
Conversation

@raptorsun raptorsun commented Jan 28, 2026

Description

Use the RHAI base image, which comes with dependent libraries such as OpenMPI already installed.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
  • Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

  • Related Issue #
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Added a new build-args-file parameter and wired it into the build matrix to support extra build arguments.
    • Made builder/runtime base images and package-manager commands configurable for hermetic builds.
    • Switched package sources and lock metadata from UBI to RHEL/EUS endpoints and removed legacy UBI repo definitions.
    • Updated package lists and dependency hashes (adds/removals and some version bumps), including adding jiter and gcc-c++ and adjusting Python metadata to 3.12.

coderabbitai bot commented Jan 28, 2026

Walkthrough

Adds a build-args-file Tekton pipeline parameter and wires it into build matrices; parameterizes Containerfile builder/runtime base images and package manager commands via ARGs and a config file; replaces UBI repo usage with RHEL/EUS repo definitions and updates rpm manifests/locks and Python requirement hashes.

Changes

Cohort / File(s) Summary
Tekton pipelines
.tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml
Added build-args-file pipeline parameter (default build-args-konflux.conf) and bound it into the build matrix as BUILD_ARGS_FILE; minor package list formatting edits and removal of huggingface-hub in push pipeline.
Container build
Containerfile, build-args-konflux.conf
Made builder/runtime base images and DNF commands configurable via ARGs; added build-time ENV flags, explicit copy/chown, PATH adjustments, non-root USER, EXPOSE/ENTRYPOINT, LABEL metadata; build-args-konflux.conf provides default ARG values.
RPM repo manifests
redhat.repo, ubi.repo
Removed ubi.repo; added multiple RHEL/EUS repository stanzas in redhat.repo (several enabled, some disabled).
RPM package lists / lockfile
rpms.in.yaml, rpms.lock.yaml
Switched contentOrigin repofile to redhat.repo; added gcc-c++, removed several image-related libs; migrated many lockfile entries from UBI to RHEL/EUS endpoints with updated EVR, repoid, URLs, sizes, and checksums.
Python requirements & hashes
requirements-build.txt, requirements.hashes.source.txt, requirements.hashes.wheel.txt, requirements.overrides.txt
Updated Python comment (3.13→3.12), bumped/added packages (litellm, tqdm, trl, huggingface-hub, proto-plus, polyleven, jiter), inserted large source-hash blocks and removed corresponding wheel hashes; added jiter to overrides.
Other
redhat.repo (large new additions)
Inserted multiple RHEL/EUS repository definitions used by hermetic builds (codeready, BaseOS, AppStream, OpenShift-related repos).

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer / CI
    participant Tekton as Tekton Pipeline
    participant Build as Build Task / Container build
    participant Repo as RPM Repos (redhat.repo / rpms.lock)
    participant Registry as Image Registry

    Dev->>Tekton: start pipeline (params include build-args-file)
    Tekton->>Build: trigger build task with matrix (BUILD_ARGS_FILE)
    Build->>Repo: resolve RPMs using redhat.repo and rpms.lock
    Build->>Build: apply Containerfile ARGs (BUILDER_BASE_IMAGE, RUNTIME_BASE_IMAGE, DNF commands)
    Build->>Registry: push built image
    Registry-->>Dev: image available / build completed

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested labels

ok-to-test

Suggested reviewers

  • radofuchs
  • tisnik
Pre-merge checks: 3 passed
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The PR title '[WIP] konflux: use RHAI base image' directly corresponds to the main objective of switching Konflux to use the RHAI base image, as confirmed by the PR description and file changes.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Containerfile (1)

57-85: Add ARG RUNTIME_DNF_COMMAND to the final stage to fix empty variable expansion.

ARGs declared before the first FROM (line 3) have global scope but are not automatically available inside build stages. At line 85, ${RUNTIME_DNF_COMMAND} expands to empty, causing the command to fail with install: invalid option -- 'y'. Re-declare the ARG in the final stage.

Fix
 FROM ${RUNTIME_BASE_IMAGE}
+ARG RUNTIME_DNF_COMMAND
 ARG APP_ROOT=/app-root
 WORKDIR /app-root
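Review bot: the bare `ARG RUNTIME_DNF_COMMAND` re-declaration is the right fix; a stage-level ARG with no value inherits the global ARG's default (or the --build-arg passed at build time), so the empty expansion goes away. One thing to keep in view: the value is interpolated straight into a `RUN ${RUNTIME_DNF_COMMAND} install ...` line that runs as root, so whatever file is supplied as BUILD_ARGS_FILE effectively contributes shell to the build and deserves the same review scrutiny as the Containerfile itself.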

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Containerfile (1)

59-87: ⚠️ Potential issue | 🔴 Critical

Critical: Same ARG scoping issue in the runtime stage.

RUNTIME_DNF_COMMAND is undefined after FROM ${RUNTIME_BASE_IMAGE}. This will cause the same pipeline failure at line 87.

🐛 Proposed fix to re-declare ARG in runtime stage
 FROM ${RUNTIME_BASE_IMAGE}
+ARG RUNTIME_DNF_COMMAND=microdnf
 ARG APP_ROOT=/app-root
 WORKDIR /app-root
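Review bot: this variant gives the stage-level ARG its own default (`=microdnf`), and that stage default is what takes effect whenever no --build-arg is supplied, regardless of the global default at the top of the file; the earlier suggestion used the bare `ARG RUNTIME_DNF_COMMAND` form, and the two should not both be applied. Prefer the bare form so the default is defined in exactly one place, otherwise a microdnf default suited to the UBI minimal image can silently outlive a switch of RUNTIME_BASE_IMAGE to the RHAI image, which uses dnf, and the runtime stage will fail on the first package install.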
🤖 Fix all issues with AI agents
In `@Containerfile`:
- Around line 2-7: The build ARGs declared before the first FROM (ARG
BUILDER_BASE_IMAGE, ARG BUILDER_DNF_COMMAND, ARG RUNTIME_BASE_IMAGE, ARG
RUNTIME_DNF_COMMAND) are not available inside the builder stage, causing
${BUILDER_DNF_COMMAND} to be empty; re-declare the required ARGs immediately
after the corresponding FROM lines (e.g., after "FROM ${BUILDER_BASE_IMAGE} AS
builder" add "ARG BUILDER_DNF_COMMAND" and any other builder ARGs you need) so
RUN steps that reference ${BUILDER_DNF_COMMAND} resolve correctly, and likewise
re-declare runtime ARGs after the runtime FROM if used in that stage.

@raptorsun

/retest

@raptorsun raptorsun force-pushed the rhai-base-image branch 2 times, most recently from 44fb3d1 to 31d6b47 Compare February 3, 2026 15:36

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@rpms.lock.yaml`:
- Around line 7-178: The repoids listed in rpms.lock.yaml
(rhel-9-for-aarch64-appstream-eus-rpms, rhel-9-for-aarch64-baseos-eus-rpms,
rhel-9-for-x86_64-appstream-eus-rpms, rhel-9-for-x86_64-baseos-eus-rpms) are
missing from redhat.repo; add matching repository stanzas for each repoid in
redhat.repo using the correct id names, set appropriate baseurl or mirrorlist
(pointing to the EUS CDN or internal mirror), enable=1, gpgcheck and gpgkey
settings consistent with other RHEL 9 repos, and ensure the
enabled/priority/gpgkey values mirror the existing appstream/baseos entries so
the packages in rpms.lock.yaml can be resolved.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@requirements.hashes.source.txt`:
- Around line 951-953: The new trl 0.27.2 removes the warnings_issued attribute
and changes SFTTrainer init behavior (for transformers < v5) and DPO
preprocessing EOS handling; search the codebase for any use of warnings_issued
and replace it with an alternative (e.g., use Python's warnings module or trl's
current API for tracking warnings), verify SFTTrainer instantiation code
(references to SFTTrainer) to match the updated constructor semantics for older
transformers or pin trl to a prior version if you rely on the old behavior, and
check any DPO preprocessing code that assumes extra EOS tokens and update it to
the corrected preprocessing logic; run tests after making these changes.
- Around line 586-670: The requirements.hashes.source.txt entry lists a
nonexistent version "polyleven==0.10.0"; either replace it with the valid PyPI
release "polyleven==0.9.0" and regenerate/replace the corresponding --hash
lines, or remove the entire polyleven block if the package is not required (note
requirements-build.txt has "#   polyleven" commented), and ensure any references
to "polyleven==0.10.0" are updated/removed consistently.
- Around line 302-304: The requirements entry pins a non-existent package
version "litellm==1.81.7" which will break installs; update the line in
requirements.hashes.source.txt to the valid release "litellm==1.81.6" and update
or recompute the associated --hash values accordingly, or if you intended a
pre-release/nightly specify the exact source/tag (e.g., v1.81.7-nightly) and
point to that index or VCS URL so the installer can resolve it.
🧹 Nitpick comments (2)
Containerfile (1)

2-5: Consider aligning default base-image ARGs with the new RHAI config.

Right now local builds without a build-args file will still default to UBI images. If that’s not desired, consider updating defaults to match the Konflux build-args file so local and CI builds behave consistently.

🔧 Optional diff to align defaults
-ARG BUILDER_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312
-ARG BUILDER_DNF_COMMAND=dnf
-ARG RUNTIME_BASE_IMAGE=registry.access.redhat.com/ubi9/python-312-minimal
-ARG RUNTIME_DNF_COMMAND=microdnf
+ARG BUILDER_BASE_IMAGE=registry.redhat.io/rhai/base-image-cpu-rhel9:3.2
+ARG BUILDER_DNF_COMMAND=dnf
+ARG RUNTIME_BASE_IMAGE=registry.redhat.io/rhai/base-image-cpu-rhel9:3.2
+ARG RUNTIME_DNF_COMMAND=dnf
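Review bot: moving the defaults from registry.access.redhat.com to registry.redhat.io changes the authentication story for local builds: UBI images on registry.access.redhat.com pull anonymously, whereas registry.redhat.io requires a Red Hat pull secret, so contributors without one lose the ability to build locally. Also, `:3.2` is a mutable tag; for a Konflux build that is meant to be hermetic and reproducible, pin the base images by digest (`image:tag@sha256:...`) in build-args-konflux.conf and let a bump bot move the digest, so the base image cannot change underneath an unchanged Containerfile.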
requirements.hashes.source.txt (1)

180-182: huggingface-hub 0.36.1 is secure but significantly outdated.

Version 0.36.1 has no known security vulnerabilities (the historical vulnerability affecting versions < 0.13.4 was patched long ago). However, the latest stable release is 1.3.7 (Feb 2, 2026), with major version 1.0.0 released in October 2025. Since this file is auto-generated by uv pip compile, the pinned version is likely a transitive dependency constraint; verify whether the underlying requirements should be updated to allow newer versions.

Comment on lines +302 to +304
litellm==1.81.7 \
--hash=sha256:442ff38708383ebee21357b3d936e58938172bae892f03bc5be4019ed4ff4a17 \
--hash=sha256:58466c88c3289c6a3830d88768cf8f307581d9e6c87861de874d1128bb2de90d

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

litellm 1.81.7 release notes changelog

💡 Result:

I couldn’t find any LiteLLM v1.81.7 release/tag or release notes.

  • PyPI currently shows the latest litellm package release as 1.81.6 (uploaded Feb 1, 2026), not 1.81.7. [1]
  • GitHub tags likewise show v1.81.6-nightly (Feb 1, 2026) and do not list any v1.81.7 tag. [2]
  • The official Release Notes index also lists v1.81.6 and does not include v1.81.7. [3]

If you meant a different variant (e.g., v1.81.7-stable, -nightly, -rc, or a Docker image tag), tell me the exact tag string and where you saw it, and I’ll track down the corresponding changelog.

Sources: [1] [2] [3]


litellm 1.81.7 does not exist—correct the version to 1.81.6 or clarify the intended version.

PyPI shows litellm 1.81.6 (released Feb 1, 2026) as the latest available version. Version 1.81.7 is not present in PyPI, GitHub tags, or official release notes. The current specification will fail during dependency installation. If you intend to pin the latest stable version, use 1.81.6 instead. If targeting a specific pre-release or nightly build, provide the exact tag (e.g., v1.81.7-nightly or similar) and its source.

🤖 Prompt for AI Agents
In `@requirements.hashes.source.txt` around lines 302 - 304, The requirements
entry pins a non-existent package version "litellm==1.81.7" which will break
installs; update the line in requirements.hashes.source.txt to the valid release
"litellm==1.81.6" and update or recompute the associated --hash values
accordingly, or if you intended a pre-release/nightly specify the exact
source/tag (e.g., v1.81.7-nightly) and point to that index or VCS URL so the
installer can resolve it.

Comment on lines +586 to +670
polyleven==0.10.0 \
--hash=sha256:00e8aeaccd5e40a6e0685e1a4bdc404fbf009b498597373bc3a83ebb41b360ee \
--hash=sha256:03a22a7f4d129a1f82362c8da050ceda44d58842da8703180863888bca62efd0 \
--hash=sha256:04f321bf1d3e4de4095393356caa399e0b3ae9f4610908b9c09b45cbbf3c09fe \
--hash=sha256:0513c5018e5941839da331e910b8e694c4dda56317b8c68f73a9571b184b7b6e \
--hash=sha256:074c5ead1f0ee5d429d0d45d1bd33fdee29757e9bfb07aabfd55eb0f6058b758 \
--hash=sha256:08d8103f4052fecf0a86020a3623b03b676c0b5a6d288c8c5e51a1256310b2b0 \
--hash=sha256:09a718a521a61893ab989a120eca259208690bd9c82e5bbe9d2f8d715e2c0d1e \
--hash=sha256:0a33c50d15ae3bf7c10b18df8fcea8ce2d67286f81219bcf47976a9c61c8297c \
--hash=sha256:0e50a96ec039b0e6ebddad4e16968b5ba48e47279c1b8049c4cffddea06306b0 \
--hash=sha256:10d7bc1312f1a2431679a49cc4ba0f70cbd82e3d674120a84545b8c39e21ff62 \
--hash=sha256:13bb198acb966b94e4f9b08f66062ce6f84829cd5adc4559e26ba690a54d684c \
--hash=sha256:1c9d0148436ce0ca86675a0d79c40e135166447e102b1ed1465ced2e1eb589f5 \
--hash=sha256:2081ab2afe7d7b6e0f28d6d21ed38c56fe06b437843ecf0ee3f84e92c0dc8203 \
--hash=sha256:20cd7950f067973fcbd6e976e86fce9b5646593300cba35444ecf4219f095022 \
--hash=sha256:21ee3982e2ed0b696070096fc973178f50fb6c63c9a1ecacb46c7345936ac55f \
--hash=sha256:22b4ed4fc73f28e7aa44a4e6146bf88dcb3d0a175f08c0978f3a486f0009bce2 \
--hash=sha256:25e7f8ec69af11888d3ded84569b437f78ddfbbb8bb3ceeee278e2ca85b87a2d \
--hash=sha256:288470f18b6af376bc90ef26db58b42c2daebdbf3e6ef8c736e667d466e7c082 \
--hash=sha256:2b429266edd6dc672f35b0834bef93e3afca06ccbc39d119a4923dbe278a8c70 \
--hash=sha256:2cdb62d17d36ebe811d402fbd3ca09a95e6863bd18e21bfc81c82c1a0e91e5e9 \
--hash=sha256:343ab52ad8d111e46ba800f938484c4346524e6db13dfd99ee2693cb680e4ef6 \
--hash=sha256:3517df703f0071582d23246343d35eaa860d206169502fd1ff83843c275b6626 \
--hash=sha256:3679ce75add5a4418530b1ffd798192aab454524fd592276ea324d7d740e5451 \
--hash=sha256:3732c6b93ab755155041303fbe52b9ab3d641a271b8c78034d338366d77e29bb \
--hash=sha256:37f5fa2018efac4b243f1f62bd81d8cc830245407258940119c26a4f95ab301a \
--hash=sha256:3876f0f2f67f1f183f10ead6c226cfa8e65f682225e3295c311df7b371ce9f71 \
--hash=sha256:3a3a3e9e5f7733f64b8aea794beb757e20cca8b7a90a52d8dfe02e973746e457 \
--hash=sha256:3f4b30a8054b9c31f477a15d727dc944bc7450a7d84f6c90e30d354da90a4388 \
--hash=sha256:412996ddf16b6b73bbfc21ee8f16120b2b3fa5249c68f746fa9ef521c0321546 \
--hash=sha256:41c8d61a8c742921a7ebc286e2d5dee03cd6659e22702e573329de84f4abfe98 \
--hash=sha256:4c92ae3f6d3c5b14f0c9ea2f8054346e7bcd5fbd643d58e0960c0408bb004aed \
--hash=sha256:5011e9ce10e875cf0f487b0bff7b21c3320287087fe9d91a7be0ceb23b463b54 \
--hash=sha256:50d2c2dcaae06253bc97e53a8a537d5c48d259e1a3bd3b85f90daa77649c85aa \
--hash=sha256:546ca556f85f6972ae1a2393d875d57fabf5679162650c2ad777aa9a5af2867c \
--hash=sha256:547e9b4197230e2fae8110d0ac57f5de8d65dbf0aa94f4882fe5faf3f8e7c700 \
--hash=sha256:595d8d0cd934e1e4042abbff9838b3a673eda6d269c3fa5727eec313c3df3d60 \
--hash=sha256:5a189e57cf00f185333402967201071fda1db78446ea40c8a91d5fe27865eae3 \
--hash=sha256:5ad04871576432e00129c3a8c5408eb0ecbf0321883a8332accf6c8011e9c003 \
--hash=sha256:617f6da9704d0affa0f9619e6a7ef79ef535ab28e1f69e9d2e2a137bff985738 \
--hash=sha256:6280eaeb216435de74e9c35a3276fbdb681f6f912ed428f649c27acdc39dd1d0 \
--hash=sha256:644cd3730f43580cf90557fa1a149ea0e09571c2ddef9d9c3071ea0bd3b00b4a \
--hash=sha256:675db0544b1e4fc08a78c7c777b40c56c1a6a8a1b538bd177610c3cdc3c6934e \
--hash=sha256:68f3f7eac393d71ab767f3273b77e207fcd1ac096e5617b82acbf9bf899e6939 \
--hash=sha256:6e765e51ef7931a9e5724f2a2f00aecd974db329be43cf878f7b56f07433f41f \
--hash=sha256:713e87bf29592ef16d773b07dc4bad8a5575f230f89ccddf1fdde2e92d4b19b9 \
--hash=sha256:745e70fd5dc8cb61f040a35a0a5b6565d8d955d72ad6cd8aac17306db4cf8ce3 \
--hash=sha256:74af72c34ebbf9ef3a82652fc2f50a13a00999577dda969bab589ca79d78fa07 \
--hash=sha256:75426e16960fe5f29be8ddcb64ab9c2c075ea1f835157023fc2a7792d740cdc0 \
--hash=sha256:7a7c939fd2999413235b20d7442605cdb5361213981e70932d63a08d1090036a \
--hash=sha256:7b128bc626199b3071f33c1aadd8dd535185abb7370f011ef58f4ca93b753032 \
--hash=sha256:7b4df9d778c5c55ba377dceb3ff39ca46291fcff278ac9c558299051be38c0fb \
--hash=sha256:7d5722484164e5529975d40b5e99290f221d259084b3d0b824c914f50cd103d2 \
--hash=sha256:7eb189e7c2f713d9a3c24eeb8d2a03064d7365a3ec1eeb1667d3f82284a56833 \
--hash=sha256:7fb473bfa1a68597cae78d14a4cb5fce75f619b978d5469f4bfb15e1b43f6214 \
--hash=sha256:84edc2c9517fc30dd6c5ff3f140e4bac1f3dcc37e2c36f1ce67edaef7497777c \
--hash=sha256:8777b2d3a67516803a86dc5bdaa66455f6c22dd98c6421f8506c0beac84ca9ff \
--hash=sha256:89c481dcd59b9e7ca31d27a0633575b06909a246db1eb3e4318a5050a770234f \
--hash=sha256:91bc30479d1b66a081c877473f7ff2943daa7d2573f192492abeabe4deca1db8 \
--hash=sha256:93658d6c6d3581adfebc419866123dd317d37c28862d1b5f44c2949d816d6943 \
--hash=sha256:99a4e6e89ff4f1e73dd3e160a3b87df0f7600513fefe8ea436cc66fd9e4719c3 \
--hash=sha256:9d83ddc05fba8b75cd23404bc218a3fea888778f061300e220a705e7b303f24c \
--hash=sha256:a1de0caaf1670feb7e4e55cb5c8a5a26026fac232c9d3ab8b8c0bc9257207882 \
--hash=sha256:a37e658e0fd7baf10af94a477ad23737c9d944122976636a87728dee7e6ffff9 \
--hash=sha256:a805860e131531732409152055af8fed1e26c83e26b1ccc8ee68bb34699781df \
--hash=sha256:aab2104152bc7faae45ea8e43c59abea1db6e9d3f8a6d9eef65bb44042137d0e \
--hash=sha256:ab8ac71db516befeda8f4ab61875c938b1c67315f2872fa262f0ba3856de6c73 \
--hash=sha256:b527a11223d0a57dacbac342f464861dff98bf8e047c4daa4c1787134d1b53f3 \
--hash=sha256:b67f1dbdb354f6015ab9780a89cfa3db0628608eee85db32ffcb3595009d99ca \
--hash=sha256:bfe59466799c86a1d7a026303460a41cc3bd990bf05a2477af5e42fe20e77339 \
--hash=sha256:c5a2da058154d456fbbd69c3e4a956546c28a62507ff175fbbb1e23bfe53ab8d \
--hash=sha256:ccfbb44da427c66040b668fa67ebfa5d87a21919a5ba1771c4ea67affd492a26 \
--hash=sha256:d0e2cac82d683bccebed36b1d85d2833c0b0db46c78c8e2212763b3f93943fd3 \
--hash=sha256:d1c5363e0582ac88edf3d3a7aafe24300ac3bc8a9aa8bc54ea3cb544da2cfeeb \
--hash=sha256:d607c7fcf345ca76a6b00df4abe5fd1f0628c402c6144118f7da82bb883aec57 \
--hash=sha256:d9bf0338d263fb859cfb70c00e283524ad0f1e01a96810dabba8d81f3f154645 \
--hash=sha256:db3752b0630be1ad87ff02040cee76fdd9f83cb4f8c335d7da6988de0e6a1f0f \
--hash=sha256:e85c4fcb4f0d1622a38b1619067167f2aed8b814c2e08ec03b1437f60070f1d8 \
--hash=sha256:ea096c4cc8e8f089f082fe1caefb152267b138eb314d378103fee63418490cc3 \
--hash=sha256:ea673445dee5a2cfe303edb96541d7a5b359070b57357ecd14a1b63b39abb370 \
--hash=sha256:eab7347c4aedf6d76e6eb27a84d6f5875ba41152c15f61508c6c23658ece976e \
--hash=sha256:f486a2755894438d26110034a5d0b7ec02bab41a674998aa35c7fe0b453ae722 \
--hash=sha256:f7bb2367cba98c1f356e8085f9689207aea9b42416d9d2c9d44c3b89a3f097cc \
--hash=sha256:f9d14ca3ee1dfab08f29d61bf81159d830bf016bf951e3e8fcfd20c551272aef \
--hash=sha256:fc0ea0d503ea8c18b37c951b972ce0f5e6e6bd51ec74febc109df56f891b2efc

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

polyleven Python package latest version and security vulnerabilities

💡 Result:

  • Latest version (PyPI): polyleven 0.9.0, released Feb 26, 2025. [1]
  • Known security vulnerabilities: Safety’s vulnerability database reports no known vulnerabilities for polyleven (and indicates the latest non-vulnerable version is 0.9.0). [2]

Sources: [1] [2]


🏁 Script executed:

# Check the codebase for context about polyleven dependency
# Look in pyproject.toml and requirements files
find . -type f \( -name "pyproject.toml" -o -name "requirements*.txt" \) | head -20

Repository: lightspeed-core/lightspeed-stack

Length of output: 239


🏁 Script executed:

# Check pyproject.toml for polyleven dependency
cat ./pyproject.toml | head -100

Repository: lightspeed-core/lightspeed-stack

Length of output: 2811


🏁 Script executed:

# Check requirements-build.txt for polyleven
grep -n "polyleven" ./requirements-build.txt

Repository: lightspeed-core/lightspeed-stack

Length of output: 97


🏁 Script executed:

# Check if 0.10.0 is mentioned elsewhere in requirements files
grep -r "polyleven" . --include="*.txt" --include="*.toml"

Repository: lightspeed-core/lightspeed-stack

Length of output: 171


Incorrect package version: polyleven 0.10.0 does not exist on PyPI.

The version 0.10.0 listed in requirements.hashes.source.txt is invalid. PyPI's latest version is 0.9.0 (released Feb 26, 2025), and no version 0.10.0 exists. Additionally, the package is only commented out in requirements-build.txt (# polyleven at line 127), suggesting it should not be an active dependency. Verify whether this entry should be removed or updated to a valid version.

🤖 Prompt for AI Agents
In `@requirements.hashes.source.txt` around lines 586 - 670, The
requirements.hashes.source.txt entry lists a nonexistent version
"polyleven==0.10.0"; either replace it with the valid PyPI release
"polyleven==0.9.0" and regenerate/replace the corresponding --hash lines, or
remove the entire polyleven block if the package is not required (note
requirements-build.txt has "#   polyleven" commented), and ensure any references
to "polyleven==0.10.0" are updated/removed consistently.

Comment on lines +951 to +953
trl==0.27.2 \
--hash=sha256:05fbaa257d5d55bc659d8470c4d189eb046c18332d34dbe679e595bd5d6553cc \
--hash=sha256:b0a5b3ba4c28cf3736647b77925feccee8c542c509f63f4f5df070f3abe602df

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

trl 0.27.2 release notes changelog

💡 Result:

Hugging Face TRL v0.27.2 (released Feb 3, 2026) — changelog (github.com)

  • Removed access to warnings_issued (PR #4960) (github.com)
  • Fixed SFTTrainer init logic: only remove TrainingArguments.push_to_hub_token for transformers < v5 (PR #4942) (github.com)
  • Fixed an extra EOS token being appended in DPO preprocessing for conversational data (PR #4908) (github.com)

Citations:


Be aware of the breaking API change in trl 0.27.2.

This patch (released Feb 3, 2026) contains bug fixes but no security updates: it removes access to warnings_issued, fixes SFTTrainer init logic for transformers < v5, and fixes an extra EOS token issue in DPO preprocessing. Ensure any code using warnings_issued from trl is updated.

🤖 Prompt for AI Agents
In `@requirements.hashes.source.txt` around lines 951 - 953, The new trl 0.27.2
removes the warnings_issued attribute and changes SFTTrainer init behavior (for
transformers < v5) and DPO preprocessing EOS handling; search the codebase for
any use of warnings_issued and replace it with an alternative (e.g., use
Python's warnings module or trl's current API for tracking warnings), verify
SFTTrainer instantiation code (references to SFTTrainer) to match the updated
constructor semantics for older transformers or pin trl to a prior version if
you rely on the old behavior, and check any DPO preprocessing code that assumes
extra EOS tokens and update it to the corrected preprocessing logic; run tests
after making these changes.

Signed-off-by: Haoyu Sun <hasun@redhat.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
requirements-build.txt (1)

31-48: ⚠️ Potential issue | 🟠 Major

Conflicting hatchling versions indicate unresolvable dependency constraint.

The file contains both hatchling==1.26.3 (line 31) and hatchling==1.28.0 (line 36) required by different transitive dependencies. Notably, hatch-fancy-pypi-readme depends on both versions, making this an unresolvable conflict. While the file is autogenerated by pip-compile, this state indicates a dependency graph problem upstream that prevents successful installation—pip cannot satisfy both constraints simultaneously.

🤖 Fix all issues with AI agents
In `@requirements.overrides.txt`:
- Line 17: The pinned jiter version is inconsistent: requirements.overrides.txt
contains "jiter==0.12" while requirements.hashes.wheel.txt uses "jiter==0.12.0";
pick one canonical form and make both files match (either change "jiter==0.12"
to "jiter==0.12.0" or vice versa) so the two requirement files use the exact
same version string and avoid confusion.
🧹 Nitpick comments (1)
Containerfile (1)

86-89: Consider cleaning DNF cache after installation.

The runtime stage installs packages but doesn't clean the DNF cache afterward. While --setopt=keepcache=0 prevents caching downloaded packages, the DNF metadata may still consume space.

♻️ Optional: Clean DNF cache to reduce image size
 USER root

 # Additional tools for derived images
-RUN ${RUNTIME_DNF_COMMAND} install -y --nodocs --setopt=keepcache=0 --setopt=tsflags=nodocs jq patch
+RUN ${RUNTIME_DNF_COMMAND} install -y --nodocs --setopt=keepcache=0 --setopt=tsflags=nodocs jq patch && \
+    ${RUNTIME_DNF_COMMAND} clean all
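Review bot: keeping `clean all` in the same RUN as the install is what actually shrinks the layer, so the shape of this diff is right. The hunk ends with the stage still running as `USER root`, though; the lines that follow must restore the non-root USER the Containerfile declares before the ENTRYPOINT, otherwise the runtime image, and every image derived from it, ships with root as its default user.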

faiss-cpu==1.12.0
sqlalchemy==2.0.45
setuptools==80.9
jiter==0.12

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, examine the requirements.overrides.txt file structure and header
head -20 requirements.overrides.txt

Repository: lightspeed-core/lightspeed-stack

Length of output: 474


🏁 Script executed:

# Check for jiter mentions in the codebase
rg -n 'jiter' --glob '*.yaml' --glob '*.txt' --glob '*.md'

Repository: lightspeed-core/lightspeed-stack

Length of output: 166


🏁 Script executed:

# Examine the tekton pipeline file context around line 50
cat -n .tekton/lightspeed-stack-push.yaml | sed -n '40,60p'

Repository: lightspeed-core/lightspeed-stack

Length of output: 1967


🏁 Script executed:

# Check the requirements.overrides.txt full content to understand its purpose
cat -n requirements.overrides.txt

Repository: lightspeed-core/lightspeed-stack

Length of output: 593


Ensure version consistency: jiter is pinned as 0.12 in requirements.overrides.txt but as 0.12.0 in requirements.hashes.wheel.txt.

These version formats are equivalent in Python packaging but should be aligned across requirement files to avoid confusion. Update one file to match the other's format.

🤖 Prompt for AI Agents
In `@requirements.overrides.txt` at line 17, The pinned jiter version is
inconsistent: requirements.overrides.txt contains "jiter==0.12" while
requirements.hashes.wheel.txt uses "jiter==0.12.0"; pick one canonical form and
make both files match (either change "jiter==0.12" to "jiter==0.12.0" or vice
versa) so the two requirement files use the exact same version string and avoid
confusion.
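The jiter pin here and the litellm and polyleven comments earlier in the thread are the same class of problem: hash-pinned requirement files are only as trustworthy as the checks run against them. The script below is an added example, not code from the lightspeed-stack repository or from CodeRabbit. It parses the `pkg==ver \` plus `--hash=sha256:...` continuation layout that uv pip compile emits, compares pins across two files while treating `0.12` and `0.12.0` as the same version (PEP 440 ignores trailing zero release components), and verifies a downloaded artifact's SHA-256 against the pinned set. The version and name normalization is a deliberately small subset of PEP 440 and PEP 503, and every requirement text and artifact byte string below is constructed for the demonstration.

```python
"""Parse hash-pinned requirements and verify artifacts against them.

Added example; not code from the lightspeed-stack repository. Handles the
backslash-continued `--hash=` layout of uv pip compile / pip-compile output.
Normalization below covers only release-segment trailing zeros and PEP 503
name folding, which is enough for the cross-file pin comparison shown here.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9.!+-]+)")
_HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


@dataclass
class Pin:
    name: str
    version: str
    hashes: dict[str, set[str]] = field(default_factory=dict)  # algo -> digests


def normalize_name(name: str) -> str:
    """PEP 503: case-fold and collapse runs of '-', '_' and '.' to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def normalize_version(version: str) -> str:
    """Drop trailing zero release components (0.12.0 -> 0.12); keep any suffix."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        return version.lower()
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    return ".".join(str(p) for p in release) + m.group(2).lower()


def parse_requirements(text: str) -> dict[str, Pin]:
    """Join backslash continuations, then collect name, version and hashes per line."""
    pins: dict[str, Pin] = {}
    logical = re.sub(r"\\\r?\n", " ", text)
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _REQ_RE.match(line) if line else None
        if not m:
            continue
        pin = Pin(normalize_name(m.group(1)), m.group(2))
        for algo, digest in _HASH_RE.findall(line):
            pin.hashes.setdefault(algo, set()).add(digest.lower())
        pins[pin.name] = pin
    return pins


def version_mismatches(a: dict[str, Pin], b: dict[str, Pin]) -> dict[str, tuple[str, str]]:
    """Packages pinned in both files whose versions differ after normalization."""
    out: dict[str, tuple[str, str]] = {}
    for name in sorted(set(a) & set(b)):
        if normalize_version(a[name].version) != normalize_version(b[name].version):
            out[name] = (a[name].version, b[name].version)
    return out


def verify_artifact(pin: Pin, data: bytes) -> bool:
    """True iff the SHA-256 of data is one of the pinned sha256 hashes; weaker algos never match."""
    return hashlib.sha256(data).hexdigest() in pin.hashes.get("sha256", set())


# Constructed stand-ins for downloaded wheels; their real SHA-256 is pinned below.
JITER_WHEEL = b"constructed stand-in for the jiter-0.12.0 wheel bytes\n"
SETUPTOOLS_WHEEL = b"constructed stand-in for the setuptools-80.9.0 wheel bytes\n"

OVERRIDES = "faiss-cpu==1.12.0\nsetuptools==80.9\njiter==0.12\n"

WHEEL_HASHES = (
    "# constructed sample in the layout uv pip compile emits\n"
    "jiter==0.12.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(JITER_WHEEL).hexdigest()} \\\n"
    f"    --hash=sha256:{'0' * 64}\n"
    "setuptools==80.9.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(SETUPTOOLS_WHEEL).hexdigest()}\n"
    "litellm==1.81.7 \\\n"
    f"    --hash=sha256:{'1' * 64}\n"
)
SOURCE_HASHES = "litellm==1.81.6 \\\n" f"    --hash=sha256:{'2' * 64}\n"


if __name__ == "__main__":
    wheel, overrides, source = (parse_requirements(t) for t in (WHEEL_HASHES, OVERRIDES, SOURCE_HASHES))
    print("overrides vs wheel:", version_mismatches(overrides, wheel))
    print("wheel vs source:", version_mismatches(wheel, source))
    print("jiter artifact ok:", verify_artifact(wheel["jiter"], JITER_WHEEL))
    print("tampered jiter ok:", verify_artifact(wheel["jiter"], JITER_WHEEL + b"x"))
```

The cross-file comparison is what turns the `0.12` versus `0.12.0` question into a non-issue while still catching a real divergence such as `1.81.7` versus `1.81.6`; the artifact check is the part a build should run on every downloaded file, rejecting anything whose pinned hashes are not SHA-256.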
