Initiative
Resolution: Unresolved
100% To Do, 0% In Progress, 0% Done
XL
We are building RHELAI and RHAIIS without the flags that prevent the image build steps from accessing outside resources. We need to enable those to comply with build security requirements and ensure that all future shared images also build with the hermetic flag enabled.
There is likely to be work to do for both the CI/CD teams, to enable the flag, and the wheels team, to make it possible to install wheel collections in that mode.
Update 2025-10-01
Hermetic builds in Konflux are not supported. Neither the AIPCC base images nor the production images like RHAIIS can use hermetic sealed builds as of now. Due to technical limitations, internal design decisions, lack of resources, and other reasons, AIPP is not able to implement hermetic Konflux builds in the foreseeable future. It's going to require major redesigns and rewrites of our base images and wheel installations. I see a small chance to deliver hermetic builds by CY26Q1 or Q2, but even that comes with a big if.
Our engineers are under immense pressure to deliver new features and versions in record time. Hermetic Konflux builds are just not as important as delivering a new vLLM version, Torch version, or AI accelerator hardware support. (I'm a security engineer by heart and I agree that we need to implement hermetic Konflux pipelines eventually.)
My comment from 2025-09-19 lists some requirements. The summary:
- Konflux does not have a stable, fully supported tool to generate RPM lock files. rpm-lockfile-prototype is still documented as proof-of-concept without any stability guarantees. Our products have very short release cycles and we are constantly missing our release dates. Even a delay by half a work day can throw us off. We need a stable tool with SLAs.
- Our base image builds are heavily parametrized and rely on build args, additional DNF repo args, scripts, and Renovate Bot. rpm-lockfile-prototype may be missing features to be as flexible as we need it to be.
- Wheels for product images are currently hosted on GitLab. GitLab has technical limitations, which force us to delete and replace wheel files. The approach is incompatible with pip lock files. We are currently moving away from GitLab to Pulp for Python wheels. Pulp may allow us to generate proper pip lock files.
- is blocked by
  - AIPCC-1345 Migrate Wheel Hosting to Pulp (Closed)
  - AIPCC-3511 customer-facing wheel package index (In Progress)
- is duplicated by
  - AIPCC-5284 Product Security/Prod Sec: Verify If AIPCC Builds Are Hermetic (New)
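An added example, not from this ticket or the AIPCC project: a small audit showing why replacing a wheel under the same file name breaks a hash-pinned pip lock file, and why an entry without a hash cannot be used in `--require-hashes` mode. Package names, the file name and the wheel contents are constructed, and the lock is assumed to be in pip's requirements format with `--hash=sha256:` options.

```python
import hashlib
import re

HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_lock(text):
    """Return {requirement: set of sha256 hex digests} from lock text."""
    pins = {}
    # Join backslash continuations, then drop comments, blanks and options.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split(" #", 1)[0].strip()
        if not line or line.startswith(("#", "-")):
            continue
        pins[line.split()[0]] = set(HASH_OPT.findall(line))
    return pins

def audit(lock_text, index):
    """Compare a lock against what the index serves right now.

    index maps requirement -> {file name: file bytes}.
    Returns a sorted list of (requirement, problem) findings.
    """
    findings = []
    for req, hashes in parse_lock(lock_text).items():
        if not hashes:
            findings.append((req, "no --hash: rejected by --require-hashes"))
            continue
        served = {hashlib.sha256(data).hexdigest()
                  for data in index.get(req, {}).values()}
        if not served & hashes:
            findings.append((req, "no served file matches a locked hash"))
    return sorted(findings)

# Constructed sample data: names and contents are made up for illustration.
BUILD_1 = b"constructed wheel, first upload"
BUILD_2 = b"constructed wheel, re-uploaded under the same file name"
FNAME = "examplepkg-1.0-py3-none-any.whl"
LOCK = (
    "examplepkg==1.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(BUILD_1).hexdigest()}\n"
    "otherpkg==2.3  # locked without a hash\n"
)
INDEX_BEFORE = {"examplepkg==1.0": {FNAME: BUILD_1}}
INDEX_AFTER = {"examplepkg==1.0": {FNAME: BUILD_2}}

if __name__ == "__main__":
    for label, index in (("before", INDEX_BEFORE), ("after", INDEX_AFTER)):
        print(label, audit(LOCK, index))
```

The file name is the same in both index states; only the digest changes, which is what a hash-pinned install checks.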