UniqAI/nvidia-container-toolkit
1
0
Fork 0
mirror of https://github.com/NVIDIA/nvidia-container-toolkit synced 2024-11-25 21:39:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Include chmod hook for device subfolders in CDI spec generation

Browse Source 
This change generates one or more createContainer hooks for ensuring
that subfolders in /dev have the required permissions in the container.
As an example, a user requires read permissions to the /dev/nvidia-caps
in addition to including the specific caps devices under this folder.

Signed-off-by: Evan Lezar <elezar@nvidia.com>
This commit is contained in:
Evan Lezar 2022-10-21 13:29:21 +02:00
parent 4abdc2f35d
commit ae18c5d847
1 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
cmd/nvidia-ctk/info/generate-cdi/generate-cdi.go
View File

@ -26,6 +26,7 @@ import (
"github.com/NVIDIA/nvidia-container-toolkit/internal/discover" "github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
"github.com/NVIDIA/nvidia-container-toolkit/internal/ldcache" "github.com/NVIDIA/nvidia-container-toolkit/internal/ldcache"
"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup" "github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
specs "github.com/container-orchestrated-devices/container-device-interface/specs-go" specs "github.com/container-orchestrated-devices/container-device-interface/specs-go"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
@ -212,7 +213,12 @@ func (m command) generateSpec() (*specs.Spec, error) {
ldcacheUpdateHook := m.generateUpdateLdCacheHook(libraries) ldcacheUpdateHook := m.generateUpdateLdCacheHook(libraries)
spec.ContainerEdits.Hooks = []*specs.Hook{ldcacheUpdateHook} deviceFolderPermissionHooks, err := m.generateDeviceFolderPermissionHooks(ldcacheUpdateHook.Path, allDeviceNodes)
if err != nil {
return nil, fmt.Errorf("failed to generated permission hooks for device nodes: %v", err)
}
spec.ContainerEdits.Hooks = append([]*specs.Hook{ldcacheUpdateHook}, deviceFolderPermissionHooks...)
return &spec, nil return &spec, nil
} }
@ -384,3 +390,49 @@ func (m command) generateUpdateLdCacheHook(libraries []string) *specs.Hook {
Args: hook.Args, Args: hook.Args,
} }
} }
func (m command) generateDeviceFolderPermissionHooks(nvidiaCTKPath string, deviceNodes []*specs.DeviceNode) ([]*specs.Hook, error) {
var deviceFolders []string
seen := make(map[string]bool)
for _, dn := range deviceNodes {
if !strings.HasPrefix(dn.Path, "/dev") {
m.logger.Warningf("Skipping unexpected device folder path for device %v", dn.Path)
continue
}
for df := filepath.Dir(dn.Path); df != "/dev"; df = filepath.Dir(df) {
if seen[df] {
continue
}
deviceFolders = append(deviceFolders, df)
seen[df] = true
}
}
foldersByMode := make(map[string][]string)
for _, p := range deviceFolders {
info, err := os.Stat(p)
if err != nil {
return nil, fmt.Errorf("failed to get info for path %v: %v", p, err)
}
mode := fmt.Sprintf("%o", info.Mode().Perm())
foldersByMode[mode] = append(foldersByMode[mode], p)
}
var hooks []*specs.Hook
for mode, folders := range foldersByMode {
args := []string{filepath.Base(nvidiaCTKPath), "hook", "chmod", "--mode", mode}
for _, folder := range folders {
args = append(args, "--path", folder)
}
hook := specs.Hook{
HookName: cdi.CreateContainerHook,
Path: nvidiaCTKPath,
Args: args,
}
hooks = append(hooks, &hook)
}
return hooks, nil
}