Merge pull request #340 from elezar/cherry-pick-v1.14.5

Update dependencies for v1.14.5 release

.github/workflows/blossom-ci.yml

@@ -1,113 +0,0 @@
-# Copyright (c) 2020-2023, NVIDIA CORPORATION.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# A workflow to trigger ci on hybrid infra (github + self hosted runner)
-name: Blossom-CI
-on:
-  issue_comment:
-    types: [created]
-  workflow_dispatch:
-      inputs:
-          platform:
-            description: 'runs-on argument'     
-            required: false
-          args:
-            description: 'argument'     
-            required: false
-jobs:
-  Authorization:
-    name: Authorization
-    runs-on: blossom 
-    outputs:
-      args: ${{ env.args }}
-     
-    # This job only runs for pull request comments
-    if: |
-         contains( '\
-         anstockatnv,\
-         rorajani,\
-         cdesiniotis,\
-         shivamerla,\
-         ArangoGutierrez,\
-         elezar,\
-         klueska,\
-         zvonkok,\
-         ', format('{0},', github.actor)) && 
-         github.event.comment.body == '/blossom-ci'  
-    steps:
-      - name: Check if comment is issued by authorized person
-        run: blossom-ci
-        env:
-          OPERATION: 'AUTH'
-          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}
-      
-  Vulnerability-scan:
-    name: Vulnerability scan
-    needs: [Authorization]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-        with:
-          repository: ${{ fromJson(needs.Authorization.outputs.args).repo }}
-          ref: ${{ fromJson(needs.Authorization.outputs.args).ref }}
-          lfs: 'true'
-      
-      # repo specific steps 
-      #- name: Setup java
-      #  uses: actions/setup-java@v1
-      #  with:
-      #    java-version: 1.8
-      
-      # add blackduck properties https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631308372/Methods+for+Configuring+Analysis#Using-a-configuration-file
-      #- name: Setup blackduck properties
-      #  run: |
-      #       PROJECTS=$(mvn -am dependency:tree | grep maven-dependency-plugin | awk '{ out="com.nvidia:"$(NF-1);print out }' | grep rapids | xargs | sed -e 's/ /,/g')
-      #       echo detect.maven.build.command="-pl=$PROJECTS -am" >> application.properties
-      #       echo detect.maven.included.scopes=compile >> application.properties
-          
-      - name: Run blossom action
-        uses: NVIDIA/blossom-action@main
-        env:
-          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPO_KEY_DATA: ${{ secrets.BLOSSOM_KEY }}
-        with:
-          args1: ${{ fromJson(needs.Authorization.outputs.args).args1 }}
-          args2: ${{ fromJson(needs.Authorization.outputs.args).args2 }}
-          args3: ${{ fromJson(needs.Authorization.outputs.args).args3 }}
-          
-  Job-trigger:
-    name: Start ci job
-    needs: [Vulnerability-scan]
-    runs-on: blossom
-    steps:
-      - name: Start ci job
-        run: blossom-ci
-        env:
-          OPERATION: 'START-CI-JOB'
-          CI_SERVER: ${{ secrets.CI_SERVER }}
-          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-              
-  Upload-Log:
-    name: Upload log
-    runs-on: blossom
-    if : github.event_name == 'workflow_dispatch'
-    steps:
-      - name: Jenkins log for pull request ${{ fromJson(github.event.inputs.args).pr }} (click here)
-        run: blossom-ci
-        env:
-          OPERATION: 'POST-PROCESSING'
-          CI_SERVER: ${{ secrets.CI_SERVER }}
-          REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitlab-ci.yml

@@ -138,24 +138,12 @@ package-centos7-x86_64:
     - .dist-centos7
     - .arch-x86_64
 
-package-centos8-aarch64:
-  extends:
-    - .package-build
-    - .dist-centos8
-    - .arch-aarch64
-
 package-centos8-ppc64le:
   extends:
     - .package-build
     - .dist-centos8
     - .arch-ppc64le
 
-package-centos8-x86_64:
-  extends:
-    - .package-build
-    - .dist-centos8
-    - .arch-x86_64
-
 package-ubuntu18.04-amd64:
   extends:
     - .package-build
@@ -238,8 +226,6 @@ image-packaging:
     - .package-artifacts
     - .dist-packaging
   needs:
-    - job: package-centos8-aarch64
-    - job: package-centos8-x86_64
     - job: package-ubuntu18.04-amd64
     - job: package-ubuntu18.04-arm64
     - job: package-amazonlinux2-aarch64

.gitmodules

@@ -1,4 +1,4 @@
 [submodule "third_party/libnvidia-container"]
 	path = third_party/libnvidia-container
 	url = https://gitlab.com/nvidia/container-toolkit/libnvidia-container.git
-	branch = main
+	branch = release-1.14

CHANGELOG.md

@@ -1,5 +1,24 @@
 # NVIDIA Container Toolkit Changelog
 
+## v1.14.5
+* Fix `nvidia-ctk runtime configure --cdi.enabled` for Docker. This was incorrectly setting `experimental = true` instead
+  of setting `features.cdi = true`.
+
+## v1.14.4
+* Include `nvidia/nvoptix.bin` in list of graphics mounts.
+* Include `vulkan/icd.d/nvidia_layers.json` in list of graphics mounts.
+* Fixed bug in `nvidia-ctk config` command when using `--set`. The types of applied config options are now applied correctly.
+* Log explicitly requested runtime mode.
+* Remove package dependency on libseccomp.
+* Added detection of libnvdxgdmal.so.1 on WSL2.
+* Fix bug in determining default nvidia-container-runtime.user config value on SUSE-based systems.
+* Add `crun` to the list of configured low-level runtimes.
+* Add `--cdi.enabled` option to `nvidia-ctk runtime configure` command to enable CDI in containerd.
+* Added support for `nvidia-ctk runtime configure --enable-cdi` for the `docker` runtime. Note that this requires Docker >= 25.
+
+* [toolkit-container] Bump CUDA base image version to 12.3.1.
+* [libnvidia-container] Added detection of libnvdxgdmal.so.1 on WSL2.
+
 ## v1.14.3
 * [toolkit-container] Bump CUDA base image version to 12.2.2.
 

DEVELOPMENT.md

@@ -19,7 +19,7 @@ where `TARGET` is a make target that is valid for each of the sub-components.
 
 These include:
 * `ubuntu18.04-amd64`
-* `centos8-x86_64`
+* `centos7-x86_64`
 
 If no `TARGET` is specified, all valid release targets are built.
 

build/container/Makefile

@@ -145,9 +145,7 @@ test-packaging:
 	@echo "Testing package image contents"
 	@$(DOCKER) run --rm $(IMAGE) test -d "/artifacts/packages/centos7/aarch64" || echo "Missing centos7/aarch64"
 	@$(DOCKER) run --rm $(IMAGE) test -d "/artifacts/packages/centos7/x86_64" || echo "Missing centos7/x86_64"
-	@$(DOCKER) run --rm $(IMAGE) test -d "/artifacts/packages/centos8/aarch64" || echo "Missing centos8/aarch64"
 	@$(DOCKER) run --rm $(IMAGE) test -d "/artifacts/packages/centos8/ppc64le" || echo "Missing centos8/ppc64le"
-	@$(DOCKER) run --rm $(IMAGE) test -d "/artifacts/packages/centos8/x86_64" || echo "Missing centos8/x86_64"
 	@$(DOCKER) run --rm $(IMAGE) test -d "/artifacts/packages/ubuntu18.04/amd64" || echo "Missing ubuntu18.04/amd64"
 	@$(DOCKER) run --rm $(IMAGE) test -d "/artifacts/packages/ubuntu18.04/arm64" || echo "Missing ubuntu18.04/arm64"
 	@$(DOCKER) run --rm $(IMAGE) test -d "/artifacts/packages/ubuntu18.04/ppc64le" || echo "Missing ubuntu18.04/ppc64le"

cmd/nvidia-ctk/cdi/generate/generate.go

@@ -22,14 +22,15 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/urfave/cli/v2"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/platform-support/tegra/csv"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/urfave/cli/v2"
 )
 
 const (

cmd/nvidia-ctk/cdi/list/list.go

@@ -19,9 +19,10 @@ package list
 import (
 	"fmt"
 
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
 	"github.com/urfave/cli/v2"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 )
 
 type command struct {

cmd/nvidia-ctk/cdi/transform/root/root.go

@@ -21,11 +21,12 @@ import (
 	"io"
 	"os"
 
+	"github.com/urfave/cli/v2"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/urfave/cli/v2"
 )
 
 type loadSaver interface {

cmd/nvidia-ctk/config/config.go

@@ -19,14 +19,16 @@ package config
 import (
 	"errors"
 	"fmt"
+	"reflect"
 	"strconv"
 	"strings"
 
+	"github.com/urfave/cli/v2"
+
 	createdefault "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-ctk/config/create-default"
 	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-ctk/config/flags"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-	"github.com/urfave/cli/v2"
 )
 
 type command struct {
@@ -103,7 +105,7 @@ func run(c *cli.Context, opts *options) error {
 	}
 
 	for _, set := range opts.sets.Value() {
-		key, value, err := (*configToml)(cfgToml).setFlagToKeyValue(set)
+		key, value, err := setFlagToKeyValue(set)
 		if err != nil {
 			return fmt.Errorf("invalid --set option %v: %w", set, err)
 		}
@@ -126,50 +128,86 @@ func run(c *cli.Context, opts *options) error {
 	return nil
 }
 
-type configToml config.Toml
-
 var errInvalidConfigOption = errors.New("invalid config option")
+var errUndefinedField = errors.New("undefined field")
 var errInvalidFormat = errors.New("invalid format")
 
 // setFlagToKeyValue converts a --set flag to a key-value pair.
 // The set flag is of the form key[=value], with the value being optional if key refers to a
 // boolean config option.
-func (c *configToml) setFlagToKeyValue(setFlag string) (string, interface{}, error) {
-	if c == nil {
-		return "", nil, errInvalidConfigOption
-	}
-
+func setFlagToKeyValue(setFlag string) (string, interface{}, error) {
 	setParts := strings.SplitN(setFlag, "=", 2)
 	key := setParts[0]
 
-	v := (*config.Toml)(c).Get(key)
-	if v == nil {
-		return key, nil, errInvalidConfigOption
-	}
-	switch v.(type) {
-	case bool:
-		if len(setParts) == 1 {
-			return key, true, nil
-		}
+	field, err := getField(key)
+	if err != nil {
+		return key, nil, fmt.Errorf("%w: %w", errInvalidConfigOption, err)
 	}
 
+	kind := field.Kind()
 	if len(setParts) != 2 {
+		if kind == reflect.Bool {
+			return key, true, nil
+		}
 		return key, nil, fmt.Errorf("%w: expected key=value; got %v", errInvalidFormat, setFlag)
 	}
 
 	value := setParts[1]
-	switch vt := v.(type) {
-	case bool:
+	switch kind {
+	case reflect.Bool:
 		b, err := strconv.ParseBool(value)
 		if err != nil {
 			return key, value, fmt.Errorf("%w: %w", errInvalidFormat, err)
 		}
 		return key, b, err
-	case string:
+	case reflect.String:
 		return key, value, nil
-	case []string:
-		return key, strings.Split(value, ","), nil
-	default:
-		return key, nil, fmt.Errorf("unsupported type for %v (%v)", setParts, vt)
+	case reflect.Slice:
+		valueParts := strings.Split(value, ",")
+		switch field.Elem().Kind() {
+		case reflect.String:
+			return key, valueParts, nil
+		case reflect.Int:
+			var output []int64
+			for _, v := range valueParts {
+				vi, err := strconv.ParseInt(v, 10, 0)
+				if err != nil {
+					return key, nil, fmt.Errorf("%w: %w", errInvalidFormat, err)
+				}
+				output = append(output, vi)
+			}
+			return key, output, nil
+		}
 	}
+	return key, nil, fmt.Errorf("unsupported type for %v (%v)", setParts, kind)
+}
+
+func getField(key string) (reflect.Type, error) {
+	s, err := getStruct(reflect.TypeOf(config.Config{}), strings.Split(key, ".")...)
+	if err != nil {
+		return nil, err
+	}
+	return s.Type, err
+}
+
+func getStruct(current reflect.Type, paths ...string) (reflect.StructField, error) {
+	if len(paths) < 1 {
+		return reflect.StructField{}, fmt.Errorf("%w: no fields selected", errUndefinedField)
+	}
+	tomlField := paths[0]
+	for i := 0; i < current.NumField(); i++ {
+		f := current.Field(i)
+		v, ok := f.Tag.Lookup("toml")
+		if !ok {
+			continue
+		}
+		if v != tomlField {
+			continue
+		}
+		if len(paths) == 1 {
+			return f, nil
+		}
+		return getStruct(f.Type, paths[1:]...)
+	}
+	return reflect.StructField{}, fmt.Errorf("%w: %q", errUndefinedField, tomlField)
 }

cmd/nvidia-ctk/config/config_test.go

@@ -19,152 +19,109 @@ package config
 import (
 	"testing"
 
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
-	"github.com/pelletier/go-toml"
 	"github.com/stretchr/testify/require"
 )
 
 func TestSetFlagToKeyValue(t *testing.T) {
+	// TODO: We need to enable this test again since switching to reflect.
 	testCases := []struct {
 		description   string
-		config        map[string]interface{}
 		setFlag       string
 		expectedKey   string
 		expectedValue interface{}
 		expectedError error
 	}{
 		{
-			description:   "empty config returns an error",
-			setFlag:       "anykey=value",
-			expectedKey:   "anykey",
-			expectedError: errInvalidConfigOption,
-		},
-		{
-			description: "option not present returns an error",
-			config: map[string]interface{}{
-				"defined": "defined-value",
-			},
+			description:   "option not present returns an error",
 			setFlag:       "undefined=new-value",
 			expectedKey:   "undefined",
 			expectedError: errInvalidConfigOption,
 		},
 		{
-			description: "boolean option assumes true",
-			config: map[string]interface{}{
-				"boolean": false,
-			},
-			setFlag:       "boolean",
-			expectedKey:   "boolean",
+			description:   "undefined nexted option returns error",
+			setFlag:       "nvidia-container-cli.undefined",
+			expectedKey:   "nvidia-container-cli.undefined",
+			expectedError: errInvalidConfigOption,
+		},
+		{
+			description:   "boolean option assumes true",
+			setFlag:       "disable-require",
+			expectedKey:   "disable-require",
 			expectedValue: true,
 		},
 		{
-			description: "boolean option returns true",
-			config: map[string]interface{}{
-				"boolean": false,
-			},
-			setFlag:       "boolean=true",
-			expectedKey:   "boolean",
+			description:   "boolean option returns true",
+			setFlag:       "disable-require=true",
+			expectedKey:   "disable-require",
 			expectedValue: true,
 		},
 		{
-			description: "boolean option returns false",
-			config: map[string]interface{}{
-				"boolean": false,
-			},
-			setFlag:       "boolean=false",
-			expectedKey:   "boolean",
+			description:   "boolean option returns false",
+			setFlag:       "disable-require=false",
+			expectedKey:   "disable-require",
 			expectedValue: false,
 		},
 		{
-			description: "invalid boolean option returns error",
-			config: map[string]interface{}{
-				"boolean": false,
-			},
-			setFlag:       "boolean=something",
-			expectedKey:   "boolean",
+			description:   "invalid boolean option returns error",
+			setFlag:       "disable-require=something",
+			expectedKey:   "disable-require",
 			expectedValue: "something",
 			expectedError: errInvalidFormat,
 		},
 		{
-			description: "string option requires value",
-			config: map[string]interface{}{
-				"string": "value",
-			},
-			setFlag:       "string",
-			expectedKey:   "string",
+			description:   "string option requires value",
+			setFlag:       "swarm-resource",
+			expectedKey:   "swarm-resource",
 			expectedValue: nil,
 			expectedError: errInvalidFormat,
 		},
 		{
-			description: "string option returns value",
-			config: map[string]interface{}{
-				"string": "value",
-			},
-			setFlag:       "string=string-value",
-			expectedKey:   "string",
+			description:   "string option returns value",
+			setFlag:       "swarm-resource=string-value",
+			expectedKey:   "swarm-resource",
 			expectedValue: "string-value",
 		},
 		{
-			description: "string option returns value with equals",
-			config: map[string]interface{}{
-				"string": "value",
-			},
-			setFlag:       "string=string-value=more",
-			expectedKey:   "string",
+			description:   "string option returns value with equals",
+			setFlag:       "swarm-resource=string-value=more",
+			expectedKey:   "swarm-resource",
 			expectedValue: "string-value=more",
 		},
 		{
-			description: "string option treats bool value as string",
-			config: map[string]interface{}{
-				"string": "value",
-			},
-			setFlag:       "string=true",
-			expectedKey:   "string",
+			description:   "string option treats bool value as string",
+			setFlag:       "swarm-resource=true",
+			expectedKey:   "swarm-resource",
 			expectedValue: "true",
 		},
 		{
-			description: "string option treats int value as string",
-			config: map[string]interface{}{
-				"string": "value",
-			},
-			setFlag:       "string=5",
-			expectedKey:   "string",
+			description:   "string option treats int value as string",
+			setFlag:       "swarm-resource=5",
+			expectedKey:   "swarm-resource",
 			expectedValue: "5",
 		},
 		{
-			description: "[]string option returns single value",
-			config: map[string]interface{}{
-				"string": []string{"value"},
-			},
-			setFlag:       "string=string-value",
-			expectedKey:   "string",
+			description:   "[]string option returns single value",
+			setFlag:       "nvidia-container-cli.environment=string-value",
+			expectedKey:   "nvidia-container-cli.environment",
 			expectedValue: []string{"string-value"},
 		},
 		{
-			description: "[]string option returns multiple values",
-			config: map[string]interface{}{
-				"string": []string{"value"},
-			},
-			setFlag:       "string=first,second",
-			expectedKey:   "string",
+			description:   "[]string option returns multiple values",
+			setFlag:       "nvidia-container-cli.environment=first,second",
+			expectedKey:   "nvidia-container-cli.environment",
 			expectedValue: []string{"first", "second"},
 		},
 		{
-			description: "[]string option returns values with equals",
-			config: map[string]interface{}{
-				"string": []string{"value"},
-			},
-			setFlag:       "string=first=1,second=2",
-			expectedKey:   "string",
+			description:   "[]string option returns values with equals",
+			setFlag:       "nvidia-container-cli.environment=first=1,second=2",
+			expectedKey:   "nvidia-container-cli.environment",
 			expectedValue: []string{"first=1", "second=2"},
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			tree, _ := toml.TreeFromMap(tc.config)
-			cfgToml := (*config.Toml)(tree)
-			k, v, err := (*configToml)(cfgToml).setFlagToKeyValue(tc.setFlag)
+			k, v, err := setFlagToKeyValue(tc.setFlag)
 			require.ErrorIs(t, err, tc.expectedError)
 			require.EqualValues(t, tc.expectedKey, k)
 			require.EqualValues(t, tc.expectedValue, v)

cmd/nvidia-ctk/runtime/configure/configure.go

@@ -20,13 +20,14 @@ import (
 	"fmt"
 	"path/filepath"
 
+	"github.com/urfave/cli/v2"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/config/engine"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/config/engine/containerd"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/config/engine/crio"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/config/engine/docker"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/config/ocihook"
-	"github.com/urfave/cli/v2"
 )
 
 const (
@@ -71,6 +72,11 @@ type config struct {
 		hookPath     string
 		setAsDefault bool
 	}
+
+	// cdi-specific options
+	cdi struct {
+		enabled bool
+	}
 }
 
 func (m command) build() *cli.Command {
@@ -141,6 +147,12 @@ func (m command) build() *cli.Command {
 			Usage:       "set the NVIDIA runtime as the default runtime",
 			Destination: &config.nvidiaRuntime.setAsDefault,
 		},
+		&cli.BoolFlag{
+			Name:        "cdi.enabled",
+			Aliases:     []string{"cdi.enable"},
+			Usage:       "Enable CDI in the configured runtime",
+			Destination: &config.cdi.enabled,
+		},
 	}
 
 	return &configure
@@ -175,6 +187,13 @@ func (m command) validateFlags(c *cli.Context, config *config) error {
 		}
 	}
 
+	if config.runtime != "containerd" && config.runtime != "docker" {
+		if config.cdi.enabled {
+			m.logger.Warningf("Ignoring cdi.enabled flag for %v", config.runtime)
+		}
+		config.cdi.enabled = false
+	}
+
 	return nil
 }
 
@@ -227,6 +246,11 @@ func (m command) configureConfigFile(c *cli.Context, config *config) error {
 		return fmt.Errorf("unable to update config: %v", err)
 	}
 
+	err = enableCDI(config, cfg)
+	if err != nil {
+		return fmt.Errorf("failed to enable CDI in %s: %w", config.runtime, err)
+	}
+
 	outputPath := config.getOuputConfigPath()
 	n, err := cfg.Save(outputPath)
 	if err != nil {
@@ -277,3 +301,17 @@ func (m *command) configureOCIHook(c *cli.Context, config *config) error {
 	}
 	return nil
 }
+
+// enableCDI enables the use of CDI in the corresponding container engine
+func enableCDI(config *config, cfg engine.Interface) error {
+	if !config.cdi.enabled {
+		return nil
+	}
+	switch config.runtime {
+	case "containerd":
+		return cfg.Set("enable_cdi", true)
+	case "docker":
+		return cfg.Set("features", map[string]bool{"cdi": true})
+	}
+	return fmt.Errorf("enabling CDI in %s is not supported", config.runtime)
+}

go.mod

@@ -4,9 +4,8 @@ go 1.20
 
 require (
 	github.com/NVIDIA/go-nvml v0.12.0-1
-	github.com/container-orchestrated-devices/container-device-interface v0.6.0
 	github.com/fsnotify/fsnotify v1.5.4
-	github.com/opencontainers/runtime-spec v1.1.0-rc.2
+	github.com/opencontainers/runtime-spec v1.1.0
 	github.com/pelletier/go-toml v1.9.4
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.1
@@ -14,6 +13,8 @@ require (
 	gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20230818092907-09424fdc8884
 	golang.org/x/mod v0.5.0
 	golang.org/x/sys v0.7.0
+	tags.cncf.io/container-device-interface v0.6.2
+	tags.cncf.io/container-device-interface/specs-go v0.6.0
 )
 
 require (
@@ -21,7 +22,6 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
-	github.com/opencontainers/runc v1.1.6 // indirect
 	github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect

go.sum

@@ -3,8 +3,6 @@ github.com/NVIDIA/go-nvml v0.12.0-1 h1:6mdjtlFo+17dWL7VFPfuRMtf0061TF4DKls9pkSw6
 github.com/NVIDIA/go-nvml v0.12.0-1/go.mod h1:hy7HYeQy335x6nEss0Ne3PYqleRa6Ct+VKD9RQ4nyFs=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/container-orchestrated-devices/container-device-interface v0.6.0 h1:aWwcz/Ep0Fd7ZuBjQGjU/jdPloM7ydhMW13h85jZNvk=
-github.com/container-orchestrated-devices/container-device-interface v0.6.0/go.mod h1:OQlgtJtDrOxSQ1BWODC8OZK1tzi9W69wek+Jy17ndzo=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -29,11 +27,9 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA=
-github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0-rc.2 h1:ucBtEms2tamYYW/SvGpvq9yUN0NEVL6oyLEwDcTSrk8=
-github.com/opencontainers/runtime-spec v1.1.0-rc.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
+github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
@@ -75,8 +71,6 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
-gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20230613182322-7663cf900f0a h1:lceJVurLqiWFdxK6KMDw+SIwrAsFW/af44XrNlbGw78=
-gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20230613182322-7663cf900f0a/go.mod h1:KYZksBgh18o+uzgnpDazzG4LVYtnfB96VXHMXypEtik=
 gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20230818092907-09424fdc8884 h1:V0LUbfm4kVA1CPG8FgG9AGZqa3ykE5U12Gd3PZgoItA=
 gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20230818092907-09424fdc8884/go.mod h1:/x5Ky1ZJNyCjDkgSL1atII0EFKQF5WaIHKeP5nkaQfk=
 golang.org/x/mod v0.5.0 h1:UG21uOlmZabA4fW5i7ZX6bjw1xELEGg/ZLgZq9auk/Q=
@@ -98,3 +92,7 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+tags.cncf.io/container-device-interface v0.6.2 h1:dThE6dtp/93ZDGhqaED2Pu374SOeUkBfuvkLuiTdwzg=
+tags.cncf.io/container-device-interface v0.6.2/go.mod h1:Shusyhjs1A5Na/kqPVLL0KqnHQHuunol9LFeUNkuGVE=
+tags.cncf.io/container-device-interface/specs-go v0.6.0 h1:V+tJJN6dqu8Vym6p+Ru+K5mJ49WL6Aoc5SJFSY0RLsQ=
+tags.cncf.io/container-device-interface/specs-go v0.6.0/go.mod h1:hMAwAbMZyBLdmYqWgYcKH0F/yctNpV3P35f+/088A80=

internal/config/config.go

@@ -22,10 +22,11 @@ import (
 	"path/filepath"
 	"strings"
 
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config/image"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
 )
 
 const (
@@ -94,6 +95,7 @@ func GetDefault() (*Config, error) {
 		NVIDIAContainerCLIConfig: ContainerCLIConfig{
 			LoadKmods: true,
 			Ldconfig:  getLdConfigPath(),
+			User:      getUserGroup(),
 		},
 		NVIDIACTKConfig: CTKConfig{
 			Path: nvidiaCTKExecutable,
@@ -101,7 +103,7 @@ func GetDefault() (*Config, error) {
 		NVIDIAContainerRuntimeConfig: RuntimeConfig{
 			DebugFilePath: "/dev/null",
 			LogLevel:      "info",
-			Runtimes:      []string{"docker-runc", "runc"},
+			Runtimes:      []string{"docker-runc", "runc", "crun"},
 			Mode:          "auto",
 			Modes: modesConfig{
 				CSV: csvModeConfig{
@@ -128,24 +130,32 @@ func getLdConfigPath() string {
 	return "@/sbin/ldconfig"
 }
 
-// getCommentedUserGroup returns whether the nvidia-container-cli user and group config option should be commented.
-func getCommentedUserGroup() bool {
-	uncommentIf := map[string]bool{
+func getUserGroup() string {
+	if isSuse() {
+		return "root:video"
+	}
+	return ""
+}
+
+// isSuse returns whether a SUSE-based distribution was detected.
+func isSuse() bool {
+	suseDists := map[string]bool{
 		"suse":     true,
 		"opensuse": true,
 	}
 
 	idsLike := getDistIDLike()
 	for _, id := range idsLike {
-		if uncommentIf[id] {
-			return false
+		if suseDists[id] {
+			return true
 		}
 	}
-	return true
+	return false
 }
 
 // getDistIDLike returns the ID_LIKE field from /etc/os-release.
-func getDistIDLike() []string {
+// We can override this for testing.
+var getDistIDLike = func() []string {
 	releaseFile, err := os.Open("/etc/os-release")
 	if err != nil {
 		return nil

internal/config/config_test.go

@@ -48,6 +48,7 @@ func TestGetConfig(t *testing.T) {
 		contents        []string
 		expectedError   error
 		inspectLdconfig bool
+		distIdsLike     []string
 		expectedConfig  *Config
 	}{
 		{
@@ -64,7 +65,7 @@ func TestGetConfig(t *testing.T) {
 				NVIDIAContainerRuntimeConfig: RuntimeConfig{
 					DebugFilePath: "/dev/null",
 					LogLevel:      "info",
-					Runtimes:      []string{"docker-runc", "runc"},
+					Runtimes:      []string{"docker-runc", "runc", "crun"},
 					Mode:          "auto",
 					Modes: modesConfig{
 						CSV: csvModeConfig{
@@ -93,6 +94,7 @@ func TestGetConfig(t *testing.T) {
 				"nvidia-container-cli.root = \"/bar/baz\"",
 				"nvidia-container-cli.load-kmods = false",
 				"nvidia-container-cli.ldconfig = \"/foo/bar/ldconfig\"",
+				"nvidia-container-cli.user = \"foo:bar\"",
 				"nvidia-container-runtime.debug = \"/foo/bar\"",
 				"nvidia-container-runtime.discover-mode = \"not-legacy\"",
 				"nvidia-container-runtime.log-level = \"debug\"",
@@ -112,6 +114,7 @@ func TestGetConfig(t *testing.T) {
 					Root:      "/bar/baz",
 					LoadKmods: false,
 					Ldconfig:  "/foo/bar/ldconfig",
+					User:      "foo:bar",
 				},
 				NVIDIAContainerRuntimeConfig: RuntimeConfig{
 					DebugFilePath: "/foo/bar",
@@ -152,6 +155,7 @@ func TestGetConfig(t *testing.T) {
 				"root = \"/bar/baz\"",
 				"load-kmods = false",
 				"ldconfig = \"/foo/bar/ldconfig\"",
+				"user = \"foo:bar\"",
 				"[nvidia-container-runtime]",
 				"debug = \"/foo/bar\"",
 				"discover-mode = \"not-legacy\"",
@@ -176,6 +180,7 @@ func TestGetConfig(t *testing.T) {
 					Root:      "/bar/baz",
 					LoadKmods: false,
 					Ldconfig:  "/foo/bar/ldconfig",
+					User:      "foo:bar",
 				},
 				NVIDIAContainerRuntimeConfig: RuntimeConfig{
 					DebugFilePath: "/foo/bar",
@@ -207,10 +212,88 @@ func TestGetConfig(t *testing.T) {
 				},
 			},
 		},
+		{
+			description:     "suse config",
+			distIdsLike:     []string{"suse", "opensuse"},
+			inspectLdconfig: true,
+			expectedConfig: &Config{
+				AcceptEnvvarUnprivileged:    true,
+				SupportedDriverCapabilities: "compat32,compute,display,graphics,ngx,utility,video",
+				NVIDIAContainerCLIConfig: ContainerCLIConfig{
+					Root:      "",
+					LoadKmods: true,
+					Ldconfig:  "WAS_CHECKED",
+					User:      "root:video",
+				},
+				NVIDIAContainerRuntimeConfig: RuntimeConfig{
+					DebugFilePath: "/dev/null",
+					LogLevel:      "info",
+					Runtimes:      []string{"docker-runc", "runc", "crun"},
+					Mode:          "auto",
+					Modes: modesConfig{
+						CSV: csvModeConfig{
+							MountSpecPath: "/etc/nvidia-container-runtime/host-files-for-container.d",
+						},
+						CDI: cdiModeConfig{
+							DefaultKind:        "nvidia.com/gpu",
+							AnnotationPrefixes: []string{"cdi.k8s.io/"},
+							SpecDirs:           []string{"/etc/cdi", "/var/run/cdi"},
+						},
+					},
+				},
+				NVIDIAContainerRuntimeHookConfig: RuntimeHookConfig{
+					Path: "nvidia-container-runtime-hook",
+				},
+				NVIDIACTKConfig: CTKConfig{
+					Path: "nvidia-ctk",
+				},
+			},
+		},
+		{
+			description:     "suse config overrides user",
+			distIdsLike:     []string{"suse", "opensuse"},
+			inspectLdconfig: true,
+			contents: []string{
+				"nvidia-container-cli.user = \"foo:bar\"",
+			},
+			expectedConfig: &Config{
+				AcceptEnvvarUnprivileged:    true,
+				SupportedDriverCapabilities: "compat32,compute,display,graphics,ngx,utility,video",
+				NVIDIAContainerCLIConfig: ContainerCLIConfig{
+					Root:      "",
+					LoadKmods: true,
+					Ldconfig:  "WAS_CHECKED",
+					User:      "foo:bar",
+				},
+				NVIDIAContainerRuntimeConfig: RuntimeConfig{
+					DebugFilePath: "/dev/null",
+					LogLevel:      "info",
+					Runtimes:      []string{"docker-runc", "runc", "crun"},
+					Mode:          "auto",
+					Modes: modesConfig{
+						CSV: csvModeConfig{
+							MountSpecPath: "/etc/nvidia-container-runtime/host-files-for-container.d",
+						},
+						CDI: cdiModeConfig{
+							DefaultKind:        "nvidia.com/gpu",
+							AnnotationPrefixes: []string{"cdi.k8s.io/"},
+							SpecDirs:           []string{"/etc/cdi", "/var/run/cdi"},
+						},
+					},
+				},
+				NVIDIAContainerRuntimeHookConfig: RuntimeHookConfig{
+					Path: "nvidia-container-runtime-hook",
+				},
+				NVIDIACTKConfig: CTKConfig{
+					Path: "nvidia-ctk",
+				},
+			},
+		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
+			defer setGetDistIDLikeForTest(tc.distIdsLike)()
 			reader := strings.NewReader(strings.Join(tc.contents, "\n"))
 
 			tomlCfg, err := loadConfigTomlFrom(reader)
@@ -236,3 +319,19 @@ func TestGetConfig(t *testing.T) {
 		})
 	}
 }
+
+// setGetDistIDsLikeForTest overrides the distribution IDs that would normally be read from the /etc/os-release file.
+func setGetDistIDLikeForTest(ids []string) func() {
+	if ids == nil {
+		return func() {}
+	}
+	original := getDistIDLike
+
+	getDistIDLike = func() []string {
+		return ids
+	}
+
+	return func() {
+		getDistIDLike = original
+	}
+}

internal/config/toml.go

@@ -204,7 +204,7 @@ func (t *Toml) commentDefaults() *Toml {
 }
 
 func shouldComment(key string, defaultValue interface{}, setTo interface{}) bool {
-	if key == "nvidia-container-cli.user" && !getCommentedUserGroup() {
+	if key == "nvidia-container-cli.user" && defaultValue == setTo && isSuse() {
 		return false
 	}
 	if key == "nvidia-container-runtime.debug" && setTo == "/dev/null" {

internal/config/toml_test.go

@@ -62,7 +62,7 @@ load-kmods = true
 #debug = "/var/log/nvidia-container-runtime.log"
 log-level = "info"
 mode = "auto"
-runtimes = ["docker-runc", "runc"]
+runtimes = ["docker-runc", "runc", "crun"]
 
 [nvidia-container-runtime.modes]
 

internal/discover/graphics.go

@@ -78,9 +78,11 @@ func NewGraphicsMountsDiscoverer(logger logger.Interface, driverRoot string, nvi
 		[]string{
 			"glvnd/egl_vendor.d/10_nvidia.json",
 			"vulkan/icd.d/nvidia_icd.json",
+			"vulkan/icd.d/nvidia_layers.json",
 			"vulkan/implicit_layer.d/nvidia_layers.json",
 			"egl/egl_external_platform.d/15_nvidia_gbm.json",
 			"egl/egl_external_platform.d/10_nvidia_wayland.json",
+			"nvidia/nvoptix.bin",
 		},
 	)
 

internal/discover/hooks.go

@@ -19,7 +19,7 @@ package discover
 import (
 	"path/filepath"
 
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
 
 var _ Discover = (*Hook)(nil)

internal/edits/device.go

@@ -17,9 +17,10 @@
 package edits
 
 import (
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 )
 
 type device discover.Device

internal/edits/device_test.go

@@ -20,9 +20,10 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	"github.com/stretchr/testify/require"
+	"tags.cncf.io/container-device-interface/specs-go"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 )
 
 func TestDeviceToSpec(t *testing.T) {

internal/edits/edits.go

@@ -19,12 +19,13 @@ package edits
 import (
 	"fmt"
 
+	ociSpecs "github.com/opencontainers/runtime-spec/specs-go"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
-	ociSpecs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
 type edits struct {

internal/edits/hook.go

@@ -17,9 +17,10 @@
 package edits
 
 import (
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 )
 
 type hook discover.Hook

internal/edits/mount.go

@@ -17,9 +17,10 @@
 package edits
 
 import (
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 )
 
 type mount discover.Mount

internal/info/auto.go

@@ -17,12 +17,13 @@
 package info
 
 import (
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/config/image"
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-	cdi "github.com/container-orchestrated-devices/container-device-interface/pkg/parser"
 	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
 	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/info"
 	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvml"
+	cdi "tags.cncf.io/container-device-interface/pkg/parser"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config/image"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 )
 
 // infoInterface provides an alias for mocking.
@@ -63,6 +64,7 @@ func ResolveAutoMode(logger logger.Interface, mode string, image image.CUDA) (rm
 // resolveMode determines the correct mode for the platform if set to "auto"
 func (r resolver) resolveMode(mode string, image image.CUDA) (rmode string) {
 	if mode != "auto" {
+		r.logger.Infof("Using requested mode '%s'", mode)
 		return mode
 	}
 	defer func() {

internal/modifier/cdi.go

@@ -20,12 +20,13 @@ import (
 	"fmt"
 	"strings"
 
+	"tags.cncf.io/container-device-interface/pkg/parser"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config/image"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/modifier/cdi"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/parser"
 )
 
 type cdiModifier struct {

internal/modifier/cdi/builder.go

@@ -19,10 +19,11 @@ package cdi
 import (
 	"fmt"
 
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 )
 
 type builder struct {

internal/modifier/cdi/registry.go

@@ -20,10 +20,11 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
 // fromRegistry represents the modifications performed using a CDI registry.

internal/modifier/cdi/spec.go

@@ -19,9 +19,10 @@ package cdi
 import (
 	"fmt"
 
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
 )
 
 // fromCDISpec represents the modifications performed from a raw CDI spec.

packaging/debian/control

@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 9)
 
 Package: nvidia-container-toolkit
 Architecture: any
-Depends: ${misc:Depends}, nvidia-container-toolkit-base (= @VERSION@), libnvidia-container-tools (>= @LIBNVIDIA_CONTAINER_TOOLS_VERSION@), libnvidia-container-tools (<< 2.0.0), libseccomp2
+Depends: ${misc:Depends}, nvidia-container-toolkit-base (= @VERSION@), libnvidia-container-tools (>= @LIBNVIDIA_CONTAINER_TOOLS_VERSION@), libnvidia-container-tools (<< 2.0.0)
 Breaks: nvidia-container-runtime (<= 3.5.0-1), nvidia-container-runtime-hook
 Replaces: nvidia-container-runtime (<= 3.5.0-1), nvidia-container-runtime-hook
 Description: NVIDIA Container toolkit

packaging/rpm/SPECS/nvidia-container-toolkit.spec

@@ -23,13 +23,6 @@ Provides: nvidia-container-runtime-hook
 Requires: libnvidia-container-tools >= %{libnvidia_container_tools_version}, libnvidia-container-tools < 2.0.0
 Requires: nvidia-container-toolkit-base == %{version}-%{release}
 
-%if 0%{?suse_version}
-Requires: libseccomp2
-Requires: libapparmor1
-%else
-Requires: libseccomp
-%endif
-
 %description
 Provides tools and utilities to enable GPU support in containers.
 

pkg/config/engine/api.go

@@ -20,6 +20,7 @@ package engine
 type Interface interface {
 	DefaultRuntime() string
 	AddRuntime(string, string, bool) error
+	Set(string, interface{}) error
 	RemoveRuntime(string) error
 	Save(string) (int64, error)
 }

pkg/config/engine/containerd/config_v1.go

@@ -19,8 +19,9 @@ package containerd
 import (
 	"fmt"
 
-	"github.com/NVIDIA/nvidia-container-toolkit/pkg/config/engine"
 	"github.com/pelletier/go-toml"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/pkg/config/engine"
 )
 
 // ConfigV1 represents a version 1 containerd config
@@ -134,6 +135,14 @@ func (c *ConfigV1) RemoveRuntime(name string) error {
 	return nil
 }
 
+// Set sets the specified containerd option.
+func (c *ConfigV1) Set(key string, value interface{}) error {
+	config := *c.Tree
+	config.SetPath([]string{"plugins", "cri", "containerd", key}, value)
+	*c.Tree = config
+	return nil
+}
+
 // Save wrotes the config to a file
 func (c ConfigV1) Save(path string) (int64, error) {
 	return (Config)(c).Save(path)

pkg/config/engine/containerd/config_v2.go

@@ -90,6 +90,14 @@ func (c *Config) getRuntimeAnnotations(path []string) ([]string, error) {
 	return annotations, nil
 }
 
+// Set sets the specified containerd option.
+func (c *Config) Set(key string, value interface{}) error {
+	config := *c.Tree
+	config.SetPath([]string{"plugins", "io.containerd.grpc.v1.cri", key}, value)
+	*c.Tree = config
+	return nil
+}
+
 // DefaultRuntime returns the default runtime for the cri-o config
 func (c Config) DefaultRuntime() string {
 	if runtime, ok := c.GetPath([]string{"plugins", "io.containerd.grpc.v1.cri", "containerd", "default_runtime_name"}).(string); ok {

pkg/config/engine/crio/crio.go

@@ -99,6 +99,11 @@ func (c *Config) RemoveRuntime(name string) error {
 	return nil
 }
 
+// Set is not supported for cri-o configs.
+func (c *Config) Set(key string, value interface{}) error {
+	return fmt.Errorf("Set is not supported for crio configs")
+}
+
 // Save writes the config to the specified path
 func (c Config) Save(path string) (int64, error) {
 	config := (toml.Tree)(c)

pkg/config/engine/docker/docker.go

@@ -114,6 +114,12 @@ func (c *Config) RemoveRuntime(name string) error {
 	return nil
 }
 
+// Set sets the specified docker option
+func (c *Config) Set(key string, value interface{}) error {
+	(*c)[key] = value
+	return nil
+}
+
 // Save writes the config to the specified path
 func (c Config) Save(path string) (int64, error) {
 	output, err := json.MarshalIndent(c, "", "    ")

pkg/nvcdi/api.go

@@ -17,10 +17,11 @@
 package nvcdi
 
 import (
-	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
 )
 
 const (

pkg/nvcdi/driver-wsl.go

@@ -33,6 +33,7 @@ var requiredDriverStoreFiles = []string{
 	"libnvidia-ml.so.1",             /* Core library for nvml */
 	"libnvidia-ml_loader.so",        /* Core library for nvml on WSL */
 	"libdxcore.so",                  /* Core library for dxcore support */
+	"libnvdxgdmal.so.1",             /* dxgdmal library for cuda */
 	"nvcubins.bin",                  /* Binary containing GPU code for cuda */
 	"nvidia-smi",                    /* nvidia-smi binary*/
 }

pkg/nvcdi/full-gpu-nvml.go

@@ -22,14 +22,15 @@ import (
 	"path/filepath"
 	"strings"
 
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvml"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/info/drm"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
-	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
-	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvml"
 )
 
 // GetGPUDeviceSpecs returns the CDI device specs for the full GPU represented by 'device'.

pkg/nvcdi/gds.go

@@ -19,12 +19,13 @@ package nvcdi
 import (
 	"fmt"
 
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
-	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
 )
 
 type gdslib nvcdilib

pkg/nvcdi/lib-csv.go

@@ -19,13 +19,14 @@ package nvcdi
 import (
 	"fmt"
 
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/platform-support/tegra"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
-	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
 )
 
 type csvlib nvcdilib

pkg/nvcdi/lib-nvml.go

@@ -19,12 +19,13 @@ package nvcdi
 import (
 	"fmt"
 
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
-	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
 	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvml"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
+	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
 )
 
 type nvmllib nvcdilib

pkg/nvcdi/lib-wsl.go

@@ -19,11 +19,12 @@ package nvcdi
 import (
 	"fmt"
 
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
-	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
 )
 
 type wsllib nvcdilib

pkg/nvcdi/management.go

@@ -21,13 +21,14 @@ import (
 	"path/filepath"
 	"strings"
 
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup/cuda"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
-	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
 )
 
 type managementlib nvcdilib

pkg/nvcdi/mig-device-nvml.go

@@ -19,14 +19,15 @@ package nvcdi
 import (
 	"fmt"
 
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvml"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/nvcaps"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
-	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
-	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvml"
 )
 
 // GetMIGDeviceSpecs returns the CDI device specs for the full GPU represented by 'device'.

pkg/nvcdi/mofed.go

@@ -19,12 +19,13 @@ package nvcdi
 import (
 	"fmt"
 
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
-	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvlib/device"
 )
 
 type mofedlib nvcdilib

pkg/nvcdi/spec/api.go

@@ -19,7 +19,7 @@ package spec
 import (
 	"io"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 const (

pkg/nvcdi/spec/builder.go

@@ -20,9 +20,10 @@ import (
 	"fmt"
 	"os"
 
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 )
 
 type builder struct {

pkg/nvcdi/spec/spec.go

@@ -22,8 +22,8 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 type spec struct {

pkg/nvcdi/transform/api.go

@@ -16,7 +16,7 @@
 
 package transform
 
-import "github.com/container-orchestrated-devices/container-device-interface/specs-go"
+import "tags.cncf.io/container-device-interface/specs-go"
 
 // Transformer defines the API for applying arbitrary transforms to a spec in-place
 type Transformer interface {

pkg/nvcdi/transform/deduplicate.go

@@ -17,7 +17,7 @@
 package transform
 
 import (
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 type dedupe struct{}

pkg/nvcdi/transform/deduplicate_test.go

@@ -19,8 +19,8 @@ package transform
 import (
 	"testing"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	"github.com/stretchr/testify/require"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 func TestDeduplicate(t *testing.T) {

pkg/nvcdi/transform/edits.go

@@ -20,7 +20,7 @@ package transform
 import (
 	"encoding/json"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 type containerEdits specs.ContainerEdits

pkg/nvcdi/transform/merge.go

@@ -16,7 +16,7 @@
 
 package transform
 
-import "github.com/container-orchestrated-devices/container-device-interface/specs-go"
+import "tags.cncf.io/container-device-interface/specs-go"
 
 type merged []Transformer
 

pkg/nvcdi/transform/merged-device.go

@@ -19,9 +19,10 @@ package transform
 import (
 	"fmt"
 
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 )
 
 const (

pkg/nvcdi/transform/merged-device_test.go

@@ -20,8 +20,8 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	"github.com/stretchr/testify/require"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 func TestMergeDeviceSpecs(t *testing.T) {

pkg/nvcdi/transform/no-op.go

@@ -17,7 +17,7 @@
 package transform
 
 import (
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 type noop struct{}

pkg/nvcdi/transform/remove.go

@@ -19,7 +19,7 @@ package transform
 import (
 	"fmt"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 type remove map[string]bool

pkg/nvcdi/transform/root.go

@@ -21,7 +21,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 type rootTransformer struct {

pkg/nvcdi/transform/root_test.go

@@ -19,8 +19,8 @@ package transform
 import (
 	"testing"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	"github.com/stretchr/testify/require"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 func TestRootTransformer(t *testing.T) {

pkg/nvcdi/transform/simplify.go

@@ -19,7 +19,7 @@ package transform
 import (
 	"fmt"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 type simplify struct{}

pkg/nvcdi/transform/simplify_test.go

@@ -19,8 +19,8 @@ package transform
 import (
 	"testing"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	"github.com/stretchr/testify/require"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 func TestSimplify(t *testing.T) {

pkg/nvcdi/transform/sorter.go

@@ -22,7 +22,7 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 type sorter struct{}

pkg/nvcdi/transform/sorter_test.go

@@ -19,8 +19,8 @@ package transform
 import (
 	"testing"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	"github.com/stretchr/testify/require"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 func TestSortSpec(t *testing.T) {

scripts/build-packages.sh

@@ -31,6 +31,8 @@ else
     targets=${all[@]}
 fi
 
+# Skip component updates on release branches
+SKIP_UPDATE_COMPONENTS=yes
 if [[ x"${SKIP_UPDATE_COMPONENTS}" != x"yes" ]]; then
     echo "Updating components"
     "${SCRIPTS_DIR}/update-components.sh"

test/release/docker/centos8/Dockerfile

@@ -25,7 +25,7 @@ RUN fpm -s empty \
     rm -f /tmp/docker.rpm
 
 
-RUN curl -s -L https://nvidia.github.io/libnvidia-container/centos8/libnvidia-container.repo \
+RUN curl -s -L https://nvidia.github.io/libnvidia-container/stable/rpm/libnvidia-container.repo \
     | tee /etc/yum.repos.d/nvidia-container-toolkit.repo
 
 COPY entrypoint.sh /

tools/container/toolkit/toolkit.go

@@ -23,13 +23,14 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/system/nvdevices"
-	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi"
-	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
 	toml "github.com/pelletier/go-toml"
 	log "github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/system/nvdevices"
+	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi"
+	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/transform"
 )
 
 const (

vendor/github.com/container-orchestrated-devices/container-device-interface/specs-go/oci.go

@@ -1,113 +0,0 @@
-package specs
-
-import (
-	"errors"
-	"fmt"
-
-	spec "github.com/opencontainers/runtime-spec/specs-go"
-)
-
-// ApplyOCIEditsForDevice applies devices OCI edits, in other words
-// it finds the device in the CDI spec and applies the OCI patches that device
-// requires to the OCI specification.
-func ApplyOCIEditsForDevice(config *spec.Spec, cdi *Spec, dev string) error {
-	for _, d := range cdi.Devices {
-		if d.Name != dev {
-			continue
-		}
-
-		return ApplyEditsToOCISpec(config, &d.ContainerEdits)
-	}
-
-	return fmt.Errorf("CDI: device %q not found for spec %q", dev, cdi.Kind)
-}
-
-// ApplyOCIEdits applies the OCI edits the CDI spec declares globally
-func ApplyOCIEdits(config *spec.Spec, cdi *Spec) error {
-	return ApplyEditsToOCISpec(config, &cdi.ContainerEdits)
-}
-
-// ApplyEditsToOCISpec applies the specified edits to the OCI spec.
-func ApplyEditsToOCISpec(config *spec.Spec, edits *ContainerEdits) error {
-	if config == nil {
-		return errors.New("spec is nil")
-	}
-	if edits == nil {
-		return nil
-	}
-
-	if len(edits.Env) > 0 {
-		if config.Process == nil {
-			config.Process = &spec.Process{}
-		}
-		config.Process.Env = append(config.Process.Env, edits.Env...)
-	}
-
-	for _, d := range edits.DeviceNodes {
-		if config.Linux == nil {
-			config.Linux = &spec.Linux{}
-		}
-		config.Linux.Devices = append(config.Linux.Devices, d.ToOCI())
-	}
-
-	for _, m := range edits.Mounts {
-		config.Mounts = append(config.Mounts, m.ToOCI())
-	}
-
-	for _, h := range edits.Hooks {
-		if config.Hooks == nil {
-			config.Hooks = &spec.Hooks{}
-		}
-		switch h.HookName {
-		case "prestart":
-			config.Hooks.Prestart = append(config.Hooks.Prestart, h.ToOCI())
-		case "createRuntime":
-			config.Hooks.CreateRuntime = append(config.Hooks.CreateRuntime, h.ToOCI())
-		case "createContainer":
-			config.Hooks.CreateContainer = append(config.Hooks.CreateContainer, h.ToOCI())
-		case "startContainer":
-			config.Hooks.StartContainer = append(config.Hooks.StartContainer, h.ToOCI())
-		case "poststart":
-			config.Hooks.Poststart = append(config.Hooks.Poststart, h.ToOCI())
-		case "poststop":
-			config.Hooks.Poststop = append(config.Hooks.Poststop, h.ToOCI())
-		default:
-			fmt.Printf("CDI: Unknown hook %q\n", h.HookName)
-		}
-	}
-
-	return nil
-}
-
-// ToOCI returns the opencontainers runtime Spec Hook for this Hook.
-func (h *Hook) ToOCI() spec.Hook {
-	return spec.Hook{
-		Path:    h.Path,
-		Args:    h.Args,
-		Env:     h.Env,
-		Timeout: h.Timeout,
-	}
-}
-
-// ToOCI returns the opencontainers runtime Spec Mount for this Mount.
-func (m *Mount) ToOCI() spec.Mount {
-	return spec.Mount{
-		Source:      m.HostPath,
-		Destination: m.ContainerPath,
-		Options:     m.Options,
-		Type:        m.Type,
-	}
-}
-
-// ToOCI returns the opencontainers runtime Spec LinuxDevice for this DeviceNode.
-func (d *DeviceNode) ToOCI() spec.LinuxDevice {
-	return spec.LinuxDevice{
-		Path:     d.Path,
-		Type:     d.Type,
-		Major:    d.Major,
-		Minor:    d.Minor,
-		FileMode: d.FileMode,
-		UID:      d.UID,
-		GID:      d.GID,
-	}
-}

vendor/github.com/opencontainers/runc/NOTICE

@@ -1,17 +0,0 @@
-runc
-
-Copyright 2012-2015 Docker, Inc.
-
-This product includes software developed at Docker, Inc. (http://www.docker.com).
-
-The following is courtesy of our legal counsel:
-
-
-Use and transfer of Docker may be subject to certain restrictions by the
-United States and other governments.  
-It is your responsibility to ensure that your use and/or transfer does not
-violate applicable laws. 
-
-For more information, please see http://www.bis.doc.gov
-
-See also http://www.apache.org/dev/crypto.html and/or seek legal counsel.

vendor/github.com/opencontainers/runc/libcontainer/devices/device.go

@@ -1,174 +0,0 @@
-package devices
-
-import (
-	"fmt"
-	"os"
-	"strconv"
-)
-
-const (
-	Wildcard = -1
-)
-
-type Device struct {
-	Rule
-
-	// Path to the device.
-	Path string `json:"path"`
-
-	// FileMode permission bits for the device.
-	FileMode os.FileMode `json:"file_mode"`
-
-	// Uid of the device.
-	Uid uint32 `json:"uid"`
-
-	// Gid of the device.
-	Gid uint32 `json:"gid"`
-}
-
-// Permissions is a cgroupv1-style string to represent device access. It
-// has to be a string for backward compatibility reasons, hence why it has
-// methods to do set operations.
-type Permissions string
-
-const (
-	deviceRead uint = (1 << iota)
-	deviceWrite
-	deviceMknod
-)
-
-func (p Permissions) toSet() uint {
-	var set uint
-	for _, perm := range p {
-		switch perm {
-		case 'r':
-			set |= deviceRead
-		case 'w':
-			set |= deviceWrite
-		case 'm':
-			set |= deviceMknod
-		}
-	}
-	return set
-}
-
-func fromSet(set uint) Permissions {
-	var perm string
-	if set&deviceRead == deviceRead {
-		perm += "r"
-	}
-	if set&deviceWrite == deviceWrite {
-		perm += "w"
-	}
-	if set&deviceMknod == deviceMknod {
-		perm += "m"
-	}
-	return Permissions(perm)
-}
-
-// Union returns the union of the two sets of Permissions.
-func (p Permissions) Union(o Permissions) Permissions {
-	lhs := p.toSet()
-	rhs := o.toSet()
-	return fromSet(lhs | rhs)
-}
-
-// Difference returns the set difference of the two sets of Permissions.
-// In set notation, A.Difference(B) gives you A\B.
-func (p Permissions) Difference(o Permissions) Permissions {
-	lhs := p.toSet()
-	rhs := o.toSet()
-	return fromSet(lhs &^ rhs)
-}
-
-// Intersection computes the intersection of the two sets of Permissions.
-func (p Permissions) Intersection(o Permissions) Permissions {
-	lhs := p.toSet()
-	rhs := o.toSet()
-	return fromSet(lhs & rhs)
-}
-
-// IsEmpty returns whether the set of permissions in a Permissions is
-// empty.
-func (p Permissions) IsEmpty() bool {
-	return p == Permissions("")
-}
-
-// IsValid returns whether the set of permissions is a subset of valid
-// permissions (namely, {r,w,m}).
-func (p Permissions) IsValid() bool {
-	return p == fromSet(p.toSet())
-}
-
-type Type rune
-
-const (
-	WildcardDevice Type = 'a'
-	BlockDevice    Type = 'b'
-	CharDevice     Type = 'c' // or 'u'
-	FifoDevice     Type = 'p'
-)
-
-func (t Type) IsValid() bool {
-	switch t {
-	case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
-		return true
-	default:
-		return false
-	}
-}
-
-func (t Type) CanMknod() bool {
-	switch t {
-	case BlockDevice, CharDevice, FifoDevice:
-		return true
-	default:
-		return false
-	}
-}
-
-func (t Type) CanCgroup() bool {
-	switch t {
-	case WildcardDevice, BlockDevice, CharDevice:
-		return true
-	default:
-		return false
-	}
-}
-
-type Rule struct {
-	// Type of device ('c' for char, 'b' for block). If set to 'a', this rule
-	// acts as a wildcard and all fields other than Allow are ignored.
-	Type Type `json:"type"`
-
-	// Major is the device's major number.
-	Major int64 `json:"major"`
-
-	// Minor is the device's minor number.
-	Minor int64 `json:"minor"`
-
-	// Permissions is the set of permissions that this rule applies to (in the
-	// cgroupv1 format -- any combination of "rwm").
-	Permissions Permissions `json:"permissions"`
-
-	// Allow specifies whether this rule is allowed.
-	Allow bool `json:"allow"`
-}
-
-func (d *Rule) CgroupString() string {
-	var (
-		major = strconv.FormatInt(d.Major, 10)
-		minor = strconv.FormatInt(d.Minor, 10)
-	)
-	if d.Major == Wildcard {
-		major = "*"
-	}
-	if d.Minor == Wildcard {
-		minor = "*"
-	}
-	return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
-}
-
-func (d *Rule) Mkdev() (uint64, error) {
-	return mkDev(d)
-}

vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go

@@ -1,120 +0,0 @@
-//go:build !windows
-// +build !windows
-
-package devices
-
-import (
-	"errors"
-	"os"
-	"path/filepath"
-
-	"golang.org/x/sys/unix"
-)
-
-// ErrNotADevice denotes that a file is not a valid linux device.
-var ErrNotADevice = errors.New("not a device node")
-
-// Testing dependencies
-var (
-	unixLstat = unix.Lstat
-	osReadDir = os.ReadDir
-)
-
-func mkDev(d *Rule) (uint64, error) {
-	if d.Major == Wildcard || d.Minor == Wildcard {
-		return 0, errors.New("cannot mkdev() device with wildcards")
-	}
-	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
-}
-
-// DeviceFromPath takes the path to a device and its cgroup_permissions (which
-// cannot be easily queried) to look up the information about a linux device
-// and returns that information as a Device struct.
-func DeviceFromPath(path, permissions string) (*Device, error) {
-	var stat unix.Stat_t
-	err := unixLstat(path, &stat)
-	if err != nil {
-		return nil, err
-	}
-
-	var (
-		devType   Type
-		mode      = stat.Mode
-		devNumber = uint64(stat.Rdev) //nolint:unconvert // Rdev is uint32 on e.g. MIPS.
-		major     = unix.Major(devNumber)
-		minor     = unix.Minor(devNumber)
-	)
-	switch mode & unix.S_IFMT {
-	case unix.S_IFBLK:
-		devType = BlockDevice
-	case unix.S_IFCHR:
-		devType = CharDevice
-	case unix.S_IFIFO:
-		devType = FifoDevice
-	default:
-		return nil, ErrNotADevice
-	}
-	return &Device{
-		Rule: Rule{
-			Type:        devType,
-			Major:       int64(major),
-			Minor:       int64(minor),
-			Permissions: Permissions(permissions),
-		},
-		Path:     path,
-		FileMode: os.FileMode(mode &^ unix.S_IFMT),
-		Uid:      stat.Uid,
-		Gid:      stat.Gid,
-	}, nil
-}
-
-// HostDevices returns all devices that can be found under /dev directory.
-func HostDevices() ([]*Device, error) {
-	return GetDevices("/dev")
-}
-
-// GetDevices recursively traverses a directory specified by path
-// and returns all devices found there.
-func GetDevices(path string) ([]*Device, error) {
-	files, err := osReadDir(path)
-	if err != nil {
-		return nil, err
-	}
-	var out []*Device
-	for _, f := range files {
-		switch {
-		case f.IsDir():
-			switch f.Name() {
-			// ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825
-			// ".udev" added to address https://github.com/opencontainers/runc/issues/2093
-			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev":
-				continue
-			default:
-				sub, err := GetDevices(filepath.Join(path, f.Name()))
-				if err != nil {
-					return nil, err
-				}
-
-				out = append(out, sub...)
-				continue
-			}
-		case f.Name() == "console":
-			continue
-		}
-		device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm")
-		if err != nil {
-			if errors.Is(err, ErrNotADevice) {
-				continue
-			}
-			if os.IsNotExist(err) {
-				continue
-			}
-			return nil, err
-		}
-		if device.Type == FifoDevice {
-			continue
-		}
-		out = append(out, device)
-	}
-	return out, nil
-}

vendor/github.com/opencontainers/runtime-spec/specs-go/config.go

@@ -33,6 +33,34 @@ type Spec struct {
 	ZOS *ZOS `json:"zos,omitempty" platform:"zos"`
 }
 
+// Scheduler represents the scheduling attributes for a process. It is based on
+// the Linux sched_setattr(2) syscall.
+type Scheduler struct {
+	// Policy represents the scheduling policy (e.g., SCHED_FIFO, SCHED_RR, SCHED_OTHER).
+	Policy LinuxSchedulerPolicy `json:"policy"`
+
+	// Nice is the nice value for the process, which affects its priority.
+	Nice int32 `json:"nice,omitempty"`
+
+	// Priority represents the static priority of the process.
+	Priority int32 `json:"priority,omitempty"`
+
+	// Flags is an array of scheduling flags.
+	Flags []LinuxSchedulerFlag `json:"flags,omitempty"`
+
+	// The following ones are used by the DEADLINE scheduler.
+
+	// Runtime is the amount of time in nanoseconds during which the process
+	// is allowed to run in a given period.
+	Runtime uint64 `json:"runtime,omitempty"`
+
+	// Deadline is the absolute deadline for the process to complete its execution.
+	Deadline uint64 `json:"deadline,omitempty"`
+
+	// Period is the length of the period in nanoseconds used for determining the process runtime.
+	Period uint64 `json:"period,omitempty"`
+}
+
 // Process contains information to start a specific application inside the container.
 type Process struct {
 	// Terminal creates an interactive terminal for the container.
@@ -60,8 +88,12 @@ type Process struct {
 	ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
 	// Specify an oom_score_adj for the container.
 	OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
+	// Scheduler specifies the scheduling attributes for a process
+	Scheduler *Scheduler `json:"scheduler,omitempty" platform:"linux"`
 	// SelinuxLabel specifies the selinux context that the container process is run as.
 	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
+	// IOPriority contains the I/O priority settings for the cgroup.
+	IOPriority *LinuxIOPriority `json:"ioPriority,omitempty" platform:"linux"`
 }
 
 // LinuxCapabilities specifies the list of allowed capabilities that are kept for a process.
@@ -79,6 +111,22 @@ type LinuxCapabilities struct {
 	Ambient []string `json:"ambient,omitempty" platform:"linux"`
 }
 
+// IOPriority represents I/O priority settings for the container's processes within the process group.
+type LinuxIOPriority struct {
+	Class    IOPriorityClass `json:"class"`
+	Priority int             `json:"priority"`
+}
+
+// IOPriorityClass represents an I/O scheduling class.
+type IOPriorityClass string
+
+// Possible values for IOPriorityClass.
+const (
+	IOPRIO_CLASS_RT   IOPriorityClass = "IOPRIO_CLASS_RT"
+	IOPRIO_CLASS_BE   IOPriorityClass = "IOPRIO_CLASS_BE"
+	IOPRIO_CLASS_IDLE IOPriorityClass = "IOPRIO_CLASS_IDLE"
+)
+
 // Box specifies dimensions of a rectangle. Used for specifying the size of a console.
 type Box struct {
 	// Height is the vertical dimension of a box.
@@ -789,3 +837,43 @@ type ZOSDevice struct {
 	// Gid of the device.
 	GID *uint32 `json:"gid,omitempty"`
 }
+
+// LinuxSchedulerPolicy represents different scheduling policies used with the Linux Scheduler
+type LinuxSchedulerPolicy string
+
+const (
+	// SchedOther is the default scheduling policy
+	SchedOther LinuxSchedulerPolicy = "SCHED_OTHER"
+	// SchedFIFO is the First-In-First-Out scheduling policy
+	SchedFIFO LinuxSchedulerPolicy = "SCHED_FIFO"
+	// SchedRR is the Round-Robin scheduling policy
+	SchedRR LinuxSchedulerPolicy = "SCHED_RR"
+	// SchedBatch is the Batch scheduling policy
+	SchedBatch LinuxSchedulerPolicy = "SCHED_BATCH"
+	// SchedISO is the Isolation scheduling policy
+	SchedISO LinuxSchedulerPolicy = "SCHED_ISO"
+	// SchedIdle is the Idle scheduling policy
+	SchedIdle LinuxSchedulerPolicy = "SCHED_IDLE"
+	// SchedDeadline is the Deadline scheduling policy
+	SchedDeadline LinuxSchedulerPolicy = "SCHED_DEADLINE"
+)
+
+// LinuxSchedulerFlag represents the flags used by the Linux Scheduler.
+type LinuxSchedulerFlag string
+
+const (
+	// SchedFlagResetOnFork represents the reset on fork scheduling flag
+	SchedFlagResetOnFork LinuxSchedulerFlag = "SCHED_FLAG_RESET_ON_FORK"
+	// SchedFlagReclaim represents the reclaim scheduling flag
+	SchedFlagReclaim LinuxSchedulerFlag = "SCHED_FLAG_RECLAIM"
+	// SchedFlagDLOverrun represents the deadline overrun scheduling flag
+	SchedFlagDLOverrun LinuxSchedulerFlag = "SCHED_FLAG_DL_OVERRUN"
+	// SchedFlagKeepPolicy represents the keep policy scheduling flag
+	SchedFlagKeepPolicy LinuxSchedulerFlag = "SCHED_FLAG_KEEP_POLICY"
+	// SchedFlagKeepParams represents the keep parameters scheduling flag
+	SchedFlagKeepParams LinuxSchedulerFlag = "SCHED_FLAG_KEEP_PARAMS"
+	// SchedFlagUtilClampMin represents the utilization clamp minimum scheduling flag
+	SchedFlagUtilClampMin LinuxSchedulerFlag = "SCHED_FLAG_UTIL_CLAMP_MIN"
+	// SchedFlagUtilClampMin represents the utilization clamp maximum scheduling flag
+	SchedFlagUtilClampMax LinuxSchedulerFlag = "SCHED_FLAG_UTIL_CLAMP_MAX"
+)

vendor/github.com/opencontainers/runtime-spec/specs-go/version.go

@@ -11,7 +11,7 @@ const (
 	VersionPatch = 0
 
 	// VersionDev indicates development branch. Releases will be empty string.
-	VersionDev = "-rc.2"
+	VersionDev = ""
 )
 
 // Version is the specification version that the package types support.

vendor/modules.txt

@@ -2,14 +2,6 @@
 ## explicit; go 1.15
 github.com/NVIDIA/go-nvml/pkg/dl
 github.com/NVIDIA/go-nvml/pkg/nvml
-# github.com/container-orchestrated-devices/container-device-interface v0.6.0
-## explicit; go 1.17
-github.com/container-orchestrated-devices/container-device-interface/internal/multierror
-github.com/container-orchestrated-devices/container-device-interface/internal/validation
-github.com/container-orchestrated-devices/container-device-interface/internal/validation/k8s
-github.com/container-orchestrated-devices/container-device-interface/pkg/cdi
-github.com/container-orchestrated-devices/container-device-interface/pkg/parser
-github.com/container-orchestrated-devices/container-device-interface/specs-go
 # github.com/cpuguy83/go-md2man/v2 v2.0.2
 ## explicit; go 1.11
 github.com/cpuguy83/go-md2man/v2/md2man
@@ -23,10 +15,7 @@ github.com/fsnotify/fsnotify
 ## explicit
 # github.com/kr/pretty v0.3.1
 ## explicit; go 1.12
-# github.com/opencontainers/runc v1.1.6
-## explicit; go 1.17
-github.com/opencontainers/runc/libcontainer/devices
-# github.com/opencontainers/runtime-spec v1.1.0-rc.2
+# github.com/opencontainers/runtime-spec v1.1.0
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
 # github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626
@@ -89,3 +78,13 @@ gopkg.in/yaml.v3
 # sigs.k8s.io/yaml v1.3.0
 ## explicit; go 1.12
 sigs.k8s.io/yaml
+# tags.cncf.io/container-device-interface v0.6.2
+## explicit; go 1.19
+tags.cncf.io/container-device-interface/internal/multierror
+tags.cncf.io/container-device-interface/internal/validation
+tags.cncf.io/container-device-interface/internal/validation/k8s
+tags.cncf.io/container-device-interface/pkg/cdi
+tags.cncf.io/container-device-interface/pkg/parser
+# tags.cncf.io/container-device-interface/specs-go v0.6.0
+## explicit; go 1.19
+tags.cncf.io/container-device-interface/specs-go

vendor/tags.cncf.io/container-device-interface/internal/validation/k8s/objectmeta.go

@@ -23,7 +23,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/container-orchestrated-devices/container-device-interface/internal/multierror"
+	"tags.cncf.io/container-device-interface/internal/multierror"
 )
 
 // TotalAnnotationSizeLimitB defines the maximum size of all annotations in characters.

vendor/tags.cncf.io/container-device-interface/internal/validation/validate.go

@@ -20,7 +20,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/container-orchestrated-devices/container-device-interface/internal/validation/k8s"
+	"tags.cncf.io/container-device-interface/internal/validation/k8s"
 )
 
 // ValidateSpecAnnotations checks whether spec annotations are valid.

vendor/tags.cncf.io/container-device-interface/pkg/cdi/annotations.go

@@ -21,7 +21,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/parser"
+	"tags.cncf.io/container-device-interface/pkg/parser"
 )
 
 const (

vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go

@@ -26,10 +26,10 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/container-orchestrated-devices/container-device-interface/internal/multierror"
-	cdi "github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	"github.com/fsnotify/fsnotify"
 	oci "github.com/opencontainers/runtime-spec/specs-go"
+	"tags.cncf.io/container-device-interface/internal/multierror"
+	cdi "tags.cncf.io/container-device-interface/specs-go"
 )
 
 // Option is an option to change some aspect of default CDI behavior.
@@ -49,7 +49,7 @@ type Cache struct {
 }
 
 // WithAutoRefresh returns an option to control automatic Cache refresh.
-// By default auto-refresh is enabled, the list of Spec directories are
+// By default, auto-refresh is enabled, the list of Spec directories are
 // monitored and the Cache is automatically refreshed whenever a change
 // is detected. This option can be used to disable this behavior when a
 // manually refreshed mode is preferable.
@@ -203,7 +203,7 @@ func (c *Cache) refresh() error {
 // RefreshIfRequired triggers a refresh if necessary.
 func (c *Cache) refreshIfRequired(force bool) (bool, error) {
 	// We need to refresh if
-	// - it's forced by an explicitly call to Refresh() in manual mode
+	// - it's forced by an explicit call to Refresh() in manual mode
 	// - a missing Spec dir appears (added to watch) in auto-refresh mode
 	if force || (c.autoRefresh && c.watch.update(c.dirErrors)) {
 		return true, c.refresh()
@@ -244,7 +244,7 @@ func (c *Cache) InjectDevices(ociSpec *oci.Spec, devices ...string) ([]string, e
 
 	if unresolved != nil {
 		return unresolved, fmt.Errorf("unresolvable CDI devices %s",
-			strings.Join(devices, ", "))
+			strings.Join(unresolved, ", "))
 	}
 
 	if err := edits.Apply(ociSpec); err != nil {

vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go

@@ -24,9 +24,9 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	oci "github.com/opencontainers/runtime-spec/specs-go"
 	ocigen "github.com/opencontainers/runtime-tools/generate"
+	"tags.cncf.io/container-device-interface/specs-go"
 )
 
 const (

vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_unix.go

@@ -20,11 +20,42 @@
 package cdi
 
 import (
+	"errors"
 	"fmt"
 
-	runc "github.com/opencontainers/runc/libcontainer/devices"
+	"golang.org/x/sys/unix"
 )
 
+const (
+	blockDevice = "b"
+	charDevice  = "c" // or "u"
+	fifoDevice  = "p"
+)
+
+// deviceInfoFromPath takes the path to a device and returns its type,
+// major and minor device numbers.
+//
+// It was adapted from https://github.com/opencontainers/runc/blob/v1.1.9/libcontainer/devices/device_unix.go#L30-L69
+func deviceInfoFromPath(path string) (devType string, major, minor int64, _ error) {
+	var stat unix.Stat_t
+	err := unix.Lstat(path, &stat)
+	if err != nil {
+		return "", 0, 0, err
+	}
+	switch stat.Mode & unix.S_IFMT {
+	case unix.S_IFBLK:
+		devType = blockDevice
+	case unix.S_IFCHR:
+		devType = charDevice
+	case unix.S_IFIFO:
+		devType = fifoDevice
+	default:
+		return "", 0, 0, errors.New("not a device node")
+	}
+	devNumber := uint64(stat.Rdev) //nolint:unconvert // Rdev is uint32 on e.g. MIPS.
+	return devType, int64(unix.Major(devNumber)), int64(unix.Minor(devNumber)), nil
+}
+
 // fillMissingInfo fills in missing mandatory attributes from the host device.
 func (d *DeviceNode) fillMissingInfo() error {
 	if d.HostPath == "" {
@@ -35,22 +66,22 @@ func (d *DeviceNode) fillMissingInfo() error {
 		return nil
 	}
 
-	hostDev, err := runc.DeviceFromPath(d.HostPath, "rwm")
+	deviceType, major, minor, err := deviceInfoFromPath(d.HostPath)
 	if err != nil {
 		return fmt.Errorf("failed to stat CDI host device %q: %w", d.HostPath, err)
 	}
 
 	if d.Type == "" {
-		d.Type = string(hostDev.Type)
+		d.Type = deviceType
 	} else {
-		if d.Type != string(hostDev.Type) {
+		if d.Type != deviceType {
 			return fmt.Errorf("CDI device (%q, %q), host type mismatch (%s, %s)",
-				d.Path, d.HostPath, d.Type, string(hostDev.Type))
+				d.Path, d.HostPath, d.Type, deviceType)
 		}
 	}
 	if d.Major == 0 && d.Type != "p" {
-		d.Major = hostDev.Major
-		d.Minor = hostDev.Minor
+		d.Major = major
+		d.Minor = minor
 	}
 
 	return nil

vendor/tags.cncf.io/container-device-interface/pkg/cdi/device.go

@@ -19,10 +19,10 @@ package cdi
 import (
 	"fmt"
 
-	"github.com/container-orchestrated-devices/container-device-interface/internal/validation"
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/parser"
-	cdi "github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	oci "github.com/opencontainers/runtime-spec/specs-go"
+	"tags.cncf.io/container-device-interface/internal/validation"
+	"tags.cncf.io/container-device-interface/pkg/parser"
+	cdi "tags.cncf.io/container-device-interface/specs-go"
 )
 
 // Device represents a CDI device of a Spec.

vendor/tags.cncf.io/container-device-interface/pkg/cdi/doc.go

@@ -2,9 +2,9 @@
 // interacting with CDI and consuming CDI devices.
 //
 // For more information about Container Device Interface, please refer to
-// https://github.com/container-orchestrated-devices/container-device-interface
+// https://tags.cncf.io/container-device-interface
 //
-// Container Device Interface
+// # Container Device Interface
 //
 // Container Device Interface, or CDI for short, provides comprehensive
 // third party device support for container runtimes. CDI uses vendor
@@ -29,7 +29,7 @@
 // the vast majority of CDI consumers need. The API should be usable both
 // by OCI runtime clients and runtime implementations.
 //
-// CDI Registry
+// # CDI Registry
 //
 // The primary interface to interact with CDI devices is the Registry. It
 // is essentially a cache of all Specs and devices discovered in standard
@@ -37,34 +37,34 @@
 // injecting devices into an OCI Spec and refreshing the cache of CDI
 // Specs and devices.
 //
-// Device Injection
+// # Device Injection
 //
 // Using the Registry one can inject CDI devices into a container with code
 // similar to the following snippet:
 //
-//  import (
-//      "fmt"
-//      "strings"
+//	import (
+//	    "fmt"
+//	    "strings"
 //
-//      log "github.com/sirupsen/logrus"
+//	    log "github.com/sirupsen/logrus"
 //
-//      "github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-//      oci "github.com/opencontainers/runtime-spec/specs-go"
-//  )
+//	    "tags.cncf.io/container-device-interface/pkg/cdi"
+//	    oci "github.com/opencontainers/runtime-spec/specs-go"
+//	)
 //
-//  func injectCDIDevices(spec *oci.Spec, devices []string) error {
-//      log.Debug("pristine OCI Spec: %s", dumpSpec(spec))
+//	func injectCDIDevices(spec *oci.Spec, devices []string) error {
+//	    log.Debug("pristine OCI Spec: %s", dumpSpec(spec))
 //
-//      unresolved, err := cdi.GetRegistry().InjectDevices(spec, devices)
-//      if err != nil {
-//          return fmt.Errorf("CDI device injection failed: %w", err)
-//      }
+//	    unresolved, err := cdi.GetRegistry().InjectDevices(spec, devices)
+//	    if err != nil {
+//	        return fmt.Errorf("CDI device injection failed: %w", err)
+//	    }
 //
-//      log.Debug("CDI-updated OCI Spec: %s", dumpSpec(spec))
-//      return nil
-//  }
+//	    log.Debug("CDI-updated OCI Spec: %s", dumpSpec(spec))
+//	    return nil
+//	}
 //
-// Cache Refresh
+// # Cache Refresh
 //
 // By default the CDI Spec cache monitors the configured Spec directories
 // and automatically refreshes itself when necessary. This behavior can be
@@ -85,42 +85,42 @@
 // CDI Spec cache is up to date before performing device injection.
 // A code snippet similar to the following accmplishes that:
 //
-//  import (
-//      "fmt"
-//      "strings"
+//	import (
+//	    "fmt"
+//	    "strings"
 //
-//      log "github.com/sirupsen/logrus"
+//	    log "github.com/sirupsen/logrus"
 //
-//      "github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
-//      oci "github.com/opencontainers/runtime-spec/specs-go"
-//  )
+//	    "tags.cncf.io/container-device-interface/pkg/cdi"
+//	    oci "github.com/opencontainers/runtime-spec/specs-go"
+//	)
 //
-//  func injectCDIDevices(spec *oci.Spec, devices []string) error {
-//      registry := cdi.GetRegistry()
+//	func injectCDIDevices(spec *oci.Spec, devices []string) error {
+//	    registry := cdi.GetRegistry()
 //
-//      if err := registry.Refresh(); err != nil {
-//          // Note:
-//          //   It is up to the implementation to decide whether
-//          //   to abort injection on errors. A failed Refresh()
-//          //   does not necessarily render the registry unusable.
-//          //   For instance, a parse error in a Spec file for
-//          //   vendor A does not have any effect on devices of
-//          //   vendor B...
-//          log.Warnf("pre-injection Refresh() failed: %v", err)
-//      }
+//	    if err := registry.Refresh(); err != nil {
+//	        // Note:
+//	        //   It is up to the implementation to decide whether
+//	        //   to abort injection on errors. A failed Refresh()
+//	        //   does not necessarily render the registry unusable.
+//	        //   For instance, a parse error in a Spec file for
+//	        //   vendor A does not have any effect on devices of
+//	        //   vendor B...
+//	        log.Warnf("pre-injection Refresh() failed: %v", err)
+//	    }
 //
-//      log.Debug("pristine OCI Spec: %s", dumpSpec(spec))
+//	    log.Debug("pristine OCI Spec: %s", dumpSpec(spec))
 //
-//      unresolved, err := registry.InjectDevices(spec, devices)
-//      if err != nil {
-//          return fmt.Errorf("CDI device injection failed: %w", err)
-//      }
+//	    unresolved, err := registry.InjectDevices(spec, devices)
+//	    if err != nil {
+//	        return fmt.Errorf("CDI device injection failed: %w", err)
+//	    }
 //
-//      log.Debug("CDI-updated OCI Spec: %s", dumpSpec(spec))
-//      return nil
-//  }
+//	    log.Debug("CDI-updated OCI Spec: %s", dumpSpec(spec))
+//	    return nil
+//	}
 //
-// Generated Spec Files, Multiple Directories, Device Precedence
+// # Generated Spec Files, Multiple Directories, Device Precedence
 //
 // It is often necessary to generate Spec files dynamically. On some
 // systems the available or usable set of CDI devices might change
@@ -149,7 +149,7 @@
 // '/etc/cdi' while all the dynamically generated Spec files, transient
 // or other, go into '/var/run/cdi'.
 //
-// Spec File Generation
+// # Spec File Generation
 //
 // CDI offers two functions for writing and removing dynamically generated
 // Specs from CDI Spec directories. These functions, WriteSpec() and
@@ -169,33 +169,35 @@
 // code snippet similar to the following:
 //
 // import (
-//     "fmt"
-//     ...
-//     "github.com/container-orchestrated-devices/container-device-interface/specs-go"
-//     "github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+//
+//	"fmt"
+//	...
+//	"tags.cncf.io/container-device-interface/specs-go"
+//	"tags.cncf.io/container-device-interface/pkg/cdi"
+//
 // )
 //
-// func generateDeviceSpecs() error {
-//     registry := cdi.GetRegistry()
-//     spec := &specs.Spec{
-//         Version: specs.CurrentVersion,
-//         Kind:    vendor+"/"+class,
-//     }
+//	func generateDeviceSpecs() error {
+//	    registry := cdi.GetRegistry()
+//	    spec := &specs.Spec{
+//	        Version: specs.CurrentVersion,
+//	        Kind:    vendor+"/"+class,
+//	    }
 //
-//     for _, dev := range enumerateDevices() {
-//         spec.Devices = append(spec.Devices, specs.Device{
-//             Name: dev.Name,
-//             ContainerEdits: getContainerEditsForDevice(dev),
-//         })
-//     }
+//	    for _, dev := range enumerateDevices() {
+//	        spec.Devices = append(spec.Devices, specs.Device{
+//	            Name: dev.Name,
+//	            ContainerEdits: getContainerEditsForDevice(dev),
+//	        })
+//	    }
 //
-//     specName, err := cdi.GenerateNameForSpec(spec)
-//     if err != nil {
-//         return fmt.Errorf("failed to generate Spec name: %w", err)
-//     }
+//	    specName, err := cdi.GenerateNameForSpec(spec)
+//	    if err != nil {
+//	        return fmt.Errorf("failed to generate Spec name: %w", err)
+//	    }
 //
-//     return registry.SpecDB().WriteSpec(spec, specName)
-// }
+//	    return registry.SpecDB().WriteSpec(spec, specName)
+//	}
 //
 // Similarly, generating and later cleaning up transient Spec files can be
 // done with code fragments similar to the following. These transient Spec
@@ -204,53 +206,55 @@
 // and removed once that container is removed.
 //
 // import (
-//     "fmt"
-//     ...
-//     "github.com/container-orchestrated-devices/container-device-interface/specs-go"
-//     "github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+//
+//	"fmt"
+//	...
+//	"tags.cncf.io/container-device-interface/specs-go"
+//	"tags.cncf.io/container-device-interface/pkg/cdi"
+//
 // )
 //
-// func generateTransientSpec(ctr Container) error {
-//     registry := cdi.GetRegistry()
-//     devices := getContainerDevs(ctr, vendor, class)
-//     spec := &specs.Spec{
-//         Version: specs.CurrentVersion,
-//         Kind:    vendor+"/"+class,
-//     }
+//	func generateTransientSpec(ctr Container) error {
+//	    registry := cdi.GetRegistry()
+//	    devices := getContainerDevs(ctr, vendor, class)
+//	    spec := &specs.Spec{
+//	        Version: specs.CurrentVersion,
+//	        Kind:    vendor+"/"+class,
+//	    }
 //
-//     for _, dev := range devices {
-//         spec.Devices = append(spec.Devices, specs.Device{
-//             // the generated name needs to be unique within the
-//             // vendor/class domain on the host/node.
-//             Name: generateUniqueDevName(dev, ctr),
-//             ContainerEdits: getEditsForContainer(dev),
-//         })
-//     }
+//	    for _, dev := range devices {
+//	        spec.Devices = append(spec.Devices, specs.Device{
+//	            // the generated name needs to be unique within the
+//	            // vendor/class domain on the host/node.
+//	            Name: generateUniqueDevName(dev, ctr),
+//	            ContainerEdits: getEditsForContainer(dev),
+//	        })
+//	    }
 //
-//     // transientID is expected to guarantee that the Spec file name
-//     // generated using <vendor, class, transientID> is unique within
-//     // the host/node. If more than one device is allocated with the
-//     // same vendor/class domain, either all generated Spec entries
-//     // should go to a single Spec file (like in this sample snippet),
-//     // or transientID should be unique for each generated Spec file.
-//     transientID := getSomeSufficientlyUniqueIDForContainer(ctr)
-//     specName, err := cdi.GenerateNameForTransientSpec(vendor, class, transientID)
-//     if err != nil {
-//         return fmt.Errorf("failed to generate Spec name: %w", err)
-//     }
+//	    // transientID is expected to guarantee that the Spec file name
+//	    // generated using <vendor, class, transientID> is unique within
+//	    // the host/node. If more than one device is allocated with the
+//	    // same vendor/class domain, either all generated Spec entries
+//	    // should go to a single Spec file (like in this sample snippet),
+//	    // or transientID should be unique for each generated Spec file.
+//	    transientID := getSomeSufficientlyUniqueIDForContainer(ctr)
+//	    specName, err := cdi.GenerateNameForTransientSpec(vendor, class, transientID)
+//	    if err != nil {
+//	        return fmt.Errorf("failed to generate Spec name: %w", err)
+//	    }
 //
-//     return registry.SpecDB().WriteSpec(spec, specName)
-// }
+//	    return registry.SpecDB().WriteSpec(spec, specName)
+//	}
 //
-// func removeTransientSpec(ctr Container) error {
-//     registry := cdi.GetRegistry()
-//     transientID := getSomeSufficientlyUniqueIDForContainer(ctr)
-//     specName := cdi.GenerateNameForTransientSpec(vendor, class, transientID)
+//	func removeTransientSpec(ctr Container) error {
+//	    registry := cdi.GetRegistry()
+//	    transientID := getSomeSufficientlyUniqueIDForContainer(ctr)
+//	    specName := cdi.GenerateNameForTransientSpec(vendor, class, transientID)
 //
-//     return registry.SpecDB().RemoveSpec(specName)
-// }
+//	    return registry.SpecDB().RemoveSpec(specName)
+//	}
 //
-// CDI Spec Validation
+// # CDI Spec Validation
 //
 // This package performs both syntactic and semantic validation of CDI
 // Spec file data when a Spec file is loaded via the registry or using

vendor/tags.cncf.io/container-device-interface/pkg/cdi/qualified-device.go

@@ -17,7 +17,7 @@
 package cdi
 
 import (
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/parser"
+	"tags.cncf.io/container-device-interface/pkg/parser"
 )
 
 // QualifiedName returns the qualified name for a device.

vendor/tags.cncf.io/container-device-interface/pkg/cdi/registry.go

@@ -19,8 +19,8 @@ package cdi
 import (
 	"sync"
 
-	cdi "github.com/container-orchestrated-devices/container-device-interface/specs-go"
 	oci "github.com/opencontainers/runtime-spec/specs-go"
+	cdi "tags.cncf.io/container-device-interface/specs-go"
 )
 
 // Registry keeps a cache of all CDI Specs installed or generated on

vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go

@@ -28,8 +28,8 @@ import (
 	oci "github.com/opencontainers/runtime-spec/specs-go"
 	"sigs.k8s.io/yaml"
 
-	"github.com/container-orchestrated-devices/container-device-interface/internal/validation"
-	cdi "github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/internal/validation"
+	cdi "tags.cncf.io/container-device-interface/specs-go"
 )
 
 const (

vendor/tags.cncf.io/container-device-interface/pkg/cdi/version.go

@@ -21,8 +21,8 @@ import (
 
 	"golang.org/x/mod/semver"
 
-	"github.com/container-orchestrated-devices/container-device-interface/pkg/parser"
-	cdi "github.com/container-orchestrated-devices/container-device-interface/specs-go"
+	"tags.cncf.io/container-device-interface/pkg/parser"
+	cdi "tags.cncf.io/container-device-interface/specs-go"
 )
 
 const (

vendor/tags.cncf.io/container-device-interface/specs-go/LICENSE

@@ -1,4 +1,3 @@
-
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -176,7 +175,18 @@
 
    END OF TERMS AND CONDITIONS
 
-   Copyright 2014 Docker, Inc.
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.