 
 <!-- vim-markdown-toc GFM -->
 
+* [lightspeed-stack](#lightspeed-stack)
+    * [About The Project](#about-the-project)
 * [Architecture](#architecture)
 * [Prerequisites](#prerequisites)
 * [Installation](#installation)
@@ -87,6 +89,11 @@ The service includes comprehensive user data collection capabilities for various
         * [Query endpoint REST API handler](#query-endpoint-rest-api-handler)
     * [Streaming query endpoint REST API handler](#streaming-query-endpoint-rest-api-handler)
     * [Versioning](#versioning)
+* [Konflux](#konflux)
+    * [Updating Dependencies for Hermetic Builds](#updating-dependencies-for-hermetic-builds)
+        * [When to Update Dependency Files](#when-to-update-dependency-files)
+        * [Updating Python Dependencies](#updating-python-dependencies)
+        * [Updating RPM Dependencies](#updating-rpm-dependencies)
 
 <!-- vim-markdown-toc -->
 
@@ -121,7 +128,7 @@ Lightspeed Core Stack is based on the FastAPI framework (Uvicorn). The service i
 
   You will need an API key from one of these providers to run LightSpeed Stack.
 
-  For example, if you choose to use OpenAI: 
+  For example, if you choose to use OpenAI:
 
   1. **Create an account** at [platform.openai.com](https://platform.openai.com)
   2. **Add payment information** (new accounts receive free trial credits)
@@ -141,7 +148,7 @@ Installation steps depends on operation system. Please look at instructions for
 
 # Run LCS locally
 
-To quickly get hands on LCS, we can run it using the default configurations provided in this repository: 
+To quickly get hands on LCS, we can run it using the default configurations provided in this repository:
 0. install dependencies using [uv](https://docs.astral.sh/uv/getting-started/installation/) `uv sync --group dev --group llslibdev`
 1. check Llama stack settings in [run.yaml](run.yaml), make sure we can access the provider and the model, the server shoud listen to port 8321.
 2. export the LLM token env var that Llama stack requires. for OpenAI, we set the env var by `export OPENAI_API_KEY=sk-xxxxx`
@@ -156,7 +163,7 @@ To quickly get hands on LCS, we can run it using the default configurations prov
 
 ## LLM Compatibility
 
-Lightspeed Core Stack (LCS) supports the large language models from the providers listed below. 
+Lightspeed Core Stack (LCS) supports the large language models from the providers listed below.
 
 | Provider | Model                                          | Tool Calling | provider_type  | Example                                                                    |
 | -------- | ---------------------------------------------- | ------------ | -------------- | -------------------------------------------------------------------------- |
@@ -177,7 +184,7 @@ For details of OpenAI model capabilities, please refer to https://platform.opena
 
 The LLM provider and model are set in the configuration file for Llama Stack. This repository has a Llama stack configuration file [run.yaml](examples/run.yaml) that can serve as a good example.
 
-The LLM providers are set in the section `providers.inference`. This example adds a inference provider "openai" to the llama stack. To use environment variables as configuration values, we can use the syntax `${env.ENV_VAR_NAME}`. 
+The LLM providers are set in the section `providers.inference`. This example adds a inference provider "openai" to the llama stack. To use environment variables as configuration values, we can use the syntax `${env.ENV_VAR_NAME}`.
 
 For more details, please refer to [llama stack documentation](https://llama-stack.readthedocs.io/en/latest/distributions/configuration.html#providers). Here is a list of llamastack supported providers and their configuration details: [llama stack providers](https://llama-stack.readthedocs.io/en/latest/providers/inference/index.html#providers)
 
@@ -847,7 +854,7 @@ the following form:
 [testpypi]
   username = __token__
   password = pypi-{your-API-token}
- 
+
 [pypi]
   username = __token__
   password = pypi-{your-API-token}
@@ -969,3 +976,51 @@ The version X.Y.Z indicates:
 * X is the major version (backward-incompatible),
 * Y is the minor version (backward-compatible), and
 * Z is the patch version (backward-compatible bug fix).
+
+# Konflux
+
+The official image of Lightspeed Core Stack is built on [Konflux](https://konflux-ui.apps.kflux-prd-rh02.0fk9.p1.openshiftapps.com/ns/lightspeed-core-tenant/applications/lightspeed-stack).
+We have both x86_64 and ARM64 images.
+
+## Updating Dependencies for Hermetic Builds
+
+Konflux builds run in **hermetic mode** (air-gapped from the internet), so all dependencies must be prefetched and locked. When you add or update dependencies, you need to regenerate the lock files.
+
+### When to Update Dependency Files
+
+Update these files when you:
+- Add/remove/update Python packages in the project
+- Add/remove/update RPM packages in the Containerfile
+- Change the base image version
+
+### Updating Python Dependencies
+
+**Quick command:**
+```shell
+make konflux-requirements
+```
+
+This generates three platform-specific requirements files:
+- `requirements.x86_64.txt` - x86_64 packages (excludes torch)
+- `requirements.aarch64.txt` - ARM64 packages (excludes torch)
+- `requirements.torch.txt` - CPU variant of torch (shared by both platforms)
+
+### Updating RPM Dependencies
+
+**Prerequisites:** Install [rpm-lockfile-prototype](https://github.com/konflux-ci/rpm-lockfile-prototype?tab=readme-ov-file#installation)
+
+**Steps:**
+
+1. **List your RPM packages** in `rpms.in.yaml` under the `packages` field
+
+2. **If you changed the base image**, extract its repo file:
+```shell
+podman run -it $BASE_IMAGE cat /etc/yum.repos.d/ubi.repo > ubi.repo
+```
+
+3. **Generate the lock file**:
+```shell
+rpm-lockfile-prototype --image $BASE_IMAGE rpms.in.yaml
+```
+
+This creates `rpms.lock.yaml` with pinned RPM versions.

pyproject.toml

@@ -87,8 +87,11 @@ Issues = "https://github.com/lightspeed-core/lightspeed-stack/issues"
 name = "pytorch-cpu"
 url = "https://download.pytorch.org/whl/cpu"
 explicit = true
+
 [tool.uv.sources]
-torch = [{ index = "pytorch-cpu" }]
+torch = [
+    { index = "pytorch-cpu", group = "llslibdev" },
+]
 
 [dependency-groups]
 dev = [