From d9c7ec97147d42d2ccc07739ee7446c04dee84ef Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Wed, 18 Jun 2025 12:04:50 +0200
Subject: [PATCH 1/5] [no-relnote] Don't refer to target image distribution
Signed-off-by: Evan Lezar
---
 .github/workflows/image.yaml | 6 +++---
 deployments/container/Makefile | 4 +---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index ed423ff8..c4feb648 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -79,8 +79,8 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- dist:
- - ubi9
+ target:
+ - application
 - packaging
 needs: packages
 steps:
@@ -117,4 +117,4 @@ jobs:
 BUILD_MULTI_ARCH_IMAGES: ${{ inputs.build_multi_arch_images }}
 run: |
 echo "${VERSION}"
- make -f deployments/container/Makefile build-${{ matrix.dist }}
+ make -f deployments/container/Makefile build-${{ matrix.target }}
diff --git a/deployments/container/Makefile b/deployments/container/Makefile
index 6120b0f1..4e3373a2 100644
--- a/deployments/container/Makefile
+++ b/deployments/container/Makefile
@@ -38,7 +38,7 @@ OUT_IMAGE_TAG = $(OUT_IMAGE_VERSION)
 OUT_IMAGE = $(OUT_IMAGE_NAME):$(OUT_IMAGE_TAG)
 ##### Public rules #####
-DEFAULT_PUSH_TARGET := ubi9
+DEFAULT_PUSH_TARGET := application
 DISTRIBUTIONS := $(DEFAULT_PUSH_TARGET)
 META_TARGETS := packaging
@@ -102,8 +102,6 @@ build: build-$(DEFAULT_PUSH_TARGET)
 push: push-$(DEFAULT_PUSH_TARGET)
 # Test targets
-test-%: DIST = $(*)
-
 TEST_CASES ?= docker crio containerd
 $(TEST_TARGETS): test-%:
 TEST_CASES="$(TEST_CASES)" bash -x $(CURDIR)/test/container/main.sh run \
From 28ddc1454c2a0708a34329e1de15beb9a1e11028 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Wed, 18 Jun 2025 12:06:00 +0200
Subject: [PATCH 2/5] Switch to golang distroless image
Signed-off-by: Evan Lezar
---
 deployments/container/Dockerfile | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/deployments/container/Dockerfile b/deployments/container/Dockerfile
index 6263a4d6..9aa190ab 100644
--- a/deployments/container/Dockerfile
+++ b/deployments/container/Dockerfile
@@ -48,14 +48,18 @@ ARG VERSION="N/A"
 ARG GIT_COMMIT="unknown"
 RUN make PREFIX=/artifacts/bin cmd-nvidia-ctk-installer
-# The packaging stage collects the deb and rpm packages built for supported
-# architectures.
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9 AS packaging
+# The packaging stage collects the deb and rpm packages built for
+# supported architectures.
+FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS packaging
+
+USER 0:0
+SHELL ["/busybox/sh", "-c"]
+RUN ln -s /busybox/sh /bin/sh
 ARG ARTIFACTS_ROOT
 COPY ${ARTIFACTS_ROOT} /artifacts/packages/
-WORKDIR /artifacts/packages
+WORKDIR /artifacts
 # build-args are added to the manifest.txt file below.
 ARG PACKAGE_VERSION
@@ -70,7 +74,12 @@ RUN echo "#IMAGE_EPOCH=$(date '+%s')" > /artifacts/manifest.txt && \
 env | sed 's/^/#/g' >> /artifacts/manifest.txt && \
 find /artifacts/packages -iname '*.deb' -o -iname '*.rpm' >> /artifacts/manifest.txt
-RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
+LABEL name="NVIDIA Container Toolkit Packages"
+LABEL vendor="NVIDIA"
+LABEL version="${VERSION}"
+LABEL release="N/A"
+LABEL summary="deb and rpm packages for the NVIDIA Container Toolkit"
+LABEL description="See summary"
 # The debpackages stage is used to extract the contents of deb packages.
 FROM nvcr.io/nvidia/cuda:12.9.0-base-ubuntu20.04 AS debpackages
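Review bot: The new `FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS packaging` references the base image by tag only, as does the application stage in the `@@ -116,13 +125,19 @@` hunk, so a re-pushed tag changes what is built without any change in this repository. Adding the digest, `FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev@sha256:<digest> AS packaging` (`<digest>` is a placeholder for the value read from the registry), makes the build input verifiable. In the visible lines `USER 0:0` is also never reset in either stage, so both images appear to default to uid 0 with the busybox shell linked at `/bin/sh`; a comment such as `# root is needed to create /bin/sh and to write /artifacts/manifest.txt` would record the reason, and if the installer does not itself need root the application stage could switch to an unprivileged user before `ENTRYPOINT`. Both stages continue outside these hunks.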
@@ -116,13 +125,19 @@ RUN set -eux; \
 # - The extracted deb packages
 # - The extracted rpm packages
 # - The nvidia-ctk-installer binary
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9 AS artifacts
+FROM scratch AS artifacts
 COPY --from=rpmpackages /artifacts/rpm /artifacts/rpm
 COPY --from=debpackages /artifacts/deb /artifacts/deb
 COPY --from=build /artifacts/bin /artifacts/build
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9
+# The application stage contains the application used as a GPU Operator
+# operand.
+FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS application
+
+USER 0:0
+SHELL ["/busybox/sh", "-c"]
+RUN ln -s /busybox/sh /bin/sh
 ENV NVIDIA_DISABLE_REQUIRE="true"
 ENV NVIDIA_VISIBLE_DEVICES=void
@@ -131,6 +146,7 @@ ENV NVIDIA_DRIVER_CAPABILITIES=utility
 COPY --from=artifacts /artifacts/rpm /artifacts/rpm
 COPY --from=artifacts /artifacts/deb /artifacts/deb
 COPY --from=artifacts /artifacts/build /work
+COPY --from=artifacts /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
 WORKDIR /work
 ENV PATH=/work:$PATH
@@ -144,6 +160,4 @@ LABEL release="N/A"
 LABEL summary="Automatically Configure your Container Runtime for GPU support."
 LABEL description="See summary"
-RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
-
 ENTRYPOINT ["/work/nvidia-ctk-installer"]
From 7abf5fa6a45321af21e322a43b660f1d6d98f867 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Wed, 18 Jun 2025 12:18:38 +0200
Subject: [PATCH 3/5] Use Apache license for images
This change removes the NGC-DL-CONTAINER-LICENSE (since this is not available in the distroless images) and includes the repo's Apache LICENSE file in the image.
Signed-off-by: Evan Lezar
---
 deployments/container/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/deployments/container/Dockerfile b/deployments/container/Dockerfile
index 9aa190ab..9109d931 100644
--- a/deployments/container/Dockerfile
+++ b/deployments/container/Dockerfile
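Review bot: `COPY --from=artifacts /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE`, added in the `@@ -131,6 +146,7 @@` hunk of PATCH 2/5, reads a file that the `artifacts` stage does not appear to contain any more. The `@@ -116,13 +125,19 @@` hunk of the same patch changes that stage to `FROM scratch`, and the only content visible for it is the three `/artifacts/...` directories copied in. As far as these hunks show, the application image therefore cannot be built at PATCH 2/5; PATCH 3/5 removes the line again. Folding that removal into PATCH 2/5 would keep every commit in the series buildable for bisecting.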
@@ -81,6 +81,8 @@ LABEL release="N/A"
 LABEL summary="deb and rpm packages for the NVIDIA Container Toolkit"
 LABEL description="See summary"
+COPY LICENSE /licenses/
+
 # The debpackages stage is used to extract the contents of deb packages.
 FROM nvcr.io/nvidia/cuda:12.9.0-base-ubuntu20.04 AS debpackages
@@ -146,7 +148,6 @@ ENV NVIDIA_DRIVER_CAPABILITIES=utility
 COPY --from=artifacts /artifacts/rpm /artifacts/rpm
 COPY --from=artifacts /artifacts/deb /artifacts/deb
 COPY --from=artifacts /artifacts/build /work
-COPY --from=artifacts /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
 WORKDIR /work
 ENV PATH=/work:$PATH
@@ -160,4 +161,6 @@ LABEL release="N/A"
 LABEL summary="Automatically Configure your Container Runtime for GPU support."
 LABEL description="See summary"
+COPY LICENSE /licenses/
+
 ENTRYPOINT ["/work/nvidia-ctk-installer"]
From 69b0f0ba61eac210295a171ac0f318d4a86ca451 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Wed, 18 Jun 2025 15:42:28 +0200
Subject: [PATCH 4/5] [no-relnote] Update release scripts for distroless
Signed-off-by: Evan Lezar
---
 hack/pull-packages.sh | 4 ++--
 scripts/extract-packages.sh | 4 ++--
 scripts/utils.sh | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/hack/pull-packages.sh b/hack/pull-packages.sh
index f39bd675..ed2c1e05 100755
--- a/hack/pull-packages.sh
+++ b/hack/pull-packages.sh
@@ -53,6 +53,6 @@ docker run --rm \
 -v $(pwd):$(pwd) \
 -w $(pwd) \
 -u $(id -u):$(id -g) \
- --entrypoint="bash" \
+ --entrypoint="sh" \
 ${IMAGE} \
- -c "cp --preserve=timestamps -R /artifacts/* ${DIST_DIR}"
+ -c "cp -p -R /artifacts/* ${DIST_DIR}"
diff --git a/scripts/extract-packages.sh b/scripts/extract-packages.sh
index be288de2..d6f6fa90 100755
--- a/scripts/extract-packages.sh
+++ b/scripts/extract-packages.sh
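Review bot: `-c "cp -p -R /artifacts/* ${DIST_DIR}"` in hack/pull-packages.sh still expands `${DIST_DIR}` on the host and pastes it into the string that `sh` parses inside the container, so a value with spaces or shell metacharacters is split or interpreted as shell syntax. Passing it as a positional parameter keeps it as data: `-c 'cp -p -R /artifacts/* "$1"' sh "${DIST_DIR}"`. The same pattern is in `copy-file` (scripts/extract-packages.sh) and `copy_file` (scripts/utils.sh), where `-c 'cp -p "$1" "$2"' sh "${path_in_image}" "${path_on_host}"` would do, unless callers rely on a glob in `path_in_image`. `-p` also preserves mode and ownership where it can, which is broader than the `--preserve=timestamps` it replaces and is newly added in the other two scripts, so it is worth confirming that is intended. The `docker run` command and both functions start outside these hunks.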
@@ -70,9 +70,9 @@ function copy-file() {
 -v "$(pwd):$(pwd)" \
 -w "$(pwd)" \
 -u "$(id -u):$(id -g)" \
- --entrypoint="bash" \
+ --entrypoint="sh" \
 "${image}" \
- -c "cp ${path_in_image} ${path_on_host}"
+ -c "cp -p ${path_in_image} ${path_on_host}"
 fi
 }
diff --git a/scripts/utils.sh b/scripts/utils.sh
index 532b9caf..7300011e 100644
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@@ -96,9 +96,9 @@ function copy_file() {
 -v "$(pwd):$(pwd)" \
 -w "$(pwd)" \
 -u "$(id -u):$(id -g)" \
- --entrypoint="bash" \
+ --entrypoint="sh" \
 "${image}" \
- -c "cp ${path_in_image} ${path_on_host}"
+ -c "cp -p ${path_in_image} ${path_on_host}"
 fi
 }
From 60706815a53fff4b44419c6f6c6a3c741ea800d1 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Thu, 19 Jun 2025 10:23:09 +0200
Subject: [PATCH 5/5] Create /work/nvidia-toolkit symlink
This change ensures that a symlink from /work/nvidia-toolkit to /work/nvidia-ctk-installer exists to allow GPU Operator versions that override the entrypoint and assume nvidia-toolkit as the original entrypoint.
Signed-off-by: Evan Lezar
---
 deployments/container/Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/deployments/container/Dockerfile b/deployments/container/Dockerfile
index 9109d931..36892279 100644
--- a/deployments/container/Dockerfile
+++ b/deployments/container/Dockerfile
@@ -164,3 +164,8 @@ LABEL description="See summary"
 COPY LICENSE /licenses/
 ENTRYPOINT ["/work/nvidia-ctk-installer"]
+
+# The GPU Operator exec's nvidia-toolkit in its entrypoint.
+# We create a symlink here to ensure compatibility with older
+# GPU Operator versions.
+RUN ln -s /work/nvidia-ctk-installer /work/nvidia-toolkit