Merge pull request #1154 from elezar/switch-to-distroless

Switch to distroless Base image
Evan Lezar 2025-06-24 11:05:35 +02:00 committed by GitHub
commit 5bc2f50299
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 40 additions and 20 deletions


@ -79,8 +79,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
matrix: matrix:
dist: target:
- ubi9 - application
- packaging - packaging
needs: packages needs: packages
steps: steps:
@ -117,4 +117,4 @@ jobs:
BUILD_MULTI_ARCH_IMAGES: ${{ inputs.build_multi_arch_images }} BUILD_MULTI_ARCH_IMAGES: ${{ inputs.build_multi_arch_images }}
run: | run: |
echo "${VERSION}" echo "${VERSION}"
make -f deployments/container/Makefile build-${{ matrix.dist }} make -f deployments/container/Makefile build-${{ matrix.target }}


@ -48,14 +48,18 @@ ARG VERSION="N/A"
ARG GIT_COMMIT="unknown" ARG GIT_COMMIT="unknown"
RUN make PREFIX=/artifacts/bin cmd-nvidia-ctk-installer RUN make PREFIX=/artifacts/bin cmd-nvidia-ctk-installer
# The packaging stage collects the deb and rpm packages built for supported # The packaging stage collects the deb and rpm packages built for
# architectures. # supported architectures.
FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9 AS packaging FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS packaging
USER 0:0
SHELL ["/busybox/sh", "-c"]
RUN ln -s /busybox/sh /bin/sh
ARG ARTIFACTS_ROOT ARG ARTIFACTS_ROOT
COPY ${ARTIFACTS_ROOT} /artifacts/packages/ COPY ${ARTIFACTS_ROOT} /artifacts/packages/
WORKDIR /artifacts/packages WORKDIR /artifacts
# build-args are added to the manifest.txt file below. # build-args are added to the manifest.txt file below.
ARG PACKAGE_VERSION ARG PACKAGE_VERSION
@ -70,7 +74,14 @@ RUN echo "#IMAGE_EPOCH=$(date '+%s')" > /artifacts/manifest.txt && \
env | sed 's/^/#/g' >> /artifacts/manifest.txt && \ env | sed 's/^/#/g' >> /artifacts/manifest.txt && \
find /artifacts/packages -iname '*.deb' -o -iname '*.rpm' >> /artifacts/manifest.txt find /artifacts/packages -iname '*.deb' -o -iname '*.rpm' >> /artifacts/manifest.txt
RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE LABEL name="NVIDIA Container Toolkit Packages"
LABEL vendor="NVIDIA"
LABEL version="${VERSION}"
LABEL release="N/A"
LABEL summary="deb and rpm packages for the NVIDIA Container Toolkit"
LABEL description="See summary"
COPY LICENSE /licenses/
# The debpackages stage is used to extract the contents of deb packages. # The debpackages stage is used to extract the contents of deb packages.
FROM nvcr.io/nvidia/cuda:12.9.0-base-ubuntu20.04 AS debpackages FROM nvcr.io/nvidia/cuda:12.9.0-base-ubuntu20.04 AS debpackages
@ -116,13 +127,19 @@ RUN set -eux; \
# - The extracted deb packages # - The extracted deb packages
# - The extracted rpm packages # - The extracted rpm packages
# - The nvidia-ctk-installer binary # - The nvidia-ctk-installer binary
FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9 AS artifacts FROM scratch AS artifacts
COPY --from=rpmpackages /artifacts/rpm /artifacts/rpm COPY --from=rpmpackages /artifacts/rpm /artifacts/rpm
COPY --from=debpackages /artifacts/deb /artifacts/deb COPY --from=debpackages /artifacts/deb /artifacts/deb
COPY --from=build /artifacts/bin /artifacts/build COPY --from=build /artifacts/bin /artifacts/build
FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9 # The application stage contains the application used as a GPU Operator
# operand.
FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS application
USER 0:0
SHELL ["/busybox/sh", "-c"]
RUN ln -s /busybox/sh /bin/sh
ENV NVIDIA_DISABLE_REQUIRE="true" ENV NVIDIA_DISABLE_REQUIRE="true"
ENV NVIDIA_VISIBLE_DEVICES=void ENV NVIDIA_VISIBLE_DEVICES=void
@ -144,6 +161,11 @@ LABEL release="N/A"
LABEL summary="Automatically Configure your Container Runtime for GPU support." LABEL summary="Automatically Configure your Container Runtime for GPU support."
LABEL description="See summary" LABEL description="See summary"
RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE COPY LICENSE /licenses/
ENTRYPOINT ["/work/nvidia-ctk-installer"] ENTRYPOINT ["/work/nvidia-ctk-installer"]
# The GPU Operator exec's nvidia-toolkit in its entrypoint.
# We create a symlink here to ensure compatibility with older
# GPU Operator versions.
RUN ln -s /work/nvidia-ctk-installer /work/nvidia-toolkit
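Review bot: The `application` stage at `FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS application` stays root (`USER 0:0`, with no later `USER` visible in the hunks; the stage continues past this hunk) and gains a shell through `RUN ln -s /busybox/sh /bin/sh`, so the shipped runtime image is not the shell-less, non-root image a distroless base is usually chosen for. If root and `/bin/sh` are genuinely required by the way the GPU Operator exec's the installer, that is worth recording next to the stage, e.g. `# -dev tag: provides /busybox/sh for the /bin/sh symlink; root is required because <reason>` — otherwise the non-`-dev` tag would drop the shell and a `USER` could be set before `ENTRYPOINT`. The same `USER 0:0`/`SHELL`/`ln -s` trio is repeated in the `packaging` stage in the first hunk. A tag alone does not pin the base; appending a `@sha256:<digest>` to both `FROM` lines would make the build reproducible. `LABEL version="${VERSION}"` in the `packaging` stage needs `VERSION` to be redeclared with `ARG` inside that stage, and the lines between the first and second hunks are not visible, so I cannot confirm it is.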


@ -38,7 +38,7 @@ OUT_IMAGE_TAG = $(OUT_IMAGE_VERSION)
OUT_IMAGE = $(OUT_IMAGE_NAME):$(OUT_IMAGE_TAG) OUT_IMAGE = $(OUT_IMAGE_NAME):$(OUT_IMAGE_TAG)
##### Public rules ##### ##### Public rules #####
DEFAULT_PUSH_TARGET := ubi9 DEFAULT_PUSH_TARGET := application
DISTRIBUTIONS := $(DEFAULT_PUSH_TARGET) DISTRIBUTIONS := $(DEFAULT_PUSH_TARGET)
META_TARGETS := packaging META_TARGETS := packaging
@ -102,8 +102,6 @@ build: build-$(DEFAULT_PUSH_TARGET)
push: push-$(DEFAULT_PUSH_TARGET) push: push-$(DEFAULT_PUSH_TARGET)
# Test targets # Test targets
test-%: DIST = $(*)
TEST_CASES ?= docker crio containerd TEST_CASES ?= docker crio containerd
$(TEST_TARGETS): test-%: $(TEST_TARGETS): test-%:
TEST_CASES="$(TEST_CASES)" bash -x $(CURDIR)/test/container/main.sh run \ TEST_CASES="$(TEST_CASES)" bash -x $(CURDIR)/test/container/main.sh run \
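Review bot: Dropping `test-%: DIST = $(*)` leaves any `$(DIST)` reference inside the `$(TEST_TARGETS)` recipe expanding to empty; the recipe continues past the end of the hunk, so I cannot confirm that nothing there still reads it. `DISTRIBUTIONS := $(DEFAULT_PUSH_TARGET)` now evaluates to `application`, a Dockerfile stage rather than an OS distribution, which the variable name no longer conveys; a comment such as `# DISTRIBUTIONS now holds Dockerfile stage names rather than OS distributions` on that line would save the next reader a detour.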


@ -53,6 +53,6 @@ docker run --rm \
-v $(pwd):$(pwd) \ -v $(pwd):$(pwd) \
-w $(pwd) \ -w $(pwd) \
-u $(id -u):$(id -g) \ -u $(id -u):$(id -g) \
--entrypoint="bash" \ --entrypoint="sh" \
${IMAGE} \ ${IMAGE} \
-c "cp --preserve=timestamps -R /artifacts/* ${DIST_DIR}" -c "cp -p -R /artifacts/* ${DIST_DIR}"


@ -70,9 +70,9 @@ function copy-file() {
-v "$(pwd):$(pwd)" \ -v "$(pwd):$(pwd)" \
-w "$(pwd)" \ -w "$(pwd)" \
-u "$(id -u):$(id -g)" \ -u "$(id -u):$(id -g)" \
--entrypoint="bash" \ --entrypoint="sh" \
"${image}" \ "${image}" \
-c "cp ${path_in_image} ${path_on_host}" -c "cp -p ${path_in_image} ${path_on_host}"
fi fi
} }


@ -96,9 +96,9 @@ function copy_file() {
-v "$(pwd):$(pwd)" \ -v "$(pwd):$(pwd)" \
-w "$(pwd)" \ -w "$(pwd)" \
-u "$(id -u):$(id -g)" \ -u "$(id -u):$(id -g)" \
--entrypoint="bash" \ --entrypoint="sh" \
"${image}" \ "${image}" \
-c "cp ${path_in_image} ${path_on_host}" -c "cp -p ${path_in_image} ${path_on_host}"
fi fi
} }