UniqAI/nvidia-container-toolkit
1
0
Fork 0
mirror of https://github.com/NVIDIA/nvidia-container-toolkit synced 2024-11-22 08:18:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'fix-cdi-spec-permissions' into 'main'

Browse Source 
Generate CDI specifications with 644 permissions to allow non-root clients to consume them

See merge request nvidia/container-toolkit/container-toolkit!381
This commit is contained in:
Carlos Eduardo Arango Gutierrez 2023-05-02 19:36:40 +00:00
commit 6750df8e01
4 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -4,6 +4,7 @@
* Add support for updating containerd configs to the `nvidia-ctk runtime configure` command. * Add support for updating containerd configs to the `nvidia-ctk runtime configure` command.
* Create file in `etc/ld.so.conf.d` with permissions `644` to support non-root containers. * Create file in `etc/ld.so.conf.d` with permissions `644` to support non-root containers.
* Generate CDI specification files with `644` permissions to allow rootless applications (e.g. podman)
## v1.13.1 ## v1.13.1

1
cmd/nvidia-ctk/cdi/generate/generate.go
View File

@ -251,6 +251,7 @@ func (m command) generateSpec(cfg *config) (spec.Interface, error) {
spec.WithDeviceSpecs(deviceSpecs), spec.WithDeviceSpecs(deviceSpecs),
spec.WithEdits(*commonEdits.ContainerEdits), spec.WithEdits(*commonEdits.ContainerEdits),
spec.WithFormat(cfg.format), spec.WithFormat(cfg.format),
spec.WithPermissions(0644),
) )
} }

13
pkg/nvcdi/spec/builder.go
View File

@ -18,6 +18,7 @@ package spec
import ( import (
"fmt" "fmt"
"os"
"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform" "github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi" "github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
@ -33,6 +34,7 @@ type builder struct {
edits specs.ContainerEdits edits specs.ContainerEdits
format string format string
noSimplify bool noSimplify bool
permissions os.FileMode
} }
// newBuilder creates a new spec builder with the supplied options // newBuilder creates a new spec builder with the supplied options
@ -60,7 +62,9 @@ func newBuilder(opts ...Option) *builder {
if s.format == "" { if s.format == "" {
s.format = FormatYAML s.format = FormatYAML
} }
if s.permissions == 0 {
s.permissions = 0600
}
return s return s
} }
@ -157,3 +161,10 @@ func WithRawSpec(raw *specs.Spec) Option {
o.raw = raw o.raw = raw
} }
} }
// WithPermissions sets the permissions for the generated spec file
func WithPermissions(permissions os.FileMode) Option {
return func(o *builder) {
o.permissions = permissions
}
}

13
pkg/nvcdi/spec/spec.go
View File

@ -28,7 +28,8 @@ import (
type spec struct { type spec struct {
*specs.Spec *specs.Spec
format string format string
permissions os.FileMode
} }
var _ Interface = (*spec)(nil) var _ Interface = (*spec)(nil)
@ -51,7 +52,15 @@ func (s *spec) Save(path string) error {
cdi.WithSpecDirs(specDir), cdi.WithSpecDirs(specDir),
) )
return registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path)) if err := registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path)); err != nil {
return fmt.Errorf("failed to write spec: %w", err)
}
if err := os.Chmod(path, s.permissions); err != nil {
return fmt.Errorf("failed to set permissions on spec file: %w", err)
}
return nil
} }
// WriteTo writes the spec to the specified writer. // WriteTo writes the spec to the specified writer.