feat: Add xpu vllm docker

[zxue2]

Overview:
Add xpu vllm docker file and adjust build.sh to enable xpu on dynamo

Details:
Add --enable-xpu to container/build.sh
Create folder container/xpu and include xpu docker files, required patches, launch messages, etc.
It can generate dynamo-xpu docker image which can work with dynamo operator.

Where should the reviewer start?
From container/build.sh

Related Issues: #4652

Summary by CodeRabbit

• New Features

  • Added --enable-xpu build flag to enable XPU-specific container builds
  • Added XPU-specific Docker images for Dynamo runtime and vLLM framework
  • Added vLLM installation script with XPU support and configuration options

• Documentation

  • Added XPU runtime container documentation and launch messaging

• Chores

  • Refactored build script Dockerfile path handling for conditional image selection

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

👋 Hi zxue2! Thank you for contributing to ai-dynamo/dynamo.

Just a reminder: The NVIDIA Test Github Validation CI runs an essential subset of the testing framework to quickly catch errors.Your PR reviewers may elect to test the changes comprehensively before approving your changes.

🚀

[zxue2]

@tmonty12 could you please review or involve related component reviewer?

[coderabbitai]

Walkthrough

The pull request adds Intel XPU support to the container build system by introducing a new --enable-xpu command-line flag, XPU-specific multi-stage Dockerfiles, an automated vLLM installation script, and runtime documentation. It refactors the build script to conditionally select XPU Dockerfiles and consolidates Dockerfile path handling through a new DOCKERFILE_BASE variable.

Changes

Cohort / File(s)	Summary
Build system configuration container/build.sh	Added --enable-xpu flag to enable XPU mode; refactored Dockerfile selection logic to use conditional paths (xpu/Dockerfile.xpu, xpu/Dockerfile.xpu.vllm) when XPU is enabled; introduced DOCKERFILE_BASE variable for centralized path management; updated all docker build commands to reference DOCKERFILE_BASE.
XPU container images container/xpu/Dockerfile.xpu, container/xpu/Dockerfile.xpu.vllm	Created comprehensive multi-stage Dockerfiles for XPU Dynamo stack and vLLM XPU framework; includes base image setup with Intel GPU runtime, UCX/NIXL compilation from source, wheel builder configuration, runtime assembly, and development tooling. vLLM variant adds framework-specific build and patching stages.
XPU installation automation container/xpu/deps/vllm/install_vllm.xpu.sh	New shell script automating vLLM and LMCache installation with options for editable mode, custom git references, architecture normalization, patch application, and conditional LMCache support (amd64 only).
Runtime documentation container/xpu/launch_message/runtime.xpu.txt	New file containing ASCII art, license headers, and runtime documentation with usage examples, service configuration notes, and Dynamo CLI interaction instructions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Conditional build logic in build.sh — The Dockerfile selection pathway and variable refactoring require verification that both standard and XPU builds work correctly across BuildKit and non-BuildKit paths.
• Multi-stage Dockerfile complexity — Both XPU Dockerfiles contain dense, interconnected stages (base, wheel_builder, runtime, dev) with multiple source compilations (UCX, NIXL), artifact copying, and environment setup that demand careful inspection of layer dependencies and build correctness.
• XPU-specific patching — The vLLM installation script applies an external patch; its source and compatibility with different vLLM versions should be verified.
• Environment variable propagation — Numerous path variables (LD_LIBRARY_PATH, NIXL_LIB_DIR, etc.) are set across stages; their correctness and interaction require thorough tracing.

Poem

🐰 XPU dreams in Docker's fold,
Multi-stage builds, stories untold,
NIXL whispers, UCX compiles,
vLLM runs with heterogeneous smiles—
Intel and NVIDIA, together at last! 🚀

Pre-merge checks

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding XPU vLLM Docker support. It is concise, specific, and clearly references both the XPU feature and Docker components being added.
Description check	✅ Passed	The description follows the template structure with Overview, Details, Where should the reviewer start, and Related Issues sections. All required sections are present and adequately filled with specific information about changes.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

container/build.sh (1)

547-553: Use proper bash quoting in conditional check.

Line 547 uses unquoted variable expansion in the conditional. While it may work, proper bash practice requires quoting for defensive programming.

-        if [  ! -z ${ENABLE_XPU} ]; then
+        if [ -n "${ENABLE_XPU}" ]; then

container/xpu/Dockerfile.xpu.vllm (1)

343-346: Clarify the purpose of pytorch-triton-xpu uninstall/reinstall.

The dev stage uninstalls and reinstalls pytorch-triton-xpu==3.4.0. This pattern is unusual and may indicate a version pinning requirement or workaround. A brief comment explaining why this is necessary would improve maintainability.

 RUN uv pip uninstall triton pytorch-triton-xpu && \ 
+    # Pin pytorch-triton-xpu to specific version for XPU compatibility
     uv pip install pytorch-triton-xpu==3.4.0 --extra-index-url=https://download.pytorch.org/whl/xpu && \

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bd4366d and ad46747.

📒 Files selected for processing (5)

• container/build.sh (5 hunks)
• container/xpu/Dockerfile.xpu (1 hunks)
• container/xpu/Dockerfile.xpu.vllm (1 hunks)
• container/xpu/deps/vllm/install_vllm.xpu.sh (1 hunks)
• container/xpu/launch_message/runtime.xpu.txt (1 hunks)

🧰 Additional context used

🧠 Learnings (16)

📓 Common learnings

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 4657
File: container/Dockerfile.vllm:264-265
Timestamp: 2025-12-03T01:14:42.094Z
Learning: In container/Dockerfile.vllm, the recursive chmod -R g+w operation during early user setup (at lines 264-265, when creating the dynamo user and initializing /workspace, /home/dynamo, /opt/dynamo) is an intentional exception to the pattern of avoiding recursive operations, as it handles pre-existing paths and dotfiles created by useradd -m before bulk content is copied.

📚 Learning: 2025-08-30T20:43:49.632Z

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 2797
File: container/Dockerfile:437-449
Timestamp: 2025-08-30T20:43:49.632Z
Learning: In the dynamo project's devcontainer setup, the team prioritizes consistency across framework-specific Dockerfiles (like container/Dockerfile, container/Dockerfile.vllm, etc.) by mirroring their structure, even when individual optimizations might be possible, to maintain uniformity in the development environment setup.

Applied to files:

• container/xpu/Dockerfile.xpu.vllm
• container/build.sh
• container/xpu/Dockerfile.xpu
• container/xpu/launch_message/runtime.xpu.txt

📚 Learning: 2025-12-03T01:14:42.094Z

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 4657
File: container/Dockerfile.vllm:264-265
Timestamp: 2025-12-03T01:14:42.094Z
Learning: In container/Dockerfile.vllm, the recursive chmod -R g+w operation during early user setup (at lines 264-265, when creating the dynamo user and initializing /workspace, /home/dynamo, /opt/dynamo) is an intentional exception to the pattern of avoiding recursive operations, as it handles pre-existing paths and dotfiles created by useradd -m before bulk content is copied.

Applied to files:

• container/xpu/Dockerfile.xpu.vllm
• container/xpu/Dockerfile.xpu

📚 Learning: 2025-08-30T20:43:10.091Z

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 2797
File: .devcontainer/devcontainer.json:12-12
Timestamp: 2025-08-30T20:43:10.091Z
Learning: In the dynamo project, devcontainer.json files use templated container names (like "dynamo-vllm-devcontainer") that are automatically processed by the copy_devcontainer.sh script to generate framework-specific configurations with unique names, preventing container name collisions.

Applied to files:

• container/xpu/Dockerfile.xpu.vllm
• container/xpu/Dockerfile.xpu
• container/xpu/launch_message/runtime.xpu.txt

📚 Learning: 2025-08-30T20:43:10.091Z

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 2797
File: .devcontainer/devcontainer.json:12-12
Timestamp: 2025-08-30T20:43:10.091Z
Learning: In the dynamo project's devcontainer setup, hard-coded container names in devcontainer.json files serve as templates that are automatically processed by the copy_devcontainer.sh script to generate framework-specific configurations with unique names, preventing container name collisions.

Applied to files:

• container/xpu/Dockerfile.xpu.vllm

📚 Learning: 2025-09-03T01:10:12.599Z

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 2822
File: container/Dockerfile.vllm:343-352
Timestamp: 2025-09-03T01:10:12.599Z
Learning: In the dynamo project's local-dev Docker targets, USER_UID and USER_GID build args are intentionally left without default values to force explicit UID/GID mapping during build time, preventing file permission issues in local development environments where container users need to match host user permissions for mounted volumes.

Applied to files:

• container/xpu/Dockerfile.xpu.vllm
• container/xpu/Dockerfile.xpu

📚 Learning: 2025-12-03T01:04:32.053Z

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 4657
File: container/Dockerfile.sglang:216-223
Timestamp: 2025-12-03T01:04:32.053Z
Learning: In container/Dockerfile.sglang, the recursive chown -R and chmod -R operations during early user setup (when creating the dynamo user and initializing /sgl-workspace, /workspace, /home/dynamo, /opt/dynamo) are intentional exceptions to the pattern of avoiding recursive operations, as they handle pre-existing paths and dotfiles created by useradd -m.

Applied to files:

• container/xpu/Dockerfile.xpu.vllm
• container/xpu/Dockerfile.xpu

📚 Learning: 2025-12-02T18:13:40.065Z

Learnt from: PeaBrane
Repo: ai-dynamo/dynamo PR: 4698
File: .github/workflows/container-validation-dynamo.yml:68-68
Timestamp: 2025-12-02T18:13:40.065Z
Learning: In the ai-dynamo/dynamo repository, backend-specific tests (vllm, sglang, trtllm) are intentionally excluded from the container-validation-dynamo.yml workflow using "not (vllm or sglang or trtllm)" because they run in a separate container-validation-backends.yml workflow that has dedicated jobs for each backend. This separation keeps framework-agnostic tests separate from backend-specific tests.

Applied to files:

• container/xpu/Dockerfile.xpu.vllm
• container/xpu/launch_message/runtime.xpu.txt

📚 Learning: 2025-08-18T16:52:15.659Z

Learnt from: nnshah1
Repo: ai-dynamo/dynamo PR: 2489
File: container/deps/vllm/install_vllm.sh:151-152
Timestamp: 2025-08-18T16:52:15.659Z
Learning: The VLLM_PRECOMPILED_WHEEL_LOCATION environment variable, when exported, automatically triggers vLLM's build system to use the precompiled wheel instead of building from source, even when using standard `uv pip install .` commands in container/deps/vllm/install_vllm.sh.

Applied to files:

• container/xpu/deps/vllm/install_vllm.xpu.sh
• container/build.sh

📚 Learning: 2025-08-18T16:52:15.659Z

Learnt from: nnshah1
Repo: ai-dynamo/dynamo PR: 2489
File: container/deps/vllm/install_vllm.sh:151-152
Timestamp: 2025-08-18T16:52:15.659Z
Learning: The VLLM_PRECOMPILED_WHEEL_LOCATION environment variable is an official vLLM environment variable that, when exported, automatically triggers vLLM's build system to use the specified precompiled wheel instead of building from source. This works even with standard `uv pip install .` commands without requiring explicit reference to the variable in the install command. The vLLM build system internally detects and uses this environment variable.

Applied to files:

• container/xpu/deps/vllm/install_vllm.xpu.sh

📚 Learning: 2025-07-22T10:22:28.972Z

Learnt from: ptarasiewiczNV
Repo: ai-dynamo/dynamo PR: 2027
File: container/deps/vllm/install_vllm.sh:0-0
Timestamp: 2025-07-22T10:22:28.972Z
Learning: The `--torch-backend=auto` flag works with vLLM installations via uv pip install, even though it's not a standard pip option. This flag is processed by vLLM's build system during installation to automatically match PyTorch distribution with container CUDA versions.

Applied to files:

• container/xpu/deps/vllm/install_vllm.xpu.sh

📚 Learning: 2025-07-21T00:10:56.947Z

Learnt from: zaristei
Repo: ai-dynamo/dynamo PR: 2020
File: container/deps/vllm/install_vllm.sh:115-118
Timestamp: 2025-07-21T00:10:56.947Z
Learning: Graceful fallback for PyTorch wheel installation is broken on ARM architecture, so immediate exit on pinned version failure is preferred over fallback mechanisms in container/deps/vllm/install_vllm.sh for ARM64.

Applied to files:

• container/xpu/deps/vllm/install_vllm.xpu.sh

📚 Learning: 2025-05-28T22:54:46.875Z

Learnt from: grahamking
Repo: ai-dynamo/dynamo PR: 1177
File: container/Dockerfile.vllm:102-105
Timestamp: 2025-05-28T22:54:46.875Z
Learning: In Dockerfiles, when appending to environment variables that may not exist in the base image, Docker validation will fail if you reference undefined variables with ${VARIABLE} syntax. In such cases, setting the environment variable directly (e.g., ENV CPATH=/usr/include) rather than appending is the appropriate approach.

Applied to files:

• container/build.sh

📚 Learning: 2025-08-02T06:09:41.078Z

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 2255
File: .devcontainer/build-dev-image.sh:173-177
Timestamp: 2025-08-02T06:09:41.078Z
Learning: In bash scripts, SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")" preserves the relative/absolute nature of how the script was invoked. When a script is run with a relative path like .devcontainer/build-dev-image.sh from the repo root, SCRIPT_DIR becomes .devcontainer (relative), making it valid for Docker COPY commands within the build context.

Applied to files:

• container/build.sh

📚 Learning: 2025-08-02T06:09:41.078Z

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 2255
File: .devcontainer/build-dev-image.sh:173-177
Timestamp: 2025-08-02T06:09:41.078Z
Learning: In bash scripts, SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")" preserves the relative/absolute nature of how the script was invoked. When a script is run with a relative path like ./build-dev-image.sh or .devcontainer/build-dev-image.sh, SCRIPT_DIR becomes a relative path (.devcontainer), making it valid for Docker COPY commands within the build context.

Applied to files:

• container/build.sh

📚 Learning: 2025-09-16T17:16:07.820Z

Learnt from: keivenchang
Repo: ai-dynamo/dynamo PR: 3051
File: container/templates/Dockerfile.vllm.j2:221-233
Timestamp: 2025-09-16T17:16:07.820Z
Learning: In the dynamo project, when converting Dockerfiles to Jinja2 templates, the primary goal is backward compatibility - generated Dockerfiles must be identical to the originals. Security improvements or other enhancements that would change the generated output are out of scope for templating PRs and should be addressed separately.

Applied to files:

• container/xpu/Dockerfile.xpu

🧬 Code graph analysis (1)

container/xpu/deps/vllm/install_vllm.xpu.sh (1)

lib/runtime/src/compute/pool.rs (1)

• install (271-284)

🪛 Checkov (3.2.334)

container/xpu/Dockerfile.xpu

[high] 302-314: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🪛 GitHub Actions: Copyright Checks

container/xpu/deps/vllm/install_vllm.xpu.sh

[error] 1-1: Invalid/Missing Header: copyright header not found or invalid in this file per policy.

container/xpu/launch_message/runtime.xpu.txt

[error] 1-1: Invalid/Missing Header: copyright header not found or invalid in this file per policy.

🪛 GitHub Actions: Pre Merge Validation of (ai-dynamo/dynamo/refs/pull/4816/merge) by zxue2.

container/xpu/Dockerfile.xpu.vllm

[error] 1-1: pre-commit trailing-whitespace: Trailing whitespace detected and removed by the hook. Fix required (hook: trailing-whitespace).

---

[error] 1-1: pre-commit trailing-whitespace: Trailing whitespace detected and removed by the hook. Fix required (hook: trailing-whitespace).

container/xpu/Dockerfile.xpu

[error] 1-1: pre-commit trailing-whitespace: Trailing whitespace detected and removed by the hook. Fix required (hook: trailing-whitespace).

---

[error] 1-1: pre-commit trailing-whitespace: Trailing whitespace detected and removed by the hook. Fix required (hook: trailing-whitespace).

container/xpu/launch_message/runtime.xpu.txt

[error] 1-1: pre-commit trailing-whitespace: Trailing whitespace detected and removed by the hook. Fix required (hook: trailing-whitespace).

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build and Test - dynamo

🔇 Additional comments (9)

container/build.sh (1)

308-310: XPU flag integration looks good.

The --enable-xpu flag is properly integrated into the argument parsing and help text, and the conditional Dockerfile selection for VLLM+XPU is correct. The refactoring of DOCKERFILE_BASE cleanly separates base image selection from framework-specific Dockerfiles.

Also applies to: 484-484

container/xpu/deps/vllm/install_vllm.xpu.sh (2)

77-81: Architecture handling and conditional LMCache installation are well-designed.

The script properly normalizes architecture strings (x86_64→amd64, aarch64→arm64) for consistency with Docker ARGs, and intelligently installs LMCache only for amd64 architecture with appropriate comments explaining the license origin.

Also applies to: 114-121

---

1-12: Fix copyright header format per repository policy.

The pipeline reports a copyright header validation failure. Verify the header format matches the repository's copyright requirements, similar to any validation applied to runtime.xpu.txt.

container/xpu/Dockerfile.xpu.vllm (2)

57-130: Framework stage properly integrates vLLM installation with XPU support.

The framework stage correctly:

• Sets vLLM-specific environment variables (VLLM_TARGET_DEVICE=xpu, VLLM_WORKER_MULTIPROC_METHOD=spawn)
• Mounts and executes the new install_vllm.xpu.sh script with appropriate arguments
• Integrates sccache for build optimization
• Maintains consistency with the learnings about VLLM installation practices

---

270-273: Launch banner integration is well-structured.

The runtime stage properly integrates the launch message file, strips comments, and appends to bashrc for display on container startup. This aligns with the documented runtime behavior.

container/xpu/Dockerfile.xpu (3)

47-242: Base stage properly integrates Intel GPU support, UCX, and NIXL.

The base stage correctly:

• Configures Intel GPU repositories and installs GPU runtime packages
• Installs comprehensive build dependencies for UCX and NIXL
• Builds UCX with XPU-specific patches and RDMA support
• Builds NIXL with proper library path configuration
• Sets up sccache integration for build optimization
• Uses proper manylinux environment

Based on learnings, the recursive library path operations and sccache configuration align with project practices.

---

257-374: Wheel builder stage correctly prepares manylinux environment for architecture-specific builds.

The wheel_builder stage:

• Uses appropriate manylinux base image with ARCH_ALT variable substitution
• Installs all necessary build dependencies from base stage
• Properly handles KVBM conditional compilation
• Uses auditwheel for wheel repair with NIXL library exclusions
• Integrates sccache for Rust/C/C++ compilation caching

---

380-468: Runtime and dev stages properly assemble and configure the final image.

Both stages correctly:

• Copy artifacts (wheels, libraries) from base and builder stages
• Set up virtual environment with proper Python version
• Install dependencies and launch banner
• Configure shell entrypoint for development workflow
• Handle ENABLE_KVBM conditional installation with error checking (lines 449-455)

container/xpu/launch_message/runtime.xpu.txt (1)

1-12: Fix copyright header format and trailing whitespace.

The pipeline is reporting a copyright header validation failure and trailing whitespace. These must be resolved before merge. Verify the copyright header format matches the repository's policy (likely requires specific SPDX header placement or format) and remove all trailing whitespace from the file.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix echo statement syntax issues.

Lines 87 and 102 have echo statement issues:

• Line 87: Uses literal \n which won't expand in standard echo
• Line 102: Missing closing quote

-echo "\n=== Configuration Summary ==="
+echo ""
+echo "=== Configuration Summary ==="

-echo "\n=== Installing vLLM"
+echo ""
+echo "=== Installing vLLM"

Also applies to: 102-102

🤖 Prompt for AI Agents

In container/xpu/deps/vllm/install_vllm.xpu.sh around lines 87 and 102, fix the
echo syntax: replace the literal "\n" echo with an expandable newline (use echo
-e "...\n" or better, use printf "...\n") on line 87 so the newline is
interpreted, and on line 102 close the missing quote and ensure the echo/printf
call is syntactically correct (or use printf for consistency across shells).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Address security concern: wget certificate validation disabled.

Line 309 disables SSL certificate validation with --no-check-certificate, which creates a security vulnerability by allowing MITM attacks during protoc download. This should be removed to enable proper certificate validation.

-    wget --no-check-certificate --tries=3 --waitretry=5 -O /tmp/protoc.zip "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/${PROTOC_ZIP}"; \
+    wget --tries=3 --waitretry=5 -O /tmp/protoc.zip "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/${PROTOC_ZIP}"; \

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUN set -eux; \
	PROTOC_VERSION=25.3; \
	case "${ARCH_ALT}" in \
	x86_64) PROTOC_ZIP="protoc-${PROTOC_VERSION}-linux-x86_64.zip" ;; \
	aarch64) PROTOC_ZIP="protoc-${PROTOC_VERSION}-linux-aarch_64.zip" ;; \
	*) echo "Unsupported architecture: ${ARCH_ALT}" >&2; exit 1 ;; \
	esac; \
	wget --no-check-certificate --tries=3 --waitretry=5 -O /tmp/protoc.zip "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/${PROTOC_ZIP}"; \
	rm -f /usr/local/bin/protoc /usr/bin/protoc; \
	unzip -o /tmp/protoc.zip -d /usr/local bin/protoc include/*; \
	chmod +x /usr/local/bin/protoc; \
	ln -s /usr/local/bin/protoc /usr/bin/protoc; \
	protoc --version
	RUN set -eux; \
	PROTOC_VERSION=25.3; \
	case "${ARCH_ALT}" in \
	x86_64) PROTOC_ZIP="protoc-${PROTOC_VERSION}-linux-x86_64.zip" ;; \
	aarch64) PROTOC_ZIP="protoc-${PROTOC_VERSION}-linux-aarch_64.zip" ;; \
	*) echo "Unsupported architecture: ${ARCH_ALT}" >&2; exit 1 ;; \
	esac; \
	wget --tries=3 --waitretry=5 -O /tmp/protoc.zip "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/${PROTOC_ZIP}"; \
	rm -f /usr/local/bin/protoc /usr/bin/protoc; \
	unzip -o /tmp/protoc.zip -d /usr/local bin/protoc include/*; \
	chmod +x /usr/local/bin/protoc; \
	ln -s /usr/local/bin/protoc /usr/bin/protoc; \
	protoc --version

🧰 Tools

🪛 Checkov (3.2.334)

[high] 302-314: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents

In container/xpu/Dockerfile.xpu around lines 302 to 314, remove the insecure
wget flag `--no-check-certificate` and ensure TLS verification is enabled when
downloading protoc; install/ensure CA certificates are present in the image
(e.g., apk/apt install ca-certificates or update-ca-certificates) before the
wget step, use wget (or curl) without disabling cert checks and keep existing
retry options, and optionally add a checksum or signature verification step
after download to validate the archive before unzipping.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix typo in protoc architecture name.

Line 306 has a typo: aarch_64 should be aarch64. The architecture name uses underscores for x86_64 but not for aarch64 in protobuf releases.

       x86_64) PROTOC_ZIP="protoc-${PROTOC_VERSION}-linux-x86_64.zip" ;; \
-      aarch64) PROTOC_ZIP="protoc-${PROTOC_VERSION}-linux-aarch_64.zip" ;; \
+      aarch64) PROTOC_ZIP="protoc-${PROTOC_VERSION}-linux-aarch64.zip" ;; \

🤖 Prompt for AI Agents

In container/xpu/Dockerfile.xpu around lines 304 to 308, the PROTOC_ZIP name for
aarch64 is incorrect ("aarch_64"); change the string to use "aarch64" so it
reads protoc-${PROTOC_VERSION}-linux-aarch64.zip, and ensure the case branch
uses the corrected filename (verify other architecture labels remain unchanged).