Merge branch 'ignore-nvidia-visible-devices' into 'master'

Ignore NVIDIA_VISIBLE_DEVICES for containers with insufficient privileges

See merge request nvidia/container-toolkit/container-toolkit!25
Kevin Klues 2021-01-25 10:25:00 +00:00
commit e8aa3cc8c3
3 changed files with 20 additions and 11 deletions


@ -295,8 +295,8 @@ func getDevices(hookConfig *HookConfig, env map[string]string, mounts []Mount, p
return devices return devices
} }
// Error out otherwise configName := hookConfig.getConfigOption("AcceptEnvvarUnprivileged")
log.Panicln("insufficient privileges to read device list from NVIDIA_VISIBLE_DEVICES envvar") log.Printf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES (privileged=%v, %v=%v) ", privileged, configName, hookConfig.AcceptEnvvarUnprivileged)
return nil return nil
} }
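Review bot: The fall-through that used to carry `// Error out otherwise` now has no comment, yet it is the deny path for unprivileged containers and should say so, e.g. `// Unprivileged and not opted in: ignore the envvar and return no devices.` The `log.Printf` format string also ends in a stray space before the closing quote. Since the hook no longer panics here, this log line is presumably the only signal that a device request was dropped, so its wording is worth keeping stable and easy to search for. getDevices begins above this hunk, so the earlier branches are not visible here.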


@ -540,7 +540,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
acceptUnprivileged bool acceptUnprivileged bool
acceptMounts bool acceptMounts bool
expectedDevices *string expectedDevices *string
expectedPanic bool
}{ }{
{ {
description: "Mount devices, unprivileged, no accept unprivileged", description: "Mount devices, unprivileged, no accept unprivileged",
@ -567,7 +566,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
privileged: false, privileged: false,
acceptUnprivileged: false, acceptUnprivileged: false,
acceptMounts: true, acceptMounts: true,
expectedPanic: true, expectedDevices: nil,
}, },
{ {
description: "No mount devices, privileged, no accept unprivileged", description: "No mount devices, privileged, no accept unprivileged",
@ -621,7 +620,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
privileged: false, privileged: false,
acceptUnprivileged: false, acceptUnprivileged: false,
acceptMounts: false, acceptMounts: false,
expectedPanic: true, expectedDevices: nil,
}, },
} }
for _, tc := range tests { for _, tc := range tests {
@ -638,12 +637,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
devices = getDevices(&hookConfig, env, tc.mountDevices, tc.privileged, false) devices = getDevices(&hookConfig, env, tc.mountDevices, tc.privileged, false)
} }
// For any tests that are expected to panic, make sure they do.
if tc.expectedPanic {
mustPanic(t, getDevices)
return
}
// For all other tests, just grab the devices and check the results // For all other tests, just grab the devices and check the results
getDevices() getDevices()
if !reflect.DeepEqual(devices, tc.expectedDevices) { if !reflect.DeepEqual(devices, tc.expectedDevices) {
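Review bot: The two cases changed to `expectedDevices: nil` (hunks at 566 and 620) no longer state why nil is expected; a trailing comment such as `// envvar ignored: unprivileged and not opted in` would keep the intent of the deny path visible in the table. With the `tc.expectedPanic` branch removed, `mustPanic` may have no remaining callers in this file; if so it can be deleted, though its definition lies outside the visible hunks.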


@ -4,6 +4,7 @@ import (
"log" "log"
"os" "os"
"path" "path"
"reflect"
"github.com/BurntSushi/toml" "github.com/BurntSushi/toml"
) )
@ -86,3 +87,18 @@ func getHookConfig() (config HookConfig) {
return config return config
} }
// getConfigOption returns the toml config option associated with the
// specified struct field.
func (c HookConfig) getConfigOption(fieldName string) string {
t := reflect.TypeOf(c)
f, ok := t.FieldByName(fieldName)
if !ok {
return fieldName
}
v, ok := f.Tag.Lookup("toml")
if !ok {
return fieldName
}
return v
}
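Review bot: `f.Tag.Lookup("toml")` returns the whole tag value, so a tag carrying options (for example `toml:"name,omitempty"`) would make getConfigOption return `name,omitempty` rather than the key. The HookConfig struct tags are not visible here, so this may not matter today, but trimming at the first comma is cheap: `return strings.Split(v, ",")[0]`, with `"strings"` added to the import block. Both `!ok` branches fall back to the Go field name silently, so a misspelt field name at a call site only changes the log text; that is acceptable for logging but deserves a sentence in the doc comment.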