From 367a30827fec9ab0b8f18e7b42a4aa87e9104e20 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Tue, 2 May 2023 16:27:50 +0200
Subject: [PATCH 1/2] Allow spec file permisions to be specified
Signed-off-by: Evan Lezar
---
 pkg/nvcdi/spec/builder.go | 13 ++++++++++++-
 pkg/nvcdi/spec/spec.go | 13 +++++++++++--
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/pkg/nvcdi/spec/builder.go b/pkg/nvcdi/spec/builder.go
index 6379ad0f..32b27f8d 100644
--- a/pkg/nvcdi/spec/builder.go
+++ b/pkg/nvcdi/spec/builder.go
@@ -18,6 +18,7 @@ package spec
 import (
 "fmt"
+ "os"
 "github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
 "github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
@@ -33,6 +34,7 @@ type builder struct {
 edits specs.ContainerEdits
 format string
 noSimplify bool
+ permissions os.FileMode
 }
 // newBuilder creates a new spec builder with the supplied options
@@ -60,7 +62,9 @@ func newBuilder(opts ...Option) *builder {
 if s.format == "" {
 s.format = FormatYAML
 }
-
+ if s.permissions == 0 {
+ s.permissions = 0600
+ }
 return s
 }
@@ -157,3 +161,10 @@ func WithRawSpec(raw *specs.Spec) Option {
 o.raw = raw
 }
 }
+
+// WithPermissions sets the permissions for the generated spec file
+func WithPermissions(permissions os.FileMode) Option {
+ return func(o *builder) {
+ o.permissions = permissions
+ }
+}
diff --git a/pkg/nvcdi/spec/spec.go b/pkg/nvcdi/spec/spec.go
index 2bb26a71..999220b7 100644
--- a/pkg/nvcdi/spec/spec.go
+++ b/pkg/nvcdi/spec/spec.go
@@ -28,7 +28,8 @@ import (
 type spec struct {
 *specs.Spec
- format string
+ format string
+ permissions os.FileMode
 }
 var _ Interface = (*spec)(nil)
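Review bot: WithPermissions's doc comment in the `@@ -157,3 +161,10 @@` hunk does not say that a zero value is silently replaced by the 0600 default that newBuilder applies in the `@@ -60,7 +62,9 @@` hunk, so a caller passing `0` gets a different mode than it asked for; suggest `// WithPermissions sets the permissions for the generated spec file. A zero value selects the default of 0600.` The default lives in newBuilder rather than next to the field declaration, so the two hunks have to be kept in sync if the default ever changes. The spec.go struct hunk adds an os.FileMode field without a matching import hunk, which presumes spec.go already imports os; worth confirming since the import block is outside the hunk.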
@@ -51,7 +52,15 @@ func (s *spec) Save(path string) error {
 cdi.WithSpecDirs(specDir),
 )
- return registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path))
+ if err := registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path)); err != nil {
+ return fmt.Errorf("failed to write spec: %w", err)
+ }
+
+ if err := os.Chmod(path, s.permissions); err != nil {
+ return fmt.Errorf("failed to set permissions on spec file: %w", err)
+ }
+
+ return nil
 }
 // WriteTo writes the spec to the specified writer.
From 3056428edafa2294a39703e917e0f4eb6cd373ce Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Tue, 2 May 2023 16:28:03 +0200
Subject: [PATCH 2/2] Generate spec file with 644 permissions
Signed-off-by: Evan Lezar
---
 CHANGELOG.md | 1 +
 cmd/nvidia-ctk/cdi/generate/generate.go | 1 +
 2 files changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 757130f1..40eaaaa9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 * Add support for updating containerd configs to the `nvidia-ctk runtime configure` command.
 * Create file in `etc/ld.so.conf.d` with permissions `644` to support non-root containers.
+* Generate CDI specification files with `644` permissions to allow rootless applications (e.g. podman)
 ## v1.13.1
diff --git a/cmd/nvidia-ctk/cdi/generate/generate.go b/cmd/nvidia-ctk/cdi/generate/generate.go
index 6ab27b00..a81f41a5 100644
--- a/cmd/nvidia-ctk/cdi/generate/generate.go
+++ b/cmd/nvidia-ctk/cdi/generate/generate.go
@@ -251,6 +251,7 @@ func (m command) generateSpec(cfg *config) (spec.Interface, error) {
 spec.WithDeviceSpecs(deviceSpecs),
 spec.WithEdits(*commonEdits.ContainerEdits),
 spec.WithFormat(cfg.format),
+ spec.WithPermissions(0644),
 )
 }
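Review bot: Nothing in this patch copies builder.permissions into spec.permissions — the diffstat (23 insertions, 3 deletions) is fully accounted for by the hunks shown and no Build hunk appears — so unless Build already sets the field outside these hunks, `os.Chmod(path, s.permissions)` in Save runs with mode 0 and leaves the spec file unreadable to everyone but root. Worth adding `permissions: o.permissions` wherever the spec value is constructed, or at least guarding here with `if s.permissions != 0`. WriteSpec writes to specDir joined with filepath.Base(path) while Chmod is applied to path, so the two only refer to the same file if specDir is derived from path (assigned above the hunk), and Chmod follows a symlink at path rather than the file just written; a one-line comment stating that assumption would help the next reader. Save's body starts outside the hunk.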
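Review bot: The hard-coded `0644` passed to spec.WithPermissions in generateSpec carries no explanation of why the generated spec is made world-readable, which is the security-relevant decision of this change; a comment such as `// 0644 so rootless consumers (e.g. podman) can read the spec without root.` would record the rationale next to the value. Every other option on these lines comes from cfg, so exposing the mode through cfg alongside cfg.format in a follow-up would keep the call site consistent. generateSpec's body starts and ends outside the hunk.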