# syntax=docker/dockerfile:1.10.0 # SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: Apache-2.0 # # NOTE FOR dynamo_base AND wheel_builder STAGES: # # All changes to dynamo_base and wheel_builder stages should be replicated across # Dockerfile and Dockerfile. images.: # - Dockerfile # - Dockerfile.vllm # - Dockerfile.sglang # - Dockerfile.trtllm # This duplication was introduced purposely to quickly enable Docker layer caching and # deduplication. Please ensure these stages stay in sync until the duplication can be # addressed. # # Throughout this file, we make certain paths group-writable because this allows # both the dynamo user (UID 1000) and Dev Container users (UID != 1000) to work # properly without needing slow chown -R operations (which can add 2-10 extra # minutes). # # DEVELOPMENT PATHS THAT MUST BE GROUP-WRITABLE (for virtualenv containers): # /workspace - Users create/modify project files # /home/dynamo - Users create config/cache files # /opt/dynamo/venv - vLLM uses venv, so entire venv must be writable for pip install # # HOW TO ACHIEVE GROUP-WRITABLE PERMISSIONS: # 1. SHELL + /etc/profile.d - Login shell sources umask 002 globally for all RUN commands (775/664) # 2. COPY --chmod=775 - Sets permissions on copied children (not destination) # 3. chmod g+w (no -R) - Fixes destination dirs only (milliseconds vs minutes) ################################## ########## Build Arguments ######## ################################## # This section contains build arguments that are common and shared across various # Dockerfile., so they should NOT have a default. The source of truth is from build.sh. ARG BASE_IMAGE ARG BASE_IMAGE_TAG ARG PYTHON_VERSION ARG ENABLE_KVBM ARG ENABLE_MEDIA_NIXL ARG ENABLE_MEDIA_FFMPEG ARG CARGO_BUILD_JOBS # Define general architecture ARGs for supporting both x86 and aarch64 builds. # ARCH: Used for package suffixes (e.g., amd64, arm64) # ARCH_ALT: Used for Rust targets, manylinux suffix (e.g., x86_64, aarch64) # # Default values are for x86/amd64: # --build-arg ARCH=amd64 --build-arg ARCH_ALT=x86_64 # # For arm64/aarch64, build with: # --build-arg ARCH=arm64 --build-arg ARCH_ALT=aarch64 #TODO OPS-592: Leverage uname -m to determine ARCH instead of passing it as an arg ARG ARCH=amd64 ARG ARCH_ALT=x86_64 # SCCACHE configuration ARG USE_SCCACHE ARG SCCACHE_BUCKET="" ARG SCCACHE_REGION="" # NIXL configuration ARG NIXL_UCX_REF ARG NIXL_REF ARG NIXL_GDRCOPY_REF ARG NIXL_LIBFABRIC_REF ARG RUNTIME_IMAGE="nvcr.io/nvidia/cuda" ARG RUNTIME_IMAGE_TAG="12.9.0-runtime-ubuntu24.04" ARG CUDA_VERSION="12.9" # Make sure to update the dependency version in pyproject.toml when updating this ARG VLLM_REF="v0.12.0" # FlashInfer Ref used to install flashinfer-cubin and flashinfer-jit-cache ARG FLASHINF_REF="v0.5.3" # If left blank, then we will fallback to vLLM defaults ARG DEEPGEMM_REF="" ARG LMCACHE_REF="0.3.10" ################################## ########## Base Image ############ ################################## FROM ${BASE_IMAGE}:${BASE_IMAGE_TAG} AS dynamo_base ARG ARCH ARG ARCH_ALT USER root WORKDIR /opt/dynamo # Install uv package manager COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/ # Install NATS server ENV NATS_VERSION="v2.10.28" RUN --mount=type=cache,target=/var/cache/apt \ wget --tries=3 --waitretry=5 https://github.com/nats-io/nats-server/releases/download/${NATS_VERSION}/nats-server-${NATS_VERSION}-${ARCH}.deb && \ dpkg -i nats-server-${NATS_VERSION}-${ARCH}.deb && rm nats-server-${NATS_VERSION}-${ARCH}.deb # Install etcd ENV ETCD_VERSION="v3.5.21" RUN wget --tries=3 --waitretry=5 https://github.com/etcd-io/etcd/releases/download/$ETCD_VERSION/etcd-$ETCD_VERSION-linux-${ARCH}.tar.gz -O /tmp/etcd.tar.gz && \ mkdir -p /usr/local/bin/etcd && \ tar -xvf /tmp/etcd.tar.gz -C /usr/local/bin/etcd --strip-components=1 && \ rm /tmp/etcd.tar.gz ENV PATH=/usr/local/bin/etcd/:$PATH # Rust Setup # Rust environment setup ENV RUSTUP_HOME=/usr/local/rustup \ CARGO_HOME=/usr/local/cargo \ PATH=/usr/local/cargo/bin:$PATH \ RUST_VERSION=1.90.0 # Define Rust target based on ARCH_ALT ARG ARG RUSTARCH=${ARCH_ALT}-unknown-linux-gnu # Install Rust RUN wget --tries=3 --waitretry=5 "https://static.rust-lang.org/rustup/archive/1.28.1/${RUSTARCH}/rustup-init" && \ chmod +x rustup-init && \ ./rustup-init -y --no-modify-path --profile minimal --default-toolchain $RUST_VERSION --default-host ${RUSTARCH} && \ rm rustup-init && \ chmod -R a+w $RUSTUP_HOME $CARGO_HOME ################################## ##### Wheel Build Image ########## ################################## # Redeclare ARCH_ALT ARG so it's available for interpolation in the FROM instruction ARG ARCH_ALT FROM quay.io/pypa/manylinux_2_28_${ARCH_ALT} AS wheel_builder # Redeclare ARGs for this stage ARG ARCH ARG ARCH_ALT ARG CARGO_BUILD_JOBS WORKDIR /workspace # Copy CUDA from base stage COPY --from=dynamo_base /usr/local/cuda /usr/local/cuda COPY --from=dynamo_base /etc/ld.so.conf.d/hpcx.conf /etc/ld.so.conf.d/hpcx.conf # Set environment variables first so they can be used in COPY commands ENV CARGO_BUILD_JOBS=${CARGO_BUILD_JOBS:-16} \ RUSTUP_HOME=/usr/local/rustup \ CARGO_HOME=/usr/local/cargo \ CARGO_TARGET_DIR=/opt/dynamo/target \ PATH=/usr/local/cargo/bin:$PATH # Copy artifacts from base stage COPY --from=dynamo_base $RUSTUP_HOME $RUSTUP_HOME COPY --from=dynamo_base $CARGO_HOME $CARGO_HOME # Install system dependencies RUN yum groupinstall -y 'Development Tools' && \ dnf install -y almalinux-release-synergy && \ dnf config-manager --set-enabled powertools && \ dnf install -y \ # Build tools cmake \ ninja-build \ clang-devel \ # Install GCC toolset 14 (CUDA compatible, max version 14) gcc-toolset-14-gcc \ gcc-toolset-14-gcc-c++ \ gcc-toolset-14-binutils \ flex \ wget \ # Kernel module build dependencies dkms \ # Protobuf support protobuf-compiler \ # RDMA/InfiniBand support (required for UCX build with --with-verbs) libibverbs \ libibverbs-devel \ rdma-core \ rdma-core-devel \ libibumad \ libibumad-devel \ librdmacm-devel \ numactl-devel \ # Libfabric support hwloc \ hwloc-devel \ libcurl-devel \ openssl-devel \ libuuid-devel \ zlib-devel # Set GCC toolset 14 as the default compiler (CUDA requires GCC <= 14) ENV PATH="/opt/rh/gcc-toolset-14/root/usr/bin:${PATH}" \ LD_LIBRARY_PATH="/opt/rh/gcc-toolset-14/root/usr/lib64:${LD_LIBRARY_PATH}" \ CC="/opt/rh/gcc-toolset-14/root/usr/bin/gcc" \ CXX="/opt/rh/gcc-toolset-14/root/usr/bin/g++" # Ensure a modern protoc is available (required for --experimental_allow_proto3_optional) RUN set -eux; \ PROTOC_VERSION=25.3; \ case "${ARCH_ALT}" in \ x86_64) PROTOC_ZIP="protoc-${PROTOC_VERSION}-linux-x86_64.zip" ;; \ aarch64) PROTOC_ZIP="protoc-${PROTOC_VERSION}-linux-aarch_64.zip" ;; \ *) echo "Unsupported architecture: ${ARCH_ALT}" >&2; exit 1 ;; \ esac; \ wget --tries=3 --waitretry=5 -O /tmp/protoc.zip "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/${PROTOC_ZIP}"; \ rm -f /usr/local/bin/protoc /usr/bin/protoc; \ unzip -o /tmp/protoc.zip -d /usr/local bin/protoc include/*; \ chmod +x /usr/local/bin/protoc; \ ln -s /usr/local/bin/protoc /usr/bin/protoc; \ protoc --version # Point build tools explicitly at the modern protoc ENV PROTOC=/usr/local/bin/protoc ENV CUDA_PATH=/usr/local/cuda \ PATH=/usr/local/cuda/bin:$PATH \ LD_LIBRARY_PATH=/usr/local/cuda/lib64:/usr/local/lib:/usr/local/lib64:$LD_LIBRARY_PATH \ NVIDIA_DRIVER_CAPABILITIES=video,compute,utility # Create virtual environment for building wheels ARG PYTHON_VERSION ENV VIRTUAL_ENV=/workspace/.venv RUN uv venv ${VIRTUAL_ENV} --python $PYTHON_VERSION && \ uv pip install --upgrade meson pybind11 patchelf maturin[patchelf] ARG NIXL_UCX_REF ARG NIXL_REF ARG NIXL_GDRCOPY_REF # Build and install gdrcopy RUN git clone --depth 1 --branch ${NIXL_GDRCOPY_REF} https://github.com/NVIDIA/gdrcopy.git && \ cd gdrcopy/packages && \ CUDA=/usr/local/cuda ./build-rpm-packages.sh && \ rpm -Uvh gdrcopy-kmod-*.el8.noarch.rpm && \ rpm -Uvh gdrcopy-*.el8.${ARCH_ALT}.rpm && \ rpm -Uvh gdrcopy-devel-*.el8.noarch.rpm # Install SCCACHE if requested ARG USE_SCCACHE ARG SCCACHE_BUCKET ARG SCCACHE_REGION COPY container/use-sccache.sh /tmp/use-sccache.sh RUN if [ "$USE_SCCACHE" = "true" ]; then \ /tmp/use-sccache.sh install; \ fi # Set SCCACHE environment variables ENV SCCACHE_BUCKET=${USE_SCCACHE:+${SCCACHE_BUCKET}} \ SCCACHE_REGION=${USE_SCCACHE:+${SCCACHE_REGION}} # Build FFmpeg from source # Do not delete the source tarball for legal reasons ARG FFMPEG_VERSION=7.1 RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \ --mount=type=secret,id=aws-secret-id,env=AWS_SECRET_ACCESS_KEY \ if [ "$ENABLE_MEDIA_FFMPEG" = "true" ]; then \ export SCCACHE_S3_KEY_PREFIX=${SCCACHE_S3_KEY_PREFIX:-${ARCH}} && \ if [ "$USE_SCCACHE" = "true" ]; then \ export CMAKE_C_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CXX_COMPILER_LAUNCHER="sccache" && \ export RUSTC_WRAPPER="sccache"; \ fi && \ dnf install -y pkg-config && \ cd /tmp && \ curl -LO https://ffmpeg.org/releases/ffmpeg-${FFMPEG_VERSION}.tar.xz && \ tar xf ffmpeg-${FFMPEG_VERSION}.tar.xz && \ cd ffmpeg-${FFMPEG_VERSION} && \ ./configure \ --prefix=/usr/local \ --disable-gpl \ --disable-nonfree \ --disable-programs \ --disable-doc \ --disable-static \ --disable-x86asm \ --disable-postproc \ --disable-network \ --disable-encoders \ --disable-muxers \ --disable-bsfs \ --disable-devices \ --disable-libdrm \ --enable-shared && \ make -j$(nproc) && \ make install && \ /tmp/use-sccache.sh show-stats "FFMPEG" && \ ldconfig && \ mkdir -p /usr/local/src/ffmpeg && \ mv /tmp/ffmpeg-${FFMPEG_VERSION}* /usr/local/src/ffmpeg/; \ fi # Build and install UCX RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \ --mount=type=secret,id=aws-secret-id,env=AWS_SECRET_ACCESS_KEY \ export SCCACHE_S3_KEY_PREFIX="${SCCACHE_S3_KEY_PREFIX:-${ARCH}}" && \ if [ "$USE_SCCACHE" = "true" ]; then \ export CMAKE_C_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CXX_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CUDA_COMPILER_LAUNCHER="sccache"; \ fi && \ cd /usr/local/src && \ git clone https://github.com/openucx/ucx.git && \ cd ucx && \ git checkout $NIXL_UCX_REF && \ ./autogen.sh && \ ./contrib/configure-release \ --prefix=/usr/local/ucx \ --enable-shared \ --disable-static \ --disable-doxygen-doc \ --enable-optimizations \ --enable-cma \ --enable-devel-headers \ --with-cuda=/usr/local/cuda \ --with-verbs \ --with-dm \ --with-gdrcopy=/usr/local \ --with-efa \ --enable-mt && \ make -j && \ make -j install-strip && \ /tmp/use-sccache.sh show-stats "UCX" && \ echo "/usr/local/ucx/lib" > /etc/ld.so.conf.d/ucx.conf && \ echo "/usr/local/ucx/lib/ucx" >> /etc/ld.so.conf.d/ucx.conf && \ ldconfig ARG NIXL_LIBFABRIC_REF RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \ --mount=type=secret,id=aws-secret-id,env=AWS_SECRET_ACCESS_KEY \ export SCCACHE_S3_KEY_PREFIX="${SCCACHE_S3_KEY_PREFIX:-${ARCH}}" && \ if [ "$USE_SCCACHE" = "true" ]; then \ export CMAKE_C_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CXX_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CUDA_COMPILER_LAUNCHER="sccache"; \ fi && \ cd /usr/local/src && \ git clone https://github.com/ofiwg/libfabric.git && \ cd libfabric && \ git checkout $NIXL_LIBFABRIC_REF && \ ./autogen.sh && \ ./configure --prefix="/usr/local/libfabric" \ --disable-verbs \ --disable-psm3 \ --disable-opx \ --disable-usnic \ --disable-rstream \ --enable-efa \ --with-cuda=/usr/local/cuda \ --enable-cuda-dlopen \ --with-gdrcopy \ --enable-gdrcopy-dlopen && \ make -j$(nproc) && \ make install && \ /tmp/use-sccache.sh show-stats "LIBFABRIC" && \ echo "/usr/local/libfabric/lib" > /etc/ld.so.conf.d/libfabric.conf && \ ldconfig # Build and install AWS SDK C++ (required for NIXL OBJ backend / S3 support) ARG AWS_SDK_CPP_VERSION=1.11.581 RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \ --mount=type=secret,id=aws-secret-id,env=AWS_SECRET_ACCESS_KEY \ export SCCACHE_S3_KEY_PREFIX="${SCCACHE_S3_KEY_PREFIX:-${ARCH}}" && \ git clone --recurse-submodules --depth 1 --branch ${AWS_SDK_CPP_VERSION} \ https://github.com/aws/aws-sdk-cpp.git /tmp/aws-sdk-cpp && \ mkdir -p /tmp/aws-sdk-cpp/build && \ cd /tmp/aws-sdk-cpp/build && \ cmake .. \ -DCMAKE_BUILD_TYPE=Release \ -DBUILD_ONLY="s3" \ -DENABLE_TESTING=OFF \ -DCMAKE_INSTALL_PREFIX=/usr/local \ -DBUILD_SHARED_LIBS=ON && \ make -j$(nproc) && \ make install && \ cd / && \ rm -rf /tmp/aws-sdk-cpp && \ ldconfig && \ /tmp/use-sccache.sh show-stats "AWS SDK C++" # build and install nixl RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \ --mount=type=secret,id=aws-secret-id,env=AWS_SECRET_ACCESS_KEY \ export SCCACHE_S3_KEY_PREFIX="${SCCACHE_S3_KEY_PREFIX:-${ARCH}}" && \ if [ "$USE_SCCACHE" = "true" ]; then \ export CMAKE_C_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CXX_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CUDA_COMPILER_LAUNCHER="sccache"; \ fi && \ source ${VIRTUAL_ENV}/bin/activate && \ git clone --depth 1 --branch ${NIXL_REF} "https://github.com/ai-dynamo/nixl.git" && \ cd nixl && \ mkdir build && \ meson setup build/ --prefix=/opt/nvidia/nvda_nixl --buildtype=release \ -Dcudapath_lib="/usr/local/cuda/lib64" \ -Dcudapath_inc="/usr/local/cuda/include" \ -Ducx_path="/usr/local/ucx" \ -Dlibfabric_path="/usr/local/libfabric" && \ cd build && \ ninja && \ ninja install && \ /tmp/use-sccache.sh show-stats "NIXL" ENV NIXL_LIB_DIR=/opt/nvidia/nvda_nixl/lib64 \ NIXL_PLUGIN_DIR=/opt/nvidia/nvda_nixl/lib64/plugins \ NIXL_PREFIX=/opt/nvidia/nvda_nixl ENV LD_LIBRARY_PATH=${NIXL_LIB_DIR}:${NIXL_PLUGIN_DIR}:/usr/local/ucx/lib:/usr/local/ucx/lib/ucx:${LD_LIBRARY_PATH} RUN echo "$NIXL_LIB_DIR" > /etc/ld.so.conf.d/nixl.conf && \ echo "$NIXL_PLUGIN_DIR" >> /etc/ld.so.conf.d/nixl.conf && \ ldconfig RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \ --mount=type=secret,id=aws-secret-id,env=AWS_SECRET_ACCESS_KEY \ export SCCACHE_S3_KEY_PREFIX="${SCCACHE_S3_KEY_PREFIX:-${ARCH}}" && \ if [ "$USE_SCCACHE" = "true" ]; then \ export CMAKE_C_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CXX_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CUDA_COMPILER_LAUNCHER="sccache"; \ fi && \ cd /workspace/nixl && \ uv build . --out-dir /opt/dynamo/dist/nixl --python $PYTHON_VERSION # Copy source code (order matters for layer caching) COPY pyproject.toml README.md LICENSE Cargo.toml Cargo.lock rust-toolchain.toml hatch_build.py /opt/dynamo/ COPY launch/ /opt/dynamo/launch/ COPY lib/ /opt/dynamo/lib/ COPY components/ /opt/dynamo/components/ # Build dynamo wheels ARG ENABLE_KVBM RUN --mount=type=secret,id=aws-key-id,env=AWS_ACCESS_KEY_ID \ --mount=type=secret,id=aws-secret-id,env=AWS_SECRET_ACCESS_KEY \ export SCCACHE_S3_KEY_PREFIX=${SCCACHE_S3_KEY_PREFIX:-${ARCH}} && \ if [ "$USE_SCCACHE" = "true" ]; then \ export CMAKE_C_COMPILER_LAUNCHER="sccache" && \ export CMAKE_CXX_COMPILER_LAUNCHER="sccache" && \ export RUSTC_WRAPPER="sccache"; \ fi && \ source ${VIRTUAL_ENV}/bin/activate && \ cd /opt/dynamo && \ uv build --wheel --out-dir /opt/dynamo/dist && \ cd /opt/dynamo/lib/bindings/python && \ FEATURES=""; \ if [ "$ENABLE_MEDIA_NIXL" = "true" ]; then \ FEATURES="$FEATURES dynamo-llm/media-nixl"; \ fi; \ if [ "$ENABLE_MEDIA_FFMPEG" = "true" ]; then \ FEATURES="$FEATURES media-ffmpeg"; \ fi; \ if [ -n "$FEATURES" ]; then \ maturin build --release --features "$FEATURES" --out /opt/dynamo/dist; \ else \ maturin build --release --out /opt/dynamo/dist; \ fi && \ if [ "$ENABLE_KVBM" == "true" ]; then \ cd /opt/dynamo/lib/bindings/kvbm && \ maturin build --release --out target/wheels && \ auditwheel repair \ --exclude libnixl.so \ --exclude libnixl_build.so \ --exclude libnixl_common.so \ --plat manylinux_2_28_${ARCH_ALT} \ --wheel-dir /opt/dynamo/dist \ target/wheels/*.whl; \ fi && \ /tmp/use-sccache.sh show-stats "Dynamo" ######################################################## ########## Framework Development Image ################ ######################################################## # # PURPOSE: Framework development and vLLM compilation # # This stage builds and compiles framework dependencies including: # - vLLM inference engine with CUDA support # - DeepGEMM and FlashInfer optimizations # - All necessary build tools and compilation dependencies # - Framework-level Python packages and extensions # # Use this stage when you need to: # - Build vLLM from source with custom modifications # - Develop or debug framework-level components # - Create custom builds with specific optimization flags # # Use dynamo base image (see /container/Dockerfile for more details) FROM ${BASE_IMAGE}:${BASE_IMAGE_TAG} AS framework COPY --from=dynamo_base /bin/uv /bin/uvx /bin/ ARG PYTHON_VERSION RUN apt-get update -y \ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ # Python runtime - CRITICAL for virtual environment to work python${PYTHON_VERSION}-dev \ build-essential \ # vLLM build dependencies cmake \ ibverbs-providers \ ibverbs-utils \ libibumad-dev \ libibverbs-dev \ libnuma-dev \ librdmacm-dev \ rdma-core \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* # if libmlx5.so not shipped with 24.04 rdma-core packaging, CMAKE will fail when looking for # generic dev name .so so we symlink .s0.1 -> .so RUN ln -sf /usr/lib/aarch64-linux-gnu/libmlx5.so.1 /usr/lib/aarch64-linux-gnu/libmlx5.so || true # Create virtual environment RUN mkdir -p /opt/dynamo/venv && \ uv venv /opt/dynamo/venv --python $PYTHON_VERSION # Activate virtual environment ENV VIRTUAL_ENV=/opt/dynamo/venv \ PATH="/opt/dynamo/venv/bin:${PATH}" ARG ARCH # Install vllm - keep this early in Dockerfile to avoid # rebuilds from unrelated source code changes ARG VLLM_REF ARG VLLM_GIT_URL ARG DEEPGEMM_REF ARG FLASHINF_REF ARG LMCACHE_REF ARG CUDA_VERSION ARG MAX_JOBS=16 ENV MAX_JOBS=$MAX_JOBS ENV CUDA_HOME=/usr/local/cuda # Install VLLM and related dependencies RUN --mount=type=bind,source=./container/deps/,target=/tmp/deps \ --mount=type=cache,target=/root/.cache/uv \ cp /tmp/deps/vllm/install_vllm.sh /tmp/install_vllm.sh && \ chmod +x /tmp/install_vllm.sh && \ /tmp/install_vllm.sh \ --vllm-ref $VLLM_REF \ --max-jobs $MAX_JOBS \ --arch $ARCH \ --installation-dir /opt \ ${DEEPGEMM_REF:+--deepgemm-ref "$DEEPGEMM_REF"} \ ${FLASHINF_REF:+--flashinf-ref "$FLASHINF_REF"} \ ${LMCACHE_REF:+--lmcache-ref "$LMCACHE_REF"} \ --cuda-version $CUDA_VERSION ENV LD_LIBRARY_PATH=\ /opt/vllm/tools/ep_kernels/ep_kernels_workspace/nvshmem_install/lib:\ $LD_LIBRARY_PATH ################################################## ########## Runtime Image ######################## ################################################## # # PURPOSE: Production runtime environment # # This stage creates a lightweight production-ready image containing: # - Pre-compiled vLLM and framework dependencies # - Dynamo runtime libraries and Python packages # - Essential runtime dependencies and configurations # - Optimized for inference workloads and deployment # # Use this stage when you need: # - Production deployment of Dynamo with vLLM # - Minimal runtime footprint without build tools # - Ready-to-run inference server environment # - Base for custom application containers # FROM ${RUNTIME_IMAGE}:${RUNTIME_IMAGE_TAG} AS runtime WORKDIR /workspace ENV DYNAMO_HOME=/opt/dynamo ENV VIRTUAL_ENV=/opt/dynamo/venv ENV PATH="${VIRTUAL_ENV}/bin:${PATH}" # Set CUDA_DEVICE_ORDER to ensure CUDA logical device IDs match NVML physical device IDs # This fixes NVML InvalidArgument errors when CUDA_VISIBLE_DEVICES is set ENV CUDA_DEVICE_ORDER=PCI_BUS_ID # Copy CUDA development tools (nvcc, headers, dependencies, etc.) from base devel image COPY --from=dynamo_base /usr/local/cuda/bin/nvcc /usr/local/cuda/bin/nvcc COPY --from=dynamo_base /usr/local/cuda/bin/cudafe++ /usr/local/cuda/bin/cudafe++ COPY --from=dynamo_base /usr/local/cuda/bin/ptxas /usr/local/cuda/bin/ptxas COPY --from=dynamo_base /usr/local/cuda/bin/fatbinary /usr/local/cuda/bin/fatbinary COPY --from=dynamo_base /usr/local/cuda/include/ /usr/local/cuda/include/ COPY --from=dynamo_base /usr/local/cuda/nvvm /usr/local/cuda/nvvm COPY --from=dynamo_base /usr/local/cuda/lib64/libcudart.so* /usr/local/cuda/lib64/ RUN CUDA_VERSION_MAJOR="${CUDA_VERSION%%.*}" &&\ ln -s /usr/local/cuda/lib64/libcublas.so.${CUDA_VERSION_MAJOR} /usr/local/cuda/lib64/libcublas.so &&\ ln -s /usr/local/cuda/lib64/libcublasLt.so.${CUDA_VERSION_MAJOR} /usr/local/cuda/lib64/libcublasLt.so # DeepGemm runs nvcc for JIT kernel compilation, however the CUDA include path # is not properly set for complilation. Set CPATH to help nvcc find the headers. ENV CPATH=/usr/local/cuda/include ### COPY NATS & ETCD ### # Copy nats and etcd from dev image COPY --from=dynamo_base /usr/bin/nats-server /usr/bin/nats-server COPY --from=dynamo_base /usr/local/bin/etcd/ /usr/local/bin/etcd/ # Add ETCD and CUDA binaries to PATH so cicc and other CUDA tools are accessible ENV PATH=/usr/local/bin/etcd/:/usr/local/cuda/nvvm/bin:$PATH # Copy uv to system /bin COPY --from=dynamo_base /bin/uv /bin/uvx /bin/ # Create dynamo user with group 0 for OpenShift compatibility RUN userdel -r ubuntu > /dev/null 2>&1 || true \ && useradd -m -s /bin/bash -g 0 dynamo \ && [ `id -u dynamo` -eq 1000 ] \ && mkdir -p /home/dynamo/.cache /opt/dynamo \ # Non-recursive chown - only the directories themselves, not contents && chown dynamo:0 /home/dynamo /home/dynamo/.cache /opt/dynamo /workspace \ # No chmod needed: umask 002 handles new files, COPY --chmod handles copied content # Set umask globally for all subsequent RUN commands (must be done as root before USER dynamo) # NOTE: Setting ENV UMASK=002 does NOT work - umask is a shell builtin, not an environment variable && mkdir -p /etc/profile.d && echo 'umask 002' > /etc/profile.d/00-umask.sh ARG ARCH_ALT ARG PYTHON_VERSION # Install Python, build-essential and python3-dev as apt dependencies RUN apt-get update && \ CUDA_VERSION_MAJOR=${CUDA_VERSION%%.*} &&\ CUDA_VERSION_MINOR=$(echo "${CUDA_VERSION#*.}" | cut -d. -f1) && \ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ # Python runtime - CRITICAL for virtual environment to work python${PYTHON_VERSION}-dev \ build-essential \ # jq and curl for polling various endpoints and health checks jq \ git \ git-lfs \ curl \ # Libraries required by UCX to find RDMA devices libibverbs1 rdma-core ibverbs-utils libibumad3 \ libnuma1 librdmacm1 ibverbs-providers \ # JIT Kernel Compilation, flashinfer ninja-build \ g++ \ # prometheus dependencies ca-certificates \ # DeepGemm uses 'cuobjdump' which does not come with CUDA image cuda-command-line-tools-${CUDA_VERSION_MAJOR}-${CUDA_VERSION_MINOR} && \ rm -rf /var/lib/apt/lists/* USER dynamo ENV HOME=/home/dynamo # This picks up the umask 002 from the /etc/profile.d/00-umask.sh file for subsequent RUN commands SHELL ["/bin/bash", "-l", "-o", "pipefail", "-c"] ENV NIXL_PREFIX=/opt/nvidia/nvda_nixl ENV NIXL_LIB_DIR=$NIXL_PREFIX/lib/${ARCH_ALT}-linux-gnu ENV NIXL_PLUGIN_DIR=$NIXL_LIB_DIR/plugins ### VIRTUAL ENVIRONMENT SETUP ### # Copy entire virtual environment from framework container with correct ownership # Pattern: COPY --chmod=775 ; chmod g+w done later as root because COPY --chmod only affects /*, not COPY --chmod=775 --chown=dynamo:0 --from=framework ${VIRTUAL_ENV} ${VIRTUAL_ENV} # Copy vllm with correct ownership (read-only, no group-write needed) COPY --chown=dynamo:0 --from=framework /opt/vllm /opt/vllm # Copy UCX and NIXL to system directories (read-only, no group-write needed) COPY --from=wheel_builder /usr/local/ucx /usr/local/ucx COPY --chown=dynamo: --from=wheel_builder $NIXL_PREFIX $NIXL_PREFIX COPY --chown=dynamo: --from=wheel_builder /opt/nvidia/nvda_nixl/lib64/. ${NIXL_LIB_DIR}/ COPY --chown=dynamo: --from=wheel_builder /opt/dynamo/dist/nixl/ /opt/dynamo/wheelhouse/nixl/ COPY --chown=dynamo: --from=wheel_builder /workspace/nixl/build/src/bindings/python/nixl-meta/nixl-*.whl /opt/dynamo/wheelhouse/nixl/ # Copy AWS SDK C++ libraries (required for NIXL OBJ backend / S3 support) COPY --chown=dynamo: --from=wheel_builder /usr/local/lib64/libaws* /usr/local/lib/ COPY --chown=dynamo: --from=wheel_builder /usr/local/lib64/libs2n* /usr/local/lib/ COPY --chown=dynamo: --from=wheel_builder /usr/lib64/libcrypto.so.1.1* /usr/local/lib/ COPY --chown=dynamo: --from=wheel_builder /usr/lib64/libssl.so.1.1* /usr/local/lib/ ENV PATH=/usr/local/ucx/bin:$PATH # Copy ffmpeg RUN --mount=type=bind,from=wheel_builder,source=/usr/local/,target=/tmp/usr/local/ \ cp -rnL /tmp/usr/local/include/libav* /tmp/usr/local/include/libsw* /usr/local/include/; \ cp -nL /tmp/usr/local/lib/libav*.so /tmp/usr/local/lib/libsw*.so /usr/local/lib/; \ cp -nL /tmp/usr/local/lib/pkgconfig/libav*.pc /tmp/usr/local/lib/pkgconfig/libsw*.pc /usr/lib/pkgconfig/; \ cp -r /tmp/usr/local/src/ffmpeg /usr/local/src/; \ true # in case ffmpeg not enabled ENV LD_LIBRARY_PATH=\ /opt/vllm/tools/ep_kernels/ep_kernels_workspace/nvshmem_install/lib:\ $NIXL_LIB_DIR:\ $NIXL_PLUGIN_DIR:\ /usr/local/ucx/lib:\ /usr/local/ucx/lib/ucx:\ $LD_LIBRARY_PATH ENV NVIDIA_DRIVER_CAPABILITIES=video,compute,utility # Copy attribution files COPY --chmod=664 --chown=dynamo:0 ATTRIBUTION* LICENSE /workspace/ # Pattern: COPY --chmod=775 ; chmod g+w done later as root because COPY --chmod only affects /*, not COPY --chmod=775 --chown=dynamo:0 benchmarks/ /workspace/benchmarks/ # Install dynamo, NIXL, and dynamo-specific dependencies # Pattern: COPY --chmod=775 ; chmod g+w done later as root because COPY --chmod only affects /*, not ARG ENABLE_KVBM COPY --chmod=775 --chown=dynamo:0 --from=wheel_builder /opt/dynamo/dist/*.whl /opt/dynamo/wheelhouse/ RUN uv pip install \ /opt/dynamo/wheelhouse/ai_dynamo_runtime*.whl \ /opt/dynamo/wheelhouse/ai_dynamo*any.whl \ /opt/dynamo/wheelhouse/nixl/nixl*.whl && \ if [ "${ENABLE_KVBM}" = "true" ]; then \ KVBM_WHEEL=$(ls /opt/dynamo/wheelhouse/kvbm*.whl 2>/dev/null | head -1); \ if [ -z "$KVBM_WHEEL" ]; then \ echo "ERROR: ENABLE_KVBM is true but no KVBM wheel found in wheelhouse" >&2; \ exit 1; \ fi; \ uv pip install "$KVBM_WHEEL"; \ fi && \ cd /workspace/benchmarks && \ UV_GIT_LFS=1 uv pip install --no-cache . && \ # pip/uv bypasses umask when creating .egg-info files, but chmod -R is fast here (small directory) chmod -R g+w /workspace/benchmarks # Install common and test dependencies RUN --mount=type=bind,source=./container/deps/requirements.txt,target=/tmp/requirements.txt \ --mount=type=bind,source=./container/deps/requirements.test.txt,target=/tmp/requirements.test.txt \ UV_GIT_LFS=1 uv pip install \ --no-cache \ --requirement /tmp/requirements.txt \ --requirement /tmp/requirements.test.txt # Copy tests, deploy and components for CI with correct ownership # Pattern: COPY --chmod=775 ; chmod g+w done later as root because COPY --chmod only affects /*, not COPY --chmod=775 --chown=dynamo:0 tests /workspace/tests COPY --chmod=775 --chown=dynamo:0 examples /workspace/examples COPY --chmod=775 --chown=dynamo:0 deploy /workspace/deploy COPY --chmod=775 --chown=dynamo:0 recipes/ /workspace/recipes/ COPY --chmod=775 --chown=dynamo:0 components/ /workspace/components/ COPY --chmod=775 --chown=dynamo:0 lib/ /workspace/lib/ # Setup launch banner in common directory accessible to all users RUN --mount=type=bind,source=./container/launch_message/runtime.txt,target=/opt/dynamo/launch_message.txt \ sed '/^#\s/d' /opt/dynamo/launch_message.txt > /opt/dynamo/.launch_screen # Setup environment for all users USER root # Fix directory permissions: COPY --chmod only affects contents, not the directory itself RUN chmod g+w /workspace /workspace/* /opt/dynamo /opt/dynamo/* ${VIRTUAL_ENV} && \ chmod 755 /opt/dynamo/.launch_screen && \ echo 'source /opt/dynamo/venv/bin/activate' >> /etc/bash.bashrc && \ echo 'cat /opt/dynamo/.launch_screen' >> /etc/bash.bashrc # Fix library symlinks that Docker COPY dereferenced (COPY always follows symlinks) # This recreates proper symlinks to save space and suppress ldconfig warnings RUN cd /usr/local/lib && \ # libaws-c-common: .so.1 should symlink to .so.1.0.0 if [ -f libaws-c-common.so.1.0.0 ] && [ ! -L libaws-c-common.so.1 ]; then \ rm -f libaws-c-common.so.1 libaws-c-common.so && \ ln -s libaws-c-common.so.1.0.0 libaws-c-common.so.1 && \ ln -s libaws-c-common.so.1 libaws-c-common.so; \ fi && \ # libaws-c-s3: .so.0unstable should symlink to .so.1.0.0 if [ -f libaws-c-s3.so.1.0.0 ] && [ ! -L libaws-c-s3.so.0unstable ]; then \ rm -f libaws-c-s3.so.0unstable libaws-c-s3.so && \ ln -s libaws-c-s3.so.1.0.0 libaws-c-s3.so.0unstable && \ ln -s libaws-c-s3.so.0unstable libaws-c-s3.so; \ fi && \ # libs2n: .so.1 should symlink to .so.1.0.0 if [ -f libs2n.so.1.0.0 ] && [ ! -L libs2n.so.1 ]; then \ rm -f libs2n.so.1 libs2n.so && \ ln -s libs2n.so.1.0.0 libs2n.so.1 && \ ln -s libs2n.so.1 libs2n.so; \ fi && \ # OpenSSL 1.1: check for versioned files (e.g., .so.1.1.1k) for lib in libcrypto libssl; do \ versioned=$(ls -1 ${lib}.so.1.1.* 2>/dev/null | head -1); \ if [ -n "$versioned" ] && [ ! -L "${lib}.so.1.1" ]; then \ rm -f "${lib}.so.1.1" && \ ln -s "$(basename "$versioned")" "${lib}.so.1.1"; \ fi; \ done && \ ldconfig USER dynamo ARG DYNAMO_COMMIT_SHA ENV DYNAMO_COMMIT_SHA=$DYNAMO_COMMIT_SHA ENTRYPOINT ["/opt/nvidia/nvidia_entrypoint.sh"] CMD [] ########################################################### ########## Development (run.sh, runs as root user) ######## ########################################################### # # PURPOSE: Local development environment for use with run.sh (not Dev Container plug-in) # # This stage runs as root and provides: # - Development tools and utilities for local debugging # - Support for vscode/cursor development outside the Dev Container plug-in # # Use this stage if you need a full-featured development environment with extra tools, # but do not use it with the Dev Container plug-in. FROM runtime AS dev # Don't want ubuntu to be editable, just change uid and gid. ARG WORKSPACE_DIR=/workspace USER root # Install utilities as root RUN apt-get update -y && \ apt-get install -y --no-install-recommends \ # Install utilities nvtop \ wget \ tmux \ vim \ git \ openssh-client \ iproute2 \ rsync \ zip \ unzip \ htop \ # Build Dependencies autoconf \ automake \ cmake \ libtool \ meson \ net-tools \ pybind11-dev \ # Rust build dependencies clang \ libclang-dev \ protobuf-compiler \ pkg-config && \ rm -rf /var/lib/apt/lists/* # Set umask for group-writable files in dev stage (runs as root) RUN mkdir -p /etc/profile.d && echo 'umask 002' > /etc/profile.d/00-umask.sh SHELL ["/bin/bash", "-l", "-o", "pipefail", "-c"] # Set workspace directory variable ENV WORKSPACE_DIR=${WORKSPACE_DIR} \ DYNAMO_HOME=${WORKSPACE_DIR} \ RUSTUP_HOME=/usr/local/rustup \ CARGO_HOME=/usr/local/cargo \ CARGO_TARGET_DIR=/workspace/target \ VIRTUAL_ENV=/opt/dynamo/venv \ PATH=/usr/local/cargo/bin:$PATH # Copy rust installation from dynamo_base to avoid duplication efforts # Pattern: COPY --chmod=775 ; chmod g+w because COPY --chmod only affects /*, not COPY --from=dynamo_base --chmod=775 /usr/local/rustup /usr/local/rustup COPY --from=dynamo_base --chmod=775 /usr/local/cargo /usr/local/cargo RUN chmod g+w /usr/local/rustup /usr/local/cargo # Install maturin, for maturin develop # Editable install of dynamo COPY --chown=dynamo:0 --chmod=664 pyproject.toml README.md hatch_build.py /workspace/ RUN uv pip install maturin[patchelf] && \ uv pip install --no-deps -e . ENTRYPOINT ["/opt/nvidia/nvidia_entrypoint.sh"] CMD []