Skip to content

feat(runtimes): KEP-2442-jax-runtime #2878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
mahdikhashan wants to merge 46 commits into from
Closed

feat(runtimes): KEP-2442-jax-runtime #2878

Show file tree
Hide file tree
Changes from 32 commits
Commits
Show all changes
46 commits
Select commit Hold shift + click to select a range
32cb4cd
setup jax plugin
mahdikhashan Oct 5, 2025
30411f7
autogenerated files
mahdikhashan Oct 5, 2025
cc896d2
update jax dockerfile base image version
mahdikhashan Oct 5, 2025
afe56ca
fix dockerfile
mahdikhashan Oct 5, 2025
cd51833
fix ci
mahdikhashan Oct 5, 2025
feccb57
fix
mahdikhashan Oct 5, 2025
828e55f
add jax_distributed.yaml to runtimes
mahdikhashan Oct 5, 2025
65d84cc
wip: jax plugin
mahdikhashan Oct 5, 2025
e7beb80
downgrade jax image version
mahdikhashan Oct 6, 2025
a249d1d
wip: jax plugin
mahdikhashan Oct 6, 2025
cb51c95
fix tests
mahdikhashan Oct 6, 2025
1bf5e03
wip: fix ci
mahdikhashan Oct 6, 2025
8c2e746
wip: fix go tests
mahdikhashan Oct 6, 2025
51e709b
pass tests
mahdikhashan Oct 18, 2025
9836a7d
chore(ci): Enable Kubernetes API Linter (#2858)
astefanutti Oct 17, 2025
f8bfb05
feat(cache): KEP-2655 - Add build pipeline and address vulnerabilitie…
akshaychitneni Oct 18, 2025
3d695cc
setup jax plugin
mahdikhashan Oct 5, 2025
b98e7b9
wip: jax plugin
mahdikhashan Oct 5, 2025
86f3065
remove duplicate component
mahdikhashan Dec 29, 2025
1d90a48
remove pointers
mahdikhashan Dec 29, 2025
f31f57b
add jax to registry
mahdikhashan Dec 29, 2025
0a5b2f9
build jax image
mahdikhashan Dec 29, 2025
1e23994
add jax plugin
mahdikhashan Dec 29, 2025
c0be33a
fix version.sh filepath
mahdikhashan Dec 29, 2025
b161972
update api
mahdikhashan Dec 29, 2025
fc0c5e7
fix fmt
mahdikhashan Dec 29, 2025
14ab32f
fix tests
mahdikhashan Dec 29, 2025
660ff1b
fix lint error
mahdikhashan Dec 29, 2025
76842d3
fix lint error
mahdikhashan Dec 29, 2025
a761a28
fix lint error
mahdikhashan Dec 29, 2025
a255feb
fix lint errors
mahdikhashan Dec 29, 2025
1f3bbb5
update api
mahdikhashan Dec 29, 2025
b17a223
Merge branch 'kubeflow:master' into jax-runtime-impl
mahdikhashan Dec 29, 2025
9839e3e
add jax e2e-tests
mahdikhashan Dec 29, 2025
c864c14
update dockerfile
mahdikhashan Dec 29, 2025
9fd682e
fix image order
mahdikhashan Jan 6, 2026
5c19e97
remove gitkeep
mahdikhashan Jan 6, 2026
fc78b9c
update dockerfile
mahdikhashan Jan 6, 2026
25fd59e
use latest nvidia-jax image version
mahdikhashan Jan 12, 2026
ad957d2
remove validation block
mahdikhashan Jan 12, 2026
9b3f6c6
remove extra check
mahdikhashan Jan 12, 2026
c7f23cc
remove code
mahdikhashan Jan 12, 2026
15cdd84
update jax plugin
mahdikhashan Jan 12, 2026
60d1efb
update tests
mahdikhashan Jan 12, 2026
1262f40
remove tests
mahdikhashan Jan 12, 2026
d9f6359
remove jax from core tests for validation
mahdikhashan Jan 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/build-and-push-images.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,9 @@ jobs:
- component-name: data-cache
dockerfile: cmd/data_cache/Dockerfile
platforms: linux/amd64,linux/arm64
- component-name: jax-runtime
dockerfile: cmd/runtimes/jax/Dockerfile
platforms: linux/amd64,linux/arm64
Copy link
Member

@andreyvelich andreyvelich Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please can you keep the order of image types, and move it after mlx-runtime?

steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down
20 changes: 20 additions & 0 deletions api/openapi-spec/swagger.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion api/python_api/kubeflow_trainer_api/models/trainer_v1alpha1_ml_policy.py
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion api/python_api/kubeflow_trainer_api/models/trainer_v1alpha1_ml_policy_source.py
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions charts/kubeflow-trainer/crds/trainer.kubeflow.org_clustertrainingruntimes.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ spec:
description: mlPolicy provides the ML-specific parameters for the
model training.
properties:
jax:
description: jax defines the configuration for the JAX Runtime
type: object
mpi:
description: mpi defines the configuration for the MPI Runtime.
properties:
Expand Down
3 changes: 3 additions & 0 deletions charts/kubeflow-trainer/crds/trainer.kubeflow.org_trainingruntimes.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ spec:
description: mlPolicy provides the ML-specific parameters for the
model training.
properties:
jax:
description: jax defines the configuration for the JAX Runtime
type: object
mpi:
description: mpi defines the configuration for the MPI Runtime.
properties:
Expand Down
54 changes: 54 additions & 0 deletions cmd/runtimes/jax/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
FROM ghcr.io/nvidia/jax:jax as gpu-base
Copy link
Member

@andreyvelich andreyvelich Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use released version of this image (e.g. 2026-01-04)?
https://github.com/NVIDIA/JAX-Toolbox/pkgs/container/jax/629563383?tag=jax-2026-01-04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update && \
Copy link
Member

@andreyvelich andreyvelich Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess, you can use apt directly, like in DeepSpeed since apt-get is deprecated.

apt-get install -y --no-install-recommends \
build-essential \
cmake \
git \
curl \
Copy link
Member

@andreyvelich andreyvelich Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you need curl?

libgoogle-glog-dev \
libgflags-dev \
libprotobuf-dev \
protobuf-compiler \
python3-dev \
python3-pip \
python3-setuptools && \
rm -rf /var/lib/apt/lists/*
Copy link
Member

@andreyvelich andreyvelich Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you need to link python, like here:

trainer/cmd/runtimes/deepspeed/Dockerfile

Line 8 in c864c14

python3-dev pip && rm -f /usr/bin/python && ln -s /usr/bin/python3 /usr/bin/python && rm -rf /var/lib/apt/lists/*

That should allow you to use python instead of python3 as an entrypoint.


RUN pip install --no-cache-dir --upgrade pip && \
pip install --no-cache-dir \
numpy \
jax \
jaxlib \
"jax[cuda12_pip]" -f https://storage.googleapis.com/jax-releases/jax_cuda_releases.html
Copy link

Copilot AI Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Dockerfile uses a base image from ghcr.io/nvidia/jax:jax, but then reinstalls JAX packages (lines 19-24). This could lead to version conflicts or redundant installations. Consider either using a minimal base image (like python:3.x or nvidia/cuda:x.x-base) and installing JAX explicitly, or use the NVIDIA JAX image without reinstalling packages. Additionally, the base image tag :jax is ambiguous and could change unexpectedly - consider using a specific version tag.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These pip install commands pull third-party Python packages (numpy, jax, jaxlib, jax[cuda12_pip]) from external indexes without pinning versions or verifying hashes. If any of these packages or their transitive dependencies are compromised (e.g., maintainer account takeover or registry poisoning), a malicious update would be automatically trusted at build time and executed with full privileges in this runtime image. To reduce supply-chain risk, pin each dependency to immutable versions or hashes (e.g., via a locked requirements file or hash-checking) and use only trusted package indexes.

Copilot uses AI. Check for mistakes.

FROM gpu-base as tpu-base

RUN pip install --no-cache-dir "jax[tpu]" -f https://storage.googleapis.com/jax-releases/libtpu_releases.html || \
echo "TPU support not available" && \
pip install --no-cache-dir libtpu-nightly || \
echo "libtpu-nightly not available"
Comment on lines +20 to +23
Copy link

Copilot AI Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The TPU installation logic (lines 28-31) uses || with echo statements, which means if the first pip install fails, it will echo a message and then try the second install. However, if the second install also fails, the build will continue without error. This masks installation failures. Consider using explicit error handling or removing the || echo patterns to ensure build failures are visible.

Suggested change
RUN pip install --no-cache-dir "jax[tpu]" -f https://storage.googleapis.com/jax-releases/libtpu_releases.html || \
echo "TPU support not available" && \
pip install --no-cache-dir libtpu-nightly || \
echo "libtpu-nightly not available"
RUN set -e; \
if ! pip install --no-cache-dir "jax[tpu]" -f https://storage.googleapis.com/jax-releases/libtpu_releases.html; then \
echo "TPU support not available, attempting to install libtpu-nightly"; \
pip install --no-cache-dir libtpu-nightly; \
fi

Copilot uses AI. Check for mistakes.
Comment on lines +20 to +23
Copy link

Copilot AI Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pip install pipeline installs jax[tpu] and then falls back to libtpu-nightly from external indexes, again without pinning versions or verifying hashes. A compromised release of these TPU-related packages would be automatically pulled during image builds and executed with high privileges, enabling a supply-chain compromise of workloads using this runtime. Mitigate this by pinning to specific, vetted versions (or hashes) and using a controlled package index or mirror for these artifacts.

Copilot uses AI. Check for mistakes.

FROM tpu-base as gloo-base

RUN git clone https://github.com/facebookincubator/gloo.git \
&& cd gloo \
&& git checkout 43b7acbf372cdce14075f3526e39153b7e433b53 \
&& mkdir build \
&& cd build \
&& cmake ../ \
&& make \
&& make install
Comment on lines +27 to +34
Copy link
Member

@andreyvelich andreyvelich Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need gloo ?
Do you know if this image can support GPU, CPU, and TPU workloads at the same time?
ghcr.io/nvidia/jax:jax

Copy link
Member Author

@mahdikhashan mahdikhashan Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i don't know what you mean, shall i simplify image to only GPU?


RUN pip install --no-cache-dir absl-py kubernetes
Copy link

Copilot AI Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pip install of absl-py and kubernetes uses unpinned versions from external package indexes, which introduces supply-chain risk for this production runtime image. If an attacker publishes a malicious version of one of these packages (or a dependency), future image builds will automatically incorporate and execute the malicious code with the container's privileges. Pin these dependencies to immutable versions or hashes and fetch them from a trusted, controlled index to limit this attack surface.

Copilot uses AI. Check for mistakes.
Copy link
Member

@andreyvelich andreyvelich Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need kubernetes and absl-py?


FROM gloo-base as production

WORKDIR /workspace

COPY cmd/runtimes/jax/version.sh /version.sh
RUN chmod +x /version.sh

ENTRYPOINT ["/bin/bash", "-c", "/version.sh && exec \"$@\"", "--"]
CMD ["/bin/bash"]
51 changes: 51 additions & 0 deletions cmd/runtimes/jax/version.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
#!/bin/bash

echo "=== VERSION INFORMATION ==="
echo "Python version: $(python3 --version)"
echo "Pip version: $(pip --version)"
echo ""

echo "=== JAX Information ==="
python3 -c "import jax; print(f'JAX version: {jax.__version__}')"
python3 -c "import jaxlib; print(f'JAXLib version: {jaxlib.__version__}')"
echo ""

echo "=== NCCL Information ==="
if dpkg -l | grep -q libnccl2; then
echo "NCCL version: $(dpkg -l | grep libnccl2 | awk '{print $3}')"
else
echo "NCCL: Not available via package manager"
fi
if command -v nvcc &> /dev/null; then
echo "CUDA version: $(nvcc --version | grep 'release' | awk '{print $5}')"
fi
echo ""

echo "=== TPU Information ==="
python3 -c "
try:
import jax
devices = jax.devices()
tpu_devices = [d for d in devices if d.platform == 'tpu']
if tpu_devices:
print(f'TPU devices found: {len(tpu_devices)}')
for d in tpu_devices:
print(f' - {d}')
else:
print('No TPU devices found')
except Exception as e:
print(f'Error checking TPU devices: {e}')
"
echo ""

echo "=== Gloo Information ==="
echo "Gloo: Built from source (commit 43b7acbf372cdce14075f3526e39153b7e433b53)"
if [ -f /usr/local/lib/libgloo.a ]; then
echo "Gloo library: Found at /usr/local/lib/libgloo.so"
Copy link

Copilot AI Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The version.sh script checks for /usr/local/lib/libgloo.a (static library) but reports finding /usr/local/lib/libgloo.so (shared library). This inconsistency could cause confusion when debugging. The condition should check for the same library file being reported, or both variants should be checked.

Suggested change
echo "Gloo library: Found at /usr/local/lib/libgloo.so"
echo "Gloo library: Found static library at /usr/local/lib/libgloo.a"
elif [ -f /usr/local/lib/libgloo.so ]; then
echo "Gloo library: Found shared library at /usr/local/lib/libgloo.so"

Copilot uses AI. Check for mistakes.
else
echo "Gloo library: Not found"
fi
echo ""

echo "=== Installed Python Packages ==="
pip list
Empty file added examples/jax/.gitkeep
View file
Open in desktop
Copy link
Member

@andreyvelich andreyvelich Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can remove it

Empty file.
3 changes: 3 additions & 0 deletions manifests/base/crds/trainer.kubeflow.org_clustertrainingruntimes.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ spec:
description: mlPolicy provides the ML-specific parameters for the
model training.
properties:
jax:
description: jax defines the configuration for the JAX Runtime
type: object
mpi:
description: mpi defines the configuration for the MPI Runtime.
properties:
Expand Down
3 changes: 3 additions & 0 deletions manifests/base/crds/trainer.kubeflow.org_trainingruntimes.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ spec:
description: mlPolicy provides the ML-specific parameters for the
model training.
properties:
jax:
description: jax defines the configuration for the JAX Runtime
type: object
mpi:
description: mpi defines the configuration for the MPI Runtime.
properties:
Expand Down
24 changes: 24 additions & 0 deletions manifests/base/runtimes/jax_distributed.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
apiVersion: trainer.kubeflow.org/v1alpha1
kind: ClusterTrainingRuntime
metadata:
name: jax-distributed
labels:
trainer.kubeflow.org/framework: jax
spec:
mlPolicy:
numNodes: 1
jax: {}
template:
spec:
replicatedJobs:
- name: node
template:
metadata:
labels:
trainer.kubeflow.org/trainjob-ancestor-step: trainer
spec:
template:
spec:
containers:
- name: node
image: ghcr.io/kubeflow/trainer/jax-runtime
1 change: 1 addition & 0 deletions manifests/base/runtimes/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,5 +3,6 @@ kind: Kustomization
resources:
- deepspeed_distributed.yaml
- mlx_distributed.yaml
- jax_distributed.yaml
- torch_distributed.yaml
- torchtune
2 changes: 2 additions & 0 deletions manifests/overlays/runtimes/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,5 @@ images:
newTag: latest
- name: ghcr.io/kubeflow/trainer/deepspeed-runtime
newTag: latest
- name: ghcr.io/kubeflow/trainer/jax-runtime
newTag: latest
7 changes: 7 additions & 0 deletions pkg/apis/trainer/v1alpha1/trainingruntime_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,10 @@ type MLPolicySource struct {
// mpi defines the configuration for the MPI Runtime.
// +optional
MPI *MPIMLPolicySource `json:"mpi,omitempty"`

// jax defines the configuration for the JAX Runtime
// +optional
JAX *JAXMLPolicySource `json:"jax,omitempty"`
}

// TorchMLPolicySource represents a PyTorch runtime configuration.
Expand Down Expand Up @@ -239,6 +243,9 @@ type TorchElasticPolicy struct {
Metrics []autoscalingv2.MetricSpec `json:"metrics,omitempty"`
}

// JAXMLPolicySource represents a jax runtime configuration.
type JAXMLPolicySource struct{}

// MPIMLPolicySource represents a MPI runtime configuration.
type MPIMLPolicySource struct {
// numProcPerNode is the number of processes per node.
Expand Down
21 changes: 21 additions & 0 deletions pkg/apis/trainer/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

28 changes: 26 additions & 2 deletions pkg/apis/trainer/v1alpha1/zz_generated.openapi.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading