Ignore NVIDIA_VISIBLE_DEVICES for containers with insufficent privileges

This change ignores the value of NVIDIA_VISIBLE_DEVICES instead of raising an error when launching a container with insufficient permissions. This changes the behaviour under the following conditions: NVIDIA_VISIBLE_DEVICES is set and accept-nvidia-visible-devices-envvar-when-unprivileged = false (default: true) or privileged = false (default: false) This means that a user need not explicitly clear the NVIDIA_VISIBLE_DEVICES environment variable if no GPUs are to be used in unprivileged containers. Note that this envvar is set to 'all' by default in many CUDA images that are used as base images. Signed-off-by: Evan Lezar <elezar@nvidia.com>
2024-11-22 00:08:11 +00:00 · 2021-01-22 14:21:16 +01:00 · 2021-01-22 14:21:16 +01:00 · f6b1b1afad
commit f6b1b1afad
parent 97516467c0
2 changed files with 3 additions and 11 deletions
--- a/pkg/container_config.go
+++ b/pkg/container_config.go
@ -295,8 +295,7 @@ func getDevices(hookConfig *HookConfig, env map[string]string, mounts []Mount, p
 		return devices
 	}

-	// Error out otherwise
-	log.Panicln("insufficient privileges to read device list from NVIDIA_VISIBLE_DEVICES envvar")
+	log.Printf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES (privileged=%v, config.accept-nvidia-visible-devices-envvar-when-unprivileged=%v) ", privileged, hookConfig.AcceptEnvvarUnprivileged)

 	return nil
 }
--- a/pkg/container_test.go
+++ b/pkg/container_test.go
@ -540,7 +540,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
 		acceptUnprivileged bool
 		acceptMounts       bool
 		expectedDevices    *string
-		expectedPanic      bool
 	}{
 		{
 			description: "Mount devices, unprivileged, no accept unprivileged",
@ -567,7 +566,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			privileged:         false,
 			acceptUnprivileged: false,
 			acceptMounts:       true,
-			expectedPanic:      true,
+			expectedDevices:    nil,
 		},
 		{
 			description:        "No mount devices, privileged, no accept unprivileged",
@ -621,7 +620,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			privileged:         false,
 			acceptUnprivileged: false,
 			acceptMounts:       false,
-			expectedPanic:      true,
+			expectedDevices:    nil,
 		},
 	}
 	for _, tc := range tests {
@ -638,12 +637,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
 				devices = getDevices(&hookConfig, env, tc.mountDevices, tc.privileged, false)
 			}

-			// For any tests that are expected to panic, make sure they do.
-			if tc.expectedPanic {
-				mustPanic(t, getDevices)
-				return
-			}
-
 			// For all other tests, just grab the devices and check the results
 			getDevices()
 			if !reflect.DeepEqual(devices, tc.expectedDevices) {