Merge branch 'ignore-nvidia-visible-devices' into 'master'

Ignore NVIDIA_VISIBLE_DEVICES for containers with insufficent privileges See merge request nvidia/container-toolkit/container-toolkit!25
2025-01-22 18:47:32 +00:00 · 2021-01-25 10:25:00 +00:00 · 2021-01-25 10:25:00 +00:00 · e8aa3cc8c3
commit e8aa3cc8c3
parent 97516467c0 fc408a32c7
3 changed files with 20 additions and 11 deletions
--- a/pkg/container_config.go
+++ b/pkg/container_config.go
@ -295,8 +295,8 @@ func getDevices(hookConfig *HookConfig, env map[string]string, mounts []Mount, p
 		return devices
 	}

-	// Error out otherwise
-	log.Panicln("insufficient privileges to read device list from NVIDIA_VISIBLE_DEVICES envvar")
+	configName := hookConfig.getConfigOption("AcceptEnvvarUnprivileged")
+	log.Printf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES (privileged=%v, %v=%v) ", privileged, configName, hookConfig.AcceptEnvvarUnprivileged)

 	return nil
 }
--- a/pkg/container_test.go
+++ b/pkg/container_test.go
@ -540,7 +540,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
 		acceptUnprivileged bool
 		acceptMounts       bool
 		expectedDevices    *string
-		expectedPanic      bool
 	}{
 		{
 			description: "Mount devices, unprivileged, no accept unprivileged",
@ -567,7 +566,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			privileged:         false,
 			acceptUnprivileged: false,
 			acceptMounts:       true,
-			expectedPanic:      true,
+			expectedDevices:    nil,
 		},
 		{
 			description:        "No mount devices, privileged, no accept unprivileged",
@ -621,7 +620,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			privileged:         false,
 			acceptUnprivileged: false,
 			acceptMounts:       false,
-			expectedPanic:      true,
+			expectedDevices:    nil,
 		},
 	}
 	for _, tc := range tests {
@ -638,12 +637,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
 				devices = getDevices(&hookConfig, env, tc.mountDevices, tc.privileged, false)
 			}

-			// For any tests that are expected to panic, make sure they do.
-			if tc.expectedPanic {
-				mustPanic(t, getDevices)
-				return
-			}
-
 			// For all other tests, just grab the devices and check the results
 			getDevices()
 			if !reflect.DeepEqual(devices, tc.expectedDevices) {
--- a/pkg/hook_config.go
+++ b/pkg/hook_config.go
@ -4,6 +4,7 @@ import (
 	"log"
 	"os"
 	"path"
+	"reflect"

 	"github.com/BurntSushi/toml"
 )
@ -86,3 +87,18 @@ func getHookConfig() (config HookConfig) {

 	return config
 }
+
+// getConfigOption returns the toml config option associated with the
+// specified struct field.
+func (c HookConfig) getConfigOption(fieldName string) string {
+	t := reflect.TypeOf(c)
+	f, ok := t.FieldByName(fieldName)
+	if !ok {
+		return fieldName
+	}
+	v, ok := f.Tag.Lookup("toml")
+	if !ok {
+		return fieldName
+	}
+	return v
+}