From b063fa40b1a027a779fcf1039065726967ce3f18 Mon Sep 17 00:00:00 2001
From: Carlos Eduardo Arango Gutierrez
Date: Tue, 2 May 2023 19:36:40 +0000
Subject: [PATCH] Merge branch 'fix-cdi-spec-permissions' into 'main'

Generate CDI specifications with 644 permissions to allow non-root clients to consume them

See merge request nvidia/container-toolkit/container-toolkit!381
---
 CHANGELOG.md | 2 ++
 cmd/nvidia-ctk/cdi/generate/generate.go | 1 +
 pkg/nvcdi/spec/builder.go | 13 ++++++++++++-
 pkg/nvcdi/spec/spec.go | 13 +++++++++++--
 4 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9bdf7452..907baf19 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## v1.13.3
 
+* Generate CDI specification files with `644` permissions to allow rootless applications (e.g. podman).
+
 * [toolkit-container] Allow same envars for all runtime configs
 
 ## v1.13.2
diff --git a/cmd/nvidia-ctk/cdi/generate/generate.go b/cmd/nvidia-ctk/cdi/generate/generate.go
index 6ab27b00..a81f41a5 100644
--- a/cmd/nvidia-ctk/cdi/generate/generate.go
+++ b/cmd/nvidia-ctk/cdi/generate/generate.go
@@ -251,6 +251,7 @@ func (m command) generateSpec(cfg *config) (spec.Interface, error) {
 spec.WithDeviceSpecs(deviceSpecs),
 spec.WithEdits(*commonEdits.ContainerEdits),
 spec.WithFormat(cfg.format),
+spec.WithPermissions(0644),
 )
 }
 
diff --git a/pkg/nvcdi/spec/builder.go b/pkg/nvcdi/spec/builder.go
index 6379ad0f..32b27f8d 100644
--- a/pkg/nvcdi/spec/builder.go
+++ b/pkg/nvcdi/spec/builder.go
@@ -18,6 +18,7 @@ package spec
 
 import (
 "fmt"
+"os"
 
 "github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
 "github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
@@ -33,6 +34,7 @@ type builder struct {
 edits specs.ContainerEdits
 format string
 noSimplify bool
+permissions os.FileMode
 }
 
 // newBuilder creates a new spec builder with the supplied options
@@ -60,7 +62,9 @@ func newBuilder(opts ...Option) *builder {
 if s.format == "" {
 s.format = FormatYAML
 }
-
+if s.permissions == 0 {
+s.permissions = 0600
+}
 return s
 }
 
@@ -157,3 +161,10 @@ func WithRawSpec(raw *specs.Spec) Option {
 o.raw = raw
 }
 }
+
+// WithPermissions sets the permissions for the generated spec file
+func WithPermissions(permissions os.FileMode) Option {
+return func(o *builder) {
+o.permissions = permissions
+}
+}
diff --git a/pkg/nvcdi/spec/spec.go b/pkg/nvcdi/spec/spec.go
index 2bb26a71..999220b7 100644
--- a/pkg/nvcdi/spec/spec.go
+++ b/pkg/nvcdi/spec/spec.go
@@ -28,7 +28,8 @@ import (
 
 type spec struct {
 *specs.Spec
-format string
+format string
+permissions os.FileMode
 }
 
 var _ Interface = (*spec)(nil)
@@ -51,7 +52,15 @@ func (s *spec) Save(path string) error {
 cdi.WithSpecDirs(specDir),
 )
 
-return registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path))
+if err := registry.SpecDB().WriteSpec(s.Raw(), filepath.Base(path)); err != nil {
+return fmt.Errorf("failed to write spec: %w", err)
+}
+
+if err := os.Chmod(path, s.permissions); err != nil {
+return fmt.Errorf("failed to set permissions on spec file: %w", err)
+}
+
+return nil
 }
 
 // WriteTo writes the spec to the specified writer.
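Review bot: The mode in `spec.WithPermissions(0644)` is a literal rather than a value from `cfg`, so unlike the neighbouring `spec.WithFormat(cfg.format)` an operator has no way to keep the generated spec private to root; consider plumbing the mode through `cfg` the way the format is. Whether 0644 actually lets non-root clients read the spec also depends on the mode of the directory it is written into, which this call does not control, so a comment on the new line recording the intent, e.g. `// world-readable so that rootless clients (e.g. podman) can consume the spec`, would help the next reader understand why the file is wider than the library's default. generateSpec's body starts outside the hunk.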
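Review bot: The doc comment on `WithPermissions` does not say what happens when the option is omitted, although the `newBuilder` hunk above makes a zero value mean "use 0600"; suggest `// WithPermissions sets the permissions for the generated spec file. If it is not set (or is 0), the file is written with mode 0600.` Because 0 doubles as the unset sentinel, a caller cannot request an explicit mode of 0, which is probably acceptable but is worth stating in the same comment so the limitation is deliberate rather than discovered.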
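Review bot: Nothing in this patch assigns the builder's new `permissions` value into `spec.permissions`: builder.go gains the field, the 0600 default and `WithPermissions`, and spec.go gains the field and the `os.Chmod(path, s.permissions)` call, but the code that constructs the `spec` value from the builder is not touched by any hunk and the diffstat (26 insertions across these four files) leaves no room for it. Unless that construction already copies the field, `s.permissions` is zero here and the Chmod strips every permission bit from the freshly written spec, the opposite of the intent; the fix is `permissions: o.permissions` where the spec is built, plus a test that calls `Save` and checks the mode via `os.Stat`. Separately, `WriteSpec` creates the file first and the mode is adjusted only afterwards, so if the cdi library's create mode is more permissive than `s.permissions` there is a brief window at the wider mode; whether the mode can be supplied up front depends on the cdi API, which is not visible here. Save's body starts outside the hunk.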