refactor: remove "dev" stage from Dockerfile.* and centralize them into Dockerfile.dev (#5050)

Signed-off-by: Keiven Chang <keivenchang@users.noreply.github.com>
Co-authored-by: Keiven Chang <keivenchang@users.noreply.github.com>

.github/filters.yaml

@@ -69,6 +69,7 @@ core:
   - 'container/build.sh'
   - 'container/Dockerfile'
   - '.dockerignore'
+  - 'container/dev/**'
   - 'container/deps/*'
   - '.cargo/config.toml'
   - 'lib/**'

.github/workflows/container-validation-dynamo.yml

@@ -65,7 +65,7 @@ jobs:
       - name: Define Image Tag
         id: define_image_tag
         run: |
-          echo "image_tag=dynamo:latest" >> $GITHUB_OUTPUT
+          echo "image_tag=dynamo:latest-dev" >> $GITHUB_OUTPUT
       - name: Build image
         env:
           GITHUB_TOKEN: ${{ secrets.CI_TOKEN }}

container/Dockerfile

@@ -438,14 +438,19 @@ RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \
 FROM base AS runtime
 
 ARG ARCH_ALT
+ARG PYTHON_VERSION
 
 # Create dynamo user with group 0 for OpenShift compatibility
 RUN userdel -r ubuntu > /dev/null 2>&1 || true \
     && useradd -m -s /bin/bash -g 0 dynamo \
     && [ `id -u dynamo` -eq 1000 ] \
-    && mkdir -p /home/dynamo/.cache \
-    && chown -R dynamo: /opt/dynamo /home/dynamo /workspace \
-    && chmod -R g+w /opt/dynamo /home/dynamo/.cache /workspace
+    && mkdir -p /home/dynamo/.cache /opt/dynamo \
+    # Non-recursive chown - only the directories themselves, not contents
+    && chown dynamo:0 /home/dynamo /home/dynamo/.cache /opt/dynamo /workspace \
+    # No chmod needed: umask 002 handles new files, COPY --chmod handles copied content
+    # Set umask globally for all subsequent RUN commands (must be done as root before USER dynamo)
+    # NOTE: Setting ENV UMASK=002 does NOT work - umask is a shell builtin, not an environment variable
+    && mkdir -p /etc/profile.d && echo 'umask 002' > /etc/profile.d/00-umask.sh
 
 # NIXL environment variables
 ENV NIXL_PREFIX=/opt/nvidia/nvda_nixl \
@@ -472,55 +477,30 @@ RUN --mount=type=bind,from=wheel_builder,source=/usr/local/,target=/tmp/usr/loca
 COPY --chown=dynamo: --from=wheel_builder $CARGO_TARGET_DIR $CARGO_TARGET_DIR
 COPY --chown=dynamo: --from=wheel_builder /opt/dynamo/dist/*.whl /opt/dynamo/wheelhouse/
 
-##############################################
-########## Dev entrypoint image ##############
-##############################################
-
-FROM runtime AS dev
-
-# Application environment variables
-RUN apt-get update -y \
-    && apt-get install -y --no-install-recommends \
-        # required for AIC perf files
-        git \
-        git-lfs \
-        # rust build packages
-        clang \
-        libclang-dev \
-        protobuf-compiler \
-        pkg-config \
-        # sudo for dev stage
-        sudo \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* \
-    # Add sudo privileges to dynamo user
-    && echo "dynamo ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/dynamo \
-    && chmod 0440 /etc/sudoers.d/dynamo
+# Install Python for framework=none runtime (cuda-dl-base doesn't include Python)
+# This is needed to create venv and install dynamo packages
+ARG PYTHON_VERSION
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        python${PYTHON_VERSION}-dev \
+        python${PYTHON_VERSION}-venv && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    ln -sf /usr/bin/python${PYTHON_VERSION} /usr/bin/python3
 
-# Switch to dynamo user
+# Switch to dynamo user and create virtual environment
 USER dynamo
-ENV HOME=/home/dynamo \
-    DYNAMO_HOME=/opt/dynamo \
-    CARGO_TARGET_DIR=/opt/dynamo/target
-ENV LD_LIBRARY_PATH=${NIXL_LIB_DIR}:${NIXL_PLUGIN_DIR}:/usr/local/ucx/lib:/usr/local/ucx/lib/ucx:/usr/local/cuda/compat/lib.real:${LD_LIBRARY_PATH}
+ENV HOME=/home/dynamo
 
 # Create and activate virtual environment
-ARG PYTHON_VERSION
-RUN uv venv /opt/dynamo/venv --python $PYTHON_VERSION
+# Use login shell to pick up umask 002 from /etc/profile.d/00-umask.sh for group-writable files
+SHELL ["/bin/bash", "-l", "-o", "pipefail", "-c"]
+RUN uv venv /opt/dynamo/venv --python ${PYTHON_VERSION}
 
 ENV VIRTUAL_ENV=/opt/dynamo/venv \
     PATH="/opt/dynamo/venv/bin:${PATH}"
 
-# Install common and test dependencies
-RUN --mount=type=bind,source=./container/deps/requirements.txt,target=/tmp/requirements.txt \
-    --mount=type=bind,source=./container/deps/requirements.test.txt,target=/tmp/requirements.test.txt \
-    UV_GIT_LFS=1 uv pip install \
-        --no-cache \
-        --requirement /tmp/requirements.txt \
-        --requirement /tmp/requirements.test.txt
-
-COPY --chown=dynamo: ./ /workspace/
-
+# Install dynamo wheels (runtime packages only, no test dependencies)
 ARG ENABLE_KVBM
 RUN uv pip install \
     /opt/dynamo/wheelhouse/ai_dynamo_runtime*.whl \
@@ -533,25 +513,11 @@ RUN uv pip install \
             exit 1; \
         fi; \
         uv pip install "$KVBM_WHEEL"; \
-    fi && \
-    cd /workspace/benchmarks && \
-    UV_GIT_LFS=1 uv pip install --no-cache .
-
-# Setup launch banner in common directory accessible to all users
-RUN --mount=type=bind,source=./container/launch_message/runtime.txt,target=/opt/dynamo/launch_message.txt \
-    sed '/^#\s/d' /opt/dynamo/launch_message.txt > /opt/dynamo/.launch_screen
-
-# Setup environment for all users
-USER root
-RUN chmod 755 /opt/dynamo/.launch_screen && \
-    echo 'source /opt/dynamo/venv/bin/activate' >> /etc/bash.bashrc && \
-    echo 'cat /opt/dynamo/.launch_screen' >> /etc/bash.bashrc
+    fi
 
 ARG DYNAMO_COMMIT_SHA
 ENV DYNAMO_COMMIT_SHA=$DYNAMO_COMMIT_SHA
 
-USER dynamo
-
 ENTRYPOINT ["/opt/nvidia/nvidia_entrypoint.sh"]
 CMD []
 
@@ -651,4 +617,4 @@ RUN chmod 755 /opt/dynamo/.launch_screen && \
 USER dynamo
 
 ENTRYPOINT ["/epp"]
-CMD ["/bin/bash"]
\ No newline at end of file
+CMD ["/bin/bash"]

container/Dockerfile.local_dev

-# syntax=docker/dockerfile:1.10.0
-# SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-# This Dockerfile creates a local development environment for Dev Container plug-in use.
-# It takes a BASE image (typically the dev target) and adds local-dev specific configurations
-# including additional developer utilities and tools.
-#
-# Usage:
-# - Dev Container IDE Extension: Use directly with VS Code/Cursor Dev Container extension
-# - Command line: run.sh --image <local-dev-image> --mount-workspace ...
-#   where the ubuntu user inside the container is mapped to your local user login
-
-ARG DEV_BASE=""
-FROM ${DEV_BASE} AS local-dev
-
-# Switch to root for package installation (dev stage ends as dynamo user)
-USER root
-# Reset SHELL to non-login bash (dev stage uses login shell)
-SHELL ["/bin/bash", "-c"]
-
-# Update package lists and install developer utilities. Some of these may exist in the base image,
-# but to ensure consistency across all dev images, we explicitly list all required dev tools here.
-RUN apt-get update && apt-get install -y \
-    # Development utilities
-    curl wget git vim nano less \
-    # System utilities
-    htop nvtop tmux screen \
-    # Network utilities
-    net-tools iproute2 iputils-ping \
-    # Archive utilities
-    zip unzip rsync \
-    # Build tools
-    build-essential cmake autoconf automake libtool \
-    # Debug and analysis tools
-    gdb valgrind strace ltrace \
-    # Text processing
-    jq yq grep sed \
-    # File utilities
-    tree fd-find ripgrep \
-    # Shell utilities
-    zsh fish bash-completion \
-    # User management
-    sudo gnupg2 gnupg1
-
-# Install awk separately with fault tolerance
-# awk is a virtual package with multiple implementations (gawk, mawk, original-awk).
-# Separated because TensorRT-LLM builds failed on awk package conflicts.
-# This prevents main package installation failures due to awk availability issues.
-RUN (apt-get install -y gawk || \
-     apt-get install -y mawk || \
-     apt-get install -y original-awk || \
-     echo "Warning: Could not install any awk implementation") && \
-    (which awk && echo "awk successfully installed: $(which awk)" || echo "awk not available")
-
-
-# Don't want dynamo to be editable, just change uid and gid.
-ENV USERNAME=dynamo
-ARG USER_UID
-ARG USER_GID
-ARG WORKSPACE_DIR=/workspace
-ARG ARCH=amd64
-
-# Add NVIDIA devtools repository and install development tools
-RUN wget -qO - https://developer.download.nvidia.com/devtools/repos/ubuntu2404/${ARCH}/nvidia.pub | gpg --dearmor -o /etc/apt/keyrings/nvidia-devtools.gpg && \
-    echo "deb [signed-by=/etc/apt/keyrings/nvidia-devtools.gpg] https://developer.download.nvidia.com/devtools/repos/ubuntu2404/${ARCH} /" | tee /etc/apt/sources.list.d/nvidia-devtools.list && \
-    apt-get update && \
-    apt-get install -y nsight-systems-2025.5.1
-
-# https://code.visualstudio.com/remote/advancedcontainers/add-nonroot-user
-# Configure user with sudo access for Dev Container workflows
-RUN echo "$USERNAME ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/$USERNAME \
-    && chmod 0440 /etc/sudoers.d/$USERNAME \
-    && mkdir -p /home/$USERNAME \
-    # Handle GID conflicts: if target GID exists and it's not our group, remove it
-    && (getent group $USER_GID | grep -v "^$USERNAME:" && groupdel $(getent group $USER_GID | cut -d: -f1) || true) \
-    # Create group if it doesn't exist, otherwise modify existing group
-    && (getent group $USERNAME > /dev/null 2>&1 && groupmod -g $USER_GID $USERNAME || groupadd -g $USER_GID $USERNAME) \
-    && usermod -u $USER_UID -g $USER_GID -G 0 $USERNAME \
-    && chown $USERNAME:$USER_GID /home/$USERNAME \
-    && chsh -s /bin/bash $USERNAME
-
-
-# Clean up package lists at the end
-RUN rm -rf /var/lib/apt/lists/*
-
-# Set workspace directory variable
-ENV WORKSPACE_DIR=${WORKSPACE_DIR}
-
-# Development environment variables for the local-dev target
-# Path configuration notes:
-# - DYNAMO_HOME: Main project directory (workspace mount point)
-# - CARGO_TARGET_DIR: Build artifacts in workspace/target for persistence
-# - PATH: Includes cargo binaries for rust tool access
-ENV HOME=/home/$USERNAME
-ENV DYNAMO_HOME=${WORKSPACE_DIR}
-ENV CARGO_TARGET_DIR=${WORKSPACE_DIR}/target
-# NOTE: CARGO_HOME and RUSTUP_HOME are already inherited from dev stage (Dockerfile.sglang|trtllm|vllm)
-ENV PATH=${CARGO_HOME}/bin:$PATH
-
-# Switch to dynamo user (dev stage has umask 002, so files should already be group-writable)
-USER $USERNAME
-WORKDIR $HOME
-
-# https://code.visualstudio.com/remote/advancedcontainers/persist-bash-history
-RUN SNIPPET="export PROMPT_COMMAND='history -a' && export HISTFILE=$HOME/.commandhistory/.bash_history" \
-    && mkdir -p $HOME/.commandhistory \
-    && chmod g+w $HOME/.commandhistory \
-    && touch $HOME/.commandhistory/.bash_history \
-    && echo "$SNIPPET" >> "$HOME/.bashrc"
-
-RUN mkdir -p /home/$USERNAME/.cache/ \
-    && chmod g+w /home/$USERNAME/.cache/
-
-ENTRYPOINT ["/opt/nvidia/nvidia_entrypoint.sh"]
-CMD []

container/Dockerfile.sglang

@@ -561,120 +561,6 @@ USER dynamo
 ARG DYNAMO_COMMIT_SHA
 ENV DYNAMO_COMMIT_SHA=${DYNAMO_COMMIT_SHA}
 
-
-###########################################################
-########## Development (run.sh, runs as root user) ########
-###########################################################
-#
-# PURPOSE: Local development environment for use with run.sh (not Dev Container plug-in)
-#
-# This stage runs as root and provides:
-# - Development tools and utilities for local debugging
-# - Support for vscode/cursor development outside the Dev Container plug-in
-#
-# Use this stage if you need a full-featured development environment with extra tools,
-# but do not use it with the Dev Container plug-in.
-
-FROM runtime AS dev
-
-# Don't want ubuntu to be editable, just change uid and gid.
-ARG WORKSPACE_DIR=/workspace
-
-USER root
-# Install utilities as root
-RUN apt-get update -y && \
-    apt-get install -y --no-install-recommends  \
-    # Install utilities
-    nvtop \
-    wget \
-    tmux \
-    vim \
-    git \
-    openssh-client \
-    iproute2 \
-    rsync \
-    zip \
-    unzip \
-    htop \
-    # Build Dependencies
-    autoconf \
-    automake \
-    cmake \
-    libtool \
-    meson \
-    net-tools \
-    pybind11-dev \
-    # Rust build dependencies
-    clang \
-    libclang-dev \
-    protobuf-compiler \
-    pkg-config && \
-    rm -rf /var/lib/apt/lists/*
-
-# Set umask for group-writable files in dev stage (runs as root)
-RUN mkdir -p /etc/profile.d && echo 'umask 002' > /etc/profile.d/00-umask.sh
-SHELL ["/bin/bash", "-l", "-o", "pipefail", "-c"]
-
-# Set workspace directory variable
-ENV WORKSPACE_DIR=${WORKSPACE_DIR} \
-    DYNAMO_HOME=${WORKSPACE_DIR} \
-    RUSTUP_HOME=/usr/local/rustup \
-    CARGO_HOME=/usr/local/cargo \
-    CARGO_TARGET_DIR=/workspace/target \
-    PATH=/usr/local/cargo/bin:$PATH
-
-# Copy rust installation from dynamo_base to avoid duplication efforts
-# Pattern: COPY --chmod=775 <path>; chmod g+w <path> because COPY --chmod only affects <path>/*, not <path>
-COPY --from=dynamo_base --chmod=775 /usr/local/rustup /usr/local/rustup
-COPY --from=dynamo_base --chmod=775 /usr/local/cargo /usr/local/cargo
-RUN chmod g+w /usr/local/rustup /usr/local/cargo
-
-ARG ARCH
-ARG ARCH_ALT
-
-# Copy UCX and NIXL libraries for dev stage compilation
-# The upstream SGLang runtime image doesn't include NIXL, but cargo build needs to link against
-# -lnixl, -lnixl_build, and -lnixl_common. Runtime stage doesn't need this since it uses pre-built
-# wheels, but dev stage needs it for maturin develop and cargo build from source.
-COPY --from=wheel_builder /usr/local/ucx /usr/local/ucx
-COPY --from=wheel_builder /opt/nvidia/nvda_nixl /opt/nvidia/nvda_nixl
-COPY --from=wheel_builder /opt/nvidia/nvda_nixl/lib64/. /opt/nvidia/nvda_nixl/lib/${ARCH_ALT}-linux-gnu/
-
-# Set NIXL environment variables for compilation
-ENV NIXL_PREFIX=/opt/nvidia/nvda_nixl \
-    NIXL_LIB_DIR=/opt/nvidia/nvda_nixl/lib/${ARCH_ALT}-linux-gnu \
-    NIXL_PLUGIN_DIR=/opt/nvidia/nvda_nixl/lib/${ARCH_ALT}-linux-gnu/plugins
-
-# Update LD_LIBRARY_PATH to include NIXL libraries for the linker
-ENV LD_LIBRARY_PATH=\
-${NIXL_LIB_DIR}:\
-${NIXL_PLUGIN_DIR}:\
-/usr/local/ucx/lib:\
-/usr/local/ucx/lib/ucx:\
-${LD_LIBRARY_PATH}
-
-# Create virtual environment for maturin develop (required by maturin develop command)
-# Use --system-site-packages to inherit sglang, torch, etc. from upstream
-RUN mkdir -p /opt/dynamo/venv && \
-    python3 -m venv --system-site-packages /opt/dynamo/venv
-
-ENV VIRTUAL_ENV=/opt/dynamo/venv \
-    PATH="/opt/dynamo/venv/bin:${PATH}"
-
-# Copy all packages from runtime stage system site-packages into venv
-# This includes ai-dynamo-runtime, kubernetes, and all other dependencies
-# Use --no-preserve=mode so copied files inherit umask 002 (group-writable)
-RUN cp -r --no-preserve=mode /usr/local/lib/python3.12/dist-packages/* \
-          /opt/dynamo/venv/lib/python3.12/site-packages/
-
-# Install maturin and uv into venv for development
-# Uninstall broken maturin from upstream, then reinstall properly into venv
-COPY --from=dynamo_base /bin/uv /opt/dynamo/venv/bin/uv
-RUN pip install --ignore-installed maturin[patchelf]
-
-# Editable install of dynamo components
-COPY --chown=dynamo:0 --chmod=664 pyproject.toml README.md hatch_build.py /workspace/
-RUN pip install --no-deps -e .
-
 ENTRYPOINT ["/opt/nvidia/nvidia_entrypoint.sh"]
 CMD []
+

container/Dockerfile.trtllm

@@ -827,82 +827,3 @@ ENV DYNAMO_COMMIT_SHA=$DYNAMO_COMMIT_SHA
 
 ENTRYPOINT ["/opt/nvidia/nvidia_entrypoint.sh"]
 CMD []
-
-###########################################################
-########## Development (run.sh, runs as root user) ########
-###########################################################
-#
-# PURPOSE: Local development environment for use with run.sh (not Dev Container plug-in)
-#
-# This stage runs as root and provides:
-# - Development tools and utilities for local debugging
-# - Support for vscode/cursor development outside the Dev Container plug-in
-#
-# Use this stage if you need a full-featured development environment with extra tools,
-# but do not use it with the Dev Container plug-in.
-
-FROM runtime AS dev
-
-# Don't want ubuntu to be editable, just change uid and gid.
-ARG WORKSPACE_DIR=/workspace
-
-# Switch to root for system package installation
-USER root
-
-# Install utilities as root
-RUN apt-get update -y && \
-    apt-get install -y --no-install-recommends  \
-        # Install utilities
-        nvtop \
-        wget \
-        tmux \
-        vim \
-        git \
-        iproute2 \
-        rsync \
-        zip \
-        unzip \
-        htop \
-        # Build Dependencies
-        autoconf \
-        automake \
-        cmake \
-        libtool \
-        meson \
-        net-tools \
-        pybind11-dev \
-        # Rust build dependencies
-        clang \
-        libclang-dev \
-        protobuf-compiler \
-        pkg-config && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-# Set umask for group-writable files in dev stage (runs as root)
-RUN mkdir -p /etc/profile.d && echo 'umask 002' > /etc/profile.d/00-umask.sh
-SHELL ["/bin/bash", "-l", "-o", "pipefail", "-c"]
-
-# Set workspace directory variable
-ENV WORKSPACE_DIR=${WORKSPACE_DIR} \
-    DYNAMO_HOME=${WORKSPACE_DIR} \
-    RUSTUP_HOME=/usr/local/rustup \
-    CARGO_HOME=/usr/local/cargo \
-    CARGO_TARGET_DIR=/workspace/target \
-    VIRTUAL_ENV=/opt/dynamo/venv \
-    PATH=/usr/local/cargo/bin:$PATH
-
-# Copy rust installation from dynamo_base to avoid duplication efforts
-# Pattern: COPY --chmod=775 <path>; chmod g+w <path> because COPY --chmod only affects <path>/*, not <path>
-COPY --from=dynamo_base --chmod=775 /usr/local/rustup /usr/local/rustup
-COPY --from=dynamo_base --chmod=775 /usr/local/cargo /usr/local/cargo
-RUN chmod g+w /usr/local/rustup /usr/local/cargo
-
-# Install maturin, for maturin develop
-RUN uv pip install --no-cache maturin[patchelf]
-
-# Editable install of dynamo
-COPY --chown=dynamo:0 --chmod=664 pyproject.toml README.md hatch_build.py /workspace/
-RUN uv pip install --no-cache --no-deps -e .
-
-CMD []

container/Dockerfile.vllm

@@ -806,80 +806,3 @@ ENV DYNAMO_COMMIT_SHA=$DYNAMO_COMMIT_SHA
 
 ENTRYPOINT ["/opt/nvidia/nvidia_entrypoint.sh"]
 CMD []
-
-###########################################################
-########## Development (run.sh, runs as root user) ########
-###########################################################
-#
-# PURPOSE: Local development environment for use with run.sh (not Dev Container plug-in)
-#
-# This stage runs as root and provides:
-# - Development tools and utilities for local debugging
-# - Support for vscode/cursor development outside the Dev Container plug-in
-#
-# Use this stage if you need a full-featured development environment with extra tools,
-# but do not use it with the Dev Container plug-in.
-
-FROM runtime AS dev
-
-# Don't want ubuntu to be editable, just change uid and gid.
-ARG WORKSPACE_DIR=/workspace
-
-USER root
-# Install utilities as root
-RUN apt-get update -y && \
-    apt-get install -y --no-install-recommends  \
-    # Install utilities
-    nvtop \
-    wget \
-    tmux \
-    vim \
-    git \
-    openssh-client \
-    iproute2 \
-    rsync \
-    zip \
-    unzip \
-    htop \
-    # Build Dependencies
-    autoconf \
-    automake \
-    cmake \
-    libtool \
-    meson \
-    net-tools \
-    pybind11-dev \
-    # Rust build dependencies
-    clang \
-    libclang-dev \
-    protobuf-compiler \
-    pkg-config && \
-    rm -rf /var/lib/apt/lists/*
-
-# Set umask for group-writable files in dev stage (runs as root)
-RUN mkdir -p /etc/profile.d && echo 'umask 002' > /etc/profile.d/00-umask.sh
-SHELL ["/bin/bash", "-l", "-o", "pipefail", "-c"]
-
-# Set workspace directory variable
-ENV WORKSPACE_DIR=${WORKSPACE_DIR} \
-    DYNAMO_HOME=${WORKSPACE_DIR} \
-    RUSTUP_HOME=/usr/local/rustup \
-    CARGO_HOME=/usr/local/cargo \
-    CARGO_TARGET_DIR=/workspace/target \
-    VIRTUAL_ENV=/opt/dynamo/venv \
-    PATH=/usr/local/cargo/bin:$PATH
-
-# Copy rust installation from dynamo_base to avoid duplication efforts
-# Pattern: COPY --chmod=775 <path>; chmod g+w <path> because COPY --chmod only affects <path>/*, not <path>
-COPY --from=dynamo_base --chmod=775 /usr/local/rustup /usr/local/rustup
-COPY --from=dynamo_base --chmod=775 /usr/local/cargo /usr/local/cargo
-RUN chmod g+w /usr/local/rustup /usr/local/cargo
-
-# Install maturin, for maturin develop
-# Editable install of dynamo
-COPY --chown=dynamo:0 --chmod=664 pyproject.toml README.md hatch_build.py /workspace/
-RUN uv pip install maturin[patchelf] && \
-    uv pip install --no-deps -e .
-
-ENTRYPOINT ["/opt/nvidia/nvidia_entrypoint.sh"]
-CMD []

container/README.md

@@ -54,9 +54,22 @@ Below is a summary of the general file structure for the framework Dockerfile st
 |  /opt/dynamo/venv/ | COPY from framework |
 |  /opt/vllm/ | COPY from framework |
 |  /workspace/{tests,examples,deploy}/ |COPY from build context |
-| **STAGE: dev** | **FROM runtime** |
-|  /usr/local/rustup/ | COPY from dynamo_base |
-|  /usr/local/cargo/ | COPY from dynamo_base |
+| **STAGE: dev** | **FROM runtime (via dev/Dockerfile.dev)** |
+|  /usr/bin/, /usr/lib/, etc. | COPY from dynamo_tools (dev utilities, git, sudo, etc.) |
+|  /usr/local/rustup/ | COPY from dynamo_tools |
+|  /usr/local/cargo/ | COPY from dynamo_tools |
+|  /usr/local/bin/maturin | COPY from dynamo_tools |
+|  /opt/dynamo/venv/ | For SGLang: created with --system-site-packages, includes uv and maturin |
+|  /workspace/ | Full source code copied from build context with editable install |
+|  **💡 Recommendation** | **Use --mount-workspace with run.sh** for live editing (bind mount overrides baked-in code) |
+|  PATH | Includes /opt/dynamo/venv/bin:/usr/local/cargo/bin |
+|  umask 002 | Login shell sources /etc/profile.d/00-umask.sh for group-writable files |
+| **STAGE: local-dev** | **FROM dev (via dev/Dockerfile.dev)** |
+|  /home/dynamo/.rustup/ | COPY from /usr/local/rustup (user-writable) |
+|  USER | dynamo (UID/GID remapped to match host user) |
+|  **💡 Recommendation** | **Use --mount-workspace with run.sh** for live editing (bind mount overrides baked-in code) |
+|  RUSTUP_HOME | /home/dynamo/.rustup |
+|  CARGO_HOME | /home/dynamo/.cargo |
 </details>
 
 ### Why Containerization?
@@ -85,12 +98,12 @@ The `build.sh` and `run.sh` scripts are convenience wrappers that simplify commo
 | **Usage** | Benchmarking inference and deployments, non-root | Development, compilation, testing locally | Legacy workflows, root user, use with caution |
 | **User** | dynamo (UID 1000) | dynamo (UID=host user) with sudo | root (UID 0, use with caution) |
 | **Home Directory** | `/home/dynamo` | `/home/dynamo` | `/root` |
-| **Working Directory** | `/workspace` (in-container or mounted) | `/workspace` (must be mounted w/ `--mount-workspace`) | `/workspace` (must be mounted w/ `--mount-workspace`) |
+| **Working Directory** | `/workspace` (in-container or mounted) | `/workspace` (baked-in, optionally mounted w/ `--mount-workspace`) | `/workspace` (baked-in, optionally mounted w/ `--mount-workspace`) |
 | **Rust Toolchain** | None (uses pre-built wheels) | System install (`/usr/local/rustup`, `/usr/local/cargo`) | System install (`/usr/local/rustup`, `/usr/local/cargo`) |
 | **Cargo Target** | None | `/workspace/target` | `/workspace/target` |
-| **Python Env** | venv (`/opt/dynamo/venv`) for vllm/trtllm, system site-packages for sglang | venv (`/opt/dynamo/venv`) for vllm/trtllm, system site-packages for sglang | venv (`/opt/dynamo/venv`) for vllm/trtllm, system site-packages for sglang |
+| **Python Env** | venv (`/opt/dynamo/venv`) for vllm/trtllm, system site-packages for sglang | venv (`/opt/dynamo/venv`) for all frameworks (with --system-site-packages for sglang) | venv (`/opt/dynamo/venv`) for all frameworks (with --system-site-packages for sglang) |
 
-**Note (SGLang)**: SGLang runtime uses system site-packages, but the `dev` image creates `/opt/dynamo/venv` (and `local-dev` inherits it from `dev`) for build tooling like `maturin`.
+**Note (SGLang)**: SGLang runtime uses system site-packages, but the `dev` and `local-dev` images create `/opt/dynamo/venv` with `--system-site-packages` for build tooling like `maturin` and `uv`.
 
 ## Usage Guidelines
 
@@ -133,17 +146,31 @@ The `build.sh` script is responsible for building Docker images for different AI
 **Key Features:**
 - **Framework Support**: vLLM (default when --framework not specified), TensorRT-LLM, SGLang, or NONE
 - **Multi-stage Builds**: Build process with base images
-- **Development Targets**: Supports `dev` target and `local-dev` target
+- **Development Targets**: Supports `dev`, `runtime`, and `local-dev` targets via `build.sh`.
 - **Build Caching**: Docker layer caching and sccache support
 - **GPU Optimization**: CUDA, EFA, and NIXL support
 
+**How `dev` / `local-dev` builds work:**
+- `dev` and `local-dev` targets are defined in `container/dev/Dockerfile.dev`.
+- The framework Dockerfiles (`Dockerfile.vllm`, `Dockerfile.trtllm`, `Dockerfile.sglang`, `Dockerfile`) define shared stages used by `Dockerfile.dev` (e.g. `runtime`, `dynamo_base`, `wheel_builder`).
+- To build a single coherent Dockerfile, `build.sh` generates a temporary Dockerfile that is a literal concatenation of:
+  - the selected framework Dockerfile, then
+  - `container/dev/Dockerfile.dev`
+  `build.sh` then continues building normally using the temp Dockerfile path.
+
+**Requirements and debugging:**
+- By default the temp Dockerfile is deleted at the end of `build.sh`. To keep it for inspection, set `KEEP_DEV_DOCKERFILE_TEMP=1`.
+
+> **💡 Tip**: The `dev` and `local-dev` images have source code baked in, but **using `--mount-workspace` with `run.sh` is recommended for development** to bind mount your local workspace for live editing.
+
 **Common Usage Examples:**
 
 ```bash
-# Build vLLM dev image called dynamo:latest-vllm (default). This runs as root and is fine to use for inferencing/benchmarking, etc.
+# Build vLLM dev image called dynamo:latest-vllm (default). This runs as root and is for development.
 ./build.sh
 
-# Build both development and local-dev images (integrated into build.sh). While the dev image runs as root, the local-dev image will run as dynamo user with UID/GID matched to your host user, which is useful when mounting partitions. It will also contain development tools.
+# Build a local-dev image. The local-dev image will run as `dynamo` with UID/GID matched to your host user,
+# which is useful when mounting partitions for development.
 ./build.sh --framework vllm --target local-dev
 
 # Build TensorRT-LLM development image called dynamo:latest-trtllm
@@ -328,10 +355,11 @@ See Docker documentation for custom network creation and management.
 
 ### Development Workflow
 ```bash
-# 1. Build local-dev image (creates both dynamo:latest-vllm and dynamo:latest-vllm-local-dev)
+# 1. Build local-dev image (builds runtime, then dev as intermediate, then local-dev as final image)
 ./build.sh --framework vllm --target local-dev
 
 # 2. Run development container using the local-dev image
+# RECOMMENDED: --mount-workspace for live editing in dev and local-dev images
 ./run.sh --image dynamo:latest-vllm-local-dev --mount-workspace -v $HOME/.cache:/home/dynamo/.cache -it
 
 # 3. Inside container, run inference (requires both frontend and backend)

container/build.sh

@@ -583,65 +583,6 @@ BUILD_ARGS+=" --build-arg NIXL_LIBFABRIC_REF=${NIXL_LIBFABRIC_REF} "
 # Add EFA_VERSION as a build argument
 BUILD_ARGS+=" --build-arg EFA_VERSION=${EFA_VERSION} "
 
-# Function to build local-dev image
-build_local_dev_with_header() {
-    local dev_base_image="$1"
-    local tags="$2"
-    local success_msg="$3"
-    local header_title="$4"
-
-    # Get user info right before using it
-    USER_UID=${CUSTOM_UID:-$(id -u)}
-    USER_GID=${CUSTOM_GID:-$(id -g)}
-
-    # Set up dockerfile path
-    DOCKERFILE_LOCAL_DEV="${SOURCE_DIR}/Dockerfile.local_dev"
-
-    if [[ ! -f "$DOCKERFILE_LOCAL_DEV" ]]; then
-        echo "ERROR: Dockerfile.local_dev not found at: $DOCKERFILE_LOCAL_DEV"
-        exit 1
-    fi
-
-    echo ""
-    echo "Now building new local-dev image from: $dev_base_image"
-    echo "User 'dynamo' will have UID: $USER_UID, GID: $USER_GID"
-
-    # Show the docker command being executed if not in dry-run mode
-    if [ -z "$RUN_PREFIX" ]; then
-        set -x
-    fi
-
-    $RUN_PREFIX docker build \
-        --build-arg DEV_BASE="$dev_base_image" \
-        --build-arg USER_UID="$USER_UID" \
-        --build-arg USER_GID="$USER_GID" \
-        --build-arg ARCH="$ARCH" \
-        --file "$DOCKERFILE_LOCAL_DEV" \
-        $tags \
-        "$SOURCE_DIR" || {
-        { set +x; } 2>/dev/null
-        echo "ERROR: Failed to build local_dev image"
-        exit 1
-    }
-
-    { set +x; } 2>/dev/null
-    echo "$success_msg"
-
-    # Show usage instructions
-    echo ""
-    echo "To run the local-dev image as the local user ($USER_UID/$USER_GID):"
-    # Extract the first tag from the tags string (the full version tag, not the latest tag)
-    last_tag=$(echo "$tags" | grep -o -- '--tag [^ ]*' | head -1 | cut -d' ' -f2)
-    # Calculate relative path to run.sh from current working directory
-    # Get the directory where build.sh is located
-    build_dir="$(dirname "${BASH_SOURCE[0]}")"
-    # Get the absolute path to run.sh (in the same directory as build.sh)
-    run_abs_path="$(realpath "$build_dir/run.sh")"
-    # Calculate relative path from current PWD to run.sh
-    run_path="$(python3 -c "import os; print(os.path.relpath('$run_abs_path', '$PWD'))")"
-    echo "  $run_path --image $last_tag --mount-workspace ..."
-}
-
 # Function to build AWS EFA images from base runtime or dev images
 build_aws_with_header() {
     local base_image="$1"
@@ -683,14 +624,6 @@ build_aws_with_header() {
 }
 
 
-# Handle local-dev target
-if [[ $TARGET == "local-dev" ]]; then
-    LOCAL_DEV_BUILD=true
-    TARGET_STR="--target dev"
-fi
-
-# BUILD DEV IMAGE
-
 BUILD_ARGS+=" --build-arg BASE_IMAGE=$BASE_IMAGE --build-arg BASE_IMAGE_TAG=$BASE_IMAGE_TAG"
 
 if [ -n "${GITHUB_TOKEN}" ]; then
@@ -946,11 +879,73 @@ if [[ "$PLATFORM" == *"linux/arm64"* && "${FRAMEWORK}" == "SGLANG" ]]; then
     # Add arguments required for sglang blackwell build
     BUILD_ARGS+=" --build-arg GRACE_BLACKWELL=true --build-arg BUILD_TYPE=blackwell_aarch64"
 fi
+
+# Dev/local-dev targets: build from a concatenated Dockerfile:
+#   <framework Dockerfile> + container/dev/Dockerfile.dev
+if [[ -z "${TARGET:-}" || "${TARGET:-}" == "dev" || "${TARGET:-}" == "local-dev" ]]; then
+    _gen_dev_dockerfile_temp() {
+        local fw_df dev_df out
+        fw_df="$1"
+        dev_df="${SOURCE_DIR}/dev/Dockerfile.dev"
+        if [[ ! -f "${fw_df}" ]]; then
+            error "ERROR:" "Framework Dockerfile not found: ${fw_df}"
+        fi
+        if [[ ! -f "${dev_df}" ]]; then
+            error "ERROR:" "Dev Dockerfile not found: ${dev_df}"
+        fi
+
+        out="$(mktemp -t dynamo-dev-combined.XXXXXX.Dockerfile)"
+        cat "${fw_df}" "${dev_df}" > "${out}"
+        printf '\n' >> "${out}"
+
+        if [[ ! -s "${out}" ]]; then
+            rm -f "${out}"
+            error "ERROR:" "Temp Dockerfile was generated but is empty"
+        fi
+        printf '%s\n' "${out}"
+    }
+
+    DOCKERFILE="$(_gen_dev_dockerfile_temp "${DOCKERFILE}")"
+
+    # Ensure we clean up the temp Dockerfile (opt-out with KEEP_DEV_DOCKERFILE_TEMP=1 for debugging).
+    if [[ "${KEEP_DEV_DOCKERFILE_TEMP:-}" != "1" ]]; then
+        trap 'rm -f "${DOCKERFILE}" 2>/dev/null || true' EXIT
+    fi
+
+    # Dockerfile.dev expects a lowercase framework string.
+    BUILD_ARGS+=" --build-arg FRAMEWORK=${FRAMEWORK,,} "
+
+    # Preserve historical tagging behavior for dev/local-dev (build.sh used to delegate out).
+    base="${TAG#--tag }"
+    base="${base%-runtime}"
+    base="${base%-local-dev}"
+    base="${base%-dev}"
+    if [[ -z "${TARGET:-}" || "${TARGET}" == "dev" ]]; then
+        TAG="--tag ${base}-dev"
+    else
+        TAG="--tag ${base}-local-dev"
+        # Default UID/GID behavior: current user if not specified.
+        if [[ -z "${CUSTOM_UID:-}" ]]; then
+            CUSTOM_UID="$(id -u)"
+        fi
+        if [[ -z "${CUSTOM_GID:-}" ]]; then
+            CUSTOM_GID="$(id -g)"
+        fi
+        BUILD_ARGS+=" --build-arg USER_UID=${CUSTOM_UID} --build-arg USER_GID=${CUSTOM_GID} "
+    fi
+fi
+
 LATEST_TAG=""
 if [ -z "${NO_TAG_LATEST}" ]; then
-    LATEST_TAG="--tag dynamo:latest-${FRAMEWORK,,}"
-    if [ -n "${TARGET}" ] && [ "${TARGET}" != "local-dev" ]; then
-        LATEST_TAG="${LATEST_TAG}-${TARGET}"
+    if [[ -z "${TARGET:-}" || "${TARGET}" == "dev" ]]; then
+        LATEST_TAG="--tag dynamo:latest-${FRAMEWORK,,}"
+    elif [[ "${TARGET}" == "local-dev" ]]; then
+        LATEST_TAG="--tag dynamo:latest-${FRAMEWORK,,}-local-dev"
+    else
+        LATEST_TAG="--tag dynamo:latest-${FRAMEWORK,,}"
+        if [ -n "${TARGET}" ] && [ "${TARGET}" != "local-dev" ]; then
+            LATEST_TAG="${LATEST_TAG}-${TARGET}"
+        fi
     fi
 fi
 
@@ -1053,46 +1048,4 @@ if [[ "${MAKE_EFA:-}" == "true" ]]; then
     build_aws_with_header "$BASE_IMAGE_FOR_EFA" "$AWS_TAGS" "$EFA_STAGE" "Successfully built ${EFA_STAGE} image"
 fi
 
-# Handle local-dev build
-if [[ "${LOCAL_DEV_BUILD:-}" == "true" ]]; then
-    if [[ "${MAKE_EFA:-}" == "true" ]]; then
-        # With EFA: build local-dev-aws from dev-aws
-        DEV_AWS_IMAGE=$(echo "$AWS_TAGS" | grep -o -- '--tag [^ ]*' | head -1 | cut -d' ' -f2)
-
-        LOCAL_DEV_AWS_TAGS=""
-        if [[ -n "$TAG" ]]; then
-            TAG_NAME=$(echo "$TAG" | sed 's/--tag //')
-            LOCAL_DEV_AWS_TAGS+=" --tag ${TAG_NAME}-local-dev-aws"
-        fi
-        if [[ -n "$LATEST_TAG" ]]; then
-            LATEST_TAG_NAME=$(echo "$LATEST_TAG" | sed 's/--tag //')
-            LOCAL_DEV_AWS_TAGS+=" --tag ${LATEST_TAG_NAME}-local-dev-aws"
-        fi
-
-        build_local_dev_with_header "$DEV_AWS_IMAGE" "$LOCAL_DEV_AWS_TAGS" "Successfully built local-dev-aws image" "Building Local-Dev-AWS Image"
-    else
-        # Without EFA: build regular local-dev from dev
-        if [[ -n "$TAG" ]]; then
-            DEV_IMAGE=$(echo "$TAG" | sed 's/--tag //')
-        else
-            DEV_IMAGE="dynamo:latest-${FRAMEWORK,,}"
-        fi
-
-        LOCAL_DEV_TAGS=""
-        if [[ -n "$TAG" ]]; then
-            TAG_NAME=$(echo "$TAG" | sed 's/--tag //')
-            LOCAL_DEV_TAGS+=" --tag ${TAG_NAME}-local-dev"
-        fi
-        if [[ -n "$LATEST_TAG" ]]; then
-            LATEST_TAG_NAME=$(echo "$LATEST_TAG" | sed 's/--tag //')
-            LOCAL_DEV_TAGS+=" --tag ${LATEST_TAG_NAME}-local-dev"
-        fi
-
-        # Extract first tag for success message
-        FIRST_TAG=$(echo "$LOCAL_DEV_TAGS" | grep -o -- '--tag [^ ]*' | head -1 | cut -d' ' -f2)
-        build_local_dev_with_header "$DEV_IMAGE" "$LOCAL_DEV_TAGS" "Successfully built $FIRST_TAG" "Building Local-Dev Image"
-    fi
-fi
-
-
 { set +x; } 2>/dev/null

container/dev/50-framework-paths.sh

+#!/bin/bash
+# SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Framework-specific environment variables and paths
+# Only add paths that exist to avoid cluttering environment
+
+# TensorRT-LLM specific variables
+if [ -d /usr/local/tensorrt/targets ]; then
+    export TENSORRT_LIB_DIR=/usr/local/tensorrt/targets/$(uname -m)-linux-gnu/lib
+    [ -d "$TENSORRT_LIB_DIR" ] && export LD_LIBRARY_PATH="${TENSORRT_LIB_DIR}:${LD_LIBRARY_PATH}"
+fi
+
+if [ -d /opt/hpcx/ompi ]; then
+    export OPAL_PREFIX=/opt/hpcx/ompi
+    export OMPI_MCA_coll_ucc_enable=0
+    export PATH="/opt/hpcx/ompi/bin:${PATH}"
+    export LD_LIBRARY_PATH="/opt/hpcx/ompi/lib:${LD_LIBRARY_PATH}"
+fi
+
+[ -d /opt/hpcx/ucc/lib ] && export LD_LIBRARY_PATH="/opt/hpcx/ucc/lib:${LD_LIBRARY_PATH}"
+[ -f /etc/shinit_v2 ] && export ENV="${ENV:-/etc/shinit_v2}"
+[ -d /usr/local/ucx/bin ] && export PATH="/usr/local/ucx/bin:${PATH}"
+[ -d /usr/local/cuda/bin ] && export PATH="/usr/local/cuda/bin:${PATH}"
+[ -d /usr/local/cuda/nvvm/bin ] && export PATH="/usr/local/cuda/nvvm/bin:${PATH}"
+
+# vLLM nvshmem
+[ -d /opt/vllm/tools/ep_kernels/ep_kernels_workspace/nvshmem_install/lib ] && \
+    export LD_LIBRARY_PATH="/opt/vllm/tools/ep_kernels/ep_kernels_workspace/nvshmem_install/lib:${LD_LIBRARY_PATH}"
+
+# System nvshmem (TRT-LLM)
+ARCH_ALT=$(uname -m | sed 's/aarch64/aarch64/;s/x86_64/x86_64/')
+[ -d "/usr/lib/${ARCH_ALT}-linux-gnu/nvshmem/13" ] && \
+    export LD_LIBRARY_PATH="/usr/lib/${ARCH_ALT}-linux-gnu/nvshmem/13:${LD_LIBRARY_PATH}"
+
+# PyTorch libraries (TRT-LLM)
+PYTHON_VERSION=${PYTHON_VERSION:-3.12}
+[ -d "/opt/dynamo/venv/lib/python${PYTHON_VERSION}/site-packages/torch/lib" ] && \
+    export LD_LIBRARY_PATH="/opt/dynamo/venv/lib/python${PYTHON_VERSION}/site-packages/torch/lib:${LD_LIBRARY_PATH}"
+[ -d "/opt/dynamo/venv/lib/python${PYTHON_VERSION}/site-packages/torch_tensorrt/lib" ] && \
+    export LD_LIBRARY_PATH="/opt/dynamo/venv/lib/python${PYTHON_VERSION}/site-packages/torch_tensorrt/lib:${LD_LIBRARY_PATH}"