Ignore NVIDIA_VISIBLE_DEVICES for containers with insufficient privileges

This change ignores the value of NVIDIA_VISIBLE_DEVICES instead of
raising an error when launching a container with insufficient permissions.

This changes the behaviour under the following conditions:

NVIDIA_VISIBLE_DEVICES is set
and

accept-nvidia-visible-devices-envvar-when-unprivileged = false (default: true)

or

privileged = false (default: false)

This means that a user need not explicitly clear the NVIDIA_VISIBLE_DEVICES
environment variable if no GPUs are to be used in unprivileged containers.
Note that this envvar is set to 'all' by default in many CUDA images that
are used as base images.

Signed-off-by: Evan Lezar <elezar@nvidia.com>
Evan Lezar 2021-01-22 14:21:16 +01:00
parent 97516467c0
commit f6b1b1afad
2 changed files with 3 additions and 11 deletions


@ -295,8 +295,7 @@ func getDevices(hookConfig *HookConfig, env map[string]string, mounts []Mount, p
return devices return devices
} }
// Error out otherwise log.Printf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES (privileged=%v, config.accept-nvidia-visible-devices-envvar-when-unprivileged=%v) ", privileged, hookConfig.AcceptEnvvarUnprivileged)
log.Panicln("insufficient privileges to read device list from NVIDIA_VISIBLE_DEVICES envvar")
return nil return nil
} }
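Review bot: With the panic gone, the tail of getDevices returns nil both when the envvar request is refused and, presumably, when nothing was requested, so the log line at the end of this hunk is the only record that a device request was denied. Nothing replaces the removed `// Error out otherwise` comment to say the nil return is deliberate; I would add `// Unprivileged containers may not select devices through the envvar: ignore the request and inject no GPUs.` above the log call. The format string also ends in a stray space (`...=%v) "`), which is worth trimming so that log matching stays exact. The start of getDevices is outside the hunk, so the earlier return paths are not checked here.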


@ -540,7 +540,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
acceptUnprivileged bool acceptUnprivileged bool
acceptMounts bool acceptMounts bool
expectedDevices *string expectedDevices *string
expectedPanic bool
}{ }{
{ {
description: "Mount devices, unprivileged, no accept unprivileged", description: "Mount devices, unprivileged, no accept unprivileged",
@ -567,7 +566,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
privileged: false, privileged: false,
acceptUnprivileged: false, acceptUnprivileged: false,
acceptMounts: true, acceptMounts: true,
expectedPanic: true, expectedDevices: nil,
}, },
{ {
description: "No mount devices, privileged, no accept unprivileged", description: "No mount devices, privileged, no accept unprivileged",
@ -621,7 +620,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
privileged: false, privileged: false,
acceptUnprivileged: false, acceptUnprivileged: false,
acceptMounts: false, acceptMounts: false,
expectedPanic: true, expectedDevices: nil,
}, },
} }
for _, tc := range tests { for _, tc := range tests {
@ -638,12 +637,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
devices = getDevices(&hookConfig, env, tc.mountDevices, tc.privileged, false) devices = getDevices(&hookConfig, env, tc.mountDevices, tc.privileged, false)
} }
// For any tests that are expected to panic, make sure they do.
if tc.expectedPanic {
mustPanic(t, getDevices)
return
}
// For all other tests, just grab the devices and check the results // For all other tests, just grab the devices and check the results
getDevices() getDevices()
if !reflect.DeepEqual(devices, tc.expectedDevices) { if !reflect.DeepEqual(devices, tc.expectedDevices) {