[CI/Build] Allow hermetic builds

[fabiendupont]

The current Dockerfile assumes that many build artifacts are available from public repositories and downloads them from these repositories, making it more difficult for downstream distributions to perform hermetic builds of vLLM container images.

This pull request introduces changes that should be backward compatible, while improving the situation for hermetic builds. Below is the list of changes:

• Build argument for the base images. Currently both the build and final images are based on NVIDIA CUDA devel images, but with different Ubuntu versions.
• Support for a mirror of the Deadsnakes PPA. This also requires installing the GPG key manually, as it's deprecated in add-apt-repository.
• Installation of pip from a pyz archive. This is an alternative to get-pip.py that allows using a private copy of the pip.pyz file.
• Alternative Python indexes. The {PIP,UV}_INDEX_URL and {PIP,UV}_EXTRA_INDEX_URL variables are native. Reusing the same naming convention for CUDA and CUDA nightly indexes.
• Custom URL and endpoint for sccache. The URL is for installation from an internal repository. The endpoint allows storing the cache in a non-AWS S3 backend.
• Custom FlashInfer installation. The change allows using package name+version, a Git URL or even a local .whl file.
• Add pip/uv authentication with keyring. The pip/uv command supports a {PIP,UV}_KEYRING_PROVIDER and it is set to disabled by default.

Co-authored-by: Elias Levy [email protected]

[github-actions]

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build on Buildkite UI (linked in the PR checks section) and unblock them. If you do not have permission to unblock, ping simon-mo or khluu to add you in our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either: Add ready label to the PR or enable auto-merge.

🚀

[tlrmchlsmth]

Is there any way to unit test this?

[tlrmchlsmth]

LGTM overall and makes sense. I am a little concerned about fragility -- it isn't clear from looking at the Dockerfile why these variables are factored out into arguments, so I could easily see someone breaking the hermetic builds. I suggest adding some inline comments.

@khluu could you please take a look as well?

[fabiendupont]

@tlrmchlsmth, that's a fair point. I have added comments for the build arguments.

Regarding unit testing, I'm not sure, unless we want to setup mirrors for the various artifacts. I have mostly focused on non-regression for the existing build system.

[mergify]

This pull request has merge conflicts that must be resolved before it can be
merged. Please rebase the PR, @fabiendupont.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

[DarkLight1337]

test_topk_topp_sampler.py and test_rejection_sampler.py are not failing on main, so I think it's related to this PR

[mergify]

This pull request has merge conflicts that must be resolved before it can be
merged. Please rebase the PR, @fabiendupont.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

[DarkLight1337]

You can merge from main after #18543 is merged to fix the CI

[mergify]

This pull request has merge conflicts that must be resolved before it can be
merged. Please rebase the PR, @fabiendupont.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

[simon-mo]

https://buildkite.com/vllm/ci/builds/22272/steps/table?sid=01978274-0ef8-4e19-81ea-2521eaaf40af

11.8 build failed, either due to rebase or parametrization.

[fabiendupont]

@simon-mo, I am not sure it's because of the parameterization. The CUDA 12.1 and 11.8 versions don't support the 10.0 capabilities, which were added in 12.4. So, maybe we should drop CUDA <= 12.4 on the main branch.

[aarnphm]

Can we make the base image for vllm-openai to be just the runtime cuda image, whereas we can maybe keep the devel image for test and CI.

[fabiendupont]

This PR is not meant to change the behaviour of the current build, only allow using internal URL for hermetic builds. Not saying it's a bad idea, only not the purpose, so it could be a follow-up PR.

[mergify]

This pull request has merge conflicts that must be resolved before it can be
merged. Please rebase the PR, @fabiendupont.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

[schulluk]

This merge request is a great move into the right direction.
Thanks for proposing this change, @fabiendupont!

There are additional repository definitions directly in the requirement files like --extra-index-url in ./requirements/cpu-build.txt or cloning external dependencies from github with cmake configurations in ./cmake/external_projects/ that we can address in a follow-up proposal 👍