[CI/Build] Replace COPY scripts with bind mounts to reduce layers #29201
👋 Hi! Thank you for contributing to the vLLM project. 💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels. Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run You ask your reviewers to trigger select CI tests on top of Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging. To run CI, PR reviewers can either: Add If you have any questions, please reach out to us on Slack at https://slack.vllm.ai. 🚀
Code Review
This pull request aims to reduce Docker image layers by replacing COPY instructions with RUN --mount=type=bind. While this is a good practice, the implementation has a critical issue where a cache mount for the uv package manager was accidentally removed, which would regress build performance. I've also identified several places where the new bind mounts can be made read-only to improve security, and one instance of a redundant file removal command that should be deleted. My review includes suggestions to fix these issues.
| RUN --mount=type=bind,source=tools/install_deepgemm.sh,target=/tmp/install_deepgemm.sh \ | ||
| VLLM_DOCKER_BUILD_CONTEXT=1 TORCH_CUDA_ARCH_LIST="9.0a 10.0a" /tmp/install_deepgemm.sh --cuda-version "${CUDA_VERSION}" ${DEEPGEMM_GIT_REF:+--ref "$DEEPGEMM_GIT_REF"} |
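Review bot: the second line invokes /tmp/install_deepgemm.sh directly, so with a bind mount this step depends on the execute bit that tools/install_deepgemm.sh carries in the build context. Running it as bash /tmp/install_deepgemm.sh ..., the way the install_python_libraries.sh step calls its script, removes that dependency on file mode.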
The previous RUN command included --mount=type=cache,target=/root/.cache/uv to leverage caching for the uv package manager. This cache mount was removed in the new RUN command, which will significantly slow down Docker builds by preventing uv from using its cache. The cache mount should be restored. Additionally, for better security, the bind mount for the script should be made read-only.
RUN --mount=type=cache,target=/root/.cache/uv \
--mount=type=bind,source=tools/install_deepgemm.sh,target=/tmp/install_deepgemm.sh,ro \
VLLM_DOCKER_BUILD_CONTEXT=1 TORCH_CUDA_ARCH_LIST="9.0a 10.0a" /tmp/install_deepgemm.sh --cuda-version "${CUDA_VERSION}" ${DEEPGEMM_GIT_REF:+--ref "$DEEPGEMM_GIT_REF"}
| RUN --mount=type=bind,source=tools/ep_kernels/install_python_libraries.sh,target=install_python_libraries.sh \ | ||
| export TORCH_CUDA_ARCH_LIST="${TORCH_CUDA_ARCH_LIST:-9.0a 10.0a+PTX}" \ | ||
| && bash install_python_libraries.sh |
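Review bot: target=install_python_libraries.sh on the first line is a relative path, so where the script is mounted depends on the stage's working directory at this point, and it can shadow a file of the same name there. An absolute target such as /tmp/install_python_libraries.sh, matching the install_deepgemm.sh mount, with bash /tmp/install_python_libraries.sh on the last line, keeps the step independent of WORKDIR.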
For better security and to follow the principle of least privilege, you should make the bind mount read-only using the ro option, since the script is only being executed and not modified.
RUN --mount=type=bind,source=tools/ep_kernels/install_python_libraries.sh,target=install_python_libraries.sh,ro \
export TORCH_CUDA_ARCH_LIST="${TORCH_CUDA_ARCH_LIST:-9.0a 10.0a+PTX}" \
&& bash install_python_libraries.sh
💡 Codex Review
Here are some automated review suggestions for this pull request.
docker/Dockerfile
Outdated
| *) echo "Unsupported TARGETPLATFORM: ${TARGETPLATFORM}" >&2; exit 1 ;; \ | ||
| esac; \ | ||
| ./install_gdrcopy.sh "${GDRCOPY_OS_VERSION}" "${GDRCOPY_CUDA_VERSION}" "${UUARCH}"; \ | ||
| rm ./install_gdrcopy.sh |
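Review bot: the last line, rm ./install_gdrcopy.sh, targets a file that now exists only as a mount for this RUN and should be dropped. When it goes, the "; \" ending the ./install_gdrcopy.sh line above it has to go as well, otherwise the trailing backslash continues this RUN into whatever line follows.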
Stop deleting bind-mounted gdrcopy script
The new RUN --mount=type=bind,source=tools/install_gdrcopy.sh,target=install_gdrcopy.sh block still ends by running rm ./install_gdrcopy.sh, but bind mounts in BuildKit are read-only unless rw is specified. Under the set -e in this block, the rm now fails with a permission error, aborting the image build whenever this step runs. Because the script is only bind-mounted for the duration of the RUN, the cleanup is unnecessary and currently breaks the build.
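A CI-side check for the failure described in the comment above, as an added example (not code from the PR or the vLLM project): it scans RUN instructions for an rm of a read-only bind-mount target and for bind mounts opened with rw. The sample Dockerfile text, the rule names and tools/demo.sh are constructed for illustration.

```python
import posixpath
import re
import shlex

RUN = re.compile(r"^[ \t]*RUN[ \t]+((?:.*\\\n)*.*)$", re.I | re.M)  # RUN plus continuations
MOUNT = re.compile(r"--mount=(\S+)")
# Constructed Dockerfile fragment (not the project's file) showing the patterns above.
SAMPLE = """\
RUN --mount=type=bind,source=tools/install_gdrcopy.sh,target=install_gdrcopy.sh \\
    set -eux; \\
    ./install_gdrcopy.sh "${GDRCOPY_OS_VERSION}"; \\
    rm ./install_gdrcopy.sh
RUN --mount=type=cache,target=/root/.cache/uv \\
    --mount=type=bind,source=tools/install_deepgemm.sh,target=/tmp/install_deepgemm.sh,ro \\
    /tmp/install_deepgemm.sh
RUN --mount=type=bind,source=tools/demo.sh,target=/tmp/demo.sh,rw /tmp/demo.sh
"""

def mount_opts(spec):
    """Split 'type=bind,source=a,target=b,ro' into a dict; bare flags map to ''."""
    return {k.lower(): v for k, _, v in (f.partition("=") for f in spec.split(","))}

def lint(text):
    """Return (line_no, rule, path) findings for bind mounts in RUN instructions."""
    findings = []
    for match in RUN.finditer(text):
        no = text.count("\n", 0, match.start()) + 1
        run = match.group(1).replace("\\\n", " ")
        readonly = set()
        for m in map(mount_opts, MOUNT.findall(run)):
            target = m.get("target") or m.get("dst") or m.get("destination")
            if m.get("type", "bind") != "bind" or not target:  # bind is the default type
                continue
            if any(m.get(k, "false") not in ("false", "0") for k in ("rw", "readwrite")):
                findings.append((no, "writable-bind", target))
            else:
                readonly.add(posixpath.normpath(target))
        for segment in re.split(r"&&|\|\||[;|]", MOUNT.sub("", run)):
            try:
                words = shlex.split(segment)
            except ValueError:  # a quote spans a separator; fall back to a plain split
                words = segment.split()
            if words[:1] == ["rm"]:
                findings += [(no, "rm-of-readonly-bind", a) for a in words[1:]
                             if not a.startswith("-") and posixpath.normpath(a) in readonly]
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

The command splitting is a heuristic over shell separators, not a shell parser, so treat a finding as a prompt to read the RUN step rather than as proof of a broken build.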
f470014 to 862a549
Signed-off-by: Morteza Mirzaei <[email protected]>
862a549 to cf2a6e1
Replace COPY scripts with bind mounts to reduce layers. For full context, check #28648.
Purpose
Test Plan
CI
Test Result