Merge bdfaea4e9e into e33f15a128

cmd/nvidia-cdi-hook/chmod/chmod.go

@@ -113,7 +113,7 @@ func (m command) run(c *cli.Context, cfg *config) error {
 		return fmt.Errorf("failed to load container state: %v", err)
 	}
 
-	containerRoot, err := s.GetContainerRoot()
+	containerRoot, err := s.GetContainerRootDirPath()
 	if err != nil {
 		return fmt.Errorf("failed to determined container root: %v", err)
 	}
@@ -121,7 +121,7 @@ func (m command) run(c *cli.Context, cfg *config) error {
 		return fmt.Errorf("empty container root detected")
 	}
 
-	paths := m.getPaths(containerRoot, cfg.paths.Value(), cfg.mode)
+	paths := m.getPaths(string(containerRoot), cfg.paths.Value(), cfg.mode)
 	if len(paths) == 0 {
 		m.logger.Debugf("No paths specified; exiting")
 		return nil
@@ -140,6 +140,7 @@ func (m command) run(c *cli.Context, cfg *config) error {
 }
 
 // getPaths updates the specified paths relative to the root.
+// TODO(elezar): This function should be updated to make use of the oci.ContainerRoot type.
 func (m command) getPaths(root string, paths []string, desiredMode fs.FileMode) []string {
 	var pathsInRoot []string
 	for _, f := range paths {

cmd/nvidia-cdi-hook/commands/commands.go

@@ -20,6 +20,7 @@ import (
 	"github.com/urfave/cli/v2"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/chmod"
+	soname "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/create-soname-symlinks"
 	symlinks "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/create-symlinks"
 	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/cudacompat"
 	ldcache "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/update-ldcache"
@@ -34,5 +35,6 @@ func New(logger logger.Interface) []*cli.Command {
 		symlinks.NewCommand(logger),
 		chmod.NewCommand(logger),
 		cudacompat.NewCommand(logger),
+		soname.NewCommand(logger),
 	}
 }

cmd/nvidia-cdi-hook/create-soname-symlinks/soname-symlinks.go

@@ -0,0 +1,132 @@
+/**
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package soname
+
+import (
+	"errors"
+	"fmt"
+	"path/filepath"
+
+	"github.com/urfave/cli/v2"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	safeexec "github.com/NVIDIA/nvidia-container-toolkit/internal/safe-exec"
+)
+
+type command struct {
+	logger logger.Interface
+	safeexec.Execer
+}
+
+type options struct {
+	folders       cli.StringSlice
+	ldconfigPath  string
+	containerSpec string
+}
+
+// NewCommand constructs an create-soname-symlinks command with the specified logger
+func NewCommand(logger logger.Interface) *cli.Command {
+	c := command{
+		logger: logger,
+		Execer: safeexec.New(logger),
+	}
+	return c.build()
+}
+
+// build the create-soname-symlinks command
+func (m command) build() *cli.Command {
+	cfg := options{}
+
+	// Create the 'create-soname-symlinks' command
+	c := cli.Command{
+		Name:  "create-soname-symlinks",
+		Usage: "Create soname symlinks for the specified folders using ldconfig -n -N",
+		Before: func(c *cli.Context) error {
+			return m.validateFlags(c, &cfg)
+		},
+		Action: func(c *cli.Context) error {
+			return m.run(c, &cfg)
+		},
+	}
+
+	c.Flags = []cli.Flag{
+		&cli.StringSliceFlag{
+			Name:        "folder",
+			Usage:       "Specify a folder to search for shared libraries for which soname symlinks need to be created",
+			Destination: &cfg.folders,
+		},
+		&cli.StringFlag{
+			Name:        "ldconfig-path",
+			Usage:       "Specify the path to the ldconfig program",
+			Destination: &cfg.ldconfigPath,
+			Value:       "/sbin/ldconfig",
+		},
+		&cli.StringFlag{
+			Name:        "container-spec",
+			Usage:       "Specify the path to the OCI container spec. If empty or '-' the spec will be read from STDIN",
+			Destination: &cfg.containerSpec,
+		},
+	}
+
+	return &c
+}
+
+func (m command) validateFlags(c *cli.Context, cfg *options) error {
+	if cfg.ldconfigPath == "" {
+		return errors.New("ldconfig-path must be specified")
+	}
+	return nil
+}
+
+func (m command) run(c *cli.Context, cfg *options) error {
+	s, err := oci.LoadContainerState(cfg.containerSpec)
+	if err != nil {
+		return fmt.Errorf("failed to load container state: %v", err)
+	}
+
+	containerRoot, err := s.GetContainerRootDirPath()
+	if err != nil {
+		return fmt.Errorf("failed to determined container root: %v", err)
+	}
+	if containerRoot == "" {
+		m.logger.Warningf("No container root detected")
+		return nil
+	}
+
+	dirs := cfg.folders.Value()
+	if len(dirs) == 0 {
+		return nil
+	}
+
+	ldconfigPath := config.ResolveLDConfigPathOnHost(cfg.ldconfigPath)
+	args := []string{filepath.Base(ldconfigPath)}
+
+	args = append(args,
+		// Specify the containerRoot to use.
+		"-r", string(containerRoot),
+		// Specify -n to only process the specified folders.
+		"-n",
+		// Explicitly disable updating the LDCache.
+		"-N",
+	)
+	// Explicitly specific the directories to add.
+	args = append(args, dirs...)
+
+	return m.Exec(ldconfigPath, args, nil)
+}

cmd/nvidia-cdi-hook/create-symlinks/create-symlinks.go

@@ -84,7 +84,7 @@ func (m command) run(c *cli.Context, cfg *config) error {
 		return fmt.Errorf("failed to load container state: %v", err)
 	}
 
-	containerRoot, err := s.GetContainerRoot()
+	containerRoot, err := s.GetContainerRootDirPath()
 	if err != nil {
 		return fmt.Errorf("failed to determined container root: %v", err)
 	}
@@ -100,7 +100,7 @@ func (m command) run(c *cli.Context, cfg *config) error {
 			return fmt.Errorf("invalid symlink specification %v", l)
 		}
 
-		err := m.createLink(containerRoot, parts[0], parts[1])
+		err := m.createLink(string(containerRoot), parts[0], parts[1])
 		if err != nil {
 			return fmt.Errorf("failed to create link %v: %w", parts, err)
 		}

cmd/nvidia-cdi-hook/cudacompat/container-root.go

@@ -1,76 +0,0 @@
-/**
-# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package cudacompat
-
-import (
-	"os"
-	"path/filepath"
-
-	"github.com/moby/sys/symlink"
-)
-
-// A containerRoot represents the root filesystem of a container.
-type containerRoot string
-
-// hasPath checks whether the specified path exists in the root.
-func (r containerRoot) hasPath(path string) bool {
-	resolved, err := r.resolve(path)
-	if err != nil {
-		return false
-	}
-	if _, err := os.Stat(resolved); err != nil && os.IsNotExist(err) {
-		return false
-	}
-	return true
-}
-
-// globFiles matches the specified pattern in the root.
-// The files that match must be regular files.
-func (r containerRoot) globFiles(pattern string) ([]string, error) {
-	patternPath, err := r.resolve(pattern)
-	if err != nil {
-		return nil, err
-	}
-	matches, err := filepath.Glob(patternPath)
-	if err != nil {
-		return nil, err
-	}
-	var files []string
-	for _, match := range matches {
-		info, err := os.Lstat(match)
-		if err != nil {
-			return nil, err
-		}
-		// Ignore symlinks.
-		if info.Mode()&os.ModeSymlink != 0 {
-			continue
-		}
-		// Ignore directories.
-		if info.IsDir() {
-			continue
-		}
-		files = append(files, match)
-	}
-	return files, nil
-}
-
-// resolve returns the absolute path including root path.
-// Symlinks are resolved, but are guaranteed to resolve in the root.
-func (r containerRoot) resolve(path string) (string, error) {
-	absolute := filepath.Clean(filepath.Join(string(r), path))
-	return symlink.FollowSymlinkInScope(absolute, string(r))
-}

cmd/nvidia-cdi-hook/cudacompat/cudacompat.go

@@ -18,7 +18,6 @@ package cudacompat
 
 import (
 	"fmt"
-	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -103,12 +102,12 @@ func (m command) run(_ *cli.Context, cfg *options) error {
 		return fmt.Errorf("failed to load container state: %w", err)
 	}
 
-	containerRootDir, err := s.GetContainerRoot()
+	containerRootDirPath, err := s.GetContainerRootDirPath()
 	if err != nil {
 		return fmt.Errorf("failed to determined container root: %w", err)
 	}
 
-	containerForwardCompatDir, err := m.getContainerForwardCompatDir(containerRoot(containerRootDir), cfg.hostDriverVersion)
+	containerForwardCompatDir, err := m.getContainerForwardCompatDirPathInContainer(containerRootDirPath, cfg.hostDriverVersion)
 	if err != nil {
 		return fmt.Errorf("failed to get container forward compat directory: %w", err)
 	}
@@ -116,40 +115,44 @@ func (m command) run(_ *cli.Context, cfg *options) error {
 		return nil
 	}
 
-	return m.createLdsoconfdFile(containerRoot(containerRootDir), cudaCompatLdsoconfdFilenamePattern, containerForwardCompatDir)
+	return containerRootDirPath.CreateLdsoconfdFile(cudaCompatLdsoconfdFilenamePattern, containerForwardCompatDir)
 }
 
-func (m command) getContainerForwardCompatDir(containerRoot containerRoot, hostDriverVersion string) (string, error) {
+// getContainerForwardCompatDirPathInContainer returns the path to the directory containing
+// the CUDA Forward Compatibility libraries in the container.
+func (m command) getContainerForwardCompatDirPathInContainer(containerRootDirPath oci.ContainerRoot, hostDriverVersion string) (string, error) {
 	if hostDriverVersion == "" {
 		m.logger.Debugf("Host driver version not specified")
 		return "", nil
 	}
-	if !containerRoot.hasPath(cudaCompatPath) {
+	if !containerRootDirPath.HasPath(cudaCompatPath) {
 		m.logger.Debugf("No CUDA forward compatibility libraries directory in container")
 		return "", nil
 	}
-	if !containerRoot.hasPath("/etc/ld.so.cache") {
+	if !containerRootDirPath.HasPath("/etc/ld.so.cache") {
 		m.logger.Debugf("The container does not have an LDCache")
 		return "", nil
 	}
 
-	libs, err := containerRoot.globFiles(filepath.Join(cudaCompatPath, "libcuda.so.*.*"))
+	cudaForwardCompatLibPaths, err := containerRootDirPath.GlobFiles(filepath.Join(cudaCompatPath, "libcuda.so.*.*"))
 	if err != nil {
 		m.logger.Warningf("Failed to find CUDA compat library: %w", err)
 		return "", nil
 	}
 
-	if len(libs) == 0 {
+	if len(cudaForwardCompatLibPaths) == 0 {
 		m.logger.Debugf("No CUDA forward compatibility libraries container")
 		return "", nil
 	}
 
-	if len(libs) != 1 {
-		m.logger.Warningf("Unexpected number of CUDA compat libraries in container: %v", libs)
+	if len(cudaForwardCompatLibPaths) != 1 {
+		m.logger.Warningf("Unexpected number of CUDA compat libraries in container: %v", cudaForwardCompatLibPaths)
 		return "", nil
 	}
 
-	compatDriverVersion := strings.TrimPrefix(filepath.Base(libs[0]), "libcuda.so.")
+	cudaForwardCompatLibPath := cudaForwardCompatLibPaths[0]
+
+	compatDriverVersion := strings.TrimPrefix(filepath.Base(cudaForwardCompatLibPath), "libcuda.so.")
 	compatMajor, err := extractMajorVersion(compatDriverVersion)
 	if err != nil {
 		return "", fmt.Errorf("failed to extract major version from %q: %v", compatDriverVersion, err)
@@ -165,53 +168,10 @@ func (m command) getContainerForwardCompatDir(containerRoot containerRoot, hostD
 		return "", nil
 	}
 
-	resolvedCompatDir := strings.TrimPrefix(filepath.Dir(libs[0]), string(containerRoot))
-	return resolvedCompatDir, nil
-}
+	cudaForwardCompatLibDirPath := filepath.Dir(cudaForwardCompatLibPath)
+	resolvedCompatDirPathInContainer := containerRootDirPath.ToContainerPath(cudaForwardCompatLibDirPath)
 
-// createLdsoconfdFile creates a file at /etc/ld.so.conf.d/ in the specified root.
-// The file is created at /etc/ld.so.conf.d/{{ .pattern }} using `CreateTemp` and
-// contains the specified directories on each line.
-func (m command) createLdsoconfdFile(in containerRoot, pattern string, dirs ...string) error {
-	if len(dirs) == 0 {
-		m.logger.Debugf("No directories to add to /etc/ld.so.conf")
-		return nil
-	}
-
-	ldsoconfdDir, err := in.resolve("/etc/ld.so.conf.d")
-	if err != nil {
-		return err
-	}
-	if err := os.MkdirAll(ldsoconfdDir, 0755); err != nil {
-		return fmt.Errorf("failed to create ld.so.conf.d: %w", err)
-	}
-
-	configFile, err := os.CreateTemp(ldsoconfdDir, pattern)
-	if err != nil {
-		return fmt.Errorf("failed to create config file: %w", err)
-	}
-	defer configFile.Close()
-
-	m.logger.Debugf("Adding directories %v to %v", dirs, configFile.Name())
-
-	added := make(map[string]bool)
-	for _, dir := range dirs {
-		if added[dir] {
-			continue
-		}
-		_, err = configFile.WriteString(fmt.Sprintf("%s\n", dir))
-		if err != nil {
-			return fmt.Errorf("failed to update config file: %w", err)
-		}
-		added[dir] = true
-	}
-
-	// The created file needs to be world readable for the cases where the container is run as a non-root user.
-	if err := configFile.Chmod(0644); err != nil {
-		return fmt.Errorf("failed to chmod config file: %w", err)
-	}
-
-	return nil
+	return resolvedCompatDirPathInContainer, nil
 }
 
 // extractMajorVersion parses a version string and returns the major version as an int.

cmd/nvidia-cdi-hook/cudacompat/cudacompat_test.go

@@ -24,6 +24,8 @@ import (
 
 	testlog "github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/require"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
 )
 
 func TestCompatLibs(t *testing.T) {
@@ -130,53 +132,9 @@ func TestCompatLibs(t *testing.T) {
 			c := command{
 				logger: logger,
 			}
-			containerForwardCompatDir, err := c.getContainerForwardCompatDir(containerRoot(containerRootDir), tc.hostDriverVersion)
+			containerForwardCompatDir, err := c.getContainerForwardCompatDirPathInContainer(oci.ContainerRoot(containerRootDir), tc.hostDriverVersion)
 			require.NoError(t, err)
 			require.EqualValues(t, tc.expectedContainerForwardCompatDir, containerForwardCompatDir)
 		})
 	}
 }
-
-func TestUpdateLdconfig(t *testing.T) {
-	logger, _ := testlog.NewNullLogger()
-	testCases := []struct {
-		description      string
-		folders          []string
-		expectedContents string
-	}{
-		{
-			description: "no folders; have no contents",
-		},
-		{
-			description:      "single folder is added",
-			folders:          []string{"/usr/local/cuda/compat"},
-			expectedContents: "/usr/local/cuda/compat\n",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			containerRootDir := t.TempDir()
-			c := command{
-				logger: logger,
-			}
-			err := c.createLdsoconfdFile(containerRoot(containerRootDir), cudaCompatLdsoconfdFilenamePattern, tc.folders...)
-			require.NoError(t, err)
-
-			matches, err := filepath.Glob(filepath.Join(containerRootDir, "/etc/ld.so.conf.d/00-compat-*.conf"))
-			require.NoError(t, err)
-
-			if tc.expectedContents == "" {
-				require.Empty(t, matches)
-				return
-			}
-
-			require.Len(t, matches, 1)
-			contents, err := os.ReadFile(matches[0])
-			require.NoError(t, err)
-
-			require.EqualValues(t, tc.expectedContents, string(contents))
-		})
-	}
-
-}

cmd/nvidia-cdi-hook/update-ldcache/container-root.go

@@ -1,46 +0,0 @@
-/**
-# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package ldcache
-
-import (
-	"os"
-	"path/filepath"
-
-	"github.com/moby/sys/symlink"
-)
-
-// A containerRoot represents the root filesystem of a container.
-type containerRoot string
-
-// hasPath checks whether the specified path exists in the root.
-func (r containerRoot) hasPath(path string) bool {
-	resolved, err := r.resolve(path)
-	if err != nil {
-		return false
-	}
-	if _, err := os.Stat(resolved); err != nil && os.IsNotExist(err) {
-		return false
-	}
-	return true
-}
-
-// resolve returns the absolute path including root path.
-// Symlinks are resolved, but are guaranteed to resolve in the root.
-func (r containerRoot) resolve(path string) (string, error) {
-	absolute := filepath.Clean(filepath.Join(string(r), path))
-	return symlink.FollowSymlinkInScope(absolute, string(r))
-}

cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go

@@ -19,15 +19,14 @@ package ldcache
 import (
 	"errors"
 	"fmt"
-	"os"
 	"path/filepath"
-	"strings"
 
 	"github.com/urfave/cli/v2"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	safeexec "github.com/NVIDIA/nvidia-container-toolkit/internal/safe-exec"
 )
 
 const (
@@ -40,6 +39,7 @@ const (
 )
 
 type command struct {
+	safeexec.Execer
 	logger logger.Interface
 }
 
@@ -53,6 +53,7 @@ type options struct {
 func NewCommand(logger logger.Interface) *cli.Command {
 	c := command{
 		logger: logger,
+		Execer: safeexec.New(logger),
 	}
 	return c.build()
 }
@@ -108,16 +109,16 @@ func (m command) run(c *cli.Context, cfg *options) error {
 		return fmt.Errorf("failed to load container state: %v", err)
 	}
 
-	containerRootDir, err := s.GetContainerRoot()
-	if err != nil || containerRootDir == "" || containerRootDir == "/" {
+	containerRootDirPath, err := s.GetContainerRootDirPath()
+	if err != nil || containerRootDirPath == "" || containerRootDirPath == "/" {
 		return fmt.Errorf("failed to determined container root: %v", err)
 	}
 
-	ldconfigPath := m.resolveLDConfigPath(cfg.ldconfigPath)
+	ldconfigPath := config.ResolveLDConfigPathOnHost(cfg.ldconfigPath)
 	args := []string{
 		filepath.Base(ldconfigPath),
 		// Run ldconfig in the container root directory on the host.
-		"-r", containerRootDir,
+		"-r", string(containerRootDirPath),
 		// Explicitly specify using /etc/ld.so.conf since the host's ldconfig may
 		// be configured to use a different config file by default.
 		// Note that since we apply the `-r {{ .containerRootDir }}` argument, /etc/ld.so.conf is
@@ -125,9 +126,7 @@ func (m command) run(c *cli.Context, cfg *options) error {
 		"-f", "/etc/ld.so.conf",
 	}
 
-	containerRoot := containerRoot(containerRootDir)
-
-	if containerRoot.hasPath("/etc/ld.so.cache") {
+	if containerRootDirPath.HasPath("/etc/ld.so.cache") {
 		args = append(args, "-C", "/etc/ld.so.cache")
 	} else {
 		m.logger.Debugf("No ld.so.cache found, skipping update")
@@ -135,8 +134,8 @@ func (m command) run(c *cli.Context, cfg *options) error {
 	}
 
 	folders := cfg.folders.Value()
-	if containerRoot.hasPath("/etc/ld.so.conf.d") {
-		err := m.createLdsoconfdFile(containerRoot, ldsoconfdFilenamePattern, folders...)
+	if containerRootDirPath.HasPath("/etc/ld.so.conf.d") {
+		err := containerRootDirPath.CreateLdsoconfdFile(ldsoconfdFilenamePattern, folders...)
 		if err != nil {
 			return fmt.Errorf("failed to update ld.so.conf.d: %v", err)
 		}
@@ -144,57 +143,5 @@ func (m command) run(c *cli.Context, cfg *options) error {
 		args = append(args, folders...)
 	}
 
-	return m.SafeExec(ldconfigPath, args, nil)
-}
-
-// resolveLDConfigPath determines the LDConfig path to use for the system.
-// On systems such as Ubuntu where `/sbin/ldconfig` is a wrapper around
-// /sbin/ldconfig.real, the latter is returned.
-func (m command) resolveLDConfigPath(path string) string {
-	return strings.TrimPrefix(config.NormalizeLDConfigPath("@"+path), "@")
-}
-
-// createLdsoconfdFile creates a file at /etc/ld.so.conf.d/ in the specified root.
-// The file is created at /etc/ld.so.conf.d/{{ .pattern }} using `CreateTemp` and
-// contains the specified directories on each line.
-func (m command) createLdsoconfdFile(in containerRoot, pattern string, dirs ...string) error {
-	if len(dirs) == 0 {
-		m.logger.Debugf("No directories to add to /etc/ld.so.conf")
-		return nil
-	}
-
-	ldsoconfdDir, err := in.resolve("/etc/ld.so.conf.d")
-	if err != nil {
-		return err
-	}
-	if err := os.MkdirAll(ldsoconfdDir, 0755); err != nil {
-		return fmt.Errorf("failed to create ld.so.conf.d: %w", err)
-	}
-
-	configFile, err := os.CreateTemp(ldsoconfdDir, pattern)
-	if err != nil {
-		return fmt.Errorf("failed to create config file: %w", err)
-	}
-	defer configFile.Close()
-
-	m.logger.Debugf("Adding directories %v to %v", dirs, configFile.Name())
-
-	added := make(map[string]bool)
-	for _, dir := range dirs {
-		if added[dir] {
-			continue
-		}
-		_, err = configFile.WriteString(fmt.Sprintf("%s\n", dir))
-		if err != nil {
-			return fmt.Errorf("failed to update config file: %w", err)
-		}
-		added[dir] = true
-	}
-
-	// The created file needs to be world readable for the cases where the container is run as a non-root user.
-	if err := configFile.Chmod(0644); err != nil {
-		return fmt.Errorf("failed to chmod config file: %w", err)
-	}
-
-	return nil
+	return m.Exec(ldconfigPath, args, nil)
 }

cmd/nvidia-ctk-installer/container/toolkit/toolkit_test.go

@@ -95,6 +95,13 @@ containerEdits:
     - create-symlinks
     - --link
     - libcuda.so.1::/lib/x86_64-linux-gnu/libcuda.so
+  - hookName: createContainer
+    path: {{ .toolkitRoot }}/nvidia-cdi-hook
+    args:
+    - nvidia-cdi-hook
+    - create-soname-symlinks
+    - --folder
+    - /lib/x86_64-linux-gnu
   - hookName: createContainer
     path: {{ .toolkitRoot }}/nvidia-cdi-hook
     args:

cmd/nvidia-ctk/cdi/generate/generate_test.go

@@ -97,6 +97,13 @@ containerEdits:
     - nvidia-cdi-hook
     - enable-cuda-compat
     - --host-driver-version=999.88.77
+  - hookName: createContainer
+    path: /usr/bin/nvidia-cdi-hook
+    args:
+    - nvidia-cdi-hook
+    - create-soname-symlinks
+    - --folder
+    - /lib/x86_64-linux-gnu
   - hookName: createContainer
     path: /usr/bin/nvidia-cdi-hook
     args:

internal/config/cli.go

@@ -94,3 +94,10 @@ func (p ldconfigPath) normalize() ldconfigPath {
 func NormalizeLDConfigPath(path string) string {
 	return string(ldconfigPath(path).normalize())
 }
+
+// ResolveLDConfigPathOnHost determines the LDConfig path to use for the system.
+// The ldconfig path is normalized (i.e. /sbin/ldconfig or /sbin/ldconfig.real is used as required)
+// and is guaranteed to resolve on the host.
+func ResolveLDConfigPathOnHost(path string) string {
+	return strings.TrimPrefix(NormalizeLDConfigPath("@"+path), "@")
+}

internal/discover/ldconfig.go

@@ -50,16 +50,16 @@ func (d ldconfig) Hooks() ([]Hook, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to discover mounts for ldcache update: %v", err)
 	}
-	h := CreateLDCacheUpdateHook(
+	hooks := CreateLDCacheUpdateHooks(
 		d.nvidiaCDIHookPath,
 		d.ldconfigPath,
 		getLibraryPaths(mounts),
 	)
-	return []Hook{h}, nil
+	return hooks, nil
 }
 
-// CreateLDCacheUpdateHook locates the NVIDIA Container Toolkit CLI and creates a hook for updating the LD Cache
-func CreateLDCacheUpdateHook(executable string, ldconfig string, libraries []string) Hook {
+// CreateLDCacheUpdateHooks locates the NVIDIA Container Toolkit CLI and creates a hook for updating the LD Cache
+func CreateLDCacheUpdateHooks(executable string, ldconfig string, libraries []string) []Hook {
 	var args []string
 
 	if ldconfig != "" {
@@ -70,13 +70,20 @@ func CreateLDCacheUpdateHook(executable string, ldconfig string, libraries []str
 		args = append(args, "--folder", f)
 	}
 
-	hook := CreateNvidiaCDIHook(
-		executable,
-		"update-ldcache",
-		args...,
-	)
+	hooks := []Hook{
+		CreateNvidiaCDIHook(
+			executable,
+			"create-soname-symlinks",
+			args...,
+		),
+		CreateNvidiaCDIHook(
+			executable,
+			"update-ldcache",
+			args...,
+		),
+	}
 
-	return hook
+	return hooks
 }
 
 // getLibraryPaths extracts the library dirs from the specified mounts

internal/discover/ldconfig_test.go

@@ -38,11 +38,22 @@ func TestLDCacheUpdateHook(t *testing.T) {
 		mounts        []Mount
 		mountError    error
 		expectedError error
-		expectedArgs  []string
+		expectedHooks []Hook
 	}{
 		{
-			description:  "empty mounts",
-			expectedArgs: []string{"nvidia-cdi-hook", "update-ldcache"},
+			description: "empty mounts",
+			expectedHooks: []Hook{
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "create-soname-symlinks"},
+				},
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "update-ldcache"},
+				},
+			},
 		},
 		{
 			description:   "mount error",
@@ -65,7 +76,18 @@ func TestLDCacheUpdateHook(t *testing.T) {
 					Path: "/usr/local/lib/libbar.so",
 				},
 			},
-			expectedArgs: []string{"nvidia-cdi-hook", "update-ldcache", "--folder", "/usr/local/lib", "--folder", "/usr/local/libother"},
+			expectedHooks: []Hook{
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "create-soname-symlinks", "--folder", "/usr/local/lib", "--folder", "/usr/local/libother"},
+				},
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "update-ldcache", "--folder", "/usr/local/lib", "--folder", "/usr/local/libother"},
+				},
+			},
 		},
 		{
 			description: "host paths are ignored",
@@ -75,12 +97,34 @@ func TestLDCacheUpdateHook(t *testing.T) {
 					Path:     "/usr/local/lib/libfoo.so",
 				},
 			},
-			expectedArgs: []string{"nvidia-cdi-hook", "update-ldcache", "--folder", "/usr/local/lib"},
+			expectedHooks: []Hook{
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "create-soname-symlinks", "--folder", "/usr/local/lib"},
+				},
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "update-ldcache", "--folder", "/usr/local/lib"},
+				},
+			},
 		},
 		{
 			description:  "explicit ldconfig path is passed",
 			ldconfigPath: testLdconfigPath,
-			expectedArgs: []string{"nvidia-cdi-hook", "update-ldcache", "--ldconfig-path", testLdconfigPath},
+			expectedHooks: []Hook{
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "create-soname-symlinks", "--ldconfig-path", testLdconfigPath},
+				},
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "update-ldcache", "--ldconfig-path", testLdconfigPath},
+				},
+			},
 		},
 	}
 
@@ -91,12 +135,6 @@ func TestLDCacheUpdateHook(t *testing.T) {
 					return tc.mounts, tc.mountError
 				},
 			}
-			expectedHook := Hook{
-				Path:      testNvidiaCDIHookPath,
-				Args:      tc.expectedArgs,
-				Lifecycle: "createContainer",
-			}
-
 			d, err := NewLDCacheUpdateHook(logger, mountMock, testNvidiaCDIHookPath, tc.ldconfigPath)
 			require.NoError(t, err)
 
@@ -110,9 +148,7 @@ func TestLDCacheUpdateHook(t *testing.T) {
 			}
 
 			require.NoError(t, err)
-			require.Len(t, hooks, 1)
-
-			require.EqualValues(t, hooks[0], expectedHook)
+			require.EqualValues(t, tc.expectedHooks, hooks)
 
 			devices, err := d.Devices()
 			require.NoError(t, err)

internal/oci/container-root.go

@@ -0,0 +1,134 @@
+/**
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package oci
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/moby/sys/symlink"
+)
+
+// A ContainerRoot represents the root directory of a container's filesystem.
+type ContainerRoot string
+
+// CreateLdsoconfdFile creates a file at /etc/ld.so.conf.d/ in the specified container root.
+// The file is created at /etc/ld.so.conf.d/{{ .pattern }} using `CreateTemp` and
+// contains the specified directories on each line.
+func (r ContainerRoot) CreateLdsoconfdFile(pattern string, dirs ...string) error {
+	if len(dirs) == 0 {
+		return nil
+	}
+
+	ldsoconfdDir, err := r.Resolve("/etc/ld.so.conf.d")
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(ldsoconfdDir, 0755); err != nil {
+		return fmt.Errorf("failed to create ld.so.conf.d: %w", err)
+	}
+
+	configFile, err := os.CreateTemp(ldsoconfdDir, pattern)
+	if err != nil {
+		return fmt.Errorf("failed to create config file: %w", err)
+	}
+	defer configFile.Close()
+
+	added := make(map[string]bool)
+	for _, dir := range dirs {
+		if added[dir] {
+			continue
+		}
+		_, err = configFile.WriteString(fmt.Sprintf("%s\n", dir))
+		if err != nil {
+			return fmt.Errorf("failed to update config file: %w", err)
+		}
+		added[dir] = true
+	}
+
+	// The created file needs to be world readable for the cases where the container is run as a non-root user.
+	if err := configFile.Chmod(0644); err != nil {
+		return fmt.Errorf("failed to chmod config file: %w", err)
+	}
+
+	return nil
+}
+
+// GlobFiles matches the specified pattern in the container root.
+// The files that match must be regular files. Symlinks and directories are ignored.
+func (r ContainerRoot) GlobFiles(pattern string) ([]string, error) {
+	patternPath, err := r.Resolve(pattern)
+	if err != nil {
+		return nil, err
+	}
+	matches, err := filepath.Glob(patternPath)
+	if err != nil {
+		return nil, err
+	}
+	var files []string
+	for _, match := range matches {
+		info, err := os.Lstat(match)
+		if err != nil {
+			return nil, err
+		}
+		// Ignore symlinks.
+		if info.Mode()&os.ModeSymlink != 0 {
+			continue
+		}
+		// Ignore directories.
+		if info.IsDir() {
+			continue
+		}
+		files = append(files, match)
+	}
+	return files, nil
+}
+
+// HasPath checks whether the specified path exists in the root.
+func (r ContainerRoot) HasPath(path string) bool {
+	resolved, err := r.Resolve(path)
+	if err != nil {
+		return false
+	}
+	if _, err := os.Stat(resolved); err != nil && os.IsNotExist(err) {
+		return false
+	}
+	return true
+}
+
+// Resolve returns the absolute path including root path.
+// Symlinks are resolved, but are guaranteed to resolve in the root.
+func (r ContainerRoot) Resolve(path string) (string, error) {
+	absolute := filepath.Clean(filepath.Join(string(r), path))
+	return symlink.FollowSymlinkInScope(absolute, string(r))
+}
+
+// ToContainerPath converts the specified path to a path in the container.
+// Relative paths and absolute paths that are in the container root are returned as is.
+func (r ContainerRoot) ToContainerPath(path string) string {
+	if !filepath.IsAbs(path) {
+		return path
+	}
+	if !strings.HasPrefix(path, string(r)) {
+		return path
+	}
+
+	return strings.TrimPrefix(path, string(r))
+}

internal/oci/container-root_test.go

@@ -0,0 +1,66 @@
+/**
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package oci
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestUpdateLdconfig(t *testing.T) {
+	testCases := []struct {
+		description      string
+		folders          []string
+		expectedContents string
+	}{
+		{
+			description: "no folders; have no contents",
+		},
+		{
+			description:      "single folder is added",
+			folders:          []string{"/usr/local/cuda/compat"},
+			expectedContents: "/usr/local/cuda/compat\n",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			containerRootDir := t.TempDir()
+			c := ContainerRoot(containerRootDir)
+			err := c.CreateLdsoconfdFile("00-test-*.conf", tc.folders...)
+			require.NoError(t, err)
+
+			matches, err := filepath.Glob(filepath.Join(containerRootDir, "/etc/ld.so.conf.d/00-test-*.conf"))
+			require.NoError(t, err)
+
+			if tc.expectedContents == "" {
+				require.Empty(t, matches)
+				return
+			}
+
+			require.Len(t, matches, 1)
+			contents, err := os.ReadFile(matches[0])
+			require.NoError(t, err)
+
+			require.EqualValues(t, tc.expectedContents, string(contents))
+		})
+	}
+
+}

internal/oci/state.go

@@ -72,9 +72,11 @@ func (s *State) LoadSpec() (*specs.Spec, error) {
 	return spec, nil
 }
 
-// GetContainerRoot returns the root for the container from the associated spec. If the spec is not yet loaded, it is
-// loaded and cached.
-func (s *State) GetContainerRoot() (string, error) {
+// GetContainerRootDirPath returns the root for the container from the associated spec.
+// If the spec is not yet loaded, it is loaded and cached.
+// The container root directory is the absolute path to the directory containing the root
+// of the container filesystem on the host.
+func (s *State) GetContainerRootDirPath() (ContainerRoot, error) {
 	spec, err := s.LoadSpec()
 	if err != nil {
 		return "", err
@@ -85,9 +87,9 @@ func (s *State) GetContainerRoot() (string, error) {
 		containerRoot = spec.Root.Path
 	}
 
-	if filepath.IsAbs(containerRoot) {
-		return containerRoot, nil
+	if !filepath.IsAbs(containerRoot) {
+		containerRoot = filepath.Join(s.Bundle, containerRoot)
 	}
 
-	return filepath.Join(s.Bundle, containerRoot), nil
+	return ContainerRoot(containerRoot), nil
 }

internal/safe-exec/safe-exec.go

@@ -0,0 +1,37 @@
+/**
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package safeexec
+
+import "github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
+
+// An Execer implements an Exec function.
+type Execer interface {
+	Exec(string, []string, []string) error
+}
+
+// A safeExecer is used to Exec an application from a memfd to prevent possible
+// tampering.
+type safeExecer struct {
+	logger logger.Interface
+}
+
+// New creates a safe Execer with the specified logger.
+func New(logger logger.Interface) Execer {
+	return &safeExecer{
+		logger: logger,
+	}
+}

internal/safe-exec/safe-exec_linux.go

@@ -14,7 +14,7 @@
 # limitations under the License.
 **/
 
-package ldcache
+package safeexec
 
 import (
 	"fmt"
@@ -25,11 +25,11 @@ import (
 	"github.com/opencontainers/runc/libcontainer/dmz"
 )
 
-// SafeExec attempts to clone the specified binary (as an memfd, for example) before executing it.
-func (m command) SafeExec(path string, args []string, envv []string) error {
+// Exec attempts to clone the specified binary (as an memfd, for example) before executing it.
+func (s *safeExecer) Exec(path string, args []string, envv []string) error {
 	safeExe, err := cloneBinary(path)
 	if err != nil {
-		m.logger.Warningf("Failed to clone binary %q: %v; falling back to Exec", path, err)
+		s.logger.Warningf("Failed to clone binary %q: %v; falling back to Exec", path, err)
 		//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 		return syscall.Exec(path, args, envv)
 	}

internal/safe-exec/safe-exec_other.go

@@ -17,13 +17,14 @@
 # limitations under the License.
 **/
 
-package ldcache
+package safeexec
 
 import "syscall"
 
-// SafeExec is not implemented on non-linux systems and forwards directly to the
+// Exec is not implemented on non-linux systems and forwards directly to the
 // Exec syscall.
-func (m *command) SafeExec(path string, args []string, envv []string) error {
+func (s *safeExecer) Exec(path string, args []string, envv []string) error {
+	s.logger.Warningf("Cloning binary not implemented for binary %q; falling back to Exec", path)
 	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	return syscall.Exec(path, args, envv)
 }

tests/e2e/nvidia-container-toolkit_test.go

@@ -215,4 +215,26 @@ var _ = Describe("docker", Ordered, ContinueOnFailure, func() {
 			Expect(ldconfigOut).To(ContainSubstring("/usr/lib64"))
 		})
 	})
+
+	When("A container is run using CDI", Ordered, func() {
+		BeforeAll(func(ctx context.Context) {
+			_, _, err := r.Run("docker pull ubuntu")
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("should include libcuda.so in the ldcache", func(ctx context.Context) {
+			ldcacheOutput, _, err := r.Run("docker run --rm -i --runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=runtime.nvidia.com/gpu=all ubuntu bash -c \"ldconfig -p | grep 'libcuda.so'\"")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(ldcacheOutput).ToNot(BeEmpty())
+
+			ldcacheLines := strings.Split(ldcacheOutput, "\n")
+			var libs []string
+			for _, line := range ldcacheLines {
+				parts := strings.SplitN(line, " (", 2)
+				libs = append(libs, strings.TrimSpace(parts[0]))
+			}
+
+			Expect(libs).To(ContainElements([]string{"libcuda.so", "libcuda.so.1"}))
+		})
+	})
 })