nvidia-container-toolkit/pkg/nvcdi/workarounds-device-folder-permissions.go

/**
# Copyright (c) NVIDIA CORPORATION.  All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
**/

package nvcdi

import (
	"fmt"
	"path/filepath"

	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
)

type deviceFolderPermissions struct {
	logger            logger.Interface
	devRoot           string
	nvidiaCDIHookPath string
	devices           discover.Discover
}

var _ discover.Discover = (*deviceFolderPermissions)(nil)

// newDeviceFolderPermissionHookDiscoverer creates a discoverer that can be used to update the permissions for the parent folders of nested device nodes from the specified set of device specs.
// This works around an issue with rootless podman when using crun as a low-level runtime.
// See https://github.com/containers/crun/issues/1047
// The nested devices that are applicable to the NVIDIA GPU devices are:
//   - DRM devices at /dev/dri/*
//   - NVIDIA Caps devices at /dev/nvidia-caps/*
func newDeviceFolderPermissionHookDiscoverer(logger logger.Interface, devRoot string, nvidiaCDIHookPath string, devices discover.Discover) discover.Discover {
	d := &deviceFolderPermissions{
		logger:            logger,
		devRoot:           devRoot,
		nvidiaCDIHookPath: nvidiaCDIHookPath,
		devices:           devices,
	}

	return d
}

// Devices are empty for this discoverer
func (d *deviceFolderPermissions) Devices() ([]discover.Device, error) {
	return nil, nil
}

// Hooks returns a set of hooks that sets the file mode to 755 of parent folders for nested device nodes.
func (d *deviceFolderPermissions) Hooks() ([]discover.Hook, error) {
	folders, err := d.getDeviceSubfolders()
	if err != nil {
		return nil, fmt.Errorf("failed to get device subfolders: %v", err)
	}
	if len(folders) == 0 {
		return nil, nil
	}

	args := []string{"--mode", "755"}
	for _, folder := range folders {
		args = append(args, "--path", folder)
	}

	hook := discover.CreateNvidiaCDIHook(
		d.nvidiaCDIHookPath,
		"chmod",
		args...,
	)

	return []discover.Hook{hook}, nil
}

func (d *deviceFolderPermissions) getDeviceSubfolders() ([]string, error) {
	// For now we only consider the following special case paths
	allowedPaths := map[string]bool{
		"/dev/dri":         true,
		"/dev/nvidia-caps": true,
	}

	devices, err := d.devices.Devices()
	if err != nil {
		return nil, fmt.Errorf("failed to get devices: %v", err)
	}

	var folders []string
	seen := make(map[string]bool)
	for _, device := range devices {
		df := filepath.Dir(device.Path)
		if seen[df] {
			continue
		}
		// We only consider the special case paths
		if !allowedPaths[df] {
			continue
		}
		folders = append(folders, df)
		seen[df] = true
		if len(folders) == len(allowedPaths) {
			break
		}
	}

	return folders, nil
}

// Mounts are empty for this discoverer
func (d *deviceFolderPermissions) Mounts() ([]discover.Mount, error) {
	return nil, nil
}
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`/**`
			`# Copyright (c) NVIDIA CORPORATION. All rights reserved.`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`**/`

Generate nested device folder permission hooks per device This change generates device folder permission hooks per device instead of at a spec level. This ensures that the hook is not injected for a device that does not have any nested device nodes. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2023-02-22 15:10:28 +00:00			`package nvcdi`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00
			`import (`
Add nvcdi package with basic CDI generation API This change adds an nvcdi package that exposes a basic API for CDI spec generation. This is used from the nvidia-ctk cdi generate command and can be consumed by DRA implementations and the device plugin. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-12-02 13:17:52 +00:00			`"fmt"`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`"path/filepath"`

			`"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"`
Define a basic logger interface Signed-off-by: Evan Lezar <elezar@nvidia.com> 2023-03-22 12:27:43 +00:00			`"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`)`

			`type deviceFolderPermissions struct {`
Move nvidia-ctk hook command into own binary This change creates an nvidia-cdi-hook binary for implementing CDI hooks. This allows for these hooks to be separated from the nvidia-ctk command which may, for example, require libnvidia-ml to support other functionality. The nvidia-ctk hook subcommand is maintained as an alias for the time being to allow for existing CDI specifications referring to this path to work as expected. Signed-off-by: Avi Deitcher <avi@deitcher.net> 2024-04-24 08:47:45 +00:00			`logger logger.Interface`
			`devRoot string`
			`nvidiaCDIHookPath string`
			`devices discover.Discover`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`}`

			`var _ discover.Discover = (*deviceFolderPermissions)(nil)`

Generate nested device folder permission hooks per device This change generates device folder permission hooks per device instead of at a spec level. This ensures that the hook is not injected for a device that does not have any nested device nodes. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2023-02-22 15:10:28 +00:00			`// newDeviceFolderPermissionHookDiscoverer creates a discoverer that can be used to update the permissions for the parent folders of nested device nodes from the specified set of device specs.`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`// This works around an issue with rootless podman when using crun as a low-level runtime.`
			`// See https://github.com/containers/crun/issues/1047`
Simplify device folder permission hook This simplifies the device folder permission hook to only handle /dev/dri and /dev/nvidia-caps folders. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-12-01 16:21:14 +00:00			`// The nested devices that are applicable to the NVIDIA GPU devices are:`
			`// - DRM devices at /dev/dri/*`
			`// - NVIDIA Caps devices at /dev/nvidia-caps/*`
Move nvidia-ctk hook command into own binary This change creates an nvidia-cdi-hook binary for implementing CDI hooks. This allows for these hooks to be separated from the nvidia-ctk command which may, for example, require libnvidia-ml to support other functionality. The nvidia-ctk hook subcommand is maintained as an alias for the time being to allow for existing CDI specifications referring to this path to work as expected. Signed-off-by: Avi Deitcher <avi@deitcher.net> 2024-04-24 08:47:45 +00:00			`func newDeviceFolderPermissionHookDiscoverer(logger logger.Interface, devRoot string, nvidiaCDIHookPath string, devices discover.Discover) discover.Discover {`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`d := &deviceFolderPermissions{`
Move nvidia-ctk hook command into own binary This change creates an nvidia-cdi-hook binary for implementing CDI hooks. This allows for these hooks to be separated from the nvidia-ctk command which may, for example, require libnvidia-ml to support other functionality. The nvidia-ctk hook subcommand is maintained as an alias for the time being to allow for existing CDI specifications referring to this path to work as expected. Signed-off-by: Avi Deitcher <avi@deitcher.net> 2024-04-24 08:47:45 +00:00			`logger: logger,`
			`devRoot: devRoot,`
			`nvidiaCDIHookPath: nvidiaCDIHookPath,`
			`devices: devices,`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`}`

Generate nested device folder permission hooks per device This change generates device folder permission hooks per device instead of at a spec level. This ensures that the hook is not injected for a device that does not have any nested device nodes. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2023-02-22 15:10:28 +00:00			`return d`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`}`

			`// Devices are empty for this discoverer`
			`func (d *deviceFolderPermissions) Devices() ([]discover.Device, error) {`
			`return nil, nil`
			`}`

Simplify device folder permission hook This simplifies the device folder permission hook to only handle /dev/dri and /dev/nvidia-caps folders. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-12-01 16:21:14 +00:00			`// Hooks returns a set of hooks that sets the file mode to 755 of parent folders for nested device nodes.`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`func (d *deviceFolderPermissions) Hooks() ([]discover.Hook, error) {`
Generate nested device folder permission hooks per device This change generates device folder permission hooks per device instead of at a spec level. This ensures that the hook is not injected for a device that does not have any nested device nodes. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2023-02-22 15:10:28 +00:00			`folders, err := d.getDeviceSubfolders()`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to get device subfolders: %v", err)`
			`}`
			`if len(folders) == 0 {`
Simplify device folder permission hook This simplifies the device folder permission hook to only handle /dev/dri and /dev/nvidia-caps folders. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-12-01 16:21:14 +00:00			`return nil, nil`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`}`

Simplify device folder permission hook This simplifies the device folder permission hook to only handle /dev/dri and /dev/nvidia-caps folders. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-12-01 16:21:14 +00:00			`args := []string{"--mode", "755"}`
Generate nested device folder permission hooks per device This change generates device folder permission hooks per device instead of at a spec level. This ensures that the hook is not injected for a device that does not have any nested device nodes. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2023-02-22 15:10:28 +00:00			`for _, folder := range folders {`
Simplify device folder permission hook This simplifies the device folder permission hook to only handle /dev/dri and /dev/nvidia-caps folders. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-12-01 16:21:14 +00:00			`args = append(args, "--path", folder)`
			`}`
Make handling of nvidia-ctk path consistent This change adds an --nvidia-ctk-path to the nvidia-ctk cdi generate command. This ensures that the executable path for the generated hooks can be specified consistently. Since the NVIDIA Container Runtime already allows for the executable path to be specified in the config the utility code to update the LDCache and create other nvidia-ctk hooks are also updated. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-12-12 14:26:21 +00:00
Move nvidia-ctk hook command into own binary This change creates an nvidia-cdi-hook binary for implementing CDI hooks. This allows for these hooks to be separated from the nvidia-ctk command which may, for example, require libnvidia-ml to support other functionality. The nvidia-ctk hook subcommand is maintained as an alias for the time being to allow for existing CDI specifications referring to this path to work as expected. Signed-off-by: Avi Deitcher <avi@deitcher.net> 2024-04-24 08:47:45 +00:00			`hook := discover.CreateNvidiaCDIHook(`
			`d.nvidiaCDIHookPath,`
Simplify device folder permission hook This simplifies the device folder permission hook to only handle /dev/dri and /dev/nvidia-caps folders. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-12-01 16:21:14 +00:00			`"chmod",`
			`args...,`
			`)`

			`return []discover.Hook{hook}, nil`
Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`}`

Generate nested device folder permission hooks per device This change generates device folder permission hooks per device instead of at a spec level. This ensures that the hook is not injected for a device that does not have any nested device nodes. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2023-02-22 15:10:28 +00:00			`func (d *deviceFolderPermissions) getDeviceSubfolders() ([]string, error) {`
			`// For now we only consider the following special case paths`
			`allowedPaths := map[string]bool{`
			`"/dev/dri": true,`
			`"/dev/nvidia-caps": true,`
			`}`

			`devices, err := d.devices.Devices()`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to get devices: %v", err)`
			`}`

			`var folders []string`
			`seen := make(map[string]bool)`
			`for _, device := range devices {`
			`df := filepath.Dir(device.Path)`
			`if seen[df] {`
			`continue`
			`}`
			`// We only consider the special case paths`
			`if !allowedPaths[df] {`
			`continue`
			`}`
			`folders = append(folders, df)`
			`seen[df] = true`
			`if len(folders) == len(allowedPaths) {`
			`break`
			`}`
			`}`

			`return folders, nil`
			`}`

Refactor nvidia-ctk cdi generate command This change refactors the generation of CDI specifications to use discoverers and generate the CDI specifications from these discoverers. This allows for better reuse. Signed-off-by: Evan Lezar <elezar@nvidia.com> 2022-11-23 15:29:18 +00:00			`// Mounts are empty for this discoverer`
			`func (d *deviceFolderPermissions) Mounts() ([]discover.Mount, error) {`
			`return nil, nil`
			`}`