VSS Deploy
Purpose
Deploy any VSS profile (
,
,
,
,
,
) using a compose-centric workflow: build env overrides, generate resolved compose (dry-run), review, then deploy. This SKILL.md covers the cross-profile concerns (
profile routing,
prerequisites,
NGC,
GPU setup, and the deploy/teardown flow). Profile-specific service lists, sizing, env recipes, endpoints, and debugging live in per-profile reference docs — load the one that matches the user's intent.
Helper script:
run_script("scripts/normalize_resolved_yml.py", "<resolved.yml>")
normalizes a
dry-run dump for diff-friendly review during Step 3c. All other deployment work goes through
/
.
Available Scripts
| Script | Purpose | Arguments |
|---|
scripts/normalize_resolved_yml.py
| Strip optional entries for services filtered out of before deploy. | Path to |
Profile Routing
Match the user's request to a profile, then load that profile's reference for sizing, services, env recipes, and debugging.
| User says | Profile | Reference |
|---|
| "deploy vss" / "deploy base" | | |
| "deploy alerts" / "alert verification" / "real-time alerts" / "deploy for incident report" | | |
| "deploy lvs" / "video summarization" | | references/lvs-profile.md
|
| "deploy search" / "video search" | | |
| "deploy warehouse" / "warehouse blueprint" / "vss warehouse" | | |
| "debug warehouse" / "warehouse not working" / "warehouse FPS low" / "warehouse BEV out of sync" | (debug) | references/warehouse-debug.md
|
Edge hardware routing (DGX Spark, AGX/IGX Thor): see
. DGX Spark uses the Spark Nano 9B standalone local LLM on port
; AGX/IGX Thor uses the Edge 4B standalone vLLM fallback.
Each profile's reference owns its sizing table. Don't pick a deployment shape from this file — open the profile reference and check minimum GPU count for the host's hardware against the (mode × platform) matrix there.
Instructions
The deployment flow is always: copy
to
, apply overrides, dry-run compose into
, review, normalize, deploy, then wait for readiness.
bash
# 1. cp dev-profile-<profile>/.env dev-profile-<profile>/generated.env (clean copy)
# 2. Apply env overrides to generated.env (source .env stays untouched)
# 3. docker compose --env-file generated.env config > resolved.yml (dry-run)
# 4. Review resolved.yml
# 5. docker compose --env-file generated.env -f resolved.yml up -d
The source
is treated as
read-only defaults committed to the repo. The skill's per-deploy working copy is
— same pattern
uses internally. This keeps the checked-in
clean across iterations.
Prerequisites
- Repo path — find
video-search-and-summarization/
- NGC CLI & API key — see . Confirm is set.
- System prerequisites (GPU driver, Docker, NVIDIA Container Toolkit, kernel sysctls) — full checks in
references/prerequisites.md
Pre-flight check
Run before every deploy. The full system checklist and remediation steps live
in
references/prerequisites.md
.
For DGX Spark / IGX Thor / AGX Thor, also run the cache-cleaner check in
.
Detect sudo mode first. Several pre-flight remediations and the
edge cache-cleaner installer call
. If the host requires a
sudo password, those steps will silently no-op under
and
leave the deploy in a half-prepared state.
bash
if sudo -n true 2>/dev/null; then
echo "passwordless sudo — pre-flight will auto-install missing pieces"
else
echo "sudo requires password — pre-flight will NOT auto-install; hand commands to the user"
fi
When sudo needs a password, the skill
must not run privileged
installers itself. Surface the copy-pasteable command block from
references/prerequisites.md
to the user with a
"run this once and
confirm" handoff, then resume after the user replies.
Minimum smoke test (must succeed):
bash
nvidia-smi --query-gpu=index,name --format=csv,noheader
docker info 2>/dev/null | grep -qi runtimes \
&& docker run --rm --gpus all ubuntu:22.04 nvidia-smi >/dev/null 2>&1 \
&& echo "nvidia runtime OK"
If the smoke test fails, do not proceed; open
references/prerequisites.md
for the remediation tree.
Model Selection
- / if the user asks for remote
- (local NIMs) or (remote)
If no combination on this host satisfies the profile's sizing requirements, stop and report the blocker — don't silently pick another shape.
Edge shared mode is platform-specific. On DGX Spark, run
nvcr.io/nim/nvidia/nvidia-nemotron-nano-9b-v2-dgx-spark:1.0.0-variant
as a standalone local NIM on port
and point the agent at it with
. On AGX/IGX Thor, keep using the Edge 4B standalone vLLM fallback with
. Full recipes are in
.
Deployment Flow
Always follow this sequence. Never skip the dry-run.
Step 0 — Tear down any existing deployment + clear data volumes
If a deployment already exists, tear it down AND clear stale data volumes before redeploying.
Full procedure lives in
.
Step 0a — Credentials gate (run before any env mutation)
Validate every credential the chosen profile needs
before Step 1c copies
to
. A 401 here is a 30-second failure; the same 401 inside a NIM cold-start is a 10–20 min failure. Run the discovery and probe flow in
references/credentials.md
, then map the result against the chosen mode: missing or invalid required credentials are blockers, optional credentials are not.
Step 1 — Gather context
Before building env overrides, confirm:
| Value | How to determine |
|---|
| Profile | Match user intent to the routing table above. Default: |
| Repo path | Find video-search-and-summarization/
|
| Hardware | nvidia-smi --query-gpu=name,memory.total --format=csv,noheader
|
| LLM/VLM placement | Cross-reference available GPUs against the chosen profile's Minimum GPU count table |
| API keys | for local NIMs, for remote |
| hostname -I | awk '{print $1}'
|
| Browser-reachable host/IP. On Brev, use the secure-link domain (see ). |
| Browser-facing ingress port. Default ; ensure it is free. |
Before
, verify
,
,
, and
are populated with browser-reachable values. Otherwise the stack may appear healthy while UI/API/VST links 404 or loop through Cloudflare Access.
Step 1b — Prepare the data directory
Layout (asset paths, ownership, mount points, profile-specific subdirs) is documented in
references/data-directory.md
. Read that file before deploying for the first time on a host or when changing profiles.
FORBIDDEN: chown -R ubuntu:ubuntu $VSS_DATA_DIR
This is "good housekeeping" to a shell-admin instinct but is
the deploy-breaking command in this stack. You will observe a "healthy" deploy (containers Up, endpoints 200) while the video pipeline is silently broken. Use
on the specific subdirs documented in
— nothing else.
Step 1c — Initialize
The skill's per-deploy working copy. Always start from a fresh copy of the source
— never mutate the source.
bash
PROFILE=base
ENV_SRC=$REPO/deploy/docker/developer-profiles/dev-profile-$PROFILE/.env
ENV_GEN=$REPO/deploy/docker/developer-profiles/dev-profile-$PROFILE/generated.env
cp "$ENV_SRC" "$ENV_GEN"
All subsequent writes (Brev
, the env_overrides dict from Step 2) go to
.
is read-only from here on.
Step 1d — If deploying on Brev, set to the secure-link domain
Read
from
and write
into
(NOT
). Full secure-link behavior and troubleshooting are in
.
bash
brev_env_id=$(awk -F= '/^BREV_ENV_ID=/ {gsub(/"/, "", $2); print $2; exit}' /etc/environment)
sed -i "s|^EXTERNAL_IP=.*|EXTERNAL_IP=7777-${brev_env_id}.brevlab.com|" "$ENV_GEN"
Step 2 — Build env_overrides
Produce an
dict from the user request and the gathered context: choose remote/local LLM/VLM, set credentials, point at endpoints, set platform-specific flags. The full mapping (every override key, when it applies, defaults, profile-specific differences) lives in
references/env-overrides.md
. Each profile reference has worked examples for that profile's common scenarios.
Step 3 — Apply overrides + dry-run
Working env file: <repo>/deploy/docker/developer-profiles/dev-profile-<profile>/generated.env
(created in Step 1c).
Two env files, distinct roles.
- — read-only defaults, checked in. Don't mutate it from the skill.
- — the skill's per-deploy working copy. All overrides (the dict from Step 2, plus the Brev from Step 1d) land here. always points at this file. Post-deploy verifiers should also read from for the actually-deployed values — see Debugging a Deployment.
matches the convention
uses internally — it's a per-invocation scratchpad regenerated by
each run.
bash
# (Step 1c already ran: cp $ENV_SRC $ENV_GEN)
# Apply the env_overrides dict from Step 2 to generated.env
# (read lines, update matching keys, append new keys, write)
# Example:
# sed -i "s|^LLM_MODE=.*|LLM_MODE=remote|" "$ENV_GEN"
# sed -i "s|^LLM_BASE_URL=.*|LLM_BASE_URL=http://localhost:30081|" "$ENV_GEN"
# Resolve compose
cd $REPO/deploy/docker
docker compose --env-file $ENV_GEN config > resolved.yml
The resolved YAML is saved to
<repo>/deploy/docker/resolved.yml
.
Step 3b — Verify resolved.yml has no unexpanded ${...} tokens
Unexpanded
tokens in
mean compose did not see those env values. Diagnostic procedure and common culprits live in
references/troubleshooting.md
.
Step 3c — Strip dangling optional from resolved.yml
MUST run after Step 3, before Step 5. Skipping this aborts the deploy:
Normalize - drop optional dependencies for services filtered out from resolved.yml
bash
# From the repo root
uv run skills/vss-deploy-profile/scripts/normalize_resolved_yml.py "$REPO/deploy/docker/resolved.yml"
If
isn't on the host, install it once with
curl -LsSf https://astral.sh/uv/install.sh | sh
(no root needed).
Re-validate before
:
bash
docker compose -f "$REPO/deploy/docker/resolved.yml" config --quiet && echo "resolved.yml OK"
If validation still fails after the normalizer runs, capture the error and inspect — that's a different bug (a dependency that's not optional, or another schema violation), not the dangling-depends_on case.
Step 4 — Review
Show the user a summary of what will be deployed:
- Profile name and hardware
- LLM/VLM models and mode (local/remote/local_shared)
- Services that will start
- GPU device assignment
- Key endpoints (UI port, agent port)
Ask: "Looks good — deploy now?" and wait for confirmation before Step 5.
Exception — autonomous mode. If the user's request already asks you to run autonomously (e.g. "deploy X autonomously", "run without confirmation", "non-interactive"), skip the confirmation prompt and proceed straight to Step 5. This path exists so automated eval / CI invocations don't hang waiting for a human reply they'll never get. In all other cases, a human must approve.
Step 5 — Deploy
bash
cd $REPO/deploy/docker
docker compose --env-file $ENV_GEN -f resolved.yml up -d
is mandatory. Without the same
used in Step 3,
may be unset and
can exit 0 with zero selected services.
Do NOT use on retries. It destroys already-warm NIM containers, forcing another 3–5 min torch.compile + CUDA-graph capture per NIM. If the previous
partially failed, fix the root cause (usually perms or an env typo) and just re-run
— Docker will re-create only the containers whose config changed or that are down.
only creates containers; it does not wait for internal services to finish warming. Never declare deploy success until the readiness gates pass.
Step 5b — Wait until the stack is actually healthy
Gate 0 — container count must be > 0. Refuse to proceed past
until compose started the expected services:
bash
expected=$(docker compose --env-file $ENV_GEN -f resolved.yml config --services | wc -l)
actual=$(docker compose -f resolved.yml ps -q | wc -l)
[ "$actual" -gt 0 ] && [ "$actual" -ge "$expected" ] \
|| { echo "FAIL: expected $expected services, got $actual — re-check Step 5 --env-file"; exit 1; }
Cold deploys can take 10–20 min. The full readiness procedure lives in
, and each profile reference lists the required endpoints.
Never declare deploy done after ; only after every documented endpoint succeeds.Tear Down
bash
cd $REPO/deploy/docker
docker compose -f resolved.yml down
For switching profiles or recovering from a partial deploy, follow the full procedure in
.
Debugging a Deployment
Use this workflow when the user asks to "debug the deploy", "verify it's working", "why is the agent not responding", or similar. The goal is to confirm the full video-ingestion-to-agent-answer path, not just that containers are "Up".
Each profile reference has a Debugging section listing the exact commands and failure-mode table for that profile.
Quick checks (all profiles)
bash
# 1. All expected containers Up
docker ps --format 'table {{.Names}}\t{{.Status}}'
# 2. Agent API + UI responding
curl -sf http://localhost:8000/docs >/dev/null && echo "agent OK"
curl -sf http://localhost:3000/ >/dev/null && echo "ui OK"
# 3. VLM NIM responding (base/lvs profiles)
curl -sf http://localhost:30082/v1/models | python3 -m json.tool
# 4. LLM NIM responding
curl -sf http://localhost:30081/v1/models | python3 -m json.tool
End-to-end video sanity check
After the quick checks above pass, drive a real query through the agent — e.g. ask it over the REST API or UI to describe a video you've uploaded to VST. If the agent returns a non-empty answer, the upload → ingest → inference → reply path is healthy. If it fails,
shows which stage tripped.
Examples
- Base profile, remote models: route to , copy to , set / , dry-run, normalize, deploy, then verify and UI.
- Search profile on RTX: route to , follow for sizing and endpoints, seed videos, then run the search-profile readiness checks.
- Edge target: route through , then use the same → dry-run → normalize → deploy flow.
Limitations
- This skill deploys compose-based VSS profiles only; standalone microservice deployment belongs to the matching skill.
- Hardware sizing, model placement, and profile-specific readiness are owned by profile references; do not infer them from memory.
- Privileged host remediation requires user approval when passwordless sudo is unavailable.
Troubleshooting
Start with
references/agent-failure-modes.md
for cross-profile failures such as NIM cold-start timeouts, OOM, remote endpoint 5xx responses, missing
/
, unexpanded values in
etc.