Merge branch 'fix-cdi-spec-permissions' into 'main'

Generate CDI specifications with 644 permissions to allow non-root clients to consume them See merge request nvidia/container-toolkit/container-toolkit!381
2025-06-26 18:18:24 +00:00 · 2023-05-02 19:36:40 +00:00 · 2023-05-02 19:36:40 +00:00 · 6750df8e01
commit 6750df8e01
parent 8736d1e78f 3056428eda
4 changed files with 25 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,7 @@

 * Add support for updating containerd configs to the `nvidia-ctk runtime configure` command.
 * Create file in `etc/ld.so.conf.d` with permissions `644` to support non-root containers.
+* Generate CDI specification files with `644` permissions to allow rootless applications (e.g. podman)

 ## v1.13.1

--- a/cmd/nvidia-ctk/cdi/generate/generate.go
+++ b/cmd/nvidia-ctk/cdi/generate/generate.go
@ -251,6 +251,7 @@ func (m command) generateSpec(cfg *config) (spec.Interface, error) {
 		spec.WithDeviceSpecs(deviceSpecs),
 		spec.WithEdits(*commonEdits.ContainerEdits),
 		spec.WithFormat(cfg.format),
+		spec.WithPermissions(0644),
 	)
 }

--- a/pkg/nvcdi/spec/builder.go
+++ b/pkg/nvcdi/spec/builder.go
@ -18,6 +18,7 @@ package spec

 import (
 	"fmt"
+	"os"

 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
 	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
@ -33,6 +34,7 @@ type builder struct {
 	edits       specs.ContainerEdits
 	format      string
 	noSimplify  bool
+	permissions os.FileMode
 }

 // newBuilder creates a new spec builder with the supplied options
@ -60,7 +62,9 @@ func newBuilder(opts ...Option) *builder {
 	if s.format == "" {
 		s.format = FormatYAML
 	}
-
+	if s.permissions == 0 {
+		s.permissions = 0600
+	}
 	return s
 }

@ -157,3 +161,10 @@ func WithRawSpec(raw *specs.Spec) Option {
 		o.raw = raw
 	}
 }
+
+// WithPermissions sets the permissions for the generated spec file
+func WithPermissions(permissions os.FileMode) Option {
+	return func(o *builder) {
+		o.permissions = permissions
+	}
+}
--- a/pkg/nvcdi/spec/spec.go
+++ b/pkg/nvcdi/spec/spec.go
@ -29,6 +29,7 @@ import (
 type spec struct {
 	*specs.Spec
 	format      string
+	permissions os.FileMode
 }

 var _ Interface = (*spec)(nil)
@ -51,7 +52,15 @@ func (s *spec) Save(path string) error {
 		cdi.WithSpecDirs(specDir),
 	)

-	return registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path))
+	if err := registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path)); err != nil {
+		return fmt.Errorf("failed to write spec: %w", err)
+	}
+
+	if err := os.Chmod(path, s.permissions); err != nil {
+		return fmt.Errorf("failed to set permissions on spec file: %w", err)
+	}
+
+	return nil
 }

 // WriteTo writes the spec to the specified writer.