Skip to content

Commit 040ae36

Browse files
miyunarimiyunari
authored
add README (#101)
Signed-off-by: Janine Olear <[email protected]>
1 parent 9008e87 commit 040ae36

File tree

1 file changed

+109
-0
lines changed

1 file changed

+109
-0
lines changed

clusters/homelab/apps/llm/vllm/README.md

Lines changed: 109 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,109 @@
1+
# vLLM
2+
3+
Deploy [vllm](https://github.com/vllm-project/vllm) with the [IBM Granite](https://huggingface.co/ibm-granite) model, signed by [Sigstore](https://www.sigstore.dev/) using the Sigstore [model transparency cli](https://github.com/sigstore/model-transparency/) and the [model validation operator](https://github.com/sigstore/model-validation-operator/).
4+
5+
## Model Validation CR
6+
7+
The Model Validation Operator will use the [demo Granite Validation CR](clusters/homelab/apps/llm/vllm/granite-validation.yaml). We need to provide an identity and issuer there.
8+
9+
Google example:
10+
- Identity "[email protected]"
11+
- Issuer "https://accounts.google.com"
12+
13+
Github example:
14+
- Identity "[email protected]"
15+
- Issuer "https://github.com/login/oauth"
16+
17+
```diff
18+
apiVersion: rhtas.redhat.com/v1alpha1
19+
kind: ModelValidation
20+
metadata:
21+
name: demo
22+
namespace: llm
23+
spec:
24+
config:
25+
sigstoreConfig:
26+
+ certificateIdentity: "[email protected]"
27+
+ certificateOidcIssuer: "https://accounts.google.com"
28+
...
29+
```
30+
31+
## Automatic Model Validation
32+
33+
When a pod spec provides the following label:
34+
```yaml
35+
labels:
36+
validation.rhtas.redhat.com/ml: "true"
37+
```
38+
The Model Validation Operator will patch the created workload with an init-container to validate the integrity of the model configured on the `demo` custom resource. Since `vllm` is labeld accordingly in this setup, restarting the workload will trigger another evaluation.
39+
40+
This can be achieved with the following command:
41+
```bash
42+
oc rollout restart deployment vllm
43+
```
44+
45+
Afterwards we will see the init-container in aciton. (Using `oc describe pod <podname>` we can inspect all the details).
46+
```bash
47+
$ oc get pods
48+
NAME READY STATUS RESTARTS AGE
49+
llamastack-5586bf4845-5vgfc 1/1 Running 0 5d22h
50+
llamastack-playground-57fd659797-wjchr 1/1 Running 1 (24h ago) 11d
51+
model-validation-debug-85848698fd-w9f25 1/1 Running 0 111m
52+
open-webui-657884dd87-bs2r2 1/1 Running 0 20h
53+
vllm-5ccc55f587-bf449 0/1 Init:0/1 0 4s <------
54+
```
55+
56+
To gain more insights with our validation work or why it failed, we can check the logs of the added `model-validation` container on our `vllm` pod.
57+
```bash
58+
$ oc logs vllm-5ccc55f587-bf449 -c model-validation
59+
Key 6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3 failed to verify root
60+
Key 22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06 failed to verify root
61+
Verification succeeded
62+
```
63+
64+
## Debug
65+
66+
Use the [model-validation-debug container](clusters/homelab/apps/llm/vllm/granite-validation-debug.yaml) to `sign`, `validate`, `delete signature`, `modify` and `restore` the IBM Granite model.
67+
```bash
68+
$ oc get pods
69+
NAME READY STATUS RESTARTS AGE
70+
llamastack-5586bf4845-5vgfc 1/1 Running 0 5d22h
71+
llamastack-playground-57fd659797-wjchr 1/1 Running 1 (23h ago) 11d
72+
model-validation-debug-85848698fd-w9f25 1/1 Running 0 73m
73+
open-webui-657884dd87-bs2r2 1/1 Running 0 20h
74+
vllm-69d4955fb9-fv92t 1/1 Running 0 28m
75+
```
76+
77+
### Sign Model
78+
79+
Run the following command to sign the model using the public available Sigstore instance. (Pod name may changes).
80+
81+
```bash
82+
oc exec -it model-validation-debug-85848698fd-w9f25 -- model_signing sign \
83+
sigstore /models/huggingface/hub/models--ibm-granite--granite-3.3-2b-instruct/blobs/ \
84+
--signature /models/huggingface/hub/models--ibm-granite--granite-3.3-2b-instruct/model.sig
85+
```
86+
87+
### Verify Model
88+
89+
The same debug container can be used to validate the model.
90+
91+
```bash
92+
oc exec -it model-validation-debug-85848698fd-w9f25 -- model_signing verify \
93+
sigstore /models/huggingface/hub/models--ibm-granite--granite-3.3-2b-instruct/blobs/ \
94+
--signature /models/huggingface/hub/models--ibm-granite--granite-3.3-2b-instruct/model.sig \
95+
--identity_provider "https://accounts.google.com" \
96+
--identity "<your-email>"
97+
```
98+
99+
### Modify and Restore Model
100+
101+
To simulate unwanted modifications, we can modify the model manually.
102+
```bash
103+
oc exec -it model-validation-debug-85848698fd-w9f25 -- echo "fake" > /models/huggingface/hub/models--ibm-granite--granite-3.3-2b-instruct/blob/b0d40f9bebc505fca54f7e1af51b6e755f2807a6
104+
```
105+
106+
The `custom-backup` folder contains a backup to restore the model.
107+
```bash
108+
oc exec -it model-validation-debug-85848698fd-w9f25 -- cp /models/huggingface/hub/models--ibm-granite--granite-3.3-2b-instruct/custom-backup/b0d40f9bebc505fca54f7e1af51b6e755f2807a6 /models/huggingface/hub/models--ibm-granite--granite-3.3-2b-instruct/blob/b0d40f9bebc505fca54f7e1af51b6e755f2807a6
109+
```

0 commit comments

Comments
 (0)