Merge pull request #1157 from NVIDIA/dependabot/docker/deployments/container/release-1.17/nvidia/cuda-12.9.1-base-ubuntu20.04

Bump nvidia/cuda from 12.9.0-base-ubuntu20.04 to 12.9.1-base-ubuntu20.04 in /deployments/container

.common-ci.yml

@@ -178,10 +178,13 @@ test-packaging:
     OUT_IMAGE_VERSION: "${CI_COMMIT_SHORT_SHA}"
   before_script:
     - !reference [.regctl-setup, before_script]
-    # We ensure that the components of the output image are set:
-    - 'echo Image Name: ${OUT_IMAGE_NAME} ; [[ -n "${OUT_IMAGE_NAME}" ]] || exit 1'
+
+    # We ensure that the OUT_IMAGE_VERSION is set
     - 'echo Version: ${OUT_IMAGE_VERSION} ; [[ -n "${OUT_IMAGE_VERSION}" ]] || exit 1'
 
+    # In the case where we are deploying a different version to the CI_COMMIT_SHA, we
+    # need to tag the image.
+    # Note: a leading 'v' is stripped from the version if present
     - apk add --no-cache make bash
   script:
     # Log in to the "output" registry, tag the image and push the image
@@ -201,10 +204,10 @@ test-packaging:
   extends:
     - .release
   variables:
-    OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}"
-    OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}"
-    OUT_REGISTRY: "${NGC_REGISTRY}"
-    OUT_IMAGE_NAME: "${NGC_REGISTRY_STAGING_IMAGE_NAME}"
+    OUT_REGISTRY_USER: "${CI_REGISTRY_USER}"
+    OUT_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}"
+    OUT_REGISTRY: "${CI_REGISTRY}"
+    OUT_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/staging/container-toolkit"
 
 # Define an external release step that pushes an image to an external repository.
 # This includes a devlopment image off main.

.github/copy-pr-bot.yaml

@@ -1,3 +0,0 @@
-# https://docs.gha-runners.nvidia.com/apps/copy-pr-bot/#configuration
-
-enabled: true

.github/workflows/e2e.yaml

@@ -70,25 +70,20 @@ jobs:
 
       - name: Run e2e tests
         env:
-          E2E_INSTALL_CTK: "true"
-          E2E_IMAGE_NAME: ghcr.io/nvidia/container-toolkit
-          E2E_IMAGE_TAG: ${{ inputs.version }}-ubuntu20.04
+          IMAGE_NAME: ghcr.io/nvidia/container-toolkit
+          VERSION: ${{ inputs.version }}
+          SSH_KEY: ${{ secrets.AWS_SSH_KEY }}
           E2E_SSH_USER: ${{ secrets.E2E_SSH_USER }}
           E2E_SSH_HOST: ${{ steps.holodeck_public_dns_name.outputs.result }}
+          E2E_INSTALL_CTK: "true"
         run: |
           e2e_ssh_key=$(mktemp)
-          echo "${{ secrets.AWS_SSH_KEY }}" > "$e2e_ssh_key"
+          echo "$SSH_KEY" > "$e2e_ssh_key"
           chmod 600 "$e2e_ssh_key"
           export E2E_SSH_KEY="$e2e_ssh_key"
 
           make -f tests/e2e/Makefile test
 
-      - name: Archive Ginkgo logs
-        uses: actions/upload-artifact@v4
-        with:
-          name: ginkgo-logs
-          path: ginkgo.json
-          retention-days: 15
       - name: Send Slack alert notification
         if: ${{ failure() }}
         uses: slackapi/slack-github-action@v2.1.0
@@ -99,5 +94,5 @@ jobs:
             channel: ${{ secrets.SLACK_CHANNEL_ID }}
             text: |
               :x: On repository ${{ github.repository }}, the Workflow *${{ github.workflow }}* has failed.
-
+      
               Details: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/golang.yaml

@@ -30,73 +30,54 @@ jobs:
     steps:
     - uses: actions/checkout@v4
       name: Checkout code
-
     - name: Get Golang version
       id: vars
       run: |
         GOLANG_VERSION=$(./hack/golang-version.sh)
         echo "GOLANG_VERSION=${GOLANG_VERSION##GOLANG_VERSION := }" >> $GITHUB_ENV
-
     - name: Install Go
       uses: actions/setup-go@v5
       with:
         go-version: ${{ env.GOLANG_VERSION }}
-
     - name: Lint
-      uses: golangci/golangci-lint-action@v8
+      uses: golangci/golangci-lint-action@v6
       with:
         version: latest
         args: -v --timeout 5m
         skip-cache: true
-
     - name: Check golang modules
       run: | 
         make check-vendor
         make -C deployments/devel check-modules
-
   test:
     name: Unit test
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
       - name: Get Golang version
         id: vars
         run: |
           GOLANG_VERSION=$(./hack/golang-version.sh)
           echo "GOLANG_VERSION=${GOLANG_VERSION##GOLANG_VERSION := }" >> $GITHUB_ENV
-
       - name: Install Go
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GOLANG_VERSION }}
-      
-      - name: Run unit tests and generate coverage report
-        run: make coverage
-
-      - name: Upload to Coveralls
-        uses: coverallsapp/github-action@v2
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          file: coverage.out
-
+      - run: make test
   build:
     name: Build
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
       - name: Get Golang version
         id: vars
         run: |
           GOLANG_VERSION=$(./hack/golang-version.sh)
           echo "GOLANG_VERSION=${GOLANG_VERSION##GOLANG_VERSION ?= }" >> $GITHUB_ENV
-
       - name: Install Go
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GOLANG_VERSION }}
-
       - run: make build

.github/workflows/image.yaml

@@ -27,7 +27,7 @@ on:
 
 jobs:
   packages:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     strategy:
       matrix:
         target:
@@ -49,7 +49,7 @@ jobs:
           - ispr: true
             target: centos8-ppc64le
       fail-fast: false
-
+      
     steps:
       - uses: actions/checkout@v4
         name: Check out code
@@ -76,7 +76,7 @@ jobs:
           path: ${{ github.workspace }}/dist/*
 
   image:
-    runs-on: ubuntu-latest
+    runs-on: linux-amd64-cpu4
     strategy:
       matrix:
         dist:

.gitignore

@@ -1,11 +1,13 @@
-/dist
-/artifacts
+dist
+artifacts
 *.swp
 *.swo
 /coverage.out*
 /tests/output/
-/nvidia-*
+/nvidia-container-runtime
+/nvidia-container-runtime.*
+/nvidia-container-runtime-hook
+/nvidia-container-toolkit
+/nvidia-ctk
 /shared-*
-/release-*
-/bin
-/toolkit-test
+/release-*

.gitlab-ci.yml

@@ -176,6 +176,12 @@ image-packaging:
       optional: true
 
 # Define publish test helpers
+.test:toolkit:
+  extends:
+    - .integration
+  variables:
+    TEST_CASES: "toolkit"
+
 .test:docker:
   extends:
     - .integration

.golangci.yml

@@ -1,72 +1,43 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+run:
+  timeout: 10m
 
-version: "2"
 linters:
   enable:
     - contextcheck
     - gocritic
-    - gosec
-    - misspell
-    - unconvert
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    rules:
-      # Exclude the gocritic dupSubExpr issue for cgo files.
-      - linters:
-          - gocritic
-        path: internal/dxcore/dxcore.go
-        text: dupSubExpr
-      # Exclude the checks for usage of returns to config.Delete(Path) in the
-      # crio and containerd config packages.
-      - linters:
-          - errcheck
-        path: pkg/config/engine/
-        text: config.Delete
-      # RENDERD refers to the Render Device and not the past tense of render.
-      - linters:
-          - misspell
-        path: .*.go
-        text: '`RENDERD` is a misspelling of `RENDERED`'
-      # The legacy hook relies on spec.Hooks.Prestart, which is deprecated as of
-      # the v1.2.0 OCI runtime spec.
-      - path: (.+)\.go$
-        text: SA1019:(.+).Prestart is deprecated(.+)
-      # TODO: We should address each of the following integer overflows.
-      - path: (.+)\.go$
-        text: 'G115: integer overflow conversion(.+)'
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
-formatters:
-  enable:
     - gofmt
     - goimports
-  settings:
-    goimports:
-      local-prefixes:
-        - github.com/NVIDIA/nvidia-container-toolkit
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - staticcheck
+    - unconvert
+
+linters-settings:
+  goimports:
+    local-prefixes: github.com/NVIDIA/nvidia-container-toolkit
+
+issues:
+  exclude:
+  # The legacy hook relies on spec.Hooks.Prestart, which is deprecated as of the v1.2.0 OCI runtime spec.
+  - "SA1019:(.+).Prestart is deprecated(.+)"
+  # TODO: We should address each of the following integer overflows.
+  - "G115: integer overflow conversion(.+)"
+  exclude-rules:
+  # Exclude the gocritic dupSubExpr issue for cgo files.
+  - path: internal/dxcore/dxcore.go
+    linters:
+    - gocritic
+    text: dupSubExpr
+  # Exclude the checks for usage of returns to config.Delete(Path) in the crio and containerd config packages.
+  - path: pkg/config/engine/
+    linters:
+    - errcheck
+    text: config.Delete
+  # RENDERD refers to the Render Device and not the past tense of render.
+  - path: .*.go
+    linters:
+    - misspell
+    text: "`RENDERD` is a misspelling of `RENDERED`"

.nvidia-ci.yml

@@ -204,6 +204,23 @@ release:packages:kitmaker:
   extends:
     - .release:packages
 
+release:archive:
+  extends:
+    - .release:external
+  needs:
+    - image-packaging
+  variables:
+    VERSION: "${CI_COMMIT_SHORT_SHA}"
+    PACKAGE_REGISTRY: "${CI_REGISTRY}"
+    PACKAGE_REGISTRY_USER: "${CI_REGISTRY_USER}"
+    PACKAGE_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}"
+    PACKAGE_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit"
+    PACKAGE_IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}-packaging"
+    PACKAGE_ARCHIVE_ARTIFACTORY_REPO: "${ARTIFACTORY_REPO_BASE}-generic-local/${PACKAGE_ARCHIVE_RELEASE_FOLDER}"
+  script:
+    - apk add --no-cache bash git
+    - ./scripts/archive-packages.sh "${PACKAGE_ARCHIVE_ARTIFACTORY_REPO}"
+
 release:staging-ubuntu20.04:
   extends:
     - .release:staging

CHANGELOG.md

@@ -1,5 +1,61 @@
 # NVIDIA Container Toolkit Changelog
 
+## v1.17.8
+
+- Updated the ordering of Mounts in CDI to have a deterministic output. This makes testing more consistent.
+- Added NVIDIA_CTK_DEBUG envvar to hooks.
+
+### Changes in libnvidia-container
+
+- Fixed bug in setting default for `--cuda-compat-mode` flag. This caused failures in use cases invoking the `nvidia-container-cli` directly.
+- Added additional logging to the `nvidia-container-cli`.
+- Fixed variable initialisation when updating the ldcache. This caused failures on Arch linux or other platforms where the `nvidia-container-cli` was built from source.
+
+## v1.17.7
+
+- Fix mode detection on Thor-based systems. This correctly resolves `auto` mode to `csv`.
+- Fix resolution of libs in LDCache on ARM. This fixes CDI spec generation on ARM-based systems using NVML.
+- Run update-ldcache hook in isolated namespaces.
+
+### Changes in the Toolkit Container
+
+- Bump CUDA base image version to 12.9.0
+
+### Changes in libnvidia-container
+
+- Add `--cuda-compat-mode` flag to the `nvidia-container-cli configure` command.
+
+## v1.17.6
+
+### Changes in the Toolkit Container
+
+- Allow container runtime executable path to be specified when configuring containerd.
+- Bump CUDA base image version to 12.8.1
+
+### Changes in libnvidia-container
+
+- Skip files when user has insufficient permissions. This prevents errors when discovering IPC sockets when the `nvidia-container-cli` is run as a non-root user.
+- Fix building with Go 1.24
+- Fix some typos in text.
+
+## v1.17.5
+
+- Allow the `enabled-cuda-compat` hook to be skipped when generating CDI specifications. This improves compatibility with older NVIDIA Container Toolkit installations. The hook is explicitly ignored for management CDI specifications.
+- Add IMEX binaries to CDI discovery. This includes the IMEX Daemon and IMEX Control binaries in containers.
+- Fix bug that may overwrite docker feature flags when configuring CDI from the `nvidia-ctk runtime configure` command.
+- Remove the unused `Set()` function from engine config API.
+- Add an `EnableCDI()` method to engine config API.
+- Add an `ignore-imex-channel-requests` feature flag. This ensures that the NVIDIA Container Runtime can be configured to ignore IMEX channel requests when these should be managed by another component.
+- Update the `update-ldcache` hook to run the host `ldconfig` from a MEMFD.
+- Add support for CUDA Forward Compatibility (removed by default in v1.17.4) using a dedicated `enable-cuda-compat` hook.  This can be disabled using a `disable-cuda-compat-lib-hook` feature flag.
+- Disable nvsandboxutils in the `nvcdi` API. This prevents a segmentation violation with NVIDIA GPU Drivers from the 565 branch.
+- Fix a bug where `cdi` mode would not work with the `--gpus` flag even if the NVIDIA Container Runtime was used.
+
+### Changes in the Toolkit Container
+
+- Enable CDI in container engine (Containerd, Cri-o, Docker) if CDI_ENABLED is set.
+- Bump CUDA base image version to 12.8.0
+
 ## v1.17.4
 - Disable mounting of compat libs from container by default
 - Add allow-cuda-compat-libs-from-container feature flag

Makefile

@@ -90,43 +90,24 @@ goimports:
 lint:
 	golangci-lint run ./...
 
-vendor:  | mod-tidy mod-vendor mod-verify
-
-mod-tidy:
-	@for mod in $$(find . -name go.mod -not -path "./testdata/*" -not -path "./third_party/*"); do \
-	    echo "Tidying $$mod..."; ( \
-	        cd $$(dirname $$mod) && go mod tidy \
-            ) || exit 1; \
-	done
-
-mod-vendor:
-	@for mod in $$(find . -name go.mod -not -path "./testdata/*" -not -path "./third_party/*" -not -path "./deployments/*"); do \
-		echo "Vendoring $$mod..."; ( \
-			cd $$(dirname $$mod) && go mod vendor \
-			) || exit 1; \
-	done
-
-mod-verify:
-	@for mod in $$(find . -name go.mod -not -path "./testdata/*" -not -path "./third_party/*"); do \
-	    echo "Verifying $$mod..."; ( \
-	        cd $$(dirname $$mod) && go mod verify | sed 's/^/  /g' \
-	    ) || exit 1; \
-	done
-
+vendor:
+	go mod tidy
+	go mod vendor
+	go mod verify
 
 check-vendor: vendor
-	git diff --exit-code HEAD -- go.mod go.sum vendor
+	git diff --quiet HEAD -- go.mod go.sum vendor
 
 licenses:
 	go-licenses csv $(MODULE)/...
 
 COVERAGE_FILE := coverage.out
 test: build cmds
-	go test -coverprofile=$(COVERAGE_FILE).with-mocks $(MODULE)/...
+	go test -coverprofile=$(COVERAGE_FILE) $(MODULE)/...
 
 coverage: test
-	cat $(COVERAGE_FILE).with-mocks | grep -v "_mock.go" > $(COVERAGE_FILE)
-	go tool cover -func=$(COVERAGE_FILE)
+	cat $(COVERAGE_FILE) | grep -v "_mock.go" > $(COVERAGE_FILE).no-mocks
+	go tool cover -func=$(COVERAGE_FILE).no-mocks
 
 generate:
 	go generate $(MODULE)/...

SECURITY.md

@@ -1,24 +0,0 @@
-# Security
-
-NVIDIA is dedicated to the security and trust of our software products and services, including all source code repositories managed through our organization.
-
-If you need to report a security issue, please use the appropriate contact points outlined below. **Please do not report security vulnerabilities through GitHub.**
-
-## Reporting Potential Security Vulnerability in an NVIDIA Product
-
-To report a potential security vulnerability in any NVIDIA product:
-- Web: [Security Vulnerability Submission Form](https://www.nvidia.com/object/submit-security-vulnerability.html)
-- E-Mail: psirt@nvidia.com
-    - We encourage you to use the following PGP key for secure email communication: [NVIDIA public PGP Key for communication](https://www.nvidia.com/en-us/security/pgp-key)
-    - Please include the following information:
-        - Product/Driver name and version/branch that contains the vulnerability
-     - Type of vulnerability (code execution, denial of service, buffer overflow, etc.)
-        - Instructions to reproduce the vulnerability
-        - Proof-of-concept or exploit code
-        - Potential impact of the vulnerability, including how an attacker could exploit the vulnerability
-
-While NVIDIA currently does not have a bug bounty program, we do offer acknowledgement when an externally reported security issue is addressed under our coordinated vulnerability disclosure policy. Please visit our [Product Security Incident Response Team (PSIRT)](https://www.nvidia.com/en-us/security/psirt-policies/) policies page for more information.
-
-## NVIDIA Product Security
-
-For all security-related concerns, please visit NVIDIA's Product Security portal at https://www.nvidia.com/en-us/security

cmd/nvidia-cdi-hook/commands/commands.go

@@ -22,7 +22,6 @@ import (
 	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/chmod"
 	symlinks "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/create-symlinks"
 	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/cudacompat"
-	disabledevicenodemodification "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/disable-device-node-modification"
 	ldcache "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/update-ldcache"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 )
@@ -35,19 +34,5 @@ func New(logger logger.Interface) []*cli.Command {
 		symlinks.NewCommand(logger),
 		chmod.NewCommand(logger),
 		cudacompat.NewCommand(logger),
-		disabledevicenodemodification.NewCommand(logger),
-	}
-}
-
-// IssueUnsupportedHookWarning logs a warning that no hook or an unsupported
-// hook has been specified.
-// This happens if a subcommand is provided that does not match one of the
-// subcommands that has been explicitly specified.
-func IssueUnsupportedHookWarning(logger logger.Interface, c *cli.Context) {
-	args := c.Args().Slice()
-	if len(args) == 0 {
-		logger.Warningf("No CDI hook specified")
-	} else {
-		logger.Warningf("Unsupported CDI hook: %v", args[0])
 	}
 }

cmd/nvidia-cdi-hook/cudacompat/cudacompat.go

@@ -199,7 +199,7 @@ func (m command) createLdsoconfdFile(in containerRoot, pattern string, dirs ...s
 		if added[dir] {
 			continue
 		}
-		_, err = fmt.Fprintf(configFile, "%s\n", dir)
+		_, err = configFile.WriteString(fmt.Sprintf("%s\n", dir))
 		if err != nil {
 			return fmt.Errorf("failed to update config file: %w", err)
 		}

cmd/nvidia-cdi-hook/disable-device-node-modification/disable-device-node-modification.go

@@ -1,144 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package disabledevicenodemodification
-
-import (
-	"bufio"
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"github.com/urfave/cli/v2"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
-)
-
-const (
-	nvidiaDriverParamsPath = "/proc/driver/nvidia/params"
-)
-
-type options struct {
-	containerSpec string
-}
-
-// NewCommand constructs an disable-device-node-modification subcommand with the specified logger
-func NewCommand(logger logger.Interface) *cli.Command {
-	cfg := options{}
-
-	c := cli.Command{
-		Name:  "disable-device-node-modification",
-		Usage: "Ensure that the /proc/driver/nvidia/params file present in the container does not allow device node modifications.",
-		Before: func(c *cli.Context) error {
-			return validateFlags(c, &cfg)
-		},
-		Action: func(c *cli.Context) error {
-			return run(c, &cfg)
-		},
-	}
-
-	c.Flags = []cli.Flag{
-		&cli.StringFlag{
-			Name:        "container-spec",
-			Hidden:      true,
-			Usage:       "Specify the path to the OCI container spec. If empty or '-' the spec will be read from STDIN",
-			Destination: &cfg.containerSpec,
-		},
-	}
-
-	return &c
-}
-
-func validateFlags(c *cli.Context, cfg *options) error {
-	return nil
-}
-
-func run(_ *cli.Context, cfg *options) error {
-	modifiedParamsFileContents, err := getModifiedNVIDIAParamsContents()
-	if err != nil {
-		return fmt.Errorf("failed to get modified params file contents: %w", err)
-	}
-	if len(modifiedParamsFileContents) == 0 {
-		return nil
-	}
-
-	s, err := oci.LoadContainerState(cfg.containerSpec)
-	if err != nil {
-		return fmt.Errorf("failed to load container state: %w", err)
-	}
-
-	containerRootDirPath, err := s.GetContainerRoot()
-	if err != nil {
-		return fmt.Errorf("failed to determined container root: %w", err)
-	}
-
-	return createParamsFileInContainer(containerRootDirPath, modifiedParamsFileContents)
-}
-
-func getModifiedNVIDIAParamsContents() ([]byte, error) {
-	hostNvidiaParamsFile, err := os.Open(nvidiaDriverParamsPath)
-	if errors.Is(err, os.ErrNotExist) {
-		return nil, nil
-	}
-	if err != nil {
-		return nil, fmt.Errorf("failed to load params file: %w", err)
-	}
-	defer hostNvidiaParamsFile.Close()
-
-	modifiedContents, err := getModifiedParamsFileContentsFromReader(hostNvidiaParamsFile)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get modfied params file contents: %w", err)
-	}
-
-	return modifiedContents, nil
-}
-
-// getModifiedParamsFileContentsFromReader returns the contents of a modified params file from the specified reader.
-func getModifiedParamsFileContentsFromReader(r io.Reader) ([]byte, error) {
-	var modified bytes.Buffer
-	scanner := bufio.NewScanner(r)
-
-	var requiresModification bool
-	for scanner.Scan() {
-		line := scanner.Text()
-		if strings.HasPrefix(line, "ModifyDeviceFiles: ") {
-			if line == "ModifyDeviceFiles: 0" {
-				return nil, nil
-			}
-			if line == "ModifyDeviceFiles: 1" {
-				line = "ModifyDeviceFiles: 0"
-				requiresModification = true
-			}
-		}
-		if _, err := modified.WriteString(line + "\n"); err != nil {
-			return nil, fmt.Errorf("failed to create output buffer: %w", err)
-		}
-	}
-	if err := scanner.Err(); err != nil {
-		return nil, fmt.Errorf("failed to read params file: %w", err)
-	}
-
-	if !requiresModification {
-		return nil, nil
-	}
-
-	return modified.Bytes(), nil
-}

cmd/nvidia-cdi-hook/disable-device-node-modification/disable-device-node-modification_test.go

@@ -1,91 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package disabledevicenodemodification
-
-import (
-	"bytes"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestGetModifiedParamsFileContentsFromReader(t *testing.T) {
-	testCases := map[string]struct {
-		contents         []byte
-		expectedError    error
-		expectedContents []byte
-	}{
-		"no contents": {
-			contents:         nil,
-			expectedError:    nil,
-			expectedContents: nil,
-		},
-		"other contents are ignored": {
-			contents: []byte(`# Some other content
-			that we don't care about
-			`),
-			expectedError:    nil,
-			expectedContents: nil,
-		},
-		"already zero requires no modification": {
-			contents:         []byte("ModifyDeviceFiles: 0"),
-			expectedError:    nil,
-			expectedContents: nil,
-		},
-		"leading spaces require no modification": {
-			contents: []byte("  ModifyDeviceFiles: 1"),
-		},
-		"Trailing spaces require no modification": {
-			contents: []byte("ModifyDeviceFiles: 1  "),
-		},
-		"Not 1 require no modification": {
-			contents: []byte("ModifyDeviceFiles: 11"),
-		},
-		"single line requires modification": {
-			contents:         []byte("ModifyDeviceFiles: 1"),
-			expectedError:    nil,
-			expectedContents: []byte("ModifyDeviceFiles: 0\n"),
-		},
-		"single line with trailing newline requires modification": {
-			contents:         []byte("ModifyDeviceFiles: 1\n"),
-			expectedError:    nil,
-			expectedContents: []byte("ModifyDeviceFiles: 0\n"),
-		},
-		"other content is maintained": {
-			contents: []byte(`ModifyDeviceFiles: 1
-			other content
-			that
-			is maintained`),
-			expectedError: nil,
-			expectedContents: []byte(`ModifyDeviceFiles: 0
-			other content
-			that
-			is maintained
-`),
-		},
-	}
-
-	for description, tc := range testCases {
-		t.Run(description, func(t *testing.T) {
-			contents, err := getModifiedParamsFileContentsFromReader(bytes.NewReader(tc.contents))
-			require.EqualValues(t, tc.expectedError, err)
-			require.EqualValues(t, string(tc.expectedContents), string(contents))
-		})
-	}
-
-}

cmd/nvidia-cdi-hook/disable-device-node-modification/params_linux.go

@@ -1,63 +0,0 @@
-//go:build linux
-
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package disabledevicenodemodification
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-
-	"github.com/opencontainers/runc/libcontainer/utils"
-	"golang.org/x/sys/unix"
-)
-
-func createParamsFileInContainer(containerRootDirPath string, contents []byte) error {
-	tmpRoot, err := os.MkdirTemp("", "nvct-empty-dir*")
-	if err != nil {
-		return fmt.Errorf("failed to create temp root: %w", err)
-	}
-
-	if err := createTmpFs(tmpRoot, len(contents)); err != nil {
-		return fmt.Errorf("failed to create tmpfs mount for params file: %w", err)
-	}
-
-	modifiedParamsFile, err := os.OpenFile(filepath.Join(tmpRoot, "nvct-params"), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0444)
-	if err != nil {
-		return fmt.Errorf("failed to open modified params file: %w", err)
-	}
-	defer modifiedParamsFile.Close()
-
-	if _, err := modifiedParamsFile.Write(contents); err != nil {
-		return fmt.Errorf("failed to write temporary params file: %w", err)
-	}
-
-	err = utils.WithProcfd(containerRootDirPath, nvidiaDriverParamsPath, func(nvidiaDriverParamsFdPath string) error {
-		return unix.Mount(modifiedParamsFile.Name(), nvidiaDriverParamsFdPath, "", unix.MS_BIND|unix.MS_RDONLY|unix.MS_NODEV|unix.MS_PRIVATE|unix.MS_NOSYMFOLLOW, "")
-	})
-	if err != nil {
-		return fmt.Errorf("failed to mount modified params file: %w", err)
-	}
-
-	return nil
-}
-
-func createTmpFs(target string, size int) error {
-	return unix.Mount("tmpfs", target, "tmpfs", 0, fmt.Sprintf("size=%d", size))
-}

cmd/nvidia-cdi-hook/disable-device-node-modification/params_other.go

@@ -1,27 +0,0 @@
-//go:build !linux
-// +build !linux
-
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package disabledevicenodemodification
-
-import "fmt"
-
-func createParamsFileInContainer(containerRootDirPath string, contents []byte) error {
-	return fmt.Errorf("not supported")
-}

cmd/nvidia-cdi-hook/main.go

@@ -51,18 +51,6 @@ func main() {
 	c.Usage = "Command to structure files for usage inside a container, called as hooks from a container runtime, defined in a CDI yaml file"
 	c.Version = info.GetVersionString()
 
-	// We set the default action for the `nvidia-cdi-hook` command to issue a
-	// warning and exit with no error.
-	// This means that if an unsupported hook is run, a container will not fail
-	// to launch. An unsupported hook could be the result of a CDI specification
-	// referring to a new hook that is not yet supported by an older NVIDIA
-	// Container Toolkit version or a hook that has been removed in newer
-	// version.
-	c.Action = func(ctx *cli.Context) error {
-		commands.IssueUnsupportedHookWarning(logger, ctx)
-		return nil
-	}
-
 	// Setup the flags for this command
 	c.Flags = []cli.Flag{
 		&cli.BoolFlag{

cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go

@@ -24,7 +24,7 @@ import (
 	"strconv"
 	"syscall"
 
-	"github.com/opencontainers/runc/libcontainer/exeseal"
+	"github.com/opencontainers/runc/libcontainer/dmz"
 )
 
 // SafeExec attempts to clone the specified binary (as an memfd, for example) before executing it.
@@ -54,5 +54,5 @@ func cloneBinary(path string) (*os.File, error) {
 	}
 	size := stat.Size()
 
-	return exeseal.CloneBinary(exe, size, path, os.TempDir())
+	return dmz.CloneBinary(exe, size, path, os.TempDir())
 }

cmd/nvidia-container-runtime-hook/container_config.go

@@ -13,6 +13,10 @@ import (
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config/image"
 )
 
+const (
+	capSysAdmin = "CAP_SYS_ADMIN"
+)
+
 type nvidiaConfig struct {
 	Devices            []string
 	MigConfigDevices   string
@@ -99,9 +103,9 @@ func loadSpec(path string) (spec *Spec) {
 	return
 }
 
-func (s *Spec) GetCapabilities() []string {
-	if s == nil || s.Process == nil || s.Process.Capabilities == nil {
-		return nil
+func isPrivileged(s *Spec) bool {
+	if s.Process.Capabilities == nil {
+		return false
 	}
 
 	var caps []string
@@ -114,22 +118,67 @@ func (s *Spec) GetCapabilities() []string {
 		if err != nil {
 			log.Panicln("could not decode Process.Capabilities in OCI spec:", err)
 		}
-		return caps
+		for _, c := range caps {
+			if c == capSysAdmin {
+				return true
+			}
+		}
+		return false
 	}
 
 	// Otherwise, parse s.Process.Capabilities as:
 	// github.com/opencontainers/runtime-spec/blob/v1.0.0/specs-go/config.go#L30-L54
-	capabilities := specs.LinuxCapabilities{}
-	err := json.Unmarshal(*s.Process.Capabilities, &capabilities)
+	process := specs.Process{
+		Env: s.Process.Env,
+	}
+
+	err := json.Unmarshal(*s.Process.Capabilities, &process.Capabilities)
 	if err != nil {
 		log.Panicln("could not decode Process.Capabilities in OCI spec:", err)
 	}
 
-	return image.OCISpecCapabilities(capabilities).GetCapabilities()
+	fullSpec := specs.Spec{
+		Version: *s.Version,
+		Process: &process,
+	}
+
+	return image.IsPrivileged(&fullSpec)
 }
 
-func isPrivileged(s *Spec) bool {
-	return image.IsPrivileged(s)
+func getDevicesFromEnvvar(containerImage image.CUDA, swarmResourceEnvvars []string) []string {
+	// We check if the image has at least one of the Swarm resource envvars defined and use this
+	// if specified.
+	for _, envvar := range swarmResourceEnvvars {
+		if containerImage.HasEnvvar(envvar) {
+			return containerImage.DevicesFromEnvvars(swarmResourceEnvvars...).List()
+		}
+	}
+
+	return containerImage.VisibleDevicesFromEnvVar()
+}
+
+func (hookConfig *hookConfig) getDevices(image image.CUDA, privileged bool) []string {
+	// If enabled, try and get the device list from volume mounts first
+	if hookConfig.AcceptDeviceListAsVolumeMounts {
+		devices := image.VisibleDevicesFromMounts()
+		if len(devices) > 0 {
+			return devices
+		}
+	}
+
+	// Fallback to reading from the environment variable if privileges are correct
+	devices := getDevicesFromEnvvar(image, hookConfig.getSwarmResourceEnvvars())
+	if len(devices) == 0 {
+		return nil
+	}
+	if privileged || hookConfig.AcceptEnvvarUnprivileged {
+		return devices
+	}
+
+	configName := hookConfig.getConfigOption("AcceptEnvvarUnprivileged")
+	log.Printf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES (privileged=%v, %v=%v) ", privileged, configName, hookConfig.AcceptEnvvarUnprivileged)
+
+	return nil
 }
 
 func getMigConfigDevices(i image.CUDA) *string {
@@ -176,6 +225,7 @@ func (hookConfig *hookConfig) getDriverCapabilities(cudaImage image.CUDA, legacy
 	// We use the default driver capabilities by default. This is filtered to only include the
 	// supported capabilities
 	supportedDriverCapabilities := image.NewDriverCapabilities(hookConfig.SupportedDriverCapabilities)
+
 	capabilities := supportedDriverCapabilities.Intersection(image.DefaultDriverCapabilities)
 
 	capsEnvSpecified := cudaImage.HasEnvvar(image.EnvVarNvidiaDriverCapabilities)
@@ -201,7 +251,7 @@ func (hookConfig *hookConfig) getDriverCapabilities(cudaImage image.CUDA, legacy
 func (hookConfig *hookConfig) getNvidiaConfig(image image.CUDA, privileged bool) *nvidiaConfig {
 	legacyImage := image.IsLegacy()
 
-	devices := image.VisibleDevices()
+	devices := hookConfig.getDevices(image, privileged)
 	if len(devices) == 0 {
 		// empty devices means this is not a GPU container.
 		return nil
@@ -256,25 +306,20 @@ func (hookConfig *hookConfig) getContainerConfig() (config containerConfig) {
 
 	s := loadSpec(path.Join(b, "config.json"))
 
-	privileged := isPrivileged(s)
-
-	i, err := image.New(
+	image, err := image.New(
 		image.WithEnv(s.Process.Env),
 		image.WithMounts(s.Mounts),
-		image.WithPrivileged(privileged),
 		image.WithDisableRequire(hookConfig.DisableRequire),
-		image.WithAcceptDeviceListAsVolumeMounts(hookConfig.AcceptDeviceListAsVolumeMounts),
-		image.WithAcceptEnvvarUnprivileged(hookConfig.AcceptEnvvarUnprivileged),
-		image.WithPreferredVisibleDevicesEnvVars(hookConfig.getSwarmResourceEnvvars()...),
 	)
 	if err != nil {
 		log.Panicln(err)
 	}
 
+	privileged := isPrivileged(s)
 	return containerConfig{
 		Pid:    h.Pid,
 		Rootfs: s.Root.Path,
-		Image:  i,
-		Nvidia: hookConfig.getNvidiaConfig(i, privileged),
+		Image:  image,
+		Nvidia: hookConfig.getNvidiaConfig(image, privileged),
 	}
 }

cmd/nvidia-container-runtime-hook/container_config_test.go

@@ -1,8 +1,10 @@
 package main
 
 import (
+	"path/filepath"
 	"testing"
 
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/require"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
@@ -477,10 +479,7 @@ func TestGetNvidiaConfig(t *testing.T) {
 		t.Run(tc.description, func(t *testing.T) {
 			image, _ := image.New(
 				image.WithEnvMap(tc.env),
-				image.WithPrivileged(tc.privileged),
-				image.WithPreferredVisibleDevicesEnvVars(tc.hookConfig.getSwarmResourceEnvvars()...),
 			)
-
 			// Wrap the call to getNvidiaConfig() in a closure.
 			var cfg *nvidiaConfig
 			getConfig := func() {
@@ -519,6 +518,340 @@ func TestGetNvidiaConfig(t *testing.T) {
 	}
 }
 
+func TestDeviceListSourcePriority(t *testing.T) {
+	var tests = []struct {
+		description        string
+		mountDevices       []specs.Mount
+		envvarDevices      string
+		privileged         bool
+		acceptUnprivileged bool
+		acceptMounts       bool
+		expectedDevices    []string
+	}{
+		{
+			description: "Mount devices, unprivileged, no accept unprivileged",
+			mountDevices: []specs.Mount{
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(image.DeviceListAsVolumeMountsRoot, "GPU0"),
+				},
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(image.DeviceListAsVolumeMountsRoot, "GPU1"),
+				},
+			},
+			envvarDevices:      "GPU2,GPU3",
+			privileged:         false,
+			acceptUnprivileged: false,
+			acceptMounts:       true,
+			expectedDevices:    []string{"GPU0", "GPU1"},
+		},
+		{
+			description:        "No mount devices, unprivileged, no accept unprivileged",
+			mountDevices:       nil,
+			envvarDevices:      "GPU0,GPU1",
+			privileged:         false,
+			acceptUnprivileged: false,
+			acceptMounts:       true,
+			expectedDevices:    nil,
+		},
+		{
+			description:        "No mount devices, privileged, no accept unprivileged",
+			mountDevices:       nil,
+			envvarDevices:      "GPU0,GPU1",
+			privileged:         true,
+			acceptUnprivileged: false,
+			acceptMounts:       true,
+			expectedDevices:    []string{"GPU0", "GPU1"},
+		},
+		{
+			description:        "No mount devices, unprivileged, accept unprivileged",
+			mountDevices:       nil,
+			envvarDevices:      "GPU0,GPU1",
+			privileged:         false,
+			acceptUnprivileged: true,
+			acceptMounts:       true,
+			expectedDevices:    []string{"GPU0", "GPU1"},
+		},
+		{
+			description: "Mount devices, unprivileged, accept unprivileged, no accept mounts",
+			mountDevices: []specs.Mount{
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(image.DeviceListAsVolumeMountsRoot, "GPU0"),
+				},
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(image.DeviceListAsVolumeMountsRoot, "GPU1"),
+				},
+			},
+			envvarDevices:      "GPU2,GPU3",
+			privileged:         false,
+			acceptUnprivileged: true,
+			acceptMounts:       false,
+			expectedDevices:    []string{"GPU2", "GPU3"},
+		},
+		{
+			description: "Mount devices, unprivileged, no accept unprivileged, no accept mounts",
+			mountDevices: []specs.Mount{
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(image.DeviceListAsVolumeMountsRoot, "GPU0"),
+				},
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(image.DeviceListAsVolumeMountsRoot, "GPU1"),
+				},
+			},
+			envvarDevices:      "GPU2,GPU3",
+			privileged:         false,
+			acceptUnprivileged: false,
+			acceptMounts:       false,
+			expectedDevices:    nil,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.description, func(t *testing.T) {
+			// Wrap the call to getDevices() in a closure.
+			var devices []string
+			getDevices := func() {
+				image, _ := image.New(
+					image.WithEnvMap(
+						map[string]string{
+							image.EnvVarNvidiaVisibleDevices: tc.envvarDevices,
+						},
+					),
+					image.WithMounts(tc.mountDevices),
+				)
+				defaultConfig, _ := config.GetDefault()
+				cfg := &hookConfig{defaultConfig}
+				cfg.AcceptEnvvarUnprivileged = tc.acceptUnprivileged
+				cfg.AcceptDeviceListAsVolumeMounts = tc.acceptMounts
+				devices = cfg.getDevices(image, tc.privileged)
+			}
+
+			// For all other tests, just grab the devices and check the results
+			getDevices()
+
+			require.Equal(t, tc.expectedDevices, devices)
+		})
+	}
+}
+
+func TestGetDevicesFromEnvvar(t *testing.T) {
+	envDockerResourceGPUs := "DOCKER_RESOURCE_GPUS"
+	gpuID := "GPU-12345"
+	anotherGPUID := "GPU-67890"
+	thirdGPUID := "MIG-12345"
+
+	var tests = []struct {
+		description          string
+		swarmResourceEnvvars []string
+		env                  map[string]string
+		expectedDevices      []string
+	}{
+		{
+			description: "empty env returns nil for non-legacy image",
+		},
+		{
+			description: "blank NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: "",
+			},
+		},
+		{
+			description: "'void' NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: "void",
+			},
+		},
+		{
+			description: "'none' NVIDIA_VISIBLE_DEVICES returns empty for non-legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: "none",
+			},
+			expectedDevices: []string{""},
+		},
+		{
+			description: "NVIDIA_VISIBLE_DEVICES set returns value for non-legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: gpuID,
+			},
+			expectedDevices: []string{gpuID},
+		},
+		{
+			description: "NVIDIA_VISIBLE_DEVICES set returns value for legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: gpuID,
+				image.EnvVarCudaVersion:          "legacy",
+			},
+			expectedDevices: []string{gpuID},
+		},
+		{
+			description: "empty env returns all for legacy image",
+			env: map[string]string{
+				image.EnvVarCudaVersion: "legacy",
+			},
+			expectedDevices: []string{"all"},
+		},
+		// Add the `DOCKER_RESOURCE_GPUS` envvar and ensure that this is ignored when
+		// not enabled
+		{
+			description: "missing NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
+			env: map[string]string{
+				envDockerResourceGPUs: anotherGPUID,
+			},
+		},
+		{
+			description: "blank NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: "",
+				envDockerResourceGPUs:            anotherGPUID,
+			},
+		},
+		{
+			description: "'void' NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: "void",
+				envDockerResourceGPUs:            anotherGPUID,
+			},
+		},
+		{
+			description: "'none' NVIDIA_VISIBLE_DEVICES returns empty for non-legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: "none",
+				envDockerResourceGPUs:            anotherGPUID,
+			},
+			expectedDevices: []string{""},
+		},
+		{
+			description: "NVIDIA_VISIBLE_DEVICES set returns value for non-legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: gpuID,
+				envDockerResourceGPUs:            anotherGPUID,
+			},
+			expectedDevices: []string{gpuID},
+		},
+		{
+			description: "NVIDIA_VISIBLE_DEVICES set returns value for legacy image",
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: gpuID,
+				envDockerResourceGPUs:            anotherGPUID,
+				image.EnvVarCudaVersion:          "legacy",
+			},
+			expectedDevices: []string{gpuID},
+		},
+		{
+			description: "empty env returns all for legacy image",
+			env: map[string]string{
+				envDockerResourceGPUs:   anotherGPUID,
+				image.EnvVarCudaVersion: "legacy",
+			},
+			expectedDevices: []string{"all"},
+		},
+		// Add the `DOCKER_RESOURCE_GPUS` envvar and ensure that this is selected when
+		// enabled
+		{
+			description:          "empty env returns nil for non-legacy image",
+			swarmResourceEnvvars: []string{envDockerResourceGPUs},
+		},
+		{
+			description:          "blank DOCKER_RESOURCE_GPUS returns nil for non-legacy image",
+			swarmResourceEnvvars: []string{envDockerResourceGPUs},
+			env: map[string]string{
+				envDockerResourceGPUs: "",
+			},
+		},
+		{
+			description:          "'void' DOCKER_RESOURCE_GPUS returns nil for non-legacy image",
+			swarmResourceEnvvars: []string{envDockerResourceGPUs},
+			env: map[string]string{
+				envDockerResourceGPUs: "void",
+			},
+		},
+		{
+			description:          "'none' DOCKER_RESOURCE_GPUS returns empty for non-legacy image",
+			swarmResourceEnvvars: []string{envDockerResourceGPUs},
+			env: map[string]string{
+				envDockerResourceGPUs: "none",
+			},
+			expectedDevices: []string{""},
+		},
+		{
+			description:          "DOCKER_RESOURCE_GPUS set returns value for non-legacy image",
+			swarmResourceEnvvars: []string{envDockerResourceGPUs},
+			env: map[string]string{
+				envDockerResourceGPUs: gpuID,
+			},
+			expectedDevices: []string{gpuID},
+		},
+		{
+			description:          "DOCKER_RESOURCE_GPUS set returns value for legacy image",
+			swarmResourceEnvvars: []string{envDockerResourceGPUs},
+			env: map[string]string{
+				envDockerResourceGPUs:   gpuID,
+				image.EnvVarCudaVersion: "legacy",
+			},
+			expectedDevices: []string{gpuID},
+		},
+		{
+			description:          "DOCKER_RESOURCE_GPUS is selected if present",
+			swarmResourceEnvvars: []string{envDockerResourceGPUs},
+			env: map[string]string{
+				envDockerResourceGPUs: anotherGPUID,
+			},
+			expectedDevices: []string{anotherGPUID},
+		},
+		{
+			description:          "DOCKER_RESOURCE_GPUS overrides NVIDIA_VISIBLE_DEVICES if present",
+			swarmResourceEnvvars: []string{envDockerResourceGPUs},
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices: gpuID,
+				envDockerResourceGPUs:            anotherGPUID,
+			},
+			expectedDevices: []string{anotherGPUID},
+		},
+		{
+			description:          "DOCKER_RESOURCE_GPUS_ADDITIONAL overrides NVIDIA_VISIBLE_DEVICES if present",
+			swarmResourceEnvvars: []string{"DOCKER_RESOURCE_GPUS_ADDITIONAL"},
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices:  gpuID,
+				"DOCKER_RESOURCE_GPUS_ADDITIONAL": anotherGPUID,
+			},
+			expectedDevices: []string{anotherGPUID},
+		},
+		{
+			description:          "All available swarm resource envvars are selected and override NVIDIA_VISIBLE_DEVICES if present",
+			swarmResourceEnvvars: []string{"DOCKER_RESOURCE_GPUS", "DOCKER_RESOURCE_GPUS_ADDITIONAL"},
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices:  gpuID,
+				"DOCKER_RESOURCE_GPUS":            thirdGPUID,
+				"DOCKER_RESOURCE_GPUS_ADDITIONAL": anotherGPUID,
+			},
+			expectedDevices: []string{thirdGPUID, anotherGPUID},
+		},
+		{
+			description:          "DOCKER_RESOURCE_GPUS_ADDITIONAL or DOCKER_RESOURCE_GPUS override NVIDIA_VISIBLE_DEVICES if present",
+			swarmResourceEnvvars: []string{"DOCKER_RESOURCE_GPUS", "DOCKER_RESOURCE_GPUS_ADDITIONAL"},
+			env: map[string]string{
+				image.EnvVarNvidiaVisibleDevices:  gpuID,
+				"DOCKER_RESOURCE_GPUS_ADDITIONAL": anotherGPUID,
+			},
+			expectedDevices: []string{anotherGPUID},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.description, func(t *testing.T) {
+			image, _ := image.New(
+				image.WithEnvMap(tc.env),
+			)
+			devices := getDevicesFromEnvvar(image, tc.swarmResourceEnvvars)
+			require.EqualValues(t, tc.expectedDevices, devices)
+		})
+	}
+}
+
 func TestGetDriverCapabilities(t *testing.T) {
 
 	supportedCapabilities := "compute,display,utility,video"

cmd/nvidia-container-runtime-hook/hook_config.go

@@ -88,7 +88,7 @@ func (c hookConfig) getConfigOption(fieldName string) string {
 
 // getSwarmResourceEnvvars returns the swarm resource envvars for the config.
 func (c *hookConfig) getSwarmResourceEnvvars() []string {
-	if c == nil || c.SwarmResource == "" {
+	if c.SwarmResource == "" {
 		return nil
 	}
 

cmd/nvidia-container-runtime-hook/hook_config_test.go

@@ -85,7 +85,7 @@ func TestGetHookConfig(t *testing.T) {
 				configflag = &filename
 
 				for _, line := range tc.lines {
-					_, err := fmt.Fprintf(configFile, "%s\n", line)
+					_, err := configFile.WriteString(fmt.Sprintf("%s\n", line))
 					require.NoError(t, err)
 				}
 			}

cmd/nvidia-container-runtime/README.md

@@ -21,8 +21,8 @@ The `runtimes` config option allows for the low-level runtime to be specified. T
 The default value for this setting is:
 ```toml
 runtimes = [
+    "docker-runc",
     "runc",
-    "crun",
 ]
 ```
 

cmd/nvidia-ctk-installer/main_test.go

@@ -1,455 +0,0 @@
-/**
-# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package main
-
-import (
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	testlog "github.com/sirupsen/logrus/hooks/test"
-	"github.com/stretchr/testify/require"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/test"
-)
-
-func TestApp(t *testing.T) {
-	t.Setenv("__NVCT_TESTING_DEVICES_ARE_FILES", "true")
-	logger, _ := testlog.NewNullLogger()
-
-	moduleRoot, err := test.GetModuleRoot()
-	require.NoError(t, err)
-
-	artifactRoot := filepath.Join(moduleRoot, "testdata", "installer", "artifacts")
-	hostRoot := filepath.Join(moduleRoot, "testdata", "lookup", "rootfs-1")
-
-	testCases := []struct {
-		description           string
-		args                  []string
-		expectedToolkitConfig string
-		expectedRuntimeConfig string
-	}{
-		{
-			description: "no args",
-			expectedToolkitConfig: `accept-nvidia-visible-devices-as-volume-mounts = false
-accept-nvidia-visible-devices-envvar-when-unprivileged = true
-disable-require = false
-supported-driver-capabilities = "compat32,compute,display,graphics,ngx,utility,video"
-swarm-resource = ""
-
-[nvidia-container-cli]
-  debug = ""
-  environment = []
-  ldcache = ""
-  ldconfig = "@/run/nvidia/driver/sbin/ldconfig"
-  load-kmods = true
-  no-cgroups = false
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-cli"
-  root = "/run/nvidia/driver"
-  user = ""
-
-[nvidia-container-runtime]
-  debug = "/dev/null"
-  log-level = "info"
-  mode = "auto"
-  runtimes = ["runc", "crun"]
-
-  [nvidia-container-runtime.modes]
-
-    [nvidia-container-runtime.modes.cdi]
-      annotation-prefixes = ["cdi.k8s.io/"]
-      default-kind = "nvidia.com/gpu"
-      spec-dirs = ["/etc/cdi", "/var/run/cdi"]
-
-    [nvidia-container-runtime.modes.csv]
-      mount-spec-path = "/etc/nvidia-container-runtime/host-files-for-container.d"
-
-    [nvidia-container-runtime.modes.legacy]
-      cuda-compat-mode = "ldconfig"
-
-[nvidia-container-runtime-hook]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime-hook"
-  skip-mode-detection = true
-
-[nvidia-ctk]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-ctk"
-`,
-			expectedRuntimeConfig: `{
-    "default-runtime": "nvidia",
-    "runtimes": {
-        "nvidia": {
-            "args": [],
-            "path": "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime"
-        },
-        "nvidia-cdi": {
-            "args": [],
-            "path": "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.cdi"
-        },
-        "nvidia-legacy": {
-            "args": [],
-            "path": "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.legacy"
-        }
-    }
-}`,
-		},
-		{
-			description: "CDI enabled enables CDI in docker",
-			args:        []string{"--cdi-enabled", "--create-device-nodes=none"},
-			expectedToolkitConfig: `accept-nvidia-visible-devices-as-volume-mounts = false
-accept-nvidia-visible-devices-envvar-when-unprivileged = true
-disable-require = false
-supported-driver-capabilities = "compat32,compute,display,graphics,ngx,utility,video"
-swarm-resource = ""
-
-[nvidia-container-cli]
-  debug = ""
-  environment = []
-  ldcache = ""
-  ldconfig = "@/run/nvidia/driver/sbin/ldconfig"
-  load-kmods = true
-  no-cgroups = false
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-cli"
-  root = "/run/nvidia/driver"
-  user = ""
-
-[nvidia-container-runtime]
-  debug = "/dev/null"
-  log-level = "info"
-  mode = "auto"
-  runtimes = ["runc", "crun"]
-
-  [nvidia-container-runtime.modes]
-
-    [nvidia-container-runtime.modes.cdi]
-      annotation-prefixes = ["cdi.k8s.io/"]
-      default-kind = "nvidia.com/gpu"
-      spec-dirs = ["/etc/cdi", "/var/run/cdi"]
-
-    [nvidia-container-runtime.modes.csv]
-      mount-spec-path = "/etc/nvidia-container-runtime/host-files-for-container.d"
-
-    [nvidia-container-runtime.modes.legacy]
-      cuda-compat-mode = "ldconfig"
-
-[nvidia-container-runtime-hook]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime-hook"
-  skip-mode-detection = true
-
-[nvidia-ctk]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-ctk"
-`,
-			expectedRuntimeConfig: `{
-    "default-runtime": "nvidia",
-    "features": {
-        "cdi": true
-    },
-    "runtimes": {
-        "nvidia": {
-            "args": [],
-            "path": "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime"
-        },
-        "nvidia-cdi": {
-            "args": [],
-            "path": "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.cdi"
-        },
-        "nvidia-legacy": {
-            "args": [],
-            "path": "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.legacy"
-        }
-    }
-}`,
-		},
-		{
-			description: "--enable-cdi-in-runtime=false overrides --cdi-enabled in Docker",
-			args:        []string{"--cdi-enabled", "--create-device-nodes=none", "--enable-cdi-in-runtime=false"},
-			expectedToolkitConfig: `accept-nvidia-visible-devices-as-volume-mounts = false
-accept-nvidia-visible-devices-envvar-when-unprivileged = true
-disable-require = false
-supported-driver-capabilities = "compat32,compute,display,graphics,ngx,utility,video"
-swarm-resource = ""
-
-[nvidia-container-cli]
-  debug = ""
-  environment = []
-  ldcache = ""
-  ldconfig = "@/run/nvidia/driver/sbin/ldconfig"
-  load-kmods = true
-  no-cgroups = false
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-cli"
-  root = "/run/nvidia/driver"
-  user = ""
-
-[nvidia-container-runtime]
-  debug = "/dev/null"
-  log-level = "info"
-  mode = "auto"
-  runtimes = ["runc", "crun"]
-
-  [nvidia-container-runtime.modes]
-
-    [nvidia-container-runtime.modes.cdi]
-      annotation-prefixes = ["cdi.k8s.io/"]
-      default-kind = "nvidia.com/gpu"
-      spec-dirs = ["/etc/cdi", "/var/run/cdi"]
-
-    [nvidia-container-runtime.modes.csv]
-      mount-spec-path = "/etc/nvidia-container-runtime/host-files-for-container.d"
-
-    [nvidia-container-runtime.modes.legacy]
-      cuda-compat-mode = "ldconfig"
-
-[nvidia-container-runtime-hook]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime-hook"
-  skip-mode-detection = true
-
-[nvidia-ctk]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-ctk"
-`,
-			expectedRuntimeConfig: `{
-    "default-runtime": "nvidia",
-    "runtimes": {
-        "nvidia": {
-            "args": [],
-            "path": "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime"
-        },
-        "nvidia-cdi": {
-            "args": [],
-            "path": "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.cdi"
-        },
-        "nvidia-legacy": {
-            "args": [],
-            "path": "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.legacy"
-        }
-    }
-}`,
-		},
-		{
-			description: "CDI enabled enables CDI in containerd",
-			args:        []string{"--cdi-enabled", "--runtime=containerd"},
-			expectedToolkitConfig: `accept-nvidia-visible-devices-as-volume-mounts = false
-accept-nvidia-visible-devices-envvar-when-unprivileged = true
-disable-require = false
-supported-driver-capabilities = "compat32,compute,display,graphics,ngx,utility,video"
-swarm-resource = ""
-
-[nvidia-container-cli]
-  debug = ""
-  environment = []
-  ldcache = ""
-  ldconfig = "@/run/nvidia/driver/sbin/ldconfig"
-  load-kmods = true
-  no-cgroups = false
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-cli"
-  root = "/run/nvidia/driver"
-  user = ""
-
-[nvidia-container-runtime]
-  debug = "/dev/null"
-  log-level = "info"
-  mode = "auto"
-  runtimes = ["runc", "crun"]
-
-  [nvidia-container-runtime.modes]
-
-    [nvidia-container-runtime.modes.cdi]
-      annotation-prefixes = ["cdi.k8s.io/"]
-      default-kind = "nvidia.com/gpu"
-      spec-dirs = ["/etc/cdi", "/var/run/cdi"]
-
-    [nvidia-container-runtime.modes.csv]
-      mount-spec-path = "/etc/nvidia-container-runtime/host-files-for-container.d"
-
-    [nvidia-container-runtime.modes.legacy]
-      cuda-compat-mode = "ldconfig"
-
-[nvidia-container-runtime-hook]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime-hook"
-  skip-mode-detection = true
-
-[nvidia-ctk]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-ctk"
-`,
-			expectedRuntimeConfig: `version = 2
-
-[plugins]
-
-  [plugins."io.containerd.grpc.v1.cri"]
-    enable_cdi = true
-
-    [plugins."io.containerd.grpc.v1.cri".containerd]
-      default_runtime_name = "nvidia"
-
-      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
-
-        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
-          privileged_without_host_devices = false
-          runtime_engine = ""
-          runtime_root = ""
-          runtime_type = "io.containerd.runc.v2"
-
-          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia.options]
-            BinaryName = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime"
-
-        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia-cdi]
-          privileged_without_host_devices = false
-          runtime_engine = ""
-          runtime_root = ""
-          runtime_type = "io.containerd.runc.v2"
-
-          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia-cdi.options]
-            BinaryName = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.cdi"
-
-        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia-legacy]
-          privileged_without_host_devices = false
-          runtime_engine = ""
-          runtime_root = ""
-          runtime_type = "io.containerd.runc.v2"
-
-          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia-legacy.options]
-            BinaryName = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.legacy"
-`,
-		},
-		{
-			description: "--enable-cdi-in-runtime=false overrides --cdi-enabled in containerd",
-			args:        []string{"--cdi-enabled", "--create-device-nodes=none", "--enable-cdi-in-runtime=false", "--runtime=containerd"},
-			expectedToolkitConfig: `accept-nvidia-visible-devices-as-volume-mounts = false
-accept-nvidia-visible-devices-envvar-when-unprivileged = true
-disable-require = false
-supported-driver-capabilities = "compat32,compute,display,graphics,ngx,utility,video"
-swarm-resource = ""
-
-[nvidia-container-cli]
-  debug = ""
-  environment = []
-  ldcache = ""
-  ldconfig = "@/run/nvidia/driver/sbin/ldconfig"
-  load-kmods = true
-  no-cgroups = false
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-cli"
-  root = "/run/nvidia/driver"
-  user = ""
-
-[nvidia-container-runtime]
-  debug = "/dev/null"
-  log-level = "info"
-  mode = "auto"
-  runtimes = ["runc", "crun"]
-
-  [nvidia-container-runtime.modes]
-
-    [nvidia-container-runtime.modes.cdi]
-      annotation-prefixes = ["cdi.k8s.io/"]
-      default-kind = "nvidia.com/gpu"
-      spec-dirs = ["/etc/cdi", "/var/run/cdi"]
-
-    [nvidia-container-runtime.modes.csv]
-      mount-spec-path = "/etc/nvidia-container-runtime/host-files-for-container.d"
-
-    [nvidia-container-runtime.modes.legacy]
-      cuda-compat-mode = "ldconfig"
-
-[nvidia-container-runtime-hook]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime-hook"
-  skip-mode-detection = true
-
-[nvidia-ctk]
-  path = "{{ .toolkitRoot }}/toolkit/nvidia-ctk"
-`,
-			expectedRuntimeConfig: `version = 2
-
-[plugins]
-
-  [plugins."io.containerd.grpc.v1.cri"]
-
-    [plugins."io.containerd.grpc.v1.cri".containerd]
-      default_runtime_name = "nvidia"
-
-      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
-
-        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
-          privileged_without_host_devices = false
-          runtime_engine = ""
-          runtime_root = ""
-          runtime_type = "io.containerd.runc.v2"
-
-          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia.options]
-            BinaryName = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime"
-
-        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia-cdi]
-          privileged_without_host_devices = false
-          runtime_engine = ""
-          runtime_root = ""
-          runtime_type = "io.containerd.runc.v2"
-
-          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia-cdi.options]
-            BinaryName = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.cdi"
-
-        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia-legacy]
-          privileged_without_host_devices = false
-          runtime_engine = ""
-          runtime_root = ""
-          runtime_type = "io.containerd.runc.v2"
-
-          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia-legacy.options]
-            BinaryName = "{{ .toolkitRoot }}/toolkit/nvidia-container-runtime.legacy"
-`,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			testRoot := t.TempDir()
-
-			cdiOutputDir := filepath.Join(testRoot, "/var/run/cdi")
-			runtimeConfigFile := filepath.Join(testRoot, "config.file")
-
-			toolkitRoot := filepath.Join(testRoot, "toolkit-test")
-			toolkitConfigFile := filepath.Join(toolkitRoot, "toolkit/.config/nvidia-container-runtime/config.toml")
-
-			app := NewApp(logger)
-
-			testArgs := []string{
-				"nvidia-ctk-installer",
-				"--toolkit-install-dir=" + toolkitRoot,
-				"--no-daemon",
-				"--cdi-output-dir=" + cdiOutputDir,
-				"--config=" + runtimeConfigFile,
-				"--create-device-nodes=none",
-				"--driver-root-ctr-path=" + hostRoot,
-				"--pid-file=" + filepath.Join(testRoot, "toolkit.pid"),
-				"--restart-mode=none",
-				"--source-root=" + filepath.Join(artifactRoot, "deb"),
-			}
-
-			err := app.Run(append(testArgs, tc.args...))
-
-			require.NoError(t, err)
-
-			require.FileExists(t, toolkitConfigFile)
-			toolkitConfigFileContents, err := os.ReadFile(toolkitConfigFile)
-			require.NoError(t, err)
-			require.EqualValues(t, strings.ReplaceAll(tc.expectedToolkitConfig, "{{ .toolkitRoot }}", toolkitRoot), string(toolkitConfigFileContents))
-
-			require.FileExists(t, runtimeConfigFile)
-			runtimeConfigFileContents, err := os.ReadFile(runtimeConfigFile)
-			require.NoError(t, err)
-			require.EqualValues(t, strings.ReplaceAll(tc.expectedRuntimeConfig, "{{ .toolkitRoot }}", toolkitRoot), string(runtimeConfigFileContents))
-		})
-	}
-
-}

cmd/nvidia-ctk-installer/toolkit/installer/artifact-root.go

@@ -1,85 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package installer
-
-import (
-	"fmt"
-	"path/filepath"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
-)
-
-// An artifactRoot is used as a source for installed artifacts.
-// It is refined by a directory path, a library locator, and an executable locator.
-type artifactRoot struct {
-	path        string
-	libraries   lookup.Locator
-	executables lookup.Locator
-}
-
-func newArtifactRoot(logger logger.Interface, rootDirectoryPath string) (*artifactRoot, error) {
-	relativeLibrarySearchPaths := []string{
-		"/usr/lib64",
-		"/usr/lib/x86_64-linux-gnu",
-		"/usr/lib/aarch64-linux-gnu",
-	}
-	var librarySearchPaths []string
-	for _, l := range relativeLibrarySearchPaths {
-		librarySearchPaths = append(librarySearchPaths, filepath.Join(rootDirectoryPath, l))
-	}
-
-	a := artifactRoot{
-		path: rootDirectoryPath,
-		libraries: lookup.NewLibraryLocator(
-			lookup.WithLogger(logger),
-			lookup.WithCount(1),
-			lookup.WithSearchPaths(librarySearchPaths...),
-		),
-		executables: lookup.NewExecutableLocator(
-			logger,
-			rootDirectoryPath,
-		),
-	}
-
-	return &a, nil
-}
-
-func (r *artifactRoot) findLibrary(name string) (string, error) {
-	candidates, err := r.libraries.Locate(name)
-	if err != nil {
-		return "", fmt.Errorf("error locating library: %w", err)
-	}
-	if len(candidates) == 0 {
-		return "", fmt.Errorf("library %v not found", name)
-	}
-
-	return candidates[0], nil
-}
-
-func (r *artifactRoot) findExecutable(name string) (string, error) {
-	candidates, err := r.executables.Locate(name)
-	if err != nil {
-		return "", fmt.Errorf("error locating executable: %w", err)
-	}
-	if len(candidates) == 0 {
-		return "", fmt.Errorf("executable %v not found", name)
-	}
-
-	return candidates[0], nil
-}

cmd/nvidia-ctk-installer/toolkit/installer/directory.go

@@ -1,47 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package installer
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-)
-
-type createDirectory struct {
-	logger logger.Interface
-}
-
-func (t *toolkitInstaller) createDirectory() Installer {
-	return &createDirectory{
-		logger: t.logger,
-	}
-}
-
-func (d *createDirectory) Install(dir string) error {
-	if dir == "" {
-		return nil
-	}
-	d.logger.Infof("Creating directory '%v'", dir)
-	err := os.MkdirAll(dir, 0755)
-	if err != nil {
-		return fmt.Errorf("error creating directory: %v", err)
-	}
-	return nil
-}

cmd/nvidia-ctk-installer/toolkit/installer/executables.go

@@ -1,184 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package installer
-
-import (
-	"bytes"
-	"fmt"
-	"html/template"
-	"io"
-	"path/filepath"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-ctk-installer/container/operator"
-)
-
-type executable struct {
-	requiresKernelModule bool
-	path                 string
-	symlink              string
-	args                 []string
-	env                  map[string]string
-}
-
-func (t *toolkitInstaller) collectExecutables(destDir string) ([]Installer, error) {
-	configHome := filepath.Join(destDir, ".config")
-	configDir := filepath.Join(configHome, "nvidia-container-runtime")
-	configPath := filepath.Join(configDir, "config.toml")
-
-	executables := []executable{
-		{
-			path: "nvidia-ctk",
-		},
-		{
-			path: "nvidia-cdi-hook",
-		},
-	}
-	for _, runtime := range operator.GetRuntimes() {
-		e := executable{
-			path:                 runtime.Path,
-			requiresKernelModule: true,
-			env: map[string]string{
-				"XDG_CONFIG_HOME": configHome,
-			},
-		}
-		executables = append(executables, e)
-	}
-	executables = append(executables,
-		executable{
-			path: "nvidia-container-cli",
-			env:  map[string]string{"LD_LIBRARY_PATH": destDir + ":$LD_LIBRARY_PATH"},
-		},
-	)
-
-	executables = append(executables,
-		executable{
-			path:    "nvidia-container-runtime-hook",
-			symlink: "nvidia-container-toolkit",
-			args:    []string{fmt.Sprintf("-config %s", configPath)},
-		},
-	)
-
-	var installers []Installer
-	for _, executable := range executables {
-		executablePath, err := t.artifactRoot.findExecutable(executable.path)
-		if err != nil {
-			if t.ignoreErrors {
-				log.Errorf("Ignoring error: %v", err)
-				continue
-			}
-			return nil, err
-		}
-
-		wrappedExecutableFilename := filepath.Base(executablePath)
-		dotRealFilename := wrappedExecutableFilename + ".real"
-
-		w := &wrapper{
-			Source:            executablePath,
-			WrappedExecutable: dotRealFilename,
-			CheckModules:      executable.requiresKernelModule,
-			Args:              executable.args,
-			Envvars: map[string]string{
-				"PATH": strings.Join([]string{destDir, "$PATH"}, ":"),
-			},
-		}
-		for k, v := range executable.env {
-			w.Envvars[k] = v
-		}
-
-		installers = append(installers, w)
-
-		if executable.symlink == "" {
-			continue
-		}
-		link := symlink{
-			linkname: executable.symlink,
-			target:   filepath.Base(executablePath),
-		}
-		installers = append(installers, link)
-	}
-
-	return installers, nil
-
-}
-
-type wrapper struct {
-	Source            string
-	Envvars           map[string]string
-	WrappedExecutable string
-	CheckModules      bool
-	Args              []string
-}
-
-type render struct {
-	*wrapper
-	DestDir string
-}
-
-func (w *wrapper) Install(destDir string) error {
-	// Copy the executable with a .real extension.
-	mode, err := installFile(w.Source, filepath.Join(destDir, w.WrappedExecutable))
-	if err != nil {
-		return err
-	}
-
-	// Create a wrapper file.
-	r := render{
-		wrapper: w,
-		DestDir: destDir,
-	}
-	content, err := r.render()
-	if err != nil {
-		return fmt.Errorf("failed to render wrapper: %w", err)
-	}
-	wrapperFile := filepath.Join(destDir, filepath.Base(w.Source))
-	return installContent(content, wrapperFile, mode|0111)
-}
-
-func (w *render) render() (io.Reader, error) {
-	wrapperTemplate := `#! /bin/sh
-{{- if (.CheckModules) }}
-cat /proc/modules | grep -e "^nvidia " >/dev/null 2>&1
-if [ "${?}" != "0" ]; then
-	echo "nvidia driver modules are not yet loaded, invoking runc directly"
-	exec runc "$@"
-fi
-{{- end }}
-{{- range $key, $value := .Envvars }}
-{{$key}}={{$value}} \
-{{- end }}
-	{{ .DestDir }}/{{ .WrappedExecutable }} \
-{{- range $arg := .Args }}
-		{{$arg}} \
-{{- end }}
-		"$@"
-`
-
-	var content bytes.Buffer
-	tmpl, err := template.New("wrapper").Parse(wrapperTemplate)
-	if err != nil {
-		return nil, err
-	}
-	if err := tmpl.Execute(&content, w); err != nil {
-		return nil, err
-	}
-
-	return &content, nil
-}

cmd/nvidia-ctk-installer/toolkit/installer/executables_test.go

@@ -1,104 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package installer
-
-import (
-	"bytes"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestWrapperRender(t *testing.T) {
-	testCases := []struct {
-		description string
-		w           *wrapper
-		expected    string
-	}{
-		{
-			description: "executable is added",
-			w: &wrapper{
-				WrappedExecutable: "some-runtime",
-			},
-			expected: `#! /bin/sh
-	/dest-dir/some-runtime \
-		"$@"
-`,
-		},
-		{
-			description: "module check is added",
-			w: &wrapper{
-				WrappedExecutable: "some-runtime",
-				CheckModules:      true,
-			},
-			expected: `#! /bin/sh
-cat /proc/modules | grep -e "^nvidia " >/dev/null 2>&1
-if [ "${?}" != "0" ]; then
-	echo "nvidia driver modules are not yet loaded, invoking runc directly"
-	exec runc "$@"
-fi
-	/dest-dir/some-runtime \
-		"$@"
-`,
-		},
-		{
-			description: "environment is added",
-			w: &wrapper{
-				WrappedExecutable: "some-runtime",
-				Envvars: map[string]string{
-					"PATH": "/foo/bar/baz",
-				},
-			},
-			expected: `#! /bin/sh
-PATH=/foo/bar/baz \
-	/dest-dir/some-runtime \
-		"$@"
-`,
-		},
-		{
-			description: "args are added",
-			w: &wrapper{
-				WrappedExecutable: "some-runtime",
-				Args:              []string{"--config foo", "bar"},
-			},
-			expected: `#! /bin/sh
-	/dest-dir/some-runtime \
-		--config foo \
-		bar \
-		"$@"
-`,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			r := render{
-				wrapper: tc.w,
-				DestDir: "/dest-dir",
-			}
-			reader, err := r.render()
-			require.NoError(t, err)
-
-			var content bytes.Buffer
-			_, err = content.ReadFrom(reader)
-			require.NoError(t, err)
-
-			require.Equal(t, tc.expected, content.String())
-		})
-	}
-}

cmd/nvidia-ctk-installer/toolkit/installer/file-installer_mock.go

@@ -1,188 +0,0 @@
-// Code generated by moq; DO NOT EDIT.
-// github.com/matryer/moq
-
-package installer
-
-import (
-	"io"
-	"os"
-	"sync"
-)
-
-// Ensure, that fileInstallerMock does implement fileInstaller.
-// If this is not the case, regenerate this file with moq.
-var _ fileInstaller = &fileInstallerMock{}
-
-// fileInstallerMock is a mock implementation of fileInstaller.
-//
-//	func TestSomethingThatUsesfileInstaller(t *testing.T) {
-//
-//		// make and configure a mocked fileInstaller
-//		mockedfileInstaller := &fileInstallerMock{
-//			installContentFunc: func(reader io.Reader, s string, v os.FileMode) error {
-//				panic("mock out the installContent method")
-//			},
-//			installFileFunc: func(s1 string, s2 string) (os.FileMode, error) {
-//				panic("mock out the installFile method")
-//			},
-//			installSymlinkFunc: func(s1 string, s2 string) error {
-//				panic("mock out the installSymlink method")
-//			},
-//		}
-//
-//		// use mockedfileInstaller in code that requires fileInstaller
-//		// and then make assertions.
-//
-//	}
-type fileInstallerMock struct {
-	// installContentFunc mocks the installContent method.
-	installContentFunc func(reader io.Reader, s string, v os.FileMode) error
-
-	// installFileFunc mocks the installFile method.
-	installFileFunc func(s1 string, s2 string) (os.FileMode, error)
-
-	// installSymlinkFunc mocks the installSymlink method.
-	installSymlinkFunc func(s1 string, s2 string) error
-
-	// calls tracks calls to the methods.
-	calls struct {
-		// installContent holds details about calls to the installContent method.
-		installContent []struct {
-			// Reader is the reader argument value.
-			Reader io.Reader
-			// S is the s argument value.
-			S string
-			// V is the v argument value.
-			V os.FileMode
-		}
-		// installFile holds details about calls to the installFile method.
-		installFile []struct {
-			// S1 is the s1 argument value.
-			S1 string
-			// S2 is the s2 argument value.
-			S2 string
-		}
-		// installSymlink holds details about calls to the installSymlink method.
-		installSymlink []struct {
-			// S1 is the s1 argument value.
-			S1 string
-			// S2 is the s2 argument value.
-			S2 string
-		}
-	}
-	lockinstallContent sync.RWMutex
-	lockinstallFile    sync.RWMutex
-	lockinstallSymlink sync.RWMutex
-}
-
-// installContent calls installContentFunc.
-func (mock *fileInstallerMock) installContent(reader io.Reader, s string, v os.FileMode) error {
-	if mock.installContentFunc == nil {
-		panic("fileInstallerMock.installContentFunc: method is nil but fileInstaller.installContent was just called")
-	}
-	callInfo := struct {
-		Reader io.Reader
-		S      string
-		V      os.FileMode
-	}{
-		Reader: reader,
-		S:      s,
-		V:      v,
-	}
-	mock.lockinstallContent.Lock()
-	mock.calls.installContent = append(mock.calls.installContent, callInfo)
-	mock.lockinstallContent.Unlock()
-	return mock.installContentFunc(reader, s, v)
-}
-
-// installContentCalls gets all the calls that were made to installContent.
-// Check the length with:
-//
-//	len(mockedfileInstaller.installContentCalls())
-func (mock *fileInstallerMock) installContentCalls() []struct {
-	Reader io.Reader
-	S      string
-	V      os.FileMode
-} {
-	var calls []struct {
-		Reader io.Reader
-		S      string
-		V      os.FileMode
-	}
-	mock.lockinstallContent.RLock()
-	calls = mock.calls.installContent
-	mock.lockinstallContent.RUnlock()
-	return calls
-}
-
-// installFile calls installFileFunc.
-func (mock *fileInstallerMock) installFile(s1 string, s2 string) (os.FileMode, error) {
-	if mock.installFileFunc == nil {
-		panic("fileInstallerMock.installFileFunc: method is nil but fileInstaller.installFile was just called")
-	}
-	callInfo := struct {
-		S1 string
-		S2 string
-	}{
-		S1: s1,
-		S2: s2,
-	}
-	mock.lockinstallFile.Lock()
-	mock.calls.installFile = append(mock.calls.installFile, callInfo)
-	mock.lockinstallFile.Unlock()
-	return mock.installFileFunc(s1, s2)
-}
-
-// installFileCalls gets all the calls that were made to installFile.
-// Check the length with:
-//
-//	len(mockedfileInstaller.installFileCalls())
-func (mock *fileInstallerMock) installFileCalls() []struct {
-	S1 string
-	S2 string
-} {
-	var calls []struct {
-		S1 string
-		S2 string
-	}
-	mock.lockinstallFile.RLock()
-	calls = mock.calls.installFile
-	mock.lockinstallFile.RUnlock()
-	return calls
-}
-
-// installSymlink calls installSymlinkFunc.
-func (mock *fileInstallerMock) installSymlink(s1 string, s2 string) error {
-	if mock.installSymlinkFunc == nil {
-		panic("fileInstallerMock.installSymlinkFunc: method is nil but fileInstaller.installSymlink was just called")
-	}
-	callInfo := struct {
-		S1 string
-		S2 string
-	}{
-		S1: s1,
-		S2: s2,
-	}
-	mock.lockinstallSymlink.Lock()
-	mock.calls.installSymlink = append(mock.calls.installSymlink, callInfo)
-	mock.lockinstallSymlink.Unlock()
-	return mock.installSymlinkFunc(s1, s2)
-}
-
-// installSymlinkCalls gets all the calls that were made to installSymlink.
-// Check the length with:
-//
-//	len(mockedfileInstaller.installSymlinkCalls())
-func (mock *fileInstallerMock) installSymlinkCalls() []struct {
-	S1 string
-	S2 string
-} {
-	var calls []struct {
-		S1 string
-		S2 string
-	}
-	mock.lockinstallSymlink.RLock()
-	calls = mock.calls.installSymlink
-	mock.lockinstallSymlink.RUnlock()
-	return calls
-}

cmd/nvidia-ctk-installer/toolkit/installer/installer.go

@@ -1,168 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package installer
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"io/fs"
-	"os"
-	"path/filepath"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-)
-
-//go:generate moq -rm -fmt=goimports -out installer_mock.go . Installer
-type Installer interface {
-	Install(string) error
-}
-
-type toolkitInstaller struct {
-	logger       logger.Interface
-	ignoreErrors bool
-	sourceRoot   string
-
-	artifactRoot *artifactRoot
-
-	ensureTargetDirectory Installer
-}
-
-var _ Installer = (*toolkitInstaller)(nil)
-
-// New creates a toolkit installer with the specified options.
-func New(opts ...Option) (Installer, error) {
-	t := &toolkitInstaller{}
-	for _, opt := range opts {
-		opt(t)
-	}
-
-	if t.logger == nil {
-		t.logger = logger.New()
-	}
-	if t.sourceRoot == "" {
-		t.sourceRoot = "/"
-	}
-	if t.artifactRoot == nil {
-		artifactRoot, err := newArtifactRoot(t.logger, t.sourceRoot)
-		if err != nil {
-			return nil, err
-		}
-		t.artifactRoot = artifactRoot
-	}
-
-	if t.ensureTargetDirectory == nil {
-		t.ensureTargetDirectory = t.createDirectory()
-	}
-
-	return t, nil
-}
-
-// Install ensures that the required toolkit files are installed in the specified directory.
-func (t *toolkitInstaller) Install(destDir string) error {
-	var installers []Installer
-
-	installers = append(installers, t.ensureTargetDirectory)
-
-	libraries, err := t.collectLibraries()
-	if err != nil {
-		return fmt.Errorf("failed to collect libraries: %w", err)
-	}
-	installers = append(installers, libraries...)
-
-	executables, err := t.collectExecutables(destDir)
-	if err != nil {
-		return fmt.Errorf("failed to collect executables: %w", err)
-	}
-	installers = append(installers, executables...)
-
-	var errs error
-	for _, i := range installers {
-		errs = errors.Join(errs, i.Install(destDir))
-	}
-
-	return errs
-}
-
-type symlink struct {
-	linkname string
-	target   string
-}
-
-func (s symlink) Install(destDir string) error {
-	symlinkPath := filepath.Join(destDir, s.linkname)
-	return installSymlink(s.target, symlinkPath)
-}
-
-//go:generate moq -rm -fmt=goimports -out file-installer_mock.go . fileInstaller
-type fileInstaller interface {
-	installContent(io.Reader, string, os.FileMode) error
-	installFile(string, string) (os.FileMode, error)
-	installSymlink(string, string) error
-}
-
-var installSymlink = installSymlinkStub
-
-func installSymlinkStub(target string, link string) error {
-	err := os.Symlink(target, link)
-	if err != nil {
-		return fmt.Errorf("error creating symlink '%v' => '%v': %v", link, target, err)
-	}
-	return nil
-}
-
-var installFile = installFileStub
-
-func installFileStub(src string, dest string) (os.FileMode, error) {
-	sourceInfo, err := os.Stat(src)
-	if err != nil {
-		return 0, fmt.Errorf("error getting file info for '%v': %v", src, err)
-	}
-
-	source, err := os.Open(src)
-	if err != nil {
-		return 0, fmt.Errorf("error opening source: %w", err)
-	}
-	defer source.Close()
-
-	mode := sourceInfo.Mode()
-	if err := installContent(source, dest, mode); err != nil {
-		return 0, err
-	}
-	return mode, nil
-}
-
-var installContent = installContentStub
-
-func installContentStub(content io.Reader, dest string, mode fs.FileMode) error {
-	destination, err := os.Create(dest)
-	if err != nil {
-		return fmt.Errorf("error creating destination: %w", err)
-	}
-	defer destination.Close()
-
-	_, err = io.Copy(destination, content)
-	if err != nil {
-		return fmt.Errorf("error copying file: %w", err)
-	}
-	err = os.Chmod(dest, mode)
-	if err != nil {
-		return fmt.Errorf("error setting mode for '%v': %v", dest, err)
-	}
-	return nil
-}

cmd/nvidia-ctk-installer/toolkit/installer/installer_mock.go

@@ -1,74 +0,0 @@
-// Code generated by moq; DO NOT EDIT.
-// github.com/matryer/moq
-
-package installer
-
-import (
-	"sync"
-)
-
-// Ensure, that InstallerMock does implement Installer.
-// If this is not the case, regenerate this file with moq.
-var _ Installer = &InstallerMock{}
-
-// InstallerMock is a mock implementation of Installer.
-//
-//	func TestSomethingThatUsesInstaller(t *testing.T) {
-//
-//		// make and configure a mocked Installer
-//		mockedInstaller := &InstallerMock{
-//			InstallFunc: func(s string) error {
-//				panic("mock out the Install method")
-//			},
-//		}
-//
-//		// use mockedInstaller in code that requires Installer
-//		// and then make assertions.
-//
-//	}
-type InstallerMock struct {
-	// InstallFunc mocks the Install method.
-	InstallFunc func(s string) error
-
-	// calls tracks calls to the methods.
-	calls struct {
-		// Install holds details about calls to the Install method.
-		Install []struct {
-			// S is the s argument value.
-			S string
-		}
-	}
-	lockInstall sync.RWMutex
-}
-
-// Install calls InstallFunc.
-func (mock *InstallerMock) Install(s string) error {
-	if mock.InstallFunc == nil {
-		panic("InstallerMock.InstallFunc: method is nil but Installer.Install was just called")
-	}
-	callInfo := struct {
-		S string
-	}{
-		S: s,
-	}
-	mock.lockInstall.Lock()
-	mock.calls.Install = append(mock.calls.Install, callInfo)
-	mock.lockInstall.Unlock()
-	return mock.InstallFunc(s)
-}
-
-// InstallCalls gets all the calls that were made to Install.
-// Check the length with:
-//
-//	len(mockedInstaller.InstallCalls())
-func (mock *InstallerMock) InstallCalls() []struct {
-	S string
-} {
-	var calls []struct {
-		S string
-	}
-	mock.lockInstall.RLock()
-	calls = mock.calls.Install
-	mock.lockInstall.RUnlock()
-	return calls
-}

cmd/nvidia-ctk-installer/toolkit/installer/installer_test.go

@@ -1,251 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package installer
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"io/fs"
-	"os"
-	"path/filepath"
-	"testing"
-
-	testlog "github.com/sirupsen/logrus/hooks/test"
-	"github.com/stretchr/testify/require"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
-)
-
-func TestToolkitInstaller(t *testing.T) {
-	logger, _ := testlog.NewNullLogger()
-
-	type contentCall struct {
-		wrapper string
-		path    string
-		mode    fs.FileMode
-	}
-	var contentCalls []contentCall
-
-	installer := &fileInstallerMock{
-		installFileFunc: func(s1, s2 string) (os.FileMode, error) {
-			return 0666, nil
-		},
-		installContentFunc: func(reader io.Reader, s string, fileMode fs.FileMode) error {
-			var b bytes.Buffer
-			if _, err := b.ReadFrom(reader); err != nil {
-				return err
-			}
-			contents := contentCall{
-				wrapper: b.String(),
-				path:    s,
-				mode:    fileMode,
-			}
-
-			contentCalls = append(contentCalls, contents)
-			return nil
-		},
-		installSymlinkFunc: func(s1, s2 string) error {
-			return nil
-		},
-	}
-	installFile = installer.installFile
-	installContent = installer.installContent
-	installSymlink = installer.installSymlink
-
-	root := "/artifacts/test"
-	libraries := &lookup.LocatorMock{
-		LocateFunc: func(s string) ([]string, error) {
-			switch s {
-			case "libnvidia-container.so.1":
-				return []string{filepath.Join(root, "libnvidia-container.so.987.65.43")}, nil
-			case "libnvidia-container-go.so.1":
-				return []string{filepath.Join(root, "libnvidia-container-go.so.1.23.4")}, nil
-			}
-			return nil, fmt.Errorf("%v not found", s)
-		},
-	}
-	executables := &lookup.LocatorMock{
-		LocateFunc: func(s string) ([]string, error) {
-			switch s {
-			case "nvidia-container-runtime.cdi":
-				fallthrough
-			case "nvidia-container-runtime.legacy":
-				fallthrough
-			case "nvidia-container-runtime":
-				fallthrough
-			case "nvidia-ctk":
-				fallthrough
-			case "nvidia-container-cli":
-				fallthrough
-			case "nvidia-container-runtime-hook":
-				fallthrough
-			case "nvidia-cdi-hook":
-				return []string{filepath.Join(root, "usr/bin", s)}, nil
-			}
-			return nil, fmt.Errorf("%v not found", s)
-		},
-	}
-
-	r := &artifactRoot{
-		libraries:   libraries,
-		executables: executables,
-	}
-
-	createDirectory := &InstallerMock{
-		InstallFunc: func(c string) error {
-			return nil
-		},
-	}
-	i := toolkitInstaller{
-		logger:                logger,
-		artifactRoot:          r,
-		ensureTargetDirectory: createDirectory,
-	}
-
-	err := i.Install("/foo/bar/baz")
-	require.NoError(t, err)
-
-	require.ElementsMatch(t,
-		[]struct {
-			S string
-		}{
-			{"/foo/bar/baz"},
-		},
-		createDirectory.InstallCalls(),
-	)
-
-	require.ElementsMatch(t,
-		installer.installFileCalls(),
-		[]struct {
-			S1 string
-			S2 string
-		}{
-			{"/artifacts/test/libnvidia-container-go.so.1.23.4", "/foo/bar/baz/libnvidia-container-go.so.1.23.4"},
-			{"/artifacts/test/libnvidia-container.so.987.65.43", "/foo/bar/baz/libnvidia-container.so.987.65.43"},
-			{"/artifacts/test/usr/bin/nvidia-container-runtime.cdi", "/foo/bar/baz/nvidia-container-runtime.cdi.real"},
-			{"/artifacts/test/usr/bin/nvidia-container-runtime.legacy", "/foo/bar/baz/nvidia-container-runtime.legacy.real"},
-			{"/artifacts/test/usr/bin/nvidia-container-runtime", "/foo/bar/baz/nvidia-container-runtime.real"},
-			{"/artifacts/test/usr/bin/nvidia-ctk", "/foo/bar/baz/nvidia-ctk.real"},
-			{"/artifacts/test/usr/bin/nvidia-cdi-hook", "/foo/bar/baz/nvidia-cdi-hook.real"},
-			{"/artifacts/test/usr/bin/nvidia-container-cli", "/foo/bar/baz/nvidia-container-cli.real"},
-			{"/artifacts/test/usr/bin/nvidia-container-runtime-hook", "/foo/bar/baz/nvidia-container-runtime-hook.real"},
-		},
-	)
-
-	require.ElementsMatch(t,
-		installer.installSymlinkCalls(),
-		[]struct {
-			S1 string
-			S2 string
-		}{
-			{"libnvidia-container-go.so.1.23.4", "/foo/bar/baz/libnvidia-container-go.so.1"},
-			{"libnvidia-container.so.987.65.43", "/foo/bar/baz/libnvidia-container.so.1"},
-			{"nvidia-container-runtime-hook", "/foo/bar/baz/nvidia-container-toolkit"},
-		},
-	)
-
-	require.ElementsMatch(t,
-		contentCalls,
-		[]contentCall{
-			{
-				path: "/foo/bar/baz/nvidia-container-runtime",
-				mode: 0777,
-				wrapper: `#! /bin/sh
-cat /proc/modules | grep -e "^nvidia " >/dev/null 2>&1
-if [ "${?}" != "0" ]; then
-	echo "nvidia driver modules are not yet loaded, invoking runc directly"
-	exec runc "$@"
-fi
-PATH=/foo/bar/baz:$PATH \
-XDG_CONFIG_HOME=/foo/bar/baz/.config \
-	/foo/bar/baz/nvidia-container-runtime.real \
-		"$@"
-`,
-			},
-			{
-				path: "/foo/bar/baz/nvidia-container-runtime.cdi",
-				mode: 0777,
-				wrapper: `#! /bin/sh
-cat /proc/modules | grep -e "^nvidia " >/dev/null 2>&1
-if [ "${?}" != "0" ]; then
-	echo "nvidia driver modules are not yet loaded, invoking runc directly"
-	exec runc "$@"
-fi
-PATH=/foo/bar/baz:$PATH \
-XDG_CONFIG_HOME=/foo/bar/baz/.config \
-	/foo/bar/baz/nvidia-container-runtime.cdi.real \
-		"$@"
-`,
-			},
-			{
-				path: "/foo/bar/baz/nvidia-container-runtime.legacy",
-				mode: 0777,
-				wrapper: `#! /bin/sh
-cat /proc/modules | grep -e "^nvidia " >/dev/null 2>&1
-if [ "${?}" != "0" ]; then
-	echo "nvidia driver modules are not yet loaded, invoking runc directly"
-	exec runc "$@"
-fi
-PATH=/foo/bar/baz:$PATH \
-XDG_CONFIG_HOME=/foo/bar/baz/.config \
-	/foo/bar/baz/nvidia-container-runtime.legacy.real \
-		"$@"
-`,
-			},
-			{
-				path: "/foo/bar/baz/nvidia-ctk",
-				mode: 0777,
-				wrapper: `#! /bin/sh
-PATH=/foo/bar/baz:$PATH \
-	/foo/bar/baz/nvidia-ctk.real \
-		"$@"
-`,
-			},
-			{
-				path: "/foo/bar/baz/nvidia-cdi-hook",
-				mode: 0777,
-				wrapper: `#! /bin/sh
-PATH=/foo/bar/baz:$PATH \
-	/foo/bar/baz/nvidia-cdi-hook.real \
-		"$@"
-`,
-			},
-			{
-				path: "/foo/bar/baz/nvidia-container-cli",
-				mode: 0777,
-				wrapper: `#! /bin/sh
-LD_LIBRARY_PATH=/foo/bar/baz:$LD_LIBRARY_PATH \
-PATH=/foo/bar/baz:$PATH \
-	/foo/bar/baz/nvidia-container-cli.real \
-		"$@"
-`,
-			},
-			{
-				path: "/foo/bar/baz/nvidia-container-runtime-hook",
-				mode: 0777,
-				wrapper: `#! /bin/sh
-PATH=/foo/bar/baz:$PATH \
-	/foo/bar/baz/nvidia-container-runtime-hook.real \
-		-config /foo/bar/baz/.config/nvidia-container-runtime/config.toml \
-		"$@"
-`,
-			},
-		},
-	)
-}

cmd/nvidia-ctk-installer/toolkit/installer/libraries.go

@@ -1,73 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package installer
-
-import (
-	"path/filepath"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// collectLibraries locates and installs the libraries that are part of
-// the nvidia-container-toolkit.
-// A predefined set of library candidates are considered, with the first one
-// resulting in success being installed to the toolkit folder. The install process
-// resolves the symlink for the library and copies the versioned library itself.
-func (t *toolkitInstaller) collectLibraries() ([]Installer, error) {
-	requiredLibraries := []string{
-		"libnvidia-container.so.1",
-		"libnvidia-container-go.so.1",
-	}
-
-	var installers []Installer
-	for _, l := range requiredLibraries {
-		libraryPath, err := t.artifactRoot.findLibrary(l)
-		if err != nil {
-			if t.ignoreErrors {
-				log.Errorf("Ignoring error: %v", err)
-				continue
-			}
-			return nil, err
-		}
-
-		installers = append(installers, library(libraryPath))
-
-		if filepath.Base(libraryPath) == l {
-			continue
-		}
-
-		link := symlink{
-			linkname: l,
-			target:   filepath.Base(libraryPath),
-		}
-		installers = append(installers, link)
-	}
-
-	return installers, nil
-}
-
-type library string
-
-// Install copies the library l to the destination folder.
-// The same basename is used in the destination folder.
-func (l library) Install(destinationDir string) error {
-	dest := filepath.Join(destinationDir, filepath.Base(string(l)))
-
-	_, err := installFile(string(l), dest)
-	return err
-}

cmd/nvidia-ctk-installer/toolkit/installer/options.go

@@ -1,47 +0,0 @@
-/**
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package installer
-
-import "github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-
-type Option func(*toolkitInstaller)
-
-func WithLogger(logger logger.Interface) Option {
-	return func(ti *toolkitInstaller) {
-		ti.logger = logger
-	}
-}
-
-func WithArtifactRoot(artifactRoot *artifactRoot) Option {
-	return func(ti *toolkitInstaller) {
-		ti.artifactRoot = artifactRoot
-	}
-}
-
-func WithIgnoreErrors(ignoreErrors bool) Option {
-	return func(ti *toolkitInstaller) {
-		ti.ignoreErrors = ignoreErrors
-	}
-}
-
-// WithSourceRoot sets the root directory for locating artifacts to be installed.
-func WithSourceRoot(sourceRoot string) Option {
-	return func(ti *toolkitInstaller) {
-		ti.sourceRoot = sourceRoot
-	}
-}

cmd/nvidia-ctk-installer/toolkit/toolkit_test.go

@@ -1,222 +0,0 @@
-/**
-# Copyright 2024 NVIDIA CORPORATION
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package toolkit
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	testlog "github.com/sirupsen/logrus/hooks/test"
-	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v2"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup/symlinks"
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/test"
-)
-
-func TestInstall(t *testing.T) {
-	t.Setenv("__NVCT_TESTING_DEVICES_ARE_FILES", "true")
-	logger, _ := testlog.NewNullLogger()
-
-	moduleRoot, err := test.GetModuleRoot()
-	require.NoError(t, err)
-
-	artifactRoot := filepath.Join(moduleRoot, "testdata", "installer", "artifacts")
-
-	testCases := []struct {
-		description     string
-		hostRoot        string
-		packageType     string
-		cdiEnabled      bool
-		expectedError   error
-		expectedCdiSpec string
-	}{
-		{
-			hostRoot:    "rootfs-empty",
-			packageType: "deb",
-		},
-		{
-			hostRoot:    "rootfs-empty",
-			packageType: "rpm",
-		},
-		{
-			hostRoot:      "rootfs-empty",
-			packageType:   "deb",
-			cdiEnabled:    true,
-			expectedError: fmt.Errorf("no NVIDIA device nodes found"),
-		},
-		{
-			hostRoot:    "rootfs-1",
-			packageType: "deb",
-			cdiEnabled:  true,
-			expectedCdiSpec: `---
-cdiVersion: 0.5.0
-kind: example.com/class
-devices:
-    - name: all
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: /host/driver/root/dev/nvidia0
-            - path: /dev/nvidiactl
-              hostPath: /host/driver/root/dev/nvidiactl
-            - path: /dev/nvidia-caps-imex-channels/channel0
-              hostPath: /host/driver/root/dev/nvidia-caps-imex-channels/channel0
-            - path: /dev/nvidia-caps-imex-channels/channel1
-              hostPath: /host/driver/root/dev/nvidia-caps-imex-channels/channel1
-            - path: /dev/nvidia-caps-imex-channels/channel2047
-              hostPath: /host/driver/root/dev/nvidia-caps-imex-channels/channel2047
-containerEdits:
-    env:
-        - NVIDIA_VISIBLE_DEVICES=void
-    hooks:
-        - hookName: createContainer
-          path: {{ .toolkitRoot }}/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - create-symlinks
-            - --link
-            - libcuda.so.1::/lib/x86_64-linux-gnu/libcuda.so
-          env:
-            - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: {{ .toolkitRoot }}/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - update-ldcache
-            - --folder
-            - /lib/x86_64-linux-gnu
-          env:
-            - NVIDIA_CTK_DEBUG=false
-    mounts:
-        - hostPath: /host/driver/root/lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          containerPath: /lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          options:
-            - ro
-            - nosuid
-            - nodev
-            - rbind
-            - rprivate
-`,
-		},
-	}
-
-	for _, tc := range testCases {
-		// hostRoot := filepath.Join(moduleRoot, "testdata", "lookup", tc.hostRoot)
-		t.Run(tc.description, func(t *testing.T) {
-			testRoot := t.TempDir()
-			toolkitRoot := filepath.Join(testRoot, "toolkit-test")
-			cdiOutputDir := filepath.Join(moduleRoot, "toolkit-test", "/var/cdi")
-			sourceRoot := filepath.Join(artifactRoot, tc.packageType)
-			options := Options{
-				DriverRoot:        "/host/driver/root",
-				DriverRootCtrPath: filepath.Join(moduleRoot, "testdata", "lookup", tc.hostRoot),
-				CDI: cdiOptions{
-					Enabled:   tc.cdiEnabled,
-					outputDir: cdiOutputDir,
-					kind:      "example.com/class",
-				},
-			}
-
-			ti := NewInstaller(
-				WithLogger(logger),
-				WithToolkitRoot(toolkitRoot),
-				WithSourceRoot(sourceRoot),
-			)
-			require.NoError(t, ti.ValidateOptions(&options))
-
-			err := ti.Install(&cli.Context{}, &options)
-			if tc.expectedError == nil {
-				require.NoError(t, err)
-			} else {
-				require.Contains(t, err.Error(), tc.expectedError.Error())
-			}
-
-			require.DirExists(t, toolkitRoot)
-			requireSymlink(t, toolkitRoot, "libnvidia-container.so.1", "libnvidia-container.so.99.88.77")
-			requireSymlink(t, toolkitRoot, "libnvidia-container-go.so.1", "libnvidia-container-go.so.99.88.77")
-
-			requireWrappedExecutable(t, toolkitRoot, "nvidia-cdi-hook")
-			requireWrappedExecutable(t, toolkitRoot, "nvidia-container-cli")
-			requireWrappedExecutable(t, toolkitRoot, "nvidia-container-runtime")
-			requireWrappedExecutable(t, toolkitRoot, "nvidia-container-runtime-hook")
-			requireWrappedExecutable(t, toolkitRoot, "nvidia-container-runtime.cdi")
-			requireWrappedExecutable(t, toolkitRoot, "nvidia-container-runtime.legacy")
-			requireWrappedExecutable(t, toolkitRoot, "nvidia-ctk")
-
-			requireSymlink(t, toolkitRoot, "nvidia-container-toolkit", "nvidia-container-runtime-hook")
-
-			// TODO: Add checks for wrapper contents
-			// grep -q -E "nvidia driver modules are not yet loaded, invoking runc directly" "${shared_dir}/usr/local/nvidia/toolkit/nvidia-container-runtime"
-			// grep -q -E "exec runc \".@\"" "${shared_dir}/usr/local/nvidia/toolkit/nvidia-container-runtime"
-
-			require.DirExists(t, filepath.Join(toolkitRoot, ".config"))
-			require.DirExists(t, filepath.Join(toolkitRoot, ".config", "nvidia-container-runtime"))
-			require.FileExists(t, filepath.Join(toolkitRoot, ".config", "nvidia-container-runtime", "config.toml"))
-
-			cfgToml, err := config.New(config.WithConfigFile(filepath.Join(toolkitRoot, ".config", "nvidia-container-runtime", "config.toml")))
-			require.NoError(t, err)
-
-			cfg, err := cfgToml.Config()
-			require.NoError(t, err)
-
-			// Ensure that the config file has the required contents.
-			// TODO: Add checks for additional config options.
-			require.Equal(t, "/host/driver/root", cfg.NVIDIAContainerCLIConfig.Root)
-			require.Equal(t, "@/host/driver/root/sbin/ldconfig", string(cfg.NVIDIAContainerCLIConfig.Ldconfig))
-			require.EqualValues(t, filepath.Join(toolkitRoot, "nvidia-container-cli"), cfg.NVIDIAContainerCLIConfig.Path)
-			require.EqualValues(t, filepath.Join(toolkitRoot, "nvidia-ctk"), cfg.NVIDIACTKConfig.Path)
-
-			if len(tc.expectedCdiSpec) > 0 {
-				cdiSpecFile := filepath.Join(cdiOutputDir, "example.com-class.yaml")
-				require.FileExists(t, cdiSpecFile)
-				info, err := os.Stat(cdiSpecFile)
-				require.NoError(t, err)
-				require.NotZero(t, info.Mode()&0004)
-				contents, err := os.ReadFile(cdiSpecFile)
-				require.NoError(t, err)
-				require.Equal(t, strings.ReplaceAll(tc.expectedCdiSpec, "{{ .toolkitRoot }}", toolkitRoot), string(contents))
-			}
-		})
-	}
-}
-
-func requireWrappedExecutable(t *testing.T, toolkitRoot string, expectedExecutable string) {
-	requireExecutable(t, toolkitRoot, expectedExecutable)
-	requireExecutable(t, toolkitRoot, expectedExecutable+".real")
-}
-
-func requireExecutable(t *testing.T, toolkitRoot string, expectedExecutable string) {
-	executable := filepath.Join(toolkitRoot, expectedExecutable)
-	require.FileExists(t, executable)
-	info, err := os.Lstat(executable)
-	require.NoError(t, err)
-	require.Zero(t, info.Mode()&os.ModeSymlink)
-	require.NotZero(t, info.Mode()&0111)
-}
-
-func requireSymlink(t *testing.T, toolkitRoot string, expectedLink string, expectedTarget string) {
-	link := filepath.Join(toolkitRoot, expectedLink)
-	require.FileExists(t, link)
-	target, err := symlinks.Resolve(link)
-	require.NoError(t, err)
-	require.Equal(t, expectedTarget, target)
-}

cmd/nvidia-ctk/cdi/generate/generate.go

@@ -25,8 +25,6 @@ import (
 	"github.com/urfave/cli/v2"
 	cdi "tags.cncf.io/container-device-interface/pkg/parser"
 
-	"github.com/NVIDIA/go-nvml/pkg/nvml"
-
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/platform-support/tegra/csv"
@@ -57,15 +55,11 @@ type options struct {
 
 	configSearchPaths  cli.StringSlice
 	librarySearchPaths cli.StringSlice
-	disabledHooks      cli.StringSlice
 
 	csv struct {
 		files          cli.StringSlice
 		ignorePatterns cli.StringSlice
 	}
-
-	// the following are used for dependency injection during spec generation.
-	nvmllib nvml.Interface
 }
 
 // NewCommand constructs a generate-cdi command with the specified logger
@@ -97,55 +91,45 @@ func (m command) build() *cli.Command {
 			Name:        "config-search-path",
 			Usage:       "Specify the path to search for config files when discovering the entities that should be included in the CDI specification.",
 			Destination: &opts.configSearchPaths,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_CONFIG_SEARCH_PATHS"},
 		},
 		&cli.StringFlag{
 			Name:        "output",
 			Usage:       "Specify the file to output the generated CDI specification to. If this is '' the specification is output to STDOUT",
 			Destination: &opts.output,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_OUTPUT_FILE_PATH"},
 		},
 		&cli.StringFlag{
 			Name:        "format",
 			Usage:       "The output format for the generated spec [json | yaml]. This overrides the format defined by the output file extension (if specified).",
 			Value:       spec.FormatYAML,
 			Destination: &opts.format,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_OUTPUT_FORMAT"},
 		},
 		&cli.StringFlag{
-			Name:    "mode",
-			Aliases: []string{"discovery-mode"},
-			Usage: "The mode to use when discovering the available entities. " +
-				"One of [" + strings.Join(nvcdi.AllModes[string](), " | ") + "]. " +
-				"If mode is set to 'auto' the mode will be determined based on the system configuration.",
-			Value:       string(nvcdi.ModeAuto),
+			Name:        "mode",
+			Aliases:     []string{"discovery-mode"},
+			Usage:       "The mode to use when discovering the available entities. One of [auto | nvml | wsl]. If mode is set to 'auto' the mode will be determined based on the system configuration.",
+			Value:       nvcdi.ModeAuto,
 			Destination: &opts.mode,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_MODE"},
 		},
 		&cli.StringFlag{
 			Name:        "dev-root",
 			Usage:       "Specify the root where `/dev` is located. If this is not specified, the driver-root is assumed.",
 			Destination: &opts.devRoot,
-			EnvVars:     []string{"NVIDIA_CTK_DEV_ROOT"},
 		},
 		&cli.StringSliceFlag{
 			Name:        "device-name-strategy",
 			Usage:       "Specify the strategy for generating device names. If this is specified multiple times, the devices will be duplicated for each strategy. One of [index | uuid | type-index]",
 			Value:       cli.NewStringSlice(nvcdi.DeviceNameStrategyIndex, nvcdi.DeviceNameStrategyUUID),
 			Destination: &opts.deviceNameStrategies,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_DEVICE_NAME_STRATEGIES"},
 		},
 		&cli.StringFlag{
 			Name:        "driver-root",
 			Usage:       "Specify the NVIDIA GPU driver root to use when discovering the entities that should be included in the CDI specification.",
 			Destination: &opts.driverRoot,
-			EnvVars:     []string{"NVIDIA_CTK_DRIVER_ROOT"},
 		},
 		&cli.StringSliceFlag{
 			Name:        "library-search-path",
 			Usage:       "Specify the path to search for libraries when discovering the entities that should be included in the CDI specification.\n\tNote: This option only applies to CSV mode.",
 			Destination: &opts.librarySearchPaths,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_LIBRARY_SEARCH_PATHS"},
 		},
 		&cli.StringFlag{
 			Name:    "nvidia-cdi-hook-path",
@@ -154,13 +138,11 @@ func (m command) build() *cli.Command {
 				"If not specified, the PATH will be searched for `nvidia-cdi-hook`. " +
 				"NOTE: That if this is specified as `nvidia-ctk`, the PATH will be searched for `nvidia-ctk` instead.",
 			Destination: &opts.nvidiaCDIHookPath,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_HOOK_PATH"},
 		},
 		&cli.StringFlag{
 			Name:        "ldconfig-path",
 			Usage:       "Specify the path to use for ldconfig in the generated CDI specification",
 			Destination: &opts.ldconfigPath,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_LDCONFIG_PATH"},
 		},
 		&cli.StringFlag{
 			Name:        "vendor",
@@ -168,7 +150,6 @@ func (m command) build() *cli.Command {
 			Usage:       "the vendor string to use for the generated CDI specification.",
 			Value:       "nvidia.com",
 			Destination: &opts.vendor,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_VENDOR"},
 		},
 		&cli.StringFlag{
 			Name:        "class",
@@ -176,30 +157,17 @@ func (m command) build() *cli.Command {
 			Usage:       "the class string to use for the generated CDI specification.",
 			Value:       "gpu",
 			Destination: &opts.class,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_CLASS"},
 		},
 		&cli.StringSliceFlag{
 			Name:        "csv.file",
 			Usage:       "The path to the list of CSV files to use when generating the CDI specification in CSV mode.",
 			Value:       cli.NewStringSlice(csv.DefaultFileList()...),
 			Destination: &opts.csv.files,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_CSV_FILES"},
 		},
 		&cli.StringSliceFlag{
 			Name:        "csv.ignore-pattern",
-			Usage:       "specify a pattern the CSV mount specifications.",
+			Usage:       "Specify a pattern the CSV mount specifications.",
 			Destination: &opts.csv.ignorePatterns,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_CSV_IGNORE_PATTERNS"},
-		},
-		&cli.StringSliceFlag{
-			Name:    "disable-hook",
-			Aliases: []string{"disable-hooks"},
-			Usage: "specify a specific hook to skip when generating CDI " +
-				"specifications. This can be specified multiple times and the " +
-				"special hook name 'all' can be used ensure that the generated " +
-				"CDI specification does not include any hooks.",
-			Destination: &opts.disabledHooks,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_GENERATE_DISABLED_HOOKS"},
 		},
 	}
 
@@ -216,7 +184,13 @@ func (m command) validateFlags(c *cli.Context, opts *options) error {
 	}
 
 	opts.mode = strings.ToLower(opts.mode)
-	if !nvcdi.IsValidMode(opts.mode) {
+	switch opts.mode {
+	case nvcdi.ModeAuto:
+	case nvcdi.ModeCSV:
+	case nvcdi.ModeNvml:
+	case nvcdi.ModeWsl:
+	case nvcdi.ModeManagement:
+	default:
 		return fmt.Errorf("invalid discovery mode: %v", opts.mode)
 	}
 
@@ -287,7 +261,7 @@ func (m command) generateSpec(opts *options) (spec.Interface, error) {
 		deviceNamers = append(deviceNamers, deviceNamer)
 	}
 
-	cdiOptions := []nvcdi.Option{
+	cdilib, err := nvcdi.New(
 		nvcdi.WithLogger(m.logger),
 		nvcdi.WithDriverRoot(opts.driverRoot),
 		nvcdi.WithDevRoot(opts.devRoot),
@@ -299,15 +273,7 @@ func (m command) generateSpec(opts *options) (spec.Interface, error) {
 		nvcdi.WithLibrarySearchPaths(opts.librarySearchPaths.Value()),
 		nvcdi.WithCSVFiles(opts.csv.files.Value()),
 		nvcdi.WithCSVIgnorePatterns(opts.csv.ignorePatterns.Value()),
-		// We set the following to allow for dependency injection:
-		nvcdi.WithNvmlLib(opts.nvmllib),
-	}
-
-	for _, hook := range opts.disabledHooks.Value() {
-		cdiOptions = append(cdiOptions, nvcdi.WithDisabledHook(hook))
-	}
-
-	cdilib, err := nvcdi.New(cdiOptions...)
+	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create CDI library: %v", err)
 	}

cmd/nvidia-ctk/cdi/generate/generate_test.go

@@ -1,371 +0,0 @@
-/**
-# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package generate
-
-import (
-	"bytes"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/NVIDIA/go-nvml/pkg/nvml"
-	"github.com/NVIDIA/go-nvml/pkg/nvml/mock/dgxa100"
-	testlog "github.com/sirupsen/logrus/hooks/test"
-	"github.com/stretchr/testify/require"
-	"github.com/urfave/cli/v2"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/test"
-)
-
-func TestGenerateSpec(t *testing.T) {
-	t.Setenv("__NVCT_TESTING_DEVICES_ARE_FILES", "true")
-	moduleRoot, err := test.GetModuleRoot()
-	require.NoError(t, err)
-
-	driverRoot := filepath.Join(moduleRoot, "testdata", "lookup", "rootfs-1")
-
-	logger, _ := testlog.NewNullLogger()
-	testCases := []struct {
-		description           string
-		options               options
-		expectedValidateError error
-		expectedOptions       options
-		expectedError         error
-		expectedSpec          string
-	}{
-		{
-			description: "default",
-			options: options{
-				format:     "yaml",
-				mode:       "nvml",
-				vendor:     "example.com",
-				class:      "device",
-				driverRoot: driverRoot,
-			},
-			expectedOptions: options{
-				format:            "yaml",
-				mode:              "nvml",
-				vendor:            "example.com",
-				class:             "device",
-				nvidiaCDIHookPath: "/usr/bin/nvidia-cdi-hook",
-				driverRoot:        driverRoot,
-			},
-			expectedSpec: `---
-cdiVersion: 0.5.0
-kind: example.com/device
-devices:
-    - name: "0"
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: {{ .driverRoot }}/dev/nvidia0
-    - name: all
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: {{ .driverRoot }}/dev/nvidia0
-containerEdits:
-    env:
-        - NVIDIA_VISIBLE_DEVICES=void
-    deviceNodes:
-        - path: /dev/nvidiactl
-          hostPath: {{ .driverRoot }}/dev/nvidiactl
-    hooks:
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - create-symlinks
-            - --link
-            - libcuda.so.1::/lib/x86_64-linux-gnu/libcuda.so
-          env:
-            - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - enable-cuda-compat
-            - --host-driver-version=999.88.77
-          env:
-            - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - update-ldcache
-            - --folder
-            - /lib/x86_64-linux-gnu
-          env:
-            - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - disable-device-node-modification
-          env:
-            - NVIDIA_CTK_DEBUG=false
-    mounts:
-        - hostPath: {{ .driverRoot }}/lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          containerPath: /lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          options:
-            - ro
-            - nosuid
-            - nodev
-            - rbind
-            - rprivate
-`,
-		},
-		{
-			description: "disableHooks1",
-			options: options{
-				format:        "yaml",
-				mode:          "nvml",
-				vendor:        "example.com",
-				class:         "device",
-				driverRoot:    driverRoot,
-				disabledHooks: valueOf(cli.NewStringSlice("enable-cuda-compat")),
-			},
-			expectedOptions: options{
-				format:            "yaml",
-				mode:              "nvml",
-				vendor:            "example.com",
-				class:             "device",
-				nvidiaCDIHookPath: "/usr/bin/nvidia-cdi-hook",
-				driverRoot:        driverRoot,
-				disabledHooks:     valueOf(cli.NewStringSlice("enable-cuda-compat")),
-			},
-			expectedSpec: `---
-cdiVersion: 0.5.0
-kind: example.com/device
-devices:
-    - name: "0"
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: {{ .driverRoot }}/dev/nvidia0
-    - name: all
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: {{ .driverRoot }}/dev/nvidia0
-containerEdits:
-    env:
-        - NVIDIA_VISIBLE_DEVICES=void
-    deviceNodes:
-        - path: /dev/nvidiactl
-          hostPath: {{ .driverRoot }}/dev/nvidiactl
-    hooks:
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - create-symlinks
-            - --link
-            - libcuda.so.1::/lib/x86_64-linux-gnu/libcuda.so
-          env:
-            - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - update-ldcache
-            - --folder
-            - /lib/x86_64-linux-gnu
-          env:
-            - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - disable-device-node-modification
-          env:
-            - NVIDIA_CTK_DEBUG=false
-    mounts:
-        - hostPath: {{ .driverRoot }}/lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          containerPath: /lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          options:
-            - ro
-            - nosuid
-            - nodev
-            - rbind
-            - rprivate
-`,
-		},
-		{
-			description: "disableHooks2",
-			options: options{
-				format:        "yaml",
-				mode:          "nvml",
-				vendor:        "example.com",
-				class:         "device",
-				driverRoot:    driverRoot,
-				disabledHooks: valueOf(cli.NewStringSlice("enable-cuda-compat", "update-ldcache")),
-			},
-			expectedOptions: options{
-				format:            "yaml",
-				mode:              "nvml",
-				vendor:            "example.com",
-				class:             "device",
-				nvidiaCDIHookPath: "/usr/bin/nvidia-cdi-hook",
-				driverRoot:        driverRoot,
-				disabledHooks:     valueOf(cli.NewStringSlice("enable-cuda-compat", "update-ldcache")),
-			},
-			expectedSpec: `---
-cdiVersion: 0.5.0
-kind: example.com/device
-devices:
-    - name: "0"
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: {{ .driverRoot }}/dev/nvidia0
-    - name: all
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: {{ .driverRoot }}/dev/nvidia0
-containerEdits:
-    env:
-        - NVIDIA_VISIBLE_DEVICES=void
-    deviceNodes:
-        - path: /dev/nvidiactl
-          hostPath: {{ .driverRoot }}/dev/nvidiactl
-    hooks:
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - create-symlinks
-            - --link
-            - libcuda.so.1::/lib/x86_64-linux-gnu/libcuda.so
-          env:
-            - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - disable-device-node-modification
-          env:
-            - NVIDIA_CTK_DEBUG=false
-    mounts:
-        - hostPath: {{ .driverRoot }}/lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          containerPath: /lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          options:
-            - ro
-            - nosuid
-            - nodev
-            - rbind
-            - rprivate
-`,
-		},
-		{
-			description: "disableHooksAll",
-			options: options{
-				format:        "yaml",
-				mode:          "nvml",
-				vendor:        "example.com",
-				class:         "device",
-				driverRoot:    driverRoot,
-				disabledHooks: valueOf(cli.NewStringSlice("all")),
-			},
-			expectedOptions: options{
-				format:            "yaml",
-				mode:              "nvml",
-				vendor:            "example.com",
-				class:             "device",
-				nvidiaCDIHookPath: "/usr/bin/nvidia-cdi-hook",
-				driverRoot:        driverRoot,
-				disabledHooks:     valueOf(cli.NewStringSlice("all")),
-			},
-			expectedSpec: `---
-cdiVersion: 0.5.0
-kind: example.com/device
-devices:
-    - name: "0"
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: {{ .driverRoot }}/dev/nvidia0
-    - name: all
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: {{ .driverRoot }}/dev/nvidia0
-containerEdits:
-    env:
-        - NVIDIA_VISIBLE_DEVICES=void
-    deviceNodes:
-        - path: /dev/nvidiactl
-          hostPath: {{ .driverRoot }}/dev/nvidiactl
-    mounts:
-        - hostPath: {{ .driverRoot }}/lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          containerPath: /lib/x86_64-linux-gnu/libcuda.so.999.88.77
-          options:
-            - ro
-            - nosuid
-            - nodev
-            - rbind
-            - rprivate
-`,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			c := command{
-				logger: logger,
-			}
-
-			err := c.validateFlags(nil, &tc.options)
-			require.ErrorIs(t, err, tc.expectedValidateError)
-			require.EqualValues(t, tc.expectedOptions, tc.options)
-
-			// Set up a mock server, reusing the DGX A100 mock.
-			server := dgxa100.New()
-			// Override the driver version to match the version in our mock filesystem.
-			server.SystemGetDriverVersionFunc = func() (string, nvml.Return) {
-				return "999.88.77", nvml.SUCCESS
-			}
-			// Set the device count to 1 explicitly since we only have a single device node.
-			server.DeviceGetCountFunc = func() (int, nvml.Return) {
-				return 1, nvml.SUCCESS
-			}
-			for _, d := range server.Devices {
-				// TODO: This is not implemented in the mock.
-				(d.(*dgxa100.Device)).GetMaxMigDeviceCountFunc = func() (int, nvml.Return) {
-					return 0, nvml.SUCCESS
-				}
-			}
-			tc.options.nvmllib = server
-
-			spec, err := c.generateSpec(&tc.options)
-			require.ErrorIs(t, err, tc.expectedError)
-
-			var buf bytes.Buffer
-			_, err = spec.WriteTo(&buf)
-			require.NoError(t, err)
-
-			require.Equal(t, strings.ReplaceAll(tc.expectedSpec, "{{ .driverRoot }}", driverRoot), buf.String())
-		})
-	}
-}
-
-// valueOf returns the value of a pointer.
-// Note that this does not check for a nil pointer and is only used for testing.
-func valueOf[T any](v *T) T {
-	return *v
-}

cmd/nvidia-ctk/cdi/list/list.go

@@ -64,7 +64,6 @@ func (m command) build() *cli.Command {
 			Usage:       "specify the directories to scan for CDI specifications",
 			Value:       cli.NewStringSlice(cdi.DefaultSpecDirs...),
 			Destination: &cfg.cdiSpecDirs,
-			EnvVars:     []string{"NVIDIA_CTK_CDI_SPEC_DIRS"},
 		},
 	}
 

cmd/nvidia-ctk/config/config.go

@@ -194,14 +194,7 @@ func setFlagToKeyValue(setFlag string, setListSeparator string) (string, interfa
 	case reflect.String:
 		return key, value, nil
 	case reflect.Slice:
-		valueParts := []string{value}
-		for _, sep := range []string{setListSeparator, ","} {
-			if !strings.Contains(value, sep) {
-				continue
-			}
-			valueParts = strings.Split(value, sep)
-			break
-		}
+		valueParts := strings.Split(value, setListSeparator)
 		switch field.Elem().Kind() {
 		case reflect.String:
 			return key, valueParts, nil

cmd/nvidia-ctk/hook/hook.go

@@ -27,7 +27,7 @@ type hookCommand struct {
 	logger logger.Interface
 }
 
-// NewCommand constructs CLI subcommand for handling CDI hooks.
+// NewCommand constructs a hook command with the specified logger
 func NewCommand(logger logger.Interface) *cli.Command {
 	c := hookCommand{
 		logger: logger,
@@ -37,21 +37,10 @@ func NewCommand(logger logger.Interface) *cli.Command {
 
 // build
 func (m hookCommand) build() *cli.Command {
-	// Create the 'hook' subcommand
+	// Create the 'hook' command
 	hook := cli.Command{
 		Name:  "hook",
 		Usage: "A collection of hooks that may be injected into an OCI spec",
-		// We set the default action for the `hook` subcommand to issue a
-		// warning and exit with no error.
-		// This means that if an unsupported hook is run, a container will not fail
-		// to launch. An unsupported hook could be the result of a CDI specification
-		// referring to a new hook that is not yet supported by an older NVIDIA
-		// Container Toolkit version or a hook that has been removed in newer
-		// version.
-		Action: func(ctx *cli.Context) error {
-			commands.IssueUnsupportedHookWarning(m.logger, ctx)
-			return nil
-		},
 	}
 
 	hook.Subcommands = commands.New(m.logger)

cmd/nvidia-ctk/main.go

@@ -49,7 +49,6 @@ func main() {
 
 	// Create the top-level CLI
 	c := cli.NewApp()
-	c.DisableSliceFlagSeparator = true
 	c.Name = "NVIDIA Container Toolkit CLI"
 	c.UseShortOptionHandling = true
 	c.EnableBashCompletion = true

cmd/nvidia-ctk/system/create-dev-char-symlinks/create-dev-char-symlinks.go

@@ -19,8 +19,12 @@ package devchar
 import (
 	"fmt"
 	"os"
+	"os/signal"
 	"path/filepath"
+	"strings"
+	"syscall"
 
+	"github.com/fsnotify/fsnotify"
 	"github.com/urfave/cli/v2"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
@@ -40,6 +44,7 @@ type config struct {
 	devCharPath       string
 	driverRoot        string
 	dryRun            bool
+	watch             bool
 	createAll         bool
 	createDeviceNodes bool
 	loadKernelModules bool
@@ -84,6 +89,13 @@ func (m command) build() *cli.Command {
 			Destination: &cfg.driverRoot,
 			EnvVars:     []string{"NVIDIA_DRIVER_ROOT", "DRIVER_ROOT"},
 		},
+		&cli.BoolFlag{
+			Name:        "watch",
+			Usage:       "If set, the command will watch for changes to the driver root and recreate the symlinks when changes are detected.",
+			Value:       false,
+			Destination: &cfg.watch,
+			EnvVars:     []string{"WATCH"},
+		},
 		&cli.BoolFlag{
 			Name:        "create-all",
 			Usage:       "Create all possible /dev/char symlinks instead of limiting these to existing device nodes.",
@@ -115,7 +127,7 @@ func (m command) build() *cli.Command {
 }
 
 func (m command) validateFlags(r *cli.Context, cfg *config) error {
-	if cfg.createAll {
+	if cfg.createAll && cfg.watch {
 		return fmt.Errorf("create-all and watch are mutually exclusive")
 	}
 
@@ -133,6 +145,19 @@ func (m command) validateFlags(r *cli.Context, cfg *config) error {
 }
 
 func (m command) run(c *cli.Context, cfg *config) error {
+	var watcher *fsnotify.Watcher
+	var sigs chan os.Signal
+
+	if cfg.watch {
+		watcher, err := newFSWatcher(filepath.Join(cfg.driverRoot, "dev"))
+		if err != nil {
+			return fmt.Errorf("failed to create FS watcher: %v", err)
+		}
+		defer watcher.Close()
+
+		sigs = newOSWatcher(syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)
+	}
+
 	l, err := NewSymlinkCreator(
 		WithLogger(m.logger),
 		WithDevCharPath(cfg.devCharPath),
@@ -146,11 +171,47 @@ func (m command) run(c *cli.Context, cfg *config) error {
 		return fmt.Errorf("failed to create symlink creator: %v", err)
 	}
 
+create:
 	err = l.CreateLinks()
 	if err != nil {
 		return fmt.Errorf("failed to create links: %v", err)
 	}
-	return nil
+	if !cfg.watch {
+		return nil
+	}
+	for {
+		select {
+
+		case event := <-watcher.Events:
+			deviceNode := filepath.Base(event.Name)
+			if !strings.HasPrefix(deviceNode, "nvidia") {
+				continue
+			}
+			if event.Op&fsnotify.Create == fsnotify.Create {
+				m.logger.Infof("%s created, restarting.", event.Name)
+				goto create
+			}
+			if event.Op&fsnotify.Create == fsnotify.Remove {
+				m.logger.Infof("%s removed. Ignoring", event.Name)
+
+			}
+
+		// Watch for any other fs errors and log them.
+		case err := <-watcher.Errors:
+			m.logger.Errorf("inotify: %s", err)
+
+		// React to signals
+		case s := <-sigs:
+			switch s {
+			case syscall.SIGHUP:
+				m.logger.Infof("Received SIGHUP, recreating symlinks.")
+				goto create
+			default:
+				m.logger.Infof("Received signal %q, shutting down.", s)
+				return nil
+			}
+		}
+	}
 }
 
 type linkCreator struct {
@@ -338,3 +399,27 @@ type deviceNode struct {
 func (d deviceNode) devCharName() string {
 	return fmt.Sprintf("%d:%d", d.major, d.minor)
 }
+
+func newFSWatcher(files ...string) (*fsnotify.Watcher, error) {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, f := range files {
+		err = watcher.Add(f)
+		if err != nil {
+			watcher.Close()
+			return nil, err
+		}
+	}
+
+	return watcher, nil
+}
+
+func newOSWatcher(sigs ...os.Signal) chan os.Signal {
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, sigs...)
+
+	return sigChan
+}

deployments/container/Dockerfile.packaging

@@ -14,7 +14,7 @@
 
 ARG GOLANG_VERSION=x.x.x
 
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubuntu20.04
+FROM nvidia/cuda:12.9.1-base-ubuntu20.04
 
 ARG ARTIFACTS_ROOT
 COPY ${ARTIFACTS_ROOT} /artifacts/packages/

deployments/container/Dockerfile.ubi8

@@ -15,7 +15,7 @@
 ARG GOLANG_VERSION=x.x.x
 ARG VERSION="N/A"
 
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi8 AS build
+FROM nvidia/cuda:12.9.1-base-ubi8 as build
 
 RUN yum install -y \
     wget make git gcc \
@@ -36,18 +36,19 @@ RUN set -eux; \
     | tar -C /usr/local -xz
 
 
-ENV GOPATH=/go
-ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
 
 WORKDIR /build
 COPY . .
 
-RUN mkdir /artifacts
-ARG VERSION="N/A"
-ARG GIT_COMMIT="unknown"
-RUN make PREFIX=/artifacts cmd-nvidia-ctk-installer
+# NOTE: Until the config utilities are properly integrated into the
+# nvidia-container-toolkit repository, these are built from the `tools` folder
+# and not `cmd`.
+RUN GOPATH=/artifacts go install -ldflags="-s -w -X 'main.Version=${VERSION}'" ./tools/...
 
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi8
+
+FROM nvidia/cuda:12.9.1-base-ubi8
 
 ENV NVIDIA_DISABLE_REQUIRE="true"
 ENV NVIDIA_VISIBLE_DEVICES=void
@@ -61,8 +62,7 @@ WORKDIR /artifacts/packages
 
 ARG PACKAGE_VERSION
 ARG TARGETARCH
-ENV PACKAGE_ARCH=${TARGETARCH}
-
+ENV PACKAGE_ARCH ${TARGETARCH}
 RUN PACKAGE_ARCH=${PACKAGE_ARCH/amd64/x86_64} && PACKAGE_ARCH=${PACKAGE_ARCH/arm64/aarch64} && \
     yum localinstall -y \
     ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container1-1.*.rpm \
@@ -71,12 +71,10 @@ RUN PACKAGE_ARCH=${PACKAGE_ARCH/amd64/x86_64} && PACKAGE_ARCH=${PACKAGE_ARCH/arm
 
 WORKDIR /work
 
-COPY --from=build /artifacts/nvidia-ctk-installer /work/nvidia-ctk-installer
-RUN ln -s nvidia-ctk-installer nvidia-toolkit
+COPY --from=build /artifacts/bin /work
 
 ENV PATH=/work:$PATH
 
-ARG VERSION
 LABEL io.k8s.display-name="NVIDIA Container Runtime Config"
 LABEL name="NVIDIA Container Runtime Config"
 LABEL vendor="NVIDIA"
@@ -87,4 +85,4 @@ LABEL description="See summary"
 
 RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
 
-ENTRYPOINT ["/work/nvidia-ctk-installer"]
+ENTRYPOINT ["/work/nvidia-toolkit"]

deployments/container/Dockerfile.ubuntu

@@ -15,7 +15,7 @@
 ARG GOLANG_VERSION=x.x.x
 ARG VERSION="N/A"
 
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubuntu20.04 AS build
+FROM nvidia/cuda:12.9.1-base-ubuntu20.04 as build
 
 RUN apt-get update && \
     apt-get install -y wget make git gcc \
@@ -35,18 +35,19 @@ RUN set -eux; \
     wget -nv -O - https://storage.googleapis.com/golang/go${GOLANG_VERSION}.linux-${ARCH}.tar.gz \
     | tar -C /usr/local -xz
 
-ENV GOPATH=/go
-ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
 
 WORKDIR /build
 COPY . .
 
-RUN mkdir /artifacts
-ARG VERSION="N/A"
-ARG GIT_COMMIT="unknown"
-RUN make PREFIX=/artifacts cmd-nvidia-ctk-installer
+# NOTE: Until the config utilities are properly integrated into the
+# nvidia-container-toolkit repository, these are built from the `tools` folder
+# and not `cmd`.
+RUN GOPATH=/artifacts go install -ldflags="-s -w -X 'main.Version=${VERSION}'" ./tools/...
 
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubuntu20.04
+
+FROM nvcr.io/nvidia/cuda:12.9.1-base-ubuntu20.04
 
 # Remove the CUDA repository configurations to avoid issues with rotated GPG keys
 RUN rm -f /etc/apt/sources.list.d/cuda.list
@@ -70,7 +71,7 @@ WORKDIR /artifacts/packages
 
 ARG PACKAGE_VERSION
 ARG TARGETARCH
-ENV PACKAGE_ARCH=${TARGETARCH}
+ENV PACKAGE_ARCH ${TARGETARCH}
 
 RUN dpkg -i \
     ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container1_1.*.deb \
@@ -79,12 +80,10 @@ RUN dpkg -i \
 
 WORKDIR /work
 
-COPY --from=build /artifacts/nvidia-ctk-installer /work/nvidia-ctk-installer
-RUN ln -s nvidia-ctk-installer nvidia-toolkit
+COPY --from=build /artifacts/bin /work/
 
 ENV PATH=/work:$PATH
 
-ARG VERSION
 LABEL io.k8s.display-name="NVIDIA Container Runtime Config"
 LABEL name="NVIDIA Container Runtime Config"
 LABEL vendor="NVIDIA"
@@ -95,4 +94,4 @@ LABEL description="See summary"
 
 RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
 
-ENTRYPOINT ["/work/nvidia-ctk-installer"]
+ENTRYPOINT ["/work/nvidia-toolkit"]

deployments/devel/Dockerfile

@@ -14,7 +14,7 @@
 
 # This Dockerfile is also used to define the golang version used in this project
 # This allows dependabot to manage this version in addition to other images.
-FROM golang:1.24.4
+FROM golang:1.23.10
 
 WORKDIR /work
 COPY * .

deployments/devel/go.mod

@@ -1,61 +1,60 @@
 module github.com/NVIDIA/k8s-device-plugin/deployments/devel
 
-go 1.24
+go 1.23
 
-toolchain go1.24.0
+toolchain go1.23.1
 
 require (
-	github.com/golangci/golangci-lint v1.64.7
-	github.com/matryer/moq v0.5.3
+	github.com/golangci/golangci-lint v1.61.0
+	github.com/matryer/moq v0.5.0
 )
 
 require (
-	4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
-	4d63.com/gochecknoglobals v0.2.2 // indirect
-	github.com/4meepo/tagalign v1.4.2 // indirect
-	github.com/Abirdcfly/dupword v0.1.3 // indirect
-	github.com/Antonboom/errname v1.0.0 // indirect
-	github.com/Antonboom/nilnil v1.0.1 // indirect
-	github.com/Antonboom/testifylint v1.5.2 // indirect
+	4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
+	4d63.com/gochecknoglobals v0.2.1 // indirect
+	github.com/4meepo/tagalign v1.3.4 // indirect
+	github.com/Abirdcfly/dupword v0.1.1 // indirect
+	github.com/Antonboom/errname v0.1.13 // indirect
+	github.com/Antonboom/nilnil v0.1.9 // indirect
+	github.com/Antonboom/testifylint v1.4.3 // indirect
 	github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect
-	github.com/Crocmagnon/fatcontext v0.7.1 // indirect
+	github.com/Crocmagnon/fatcontext v0.5.2 // indirect
 	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
-	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 // indirect
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
-	github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
-	github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
-	github.com/alexkohler/nakedret/v2 v2.0.5 // indirect
+	github.com/OpenPeeDeeP/depguard/v2 v2.2.0 // indirect
+	github.com/alecthomas/go-check-sumtype v0.1.4 // indirect
+	github.com/alexkohler/nakedret/v2 v2.0.4 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
 	github.com/alingse/asasalint v0.0.11 // indirect
-	github.com/alingse/nilnesserr v0.1.2 // indirect
 	github.com/ashanbrown/forbidigo v1.6.0 // indirect
-	github.com/ashanbrown/makezero v1.2.0 // indirect
+	github.com/ashanbrown/makezero v1.1.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bkielbasa/cyclop v1.2.3 // indirect
+	github.com/bkielbasa/cyclop v1.2.1 // indirect
 	github.com/blizzy78/varnamelen v0.8.0 // indirect
-	github.com/bombsimon/wsl/v4 v4.5.0 // indirect
-	github.com/breml/bidichk v0.3.2 // indirect
-	github.com/breml/errchkjson v0.4.0 // indirect
-	github.com/butuzov/ireturn v0.3.1 // indirect
-	github.com/butuzov/mirror v1.3.0 // indirect
-	github.com/catenacyber/perfsprint v0.8.2 // indirect
+	github.com/bombsimon/wsl/v4 v4.4.1 // indirect
+	github.com/breml/bidichk v0.2.7 // indirect
+	github.com/breml/errchkjson v0.3.6 // indirect
+	github.com/butuzov/ireturn v0.3.0 // indirect
+	github.com/butuzov/mirror v1.2.0 // indirect
+	github.com/catenacyber/perfsprint v0.7.1 // indirect
 	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/charithe/durationcheck v0.0.10 // indirect
 	github.com/chavacava/garif v0.1.0 // indirect
-	github.com/ckaznocha/intrange v0.3.0 // indirect
-	github.com/curioswitch/go-reassign v0.3.0 // indirect
+	github.com/ckaznocha/intrange v0.2.0 // indirect
+	github.com/curioswitch/go-reassign v0.2.0 // indirect
 	github.com/daixiang0/gci v0.13.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/denis-tingaikin/go-header v0.5.0 // indirect
 	github.com/ettle/strcase v0.2.0 // indirect
-	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/color v1.17.0 // indirect
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/firefart/nonamedreturns v1.0.5 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/fzipp/gocyclo v0.6.0 // indirect
-	github.com/ghostiam/protogetter v0.3.9 // indirect
-	github.com/go-critic/go-critic v0.12.0 // indirect
+	github.com/ghostiam/protogetter v0.3.6 // indirect
+	github.com/go-critic/go-critic v0.11.4 // indirect
 	github.com/go-toolsmith/astcast v1.1.0 // indirect
 	github.com/go-toolsmith/astcopy v1.1.0 // indirect
 	github.com/go-toolsmith/astequal v1.2.0 // indirect
@@ -63,68 +62,66 @@ require (
 	github.com/go-toolsmith/astp v1.1.0 // indirect
 	github.com/go-toolsmith/strparse v1.1.0 // indirect
 	github.com/go-toolsmith/typep v1.1.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
-	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
+	github.com/go-viper/mapstructure/v2 v2.1.0 // indirect
+	github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
-	github.com/golangci/go-printf-func-name v0.1.0 // indirect
-	github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
+	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
+	github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 // indirect
 	github.com/golangci/misspell v0.6.0 // indirect
+	github.com/golangci/modinfo v0.3.4 // indirect
 	github.com/golangci/plugin-module-register v0.1.1 // indirect
-	github.com/golangci/revgrep v0.8.0 // indirect
+	github.com/golangci/revgrep v0.5.3 // indirect
 	github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/gordonklaus/ineffassign v0.1.0 // indirect
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
-	github.com/gostaticanalysis/comment v1.5.0 // indirect
-	github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
+	github.com/gostaticanalysis/comment v1.4.2 // indirect
+	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
 	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
-	github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hexops/gotextdiff v1.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jgautheron/goconst v1.7.1 // indirect
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
-	github.com/jjti/go-spancheck v0.6.4 // indirect
-	github.com/julz/importas v0.2.0 // indirect
-	github.com/karamaru-alpha/copyloopvar v1.2.1 // indirect
-	github.com/kisielk/errcheck v1.9.0 // indirect
-	github.com/kkHAIKE/contextcheck v1.1.6 // indirect
+	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
+	github.com/jjti/go-spancheck v0.6.2 // indirect
+	github.com/julz/importas v0.1.0 // indirect
+	github.com/karamaru-alpha/copyloopvar v1.1.0 // indirect
+	github.com/kisielk/errcheck v1.7.0 // indirect
+	github.com/kkHAIKE/contextcheck v1.1.5 // indirect
 	github.com/kulti/thelper v0.6.3 // indirect
 	github.com/kunwardeep/paralleltest v1.0.10 // indirect
-	github.com/lasiar/canonicalheader v1.1.2 // indirect
-	github.com/ldez/exptostd v0.4.2 // indirect
-	github.com/ldez/gomoddirectives v0.6.1 // indirect
-	github.com/ldez/grignotin v0.9.0 // indirect
-	github.com/ldez/tagliatelle v0.7.1 // indirect
-	github.com/ldez/usetesting v0.4.2 // indirect
+	github.com/kyoh86/exportloopref v0.1.11 // indirect
+	github.com/lasiar/canonicalheader v1.1.1 // indirect
+	github.com/ldez/gomoddirectives v0.2.4 // indirect
+	github.com/ldez/tagliatelle v0.5.0 // indirect
 	github.com/leonklingele/grouper v1.1.2 // indirect
+	github.com/lufeee/execinquery v1.2.1 // indirect
 	github.com/macabu/inamedparam v0.1.3 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/maratori/testableexamples v1.0.0 // indirect
 	github.com/maratori/testpackage v1.1.1 // indirect
-	github.com/matoous/godox v1.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/mgechev/revive v1.7.0 // indirect
+	github.com/mgechev/revive v1.3.9 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moricho/tparallel v0.3.2 // indirect
 	github.com/nakabonne/nestif v0.3.1 // indirect
 	github.com/nishanths/exhaustive v0.12.0 // indirect
 	github.com/nishanths/predeclared v0.2.2 // indirect
-	github.com/nunnatsa/ginkgolinter v0.19.1 // indirect
+	github.com/nunnatsa/ginkgolinter v0.16.2 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/polyfloyd/go-errorlint v1.7.1 // indirect
+	github.com/polyfloyd/go-errorlint v1.6.0 // indirect
 	github.com/prometheus/client_golang v1.12.1 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
@@ -134,64 +131,62 @@ require (
 	github.com/quasilyte/gogrep v0.5.0 // indirect
 	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
 	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
-	github.com/raeperd/recvcheck v0.2.0 // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/ryancurrah/gomodguard v1.3.5 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
-	github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
-	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect
+	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
-	github.com/sashamelentyev/usestdlibvars v1.28.0 // indirect
-	github.com/securego/gosec/v2 v2.22.2 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.27.0 // indirect
+	github.com/securego/gosec/v2 v2.21.2 // indirect
+	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sivchari/containedctx v1.0.3 // indirect
-	github.com/sivchari/tenv v1.12.1 // indirect
-	github.com/sonatard/noctx v0.1.0 // indirect
+	github.com/sivchari/tenv v1.10.0 // indirect
+	github.com/sonatard/noctx v0.0.2 // indirect
 	github.com/sourcegraph/go-diff v0.7.0 // indirect
-	github.com/spf13/afero v1.12.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.12.0 // indirect
 	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
-	github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
+	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/stretchr/testify v1.10.0 // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
 	github.com/subosito/gotenv v1.4.1 // indirect
-	github.com/tdakkota/asciicheck v0.4.1 // indirect
-	github.com/tetafro/godot v1.5.0 // indirect
-	github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3 // indirect
-	github.com/timonwong/loggercheck v0.10.1 // indirect
-	github.com/tomarrell/wrapcheck/v2 v2.10.0 // indirect
+	github.com/tdakkota/asciicheck v0.2.0 // indirect
+	github.com/tetafro/godot v1.4.17 // indirect
+	github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect
+	github.com/timonwong/loggercheck v0.9.4 // indirect
+	github.com/tomarrell/wrapcheck/v2 v2.9.0 // indirect
 	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
-	github.com/ultraware/funlen v0.2.0 // indirect
-	github.com/ultraware/whitespace v0.2.0 // indirect
-	github.com/uudashr/gocognit v1.2.0 // indirect
-	github.com/uudashr/iface v1.3.1 // indirect
+	github.com/ultraware/funlen v0.1.0 // indirect
+	github.com/ultraware/whitespace v0.1.1 // indirect
+	github.com/uudashr/gocognit v1.1.3 // indirect
 	github.com/xen0n/gosmopolitan v1.2.2 // indirect
 	github.com/yagipy/maintidx v1.0.0 // indirect
 	github.com/yeya24/promlinter v0.3.0 // indirect
 	github.com/ykadowak/zerologlint v0.1.5 // indirect
 	gitlab.com/bosi/decorder v0.4.2 // indirect
-	go-simpler.org/musttag v0.13.0 // indirect
-	go-simpler.org/sloglint v0.9.0 // indirect
+	go-simpler.org/musttag v0.12.2 // indirect
+	go-simpler.org/sloglint v0.7.2 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/automaxprocs v1.5.3 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
-	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
-	golang.org/x/tools v0.31.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // indirect
+	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/tools v0.24.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	honnef.co/go/tools v0.6.1 // indirect
+	honnef.co/go/tools v0.5.1 // indirect
 	mvdan.cc/gofumpt v0.7.0 // indirect
 	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
 )

deployments/devel/go.sum

@@ -1,7 +1,7 @@
-4d63.com/gocheckcompilerdirectives v1.3.0 h1:Ew5y5CtcAAQeTVKUVFrE7EwHMrTO6BggtEj8BZSjZ3A=
-4d63.com/gocheckcompilerdirectives v1.3.0/go.mod h1:ofsJ4zx2QAuIP/NO/NAh1ig6R1Fb18/GI7RVMwz7kAY=
-4d63.com/gochecknoglobals v0.2.2 h1:H1vdnwnMaZdQW/N+NrkT1SZMTBmcwHe9Vq8lJcYYTtU=
-4d63.com/gochecknoglobals v0.2.2/go.mod h1:lLxwTQjL5eIesRbvnzIP3jZtG140FnTdz+AlMa+ogt0=
+4d63.com/gocheckcompilerdirectives v1.2.1 h1:AHcMYuw56NPjq/2y615IGg2kYkBdTvOaojYCBcRE7MA=
+4d63.com/gocheckcompilerdirectives v1.2.1/go.mod h1:yjDJSxmDTtIHHCqX0ufRYZDL6vQtMG7tJdKVeWwsqvs=
+4d63.com/gochecknoglobals v0.2.1 h1:1eiorGsgHOFOuoOiJDy2psSrQbRdIHrlge0IJIkUgDc=
+4d63.com/gochecknoglobals v0.2.1/go.mod h1:KRE8wtJB3CXCsb1xy421JfTHIIbmT3U5ruxw2Qu8fSU=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -35,82 +35,79 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/4meepo/tagalign v1.4.2 h1:0hcLHPGMjDyM1gHG58cS73aQF8J4TdVR96TZViorO9E=
-github.com/4meepo/tagalign v1.4.2/go.mod h1:+p4aMyFM+ra7nb41CnFG6aSDXqRxU/w1VQqScKqDARI=
-github.com/Abirdcfly/dupword v0.1.3 h1:9Pa1NuAsZvpFPi9Pqkd93I7LIYRURj+A//dFd5tgBeE=
-github.com/Abirdcfly/dupword v0.1.3/go.mod h1:8VbB2t7e10KRNdwTVoxdBaxla6avbhGzb8sCTygUMhw=
-github.com/Antonboom/errname v1.0.0 h1:oJOOWR07vS1kRusl6YRSlat7HFnb3mSfMl6sDMRoTBA=
-github.com/Antonboom/errname v1.0.0/go.mod h1:gMOBFzK/vrTiXN9Oh+HFs+e6Ndl0eTFbtsRTSRdXyGI=
-github.com/Antonboom/nilnil v1.0.1 h1:C3Tkm0KUxgfO4Duk3PM+ztPncTFlOf0b2qadmS0s4xs=
-github.com/Antonboom/nilnil v1.0.1/go.mod h1:CH7pW2JsRNFgEh8B2UaPZTEPhCMuFowP/e8Udp9Nnb0=
-github.com/Antonboom/testifylint v1.5.2 h1:4s3Xhuv5AvdIgbd8wOOEeo0uZG7PbDKQyKY5lGoQazk=
-github.com/Antonboom/testifylint v1.5.2/go.mod h1:vxy8VJ0bc6NavlYqjZfmp6EfqXMtBgQ4+mhCojwC1P8=
+github.com/4meepo/tagalign v1.3.4 h1:P51VcvBnf04YkHzjfclN6BbsopfJR5rxs1n+5zHt+w8=
+github.com/4meepo/tagalign v1.3.4/go.mod h1:M+pnkHH2vG8+qhE5bVc/zeP7HS/j910Fwa9TUSyZVI0=
+github.com/Abirdcfly/dupword v0.1.1 h1:Bsxe0fIw6OwBtXMIncaTxCLHYO5BB+3mcsR5E8VXloY=
+github.com/Abirdcfly/dupword v0.1.1/go.mod h1:B49AcJdTYYkpd4HjgAcutNGG9HZ2JWwKunH9Y2BA6sM=
+github.com/Antonboom/errname v0.1.13 h1:JHICqsewj/fNckzrfVSe+T33svwQxmjC+1ntDsHOVvM=
+github.com/Antonboom/errname v0.1.13/go.mod h1:uWyefRYRN54lBg6HseYCFhs6Qjcy41Y3Jl/dVhA87Ns=
+github.com/Antonboom/nilnil v0.1.9 h1:eKFMejSxPSA9eLSensFmjW2XTgTwJMjZ8hUHtV4s/SQ=
+github.com/Antonboom/nilnil v0.1.9/go.mod h1:iGe2rYwCq5/Me1khrysB4nwI7swQvjclR8/YRPl5ihQ=
+github.com/Antonboom/testifylint v1.4.3 h1:ohMt6AHuHgttaQ1xb6SSnxCeK4/rnK7KKzbvs7DmEck=
+github.com/Antonboom/testifylint v1.4.3/go.mod h1:+8Q9+AOLsz5ZiQiiYujJKs9mNz398+M6UgslP4qgJLA=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs=
 github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Crocmagnon/fatcontext v0.7.1 h1:SC/VIbRRZQeQWj/TcQBS6JmrXcfA+BU4OGSVUt54PjM=
-github.com/Crocmagnon/fatcontext v0.7.1/go.mod h1:1wMvv3NXEBJucFGfwOJBxSVWcoIO6emV215SMkW9MFU=
+github.com/Crocmagnon/fatcontext v0.5.2 h1:vhSEg8Gqng8awhPju2w7MKHqMlg4/NI+gSDHtR3xgwA=
+github.com/Crocmagnon/fatcontext v0.5.2/go.mod h1:87XhRMaInHP44Q7Tlc7jkgKKB7kZAOPiDkFMdKCC+74=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
-github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 h1:Sz1JIXEcSfhz7fUi7xHnhpIE0thVASYjvosApmHuD2k=
-github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1/go.mod h1:n/LSCXNuIYqVfBlVXyHfMQkZDdp1/mmxfSjADd3z1Zg=
+github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 h1:/fTUt5vmbkAcMBt4YQiuC23cV0kEsN1MVMNqeOW43cU=
+github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0/go.mod h1:ONJg5sxcbsdQQ4pOW8TGdTidT2TMAUy/2Xhr8mrYaao=
 github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
 github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
-github.com/OpenPeeDeeP/depguard/v2 v2.2.1 h1:vckeWVESWp6Qog7UZSARNqfu/cZqvki8zsuj3piCMx4=
-github.com/OpenPeeDeeP/depguard/v2 v2.2.1/go.mod h1:q4DKzC4UcVaAvcfd41CZh0PWpGgzrVxUYBlgKNGquUo=
-github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
-github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
-github.com/alecthomas/go-check-sumtype v0.3.1 h1:u9aUvbGINJxLVXiFvHUlPEaD7VDULsrxJb4Aq31NLkU=
-github.com/alecthomas/go-check-sumtype v0.3.1/go.mod h1:A8TSiN3UPRw3laIgWEUOHHLPa6/r9MtoigdlP5h3K/E=
-github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=
-github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
+github.com/OpenPeeDeeP/depguard/v2 v2.2.0 h1:vDfG60vDtIuf0MEOhmLlLLSzqaRM8EMcgJPdp74zmpA=
+github.com/OpenPeeDeeP/depguard/v2 v2.2.0/go.mod h1:CIzddKRvLBC4Au5aYP/i3nyaWQ+ClszLIuVocRiCYFQ=
+github.com/alecthomas/assert/v2 v2.2.2 h1:Z/iVC0xZfWTaFNE6bA3z07T86hd45Xe2eLt6WVy2bbk=
+github.com/alecthomas/assert/v2 v2.2.2/go.mod h1:pXcQ2Asjp247dahGEmsZ6ru0UVwnkhktn7S0bBDLxvQ=
+github.com/alecthomas/go-check-sumtype v0.1.4 h1:WCvlB3l5Vq5dZQTFmodqL2g68uHiSwwlWcT5a2FGK0c=
+github.com/alecthomas/go-check-sumtype v0.1.4/go.mod h1:WyYPfhfkdhyrdaligV6svFopZV8Lqdzn5pyVBaV6jhQ=
+github.com/alecthomas/repr v0.2.0 h1:HAzS41CIzNW5syS8Mf9UwXhNH1J9aix/BvDRf1Ml2Yk=
+github.com/alecthomas/repr v0.2.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/alexkohler/nakedret/v2 v2.0.5 h1:fP5qLgtwbx9EJE8dGEERT02YwS8En4r9nnZ71RK+EVU=
-github.com/alexkohler/nakedret/v2 v2.0.5/go.mod h1:bF5i0zF2Wo2o4X4USt9ntUWve6JbFv02Ff4vlkmS/VU=
+github.com/alexkohler/nakedret/v2 v2.0.4 h1:yZuKmjqGi0pSmjGpOC016LtPJysIL0WEUiaXW5SUnNg=
+github.com/alexkohler/nakedret/v2 v2.0.4/go.mod h1:bF5i0zF2Wo2o4X4USt9ntUWve6JbFv02Ff4vlkmS/VU=
 github.com/alexkohler/prealloc v1.0.0 h1:Hbq0/3fJPQhNkN0dR95AVrr6R7tou91y0uHG5pOcUuw=
 github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE=
 github.com/alingse/asasalint v0.0.11 h1:SFwnQXJ49Kx/1GghOFz1XGqHYKp21Kq1nHad/0WQRnw=
 github.com/alingse/asasalint v0.0.11/go.mod h1:nCaoMhw7a9kSJObvQyVzNTPBDbNpdocqrSP7t/cW5+I=
-github.com/alingse/nilnesserr v0.1.2 h1:Yf8Iwm3z2hUUrP4muWfW83DF4nE3r1xZ26fGWUKCZlo=
-github.com/alingse/nilnesserr v0.1.2/go.mod h1:1xJPrXonEtX7wyTq8Dytns5P2hNzoWymVUIaKm4HNFg=
 github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8gerOIVIY=
 github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
-github.com/ashanbrown/makezero v1.2.0 h1:/2Lp1bypdmK9wDIq7uWBlDF1iMUpIIS4A+pF6C9IEUU=
-github.com/ashanbrown/makezero v1.2.0/go.mod h1:dxlPhHbDMC6N6xICzFBSK+4njQDdK8euNO0qjQMtGY4=
+github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s=
+github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bkielbasa/cyclop v1.2.3 h1:faIVMIGDIANuGPWH031CZJTi2ymOQBULs9H21HSMa5w=
-github.com/bkielbasa/cyclop v1.2.3/go.mod h1:kHTwA9Q0uZqOADdupvcFJQtp/ksSnytRMe8ztxG8Fuo=
+github.com/bkielbasa/cyclop v1.2.1 h1:AeF71HZDob1P2/pRm1so9cd1alZnrpyc4q2uP2l0gJY=
+github.com/bkielbasa/cyclop v1.2.1/go.mod h1:K/dT/M0FPAiYjBgQGau7tz+3TMh4FWAEqlMhzFWCrgM=
 github.com/blizzy78/varnamelen v0.8.0 h1:oqSblyuQvFsW1hbBHh1zfwrKe3kcSj0rnXkKzsQ089M=
 github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k=
-github.com/bombsimon/wsl/v4 v4.5.0 h1:iZRsEvDdyhd2La0FVi5k6tYehpOR/R7qIUjmKk7N74A=
-github.com/bombsimon/wsl/v4 v4.5.0/go.mod h1:NOQ3aLF4nD7N5YPXMruR6ZXDOAqLoM0GEpLwTdvmOSc=
-github.com/breml/bidichk v0.3.2 h1:xV4flJ9V5xWTqxL+/PMFF6dtJPvZLPsyixAoPe8BGJs=
-github.com/breml/bidichk v0.3.2/go.mod h1:VzFLBxuYtT23z5+iVkamXO386OB+/sVwZOpIj6zXGos=
-github.com/breml/errchkjson v0.4.0 h1:gftf6uWZMtIa/Is3XJgibewBm2ksAQSY/kABDNFTAdk=
-github.com/breml/errchkjson v0.4.0/go.mod h1:AuBOSTHyLSaaAFlWsRSuRBIroCh3eh7ZHh5YeelDIk8=
-github.com/butuzov/ireturn v0.3.1 h1:mFgbEI6m+9W8oP/oDdfA34dLisRFCj2G6o/yiI1yZrY=
-github.com/butuzov/ireturn v0.3.1/go.mod h1:ZfRp+E7eJLC0NQmk1Nrm1LOrn/gQlOykv+cVPdiXH5M=
-github.com/butuzov/mirror v1.3.0 h1:HdWCXzmwlQHdVhwvsfBb2Au0r3HyINry3bDWLYXiKoc=
-github.com/butuzov/mirror v1.3.0/go.mod h1:AEij0Z8YMALaq4yQj9CPPVYOyJQyiexpQEQgihajRfI=
-github.com/catenacyber/perfsprint v0.8.2 h1:+o9zVmCSVa7M4MvabsWvESEhpsMkhfE7k0sHNGL95yw=
-github.com/catenacyber/perfsprint v0.8.2/go.mod h1:q//VWC2fWbcdSLEY1R3l8n0zQCDPdE4IjZwyY1HMunM=
+github.com/bombsimon/wsl/v4 v4.4.1 h1:jfUaCkN+aUpobrMO24zwyAMwMAV5eSziCkOKEauOLdw=
+github.com/bombsimon/wsl/v4 v4.4.1/go.mod h1:Xu/kDxGZTofQcDGCtQe9KCzhHphIe0fDuyWTxER9Feo=
+github.com/breml/bidichk v0.2.7 h1:dAkKQPLl/Qrk7hnP6P+E0xOodrq8Us7+U0o4UBOAlQY=
+github.com/breml/bidichk v0.2.7/go.mod h1:YodjipAGI9fGcYM7II6wFvGhdMYsC5pHDlGzqvEW3tQ=
+github.com/breml/errchkjson v0.3.6 h1:VLhVkqSBH96AvXEyclMR37rZslRrY2kcyq+31HCsVrA=
+github.com/breml/errchkjson v0.3.6/go.mod h1:jhSDoFheAF2RSDOlCfhHO9KqhZgAYLyvHe7bRCX8f/U=
+github.com/butuzov/ireturn v0.3.0 h1:hTjMqWw3y5JC3kpnC5vXmFJAWI/m31jaCYQqzkS6PL0=
+github.com/butuzov/ireturn v0.3.0/go.mod h1:A09nIiwiqzN/IoVo9ogpa0Hzi9fex1kd9PSD6edP5ZA=
+github.com/butuzov/mirror v1.2.0 h1:9YVK1qIjNspaqWutSv8gsge2e/Xpq1eqEkslEUHy5cs=
+github.com/butuzov/mirror v1.2.0/go.mod h1:DqZZDtzm42wIAIyHXeN8W/qb1EPlb9Qn/if9icBOpdQ=
+github.com/catenacyber/perfsprint v0.7.1 h1:PGW5G/Kxn+YrN04cRAZKC+ZuvlVwolYMrIyyTJ/rMmc=
+github.com/catenacyber/perfsprint v0.7.1/go.mod h1:/wclWYompEyjUD2FuIIDVKNkqz7IgBIWXIH3V0Zol50=
 github.com/ccojocar/zxcvbn-go v1.0.2 h1:na/czXU8RrhXO4EZme6eQJLR4PzcGsahsBOAwU6I3Vg=
 github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charithe/durationcheck v0.0.10 h1:wgw73BiocdBDQPik+zcEoBG/ob8uyBHf2iyoHGPf5w4=
 github.com/charithe/durationcheck v0.0.10/go.mod h1:bCWXb7gYRysD1CU3C+u4ceO49LoGOY1C1L6uouGNreQ=
 github.com/chavacava/garif v0.1.0 h1:2JHa3hbYf5D9dsgseMKAmc/MZ109otzgNFk5s87H9Pc=
@@ -118,13 +115,13 @@ github.com/chavacava/garif v0.1.0/go.mod h1:XMyYCkEL58DF0oyW4qDjjnPWONs2HBqYKI+U
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/ckaznocha/intrange v0.3.0 h1:VqnxtK32pxgkhJgYQEeOArVidIPg+ahLP7WBOXZd5ZY=
-github.com/ckaznocha/intrange v0.3.0/go.mod h1:+I/o2d2A1FBHgGELbGxzIcyd3/9l9DuwjM8FsbSS3Lo=
+github.com/ckaznocha/intrange v0.2.0 h1:FykcZuJ8BD7oX93YbO1UY9oZtkRbp+1/kJcDjkefYLs=
+github.com/ckaznocha/intrange v0.2.0/go.mod h1:r5I7nUlAAG56xmkOpw4XVr16BXhwYTUdcuRFeevn1oE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs=
-github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/curioswitch/go-reassign v0.2.0 h1:G9UZyOcpk/d7Gd6mqYgd8XYWFMw/znxwGDUstnC9DIo=
+github.com/curioswitch/go-reassign v0.2.0/go.mod h1:x6OpXuWvgfQaMGks2BZybTngWjT84hqJfKoO8Tt/Roc=
 github.com/daixiang0/gci v0.13.5 h1:kThgmH1yBmZSBCh1EJVxQ7JsHpm5Oms0AMed/0LaH4c=
 github.com/daixiang0/gci v0.13.5/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -132,16 +129,14 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/denis-tingaikin/go-header v0.5.0 h1:SRdnP5ZKvcO9KKRP1KJrhFR3RrlGuD+42t4429eC9k8=
 github.com/denis-tingaikin/go-header v0.5.0/go.mod h1:mMenU5bWrok6Wl2UsZjy+1okegmwQ3UgWl4V1D8gjlY=
-github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
-github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/ettle/strcase v0.2.0 h1:fGNiVF21fHXpX1niBgk0aROov1LagYsOwV/xqKDKR/Q=
 github.com/ettle/strcase v0.2.0/go.mod h1:DajmHElDSaX76ITe3/VHVyMin4LWSJN5Z909Wp+ED1A=
-github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
+github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
 github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/firefart/nonamedreturns v1.0.5 h1:tM+Me2ZaXs8tfdDw3X6DOX++wMCOqzYUho6tUTYIdRA=
@@ -152,10 +147,10 @@ github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwV
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo=
 github.com/fzipp/gocyclo v0.6.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA=
-github.com/ghostiam/protogetter v0.3.9 h1:j+zlLLWzqLay22Cz/aYwTHKQ88GE2DQ6GkWSYFOI4lQ=
-github.com/ghostiam/protogetter v0.3.9/go.mod h1:WZ0nw9pfzsgxuRsPOFQomgDVSWtDLJRfQJEhsGbmQMA=
-github.com/go-critic/go-critic v0.12.0 h1:iLosHZuye812wnkEz1Xu3aBwn5ocCPfc9yqmFG9pa6w=
-github.com/go-critic/go-critic v0.12.0/go.mod h1:DpE0P6OVc6JzVYzmM5gq5jMU31zLr4am5mB/VfFK64w=
+github.com/ghostiam/protogetter v0.3.6 h1:R7qEWaSgFCsy20yYHNIJsU9ZOb8TziSRRxuAOTVKeOk=
+github.com/ghostiam/protogetter v0.3.6/go.mod h1:7lpeDnEJ1ZjL/YtyoN99ljO4z0pd3H0d18/t2dPBxHw=
+github.com/go-critic/go-critic v0.11.4 h1:O7kGOCx0NDIni4czrkRIXTnit0mkyKOCePh3My6OyEU=
+github.com/go-critic/go-critic v0.11.4/go.mod h1:2QAdo4iuLik5S9YG0rT4wcZ8QxwHYkrr6/2MWAiv/vc=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -191,10 +186,10 @@ github.com/go-toolsmith/strparse v1.1.0 h1:GAioeZUK9TGxnLS+qfdqNbA4z0SSm5zVNtCQi
 github.com/go-toolsmith/strparse v1.1.0/go.mod h1:7ksGy58fsaQkGQlY8WVoBFNyEPMGuJin1rfoPS4lBSQ=
 github.com/go-toolsmith/typep v1.1.0 h1:fIRYDyF+JywLfqzyhdiHzRop/GQDxxNhLGQ6gFUNHus=
 github.com/go-toolsmith/typep v1.1.0/go.mod h1:fVIw+7zjdsMxDA3ITWnH1yOiw1rnTQKCsF/sk2H/qig=
-github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
-github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-xmlfmt/xmlfmt v1.1.3 h1:t8Ey3Uy7jDSEisW2K3somuMKIpzktkWptA0iFCnRUWY=
-github.com/go-xmlfmt/xmlfmt v1.1.3/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
+github.com/go-viper/mapstructure/v2 v2.1.0 h1:gHnMa2Y/pIxElCH2GlZZ1lZSsn6XMtufpGyP1XxdC/w=
+github.com/go-viper/mapstructure/v2 v2.1.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-xmlfmt/xmlfmt v1.1.2 h1:Nea7b4icn8s57fTx1M5AI4qQT5HEM3rVUO8MuE6g80U=
+github.com/go-xmlfmt/xmlfmt v1.1.2/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
@@ -229,20 +224,20 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 h1:WUvBfQL6EW/40l6OmeSBYQJNSif4O11+bmWEz+C7FYw=
-github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32/go.mod h1:NUw9Zr2Sy7+HxzdjIULge71wI6yEg1lWQr7Evcu8K0E=
-github.com/golangci/go-printf-func-name v0.1.0 h1:dVokQP+NMTO7jwO4bwsRwLWeudOVUPPyAKJuzv8pEJU=
-github.com/golangci/go-printf-func-name v0.1.0/go.mod h1:wqhWFH5mUdJQhweRnldEywnR5021wTdZSNgwYceV14s=
-github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d h1:viFft9sS/dxoYY0aiOTsLKO2aZQAPT4nlQCsimGcSGE=
-github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d/go.mod h1:ivJ9QDg0XucIkmwhzCDsqcnxxlDStoTl89jDMIoNxKY=
-github.com/golangci/golangci-lint v1.64.7 h1:Xk1EyxoXqZabn5b4vnjNKSjCx1whBK53NP+mzLfX7HA=
-github.com/golangci/golangci-lint v1.64.7/go.mod h1:5cEsUQBSr6zi8XI8OjmcY2Xmliqc4iYL7YoPrL+zLJ4=
+github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9uMCefW1WDie15eSP/4MssdenaM=
+github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk=
+github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 h1:/1322Qns6BtQxUZDTAT4SdcoxknUki7IAoK4SAXr8ME=
+github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9/go.mod h1:Oesb/0uFAyWoaw1U1qS5zyjCg5NP9C9iwjnI4tIsXEE=
+github.com/golangci/golangci-lint v1.61.0 h1:VvbOLaRVWmyxCnUIMTbf1kDsaJbTzH20FAMXTAlQGu8=
+github.com/golangci/golangci-lint v1.61.0/go.mod h1:e4lztIrJJgLPhWvFPDkhiMwEFRrWlmFbrZea3FsJyN8=
 github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs=
 github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo=
+github.com/golangci/modinfo v0.3.4 h1:oU5huX3fbxqQXdfspamej74DFX0kyGLkw1ppvXoJ8GA=
+github.com/golangci/modinfo v0.3.4/go.mod h1:wytF1M5xl9u0ij8YSvhkEVPP3M5Mc7XLl1pxH3B2aUM=
 github.com/golangci/plugin-module-register v0.1.1 h1:TCmesur25LnyJkpsVrupv1Cdzo+2f7zX0H6Jkw1Ol6c=
 github.com/golangci/plugin-module-register v0.1.1/go.mod h1:TTpqoB6KkwOJMV8u7+NyXMrkwwESJLOkfl9TxR1DGFc=
-github.com/golangci/revgrep v0.8.0 h1:EZBctwbVd0aMeRnNUsFogoyayvKHyxlV3CdUA46FX2s=
-github.com/golangci/revgrep v0.8.0/go.mod h1:U4R/s9dlXZsg8uJmaR1GrloUr14D7qDl8gi2iPXJH8k=
+github.com/golangci/revgrep v0.5.3 h1:3tL7c1XBMtWHHqVpS5ChmiAAoe4PF/d5+ULzV9sLAzs=
+github.com/golangci/revgrep v0.5.3/go.mod h1:U4R/s9dlXZsg8uJmaR1GrloUr14D7qDl8gi2iPXJH8k=
 github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed h1:IURFTjxeTfNFP0hTEi1YKjB/ub8zkpaOqFFMApi2EAs=
 github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed/go.mod h1:XLXN8bNw4CGRPaqgl3bv/lhz7bsGPh4/xSaMTbo2vkQ=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@@ -259,8 +254,8 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -271,8 +266,8 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/ZoQgRgVIWFJljSWa/zetS2WTvg=
-github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA=
+github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
@@ -281,27 +276,20 @@ github.com/gordonklaus/ineffassign v0.1.0/go.mod h1:Qcp2HIAYhR7mNUVSIxZww3Guk4it
 github.com/gostaticanalysis/analysisutil v0.7.1 h1:ZMCjoue3DtDWQ5WyU16YbjbQEQ3VuzwxALrpYd+HeKk=
 github.com/gostaticanalysis/analysisutil v0.7.1/go.mod h1:v21E3hY37WKMGSnbsw2S/ojApNWb6C1//mXO48CXbVc=
 github.com/gostaticanalysis/comment v1.4.1/go.mod h1:ih6ZxzTHLdadaiSnF5WY3dxUoXfXAlTaRzuaNDlSado=
+github.com/gostaticanalysis/comment v1.4.2 h1:hlnx5+S2fY9Zo9ePo4AhgYsYHbM2+eAv8m/s1JiCd6Q=
 github.com/gostaticanalysis/comment v1.4.2/go.mod h1:KLUTGDv6HOCotCH8h2erHKmpci2ZoR8VPu34YA2uzdM=
-github.com/gostaticanalysis/comment v1.5.0 h1:X82FLl+TswsUMpMh17srGRuKaaXprTaytmEpgnKIDu8=
-github.com/gostaticanalysis/comment v1.5.0/go.mod h1:V6eb3gpCv9GNVqb6amXzEUX3jXLVK/AdA+IrAMSqvEc=
-github.com/gostaticanalysis/forcetypeassert v0.2.0 h1:uSnWrrUEYDr86OCxWa4/Tp2jeYDlogZiZHzGkWFefTk=
-github.com/gostaticanalysis/forcetypeassert v0.2.0/go.mod h1:M5iPavzE9pPqWyeiVXSFghQjljW1+l/Uke3PXHS6ILY=
+github.com/gostaticanalysis/forcetypeassert v0.1.0 h1:6eUflI3DiGusXGK6X7cCcIgVCpZ2CiZ1Q7jl6ZxNV70=
+github.com/gostaticanalysis/forcetypeassert v0.1.0/go.mod h1:qZEedyP/sY1lTGV1uJ3VhWZ2mqag3IkWsDHVbplHXak=
 github.com/gostaticanalysis/nilerr v0.1.1 h1:ThE+hJP0fEp4zWLkWHWcRyI2Od0p7DlgYG3Uqrmrcpk=
 github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A=
 github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M=
-github.com/gostaticanalysis/testutil v0.5.0 h1:Dq4wT1DdTwTGCQQv3rl3IvD5Ld0E6HiY+3Zh0sUGqw8=
-github.com/gostaticanalysis/testutil v0.5.0/go.mod h1:OLQSbuM6zw2EvCcXTz1lVq5unyoNft372msDY0nY5Hs=
-github.com/hashicorp/go-immutable-radix/v2 v2.1.0 h1:CUW5RYIcysz+D3B+l1mDeXrQ7fUvGGCwJfdASSzbrfo=
-github.com/hashicorp/go-immutable-radix/v2 v2.1.0/go.mod h1:hgdqLXA4f6NIjRVisM1TJ9aOJVNRqKZj+xDGF6m7PBw=
-github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
-github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/gostaticanalysis/testutil v0.4.0 h1:nhdCmubdmDF6VEatUNjgUZBJKWRqugoISdUv3PPQgHY=
+github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU=
 github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
-github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
@@ -313,8 +301,10 @@ github.com/jgautheron/goconst v1.7.1 h1:VpdAG7Ca7yvvJk5n8dMwQhfEZJh95kl/Hl9S1OI5
 github.com/jgautheron/goconst v1.7.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4=
 github.com/jingyugao/rowserrcheck v1.1.1 h1:zibz55j/MJtLsjP1OF4bSdgXxwL1b+Vn7Tjzq7gFzUs=
 github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c=
-github.com/jjti/go-spancheck v0.6.4 h1:Tl7gQpYf4/TMU7AT84MN83/6PutY21Nb9fuQjFTpRRc=
-github.com/jjti/go-spancheck v0.6.4/go.mod h1:yAEYdKJ2lRkDA8g7X+oKUHXOWVAXSBJRv04OhF+QUjk=
+github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af h1:KA9BjwUk7KlCh6S9EAGWBt1oExIUv9WyNCiRz5amv48=
+github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0=
+github.com/jjti/go-spancheck v0.6.2 h1:iYtoxqPMzHUPp7St+5yA8+cONdyXD3ug6KK15n7Pklk=
+github.com/jjti/go-spancheck v0.6.2/go.mod h1:+X7lvIrR5ZdUTkxFYqzJ0abr8Sb5LOo80uOhWNqIrYA=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -324,15 +314,15 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/julz/importas v0.2.0 h1:y+MJN/UdL63QbFJHws9BVC5RpA2iq0kpjrFajTGivjQ=
-github.com/julz/importas v0.2.0/go.mod h1:pThlt589EnCYtMnmhmRYY/qn9lCf/frPOK+WMx3xiJY=
-github.com/karamaru-alpha/copyloopvar v1.2.1 h1:wmZaZYIjnJ0b5UoKDjUHrikcV0zuPyyxI4SVplLd2CI=
-github.com/karamaru-alpha/copyloopvar v1.2.1/go.mod h1:nFmMlFNlClC2BPvNaHMdkirmTJxVCY0lhxBtlfOypMM=
-github.com/kisielk/errcheck v1.9.0 h1:9xt1zI9EBfcYBvdU1nVrzMzzUPUtPKs9bVSIM3TAb3M=
-github.com/kisielk/errcheck v1.9.0/go.mod h1:kQxWMMVZgIkDq7U8xtG/n2juOjbLgZtedi0D+/VL/i8=
+github.com/julz/importas v0.1.0 h1:F78HnrsjY3cR7j0etXy5+TU1Zuy7Xt08X/1aJnH5xXY=
+github.com/julz/importas v0.1.0/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0=
+github.com/karamaru-alpha/copyloopvar v1.1.0 h1:x7gNyKcC2vRBO1H2Mks5u1VxQtYvFiym7fCjIP8RPos=
+github.com/karamaru-alpha/copyloopvar v1.1.0/go.mod h1:u7CIfztblY0jZLOQZgH3oYsJzpC2A7S6u/lfgSXHy0k=
+github.com/kisielk/errcheck v1.7.0 h1:+SbscKmWJ5mOK/bO1zS60F5I9WwZDWOfRsC4RwfwRV0=
+github.com/kisielk/errcheck v1.7.0/go.mod h1:1kLL+jV4e+CFfueBmI1dSK2ADDyQnlrnrY/FqKluHJQ=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kkHAIKE/contextcheck v1.1.6 h1:7HIyRcnyzxL9Lz06NGhiKvenXq7Zw6Q0UQu/ttjfJCE=
-github.com/kkHAIKE/contextcheck v1.1.6/go.mod h1:3dDbMRNBFaq8HFXWC1JyvDSPm43CmE6IuHam8Wr0rkg=
+github.com/kkHAIKE/contextcheck v1.1.5 h1:CdnJh63tcDe53vG+RebdpdXJTc9atMgGqdx8LXxiilg=
+github.com/kkHAIKE/contextcheck v1.1.5/go.mod h1:O930cpht4xb1YQpK+1+AgoM3mFsvxr7uyFptcnWTYUA=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
@@ -347,20 +337,18 @@ github.com/kulti/thelper v0.6.3 h1:ElhKf+AlItIu+xGnI990no4cE2+XaSu1ULymV2Yulxs=
 github.com/kulti/thelper v0.6.3/go.mod h1:DsqKShOvP40epevkFrvIwkCMNYxMeTNjdWL4dqWHZ6I=
 github.com/kunwardeep/paralleltest v1.0.10 h1:wrodoaKYzS2mdNVnc4/w31YaXFtsc21PCTdvWJ/lDDs=
 github.com/kunwardeep/paralleltest v1.0.10/go.mod h1:2C7s65hONVqY7Q5Efj5aLzRCNLjw2h4eMc9EcypGjcY=
-github.com/lasiar/canonicalheader v1.1.2 h1:vZ5uqwvDbyJCnMhmFYimgMZnJMjwljN5VGY0VKbMXb4=
-github.com/lasiar/canonicalheader v1.1.2/go.mod h1:qJCeLFS0G/QlLQ506T+Fk/fWMa2VmBUiEI2cuMK4djI=
-github.com/ldez/exptostd v0.4.2 h1:l5pOzHBz8mFOlbcifTxzfyYbgEmoUqjxLFHZkjlbHXs=
-github.com/ldez/exptostd v0.4.2/go.mod h1:iZBRYaUmcW5jwCR3KROEZ1KivQQp6PHXbDPk9hqJKCQ=
-github.com/ldez/gomoddirectives v0.6.1 h1:Z+PxGAY+217f/bSGjNZr/b2KTXcyYLgiWI6geMBN2Qc=
-github.com/ldez/gomoddirectives v0.6.1/go.mod h1:cVBiu3AHR9V31em9u2kwfMKD43ayN5/XDgr+cdaFaKs=
-github.com/ldez/grignotin v0.9.0 h1:MgOEmjZIVNn6p5wPaGp/0OKWyvq42KnzAt/DAb8O4Ow=
-github.com/ldez/grignotin v0.9.0/go.mod h1:uaVTr0SoZ1KBii33c47O1M8Jp3OP3YDwhZCmzT9GHEk=
-github.com/ldez/tagliatelle v0.7.1 h1:bTgKjjc2sQcsgPiT902+aadvMjCeMHrY7ly2XKFORIk=
-github.com/ldez/tagliatelle v0.7.1/go.mod h1:3zjxUpsNB2aEZScWiZTHrAXOl1x25t3cRmzfK1mlo2I=
-github.com/ldez/usetesting v0.4.2 h1:J2WwbrFGk3wx4cZwSMiCQQ00kjGR0+tuuyW0Lqm4lwA=
-github.com/ldez/usetesting v0.4.2/go.mod h1:eEs46T3PpQ+9RgN9VjpY6qWdiw2/QmfiDeWmdZdrjIQ=
+github.com/kyoh86/exportloopref v0.1.11 h1:1Z0bcmTypkL3Q4k+IDHMWTcnCliEZcaPiIe0/ymEyhQ=
+github.com/kyoh86/exportloopref v0.1.11/go.mod h1:qkV4UF1zGl6EkF1ox8L5t9SwyeBAZ3qLMd6up458uqA=
+github.com/lasiar/canonicalheader v1.1.1 h1:wC+dY9ZfiqiPwAexUApFush/csSPXeIi4QqyxXmng8I=
+github.com/lasiar/canonicalheader v1.1.1/go.mod h1:cXkb3Dlk6XXy+8MVQnF23CYKWlyA7kfQhSw2CcZtZb0=
+github.com/ldez/gomoddirectives v0.2.4 h1:j3YjBIjEBbqZ0NKtBNzr8rtMHTOrLPeiwTkfUJZ3alg=
+github.com/ldez/gomoddirectives v0.2.4/go.mod h1:oWu9i62VcQDYp9EQ0ONTfqLNh+mDLWWDO+SO0qSQw5g=
+github.com/ldez/tagliatelle v0.5.0 h1:epgfuYt9v0CG3fms0pEgIMNPuFf/LpPIfjk4kyqSioo=
+github.com/ldez/tagliatelle v0.5.0/go.mod h1:rj1HmWiL1MiKQuOONhd09iySTEkUuE/8+5jtPYz9xa4=
 github.com/leonklingele/grouper v1.1.2 h1:o1ARBDLOmmasUaNDesWqWCIFH3u7hoFlM84YrjT3mIY=
 github.com/leonklingele/grouper v1.1.2/go.mod h1:6D0M/HVkhs2yRKRFZUoGjeDy7EZTfFBE9gl4kjmIGkA=
+github.com/lufeee/execinquery v1.2.1 h1:hf0Ems4SHcUGBxpGN7Jz78z1ppVkP/837ZlETPCEtOM=
+github.com/lufeee/execinquery v1.2.1/go.mod h1:EC7DrEKView09ocscGHC+apXMIaorh4xqSxS/dy8SbM=
 github.com/macabu/inamedparam v0.1.3 h1:2tk/phHkMlEL/1GNe/Yf6kkR/hkcUdAEY3L0hjYV1Mk=
 github.com/macabu/inamedparam v0.1.3/go.mod h1:93FLICAIk/quk7eaPPQvbzihUdn/QkGDwIZEoLtpH6I=
 github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo=
@@ -369,23 +357,23 @@ github.com/maratori/testableexamples v1.0.0 h1:dU5alXRrD8WKSjOUnmJZuzdxWOEQ57+7s
 github.com/maratori/testableexamples v1.0.0/go.mod h1:4rhjL1n20TUTT4vdh3RDqSizKLyXp7K2u6HgraZCGzE=
 github.com/maratori/testpackage v1.1.1 h1:S58XVV5AD7HADMmD0fNnziNHqKvSdDuEKdPD1rNTU04=
 github.com/maratori/testpackage v1.1.1/go.mod h1:s4gRK/ym6AMrqpOa/kEbQTV4Q4jb7WeLZzVhVVVOQMc=
-github.com/matoous/godox v1.1.0 h1:W5mqwbyWrwZv6OQ5Z1a/DHGMOvXYCBP3+Ht7KMoJhq4=
-github.com/matoous/godox v1.1.0/go.mod h1:jgE/3fUXiTurkdHOLT5WEkThTSuE7yxHv5iWPa80afs=
+github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 h1:gWg6ZQ4JhDfJPqlo2srm/LN17lpybq15AryXIRcWYLE=
+github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s=
 github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE=
 github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU=
-github.com/matryer/moq v0.5.3 h1:4femQCFmBUwFPYs8VfM5ID7AI67/DTEDRBbTtSWy7GU=
-github.com/matryer/moq v0.5.3/go.mod h1:8288Qkw7gMZhUP3cIN86GG7g5p9jRuZH8biXLW4RXvQ=
-github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
-github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/matryer/moq v0.5.0 h1:h2PJUYjZSiyEahzVogDRmrgL9Bsx9xYAl8l+LPfmwL8=
+github.com/matryer/moq v0.5.0/go.mod h1:39GTnrD0mVWHPvWdYj5ki/lxfhLQEtHcLh+tWoYF/iE=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mgechev/revive v1.7.0 h1:JyeQ4yO5K8aZhIKf5rec56u0376h8AlKNQEmjfkjKlY=
-github.com/mgechev/revive v1.7.0/go.mod h1:qZnwcNhoguE58dfi96IJeSTPeZQejNeoMQLUZGi4SW4=
+github.com/mgechev/revive v1.3.9 h1:18Y3R4a2USSBF+QZKFQwVkBROUda7uoBlkEuBD+YD1A=
+github.com/mgechev/revive v1.3.9/go.mod h1:+uxEIr5UH0TjXWHTno3xh4u7eg6jDpXKzQccA9UGhHU=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -405,14 +393,14 @@ github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhK
 github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs=
 github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk=
 github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
-github.com/nunnatsa/ginkgolinter v0.19.1 h1:mjwbOlDQxZi9Cal+KfbEJTCz327OLNfwNvoZ70NJ+c4=
-github.com/nunnatsa/ginkgolinter v0.19.1/go.mod h1:jkQ3naZDmxaZMXPWaS9rblH+i+GWXQCaS/JFIWcOH2s=
+github.com/nunnatsa/ginkgolinter v0.16.2 h1:8iLqHIZvN4fTLDC0Ke9tbSZVcyVHoBs0HIbnVSxfHJk=
+github.com/nunnatsa/ginkgolinter v0.16.2/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU=
-github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk=
-github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
-github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
+github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4=
+github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag=
+github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
+github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU=
 github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w=
@@ -430,8 +418,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/polyfloyd/go-errorlint v1.7.1 h1:RyLVXIbosq1gBdk/pChWA8zWYLsq9UEw7a1L5TVMCnA=
-github.com/polyfloyd/go-errorlint v1.7.1/go.mod h1:aXjNb1x2TNhoLsk26iv1yl7a+zTnXPhwEMtEXukiLR8=
+github.com/polyfloyd/go-errorlint v1.6.0 h1:tftWV9DE7txiFzPpztTAwyoRLKNj9gpVm2cg8/OwcYY=
+github.com/polyfloyd/go-errorlint v1.6.0/go.mod h1:HR7u8wuP1kb1NeN1zqTd1ZMlqUKPPHF+Id4vIPvDqVw=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -466,29 +454,26 @@ github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 h1:TCg2WBOl
 github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0=
 github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 h1:M8mH9eK4OUR4lu7Gd+PU1fV2/qnDNfzT635KRSObncs=
 github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567/go.mod h1:DWNGW8A4Y+GyBgPuaQJuWiy0XYftx4Xm/y5Jqk9I6VQ=
-github.com/raeperd/recvcheck v0.2.0 h1:GnU+NsbiCqdC2XX5+vMZzP+jAJC5fht7rcVTAhX74UI=
-github.com/raeperd/recvcheck v0.2.0/go.mod h1:n04eYkwIR0JbgD73wT8wL4JjPC3wm0nFtzBnWNocnYU=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
-github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
-github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryancurrah/gomodguard v1.3.5 h1:cShyguSwUEeC0jS7ylOiG/idnd1TpJ1LfHGpV3oJmPU=
 github.com/ryancurrah/gomodguard v1.3.5/go.mod h1:MXlEPQRxgfPQa62O8wzK3Ozbkv9Rkqr+wKjSxTdsNJE=
 github.com/ryanrolds/sqlclosecheck v0.5.1 h1:dibWW826u0P8jNLsLN+En7+RqWWTYrjCB9fJfSfdyCU=
 github.com/ryanrolds/sqlclosecheck v0.5.1/go.mod h1:2g3dUjoS6AL4huFdv6wn55WpLIDjY7ZgUR4J8HOO/XQ=
-github.com/sanposhiho/wastedassign/v2 v2.1.0 h1:crurBF7fJKIORrV85u9UUpePDYGWnwvv3+A96WvwXT0=
-github.com/sanposhiho/wastedassign/v2 v2.1.0/go.mod h1:+oSmSC+9bQ+VUAxA66nBb0Z7N8CK7mscKTDYC6aIek4=
-github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw=
-github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
+github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/NsJFwFK7Uxc=
+github.com/sanposhiho/wastedassign/v2 v2.0.7/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
 github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tMEOsumirXcOJqAw=
 github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ=
-github.com/sashamelentyev/usestdlibvars v1.28.0 h1:jZnudE2zKCtYlGzLVreNp5pmCdOxXUzwsMDBkR21cyQ=
-github.com/sashamelentyev/usestdlibvars v1.28.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
-github.com/securego/gosec/v2 v2.22.2 h1:IXbuI7cJninj0nRpZSLCUlotsj8jGusohfONMrHoF6g=
-github.com/securego/gosec/v2 v2.22.2/go.mod h1:UEBGA+dSKb+VqM6TdehR7lnQtIIMorYJ4/9CW1KVQBE=
+github.com/sashamelentyev/usestdlibvars v1.27.0 h1:t/3jZpSXtRPRf2xr0m63i32ZrusyurIGT9E5wAvXQnI=
+github.com/sashamelentyev/usestdlibvars v1.27.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
+github.com/securego/gosec/v2 v2.21.2 h1:deZp5zmYf3TWwU7A7cR2+SolbTpZ3HQiwFqnzQyEl3M=
+github.com/securego/gosec/v2 v2.21.2/go.mod h1:au33kg78rNseF5PwPnTWhuYBFf534bvJRvOrgZ/bFzU=
+github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU=
+github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
 github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -498,29 +483,28 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+Wwfd0XE=
 github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4=
-github.com/sivchari/tenv v1.12.1 h1:+E0QzjktdnExv/wwsnnyk4oqZBUfuh89YMQT1cyuvSY=
-github.com/sivchari/tenv v1.12.1/go.mod h1:1LjSOUCc25snIr5n3DtGGrENhX3LuWefcplwVGC24mw=
-github.com/sonatard/noctx v0.1.0 h1:JjqOc2WN16ISWAjAk8M5ej0RfExEXtkEyExl2hLW+OM=
-github.com/sonatard/noctx v0.1.0/go.mod h1:0RvBxqY8D4j9cTTTWE8ylt2vqj2EPI8fHmrxHdsaZ2c=
+github.com/sivchari/tenv v1.10.0 h1:g/hzMA+dBCKqGXgW8AV/1xIWhAvDrx0zFKNR48NFMg0=
+github.com/sivchari/tenv v1.10.0/go.mod h1:tdY24masnVoZFxYrHv/nD6Tc8FbkEtAQEEziXpyMgqY=
+github.com/sonatard/noctx v0.0.2 h1:L7Dz4De2zDQhW8S0t+KUjY0MAQJd6SgVwhzNIc4ok00=
+github.com/sonatard/noctx v0.0.2/go.mod h1:kzFz+CzWSjQ2OzIm46uJZoXuBpa2+0y3T36U18dWqIo=
 github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0=
 github.com/sourcegraph/go-diff v0.7.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs=
-github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
-github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
+github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
+github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ=
 github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI=
 github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YEwQ0=
 github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I=
-github.com/stbenjam/no-sprintf-host-port v0.2.0 h1:i8pxvGrt1+4G0czLr/WnmyH7zbZ8Bg8etvARQ1rpyl4=
-github.com/stbenjam/no-sprintf-host-port v0.2.0/go.mod h1:eL0bQ9PasS0hsyTyfTjjG+E80QIyPnBVQbYZyv20Jfk=
+github.com/stbenjam/no-sprintf-host-port v0.1.1 h1:tYugd/yrm1O0dV+ThCbaKZh195Dfm07ysF0U6JQXczc=
+github.com/stbenjam/no-sprintf-host-port v0.1.1/go.mod h1:TLhvtIvONRzdmkFiio4O8LHsN9N74I+PhRquPsxpL0I=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@@ -535,34 +519,32 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
-github.com/tdakkota/asciicheck v0.4.1 h1:bm0tbcmi0jezRA2b5kg4ozmMuGAFotKI3RZfrhfovg8=
-github.com/tdakkota/asciicheck v0.4.1/go.mod h1:0k7M3rCfRXb0Z6bwgvkEIMleKH3kXNz9UqJ9Xuqopr8=
+github.com/tdakkota/asciicheck v0.2.0 h1:o8jvnUANo0qXtnslk2d3nMKTFNlOnJjRrNcj0j9qkHM=
+github.com/tdakkota/asciicheck v0.2.0/go.mod h1:Qb7Y9EgjCLJGup51gDHFzbI08/gbGhL/UVhYIPWG2rg=
 github.com/tenntenn/modver v1.0.1 h1:2klLppGhDgzJrScMpkj9Ujy3rXPUspSjAcev9tSEBgA=
 github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0=
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3 h1:f+jULpRQGxTSkNYKJ51yaw6ChIqO+Je8UqsTKN/cDag=
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY=
-github.com/tetafro/godot v1.5.0 h1:aNwfVI4I3+gdxjMgYPus9eHmoBeJIbnajOyqZYStzuw=
-github.com/tetafro/godot v1.5.0/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio=
-github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3 h1:y4mJRFlM6fUyPhoXuFg/Yu02fg/nIPFMOY8tOqppoFg=
-github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3/go.mod h1:mkjARE7Yr8qU23YcGMSALbIxTQ9r9QBVahQOBRfU460=
-github.com/timonwong/loggercheck v0.10.1 h1:uVZYClxQFpw55eh+PIoqM7uAOHMrhVcDoWDery9R8Lg=
-github.com/timonwong/loggercheck v0.10.1/go.mod h1:HEAWU8djynujaAVX7QI65Myb8qgfcZ1uKbdpg3ZzKl8=
-github.com/tomarrell/wrapcheck/v2 v2.10.0 h1:SzRCryzy4IrAH7bVGG4cK40tNUhmVmMDuJujy4XwYDg=
-github.com/tomarrell/wrapcheck/v2 v2.10.0/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo=
+github.com/tetafro/godot v1.4.17 h1:pGzu+Ye7ZUEFx7LHU0dAKmCOXWsPjl7qA6iMGndsjPs=
+github.com/tetafro/godot v1.4.17/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio=
+github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 h1:quvGphlmUVU+nhpFa4gg4yJyTRJ13reZMDHrKwYw53M=
+github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966/go.mod h1:27bSVNWSBOHm+qRp1T9qzaIpsWEP6TbUnei/43HK+PQ=
+github.com/timonwong/loggercheck v0.9.4 h1:HKKhqrjcVj8sxL7K77beXh0adEm6DLjV/QOGeMXEVi4=
+github.com/timonwong/loggercheck v0.9.4/go.mod h1:caz4zlPcgvpEkXgVnAJGowHAMW2NwHaNlpS8xDbVhTg=
+github.com/tomarrell/wrapcheck/v2 v2.9.0 h1:801U2YCAjLhdN8zhZ/7tdjB3EnAoRlJHt/s+9hijLQ4=
+github.com/tomarrell/wrapcheck/v2 v2.9.0/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo=
 github.com/tommy-muehle/go-mnd/v2 v2.5.1 h1:NowYhSdyE/1zwK9QCLeRb6USWdoif80Ie+v+yU8u1Zw=
 github.com/tommy-muehle/go-mnd/v2 v2.5.1/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
-github.com/ultraware/funlen v0.2.0 h1:gCHmCn+d2/1SemTdYMiKLAHFYxTYz7z9VIDRaTGyLkI=
-github.com/ultraware/funlen v0.2.0/go.mod h1:ZE0q4TsJ8T1SQcjmkhN/w+MceuatI6pBFSxxyteHIJA=
-github.com/ultraware/whitespace v0.2.0 h1:TYowo2m9Nfj1baEQBjuHzvMRbp19i+RCcRYrSWoFa+g=
-github.com/ultraware/whitespace v0.2.0/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8=
-github.com/uudashr/gocognit v1.2.0 h1:3BU9aMr1xbhPlvJLSydKwdLN3tEUUrzPSSM8S4hDYRA=
-github.com/uudashr/gocognit v1.2.0/go.mod h1:k/DdKPI6XBZO1q7HgoV2juESI2/Ofj9AcHPZhBBdrTU=
-github.com/uudashr/iface v1.3.1 h1:bA51vmVx1UIhiIsQFSNq6GZ6VPTk3WNMZgRiCe9R29U=
-github.com/uudashr/iface v1.3.1/go.mod h1:4QvspiRd3JLPAEXBQ9AiZpLbJlrWWgRChOKDJEuQTdg=
+github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
+github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+github.com/ultraware/whitespace v0.1.1 h1:bTPOGejYFulW3PkcrqkeQwOd6NKOOXvmGD9bo/Gk8VQ=
+github.com/ultraware/whitespace v0.1.1/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8=
+github.com/uudashr/gocognit v1.1.3 h1:l+a111VcDbKfynh+airAy/DJQKaXh2m9vkoysMPSZyM=
+github.com/uudashr/gocognit v1.1.3/go.mod h1:aKH8/e8xbTRBwjbCkwZ8qt4l2EpKXl31KMHgSS+lZ2U=
 github.com/xen0n/gosmopolitan v1.2.2 h1:/p2KTnMzwRexIW8GlKawsTWOxn7UHA+jCMF/V8HHtvU=
 github.com/xen0n/gosmopolitan v1.2.2/go.mod h1:7XX7Mj61uLYrj0qmeN0zi7XDon9JRAEhYQqAPLVNTeg=
 github.com/yagipy/maintidx v1.0.0 h1:h5NvIsCz+nRDapQ0exNv4aJ0yXSI0420omVANTv3GJM=
@@ -582,10 +564,10 @@ gitlab.com/bosi/decorder v0.4.2 h1:qbQaV3zgwnBZ4zPMhGLW4KZe7A7NwxEhJx39R3shffo=
 gitlab.com/bosi/decorder v0.4.2/go.mod h1:muuhHoaJkA9QLcYHq4Mj8FJUwDZ+EirSHRiaTcTf6T8=
 go-simpler.org/assert v0.9.0 h1:PfpmcSvL7yAnWyChSjOz6Sp6m9j5lyK8Ok9pEL31YkQ=
 go-simpler.org/assert v0.9.0/go.mod h1:74Eqh5eI6vCK6Y5l3PI8ZYFXG4Sa+tkr70OIPJAUr28=
-go-simpler.org/musttag v0.13.0 h1:Q/YAW0AHvaoaIbsPj3bvEI5/QFP7w696IMUpnKXQfCE=
-go-simpler.org/musttag v0.13.0/go.mod h1:FTzIGeK6OkKlUDVpj0iQUXZLUO1Js9+mvykDQy9C5yM=
-go-simpler.org/sloglint v0.9.0 h1:/40NQtjRx9txvsB/RN022KsUJU+zaaSb/9q9BSefSrE=
-go-simpler.org/sloglint v0.9.0/go.mod h1:G/OrAF6uxj48sHahCzrbarVMptL2kjWTaUeC8+fOGww=
+go-simpler.org/musttag v0.12.2 h1:J7lRc2ysXOq7eM8rwaTYnNrHd5JwjppzB6mScysB2Cs=
+go-simpler.org/musttag v0.12.2/go.mod h1:uN1DVIasMTQKk6XSik7yrJoEysGtR2GRqvWnI9S7TYM=
+go-simpler.org/sloglint v0.7.2 h1:Wc9Em/Zeuu7JYpl+oKoYOsQSy2X560aVueCW/m6IijY=
+go-simpler.org/sloglint v0.7.2/go.mod h1:US+9C80ppl7VsThQclkM7BkCHQAzuz8kHLsW3ppuluo=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -593,8 +575,8 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
+go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
 go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
 go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
@@ -608,8 +590,7 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -620,12 +601,12 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
+golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk=
+golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
 golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac h1:TSSpLIG4v+p0rPv1pNOQtl1I8knsO4S9trOxNMOLVP4=
-golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
+golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -648,15 +629,14 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -691,14 +671,12 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -718,10 +696,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -755,6 +731,7 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -768,22 +745,20 @@ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -792,12 +767,10 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -807,6 +780,7 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190321232350-e250d351ecad/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
@@ -814,8 +788,10 @@ golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190910044552-dd2b5c81c578/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -846,19 +822,20 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200820010801-b793a1359eac/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1-0.20210205202024-ef80cdb6ec6d/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU=
 golang.org/x/tools v0.1.1-0.20210302220138-2ac05c832e1a/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
 golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
+golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
-golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
-golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
-golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
+golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
+golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -938,8 +915,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -966,8 +943,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.6.1 h1:R094WgE8K4JirYjBaOpz/AvTyUu/3wbmAoskKN/pxTI=
-honnef.co/go/tools v0.6.1/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=
+honnef.co/go/tools v0.5.1 h1:4bH5o3b5ZULQ4UrBmP+63W9r7qIkqJClEA9ko5YKx+I=
+honnef.co/go/tools v0.5.1/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs=
 mvdan.cc/gofumpt v0.7.0 h1:bg91ttqXmi9y2xawvkuMXyvAA/1ZGJqYAEGjXuP0JXU=
 mvdan.cc/gofumpt v0.7.0/go.mod h1:txVFJy/Sc/mvaycET54pV8SW8gWxTlUuGHVEcncmNUo=
 mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f h1:lMpcwN6GxNbWtbpI1+xzFLSW8XzX0u72NttUGVFjO3U=

deployments/systemd/nvidia-cdi-refresh.service

@@ -1,28 +0,0 @@
-# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-[Unit]
-Description=Refresh NVIDIA CDI specification file
-ConditionPathExists=/usr/bin/nvidia-smi
-ConditionPathExists=/usr/bin/nvidia-ctk
-
-[Service]
-Type=oneshot
-EnvironmentFile=-/etc/nvidia-container-toolkit/cdi-refresh.env
-ExecCondition=/usr/bin/grep -qE '/nvidia.ko' /lib/modules/%v/modules.dep
-ExecStart=/usr/bin/nvidia-ctk cdi generate --output=/var/run/cdi/nvidia.yaml
-CapabilityBoundingSet=CAP_SYS_MODULE CAP_SYS_ADMIN CAP_MKNOD
-
-[Install]
-WantedBy=multi-user.target

docker/Dockerfile.debian

@@ -55,7 +55,6 @@ RUN make PREFIX=${DIST_DIR} cmds
 
 WORKDIR $DIST_DIR
 COPY packaging/debian ./debian
-COPY deployments/systemd/ .
 
 ARG LIBNVIDIA_CONTAINER_TOOLS_VERSION
 ENV LIBNVIDIA_CONTAINER_TOOLS_VERSION ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}

docker/Dockerfile.opensuse-leap

@@ -46,7 +46,6 @@ RUN make PREFIX=${DIST_DIR} cmds
 
 WORKDIR $DIST_DIR/..
 COPY packaging/rpm .
-COPY deployments/systemd/ .
 
 ARG LIBNVIDIA_CONTAINER_TOOLS_VERSION
 ENV LIBNVIDIA_CONTAINER_TOOLS_VERSION ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}

docker/Dockerfile.rpm-yum

@@ -71,7 +71,6 @@ RUN make PREFIX=${DIST_DIR} cmds
 
 WORKDIR $DIST_DIR/..
 COPY packaging/rpm .
-COPY deployments/systemd/ ${DIST_DIR}/
 
 ARG LIBNVIDIA_CONTAINER_TOOLS_VERSION
 ENV LIBNVIDIA_CONTAINER_TOOLS_VERSION ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}

docker/Dockerfile.ubuntu

@@ -53,7 +53,6 @@ RUN make PREFIX=${DIST_DIR} cmds
 
 WORKDIR $DIST_DIR
 COPY packaging/debian ./debian
-COPY deployments/systemd/ .
 
 ARG LIBNVIDIA_CONTAINER_TOOLS_VERSION
 ENV LIBNVIDIA_CONTAINER_TOOLS_VERSION ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}

docker/docker.mk

@@ -13,10 +13,10 @@
 # limitations under the License.
 
 # Supported OSs by architecture
-AMD64_TARGETS := ubuntu22.04 ubuntu20.04 ubuntu18.04 ubuntu16.04 debian10 debian9
+AMD64_TARGETS := ubuntu20.04 ubuntu18.04 ubuntu16.04 debian10 debian9
 X86_64_TARGETS := centos7 centos8 rhel7 rhel8 amazonlinux2 opensuse-leap15.1
 PPC64LE_TARGETS := ubuntu18.04 ubuntu16.04 centos7 centos8 rhel7 rhel8
-ARM64_TARGETS := ubuntu22.04 ubuntu20.04 ubuntu18.04
+ARM64_TARGETS := ubuntu20.04 ubuntu18.04
 AARCH64_TARGETS := centos7 centos8 rhel8 amazonlinux2
 
 # Define top-level build targets

go.mod

@@ -1,29 +1,29 @@
 module github.com/NVIDIA/nvidia-container-toolkit
 
-go 1.23.0
+go 1.22
 
 require (
-	github.com/NVIDIA/go-nvlib v0.7.3
-	github.com/NVIDIA/go-nvml v0.12.9-0
+	github.com/NVIDIA/go-nvlib v0.7.2
+	github.com/NVIDIA/go-nvml v0.12.4-1
 	github.com/cyphar/filepath-securejoin v0.4.1
+	github.com/fsnotify/fsnotify v1.7.0
 	github.com/moby/sys/reexec v0.1.0
 	github.com/moby/sys/symlink v0.3.0
-	github.com/opencontainers/runc v1.3.0
+	github.com/opencontainers/runc v1.2.6
 	github.com/opencontainers/runtime-spec v1.2.1
 	github.com/pelletier/go-toml v1.9.5
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.10.0
-	github.com/urfave/cli/v2 v2.27.7
-	golang.org/x/mod v0.25.0
-	golang.org/x/sys v0.33.0
-	tags.cncf.io/container-device-interface v1.0.1
-	tags.cncf.io/container-device-interface/specs-go v1.0.0
+	github.com/urfave/cli/v2 v2.27.5
+	golang.org/x/mod v0.20.0
+	golang.org/x/sys v0.28.0
+	tags.cncf.io/container-device-interface v0.8.1
+	tags.cncf.io/container-device-interface/specs-go v0.8.0
 )
 
 require (
-	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
@@ -35,6 +35,7 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )

go.sum

@@ -1,11 +1,11 @@
-github.com/NVIDIA/go-nvlib v0.7.3 h1:kXc8PkWUlrwedSpM4fR8xT/DAq1NKy8HqhpgteFcGAw=
-github.com/NVIDIA/go-nvlib v0.7.3/go.mod h1:i95Je7GinMy/+BDs++DAdbPmT2TubjNP8i8joC7DD7I=
-github.com/NVIDIA/go-nvml v0.12.9-0 h1:e344UK8ZkeMeeLkdQtRhmXRxNf+u532LDZPGMtkdus0=
-github.com/NVIDIA/go-nvml v0.12.9-0/go.mod h1:+KNA7c7gIBH7SKSJ1ntlwkfN80zdx8ovl4hrK3LmPt4=
+github.com/NVIDIA/go-nvlib v0.7.2 h1:7sy/NVUa4sM9FLKwH6CjBfHSWrJUmv8emVyxLTzjfOA=
+github.com/NVIDIA/go-nvlib v0.7.2/go.mod h1:2Kh2kYSP5IJ8EKf0/SYDzHiQKb9EJkwOf2LQzu6pXzY=
+github.com/NVIDIA/go-nvml v0.12.4-1 h1:WKUvqshhWSNTfm47ETRhv0A0zJyr1ncCuHiXwoTrBEc=
+github.com/NVIDIA/go-nvml v0.12.4-1/go.mod h1:8Llmj+1Rr+9VGGwZuRer5N/aCjxGuR5nPb/9ebBiIEQ=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
-github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=
+github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
 github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
@@ -14,8 +14,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -37,16 +35,16 @@ github.com/moby/sys/reexec v0.1.0/go.mod h1:EqjBg8F3X7iZe5pU6nRZnYCMUTXoxsjiIfHu
 github.com/moby/sys/symlink v0.3.0 h1:GZX89mEZ9u53f97npBy4Rc3vJKj7JBDj/PN2I22GrNU=
 github.com/moby/sys/symlink v0.3.0/go.mod h1:3eNdhduHmYPcgsJtZXW1W4XUJdZGBIkttZ8xKqPUJq0=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/runc v1.3.0 h1:cvP7xbEvD0QQAs0nZKLzkVog2OPZhI/V2w3WmTmUSXI=
-github.com/opencontainers/runc v1.3.0/go.mod h1:9wbWt42gV+KRxKRVVugNP6D5+PQciRbenB4fLVsqGPs=
+github.com/opencontainers/runc v1.2.6 h1:P7Hqg40bsMvQGCS4S7DJYhUZOISMLJOB2iGX5COWiPk=
+github.com/opencontainers/runc v1.2.6/go.mod h1:dOQeFo29xZKBNeRBI0B19mJtfHv68YgCTh1X+YphA+4=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
 github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
-github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
+github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -69,8 +67,8 @@ github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
-github.com/urfave/cli/v2 v2.27.7 h1:bH59vdhbjLv3LAvIu6gd0usJHgoTTPhCFib8qqOwXYU=
-github.com/urfave/cli/v2 v2.27.7/go.mod h1:CyNAG/xg+iAOg0N4MPGZqVmv2rCoP267496AOXUZjA4=
+github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w=
+github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -80,23 +78,24 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
+golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
-sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
-tags.cncf.io/container-device-interface v1.0.1 h1:KqQDr4vIlxwfYh0Ed/uJGVgX+CHAkahrgabg6Q8GYxc=
-tags.cncf.io/container-device-interface v1.0.1/go.mod h1:JojJIOeW3hNbcnOH2q0NrWNha/JuHoDZcmYxAZwb2i0=
-tags.cncf.io/container-device-interface/specs-go v1.0.0 h1:8gLw29hH1ZQP9K1YtAzpvkHCjjyIxHZYzBAvlQ+0vD8=
-tags.cncf.io/container-device-interface/specs-go v1.0.0/go.mod h1:u86hoFWqnh3hWz3esofRFKbI261bUlvUfLKGrDhJkgQ=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+tags.cncf.io/container-device-interface v0.8.1 h1:c0jN4Mt6781jD67NdPajmZlD1qrqQyov/Xfoab37lj0=
+tags.cncf.io/container-device-interface v0.8.1/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
+tags.cncf.io/container-device-interface/specs-go v0.8.0 h1:QYGFzGxvYK/ZLMrjhvY0RjpUavIn4KcmRmVP/JjdBTA=
+tags.cncf.io/container-device-interface/specs-go v0.8.0/go.mod h1:BhJIkjjPh4qpys+qm4DAYtUyryaTDg9zris+AczXyws=

internal/config/config.go

@@ -110,7 +110,7 @@ func GetDefault() (*Config, error) {
 		NVIDIAContainerRuntimeConfig: RuntimeConfig{
 			DebugFilePath: "/dev/null",
 			LogLevel:      "info",
-			Runtimes:      []string{"runc", "crun"},
+			Runtimes:      []string{"docker-runc", "runc", "crun"},
 			Mode:          "auto",
 			Modes: modesConfig{
 				CSV: csvModeConfig{

internal/config/config_test.go

@@ -63,7 +63,7 @@ func TestGetConfig(t *testing.T) {
 				NVIDIAContainerRuntimeConfig: RuntimeConfig{
 					DebugFilePath: "/dev/null",
 					LogLevel:      "info",
-					Runtimes:      []string{"runc", "crun"},
+					Runtimes:      []string{"docker-runc", "runc", "crun"},
 					Mode:          "auto",
 					Modes: modesConfig{
 						CSV: csvModeConfig{
@@ -170,7 +170,7 @@ func TestGetConfig(t *testing.T) {
 				NVIDIAContainerRuntimeConfig: RuntimeConfig{
 					DebugFilePath: "/dev/null",
 					LogLevel:      "info",
-					Runtimes:      []string{"runc", "crun"},
+					Runtimes:      []string{"docker-runc", "runc", "crun"},
 					Mode:          "auto",
 					Modes: modesConfig{
 						CSV: csvModeConfig{
@@ -289,7 +289,7 @@ func TestGetConfig(t *testing.T) {
 				NVIDIAContainerRuntimeConfig: RuntimeConfig{
 					DebugFilePath: "/dev/null",
 					LogLevel:      "info",
-					Runtimes:      []string{"runc", "crun"},
+					Runtimes:      []string{"docker-runc", "runc", "crun"},
 					Mode:          "auto",
 					Modes: modesConfig{
 						CSV: csvModeConfig{
@@ -331,7 +331,7 @@ func TestGetConfig(t *testing.T) {
 				NVIDIAContainerRuntimeConfig: RuntimeConfig{
 					DebugFilePath: "/dev/null",
 					LogLevel:      "info",
-					Runtimes:      []string{"runc", "crun"},
+					Runtimes:      []string{"docker-runc", "runc", "crun"},
 					Mode:          "auto",
 					Modes: modesConfig{
 						CSV: csvModeConfig{

internal/config/features.go

@@ -41,6 +41,9 @@ type features struct {
 	// access to an IMEX channel by simply specifying an environment variable,
 	// possibly bypassing other checks by an orchestration system such as
 	// kubernetes.
+	// Note that this is not enabled by default to maintain backward compatibility
+	// with the existing behaviour when the NVIDIA Container Toolkit is used in
+	// non-kubernetes environments.
 	IgnoreImexChannelRequests *feature `toml:"ignore-imex-channel-requests,omitempty"`
 }
 

internal/config/image/builder.go

@@ -21,35 +21,22 @@ import (
 	"strings"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 )
 
 type builder struct {
-	CUDA
-
+	env            map[string]string
+	mounts         []specs.Mount
 	disableRequire bool
 }
 
-// Option is a functional option for creating a CUDA image.
-type Option func(*builder) error
-
 // New creates a new CUDA image from the input options.
 func New(opt ...Option) (CUDA, error) {
-	b := &builder{
-		CUDA: CUDA{
-			acceptEnvvarUnprivileged: true,
-		},
-	}
+	b := &builder{}
 	for _, o := range opt {
 		if err := o(b); err != nil {
 			return CUDA{}, err
 		}
 	}
-
-	if b.logger == nil {
-		b.logger = logger.New()
-	}
 	if b.env == nil {
 		b.env = make(map[string]string)
 	}
@@ -63,36 +50,15 @@ func (b builder) build() (CUDA, error) {
 		b.env[EnvVarNvidiaDisableRequire] = "true"
 	}
 
-	return b.CUDA, nil
+	c := CUDA{
+		env:    b.env,
+		mounts: b.mounts,
+	}
+	return c, nil
 }
 
-func WithAcceptDeviceListAsVolumeMounts(acceptDeviceListAsVolumeMounts bool) Option {
-	return func(b *builder) error {
-		b.acceptDeviceListAsVolumeMounts = acceptDeviceListAsVolumeMounts
-		return nil
-	}
-}
-
-func WithAcceptEnvvarUnprivileged(acceptEnvvarUnprivileged bool) Option {
-	return func(b *builder) error {
-		b.acceptEnvvarUnprivileged = acceptEnvvarUnprivileged
-		return nil
-	}
-}
-
-func WithAnnotations(annotations map[string]string) Option {
-	return func(b *builder) error {
-		b.annotations = annotations
-		return nil
-	}
-}
-
-func WithAnnotationsPrefixes(annotationsPrefixes []string) Option {
-	return func(b *builder) error {
-		b.annotationsPrefixes = annotationsPrefixes
-		return nil
-	}
-}
+// Option is a functional option for creating a CUDA image.
+type Option func(*builder) error
 
 // WithDisableRequire sets the disable require option.
 func WithDisableRequire(disableRequire bool) Option {
@@ -127,14 +93,6 @@ func WithEnvMap(env map[string]string) Option {
 	}
 }
 
-// WithLogger sets the logger to use when creating the CUDA image.
-func WithLogger(logger logger.Interface) Option {
-	return func(b *builder) error {
-		b.logger = logger
-		return nil
-	}
-}
-
 // WithMounts sets the mounts associated with the CUDA image.
 func WithMounts(mounts []specs.Mount) Option {
 	return func(b *builder) error {
@@ -142,20 +100,3 @@ func WithMounts(mounts []specs.Mount) Option {
 		return nil
 	}
 }
-
-// WithPreferredVisibleDevicesEnvVars sets the environment variables that
-// should take precedence over the default NVIDIA_VISIBLE_DEVICES.
-func WithPreferredVisibleDevicesEnvVars(preferredVisibleDeviceEnvVars ...string) Option {
-	return func(b *builder) error {
-		b.preferredVisibleDeviceEnvVars = preferredVisibleDeviceEnvVars
-		return nil
-	}
-}
-
-// WithPrivileged sets whether an image is privileged or not.
-func WithPrivileged(isPrivileged bool) Option {
-	return func(b *builder) error {
-		b.isPrivileged = isPrivileged
-		return nil
-	}
-}

internal/config/image/cuda_image.go

@@ -25,8 +25,6 @@ import (
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/mod/semver"
 	"tags.cncf.io/container-device-interface/pkg/parser"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 )
 
 const (
@@ -40,44 +38,27 @@ const (
 // a map of environment variable to values that can be used to perform lookups
 // such as requirements.
 type CUDA struct {
-	logger logger.Interface
-
-	annotations  map[string]string
-	env          map[string]string
-	isPrivileged bool
-	mounts       []specs.Mount
-
-	annotationsPrefixes            []string
-	acceptDeviceListAsVolumeMounts bool
-	acceptEnvvarUnprivileged       bool
-	preferredVisibleDeviceEnvVars  []string
+	env    map[string]string
+	mounts []specs.Mount
 }
 
 // NewCUDAImageFromSpec creates a CUDA image from the input OCI runtime spec.
 // The process environment is read (if present) to construc the CUDA Image.
-func NewCUDAImageFromSpec(spec *specs.Spec, opts ...Option) (CUDA, error) {
-	if spec == nil {
-		return New(opts...)
-	}
-
+func NewCUDAImageFromSpec(spec *specs.Spec) (CUDA, error) {
 	var env []string
-	if spec.Process != nil {
+	if spec != nil && spec.Process != nil {
 		env = spec.Process.Env
 	}
 
-	specOpts := []Option{
-		WithAnnotations(spec.Annotations),
+	return New(
 		WithEnv(env),
 		WithMounts(spec.Mounts),
-		WithPrivileged(IsPrivileged((*OCISpec)(spec))),
-	}
-
-	return New(append(opts, specOpts...)...)
+	)
 }
 
-// newCUDAImageFromEnv creates a CUDA image from the input environment. The environment
+// NewCUDAImageFromEnv creates a CUDA image from the input environment. The environment
 // is a list of strings of the form ENVAR=VALUE.
-func newCUDAImageFromEnv(env []string) (CUDA, error) {
+func NewCUDAImageFromEnv(env []string) (CUDA, error) {
 	return New(WithEnv(env))
 }
 
@@ -102,10 +83,6 @@ func (i CUDA) IsLegacy() bool {
 	return len(legacyCudaVersion) > 0 && len(cudaRequire) == 0
 }
 
-func (i CUDA) IsPrivileged() bool {
-	return i.isPrivileged
-}
-
 // GetRequirements returns the requirements from all NVIDIA_REQUIRE_ environment
 // variables.
 func (i CUDA) GetRequirements() ([]string, error) {
@@ -223,115 +200,46 @@ func parseMajorMinorVersion(version string) (string, error) {
 // OnlyFullyQualifiedCDIDevices returns true if all devices requested in the image are requested as CDI devices/
 func (i CUDA) OnlyFullyQualifiedCDIDevices() bool {
 	var hasCDIdevice bool
-	for _, device := range i.VisibleDevices() {
+	for _, device := range i.VisibleDevicesFromEnvVar() {
 		if !parser.IsQualifiedName(device) {
 			return false
 		}
 		hasCDIdevice = true
 	}
+
+	for _, device := range i.DevicesFromMounts() {
+		if !strings.HasPrefix(device, "cdi/") {
+			return false
+		}
+		hasCDIdevice = true
+	}
 	return hasCDIdevice
 }
 
-// VisibleDevices returns a list of devices requested in the container image.
-// If volume mount requests are enabled these are returned if requested,
-// otherwise device requests through environment variables are considered.
-// In cases where environment variable requests required privileged containers,
-// such devices requests are ignored.
-func (i CUDA) VisibleDevices() []string {
-	// If annotation device requests are present, these are preferred.
-	annotationDeviceRequests := i.cdiDeviceRequestsFromAnnotations()
-	if len(annotationDeviceRequests) > 0 {
-		return annotationDeviceRequests
-	}
-
-	// If enabled, try and get the device list from volume mounts first
-	if i.acceptDeviceListAsVolumeMounts {
-		volumeMountDeviceRequests := i.visibleDevicesFromMounts()
-		if len(volumeMountDeviceRequests) > 0 {
-			return volumeMountDeviceRequests
-		}
-	}
-
-	// Get the Fallback to reading from the environment variable if privileges are correct
-	envVarDeviceRequests := i.VisibleDevicesFromEnvVar()
-	if len(envVarDeviceRequests) == 0 {
-		return nil
-	}
-
-	// If the container is privileged, or environment variable requests are
-	// allowed for unprivileged containers, these devices are returned.
-	if i.isPrivileged || i.acceptEnvvarUnprivileged {
-		return envVarDeviceRequests
-	}
-
-	// We log a warning if we are ignoring the environment variable requests.
-	i.logger.Warningf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES in unprivileged container")
-
-	return nil
-}
-
-// cdiDeviceRequestsFromAnnotations returns a list of devices specified in the
-// annotations.
-// Keys starting with the specified prefixes are considered and expected to
-// contain a comma-separated list of fully-qualified CDI devices names.
-// The format of the requested devices is not checked and the list is not
-// deduplicated.
-func (i CUDA) cdiDeviceRequestsFromAnnotations() []string {
-	if len(i.annotationsPrefixes) == 0 || len(i.annotations) == 0 {
-		return nil
-	}
-
-	var devices []string
-	for key, value := range i.annotations {
-		for _, prefix := range i.annotationsPrefixes {
-			if strings.HasPrefix(key, prefix) {
-				devices = append(devices, strings.Split(value, ",")...)
-				// There is no need to check additional prefixes since we
-				// typically deduplicate devices in any case.
-				break
-			}
-		}
-	}
-	return devices
-}
-
-// VisibleDevicesFromEnvVar returns the set of visible devices requested through environment variables.
-// If any of the preferredVisibleDeviceEnvVars are present in the image, they
-// are used to determine the visible devices. If this is not the case, the
-// NVIDIA_VISIBLE_DEVICES environment variable is used.
+// VisibleDevicesFromEnvVar returns the set of visible devices requested through
+// the NVIDIA_VISIBLE_DEVICES environment variable.
 func (i CUDA) VisibleDevicesFromEnvVar() []string {
-	for _, envVar := range i.preferredVisibleDeviceEnvVars {
-		if i.HasEnvvar(envVar) {
-			return i.DevicesFromEnvvars(i.preferredVisibleDeviceEnvVars...).List()
-		}
-	}
 	return i.DevicesFromEnvvars(EnvVarNvidiaVisibleDevices).List()
 }
 
-// visibleDevicesFromMounts returns the set of visible devices requested as mounts.
-func (i CUDA) visibleDevicesFromMounts() []string {
+// VisibleDevicesFromMounts returns the set of visible devices requested as mounts.
+func (i CUDA) VisibleDevicesFromMounts() []string {
 	var devices []string
-	for _, device := range i.requestsFromMounts() {
+	for _, device := range i.DevicesFromMounts() {
 		switch {
+		case strings.HasPrefix(device, volumeMountDevicePrefixCDI):
+			continue
 		case strings.HasPrefix(device, volumeMountDevicePrefixImex):
 			continue
-		case strings.HasPrefix(device, volumeMountDevicePrefixCDI):
-			name, err := cdiDeviceMountRequest(device).qualifiedName()
-			if err != nil {
-				i.logger.Warningf("Ignoring invalid mount request for CDI device %v: %v", device, err)
-				continue
-			}
-			devices = append(devices, name)
-		default:
-			devices = append(devices, device)
 		}
-
+		devices = append(devices, device)
 	}
 	return devices
 }
 
-// requestsFromMounts returns a list of device specified as mounts.
-func (i CUDA) requestsFromMounts() []string {
+// DevicesFromMounts returns a list of device specified as mounts.
+// TODO: This should be merged with getDevicesFromMounts used in the NVIDIA Container Runtime
+func (i CUDA) DevicesFromMounts() []string {
 	root := filepath.Clean(DeviceListAsVolumeMountsRoot)
 	seen := make(map[string]bool)
 	var devices []string
@@ -363,30 +271,23 @@ func (i CUDA) requestsFromMounts() []string {
 	return devices
 }
 
-// a cdiDeviceMountRequest represents a CDI device requests as a mount.
-// Here the host path /dev/null is mounted to a particular path in the container.
-// The container path has the form:
-// /var/run/nvidia-container-devices/cdi/<vendor>/<class>/<device>
-// or
-// /var/run/nvidia-container-devices/cdi/<vendor>/<class>=<device>
-type cdiDeviceMountRequest string
-
-// qualifiedName returns the fully-qualified name of the CDI device.
-func (m cdiDeviceMountRequest) qualifiedName() (string, error) {
-	if !strings.HasPrefix(string(m), volumeMountDevicePrefixCDI) {
-		return "", fmt.Errorf("invalid mount CDI device request: %s", m)
+// CDIDevicesFromMounts returns a list of CDI devices specified as mounts on the image.
+func (i CUDA) CDIDevicesFromMounts() []string {
+	var devices []string
+	for _, mountDevice := range i.DevicesFromMounts() {
+		if !strings.HasPrefix(mountDevice, volumeMountDevicePrefixCDI) {
+			continue
+		}
+		parts := strings.SplitN(strings.TrimPrefix(mountDevice, volumeMountDevicePrefixCDI), "/", 3)
+		if len(parts) != 3 {
+			continue
+		}
+		vendor := parts[0]
+		class := parts[1]
+		device := parts[2]
+		devices = append(devices, fmt.Sprintf("%s/%s=%s", vendor, class, device))
 	}
-
-	requestedDevice := strings.TrimPrefix(string(m), volumeMountDevicePrefixCDI)
-	if parser.IsQualifiedName(requestedDevice) {
-		return requestedDevice, nil
-	}
-
-	parts := strings.SplitN(requestedDevice, "/", 3)
-	if len(parts) != 3 {
-		return "", fmt.Errorf("invalid mount CDI device request: %s", m)
-	}
-	return fmt.Sprintf("%s/%s=%s", parts[0], parts[1], parts[2]), nil
+	return devices
 }
 
 // ImexChannelsFromEnvVar returns the list of IMEX channels requested for the image.
@@ -401,7 +302,7 @@ func (i CUDA) ImexChannelsFromEnvVar() []string {
 // ImexChannelsFromMounts returns the list of IMEX channels requested for the image.
 func (i CUDA) ImexChannelsFromMounts() []string {
 	var channels []string
-	for _, mountDevice := range i.requestsFromMounts() {
+	for _, mountDevice := range i.DevicesFromMounts() {
 		if !strings.HasPrefix(mountDevice, volumeMountDevicePrefixImex) {
 			continue
 		}

internal/config/image/cuda_image_test.go

@@ -21,91 +21,9 @@ import (
 	"testing"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
-	testlog "github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/require"
 )
 
-func TestNewCUDAImageFromSpec(t *testing.T) {
-	logger, _ := testlog.NewNullLogger()
-
-	testCases := []struct {
-		description string
-		spec        *specs.Spec
-		options     []Option
-		expected    CUDA
-	}{
-		{
-			description: "no env vars",
-			spec: &specs.Spec{
-				Process: &specs.Process{
-					Env: []string{},
-				},
-			},
-			expected: CUDA{
-				logger:                   logger,
-				env:                      map[string]string{},
-				acceptEnvvarUnprivileged: true,
-			},
-		},
-		{
-			description: "NVIDIA_VISIBLE_DEVICES=all",
-			spec: &specs.Spec{
-				Process: &specs.Process{
-					Env: []string{"NVIDIA_VISIBLE_DEVICES=all"},
-				},
-			},
-			expected: CUDA{
-				logger:                   logger,
-				env:                      map[string]string{"NVIDIA_VISIBLE_DEVICES": "all"},
-				acceptEnvvarUnprivileged: true,
-			},
-		},
-		{
-			description: "Spec overrides options",
-			spec: &specs.Spec{
-				Process: &specs.Process{
-					Env: []string{"NVIDIA_VISIBLE_DEVICES=all"},
-				},
-				Mounts: []specs.Mount{
-					{
-						Source:      "/spec-source",
-						Destination: "/spec-destination",
-					},
-				},
-			},
-			options: []Option{
-				WithEnvMap(map[string]string{"OTHER": "value"}),
-				WithMounts([]specs.Mount{
-					{
-						Source:      "/option-source",
-						Destination: "/option-destination",
-					},
-				}),
-			},
-			expected: CUDA{
-				logger: logger,
-				env:    map[string]string{"NVIDIA_VISIBLE_DEVICES": "all"},
-				mounts: []specs.Mount{
-					{
-						Source:      "/spec-source",
-						Destination: "/spec-destination",
-					},
-				},
-				acceptEnvvarUnprivileged: true,
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			options := append([]Option{WithLogger(logger)}, tc.options...)
-			image, err := NewCUDAImageFromSpec(tc.spec, options...)
-			require.NoError(t, err)
-			require.EqualValues(t, tc.expected, image)
-		})
-	}
-}
-
 func TestParseMajorMinorVersionValid(t *testing.T) {
 	var tests = []struct {
 		version  string
@@ -204,7 +122,7 @@ func TestGetRequirements(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			image, err := newCUDAImageFromEnv(tc.env)
+			image, err := NewCUDAImageFromEnv(tc.env)
 			require.NoError(t, err)
 
 			requirements, err := image.GetRequirements()
@@ -215,226 +133,6 @@ func TestGetRequirements(t *testing.T) {
 	}
 }
 
-func TestGetDevicesFromEnvvar(t *testing.T) {
-	envDockerResourceGPUs := "DOCKER_RESOURCE_GPUS"
-	gpuID := "GPU-12345"
-	anotherGPUID := "GPU-67890"
-	thirdGPUID := "MIG-12345"
-
-	var tests = []struct {
-		description                   string
-		preferredVisibleDeviceEnvVars []string
-		env                           map[string]string
-		expectedDevices               []string
-	}{
-		{
-			description: "empty env returns nil for non-legacy image",
-		},
-		{
-			description: "blank NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: "",
-			},
-		},
-		{
-			description: "'void' NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: "void",
-			},
-		},
-		{
-			description: "'none' NVIDIA_VISIBLE_DEVICES returns empty for non-legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: "none",
-			},
-			expectedDevices: []string{""},
-		},
-		{
-			description: "NVIDIA_VISIBLE_DEVICES set returns value for non-legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: gpuID,
-			},
-			expectedDevices: []string{gpuID},
-		},
-		{
-			description: "NVIDIA_VISIBLE_DEVICES set returns value for legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: gpuID,
-				EnvVarCudaVersion:          "legacy",
-			},
-			expectedDevices: []string{gpuID},
-		},
-		{
-			description: "empty env returns all for legacy image",
-			env: map[string]string{
-				EnvVarCudaVersion: "legacy",
-			},
-			expectedDevices: []string{"all"},
-		},
-		// Add the `DOCKER_RESOURCE_GPUS` envvar and ensure that this is ignored when
-		// not enabled
-		{
-			description: "missing NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
-			env: map[string]string{
-				envDockerResourceGPUs: anotherGPUID,
-			},
-		},
-		{
-			description: "blank NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: "",
-				envDockerResourceGPUs:      anotherGPUID,
-			},
-		},
-		{
-			description: "'void' NVIDIA_VISIBLE_DEVICES returns nil for non-legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: "void",
-				envDockerResourceGPUs:      anotherGPUID,
-			},
-		},
-		{
-			description: "'none' NVIDIA_VISIBLE_DEVICES returns empty for non-legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: "none",
-				envDockerResourceGPUs:      anotherGPUID,
-			},
-			expectedDevices: []string{""},
-		},
-		{
-			description: "NVIDIA_VISIBLE_DEVICES set returns value for non-legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: gpuID,
-				envDockerResourceGPUs:      anotherGPUID,
-			},
-			expectedDevices: []string{gpuID},
-		},
-		{
-			description: "NVIDIA_VISIBLE_DEVICES set returns value for legacy image",
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: gpuID,
-				envDockerResourceGPUs:      anotherGPUID,
-				EnvVarCudaVersion:          "legacy",
-			},
-			expectedDevices: []string{gpuID},
-		},
-		{
-			description: "empty env returns all for legacy image",
-			env: map[string]string{
-				envDockerResourceGPUs: anotherGPUID,
-				EnvVarCudaVersion:     "legacy",
-			},
-			expectedDevices: []string{"all"},
-		},
-		// Add the `DOCKER_RESOURCE_GPUS` envvar and ensure that this is selected when
-		// enabled
-		{
-			description:                   "empty env returns nil for non-legacy image",
-			preferredVisibleDeviceEnvVars: []string{envDockerResourceGPUs},
-		},
-		{
-			description:                   "blank DOCKER_RESOURCE_GPUS returns nil for non-legacy image",
-			preferredVisibleDeviceEnvVars: []string{envDockerResourceGPUs},
-			env: map[string]string{
-				envDockerResourceGPUs: "",
-			},
-		},
-		{
-			description:                   "'void' DOCKER_RESOURCE_GPUS returns nil for non-legacy image",
-			preferredVisibleDeviceEnvVars: []string{envDockerResourceGPUs},
-			env: map[string]string{
-				envDockerResourceGPUs: "void",
-			},
-		},
-		{
-			description:                   "'none' DOCKER_RESOURCE_GPUS returns empty for non-legacy image",
-			preferredVisibleDeviceEnvVars: []string{envDockerResourceGPUs},
-			env: map[string]string{
-				envDockerResourceGPUs: "none",
-			},
-			expectedDevices: []string{""},
-		},
-		{
-			description:                   "DOCKER_RESOURCE_GPUS set returns value for non-legacy image",
-			preferredVisibleDeviceEnvVars: []string{envDockerResourceGPUs},
-			env: map[string]string{
-				envDockerResourceGPUs: gpuID,
-			},
-			expectedDevices: []string{gpuID},
-		},
-		{
-			description:                   "DOCKER_RESOURCE_GPUS set returns value for legacy image",
-			preferredVisibleDeviceEnvVars: []string{envDockerResourceGPUs},
-			env: map[string]string{
-				envDockerResourceGPUs: gpuID,
-				EnvVarCudaVersion:     "legacy",
-			},
-			expectedDevices: []string{gpuID},
-		},
-		{
-			description:                   "DOCKER_RESOURCE_GPUS is selected if present",
-			preferredVisibleDeviceEnvVars: []string{envDockerResourceGPUs},
-			env: map[string]string{
-				envDockerResourceGPUs: anotherGPUID,
-			},
-			expectedDevices: []string{anotherGPUID},
-		},
-		{
-			description:                   "DOCKER_RESOURCE_GPUS overrides NVIDIA_VISIBLE_DEVICES if present",
-			preferredVisibleDeviceEnvVars: []string{envDockerResourceGPUs},
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices: gpuID,
-				envDockerResourceGPUs:      anotherGPUID,
-			},
-			expectedDevices: []string{anotherGPUID},
-		},
-		{
-			description:                   "DOCKER_RESOURCE_GPUS_ADDITIONAL overrides NVIDIA_VISIBLE_DEVICES if present",
-			preferredVisibleDeviceEnvVars: []string{"DOCKER_RESOURCE_GPUS_ADDITIONAL"},
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices:        gpuID,
-				"DOCKER_RESOURCE_GPUS_ADDITIONAL": anotherGPUID,
-			},
-			expectedDevices: []string{anotherGPUID},
-		},
-		{
-			description:                   "All available swarm resource envvars are selected and override NVIDIA_VISIBLE_DEVICES if present",
-			preferredVisibleDeviceEnvVars: []string{"DOCKER_RESOURCE_GPUS", "DOCKER_RESOURCE_GPUS_ADDITIONAL"},
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices:        gpuID,
-				"DOCKER_RESOURCE_GPUS":            thirdGPUID,
-				"DOCKER_RESOURCE_GPUS_ADDITIONAL": anotherGPUID,
-			},
-			expectedDevices: []string{thirdGPUID, anotherGPUID},
-		},
-		{
-			description:                   "DOCKER_RESOURCE_GPUS_ADDITIONAL or DOCKER_RESOURCE_GPUS override NVIDIA_VISIBLE_DEVICES if present",
-			preferredVisibleDeviceEnvVars: []string{"DOCKER_RESOURCE_GPUS", "DOCKER_RESOURCE_GPUS_ADDITIONAL"},
-			env: map[string]string{
-				EnvVarNvidiaVisibleDevices:        gpuID,
-				"DOCKER_RESOURCE_GPUS_ADDITIONAL": anotherGPUID,
-			},
-			expectedDevices: []string{anotherGPUID},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.description, func(t *testing.T) {
-			image, err := New(
-				WithEnvMap(tc.env),
-				WithPrivileged(true),
-				WithAcceptDeviceListAsVolumeMounts(false),
-				WithAcceptEnvvarUnprivileged(false),
-				WithPreferredVisibleDevicesEnvVars(tc.preferredVisibleDeviceEnvVars...),
-			)
-
-			require.NoError(t, err)
-			devices := image.VisibleDevicesFromEnvVar()
-			require.EqualValues(t, tc.expectedDevices, devices)
-		})
-	}
-}
-
 func TestGetVisibleDevicesFromMounts(t *testing.T) {
 	var tests = []struct {
 		description     string
@@ -487,9 +185,9 @@ func TestGetVisibleDevicesFromMounts(t *testing.T) {
 			expectedDevices: []string{"GPU0-MIG0/0/1", "GPU1-MIG0/0/1"},
 		},
 		{
-			description:     "cdi devices are included",
-			mounts:          makeTestMounts("GPU0", "nvidia.com/gpu=all", "GPU1"),
-			expectedDevices: []string{"GPU0", "nvidia.com/gpu=all", "GPU1"},
+			description:     "cdi devices are ignored",
+			mounts:          makeTestMounts("GPU0", "cdi/nvidia.com/gpu=all", "GPU1"),
+			expectedDevices: []string{"GPU0", "GPU1"},
 		},
 		{
 			description:     "imex devices are ignored",
@@ -499,121 +197,8 @@ func TestGetVisibleDevicesFromMounts(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(tc.description, func(t *testing.T) {
-			image, err := New(WithMounts(tc.mounts))
-			require.NoError(t, err)
-			require.Equal(t, tc.expectedDevices, image.visibleDevicesFromMounts())
-		})
-	}
-}
-
-func TestVisibleDevices(t *testing.T) {
-	var tests = []struct {
-		description        string
-		mountDevices       []specs.Mount
-		envvarDevices      string
-		privileged         bool
-		acceptUnprivileged bool
-		acceptMounts       bool
-		expectedDevices    []string
-	}{
-		{
-			description: "Mount devices, unprivileged, no accept unprivileged",
-			mountDevices: []specs.Mount{
-				{
-					Source:      "/dev/null",
-					Destination: filepath.Join(DeviceListAsVolumeMountsRoot, "GPU0"),
-				},
-				{
-					Source:      "/dev/null",
-					Destination: filepath.Join(DeviceListAsVolumeMountsRoot, "GPU1"),
-				},
-			},
-			envvarDevices:      "GPU2,GPU3",
-			privileged:         false,
-			acceptUnprivileged: false,
-			acceptMounts:       true,
-			expectedDevices:    []string{"GPU0", "GPU1"},
-		},
-		{
-			description:        "No mount devices, unprivileged, no accept unprivileged",
-			mountDevices:       nil,
-			envvarDevices:      "GPU0,GPU1",
-			privileged:         false,
-			acceptUnprivileged: false,
-			acceptMounts:       true,
-			expectedDevices:    nil,
-		},
-		{
-			description:        "No mount devices, privileged, no accept unprivileged",
-			mountDevices:       nil,
-			envvarDevices:      "GPU0,GPU1",
-			privileged:         true,
-			acceptUnprivileged: false,
-			acceptMounts:       true,
-			expectedDevices:    []string{"GPU0", "GPU1"},
-		},
-		{
-			description:        "No mount devices, unprivileged, accept unprivileged",
-			mountDevices:       nil,
-			envvarDevices:      "GPU0,GPU1",
-			privileged:         false,
-			acceptUnprivileged: true,
-			acceptMounts:       true,
-			expectedDevices:    []string{"GPU0", "GPU1"},
-		},
-		{
-			description: "Mount devices, unprivileged, accept unprivileged, no accept mounts",
-			mountDevices: []specs.Mount{
-				{
-					Source:      "/dev/null",
-					Destination: filepath.Join(DeviceListAsVolumeMountsRoot, "GPU0"),
-				},
-				{
-					Source:      "/dev/null",
-					Destination: filepath.Join(DeviceListAsVolumeMountsRoot, "GPU1"),
-				},
-			},
-			envvarDevices:      "GPU2,GPU3",
-			privileged:         false,
-			acceptUnprivileged: true,
-			acceptMounts:       false,
-			expectedDevices:    []string{"GPU2", "GPU3"},
-		},
-		{
-			description: "Mount devices, unprivileged, no accept unprivileged, no accept mounts",
-			mountDevices: []specs.Mount{
-				{
-					Source:      "/dev/null",
-					Destination: filepath.Join(DeviceListAsVolumeMountsRoot, "GPU0"),
-				},
-				{
-					Source:      "/dev/null",
-					Destination: filepath.Join(DeviceListAsVolumeMountsRoot, "GPU1"),
-				},
-			},
-			envvarDevices:      "GPU2,GPU3",
-			privileged:         false,
-			acceptUnprivileged: false,
-			acceptMounts:       false,
-			expectedDevices:    nil,
-		},
-	}
-	for _, tc := range tests {
-		t.Run(tc.description, func(t *testing.T) {
-			// Wrap the call to getDevices() in a closure.
-			image, err := New(
-				WithEnvMap(
-					map[string]string{
-						EnvVarNvidiaVisibleDevices: tc.envvarDevices,
-					},
-				),
-				WithMounts(tc.mountDevices),
-				WithPrivileged(tc.privileged),
-				WithAcceptDeviceListAsVolumeMounts(tc.acceptMounts),
-				WithAcceptEnvvarUnprivileged(tc.acceptUnprivileged),
-			)
-			require.NoError(t, err)
-			require.Equal(t, tc.expectedDevices, image.VisibleDevices())
+			image, _ := New(WithMounts(tc.mounts))
+			require.Equal(t, tc.expectedDevices, image.VisibleDevicesFromMounts())
 		})
 	}
 }
@@ -639,7 +224,7 @@ func TestImexChannelsFromEnvVar(t *testing.T) {
 	for _, tc := range testCases {
 		for id, baseEnvvars := range map[string][]string{"": nil, "legacy": {"CUDA_VERSION=1.2.3"}} {
 			t.Run(tc.description+id, func(t *testing.T) {
-				i, err := newCUDAImageFromEnv(append(baseEnvvars, tc.env...))
+				i, err := NewCUDAImageFromEnv(append(baseEnvvars, tc.env...))
 				require.NoError(t, err)
 
 				channels := i.ImexChannelsFromEnvVar()
@@ -649,73 +234,6 @@ func TestImexChannelsFromEnvVar(t *testing.T) {
 	}
 }
 
-func TestCDIDeviceRequestsFromAnnotations(t *testing.T) {
-	testCases := []struct {
-		description     string
-		prefixes        []string
-		annotations     map[string]string
-		expectedDevices []string
-	}{
-		{
-			description: "no annotations",
-		},
-		{
-			description: "no matching annotations",
-			prefixes:    []string{"not-prefix/"},
-			annotations: map[string]string{
-				"prefix/foo": "example.com/device=bar",
-			},
-		},
-		{
-			description: "single matching annotation",
-			prefixes:    []string{"prefix/"},
-			annotations: map[string]string{
-				"prefix/foo": "example.com/device=bar",
-			},
-			expectedDevices: []string{"example.com/device=bar"},
-		},
-		{
-			description: "multiple matching annotations",
-			prefixes:    []string{"prefix/", "another-prefix/"},
-			annotations: map[string]string{
-				"prefix/foo":         "example.com/device=bar",
-				"another-prefix/bar": "example.com/device=baz",
-			},
-			expectedDevices: []string{"example.com/device=bar", "example.com/device=baz"},
-		},
-		{
-			description: "multiple matching annotations with duplicate devices",
-			prefixes:    []string{"prefix/", "another-prefix/"},
-			annotations: map[string]string{
-				"prefix/foo":         "example.com/device=bar",
-				"another-prefix/bar": "example.com/device=bar",
-			},
-			expectedDevices: []string{"example.com/device=bar", "example.com/device=bar"},
-		},
-		{
-			description: "invalid devices are returned as is",
-			prefixes:    []string{"prefix/"},
-			annotations: map[string]string{
-				"prefix/foo": "example.com/device",
-			},
-			expectedDevices: []string{"example.com/device"},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			image, err := New(
-				WithAnnotationsPrefixes(tc.prefixes),
-				WithAnnotations(tc.annotations),
-			)
-			require.NoError(t, err)
-
-			devices := image.cdiDeviceRequestsFromAnnotations()
-			require.ElementsMatch(t, tc.expectedDevices, devices)
-		})
-	}
-}
-
 func makeTestMounts(paths ...string) []specs.Mount {
 	var mounts []specs.Mount
 	for _, path := range paths {

internal/config/image/privileged.go

@@ -24,39 +24,20 @@ const (
 	capSysAdmin = "CAP_SYS_ADMIN"
 )
 
-type CapabilitiesGetter interface {
-	GetCapabilities() []string
-}
-
-type OCISpec specs.Spec
-
-type OCISpecCapabilities specs.LinuxCapabilities
-
 // IsPrivileged returns true if the container is a privileged container.
-func IsPrivileged(s CapabilitiesGetter) bool {
-	if s == nil {
+func IsPrivileged(s *specs.Spec) bool {
+	if s.Process.Capabilities == nil {
 		return false
 	}
-	for _, c := range s.GetCapabilities() {
+
+	// We only make sure that the bounding capabibility set has
+	// CAP_SYS_ADMIN. This allows us to make sure that the container was
+	// actually started as '--privileged', but also allow non-root users to
+	// access the privileged NVIDIA capabilities.
+	for _, c := range s.Process.Capabilities.Bounding {
 		if c == capSysAdmin {
 			return true
 		}
 	}
-
 	return false
 }
-
-func (s OCISpec) GetCapabilities() []string {
-	if s.Process == nil || s.Process.Capabilities == nil {
-		return nil
-	}
-	return (*OCISpecCapabilities)(s.Process.Capabilities).GetCapabilities()
-}
-
-func (c OCISpecCapabilities) GetCapabilities() []string {
-	// We only make sure that the bounding capability set has
-	// CAP_SYS_ADMIN. This allows us to make sure that the container was
-	// actually started as '--privileged', but also allow non-root users to
-	// access the privileged NVIDIA capabilities.
-	return c.Bounding
-}

internal/config/image/privileged_test.go

@@ -1,57 +0,0 @@
-/**
-# Copyright (c) NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package image
-
-import (
-	"testing"
-
-	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/stretchr/testify/require"
-)
-
-func TestIsPrivileged(t *testing.T) {
-	var tests = []struct {
-		spec     specs.Spec
-		expected bool
-	}{
-		{
-			specs.Spec{
-				Process: &specs.Process{
-					Capabilities: &specs.LinuxCapabilities{
-						Bounding: []string{"CAP_SYS_ADMIN"},
-					},
-				},
-			},
-			true,
-		},
-		{
-			specs.Spec{
-				Process: &specs.Process{
-					Capabilities: &specs.LinuxCapabilities{
-						Bounding: []string{"CAP_SYS_FOO"},
-					},
-				},
-			},
-			false,
-		},
-	}
-	for i, tc := range tests {
-		privileged := IsPrivileged((*OCISpec)(&tc.spec))
-
-		require.Equal(t, tc.expected, privileged, "%d: %v", i, tc)
-	}
-}

internal/config/toml_test.go

@@ -62,7 +62,7 @@ load-kmods = true
 #debug = "/var/log/nvidia-container-runtime.log"
 log-level = "info"
 mode = "auto"
-runtimes = ["runc", "crun"]
+runtimes = ["docker-runc", "runc", "crun"]
 
 [nvidia-container-runtime.modes]
 

internal/discover/compat_libs.go

@@ -9,12 +9,16 @@ import (
 
 // NewCUDACompatHookDiscoverer creates a discoverer for a enable-cuda-compat hook.
 // This hook is responsible for setting up CUDA compatibility in the container and depends on the host driver version.
-func NewCUDACompatHookDiscoverer(logger logger.Interface, hookCreator HookCreator, driver *root.Driver) Discover {
+func NewCUDACompatHookDiscoverer(logger logger.Interface, nvidiaCDIHookPath string, driver *root.Driver) Discover {
 	_, cudaVersionPattern := getCUDALibRootAndVersionPattern(logger, driver)
 	var args []string
 	if !strings.Contains(cudaVersionPattern, "*") {
 		args = append(args, "--host-driver-version="+cudaVersionPattern)
 	}
 
-	return hookCreator.Create("enable-cuda-compat", args...)
+	return CreateNvidiaCDIHook(
+		nvidiaCDIHookPath,
+		"enable-cuda-compat",
+		args...,
+	)
 }

internal/discover/discover.go

@@ -39,7 +39,7 @@ type Hook struct {
 
 // Discover defines an interface for discovering the devices, mounts, and hooks available on a system
 //
-//go:generate moq -rm -fmt=goimports -stub -out discover_mock.go . Discover
+//go:generate moq -stub -out discover_mock.go . Discover
 type Discover interface {
 	Devices() ([]Device, error)
 	Mounts() ([]Mount, error)

internal/discover/gds.go

@@ -29,11 +29,10 @@ type gdsDeviceDiscoverer struct {
 }
 
 // NewGDSDiscoverer creates a discoverer for GPUDirect Storage devices and mounts.
-func NewGDSDiscoverer(logger logger.Interface, driverRoot string) (Discover, error) {
+func NewGDSDiscoverer(logger logger.Interface, driverRoot string, devRoot string) (Discover, error) {
 	devices := NewCharDeviceDiscoverer(
 		logger,
-		// The /dev/nvidia-fs* devices are always created at /
-		"/",
+		devRoot,
 		[]string{"/dev/nvidia-fs*"},
 	)
 

internal/discover/graphics.go

@@ -20,7 +20,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"runtime"
 	"strings"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config/image"
@@ -37,21 +36,21 @@ import (
 // TODO: The logic for creating DRM devices should be consolidated between this
 // and the logic for generating CDI specs for a single device. This is only used
 // when applying OCI spec modifications to an incoming spec in "legacy" mode.
-func NewDRMNodesDiscoverer(logger logger.Interface, devices image.VisibleDevices, devRoot string, hookCreator HookCreator) (Discover, error) {
+func NewDRMNodesDiscoverer(logger logger.Interface, devices image.VisibleDevices, devRoot string, nvidiaCDIHookPath string) (Discover, error) {
 	drmDeviceNodes, err := newDRMDeviceDiscoverer(logger, devices, devRoot)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create DRM device discoverer: %v", err)
 	}
 
-	drmByPathSymlinks := newCreateDRMByPathSymlinks(logger, drmDeviceNodes, devRoot, hookCreator)
+	drmByPathSymlinks := newCreateDRMByPathSymlinks(logger, drmDeviceNodes, devRoot, nvidiaCDIHookPath)
 
 	discover := Merge(drmDeviceNodes, drmByPathSymlinks)
 	return discover, nil
 }
 
 // NewGraphicsMountsDiscoverer creates a discoverer for the mounts required by graphics tools such as vulkan.
-func NewGraphicsMountsDiscoverer(logger logger.Interface, driver *root.Driver, hookCreator HookCreator) (Discover, error) {
-	libraries := newGraphicsLibrariesDiscoverer(logger, driver, hookCreator)
+func NewGraphicsMountsDiscoverer(logger logger.Interface, driver *root.Driver, nvidiaCDIHookPath string) (Discover, error) {
+	libraries := newGraphicsLibrariesDiscoverer(logger, driver, nvidiaCDIHookPath)
 
 	configs := NewMounts(
 		logger,
@@ -82,38 +81,27 @@ func NewGraphicsMountsDiscoverer(logger logger.Interface, driver *root.Driver, h
 // vulkan ICD files are at {{ .driverRoot }}/vulkan instead of in /etc/vulkan.
 func newVulkanConfigsDiscover(logger logger.Interface, driver *root.Driver) Discover {
 	locator := lookup.First(driver.Configs(), driver.Files())
-
-	required := []string{
-		"vulkan/icd.d/nvidia_icd.json",
-		"vulkan/icd.d/nvidia_layers.json",
-		"vulkan/implicit_layer.d/nvidia_layers.json",
-	}
-	// For some RPM-based driver packages, the vulkan ICD files are installed to
-	// /usr/share/vulkan/icd.d/nvidia_icd.%{_target_cpu}.json
-	// We also include this in the list of candidates for the ICD file.
-	switch runtime.GOARCH {
-	case "amd64":
-		required = append(required, "vulkan/icd.d/nvidia_icd.x86_64.json")
-	case "arm64":
-		required = append(required, "vulkan/icd.d/nvidia_icd.aarch64.json")
-	}
 	return &mountsToContainerPath{
-		logger:        logger,
-		locator:       locator,
-		required:      required,
+		logger:  logger,
+		locator: locator,
+		required: []string{
+			"vulkan/icd.d/nvidia_icd.json",
+			"vulkan/icd.d/nvidia_layers.json",
+			"vulkan/implicit_layer.d/nvidia_layers.json",
+		},
 		containerRoot: "/etc",
 	}
 }
 
 type graphicsDriverLibraries struct {
 	Discover
-	logger      logger.Interface
-	hookCreator HookCreator
+	logger            logger.Interface
+	nvidiaCDIHookPath string
 }
 
 var _ Discover = (*graphicsDriverLibraries)(nil)
 
-func newGraphicsLibrariesDiscoverer(logger logger.Interface, driver *root.Driver, hookCreator HookCreator) Discover {
+func newGraphicsLibrariesDiscoverer(logger logger.Interface, driver *root.Driver, nvidiaCDIHookPath string) Discover {
 	cudaLibRoot, cudaVersionPattern := getCUDALibRootAndVersionPattern(logger, driver)
 
 	libraries := NewMounts(
@@ -152,9 +140,9 @@ func newGraphicsLibrariesDiscoverer(logger logger.Interface, driver *root.Driver
 	)
 
 	return &graphicsDriverLibraries{
-		Discover:    Merge(libraries, xorgLibraries),
-		logger:      logger,
-		hookCreator: hookCreator,
+		Discover:          Merge(libraries, xorgLibraries),
+		logger:            logger,
+		nvidiaCDIHookPath: nvidiaCDIHookPath,
 	}
 }
 
@@ -215,9 +203,9 @@ func (d graphicsDriverLibraries) Hooks() ([]Hook, error) {
 		return nil, nil
 	}
 
-	hook := d.hookCreator.Create("create-symlinks", links...)
+	hooks := CreateCreateSymlinkHook(d.nvidiaCDIHookPath, links)
 
-	return hook.Hooks()
+	return hooks.Hooks()
 }
 
 // isDriverLibrary checks whether the specified filename is a specific driver library.
@@ -287,19 +275,19 @@ func buildXOrgSearchPaths(libRoot string) []string {
 
 type drmDevicesByPath struct {
 	None
-	logger      logger.Interface
-	hookCreator HookCreator
-	devRoot     string
-	devicesFrom Discover
+	logger            logger.Interface
+	nvidiaCDIHookPath string
+	devRoot           string
+	devicesFrom       Discover
 }
 
 // newCreateDRMByPathSymlinks creates a discoverer for a hook to create the by-path symlinks for DRM devices discovered by the specified devices discoverer
-func newCreateDRMByPathSymlinks(logger logger.Interface, devices Discover, devRoot string, hookCreator HookCreator) Discover {
+func newCreateDRMByPathSymlinks(logger logger.Interface, devices Discover, devRoot string, nvidiaCDIHookPath string) Discover {
 	d := drmDevicesByPath{
-		logger:      logger,
-		hookCreator: hookCreator,
-		devRoot:     devRoot,
-		devicesFrom: devices,
+		logger:            logger,
+		nvidiaCDIHookPath: nvidiaCDIHookPath,
+		devRoot:           devRoot,
+		devicesFrom:       devices,
 	}
 
 	return &d
@@ -327,9 +315,13 @@ func (d drmDevicesByPath) Hooks() ([]Hook, error) {
 		args = append(args, "--link", l)
 	}
 
-	hook := d.hookCreator.Create("create-symlinks", args...)
+	hook := CreateNvidiaCDIHook(
+		d.nvidiaCDIHookPath,
+		"create-symlinks",
+		args...,
+	)
 
-	return hook.Hooks()
+	return []Hook{hook}, nil
 }
 
 // getSpecificLinkArgs returns the required specific links that need to be created

internal/discover/graphics_test.go

@@ -25,7 +25,6 @@ import (
 
 func TestGraphicsLibrariesDiscoverer(t *testing.T) {
 	logger, _ := testlog.NewNullLogger()
-	hookCreator := NewHookCreator()
 
 	testCases := []struct {
 		description    string
@@ -140,9 +139,9 @@ func TestGraphicsLibrariesDiscoverer(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
 			d := &graphicsDriverLibraries{
-				Discover:    tc.libraries,
-				logger:      logger,
-				hookCreator: hookCreator,
+				Discover:          tc.libraries,
+				logger:            logger,
+				nvidiaCDIHookPath: "/usr/bin/nvidia-cdi-hook",
 			}
 
 			devices, err := d.Devices()

internal/discover/hooks.go

@@ -23,179 +23,60 @@ import (
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
 
-// A HookName represents a supported CDI hooks.
-type HookName string
-
-const (
-	// AllHooks is a special hook name that allows all hooks to be matched.
-	AllHooks = HookName("all")
-
-	// A ChmodHook is used to set the file mode of the specified paths.
-	// Deprecated: The chmod hook is deprecated and will be removed in a future release.
-	ChmodHook = HookName("chmod")
-	// A CreateSymlinksHook is used to create symlinks in the container.
-	CreateSymlinksHook = HookName("create-symlinks")
-	// DisableDeviceNodeModificationHook refers to the hook used to ensure that
-	// device nodes are not created by libnvidia-ml.so or nvidia-smi in a
-	// container.
-	// Added in v1.17.8
-	DisableDeviceNodeModificationHook = HookName("disable-device-node-modification")
-	// An EnableCudaCompatHook is used to enabled CUDA Forward Compatibility.
-	// Added in v1.17.5
-	EnableCudaCompatHook = HookName("enable-cuda-compat")
-	// An UpdateLDCacheHook is the hook used to update the ldcache in the
-	// container. This allows injected libraries to be discoverable.
-	UpdateLDCacheHook = HookName("update-ldcache")
-
-	defaultNvidiaCDIHookPath = "/usr/bin/nvidia-cdi-hook"
-)
-
 var _ Discover = (*Hook)(nil)
 
 // Devices returns an empty list of devices for a Hook discoverer.
-func (h *Hook) Devices() ([]Device, error) {
+func (h Hook) Devices() ([]Device, error) {
 	return nil, nil
 }
 
 // Mounts returns an empty list of mounts for a Hook discoverer.
-func (h *Hook) Mounts() ([]Mount, error) {
+func (h Hook) Mounts() ([]Mount, error) {
 	return nil, nil
 }
 
 // Hooks allows the Hook type to also implement the Discoverer interface.
 // It returns a single hook
-func (h *Hook) Hooks() ([]Hook, error) {
-	if h == nil {
-		return nil, nil
-	}
-
-	return []Hook{*h}, nil
+func (h Hook) Hooks() ([]Hook, error) {
+	return []Hook{h}, nil
 }
 
-type Option func(*cdiHookCreator)
-
-type cdiHookCreator struct {
-	nvidiaCDIHookPath string
-	disabledHooks     map[HookName]bool
-
-	fixedArgs    []string
-	debugLogging bool
-}
-
-// An allDisabledHookCreator is a HookCreator that does not create any hooks.
-type allDisabledHookCreator struct{}
-
-// Create returns nil for all hooks for an allDisabledHookCreator.
-func (a *allDisabledHookCreator) Create(name HookName, args ...string) *Hook {
-	return nil
-}
-
-// A HookCreator defines an interface for creating discover hooks.
-type HookCreator interface {
-	Create(HookName, ...string) *Hook
-}
-
-// WithDisabledHooks sets the set of hooks that are disabled for the CDI hook creator.
-// This can be specified multiple times.
-func WithDisabledHooks(hooks ...HookName) Option {
-	return func(c *cdiHookCreator) {
-		for _, hook := range hooks {
-			c.disabledHooks[hook] = true
-		}
-	}
-}
-
-// WithNVIDIACDIHookPath sets the path to the nvidia-cdi-hook binary.
-func WithNVIDIACDIHookPath(nvidiaCDIHookPath string) Option {
-	return func(c *cdiHookCreator) {
-		c.nvidiaCDIHookPath = nvidiaCDIHookPath
-	}
-}
-
-func NewHookCreator(opts ...Option) HookCreator {
-	cdiHookCreator := &cdiHookCreator{
-		nvidiaCDIHookPath: defaultNvidiaCDIHookPath,
-		disabledHooks:     make(map[HookName]bool),
-	}
-	for _, opt := range opts {
-		opt(cdiHookCreator)
+// CreateCreateSymlinkHook creates a hook which creates a symlink from link -> target.
+func CreateCreateSymlinkHook(nvidiaCDIHookPath string, links []string) Discover {
+	if len(links) == 0 {
+		return None{}
 	}
 
-	if cdiHookCreator.disabledHooks[AllHooks] {
-		return &allDisabledHookCreator{}
+	var args []string
+	for _, link := range links {
+		args = append(args, "--link", link)
 	}
-
-	cdiHookCreator.fixedArgs = getFixedArgsForCDIHookCLI(cdiHookCreator.nvidiaCDIHookPath)
-
-	return cdiHookCreator
+	return CreateNvidiaCDIHook(
+		nvidiaCDIHookPath,
+		"create-symlinks",
+		args...,
+	)
 }
 
-// Create creates a new hook with the given name and arguments.
-// If a hook is disabled, a nil hook is returned.
-func (c cdiHookCreator) Create(name HookName, args ...string) *Hook {
-	if c.isDisabled(name, args...) {
-		return nil
-	}
+// CreateNvidiaCDIHook creates a hook which invokes the NVIDIA Container CLI hook subcommand.
+func CreateNvidiaCDIHook(nvidiaCDIHookPath string, hookName string, additionalArgs ...string) Hook {
+	return cdiHook(nvidiaCDIHookPath).Create(hookName, additionalArgs...)
+}
 
-	return &Hook{
+type cdiHook string
+
+func (c cdiHook) Create(name string, args ...string) Hook {
+	return Hook{
 		Lifecycle: cdi.CreateContainerHook,
-		Path:      c.nvidiaCDIHookPath,
-		Args:      append(c.requiredArgs(name), c.transformArgs(name, args...)...),
-		Env:       []string{fmt.Sprintf("NVIDIA_CTK_DEBUG=%v", c.debugLogging)},
+		Path:      string(c),
+		Args:      append(c.requiredArgs(name), args...),
+		Env:       []string{fmt.Sprintf("NVIDIA_CTK_DEBUG=%v", false)},
 	}
 }
-
-// isDisabled checks if the specified hook name is disabled.
-func (c cdiHookCreator) isDisabled(name HookName, args ...string) bool {
-	if c.disabledHooks[name] {
-		return true
-	}
-
-	switch name {
-	case CreateSymlinksHook:
-		if len(args) == 0 {
-			return true
-		}
-	case ChmodHook:
-		if len(args) == 0 {
-			return true
-		}
-	}
-	return false
-}
-
-func (c cdiHookCreator) requiredArgs(name HookName) []string {
-	return append(c.fixedArgs, string(name))
-}
-
-func (c cdiHookCreator) transformArgs(name HookName, args ...string) []string {
-	switch name {
-	case CreateSymlinksHook:
-		var transformedArgs []string
-		for _, arg := range args {
-			transformedArgs = append(transformedArgs, "--link", arg)
-		}
-		return transformedArgs
-	case ChmodHook:
-		var transformedArgs = []string{"--mode", "755"}
-		for _, arg := range args {
-			transformedArgs = append(transformedArgs, "--path", arg)
-		}
-		return transformedArgs
-	default:
-		return args
-	}
-}
-
-// getFixedArgsForCDIHookCLI returns the fixed arguments for the hook CLI.
-// If the nvidia-ctk binary is used, hooks are implemented under the hook
-// subcommand.
-// For the nvidia-cdi-hook binary, the hooks are implemented as subcommands of
-// the top-level CLI.
-func getFixedArgsForCDIHookCLI(nvidiaCDIHookPath string) []string {
-	base := filepath.Base(nvidiaCDIHookPath)
+func (c cdiHook) requiredArgs(name string) []string {
+	base := filepath.Base(string(c))
 	if base == "nvidia-ctk" {
-		return []string{base, "hook"}
+		return []string{base, "hook", name}
 	}
-	return []string{base}
+	return []string{base, name}
 }

internal/discover/ipc_test.go

@@ -52,8 +52,7 @@ func TestIPCMounts(t *testing.T) {
 					"ro",
 					"nosuid",
 					"nodev",
-					"rbind",
-					"rprivate",
+					"bind",
 					"noexec",
 				},
 			},

internal/discover/ldconfig.go

@@ -25,12 +25,12 @@ import (
 )
 
 // NewLDCacheUpdateHook creates a discoverer that updates the ldcache for the specified mounts. A logger can also be specified
-func NewLDCacheUpdateHook(logger logger.Interface, mounts Discover, hookCreator HookCreator, ldconfigPath string) (Discover, error) {
+func NewLDCacheUpdateHook(logger logger.Interface, mounts Discover, nvidiaCDIHookPath, ldconfigPath string) (Discover, error) {
 	d := ldconfig{
-		logger:       logger,
-		hookCreator:  hookCreator,
-		ldconfigPath: ldconfigPath,
-		mountsFrom:   mounts,
+		logger:            logger,
+		nvidiaCDIHookPath: nvidiaCDIHookPath,
+		ldconfigPath:      ldconfigPath,
+		mountsFrom:        mounts,
 	}
 
 	return &d, nil
@@ -38,10 +38,10 @@ func NewLDCacheUpdateHook(logger logger.Interface, mounts Discover, hookCreator
 
 type ldconfig struct {
 	None
-	logger       logger.Interface
-	hookCreator  HookCreator
-	ldconfigPath string
-	mountsFrom   Discover
+	logger            logger.Interface
+	nvidiaCDIHookPath string
+	ldconfigPath      string
+	mountsFrom        Discover
 }
 
 // Hooks checks the required mounts for libraries and returns a hook to update the LDcache for the discovered paths.
@@ -50,18 +50,16 @@ func (d ldconfig) Hooks() ([]Hook, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to discover mounts for ldcache update: %v", err)
 	}
-
-	h := createLDCacheUpdateHook(
-		d.hookCreator,
+	h := CreateLDCacheUpdateHook(
+		d.nvidiaCDIHookPath,
 		d.ldconfigPath,
 		getLibraryPaths(mounts),
 	)
-
-	return h.Hooks()
+	return []Hook{h}, nil
 }
 
-// createLDCacheUpdateHook locates the NVIDIA Container Toolkit CLI and creates a hook for updating the LD Cache
-func createLDCacheUpdateHook(hookCreator HookCreator, ldconfig string, libraries []string) *Hook {
+// CreateLDCacheUpdateHook locates the NVIDIA Container Toolkit CLI and creates a hook for updating the LD Cache
+func CreateLDCacheUpdateHook(executable string, ldconfig string, libraries []string) Hook {
 	var args []string
 
 	if ldconfig != "" {
@@ -72,7 +70,13 @@ func createLDCacheUpdateHook(hookCreator HookCreator, ldconfig string, libraries
 		args = append(args, "--folder", f)
 	}
 
-	return hookCreator.Create(UpdateLDCacheHook, args...)
+	hook := CreateNvidiaCDIHook(
+		executable,
+		"update-ldcache",
+		args...,
+	)
+
+	return hook
 }
 
 // getLibraryPaths extracts the library dirs from the specified mounts

internal/discover/ldconfig_test.go

@@ -31,7 +31,6 @@ const (
 
 func TestLDCacheUpdateHook(t *testing.T) {
 	logger, _ := testlog.NewNullLogger()
-	hookCreator := NewHookCreator(WithNVIDIACDIHookPath(testNvidiaCDIHookPath))
 
 	testCases := []struct {
 		description   string
@@ -99,7 +98,7 @@ func TestLDCacheUpdateHook(t *testing.T) {
 				Env:       []string{"NVIDIA_CTK_DEBUG=false"},
 			}
 
-			d, err := NewLDCacheUpdateHook(logger, mountMock, hookCreator, tc.ldconfigPath)
+			d, err := NewLDCacheUpdateHook(logger, mountMock, testNvidiaCDIHookPath, tc.ldconfigPath)
 			require.NoError(t, err)
 
 			hooks, err := d.Hooks()

internal/discover/mounts-to-container-path.go

@@ -71,8 +71,7 @@ func (d *mountsToContainerPath) Mounts() ([]Mount, error) {
 				"ro",
 				"nosuid",
 				"nodev",
-				"rbind",
-				"rprivate",
+				"bind",
 			},
 		}
 		mounts = append(mounts, mount)

internal/discover/mounts-to-container-path_test.go

@@ -32,8 +32,7 @@ func TestMountsToContainerPath(t *testing.T) {
 		"ro",
 		"nosuid",
 		"nodev",
-		"rbind",
-		"rprivate",
+		"bind",
 	}
 
 	testCases := []struct {

internal/discover/mounts.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
@@ -34,13 +35,15 @@ type mounts struct {
 	lookup   lookup.Locator
 	root     string
 	required []string
+	sync.Mutex
+	cache []Mount
 }
 
 var _ Discover = (*mounts)(nil)
 
 // NewMounts creates a discoverer for the required mounts using the specified locator.
 func NewMounts(logger logger.Interface, lookup lookup.Locator, root string, required []string) Discover {
-	return WithCache(newMounts(logger, lookup, root, required))
+	return newMounts(logger, lookup, root, required)
 }
 
 // newMounts creates a discoverer for the required mounts using the specified locator.
@@ -58,6 +61,14 @@ func (d *mounts) Mounts() ([]Mount, error) {
 		return nil, fmt.Errorf("no lookup defined")
 	}
 
+	if d.cache != nil {
+		d.logger.Debugf("returning cached mounts")
+		return d.cache, nil
+	}
+
+	d.Lock()
+	defer d.Unlock()
+
 	var mounts []Mount
 	seen := make(map[string]bool)
 	for _, candidate := range d.required {
@@ -91,8 +102,7 @@ func (d *mounts) Mounts() ([]Mount, error) {
 					"ro",
 					"nosuid",
 					"nodev",
-					"rbind",
-					"rprivate",
+					"bind",
 				},
 			}
 			mounts = append(mounts, mount)
@@ -100,7 +110,9 @@ func (d *mounts) Mounts() ([]Mount, error) {
 		}
 	}
 
-	return mounts, nil
+	d.cache = mounts
+
+	return d.cache, nil
 }
 
 // relativeTo returns the path relative to the root for the file locator

internal/discover/mounts_test.go

@@ -41,8 +41,7 @@ func TestMounts(t *testing.T) {
 		"ro",
 		"nosuid",
 		"nodev",
-		"rbind",
-		"rprivate",
+		"bind",
 	}
 
 	logger, _ := testlog.NewNullLogger()

internal/discover/symlinks.go

@@ -23,26 +23,26 @@ import (
 
 type additionalSymlinks struct {
 	Discover
-	version     string
-	hookCreator HookCreator
+	version           string
+	nvidiaCDIHookPath string
 }
 
 // WithDriverDotSoSymlinks decorates the provided discoverer.
 // A hook is added that checks for specific driver symlinks that need to be created.
-func WithDriverDotSoSymlinks(mounts Discover, version string, hookCreator HookCreator) Discover {
+func WithDriverDotSoSymlinks(mounts Discover, version string, nvidiaCDIHookPath string) Discover {
 	if version == "" {
 		version = "*.*"
 	}
 	return &additionalSymlinks{
-		Discover:    mounts,
-		hookCreator: hookCreator,
-		version:     version,
+		Discover:          mounts,
+		nvidiaCDIHookPath: nvidiaCDIHookPath,
+		version:           version,
 	}
 }
 
 // Hooks returns a hook to create the additional symlinks based on the mounts.
 func (d *additionalSymlinks) Hooks() ([]Hook, error) {
-	mounts, err := d.Mounts()
+	mounts, err := d.Discover.Mounts()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get library mounts: %v", err)
 	}
@@ -73,12 +73,8 @@ func (d *additionalSymlinks) Hooks() ([]Hook, error) {
 		return hooks, nil
 	}
 
-	createSymlinkHooks, err := d.hookCreator.Create("create-symlinks", links...).Hooks()
-	if err != nil {
-		return nil, fmt.Errorf("failed to create symlink hook: %v", err)
-	}
-
-	return append(hooks, createSymlinkHooks...), nil
+	hook := CreateCreateSymlinkHook(d.nvidiaCDIHookPath, links).(Hook)
+	return append(hooks, hook), nil
 }
 
 // getLinksForMount maps the path to created links if any.

internal/discover/symlinks_test.go

@@ -113,7 +113,7 @@ func TestWithWithDriverDotSoSymlinks(t *testing.T) {
 			expectedHooks: []Hook{
 				{
 					Lifecycle: "createContainer",
-					Path:      "/usr/bin/nvidia-cdi-hook",
+					Path:      "/path/to/nvidia-cdi-hook",
 					Args:      []string{"nvidia-cdi-hook", "create-symlinks", "--link", "libcuda.so.1::/usr/lib/libcuda.so"},
 					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
 				},
@@ -146,7 +146,7 @@ func TestWithWithDriverDotSoSymlinks(t *testing.T) {
 			expectedHooks: []Hook{
 				{
 					Lifecycle: "createContainer",
-					Path:      "/usr/bin/nvidia-cdi-hook",
+					Path:      "/path/to/nvidia-cdi-hook",
 					Args:      []string{"nvidia-cdi-hook", "create-symlinks", "--link", "libcuda.so.1::/usr/lib/libcuda.so"},
 					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
 				},
@@ -178,7 +178,7 @@ func TestWithWithDriverDotSoSymlinks(t *testing.T) {
 			expectedHooks: []Hook{
 				{
 					Lifecycle: "createContainer",
-					Path:      "/usr/bin/nvidia-cdi-hook",
+					Path:      "/path/to/nvidia-cdi-hook",
 					Args:      []string{"nvidia-cdi-hook", "create-symlinks", "--link", "libcuda.so.1::/usr/lib/libcuda.so"},
 					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
 				},
@@ -248,7 +248,7 @@ func TestWithWithDriverDotSoSymlinks(t *testing.T) {
 				},
 				{
 					Lifecycle: "createContainer",
-					Path:      "/usr/bin/nvidia-cdi-hook",
+					Path:      "/path/to/nvidia-cdi-hook",
 					Args:      []string{"nvidia-cdi-hook", "create-symlinks", "--link", "libcuda.so.1::/usr/lib/libcuda.so"},
 					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
 				},
@@ -298,7 +298,7 @@ func TestWithWithDriverDotSoSymlinks(t *testing.T) {
 			expectedHooks: []Hook{
 				{
 					Lifecycle: "createContainer",
-					Path:      "/usr/bin/nvidia-cdi-hook",
+					Path:      "/path/to/nvidia-cdi-hook",
 					Args: []string{
 						"nvidia-cdi-hook", "create-symlinks",
 						"--link", "libcuda.so.1::/usr/lib/libcuda.so",
@@ -311,13 +311,12 @@ func TestWithWithDriverDotSoSymlinks(t *testing.T) {
 		},
 	}
 
-	hookCreator := NewHookCreator()
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
 			d := WithDriverDotSoSymlinks(
 				tc.discover,
 				tc.version,
-				hookCreator,
+				"/path/to/nvidia-cdi-hook",
 			)
 
 			devices, err := d.Devices()

internal/edits/hook.go

@@ -38,11 +38,15 @@ func (d hook) toEdits() *cdi.ContainerEdits {
 // toSpec converts a discovered Hook to a CDI Spec Hook. Note
 // that missing info is filled in when edits are applied by querying the Hook node.
 func (d hook) toSpec() *specs.Hook {
+	env := d.Env
+	if env == nil {
+		env = []string{"NVIDIA_CTK_DEBUG=false"}
+	}
 	s := specs.Hook{
 		HookName: d.Lifecycle,
 		Path:     d.Path,
 		Args:     d.Args,
-		Env:      d.Env,
+		Env:      env,
 	}
 
 	return &s

internal/info/auto_test.go

@@ -184,7 +184,7 @@ func TestResolveAutoMode(t *testing.T) {
 			expectedMode: "legacy",
 		},
 		{
-			description: "cdi mount and non-CDI envvar resolves to cdi",
+			description: "cdi mount and non-CDI envvar resolves to legacy",
 			mode:        "auto",
 			envmap: map[string]string{
 				"NVIDIA_VISIBLE_DEVICES": "0",
@@ -197,22 +197,6 @@ func TestResolveAutoMode(t *testing.T) {
 				"tegra": false,
 				"nvgpu": false,
 			},
-			expectedMode: "cdi",
-		},
-		{
-			description: "non-cdi mount and CDI envvar resolves to legacy",
-			mode:        "auto",
-			envmap: map[string]string{
-				"NVIDIA_VISIBLE_DEVICES": "nvidia.com/gpu=0",
-			},
-			mounts: []string{
-				"/var/run/nvidia-container-devices/0",
-			},
-			info: map[string]bool{
-				"nvml":  true,
-				"tegra": false,
-				"nvgpu": false,
-			},
 			expectedMode: "legacy",
 		},
 	}
@@ -248,8 +232,6 @@ func TestResolveAutoMode(t *testing.T) {
 			image, _ := image.New(
 				image.WithEnvMap(tc.envmap),
 				image.WithMounts(mounts),
-				image.WithAcceptDeviceListAsVolumeMounts(true),
-				image.WithAcceptEnvvarUnprivileged(true),
 			)
 			mode := resolveMode(logger, tc.mode, image, properties)
 			require.EqualValues(t, tc.expectedMode, mode)

internal/info/proc/devices/devices.go

@@ -49,7 +49,7 @@ type Major int
 
 // Devices represents the set of devices under /proc/devices
 //
-//go:generate moq -rm -fmt=goimports -stub -out devices_mock.go . Devices
+//go:generate moq -stub -out devices_mock.go . Devices
 type Devices interface {
 	Exists(Name) bool
 	Get(Name) (Major, bool)

internal/ldcache/ldcache.go

@@ -84,7 +84,7 @@ type entry2 struct {
 
 // LDCache represents the interface for performing lookups into the LDCache
 //
-//go:generate moq -rm -fmt=goimports -out ldcache_mock.go . LDCache
+//go:generate moq -rm -out ldcache_mock.go . LDCache
 type LDCache interface {
 	List() ([]string, []string)
 }

internal/lookup/device.go

@@ -28,15 +28,9 @@ const (
 // NewCharDeviceLocator creates a Locator that can be used to find char devices at the specified root. A logger is
 // also specified.
 func NewCharDeviceLocator(opts ...Option) Locator {
-	filter := assertCharDevice
-	// TODO: We should have a better way to inject this logic than this envvar.
-	if os.Getenv("__NVCT_TESTING_DEVICES_ARE_FILES") == "true" {
-		filter = assertFile
-	}
-
 	opts = append(opts,
 		WithSearchPaths("", devRoot),
-		WithFilter(filter),
+		WithFilter(assertCharDevice),
 	)
 	return NewFileLocator(
 		opts...,

internal/lookup/locator.go

@@ -18,7 +18,7 @@ package lookup
 
 import "errors"
 
-//go:generate moq -rm -fmt=goimports -stub -out locator_mock.go . Locator
+//go:generate moq -stub -out locator_mock.go . Locator
 
 // Locator defines the interface for locating files on a system.
 type Locator interface {

internal/modifier/cdi.go

@@ -18,6 +18,7 @@ package modifier
 
 import (
 	"fmt"
+	"strings"
 
 	"tags.cncf.io/container-device-interface/pkg/parser"
 
@@ -33,13 +34,11 @@ import (
 // NewCDIModifier creates an OCI spec modifier that determines the modifications to make based on the
 // CDI specifications available on the system. The NVIDIA_VISIBLE_DEVICES environment variable is
 // used to select the devices to include.
-func NewCDIModifier(logger logger.Interface, cfg *config.Config, image image.CUDA) (oci.SpecModifier, error) {
-	deviceRequestor := newCDIDeviceRequestor(
-		logger,
-		image,
-		cfg.NVIDIAContainerRuntimeConfig.Modes.CDI.DefaultKind,
-	)
-	devices := deviceRequestor.DeviceRequests()
+func NewCDIModifier(logger logger.Interface, cfg *config.Config, ociSpec oci.Spec) (oci.SpecModifier, error) {
+	devices, err := getDevicesFromSpec(logger, ociSpec, cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get required devices from OCI specification: %v", err)
+	}
 	if len(devices) == 0 {
 		logger.Debugf("No devices requested; no modification required.")
 		return nil, nil
@@ -66,38 +65,87 @@ func NewCDIModifier(logger logger.Interface, cfg *config.Config, image image.CUD
 	)
 }
 
-type deviceRequestor interface {
-	DeviceRequests() []string
-}
-
-type cdiDeviceRequestor struct {
-	image       image.CUDA
-	logger      logger.Interface
-	defaultKind string
-}
-
-func newCDIDeviceRequestor(logger logger.Interface, image image.CUDA, defaultKind string) deviceRequestor {
-	c := &cdiDeviceRequestor{
-		logger:      logger,
-		image:       image,
-		defaultKind: defaultKind,
+func getDevicesFromSpec(logger logger.Interface, ociSpec oci.Spec, cfg *config.Config) ([]string, error) {
+	rawSpec, err := ociSpec.Load()
+	if err != nil {
+		return nil, fmt.Errorf("failed to load OCI spec: %v", err)
 	}
-	return withUniqueDevices(c)
-}
 
-func (c *cdiDeviceRequestor) DeviceRequests() []string {
-	if c == nil {
-		return nil
+	annotationDevices, err := getAnnotationDevices(cfg.NVIDIAContainerRuntimeConfig.Modes.CDI.AnnotationPrefixes, rawSpec.Annotations)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse container annotations: %v", err)
 	}
+	if len(annotationDevices) > 0 {
+		return annotationDevices, nil
+	}
+
+	container, err := image.NewCUDAImageFromSpec(rawSpec)
+	if err != nil {
+		return nil, err
+	}
+	if cfg.AcceptDeviceListAsVolumeMounts {
+		mountDevices := container.CDIDevicesFromMounts()
+		if len(mountDevices) > 0 {
+			return mountDevices, nil
+		}
+	}
+
 	var devices []string
-	for _, name := range c.image.VisibleDevices() {
+	seen := make(map[string]bool)
+	for _, name := range container.VisibleDevicesFromEnvVar() {
 		if !parser.IsQualifiedName(name) {
-			name = fmt.Sprintf("%s=%s", c.defaultKind, name)
+			name = fmt.Sprintf("%s=%s", cfg.NVIDIAContainerRuntimeConfig.Modes.CDI.DefaultKind, name)
+		}
+		if seen[name] {
+			logger.Debugf("Ignoring duplicate device %q", name)
+			continue
 		}
 		devices = append(devices, name)
 	}
 
-	return devices
+	if len(devices) == 0 {
+		return nil, nil
+	}
+
+	if cfg.AcceptEnvvarUnprivileged || image.IsPrivileged(rawSpec) {
+		return devices, nil
+	}
+
+	logger.Warningf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES: %v", devices)
+
+	return nil, nil
+}
+
+// getAnnotationDevices returns a list of devices specified in the annotations.
+// Keys starting with the specified prefixes are considered and expected to contain a comma-separated list of
+// fully-qualified CDI devices names. If any device name is not fully-quality an error is returned.
+// The list of returned devices is deduplicated.
+func getAnnotationDevices(prefixes []string, annotations map[string]string) ([]string, error) {
+	devicesByKey := make(map[string][]string)
+	for key, value := range annotations {
+		for _, prefix := range prefixes {
+			if strings.HasPrefix(key, prefix) {
+				devicesByKey[key] = strings.Split(value, ",")
+			}
+		}
+	}
+
+	seen := make(map[string]bool)
+	var annotationDevices []string
+	for key, devices := range devicesByKey {
+		for _, device := range devices {
+			if !parser.IsQualifiedName(device) {
+				return nil, fmt.Errorf("invalid device name %q in annotation %q", device, key)
+			}
+			if seen[device] {
+				continue
+			}
+			annotationDevices = append(annotationDevices, device)
+			seen[device] = true
+		}
+	}
+
+	return annotationDevices, nil
 }
 
 // filterAutomaticDevices searches for "automatic" device names in the input slice.
@@ -121,7 +169,7 @@ func newAutomaticCDISpecModifier(logger logger.Interface, cfg *config.Config, de
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate CDI spec: %w", err)
 	}
-	cdiDeviceRequestor, err := cdi.New(
+	cdiModifier, err := cdi.New(
 		cdi.WithLogger(logger),
 		cdi.WithSpec(spec.Raw()),
 	)
@@ -129,7 +177,7 @@ func newAutomaticCDISpecModifier(logger logger.Interface, cfg *config.Config, de
 		return nil, fmt.Errorf("failed to construct CDI modifier: %w", err)
 	}
 
-	return cdiDeviceRequestor, nil
+	return cdiModifier, nil
 }
 
 func generateAutomaticCDISpec(logger logger.Interface, cfg *config.Config, devices []string) (spec.Interface, error) {
@@ -144,35 +192,26 @@ func generateAutomaticCDISpec(logger logger.Interface, cfg *config.Config, devic
 		return nil, fmt.Errorf("failed to construct CDI library: %w", err)
 	}
 
-	var identifiers []string
+	identifiers := []string{}
 	for _, device := range devices {
 		_, _, id := parser.ParseDevice(device)
 		identifiers = append(identifiers, id)
 	}
 
-	return cdilib.GetSpec(identifiers...)
-}
-
-type deduplicatedDeviceRequestor struct {
-	deviceRequestor
-}
-
-func withUniqueDevices(deviceRequestor deviceRequestor) deviceRequestor {
-	return &deduplicatedDeviceRequestor{deviceRequestor: deviceRequestor}
-}
-
-func (d *deduplicatedDeviceRequestor) DeviceRequests() []string {
-	if d == nil {
-		return nil
+	deviceSpecs, err := cdilib.GetDeviceSpecsByID(identifiers...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get CDI device specs: %w", err)
 	}
-	seen := make(map[string]bool)
-	var devices []string
-	for _, device := range d.deviceRequestor.DeviceRequests() {
-		if seen[device] {
-			continue
-		}
-		seen[device] = true
-		devices = append(devices, device)
+
+	commonEdits, err := cdilib.GetCommonEdits()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get common CDI spec edits: %w", err)
 	}
-	return devices
+
+	return spec.New(
+		spec.WithDeviceSpecs(deviceSpecs),
+		spec.WithEdits(*commonEdits.ContainerEdits),
+		spec.WithVendor("runtime.nvidia.com"),
+		spec.WithClass("gpu"),
+	)
 }

internal/modifier/cdi_test.go

@@ -17,144 +17,76 @@
 package modifier
 
 import (
+	"fmt"
 	"testing"
 
-	"github.com/opencontainers/runtime-spec/specs-go"
-	testlog "github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/require"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/config/image"
 )
 
-func TestDeviceRequests(t *testing.T) {
-	logger, _ := testlog.NewNullLogger()
-
+func TestGetAnnotationDevices(t *testing.T) {
 	testCases := []struct {
 		description     string
-		input           cdiDeviceRequestor
-		spec            *specs.Spec
 		prefixes        []string
+		annotations     map[string]string
 		expectedDevices []string
+		expectedError   error
 	}{
 		{
-			description: "empty spec yields no devices",
-		},
-		{
-			description: "cdi devices from mounts",
-			input: cdiDeviceRequestor{
-				defaultKind: "nvidia.com/gpu",
-			},
-			spec: &specs.Spec{
-				Mounts: []specs.Mount{
-					{
-						Destination: "/var/run/nvidia-container-devices/cdi/nvidia.com/gpu/0",
-						Source:      "/dev/null",
-					},
-					{
-						Destination: "/var/run/nvidia-container-devices/cdi/nvidia.com/gpu/1",
-						Source:      "/dev/null",
-					},
-				},
-			},
-			expectedDevices: []string{"nvidia.com/gpu=0", "nvidia.com/gpu=1"},
-		},
-		{
-			description: "cdi devices from envvar",
-			input: cdiDeviceRequestor{
-				defaultKind: "nvidia.com/gpu",
-			},
-			spec: &specs.Spec{
-				Process: &specs.Process{
-					Env: []string{"NVIDIA_VISIBLE_DEVICES=0,example.com/class=device"},
-				},
-			},
-			expectedDevices: []string{"nvidia.com/gpu=0", "example.com/class=device"},
+			description: "no annotations",
 		},
 		{
 			description: "no matching annotations",
 			prefixes:    []string{"not-prefix/"},
-			spec: &specs.Spec{
-				Annotations: map[string]string{
-					"prefix/foo": "example.com/device=bar",
-				},
+			annotations: map[string]string{
+				"prefix/foo": "example.com/device=bar",
 			},
 		},
 		{
 			description: "single matching annotation",
 			prefixes:    []string{"prefix/"},
-			spec: &specs.Spec{
-				Annotations: map[string]string{
-					"prefix/foo": "example.com/device=bar",
-				},
+			annotations: map[string]string{
+				"prefix/foo": "example.com/device=bar",
 			},
 			expectedDevices: []string{"example.com/device=bar"},
 		},
 		{
 			description: "multiple matching annotations",
 			prefixes:    []string{"prefix/", "another-prefix/"},
-			spec: &specs.Spec{
-				Annotations: map[string]string{
-					"prefix/foo":         "example.com/device=bar",
-					"another-prefix/bar": "example.com/device=baz",
-				},
+			annotations: map[string]string{
+				"prefix/foo":         "example.com/device=bar",
+				"another-prefix/bar": "example.com/device=baz",
 			},
 			expectedDevices: []string{"example.com/device=bar", "example.com/device=baz"},
 		},
 		{
 			description: "multiple matching annotations with duplicate devices",
 			prefixes:    []string{"prefix/", "another-prefix/"},
-			spec: &specs.Spec{
-				Annotations: map[string]string{
-					"prefix/foo":         "example.com/device=bar",
-					"another-prefix/bar": "example.com/device=bar",
-				},
+			annotations: map[string]string{
+				"prefix/foo":         "example.com/device=bar",
+				"another-prefix/bar": "example.com/device=bar",
 			},
-			expectedDevices: []string{"example.com/device=bar", "example.com/device=bar"},
+			expectedDevices: []string{"example.com/device=bar"},
 		},
 		{
-			description: "devices in annotations are expanded",
-			input: cdiDeviceRequestor{
-				defaultKind: "nvidia.com/gpu",
+			description: "invalid devices",
+			prefixes:    []string{"prefix/"},
+			annotations: map[string]string{
+				"prefix/foo": "example.com/device",
 			},
-			prefixes: []string{"prefix/"},
-			spec: &specs.Spec{
-				Annotations: map[string]string{
-					"prefix/foo": "device",
-				},
-			},
-			expectedDevices: []string{"nvidia.com/gpu=device"},
-		},
-		{
-			description: "invalid devices in annotations are treated as strings",
-			input: cdiDeviceRequestor{
-				defaultKind: "nvidia.com/gpu",
-			},
-			prefixes: []string{"prefix/"},
-			spec: &specs.Spec{
-				Annotations: map[string]string{
-					"prefix/foo": "example.com/device",
-				},
-			},
-			expectedDevices: []string{"nvidia.com/gpu=example.com/device"},
+			expectedError: fmt.Errorf("invalid device %q", "example.com/device"),
 		},
 	}
 
 	for _, tc := range testCases {
-		tc.input.logger = logger
-
-		image, err := image.NewCUDAImageFromSpec(
-			tc.spec,
-			image.WithAcceptDeviceListAsVolumeMounts(true),
-			image.WithAcceptEnvvarUnprivileged(true),
-			image.WithAnnotationsPrefixes(tc.prefixes),
-		)
-		require.NoError(t, err)
-		tc.input.image = image
-
 		t.Run(tc.description, func(t *testing.T) {
-			devices := tc.input.DeviceRequests()
+			devices, err := getAnnotationDevices(tc.prefixes, tc.annotations)
+			if tc.expectedError != nil {
+				require.Error(t, err)
+				return
+			}
+
 			require.NoError(t, err)
-			require.EqualValues(t, tc.expectedDevices, devices)
+			require.ElementsMatch(t, tc.expectedDevices, devices)
 		})
 	}
 }

internal/modifier/discover_test.go

@@ -78,12 +78,14 @@ func TestDiscoverModifier(t *testing.T) {
 						{
 							Path: "/hook/a",
 							Args: []string{"/hook/a", "arga"},
+							Env:  []string{"NVIDIA_CTK_DEBUG=false"},
 						},
 					},
 					CreateContainer: []specs.Hook{
 						{
 							Path: "/hook/b",
 							Args: []string{"/hook/b", "argb"},
+							Env:  []string{"NVIDIA_CTK_DEBUG=false"},
 						},
 					},
 				},
@@ -123,6 +125,7 @@ func TestDiscoverModifier(t *testing.T) {
 						{
 							Path: "/hook/b",
 							Args: []string{"/hook/b", "argb"},
+							Env:  []string{"NVIDIA_CTK_DEBUG=false"},
 						},
 					},
 				},

internal/modifier/gated.go

@@ -36,7 +36,7 @@ import (
 //	NVIDIA_GDRCOPY=enabled
 //
 // If not devices are selected, no changes are made.
-func NewFeatureGatedModifier(logger logger.Interface, cfg *config.Config, image image.CUDA, driver *root.Driver, hookCreator discover.HookCreator) (oci.SpecModifier, error) {
+func NewFeatureGatedModifier(logger logger.Interface, cfg *config.Config, image image.CUDA, driver *root.Driver) (oci.SpecModifier, error) {
 	if devices := image.VisibleDevicesFromEnvVar(); len(devices) == 0 {
 		logger.Infof("No modification required; no devices requested")
 		return nil, nil
@@ -48,7 +48,7 @@ func NewFeatureGatedModifier(logger logger.Interface, cfg *config.Config, image
 	devRoot := cfg.NVIDIAContainerCLIConfig.Root
 
 	if image.Getenv("NVIDIA_GDS") == "enabled" {
-		d, err := discover.NewGDSDiscoverer(logger, driverRoot)
+		d, err := discover.NewGDSDiscoverer(logger, driverRoot, devRoot)
 		if err != nil {
 			return nil, fmt.Errorf("failed to construct discoverer for GDS devices: %w", err)
 		}
@@ -81,7 +81,7 @@ func NewFeatureGatedModifier(logger logger.Interface, cfg *config.Config, image
 
 	// If the feature flag has explicitly been toggled, we don't make any modification.
 	if !cfg.Features.DisableCUDACompatLibHook.IsEnabled() {
-		cudaCompatDiscoverer, err := getCudaCompatModeDiscoverer(logger, cfg, driver, hookCreator)
+		cudaCompatDiscoverer, err := getCudaCompatModeDiscoverer(logger, cfg, driver)
 		if err != nil {
 			return nil, fmt.Errorf("failed to construct CUDA Compat discoverer: %w", err)
 		}
@@ -91,13 +91,13 @@ func NewFeatureGatedModifier(logger logger.Interface, cfg *config.Config, image
 	return NewModifierFromDiscoverer(logger, discover.Merge(discoverers...))
 }
 
-func getCudaCompatModeDiscoverer(logger logger.Interface, cfg *config.Config, driver *root.Driver, hookCreator discover.HookCreator) (discover.Discover, error) {
+func getCudaCompatModeDiscoverer(logger logger.Interface, cfg *config.Config, driver *root.Driver) (discover.Discover, error) {
 	// For legacy mode, we only include the enable-cuda-compat hook if cuda-compat-mode is set to hook.
 	if cfg.NVIDIAContainerRuntimeConfig.Mode == "legacy" && cfg.NVIDIAContainerRuntimeConfig.Modes.Legacy.CUDACompatMode != config.CUDACompatModeHook {
 		return nil, nil
 	}
 
-	compatLibHookDiscoverer := discover.NewCUDACompatHookDiscoverer(logger, hookCreator, driver)
+	compatLibHookDiscoverer := discover.NewCUDACompatHookDiscoverer(logger, cfg.NVIDIACTKConfig.Path, driver)
 	// For non-legacy modes we return the hook as is. These modes *should* already include the update-ldcache hook.
 	if cfg.NVIDIAContainerRuntimeConfig.Mode != "legacy" {
 		return compatLibHookDiscoverer, nil
@@ -108,7 +108,7 @@ func getCudaCompatModeDiscoverer(logger logger.Interface, cfg *config.Config, dr
 	ldcacheUpdateHookDiscoverer, err := discover.NewLDCacheUpdateHook(
 		logger,
 		discover.None{},
-		hookCreator,
+		cfg.NVIDIACTKConfig.Path,
 		"",
 	)
 	if err != nil {

internal/modifier/graphics.go

@@ -29,16 +29,18 @@ import (
 
 // NewGraphicsModifier constructs a modifier that injects graphics-related modifications into an OCI runtime specification.
 // The value of the NVIDIA_DRIVER_CAPABILITIES environment variable is checked to determine if this modification should be made.
-func NewGraphicsModifier(logger logger.Interface, cfg *config.Config, containerImage image.CUDA, driver *root.Driver, hookCreator discover.HookCreator) (oci.SpecModifier, error) {
+func NewGraphicsModifier(logger logger.Interface, cfg *config.Config, containerImage image.CUDA, driver *root.Driver) (oci.SpecModifier, error) {
 	if required, reason := requiresGraphicsModifier(containerImage); !required {
 		logger.Infof("No graphics modifier required: %v", reason)
 		return nil, nil
 	}
 
+	nvidiaCDIHookPath := cfg.NVIDIACTKConfig.Path
+
 	mounts, err := discover.NewGraphicsMountsDiscoverer(
 		logger,
 		driver,
-		hookCreator,
+		nvidiaCDIHookPath,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create mounts discoverer: %v", err)
@@ -50,7 +52,7 @@ func NewGraphicsModifier(logger logger.Interface, cfg *config.Config, containerI
 		logger,
 		containerImage.DevicesFromEnvvars(image.EnvVarNvidiaVisibleDevices),
 		devRoot,
-		hookCreator,
+		nvidiaCDIHookPath,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to construct discoverer: %v", err)

internal/nvsandboxutils/gen/nvsandboxutils/generateapi.go

@@ -167,7 +167,7 @@ func generateInterfaceComment(input GeneratableInterfacePoperties) (string, erro
 	commentFmt := []string{
 		"// %s represents the interface for the %s type.",
 		"//",
-		"//go:generate moq -rm -fmt=goimports -out mock/%s.go -pkg mock . %s:%s",
+		"//go:generate moq -out mock/%s.go -pkg mock . %s:%s",
 	}
 
 	var signature strings.Builder

internal/nvsandboxutils/lib.go

@@ -35,7 +35,7 @@ var errLibraryAlreadyLoaded = errors.New("library already loaded")
 // dynamicLibrary is an interface for abstacting the underlying library.
 // This also allows for mocking and testing.
 
-//go:generate moq -rm -fmt=goimports -stub -out dynamicLibrary_mock.go . dynamicLibrary
+//go:generate moq -rm -stub -out dynamicLibrary_mock.go . dynamicLibrary
 type dynamicLibrary interface {
 	Lookup(string) error
 	Open() error

internal/nvsandboxutils/mock/interface.go

@@ -4,9 +4,8 @@
 package mock
 
 import (
-	"sync"
-
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/nvsandboxutils"
+	"sync"
 )
 
 // Ensure, that Interface does implement nvsandboxutils.Interface.

internal/nvsandboxutils/zz_generated.api.go

@@ -31,7 +31,7 @@ var (
 
 // Interface represents the interface for the library type.
 //
-//go:generate moq -rm -fmt=goimports -out mock/interface.go -pkg mock . Interface:Interface
+//go:generate moq -out mock/interface.go -pkg mock . Interface:Interface
 type Interface interface {
 	ErrorString(Ret) string
 	GetDriverVersion() (string, Ret)

internal/oci/runtime.go

@@ -19,7 +19,7 @@ package oci
 // Runtime is an interface for a runtime shim. The Exec method accepts a list
 // of command line arguments, and returns an error / nil.
 //
-//go:generate moq -rm -fmt=goimports -stub -out runtime_mock.go . Runtime
+//go:generate moq -rm -stub -out runtime_mock.go . Runtime
 type Runtime interface {
 	Exec([]string) error
 	String() string

internal/oci/spec.go

@@ -33,7 +33,7 @@ type SpecModifier interface {
 
 // Spec defines the operations to be performed on an OCI specification
 //
-//go:generate moq -rm -fmt=goimports -stub -out spec_mock.go . Spec
+//go:generate moq -stub -out spec_mock.go . Spec
 type Spec interface {
 	Load() (*specs.Spec, error)
 	Flush() error

internal/oci/spec_memory.go

@@ -61,11 +61,11 @@ func (s *memorySpec) Modify(m SpecModifier) error {
 // Otherwise the returned value will be empty and the boolean will
 // be false.
 func (s memorySpec) LookupEnv(key string) (string, bool) {
-	if s.Spec == nil || s.Process == nil {
+	if s.Spec == nil || s.Spec.Process == nil {
 		return "", false
 	}
 
-	for _, env := range s.Process.Env {
+	for _, env := range s.Spec.Process.Env {
 		if !strings.HasPrefix(env, key) {
 			continue
 		}