Bump nvidia/cuda in /deployments/container

Bumps nvidia/cuda from 12.9.0-base-ubuntu20.04 to 12.9.1-base-ubuntu20.04.

---
updated-dependencies:
- dependency-name: nvidia/cuda
  dependency-version: 12.9.1-base-ubuntu20.04
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/image.yaml

@@ -79,8 +79,8 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        dist:
-          - ubi9
+        target:
+          - application
           - packaging
     needs: packages
     steps:
@@ -117,4 +117,4 @@ jobs:
           BUILD_MULTI_ARCH_IMAGES: ${{ inputs.build_multi_arch_images }}
         run: |
           echo "${VERSION}"
-          make -f deployments/container/Makefile build-${{ matrix.dist }}
+          make -f deployments/container/Makefile build-${{ matrix.target }}

.nvidia-ci.yml

@@ -287,5 +287,6 @@ sign-images-dummy:
     - release-images-dummy
   variables:
     NGC_CLI: "echo [DUMMY] ngc-cli/ngc"
+    IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}"
   rules:
     - if: $CI_COMMIT_TAG == null || $CI_COMMIT_TAG == ""

CHANGELOG.md

@@ -1,34 +1,139 @@
 # NVIDIA Container Toolkit Changelog
 
-## v1.17.4
-- Disable mounting of compat libs from container by default
+## v1.18.0-rc.1
+
+- Add create-soname-symlinks hook
+- Require matching version of libnvidia-container-tools
+- Add envvar for libcuda.so parent dir to CDI spec
+- Add EnvVar to Discover interface
+- Resolve to legacy by default in nvidia-container-runtime-hook
+- Default to jit-cdi mode in the nvidia runtime
+- Use functional options to construct runtime mode resolver
+- Add NVIDIA_CTK_CONFIG_FILE_PATH envvar
+- Switch to cuda ubi9 base image
+- Use single version tag for image
+- BUGFIX: modifier: respect GPU volume-mount device requests
+- Ensure consistent sorting of annotation devices
+- Extract deb and rpm packages to single image
+- Remove docker-run as default runtime candidate
+- Return annotation devices from VisibleDevices
+- Make CDI device requests consistent with other methods
+- Construct container info once
+- Add logic to extract annotation device requests to image type
+- Add IsPrivileged function to CUDA container type
+- Add device IDs to nvcdi.GetSpec API
+- Refactor extracting requested devices from the container image
+- Add EnvVars option for all nvidia-ctk cdi commands
+- Add nvidia-cdi-refresh service
+- Add discovery of arch-specific vulkan ICD
+- Add disabled-device-node-modification hook to CDI spec
+- Add a hook to disable device node creation in a container
+- Remove redundant deduplication of search paths for WSL
+- Added ability to disable specific (or all) CDI hooks
+- Consolidate HookName functionality on internal/discover pkg
+- Add envvar to control debug logging in CDI hooks
+- Add FeatureFlags to the nvcdi API
+- Reenable nvsandboxutils for driver discovery
+- Edit discover.mounts to have a deterministic output
+- Refactor the way we create CDI Hooks
+- Issue warning on unsupported CDI hook
+- Run update-ldcache in isolated namespaces
+- Add cuda-compat-mode config option
+- Fix mode detection on Thor-based systems
+- Add rprivate to CDI mount options
+- Skip nil discoverers in merge
+- bump runc go dep to v1.3.0
+- Fix resolution of libs in LDCache on ARM
+- Updated .release:staging to stage images in nvstaging
+- Refactor toolkit installer
+- Allow container runtime executable path to be specified
+- Add support for building ubuntu22.04 on arm64
+- Fix race condition in mounts cache
+- Add support for building ubuntu22.04 on amd64
+- Fix update-ldcache arguments
+- Remove positional arguments from nvidia-ctk-installer
+- Remove deprecated --runtime-args from nvidia-ctk-installer
+- Add version info to nvidia-ctk-installer
+- Update nvidia-ctk-installer app name to match binary name
+- Allow nvidia-ctk config --set to accept comma-separated lists
+- Disable enable-cuda-compat hook for management containers
+- Allow enable-cuda-compat hook to be disabled in CDI spec generation
+- Add disable-cuda-compat-lib-hook feature flag
+- Add basic integration tests for forward compat
+- Ensure that mode hook is executed last
+- Add enable-cuda-compat hook to CDI spec generation
+- Add ldconfig hook in legacy mode
+- Add enable-cuda-compat hook if required
+- Add enable-cuda-compat hook to allow compat libs to be discovered
+- Use libcontainer execseal to run ldconfig
+- Add ignore-imex-channel-requests feature flag
+- Disable nvsandboxutils in nvcdi API
+- Allow cdi mode to work with --gpus flag
+- Add E2E GitHub Action for Container Toolkit
+- Add remote-test option for E2E
+- Enable CDI in runtime if CDI_ENABLED is set
+- Fix overwriting docker feature flags
+- Add option in toolkit container to enable CDI in runtime
+- Remove Set from engine config API
+- Add EnableCDI() method to engine.Interface
+- Add IMEX binaries to CDI discovery
+- Rename test folder to tests
 - Add allow-cuda-compat-libs-from-container feature flag
+- Disable mounting of compat libs from container
 - Skip graphics modifier in CSV mode
-- Properly pass configSearchPaths to a Driver constructor
+- Move nvidia-toolkit to nvidia-ctk-installer
+- Automated regression testing for the NVIDIA Container Toolkit
 - Add support for containerd version 3 config
+- Remove watch option from create-dev-char-symlinks
 - Add string TOML source
+- Improve the implementation for UseLegacyConfig
+- Properly pass configSearchPaths to a Driver constructor
+- Fix create-device-node test when devices exist
+- Add imex mode to CDI spec generation
+- Only allow host-relative LDConfig paths
+- Fix NVIDIA_IMEX_CHANNELS handling on legacy images
+- Fix bug in default config file path
+- Fix fsnotify.Remove logic function.
+- Force symlink creation in create-symlink hook
+
+### Changes in the Toolkit Container
+
+- Create /work/nvidia-toolkit symlink
+- Use Apache license for images
+- Switch to golang distroless image
+- Switch to cuda ubi9 base image
+- Use single version tag for image
+- Extract deb and rpm packages to single image
+- Bump nvidia/cuda in /deployments/container
+- Bump nvidia/cuda in /deployments/container
+- Add E2E GitHub Action for Container Toolkit
+- Bump nvidia/cuda in /deployments/container
+- Move nvidia-toolkit to nvidia-ctk-installer
+- Add support for containerd version 3 config
+- Improve the implementation for UseLegacyConfig
+- Bump nvidia/cuda in /deployments/container
+- Add imex mode to CDI spec generation
+- Only allow host-relative LDConfig paths
+- Fallback to file for runtime config
 
 ### Changes in libnvidia-container
+
+- Fix pointer accessing local variable out of scope
+- Require version match between libnvidia-container-tools and libnvidia-container1
+- Add libnvidia-gpucomp.so to the list of compute libs
+- Use VERSION_ prefix for version parts in makefiles
+- Add additional logging
+- Do not discard container flags when --cuda-compat-mode is not specified
+- Remove unneeded --no-cntlibs argument from list command
+- Add cuda-compat-mode flag to configure command
+- Skip files when user has insufficient permissions
+- Fix building with Go 1.24
 - Add no-cntlibs CLI option to nvidia-container-cli
-
-### Changes in the Toolkit Container
-- Bump CUDA base image version to 12.6.3
-
-## v1.17.3
-- Only allow host-relative LDConfig paths by default.
-### Changes in libnvidia-container
+- Fix always using fallback
+- Add fallback for systems without memfd_create()
 - Create virtual copy of host ldconfig binary before calling fexecve()
+- Fix some typos in text.
 
-## v1.17.2
-- Fixed a bug where legacy images would set imex channels as `all`.
-
-## v1.17.1
-- Fixed a bug where specific symlinks existing in a container image could cause a container to fail to start.
-- Fixed a bug on Tegra-based systems where a container would fail to start.
-- Fixed a bug where the default container runtime config path was not properly set.
-
-### Changes in the Toolkit Container
-- Fallback to using a config file if the current runtime config can not be determined from the command line.
 
 ## v1.17.0
 - Promote v1.17.0-rc.2 to v1.17.0

README.md

@@ -28,4 +28,4 @@ The [user guide](https://docs.nvidia.com/datacenter/cloud-native/container-toolk
 [Checkout the Contributing document!](CONTRIBUTING.md)
 
 * Please let us know by [filing a new issue](https://github.com/NVIDIA/nvidia-container-toolkit/issues/new)
-* You can contribute by creating a [merge request](https://gitlab.com/nvidia/container-toolkit/container-toolkit/-/merge_requests/new) to our public GitLab repository
+* You can contribute by creating a [pull request](https://github.com/NVIDIA/nvidia-container-toolkit/compare) to our public GitHub repository

cmd/nvidia-cdi-hook/commands/commands.go

@@ -20,6 +20,7 @@ import (
 	"github.com/urfave/cli/v2"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/chmod"
+	createsonamesymlinks "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/create-soname-symlinks"
 	symlinks "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/create-symlinks"
 	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/cudacompat"
 	disabledevicenodemodification "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/disable-device-node-modification"
@@ -35,6 +36,7 @@ func New(logger logger.Interface) []*cli.Command {
 		symlinks.NewCommand(logger),
 		chmod.NewCommand(logger),
 		cudacompat.NewCommand(logger),
+		createsonamesymlinks.NewCommand(logger),
 		disabledevicenodemodification.NewCommand(logger),
 	}
 }

cmd/nvidia-cdi-hook/create-soname-symlinks/soname-symlinks.go

@@ -0,0 +1,166 @@
+/**
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package create_soname_symlinks
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/moby/sys/reexec"
+	"github.com/urfave/cli/v2"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/ldconfig"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+)
+
+const (
+	reexecUpdateLdCacheCommandName = "reexec-create-soname-symlinks"
+)
+
+type command struct {
+	logger logger.Interface
+}
+
+type options struct {
+	folders       cli.StringSlice
+	ldconfigPath  string
+	containerSpec string
+}
+
+func init() {
+	reexec.Register(reexecUpdateLdCacheCommandName, createSonameSymlinksHandler)
+	if reexec.Init() {
+		os.Exit(0)
+	}
+}
+
+// NewCommand constructs an create-soname-symlinks command with the specified logger
+func NewCommand(logger logger.Interface) *cli.Command {
+	c := command{
+		logger: logger,
+	}
+	return c.build()
+}
+
+// build the create-soname-symlinks command
+func (m command) build() *cli.Command {
+	cfg := options{}
+
+	// Create the 'create-soname-symlinks' command
+	c := cli.Command{
+		Name:  "create-soname-symlinks",
+		Usage: "Create soname symlinks libraries in specified directories",
+		Before: func(c *cli.Context) error {
+			return m.validateFlags(c, &cfg)
+		},
+		Action: func(c *cli.Context) error {
+			return m.run(c, &cfg)
+		},
+	}
+
+	c.Flags = []cli.Flag{
+		&cli.StringSliceFlag{
+			Name:        "folder",
+			Usage:       "Specify a directory to generate soname symlinks in. Can be specified multiple times",
+			Destination: &cfg.folders,
+		},
+		&cli.StringFlag{
+			Name:        "ldconfig-path",
+			Usage:       "Specify the path to ldconfig on the host",
+			Destination: &cfg.ldconfigPath,
+			Value:       "/sbin/ldconfig",
+		},
+		&cli.StringFlag{
+			Name:        "container-spec",
+			Usage:       "Specify the path to the OCI container spec. If empty or '-' the spec will be read from STDIN",
+			Destination: &cfg.containerSpec,
+		},
+	}
+
+	return &c
+}
+
+func (m command) validateFlags(c *cli.Context, cfg *options) error {
+	if cfg.ldconfigPath == "" {
+		return errors.New("ldconfig-path must be specified")
+	}
+	return nil
+}
+
+func (m command) run(c *cli.Context, cfg *options) error {
+	s, err := oci.LoadContainerState(cfg.containerSpec)
+	if err != nil {
+		return fmt.Errorf("failed to load container state: %v", err)
+	}
+
+	containerRootDir, err := s.GetContainerRoot()
+	if err != nil || containerRootDir == "" || containerRootDir == "/" {
+		return fmt.Errorf("failed to determined container root: %v", err)
+	}
+
+	cmd, err := ldconfig.NewRunner(
+		reexecUpdateLdCacheCommandName,
+		cfg.ldconfigPath,
+		containerRootDir,
+		cfg.folders.Value()...,
+	)
+	if err != nil {
+		return err
+	}
+
+	return cmd.Run()
+}
+
+// createSonameSymlinksHandler wraps createSonameSymlinks with error handling.
+func createSonameSymlinksHandler() {
+	if err := createSonameSymlinks(os.Args); err != nil {
+		log.Printf("Error updating ldcache: %v", err)
+		os.Exit(1)
+	}
+}
+
+// createSonameSymlinks ensures that soname symlinks are created in the
+// specified directories.
+// It is invoked from a reexec'd handler and provides namespace isolation for
+// the operations performed by this hook. At the point where this is invoked,
+// we are in a new mount namespace that is cloned from the parent.
+//
+// args[0] is the reexec initializer function name
+// args[1] is the path of the ldconfig binary on the host
+// args[2] is the container root directory
+// The remaining args are directories where soname symlinks need to be created.
+func createSonameSymlinks(args []string) error {
+	if len(args) < 3 {
+		return fmt.Errorf("incorrect arguments: %v", args)
+	}
+	hostLdconfigPath := args[1]
+	containerRootDirPath := args[2]
+
+	ldconfig, err := ldconfig.New(
+		hostLdconfigPath,
+		containerRootDirPath,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to construct ldconfig runner: %w", err)
+	}
+
+	return ldconfig.CreateSonameSymlinks(args[3:]...)
+}

cmd/nvidia-cdi-hook/update-ldcache/container-root.go

@@ -1,46 +0,0 @@
-/**
-# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package ldcache
-
-import (
-	"os"
-	"path/filepath"
-
-	"github.com/moby/sys/symlink"
-)
-
-// A containerRoot represents the root filesystem of a container.
-type containerRoot string
-
-// hasPath checks whether the specified path exists in the root.
-func (r containerRoot) hasPath(path string) bool {
-	resolved, err := r.resolve(path)
-	if err != nil {
-		return false
-	}
-	if _, err := os.Stat(resolved); err != nil && os.IsNotExist(err) {
-		return false
-	}
-	return true
-}
-
-// resolve returns the absolute path including root path.
-// Symlinks are resolved, but are guaranteed to resolve in the root.
-func (r containerRoot) resolve(path string) (string, error) {
-	absolute := filepath.Clean(filepath.Join(string(r), path))
-	return symlink.FollowSymlinkInScope(absolute, string(r))
-}

cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go

@@ -21,24 +21,16 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"strings"
 
 	"github.com/moby/sys/reexec"
 	"github.com/urfave/cli/v2"
 
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/ldconfig"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
 )
 
 const (
-	// ldsoconfdFilenamePattern specifies the pattern for the filename
-	// in ld.so.conf.d that includes references to the specified directories.
-	// The 00-nvcr prefix is chosen to ensure that these libraries have a
-	// higher precedence than other libraries on the system, but lower than
-	// the 00-cuda-compat that is included in some containers.
-	ldsoconfdFilenamePattern = "00-nvcr-*.conf"
-
 	reexecUpdateLdCacheCommandName = "reexec-update-ldcache"
 )
 
@@ -123,15 +115,15 @@ func (m command) run(c *cli.Context, cfg *options) error {
 		return fmt.Errorf("failed to determined container root: %v", err)
 	}
 
-	args := []string{
+	cmd, err := ldconfig.NewRunner(
 		reexecUpdateLdCacheCommandName,
-		strings.TrimPrefix(config.NormalizeLDConfigPath("@"+cfg.ldconfigPath), "@"),
+		cfg.ldconfigPath,
 		containerRootDir,
+		cfg.folders.Value()...,
+	)
+	if err != nil {
+		return err
 	}
-	args = append(args, cfg.folders.Value()...)
-
-	cmd := createReexecCommand(args)
-
 	return cmd.Run()
 }
 
@@ -143,15 +135,16 @@ func updateLdCacheHandler() {
 	}
 }
 
-// updateLdCache is invoked from a reexec'd handler and provides namespace
-// isolation for the operations performed by this hook.
-// At the point where this is invoked, we are in a new mount namespace that is
-// cloned from the parent.
+// updateLdCache ensures that the ldcache in the container is updated to include
+// libraries that are mounted from the host.
+// It is invoked from a reexec'd handler and provides namespace isolation for
+// the operations performed by this hook. At the point where this is invoked,
+// we are in a new mount namespace that is cloned from the parent.
 //
 // args[0] is the reexec initializer function name
 // args[1] is the path of the ldconfig binary on the host
 // args[2] is the container root directory
-// The remaining args are folders that need to be added to the ldcache.
+// The remaining args are folders where soname symlinks need to be created.
 func updateLdCache(args []string) error {
 	if len(args) < 3 {
 		return fmt.Errorf("incorrect arguments: %v", args)
@@ -159,97 +152,13 @@ func updateLdCache(args []string) error {
 	hostLdconfigPath := args[1]
 	containerRootDirPath := args[2]
 
-	// To prevent leaking the parent proc filesystem, we create a new proc mount
-	// in the container root.
-	if err := mountProc(containerRootDirPath); err != nil {
-		return fmt.Errorf("error mounting /proc: %w", err)
-	}
-
-	// We mount the host ldconfig before we pivot root since host paths are not
-	// visible after the pivot root operation.
-	ldconfigPath, err := mountLdConfig(hostLdconfigPath, containerRootDirPath)
+	ldconfig, err := ldconfig.New(
+		hostLdconfigPath,
+		containerRootDirPath,
+	)
 	if err != nil {
-		return fmt.Errorf("error mounting host ldconfig: %w", err)
+		return fmt.Errorf("failed to construct ldconfig runner: %w", err)
 	}
 
-	// We pivot to the container root for the new process, this further limits
-	// access to the host.
-	if err := pivotRoot(containerRootDirPath); err != nil {
-		return fmt.Errorf("error running pivot_root: %w", err)
-	}
-
-	return runLdconfig(ldconfigPath, args[3:]...)
-}
-
-// runLdconfig runs the ldconfig binary and ensures that the specified directories
-// are processed for the ldcache.
-func runLdconfig(ldconfigPath string, directories ...string) error {
-	args := []string{
-		"ldconfig",
-		// Explicitly specify using /etc/ld.so.conf since the host's ldconfig may
-		// be configured to use a different config file by default.
-		// Note that since we apply the `-r {{ .containerRootDir }}` argument, /etc/ld.so.conf is
-		// in the container.
-		"-f", "/etc/ld.so.conf",
-	}
-
-	containerRoot := containerRoot("/")
-
-	if containerRoot.hasPath("/etc/ld.so.cache") {
-		args = append(args, "-C", "/etc/ld.so.cache")
-	} else {
-		args = append(args, "-N")
-	}
-
-	if containerRoot.hasPath("/etc/ld.so.conf.d") {
-		err := createLdsoconfdFile(ldsoconfdFilenamePattern, directories...)
-		if err != nil {
-			return fmt.Errorf("failed to update ld.so.conf.d: %w", err)
-		}
-	} else {
-		args = append(args, directories...)
-	}
-
-	return SafeExec(ldconfigPath, args, nil)
-}
-
-// createLdsoconfdFile creates a file at /etc/ld.so.conf.d/.
-// The file is created at /etc/ld.so.conf.d/{{ .pattern }} using `CreateTemp` and
-// contains the specified directories on each line.
-func createLdsoconfdFile(pattern string, dirs ...string) error {
-	if len(dirs) == 0 {
-		return nil
-	}
-
-	ldsoconfdDir := "/etc/ld.so.conf.d"
-	if err := os.MkdirAll(ldsoconfdDir, 0755); err != nil {
-		return fmt.Errorf("failed to create ld.so.conf.d: %w", err)
-	}
-
-	configFile, err := os.CreateTemp(ldsoconfdDir, pattern)
-	if err != nil {
-		return fmt.Errorf("failed to create config file: %w", err)
-	}
-	defer func() {
-		_ = configFile.Close()
-	}()
-
-	added := make(map[string]bool)
-	for _, dir := range dirs {
-		if added[dir] {
-			continue
-		}
-		_, err = fmt.Fprintf(configFile, "%s\n", dir)
-		if err != nil {
-			return fmt.Errorf("failed to update config file: %w", err)
-		}
-		added[dir] = true
-	}
-
-	// The created file needs to be world readable for the cases where the container is run as a non-root user.
-	if err := configFile.Chmod(0644); err != nil {
-		return fmt.Errorf("failed to chmod config file: %w", err)
-	}
-
-	return nil
+	return ldconfig.UpdateLDCache(args[3:]...)
 }

cmd/nvidia-container-runtime-hook/container_config.go

@@ -242,7 +242,14 @@ func (hookConfig *hookConfig) getNvidiaConfig(image image.CUDA, privileged bool)
 	}
 }
 
-func (hookConfig *hookConfig) getContainerConfig() (config containerConfig) {
+func (hookConfig *hookConfig) getContainerConfig() (config *containerConfig) {
+	hookConfig.Lock()
+	defer hookConfig.Unlock()
+
+	if hookConfig.containerConfig != nil {
+		return hookConfig.containerConfig
+	}
+
 	var h HookState
 	d := json.NewDecoder(os.Stdin)
 	if err := d.Decode(&h); err != nil {
@@ -271,10 +278,13 @@ func (hookConfig *hookConfig) getContainerConfig() (config containerConfig) {
 		log.Panicln(err)
 	}
 
-	return containerConfig{
+	cc := containerConfig{
 		Pid:    h.Pid,
 		Rootfs: s.Root.Path,
 		Image:  i,
 		Nvidia: hookConfig.getNvidiaConfig(i, privileged),
 	}
+	hookConfig.containerConfig = &cc
+
+	return hookConfig.containerConfig
 }

cmd/nvidia-container-runtime-hook/container_config_test.go

@@ -487,7 +487,7 @@ func TestGetNvidiaConfig(t *testing.T) {
 				hookCfg := tc.hookConfig
 				if hookCfg == nil {
 					defaultConfig, _ := config.GetDefault()
-					hookCfg = &hookConfig{defaultConfig}
+					hookCfg = &hookConfig{Config: defaultConfig}
 				}
 				cfg = hookCfg.getNvidiaConfig(image, tc.privileged)
 			}

cmd/nvidia-container-runtime-hook/hook_config.go

@@ -4,50 +4,46 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"path"
 	"reflect"
 	"strings"
+	"sync"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config/image"
-)
-
-const (
-	configPath = "/etc/nvidia-container-runtime/config.toml"
-	driverPath = "/run/nvidia/driver"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/info"
 )
 
 // hookConfig wraps the toolkit config.
 // This allows for functions to be defined on the local type.
 type hookConfig struct {
+	sync.Mutex
 	*config.Config
+	containerConfig *containerConfig
 }
 
 // loadConfig loads the required paths for the hook config.
 func loadConfig() (*config.Config, error) {
-	var configPaths []string
-	var required bool
-	if len(*configflag) != 0 {
-		configPaths = append(configPaths, *configflag)
-		required = true
-	} else {
-		configPaths = append(configPaths, path.Join(driverPath, configPath), configPath)
+	configFilePath, required := getConfigFilePath()
+	cfg, err := config.New(
+		config.WithConfigFile(configFilePath),
+		config.WithRequired(true),
+	)
+	if err == nil {
+		return cfg.Config()
+	} else if os.IsNotExist(err) && !required {
+		return config.GetDefault()
 	}
+	return nil, fmt.Errorf("couldn't open required configuration file: %v", err)
+}
 
-	for _, p := range configPaths {
-		cfg, err := config.New(
-			config.WithConfigFile(p),
-			config.WithRequired(true),
-		)
-		if err == nil {
-			return cfg.Config()
-		} else if os.IsNotExist(err) && !required {
-			continue
-		}
-		return nil, fmt.Errorf("couldn't open required configuration file: %v", err)
+func getConfigFilePath() (string, bool) {
+	if configFromFlag := *configflag; configFromFlag != "" {
+		return configFromFlag, true
 	}
-
-	return config.GetDefault()
+	if configFromEnvvar := os.Getenv(config.FilePathOverrideEnvVar); configFromEnvvar != "" {
+		return configFromEnvvar, true
+	}
+	return config.GetConfigFilePath(), false
 }
 
 func getHookConfig() (*hookConfig, error) {
@@ -55,7 +51,7 @@ func getHookConfig() (*hookConfig, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to load config: %v", err)
 	}
-	config := &hookConfig{cfg}
+	config := &hookConfig{Config: cfg}
 
 	allSupportedDriverCapabilities := image.SupportedDriverCapabilities
 	if config.SupportedDriverCapabilities == "all" {
@@ -73,8 +69,8 @@ func getHookConfig() (*hookConfig, error) {
 
 // getConfigOption returns the toml config option associated with the
 // specified struct field.
-func (c hookConfig) getConfigOption(fieldName string) string {
-	t := reflect.TypeOf(c)
+func (c *hookConfig) getConfigOption(fieldName string) string {
+	t := reflect.TypeOf(&c)
 	f, ok := t.FieldByName(fieldName)
 	if !ok {
 		return fieldName
@@ -127,3 +123,21 @@ func (c *hookConfig) nvidiaContainerCliCUDACompatModeFlags() []string {
 	}
 	return []string{flag}
 }
+
+func (c *hookConfig) assertModeIsLegacy() error {
+	if c.NVIDIAContainerRuntimeHookConfig.SkipModeDetection {
+		return nil
+	}
+
+	mr := info.NewRuntimeModeResolver(
+		info.WithLogger(&logInterceptor{}),
+		info.WithImage(&c.containerConfig.Image),
+		info.WithDefaultMode(info.LegacyRuntimeMode),
+	)
+
+	mode := mr.ResolveRuntimeMode(c.NVIDIAContainerRuntimeConfig.Mode)
+	if mode == "legacy" {
+		return nil
+	}
+	return fmt.Errorf("invoking the NVIDIA Container Runtime Hook directly (e.g. specifying the docker --gpus flag) is not supported. Please use the NVIDIA Container Runtime (e.g. specify the --runtime=nvidia flag) instead")
+}

cmd/nvidia-container-runtime-hook/hook_config_test.go

@@ -90,10 +90,10 @@ func TestGetHookConfig(t *testing.T) {
 				}
 			}
 
-			var cfg hookConfig
+			var cfg *hookConfig
 			getHookConfig := func() {
 				c, _ := getHookConfig()
-				cfg = *c
+				cfg = c
 			}
 
 			if tc.expectedPanic {

cmd/nvidia-container-runtime-hook/main.go

@@ -55,7 +55,7 @@ func getCLIPath(config config.ContainerCLIConfig) string {
 }
 
 // getRootfsPath returns an absolute path. We don't need to resolve symlinks for now.
-func getRootfsPath(config containerConfig) string {
+func getRootfsPath(config *containerConfig) string {
 	rootfs, err := filepath.Abs(config.Rootfs)
 	if err != nil {
 		log.Panicln(err)
@@ -82,8 +82,8 @@ func doPrestart() {
 		return
 	}
 
-	if !hook.NVIDIAContainerRuntimeHookConfig.SkipModeDetection && info.ResolveAutoMode(&logInterceptor{}, hook.NVIDIAContainerRuntimeConfig.Mode, container.Image) != "legacy" {
-		log.Panicln("invoking the NVIDIA Container Runtime Hook directly (e.g. specifying the docker --gpus flag) is not supported. Please use the NVIDIA Container Runtime (e.g. specify the --runtime=nvidia flag) instead.")
+	if err := hook.assertModeIsLegacy(); err != nil {
+		log.Panicf("%v", err)
 	}
 
 	rootfs := getRootfsPath(container)

cmd/nvidia-container-runtime/main_test.go

@@ -122,11 +122,10 @@ func TestGoodInput(t *testing.T) {
 	err = cmdCreate.Run()
 	require.NoError(t, err, "runtime should not return an error")
 
-	// Check config.json for NVIDIA prestart hook
+	// Check config.json to ensure that the NVIDIA prestart was not inserted.
 	spec, err = cfg.getRuntimeSpec()
 	require.NoError(t, err, "should be no errors when reading and parsing spec from config.json")
-	require.NotEmpty(t, spec.Hooks, "there should be hooks in config.json")
-	require.Equal(t, 1, nvidiaHookCount(spec.Hooks), "exactly one nvidia prestart hook should be inserted correctly into config.json")
+	require.Empty(t, spec.Hooks, "there should be no hooks in config.json")
 }
 
 // NVIDIA prestart hook already present in config file
@@ -168,11 +167,10 @@ func TestDuplicateHook(t *testing.T) {
 	output, err := cmdCreate.CombinedOutput()
 	require.NoErrorf(t, err, "runtime should not return an error", "output=%v", string(output))
 
-	// Check config.json for NVIDIA prestart hook
+	// Check config.json to ensure that the NVIDIA prestart hook was removed.
 	spec, err = cfg.getRuntimeSpec()
 	require.NoError(t, err, "should be no errors when reading and parsing spec from config.json")
-	require.NotEmpty(t, spec.Hooks, "there should be hooks in config.json")
-	require.Equal(t, 1, nvidiaHookCount(spec.Hooks), "exactly one nvidia prestart hook should be inserted correctly into config.json")
+	require.Empty(t, spec.Hooks, "there should be no hooks in config.json")
 }
 
 // addNVIDIAHook is a basic wrapper for an addHookModifier that is used for
@@ -240,18 +238,3 @@ func (c testConfig) generateNewRuntimeSpec() error {
 	}
 	return nil
 }
-
-// Return number of valid NVIDIA prestart hooks in runtime spec
-func nvidiaHookCount(hooks *specs.Hooks) int {
-	if hooks == nil {
-		return 0
-	}
-
-	count := 0
-	for _, hook := range hooks.Prestart {
-		if strings.Contains(hook.Path, nvidiaHook) {
-			count++
-		}
-	}
-	return count
-}

cmd/nvidia-ctk-installer/toolkit/installer/directory.go

@@ -28,7 +28,7 @@ type createDirectory struct {
 	logger logger.Interface
 }
 
-func (t *toolkitInstaller) createDirectory() Installer {
+func (t *ToolkitInstaller) createDirectory() Installer {
 	return &createDirectory{
 		logger: t.logger,
 	}

cmd/nvidia-ctk-installer/toolkit/installer/executables.go

@@ -28,20 +28,18 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-ctk-installer/container/operator"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 )
 
 type executable struct {
 	requiresKernelModule bool
 	path                 string
 	symlink              string
-	args                 []string
 	env                  map[string]string
 }
 
-func (t *toolkitInstaller) collectExecutables(destDir string) ([]Installer, error) {
-	configHome := filepath.Join(destDir, ".config")
-	configDir := filepath.Join(configHome, "nvidia-container-runtime")
-	configPath := filepath.Join(configDir, "config.toml")
+func (t *ToolkitInstaller) collectExecutables(destDir string) ([]Installer, error) {
+	configFilePath := t.ConfigFilePath(destDir)
 
 	executables := []executable{
 		{
@@ -56,7 +54,7 @@ func (t *toolkitInstaller) collectExecutables(destDir string) ([]Installer, erro
 			path:                 runtime.Path,
 			requiresKernelModule: true,
 			env: map[string]string{
-				"XDG_CONFIG_HOME": configHome,
+				config.FilePathOverrideEnvVar: configFilePath,
 			},
 		}
 		executables = append(executables, e)
@@ -72,7 +70,9 @@ func (t *toolkitInstaller) collectExecutables(destDir string) ([]Installer, erro
 		executable{
 			path:    "nvidia-container-runtime-hook",
 			symlink: "nvidia-container-toolkit",
-			args:    []string{fmt.Sprintf("-config %s", configPath)},
+			env: map[string]string{
+				config.FilePathOverrideEnvVar: configFilePath,
+			},
 		},
 	)
 
@@ -94,7 +94,6 @@ func (t *toolkitInstaller) collectExecutables(destDir string) ([]Installer, erro
 			Source:            executablePath,
 			WrappedExecutable: dotRealFilename,
 			CheckModules:      executable.requiresKernelModule,
-			Args:              executable.args,
 			Envvars: map[string]string{
 				"PATH": strings.Join([]string{destDir, "$PATH"}, ":"),
 			},
@@ -124,7 +123,6 @@ type wrapper struct {
 	Envvars           map[string]string
 	WrappedExecutable string
 	CheckModules      bool
-	Args              []string
 }
 
 type render struct {
@@ -165,9 +163,6 @@ fi
 {{$key}}={{$value}} \
 {{- end }}
 	{{ .DestDir }}/{{ .WrappedExecutable }} \
-{{- range $arg := .Args }}
-		{{$arg}} \
-{{- end }}
 		"$@"
 `
 

cmd/nvidia-ctk-installer/toolkit/installer/executables_test.go

@@ -68,19 +68,6 @@ fi
 PATH=/foo/bar/baz \
 	/dest-dir/some-runtime \
 		"$@"
-`,
-		},
-		{
-			description: "args are added",
-			w: &wrapper{
-				WrappedExecutable: "some-runtime",
-				Args:              []string{"--config foo", "bar"},
-			},
-			expected: `#! /bin/sh
-	/dest-dir/some-runtime \
-		--config foo \
-		bar \
-		"$@"
 `,
 		},
 	}

cmd/nvidia-ctk-installer/toolkit/installer/installer.go

@@ -33,7 +33,7 @@ type Installer interface {
 	Install(string) error
 }
 
-type toolkitInstaller struct {
+type ToolkitInstaller struct {
 	logger       logger.Interface
 	ignoreErrors bool
 	sourceRoot   string
@@ -43,11 +43,11 @@ type toolkitInstaller struct {
 	ensureTargetDirectory Installer
 }
 
-var _ Installer = (*toolkitInstaller)(nil)
+var _ Installer = (*ToolkitInstaller)(nil)
 
 // New creates a toolkit installer with the specified options.
-func New(opts ...Option) (Installer, error) {
-	t := &toolkitInstaller{
+func New(opts ...Option) (*ToolkitInstaller, error) {
+	t := &ToolkitInstaller{
 		sourceRoot: "/",
 	}
 	for _, opt := range opts {
@@ -73,7 +73,7 @@ func New(opts ...Option) (Installer, error) {
 }
 
 // Install ensures that the required toolkit files are installed in the specified directory.
-func (t *toolkitInstaller) Install(destDir string) error {
+func (t *ToolkitInstaller) Install(destDir string) error {
 	var installers []Installer
 
 	installers = append(installers, t.ensureTargetDirectory)
@@ -98,6 +98,11 @@ func (t *toolkitInstaller) Install(destDir string) error {
 	return errs
 }
 
+func (t *ToolkitInstaller) ConfigFilePath(destDir string) string {
+	toolkitConfigDir := filepath.Join(destDir, ".config", "nvidia-container-runtime")
+	return filepath.Join(toolkitConfigDir, "config.toml")
+}
+
 type symlink struct {
 	linkname string
 	target   string

cmd/nvidia-ctk-installer/toolkit/installer/installer_test.go

@@ -112,7 +112,7 @@ func TestToolkitInstaller(t *testing.T) {
 			return nil
 		},
 	}
-	i := toolkitInstaller{
+	i := ToolkitInstaller{
 		logger:                logger,
 		artifactRoot:          r,
 		ensureTargetDirectory: createDirectory,
@@ -172,8 +172,8 @@ if [ "${?}" != "0" ]; then
 	echo "nvidia driver modules are not yet loaded, invoking runc directly"
 	exec runc "$@"
 fi
+NVIDIA_CTK_CONFIG_FILE_PATH=/foo/bar/baz/.config/nvidia-container-runtime/config.toml \
 PATH=/foo/bar/baz:$PATH \
-XDG_CONFIG_HOME=/foo/bar/baz/.config \
 	/foo/bar/baz/nvidia-container-runtime.real \
 		"$@"
 `,
@@ -187,8 +187,8 @@ if [ "${?}" != "0" ]; then
 	echo "nvidia driver modules are not yet loaded, invoking runc directly"
 	exec runc "$@"
 fi
+NVIDIA_CTK_CONFIG_FILE_PATH=/foo/bar/baz/.config/nvidia-container-runtime/config.toml \
 PATH=/foo/bar/baz:$PATH \
-XDG_CONFIG_HOME=/foo/bar/baz/.config \
 	/foo/bar/baz/nvidia-container-runtime.cdi.real \
 		"$@"
 `,
@@ -202,8 +202,8 @@ if [ "${?}" != "0" ]; then
 	echo "nvidia driver modules are not yet loaded, invoking runc directly"
 	exec runc "$@"
 fi
+NVIDIA_CTK_CONFIG_FILE_PATH=/foo/bar/baz/.config/nvidia-container-runtime/config.toml \
 PATH=/foo/bar/baz:$PATH \
-XDG_CONFIG_HOME=/foo/bar/baz/.config \
 	/foo/bar/baz/nvidia-container-runtime.legacy.real \
 		"$@"
 `,
@@ -240,9 +240,9 @@ PATH=/foo/bar/baz:$PATH \
 				path: "/foo/bar/baz/nvidia-container-runtime-hook",
 				mode: 0777,
 				wrapper: `#! /bin/sh
+NVIDIA_CTK_CONFIG_FILE_PATH=/foo/bar/baz/.config/nvidia-container-runtime/config.toml \
 PATH=/foo/bar/baz:$PATH \
 	/foo/bar/baz/nvidia-container-runtime-hook.real \
-		-config /foo/bar/baz/.config/nvidia-container-runtime/config.toml \
 		"$@"
 `,
 			},

cmd/nvidia-ctk-installer/toolkit/installer/libraries.go

@@ -28,7 +28,7 @@ import (
 // A predefined set of library candidates are considered, with the first one
 // resulting in success being installed to the toolkit folder. The install process
 // resolves the symlink for the library and copies the versioned library itself.
-func (t *toolkitInstaller) collectLibraries() ([]Installer, error) {
+func (t *ToolkitInstaller) collectLibraries() ([]Installer, error) {
 	requiredLibraries := []string{
 		"libnvidia-container.so.1",
 		"libnvidia-container-go.so.1",

cmd/nvidia-ctk-installer/toolkit/installer/options.go

@@ -19,29 +19,29 @@ package installer
 
 import "github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 
-type Option func(*toolkitInstaller)
+type Option func(*ToolkitInstaller)
 
 func WithLogger(logger logger.Interface) Option {
-	return func(ti *toolkitInstaller) {
+	return func(ti *ToolkitInstaller) {
 		ti.logger = logger
 	}
 }
 
 func WithArtifactRoot(artifactRoot *artifactRoot) Option {
-	return func(ti *toolkitInstaller) {
+	return func(ti *ToolkitInstaller) {
 		ti.artifactRoot = artifactRoot
 	}
 }
 
 func WithIgnoreErrors(ignoreErrors bool) Option {
-	return func(ti *toolkitInstaller) {
+	return func(ti *ToolkitInstaller) {
 		ti.ignoreErrors = ignoreErrors
 	}
 }
 
 // WithSourceRoot sets the root directory for locating artifacts to be installed.
 func WithSourceRoot(sourceRoot string) Option {
-	return func(ti *toolkitInstaller) {
+	return func(ti *ToolkitInstaller) {
 		ti.sourceRoot = sourceRoot
 	}
 }

cmd/nvidia-ctk-installer/toolkit/toolkit.go

@@ -37,8 +37,6 @@ import (
 const (
 	// DefaultNvidiaDriverRoot specifies the default NVIDIA driver run directory
 	DefaultNvidiaDriverRoot = "/run/nvidia/driver"
-
-	configFilename = "config.toml"
 )
 
 type cdiOptions struct {
@@ -316,7 +314,7 @@ func (t *Installer) Install(cli *cli.Context, opts *Options) error {
 		t.logger.Errorf("Ignoring error: %v", fmt.Errorf("could not install toolkit components: %w", err))
 	}
 
-	err = t.installToolkitConfig(cli, opts)
+	err = t.installToolkitConfig(cli, opts, toolkit.ConfigFilePath(t.toolkitRoot))
 	if err != nil && !opts.ignoreErrors {
 		return fmt.Errorf("error installing NVIDIA container toolkit config: %v", err)
 	} else if err != nil {
@@ -343,13 +341,11 @@ func (t *Installer) Install(cli *cli.Context, opts *Options) error {
 
 // installToolkitConfig installs the config file for the NVIDIA container toolkit ensuring
 // that the settings are updated to match the desired install and nvidia driver directories.
-func (t *Installer) installToolkitConfig(c *cli.Context, opts *Options) error {
-	toolkitConfigDir := filepath.Join(t.toolkitRoot, ".config", "nvidia-container-runtime")
-	toolkitConfigPath := filepath.Join(toolkitConfigDir, configFilename)
+func (t *Installer) installToolkitConfig(c *cli.Context, opts *Options, toolkitConfigPath string) error {
 
 	t.logger.Infof("Installing NVIDIA container toolkit config '%v'", toolkitConfigPath)
 
-	err := t.createDirectories(toolkitConfigDir)
+	err := t.createDirectories(filepath.Dir(toolkitConfigPath))
 	if err != nil && !opts.ignoreErrors {
 		return fmt.Errorf("could not create required directories: %v", err)
 	} else if err != nil {

cmd/nvidia-ctk-installer/toolkit/toolkit_test.go

@@ -86,6 +86,7 @@ devices:
               hostPath: /host/driver/root/dev/nvidia-caps-imex-channels/channel2047
 containerEdits:
     env:
+        - NVIDIA_CTK_LIBCUDA_DIR=/lib/x86_64-linux-gnu
         - NVIDIA_VISIBLE_DEVICES=void
     hooks:
         - hookName: createContainer
@@ -97,6 +98,15 @@ containerEdits:
             - libcuda.so.1::/lib/x86_64-linux-gnu/libcuda.so
           env:
             - NVIDIA_CTK_DEBUG=false
+        - hookName: createContainer
+          path: {{ .toolkitRoot }}/nvidia-cdi-hook
+          args:
+            - nvidia-cdi-hook
+            - create-soname-symlinks
+            - --folder
+            - /lib/x86_64-linux-gnu
+          env:
+            - NVIDIA_CTK_DEBUG=false
         - hookName: createContainer
           path: {{ .toolkitRoot }}/nvidia-cdi-hook
           args:

cmd/nvidia-ctk/cdi/generate/generate_test.go

@@ -80,6 +80,7 @@ devices:
               hostPath: {{ .driverRoot }}/dev/nvidia0
 containerEdits:
     env:
+        - NVIDIA_CTK_LIBCUDA_DIR=/lib/x86_64-linux-gnu
         - NVIDIA_VISIBLE_DEVICES=void
     deviceNodes:
         - path: /dev/nvidiactl
@@ -102,6 +103,15 @@ containerEdits:
             - --host-driver-version=999.88.77
           env:
             - NVIDIA_CTK_DEBUG=false
+        - hookName: createContainer
+          path: /usr/bin/nvidia-cdi-hook
+          args:
+            - nvidia-cdi-hook
+            - create-soname-symlinks
+            - --folder
+            - /lib/x86_64-linux-gnu
+          env:
+            - NVIDIA_CTK_DEBUG=false
         - hookName: createContainer
           path: /usr/bin/nvidia-cdi-hook
           args:
@@ -164,6 +174,7 @@ devices:
               hostPath: {{ .driverRoot }}/dev/nvidia0
 containerEdits:
     env:
+        - NVIDIA_CTK_LIBCUDA_DIR=/lib/x86_64-linux-gnu
         - NVIDIA_VISIBLE_DEVICES=void
     deviceNodes:
         - path: /dev/nvidiactl
@@ -178,6 +189,15 @@ containerEdits:
             - libcuda.so.1::/lib/x86_64-linux-gnu/libcuda.so
           env:
             - NVIDIA_CTK_DEBUG=false
+        - hookName: createContainer
+          path: /usr/bin/nvidia-cdi-hook
+          args:
+            - nvidia-cdi-hook
+            - create-soname-symlinks
+            - --folder
+            - /lib/x86_64-linux-gnu
+          env:
+            - NVIDIA_CTK_DEBUG=false
         - hookName: createContainer
           path: /usr/bin/nvidia-cdi-hook
           args:
@@ -240,6 +260,7 @@ devices:
               hostPath: {{ .driverRoot }}/dev/nvidia0
 containerEdits:
     env:
+        - NVIDIA_CTK_LIBCUDA_DIR=/lib/x86_64-linux-gnu
         - NVIDIA_VISIBLE_DEVICES=void
     deviceNodes:
         - path: /dev/nvidiactl
@@ -254,6 +275,15 @@ containerEdits:
             - libcuda.so.1::/lib/x86_64-linux-gnu/libcuda.so
           env:
             - NVIDIA_CTK_DEBUG=false
+        - hookName: createContainer
+          path: /usr/bin/nvidia-cdi-hook
+          args:
+            - nvidia-cdi-hook
+            - create-soname-symlinks
+            - --folder
+            - /lib/x86_64-linux-gnu
+          env:
+            - NVIDIA_CTK_DEBUG=false
         - hookName: createContainer
           path: /usr/bin/nvidia-cdi-hook
           args:
@@ -307,6 +337,7 @@ devices:
               hostPath: {{ .driverRoot }}/dev/nvidia0
 containerEdits:
     env:
+        - NVIDIA_CTK_LIBCUDA_DIR=/lib/x86_64-linux-gnu
         - NVIDIA_VISIBLE_DEVICES=void
     deviceNodes:
         - path: /dev/nvidiactl

deployments/container/Dockerfile

@@ -16,7 +16,7 @@
 ARG GOLANG_VERSION=x.x.x
 ARG VERSION="N/A"
 
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9 AS build
+FROM nvcr.io/nvidia/cuda:12.9.1-base-ubi9 AS build
 
 RUN dnf install -y \
     wget make git gcc \
@@ -48,14 +48,18 @@ ARG VERSION="N/A"
 ARG GIT_COMMIT="unknown"
 RUN make PREFIX=/artifacts/bin cmd-nvidia-ctk-installer
 
-# The packaging stage collects the deb and rpm packages built for supported
-# architectures.
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9 AS packaging
+# The packaging stage collects the deb and rpm packages built for
+# supported architectures.
+FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS packaging
+
+USER 0:0
+SHELL ["/busybox/sh", "-c"]
+RUN ln -s /busybox/sh /bin/sh
 
 ARG ARTIFACTS_ROOT
 COPY ${ARTIFACTS_ROOT} /artifacts/packages/
 
-WORKDIR /artifacts/packages
+WORKDIR /artifacts
 
 # build-args are added to the manifest.txt file below.
 ARG PACKAGE_VERSION
@@ -70,10 +74,17 @@ RUN echo "#IMAGE_EPOCH=$(date '+%s')" > /artifacts/manifest.txt && \
     env | sed 's/^/#/g' >> /artifacts/manifest.txt && \
     find /artifacts/packages -iname '*.deb' -o -iname '*.rpm' >> /artifacts/manifest.txt
 
-RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
+LABEL name="NVIDIA Container Toolkit Packages"
+LABEL vendor="NVIDIA"
+LABEL version="${VERSION}"
+LABEL release="N/A"
+LABEL summary="deb and rpm packages for the NVIDIA Container Toolkit"
+LABEL description="See summary"
+
+COPY LICENSE /licenses/
 
 # The debpackages stage is used to extract the contents of deb packages.
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubuntu20.04 AS debpackages
+FROM nvcr.io/nvidia/cuda:12.9.1-base-ubuntu20.04 AS debpackages
 
 ARG TARGETARCH
 ARG PACKAGE_DIST_DEB=ubuntu18.04
@@ -92,7 +103,7 @@ RUN set -eux; \
     for p in $(ls /deb-packages/${ARCH}/*.deb); do dpkg-deb -xv $p /artifacts/deb/; done
 
 # The rpmpackages stage is used to extract the contents of the rpm packages.
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9 AS rpmpackages
+FROM nvcr.io/nvidia/cuda:12.9.1-base-ubi9 AS rpmpackages
 RUN dnf install -y cpio
 
 ARG TARGETARCH
@@ -116,13 +127,19 @@ RUN set -eux; \
 # - The extracted deb packages
 # - The extracted rpm packages
 # - The nvidia-ctk-installer binary
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9 AS artifacts
+FROM scratch AS artifacts
 
 COPY --from=rpmpackages /artifacts/rpm /artifacts/rpm
 COPY --from=debpackages /artifacts/deb /artifacts/deb
 COPY --from=build /artifacts/bin /artifacts/build
 
-FROM nvcr.io/nvidia/cuda:12.9.0-base-ubi9
+# The application stage contains the application used as a GPU Operator
+# operand.
+FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS application
+
+USER 0:0
+SHELL ["/busybox/sh", "-c"]
+RUN ln -s /busybox/sh /bin/sh
 
 ENV NVIDIA_DISABLE_REQUIRE="true"
 ENV NVIDIA_VISIBLE_DEVICES=void
@@ -144,6 +161,11 @@ LABEL release="N/A"
 LABEL summary="Automatically Configure your Container Runtime for GPU support."
 LABEL description="See summary"
 
-RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
+COPY LICENSE /licenses/
 
 ENTRYPOINT ["/work/nvidia-ctk-installer"]
+
+# The GPU Operator exec's nvidia-toolkit in its entrypoint.
+# We create a symlink here to ensure compatibility with older
+# GPU Operator versions.
+RUN ln -s /work/nvidia-ctk-installer /work/nvidia-toolkit

deployments/container/Makefile

@@ -38,7 +38,7 @@ OUT_IMAGE_TAG = $(OUT_IMAGE_VERSION)
 OUT_IMAGE = $(OUT_IMAGE_NAME):$(OUT_IMAGE_TAG)
 
 ##### Public rules #####
-DEFAULT_PUSH_TARGET := ubi9
+DEFAULT_PUSH_TARGET := application
 DISTRIBUTIONS := $(DEFAULT_PUSH_TARGET)
 
 META_TARGETS := packaging
@@ -102,8 +102,6 @@ build: build-$(DEFAULT_PUSH_TARGET)
 push: push-$(DEFAULT_PUSH_TARGET)
 
 # Test targets
-test-%: DIST = $(*)
-
 TEST_CASES ?= docker crio containerd
 $(TEST_TARGETS): test-%:
 	TEST_CASES="$(TEST_CASES)" bash -x $(CURDIR)/test/container/main.sh run \

docker/Dockerfile.debian

@@ -57,17 +57,14 @@ WORKDIR $DIST_DIR
 COPY packaging/debian ./debian
 COPY deployments/systemd/ .
 
-ARG LIBNVIDIA_CONTAINER_TOOLS_VERSION
-ENV LIBNVIDIA_CONTAINER_TOOLS_VERSION ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}
-
 RUN dch --create --package="${PKG_NAME}" \
         --newversion "${REVISION}" \
-            "See https://gitlab.com/nvidia/container-toolkit/container-toolkit/-/blob/${GIT_COMMIT}/CHANGELOG.md for the changelog" && \
+            "See https://github.com/NVIDIA/nvidia-container-toolkit/blob/${GIT_COMMIT}/CHANGELOG.md for the changelog" && \
     dch --append "Bump libnvidia-container dependency to ${LIBNVIDIA_CONTAINER1_VERSION}" && \
     dch -r "" && \
     if [ "$REVISION" != "$(dpkg-parsechangelog --show-field=Version)" ]; then exit 1; fi
 
 CMD export DISTRIB="$(lsb_release -cs)" && \
-    debuild -eDISTRIB -eSECTION -eLIBNVIDIA_CONTAINER_TOOLS_VERSION -eVERSION="${REVISION}" \
+    debuild -eDISTRIB -eSECTION -eVERSION="${REVISION}" \
     --dpkg-buildpackage-hook='sh debian/prepare' -i -us -uc -b && \
     mv /tmp/*.deb /dist

docker/Dockerfile.opensuse-leap

@@ -48,16 +48,12 @@ WORKDIR $DIST_DIR/..
 COPY packaging/rpm .
 COPY deployments/systemd/ .
 
-ARG LIBNVIDIA_CONTAINER_TOOLS_VERSION
-ENV LIBNVIDIA_CONTAINER_TOOLS_VERSION ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}
-
 CMD arch=$(uname -m) && \
     rpmbuild --clean --target=$arch -bb \
              -D "_topdir $PWD" \
              -D "release_date $(date +'%a %b %d %Y')" \
              -D "git_commit ${GIT_COMMIT}" \
              -D "version ${PKG_VERS}" \
-             -D "libnvidia_container_tools_version ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}" \
              -D "release ${PKG_REV}" \
              SPECS/nvidia-container-toolkit.spec && \
     mv RPMS/$arch/*.rpm /dist

docker/Dockerfile.rpm-yum

@@ -73,16 +73,12 @@ WORKDIR $DIST_DIR/..
 COPY packaging/rpm .
 COPY deployments/systemd/ ${DIST_DIR}/
 
-ARG LIBNVIDIA_CONTAINER_TOOLS_VERSION
-ENV LIBNVIDIA_CONTAINER_TOOLS_VERSION ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}
-
 CMD arch=$(uname -m) && \
     rpmbuild --clean --target=$arch -bb \
              -D "_topdir $PWD" \
              -D "release_date $(date +'%a %b %d %Y')" \
              -D "git_commit ${GIT_COMMIT}" \
              -D "version ${PKG_VERS}" \
-             -D "libnvidia_container_tools_version ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}" \
              -D "release ${PKG_REV}" \
              SPECS/nvidia-container-toolkit.spec && \
     mv RPMS/$arch/*.rpm /dist

docker/Dockerfile.ubuntu

@@ -55,17 +55,14 @@ WORKDIR $DIST_DIR
 COPY packaging/debian ./debian
 COPY deployments/systemd/ .
 
-ARG LIBNVIDIA_CONTAINER_TOOLS_VERSION
-ENV LIBNVIDIA_CONTAINER_TOOLS_VERSION ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}
-
 RUN dch --create --package="${PKG_NAME}" \
         --newversion "${REVISION}" \
-            "See https://gitlab.com/nvidia/container-toolkit/container-toolkit/-/blob/${GIT_COMMIT}/CHANGELOG.md for the changelog" && \
-    dch --append "Bump libnvidia-container dependency to ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}" && \
+            "See https://github.com/NVIDIA/nvidia-container-toolkit/blob/${GIT_COMMIT}/CHANGELOG.md for the changelog" && \
+    dch --append "Bump libnvidia-container dependency to ${REVISION}" && \
     dch -r "" && \
     if [ "$REVISION" != "$(dpkg-parsechangelog --show-field=Version)" ]; then exit 1; fi
 
 CMD export DISTRIB="$(lsb_release -cs)" && \
-    debuild -eDISTRIB -eSECTION -eLIBNVIDIA_CONTAINER_TOOLS_VERSION -eVERSION="${REVISION}" \
+    debuild -eDISTRIB -eSECTION -eVERSION="${REVISION}" \
     --dpkg-buildpackage-hook='sh debian/prepare' -i -us -uc -b && \
     mv /tmp/*.deb /dist

docker/docker.mk

@@ -85,11 +85,6 @@ docker-all: $(AMD64_TARGETS) $(X86_64_TARGETS) \
 --%: docker-build-%
 	@
 
-LIBNVIDIA_CONTAINER_VERSION ?= $(LIB_VERSION)
-LIBNVIDIA_CONTAINER_TAG ?= $(LIB_TAG)
-
-LIBNVIDIA_CONTAINER_TOOLS_VERSION := $(LIBNVIDIA_CONTAINER_VERSION)$(if $(LIBNVIDIA_CONTAINER_TAG),~$(LIBNVIDIA_CONTAINER_TAG))-1
-
 # private ubuntu target
 --ubuntu%: OS := ubuntu
 
@@ -129,7 +124,6 @@ docker-build-%:
 	    --build-arg PKG_NAME="$(LIB_NAME)" \
 	    --build-arg PKG_VERS="$(PACKAGE_VERSION)" \
 	    --build-arg PKG_REV="$(PACKAGE_REVISION)" \
-	    --build-arg LIBNVIDIA_CONTAINER_TOOLS_VERSION="$(LIBNVIDIA_CONTAINER_TOOLS_VERSION)" \
 	    --build-arg GIT_COMMIT="$(GIT_COMMIT)" \
 	    --tag $(BUILDIMAGE) \
 	    --file $(DOCKERFILE) .

go.mod

@@ -27,7 +27,6 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
-	github.com/opencontainers/cgroups v0.0.1 // indirect
 	github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect

go.sum

@@ -37,8 +37,6 @@ github.com/moby/sys/reexec v0.1.0/go.mod h1:EqjBg8F3X7iZe5pU6nRZnYCMUTXoxsjiIfHu
 github.com/moby/sys/symlink v0.3.0 h1:GZX89mEZ9u53f97npBy4Rc3vJKj7JBDj/PN2I22GrNU=
 github.com/moby/sys/symlink v0.3.0/go.mod h1:3eNdhduHmYPcgsJtZXW1W4XUJdZGBIkttZ8xKqPUJq0=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/cgroups v0.0.1 h1:MXjMkkFpKv6kpuirUa4USFBas573sSAY082B4CiHEVA=
-github.com/opencontainers/cgroups v0.0.1/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs=
 github.com/opencontainers/runc v1.3.0 h1:cvP7xbEvD0QQAs0nZKLzkVog2OPZhI/V2w3WmTmUSXI=
 github.com/opencontainers/runc v1.3.0/go.mod h1:9wbWt42gV+KRxKRVVugNP6D5+PQciRbenB4fLVsqGPs=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=

hack/pull-packages.sh

@@ -53,6 +53,6 @@ docker run --rm \
     -v $(pwd):$(pwd) \
     -w $(pwd) \
     -u $(id -u):$(id -g) \
-    --entrypoint="bash" \
+    --entrypoint="sh" \
         ${IMAGE} \
-        -c "cp --preserve=timestamps -R /artifacts/* ${DIST_DIR}"
+        -c "cp -p -R /artifacts/* ${DIST_DIR}"

internal/config/config.go

@@ -31,8 +31,10 @@ import (
 )
 
 const (
-	configOverride = "XDG_CONFIG_HOME"
-	configFilePath = "nvidia-container-runtime/config.toml"
+	FilePathOverrideEnvVar = "NVIDIA_CTK_CONFIG_FILE_PATH"
+	RelativeFilePath       = "nvidia-container-runtime/config.toml"
+
+	configRootOverride = "XDG_CONFIG_HOME"
 
 	nvidiaCTKExecutable          = "nvidia-ctk"
 	nvidiaCTKDefaultFilePath     = "/usr/bin/nvidia-ctk"
@@ -74,11 +76,15 @@ type Config struct {
 
 // GetConfigFilePath returns the path to the config file for the configured system
 func GetConfigFilePath() string {
-	if XDGConfigDir := os.Getenv(configOverride); len(XDGConfigDir) != 0 {
-		return filepath.Join(XDGConfigDir, configFilePath)
+	if configFilePathOverride := os.Getenv(FilePathOverrideEnvVar); configFilePathOverride != "" {
+		return configFilePathOverride
+	}
+	configRoot := "/etc"
+	if XDGConfigDir := os.Getenv(configRootOverride); len(XDGConfigDir) != 0 {
+		configRoot = XDGConfigDir
 	}
 
-	return filepath.Join("/etc", configFilePath)
+	return filepath.Join(configRoot, RelativeFilePath)
 }
 
 // GetConfig sets up the config struct. Values are read from a toml file

internal/config/config_test.go

@@ -27,9 +27,26 @@ import (
 
 func TestGetConfigWithCustomConfig(t *testing.T) {
 	testDir := t.TempDir()
-	t.Setenv(configOverride, testDir)
+	t.Setenv(configRootOverride, testDir)
 
-	filename := filepath.Join(testDir, configFilePath)
+	filename := filepath.Join(testDir, RelativeFilePath)
+
+	// By default debug is disabled
+	contents := []byte("[nvidia-container-runtime]\ndebug = \"/nvidia-container-toolkit.log\"")
+
+	require.NoError(t, os.MkdirAll(filepath.Dir(filename), 0766))
+	require.NoError(t, os.WriteFile(filename, contents, 0600))
+
+	cfg, err := GetConfig()
+	require.NoError(t, err)
+	require.Equal(t, "/nvidia-container-toolkit.log", cfg.NVIDIAContainerRuntimeConfig.DebugFilePath)
+}
+
+func TestGetConfigWithConfigFilePathOverride(t *testing.T) {
+	testDir := t.TempDir()
+	filename := filepath.Join(testDir, RelativeFilePath)
+
+	t.Setenv(FilePathOverrideEnvVar, filename)
 
 	// By default debug is disabled
 	contents := []byte("[nvidia-container-runtime]\ndebug = \"/nvidia-container-toolkit.log\"")

internal/discover/cache.go

@@ -23,6 +23,7 @@ type cache struct {
 
 	sync.Mutex
 	devices []Device
+	envVars []EnvVar
 	hooks   []Hook
 	mounts  []Mount
 }
@@ -51,6 +52,20 @@ func (c *cache) Devices() ([]Device, error) {
 	return c.devices, nil
 }
 
+func (c *cache) EnvVars() ([]EnvVar, error) {
+	c.Lock()
+	defer c.Unlock()
+
+	if c.envVars == nil {
+		envVars, err := c.d.EnvVars()
+		if err != nil {
+			return nil, err
+		}
+		c.envVars = envVars
+	}
+	return c.envVars, nil
+}
+
 func (c *cache) Hooks() ([]Hook, error) {
 	c.Lock()
 	defer c.Unlock()

internal/discover/discover.go

@@ -22,6 +22,12 @@ type Device struct {
 	Path     string
 }
 
+// EnvVar represents a discovered environment variable.
+type EnvVar struct {
+	Name  string
+	Value string
+}
+
 // Mount represents a discovered mount.
 type Mount struct {
 	HostPath string
@@ -42,6 +48,7 @@ type Hook struct {
 //go:generate moq -rm -fmt=goimports -stub -out discover_mock.go . Discover
 type Discover interface {
 	Devices() ([]Device, error)
+	EnvVars() ([]EnvVar, error)
 	Mounts() ([]Mount, error)
 	Hooks() ([]Hook, error)
 }

internal/discover/discover_mock.go

@@ -20,6 +20,9 @@ var _ Discover = &DiscoverMock{}
 //			DevicesFunc: func() ([]Device, error) {
 //				panic("mock out the Devices method")
 //			},
+//			EnvVarsFunc: func() ([]EnvVar, error) {
+//				panic("mock out the EnvVars method")
+//			},
 //			HooksFunc: func() ([]Hook, error) {
 //				panic("mock out the Hooks method")
 //			},
@@ -36,6 +39,9 @@ type DiscoverMock struct {
 	// DevicesFunc mocks the Devices method.
 	DevicesFunc func() ([]Device, error)
 
+	// EnvVarsFunc mocks the EnvVars method.
+	EnvVarsFunc func() ([]EnvVar, error)
+
 	// HooksFunc mocks the Hooks method.
 	HooksFunc func() ([]Hook, error)
 
@@ -47,6 +53,9 @@ type DiscoverMock struct {
 		// Devices holds details about calls to the Devices method.
 		Devices []struct {
 		}
+		// EnvVars holds details about calls to the EnvVars method.
+		EnvVars []struct {
+		}
 		// Hooks holds details about calls to the Hooks method.
 		Hooks []struct {
 		}
@@ -55,6 +64,7 @@ type DiscoverMock struct {
 		}
 	}
 	lockDevices sync.RWMutex
+	lockEnvVars sync.RWMutex
 	lockHooks   sync.RWMutex
 	lockMounts  sync.RWMutex
 }
@@ -90,6 +100,37 @@ func (mock *DiscoverMock) DevicesCalls() []struct {
 	return calls
 }
 
+// EnvVars calls EnvVarsFunc.
+func (mock *DiscoverMock) EnvVars() ([]EnvVar, error) {
+	callInfo := struct {
+	}{}
+	mock.lockEnvVars.Lock()
+	mock.calls.EnvVars = append(mock.calls.EnvVars, callInfo)
+	mock.lockEnvVars.Unlock()
+	if mock.EnvVarsFunc == nil {
+		var (
+			envVarsOut []EnvVar
+			errOut     error
+		)
+		return envVarsOut, errOut
+	}
+	return mock.EnvVarsFunc()
+}
+
+// EnvVarsCalls gets all the calls that were made to EnvVars.
+// Check the length with:
+//
+//	len(mockedDiscover.EnvVarsCalls())
+func (mock *DiscoverMock) EnvVarsCalls() []struct {
+} {
+	var calls []struct {
+	}
+	mock.lockEnvVars.RLock()
+	calls = mock.calls.EnvVars
+	mock.lockEnvVars.RUnlock()
+	return calls
+}
+
 // Hooks calls HooksFunc.
 func (mock *DiscoverMock) Hooks() ([]Hook, error) {
 	callInfo := struct {

internal/discover/envvar.go

@@ -0,0 +1,41 @@
+/**
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package discover
+
+var _ Discover = (*EnvVar)(nil)
+
+// Devices returns an empty list of devices for a EnvVar discoverer.
+func (e EnvVar) Devices() ([]Device, error) {
+	return nil, nil
+}
+
+// EnvVars returns an empty list of envs for a EnvVar discoverer.
+func (e EnvVar) EnvVars() ([]EnvVar, error) {
+	return []EnvVar{e}, nil
+}
+
+// Mounts returns an empty list of mounts for a EnvVar discoverer.
+func (e EnvVar) Mounts() ([]Mount, error) {
+	return nil, nil
+}
+
+// Hooks allows the Hook type to also implement the Discoverer interface.
+// It returns a single hook
+func (e EnvVar) Hooks() ([]Hook, error) {
+	return nil, nil
+}

internal/discover/first-valid.go

@@ -45,6 +45,19 @@ func (f firstOf) Devices() ([]Device, error) {
 	return nil, errs
 }
 
+func (f firstOf) EnvVars() ([]EnvVar, error) {
+	var errs error
+	for _, d := range f {
+		envs, err := d.EnvVars()
+		if err != nil {
+			errs = errors.Join(errs, err)
+			continue
+		}
+		return envs, nil
+	}
+	return nil, errs
+}
+
 func (f firstOf) Hooks() ([]Hook, error) {
 	var errs error
 	for _, d := range f {

internal/discover/hooks.go

@@ -46,6 +46,9 @@ const (
 	// An UpdateLDCacheHook is the hook used to update the ldcache in the
 	// container. This allows injected libraries to be discoverable.
 	UpdateLDCacheHook = HookName("update-ldcache")
+	// A CreateSonameSymlinksHook is the hook used to ensure that soname symlinks
+	// for injected libraries exist in the container.
+	CreateSonameSymlinksHook = HookName("create-soname-symlinks")
 
 	defaultNvidiaCDIHookPath = "/usr/bin/nvidia-cdi-hook"
 )
@@ -57,6 +60,11 @@ func (h *Hook) Devices() ([]Device, error) {
 	return nil, nil
 }
 
+// EnvVars returns an empty list of envs for a Hook discoverer.
+func (h *Hook) EnvVars() ([]EnvVar, error) {
+	return nil, nil
+}
+
 // Mounts returns an empty list of mounts for a Hook discoverer.
 func (h *Hook) Mounts() ([]Mount, error) {
 	return nil, nil

internal/discover/ldconfig.go

@@ -51,28 +51,22 @@ func (d ldconfig) Hooks() ([]Hook, error) {
 		return nil, fmt.Errorf("failed to discover mounts for ldcache update: %v", err)
 	}
 
-	h := createLDCacheUpdateHook(
-		d.hookCreator,
-		d.ldconfigPath,
-		getLibraryPaths(mounts),
-	)
-
-	return h.Hooks()
-}
-
-// createLDCacheUpdateHook locates the NVIDIA Container Toolkit CLI and creates a hook for updating the LD Cache
-func createLDCacheUpdateHook(hookCreator HookCreator, ldconfig string, libraries []string) *Hook {
 	var args []string
 
-	if ldconfig != "" {
-		args = append(args, "--ldconfig-path", ldconfig)
+	if d.ldconfigPath != "" {
+		args = append(args, "--ldconfig-path", d.ldconfigPath)
 	}
 
-	for _, f := range uniqueFolders(libraries) {
+	for _, f := range uniqueFolders(getLibraryPaths(mounts)) {
 		args = append(args, "--folder", f)
 	}
 
-	return hookCreator.Create(UpdateLDCacheHook, args...)
+	h := Merge(
+		d.hookCreator.Create(CreateSonameSymlinksHook, args...),
+		d.hookCreator.Create(UpdateLDCacheHook, args...),
+	)
+
+	return h.Hooks()
 }
 
 // getLibraryPaths extracts the library dirs from the specified mounts

internal/discover/ldconfig_test.go

@@ -39,11 +39,24 @@ func TestLDCacheUpdateHook(t *testing.T) {
 		mounts        []Mount
 		mountError    error
 		expectedError error
-		expectedArgs  []string
+		expectedHooks []Hook
 	}{
 		{
-			description:  "empty mounts",
-			expectedArgs: []string{"nvidia-cdi-hook", "update-ldcache"},
+			description: "empty mounts",
+			expectedHooks: []Hook{
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "create-soname-symlinks"},
+					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
+				},
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "update-ldcache"},
+					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
+				},
+			},
 		},
 		{
 			description:   "mount error",
@@ -66,7 +79,20 @@ func TestLDCacheUpdateHook(t *testing.T) {
 					Path: "/usr/local/lib/libbar.so",
 				},
 			},
-			expectedArgs: []string{"nvidia-cdi-hook", "update-ldcache", "--folder", "/usr/local/lib", "--folder", "/usr/local/libother"},
+			expectedHooks: []Hook{
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "create-soname-symlinks", "--folder", "/usr/local/lib", "--folder", "/usr/local/libother"},
+					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
+				},
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "update-ldcache", "--folder", "/usr/local/lib", "--folder", "/usr/local/libother"},
+					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
+				},
+			},
 		},
 		{
 			description: "host paths are ignored",
@@ -76,12 +102,38 @@ func TestLDCacheUpdateHook(t *testing.T) {
 					Path:     "/usr/local/lib/libfoo.so",
 				},
 			},
-			expectedArgs: []string{"nvidia-cdi-hook", "update-ldcache", "--folder", "/usr/local/lib"},
+			expectedHooks: []Hook{
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "create-soname-symlinks", "--folder", "/usr/local/lib"},
+					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
+				},
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "update-ldcache", "--folder", "/usr/local/lib"},
+					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
+				},
+			},
 		},
 		{
 			description:  "explicit ldconfig path is passed",
 			ldconfigPath: testLdconfigPath,
-			expectedArgs: []string{"nvidia-cdi-hook", "update-ldcache", "--ldconfig-path", testLdconfigPath},
+			expectedHooks: []Hook{
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "create-soname-symlinks", "--ldconfig-path", testLdconfigPath},
+					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
+				},
+				{
+					Lifecycle: "createContainer",
+					Path:      testNvidiaCDIHookPath,
+					Args:      []string{"nvidia-cdi-hook", "update-ldcache", "--ldconfig-path", testLdconfigPath},
+					Env:       []string{"NVIDIA_CTK_DEBUG=false"},
+				},
+			},
 		},
 	}
 
@@ -92,13 +144,6 @@ func TestLDCacheUpdateHook(t *testing.T) {
 					return tc.mounts, tc.mountError
 				},
 			}
-			expectedHook := Hook{
-				Path:      testNvidiaCDIHookPath,
-				Args:      tc.expectedArgs,
-				Lifecycle: "createContainer",
-				Env:       []string{"NVIDIA_CTK_DEBUG=false"},
-			}
-
 			d, err := NewLDCacheUpdateHook(logger, mountMock, hookCreator, tc.ldconfigPath)
 			require.NoError(t, err)
 
@@ -112,9 +157,7 @@ func TestLDCacheUpdateHook(t *testing.T) {
 			}
 
 			require.NoError(t, err)
-			require.Len(t, hooks, 1)
-
-			require.EqualValues(t, hooks[0], expectedHook)
+			require.EqualValues(t, tc.expectedHooks, hooks)
 
 			devices, err := d.Devices()
 			require.NoError(t, err)

internal/discover/list.go

@@ -53,6 +53,21 @@ func (d list) Devices() ([]Device, error) {
 	return allDevices, nil
 }
 
+// EnvVars returns all environment variables from the included discoverers.
+func (d list) EnvVars() ([]EnvVar, error) {
+	var allEnvs []EnvVar
+
+	for i, di := range d {
+		envs, err := di.EnvVars()
+		if err != nil {
+			return nil, fmt.Errorf("error discovering envs for discoverer %v: %w", i, err)
+		}
+		allEnvs = append(allEnvs, envs...)
+	}
+
+	return allEnvs, nil
+}
+
 // Mounts returns all mounts from the included discoverers
 func (d list) Mounts() ([]Mount, error) {
 	var allMounts []Mount

internal/discover/none.go

@@ -27,6 +27,11 @@ func (e None) Devices() ([]Device, error) {
 	return nil, nil
 }
 
+// EnvVars returns an empty list of devices
+func (e None) EnvVars() ([]EnvVar, error) {
+	return nil, nil
+}
+
 // Mounts returns an empty list of mounts
 func (e None) Mounts() ([]Mount, error) {
 	return nil, nil

internal/edits/device.go

@@ -20,8 +20,6 @@ import (
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 	"tags.cncf.io/container-device-interface/specs-go"
 
-	"github.com/opencontainers/runc/libcontainer/devices"
-
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 )
 
@@ -45,37 +43,19 @@ func (d device) toEdits() (*cdi.ContainerEdits, error) {
 // toSpec converts a discovered Device to a CDI Spec Device. Note
 // that missing info is filled in when edits are applied by querying the Device node.
 func (d device) toSpec() (*specs.DeviceNode, error) {
-	s := d.fromPathOrDefault()
 	// The HostPath field was added in the v0.5.0 CDI specification.
 	// The cdi package uses strict unmarshalling when loading specs from file causing failures for
 	// unexpected fields.
 	// Since the behaviour for HostPath == "" and HostPath == Path are equivalent, we clear HostPath
 	// if it is equal to Path to ensure compatibility with the widest range of specs.
-	if s.HostPath == d.Path {
-		s.HostPath = ""
+	hostPath := d.HostPath
+	if hostPath == d.Path {
+		hostPath = ""
 	}
-
-	return s, nil
-}
-
-// fromPathOrDefault attempts to return the returns the information about the
-// CDI device from the specified host path.
-// If this fails a minimal device is returned so that this information can be
-// queried by the container runtime such as containerd.
-func (d device) fromPathOrDefault() *specs.DeviceNode {
-	dn, err := devices.DeviceFromPath(d.HostPath, "rwm")
-	if err != nil {
-		return &specs.DeviceNode{
-			HostPath: d.HostPath,
-			Path:     d.Path,
-		}
-	}
-
-	return &specs.DeviceNode{
-		HostPath: d.HostPath,
+	s := specs.DeviceNode{
+		HostPath: hostPath,
 		Path:     d.Path,
-		Major:    dn.Major,
-		Minor:    dn.Minor,
-		FileMode: &dn.FileMode,
 	}
+
+	return &s, nil
 }

internal/edits/edits.go

@@ -55,6 +55,11 @@ func FromDiscoverer(d discover.Discover) (*cdi.ContainerEdits, error) {
 		return nil, fmt.Errorf("failed to discover devices: %v", err)
 	}
 
+	envs, err := d.EnvVars()
+	if err != nil {
+		return nil, fmt.Errorf("failed to discover environment variables: %w", err)
+	}
+
 	mounts, err := d.Mounts()
 	if err != nil {
 		return nil, fmt.Errorf("failed to discover mounts: %v", err)
@@ -74,6 +79,10 @@ func FromDiscoverer(d discover.Discover) (*cdi.ContainerEdits, error) {
 		c.Append(edits)
 	}
 
+	for _, e := range envs {
+		c.Append(envvar(e).toEdits())
+	}
+
 	for _, m := range mounts {
 		c.Append(mount(m).toEdits())
 	}

internal/edits/envvar.go

@@ -0,0 +1,39 @@
+/**
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package edits
+
+import (
+	"fmt"
+
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+	"tags.cncf.io/container-device-interface/specs-go"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
+)
+
+type envvar discover.EnvVar
+
+// toEdits converts a discovered envvar to CDI Container Edits.
+func (d envvar) toEdits() *cdi.ContainerEdits {
+	e := cdi.ContainerEdits{
+		ContainerEdits: &specs.ContainerEdits{
+			Env: []string{fmt.Sprintf("%s=%s", d.Name, d.Value)},
+		},
+	}
+	return &e
+}

internal/info/auto.go

@@ -23,34 +23,114 @@ import (
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
 )
 
-// ResolveAutoMode determines the correct mode for the platform if set to "auto"
-func ResolveAutoMode(logger logger.Interface, mode string, image image.CUDA) (rmode string) {
-	return resolveMode(logger, mode, image, nil)
+// A RuntimeMode is used to select a specific mode of operation for the NVIDIA Container Runtime.
+type RuntimeMode string
+
+const (
+	// In LegacyRuntimeMode the nvidia-container-runtime injects the
+	// nvidia-container-runtime-hook as a prestart hook into the incoming
+	// container config. This hook invokes the nvidia-container-cli to perform
+	// the required modifications to the container.
+	LegacyRuntimeMode = RuntimeMode("legacy")
+	// In CSVRuntimeMode the nvidia-container-runtime processes a set of CSV
+	// files to determine which container modification are required. The
+	// contents of these CSV files are used to generate an in-memory CDI
+	// specification which is used to modify the container config.
+	CSVRuntimeMode = RuntimeMode("csv")
+	// In CDIRuntimeMode the nvidia-container-runtime applies the modifications
+	// to the container config required for the requested CDI devices in the
+	// same way that other CDI clients would.
+	CDIRuntimeMode = RuntimeMode("cdi")
+	// In JitCDIRuntimeMode the nvidia-container-runtime generates in-memory CDI
+	// specifications for requested NVIDIA devices.
+	JitCDIRuntimeMode = RuntimeMode("jit-cdi")
+)
+
+type RuntimeModeResolver interface {
+	ResolveRuntimeMode(string) RuntimeMode
 }
 
-func resolveMode(logger logger.Interface, mode string, image image.CUDA, propertyExtractor info.PropertyExtractor) (rmode string) {
+type modeResolver struct {
+	logger logger.Interface
+	// TODO: This only needs to consider the requested devices.
+	image             *image.CUDA
+	propertyExtractor info.PropertyExtractor
+	defaultMode       RuntimeMode
+}
+
+type Option func(*modeResolver)
+
+func WithDefaultMode(defaultMode RuntimeMode) Option {
+	return func(mr *modeResolver) {
+		mr.defaultMode = defaultMode
+	}
+}
+
+func WithLogger(logger logger.Interface) Option {
+	return func(mr *modeResolver) {
+		mr.logger = logger
+	}
+}
+
+func WithImage(image *image.CUDA) Option {
+	return func(mr *modeResolver) {
+		mr.image = image
+	}
+}
+
+func WithPropertyExtractor(propertyExtractor info.PropertyExtractor) Option {
+	return func(mr *modeResolver) {
+		mr.propertyExtractor = propertyExtractor
+	}
+}
+
+func NewRuntimeModeResolver(opts ...Option) RuntimeModeResolver {
+	r := &modeResolver{
+		defaultMode: JitCDIRuntimeMode,
+	}
+	for _, opt := range opts {
+		opt(r)
+	}
+	if r.logger == nil {
+		r.logger = &logger.NullLogger{}
+	}
+
+	return r
+}
+
+// ResolveAutoMode determines the correct mode for the platform if set to "auto"
+func ResolveAutoMode(logger logger.Interface, mode string, image image.CUDA) (rmode RuntimeMode) {
+	r := modeResolver{
+		logger:            logger,
+		image:             &image,
+		propertyExtractor: nil,
+	}
+	return r.ResolveRuntimeMode(mode)
+}
+
+func (m *modeResolver) ResolveRuntimeMode(mode string) (rmode RuntimeMode) {
 	if mode != "auto" {
-		logger.Infof("Using requested mode '%s'", mode)
-		return mode
+		m.logger.Infof("Using requested mode '%s'", mode)
+		return RuntimeMode(mode)
 	}
 	defer func() {
-		logger.Infof("Auto-detected mode as '%v'", rmode)
+		m.logger.Infof("Auto-detected mode as '%v'", rmode)
 	}()
 
-	if image.OnlyFullyQualifiedCDIDevices() {
-		return "cdi"
+	if m.image.OnlyFullyQualifiedCDIDevices() {
+		return CDIRuntimeMode
 	}
 
 	nvinfo := info.New(
-		info.WithLogger(logger),
-		info.WithPropertyExtractor(propertyExtractor),
+		info.WithLogger(m.logger),
+		info.WithPropertyExtractor(m.propertyExtractor),
 	)
 
 	switch nvinfo.ResolvePlatform() {
 	case info.PlatformNVML, info.PlatformWSL:
-		return "legacy"
+		return m.defaultMode
 	case info.PlatformTegra:
-		return "csv"
+		return CSVRuntimeMode
 	}
-	return "legacy"
+	return m.defaultMode
 }

internal/info/auto_test.go

@@ -43,11 +43,16 @@ func TestResolveAutoMode(t *testing.T) {
 			mode:         "not-auto",
 			expectedMode: "not-auto",
 		},
+		{
+			description:  "legacy resolves to legacy",
+			mode:         "legacy",
+			expectedMode: "legacy",
+		},
 		{
 			description:  "no info defaults to legacy",
 			mode:         "auto",
 			info:         map[string]bool{},
-			expectedMode: "legacy",
+			expectedMode: "jit-cdi",
 		},
 		{
 			description: "non-nvml, non-tegra, nvgpu resolves to csv",
@@ -80,14 +85,14 @@ func TestResolveAutoMode(t *testing.T) {
 			expectedMode: "csv",
 		},
 		{
-			description: "nvml, non-tegra, non-nvgpu resolves to legacy",
+			description: "nvml, non-tegra, non-nvgpu resolves to jit-cdi",
 			mode:        "auto",
 			info: map[string]bool{
 				"nvml":  true,
 				"tegra": false,
 				"nvgpu": false,
 			},
-			expectedMode: "legacy",
+			expectedMode: "jit-cdi",
 		},
 		{
 			description: "nvml, non-tegra, nvgpu resolves to csv",
@@ -100,14 +105,14 @@ func TestResolveAutoMode(t *testing.T) {
 			expectedMode: "csv",
 		},
 		{
-			description: "nvml, tegra, non-nvgpu resolves to legacy",
+			description: "nvml, tegra, non-nvgpu resolves to jit-cdi",
 			mode:        "auto",
 			info: map[string]bool{
 				"nvml":  true,
 				"tegra": true,
 				"nvgpu": false,
 			},
-			expectedMode: "legacy",
+			expectedMode: "jit-cdi",
 		},
 		{
 			description: "nvml, tegra, nvgpu resolves to csv",
@@ -136,7 +141,7 @@ func TestResolveAutoMode(t *testing.T) {
 			},
 		},
 		{
-			description: "at least one non-cdi device resolves to legacy",
+			description: "at least one non-cdi device resolves to jit-cdi",
 			mode:        "auto",
 			envmap: map[string]string{
 				"NVIDIA_VISIBLE_DEVICES": "nvidia.com/gpu=0,0",
@@ -146,7 +151,7 @@ func TestResolveAutoMode(t *testing.T) {
 				"tegra": false,
 				"nvgpu": false,
 			},
-			expectedMode: "legacy",
+			expectedMode: "jit-cdi",
 		},
 		{
 			description: "at least one non-cdi device resolves to csv",
@@ -170,7 +175,7 @@ func TestResolveAutoMode(t *testing.T) {
 			expectedMode: "cdi",
 		},
 		{
-			description: "cdi mount and non-CDI devices resolves to legacy",
+			description: "cdi mount and non-CDI devices resolves to jit-cdi",
 			mode:        "auto",
 			mounts: []string{
 				"/var/run/nvidia-container-devices/cdi/nvidia.com/gpu/0",
@@ -181,7 +186,7 @@ func TestResolveAutoMode(t *testing.T) {
 				"tegra": false,
 				"nvgpu": false,
 			},
-			expectedMode: "legacy",
+			expectedMode: "jit-cdi",
 		},
 		{
 			description: "cdi mount and non-CDI envvar resolves to cdi",
@@ -199,22 +204,6 @@ func TestResolveAutoMode(t *testing.T) {
 			},
 			expectedMode: "cdi",
 		},
-		{
-			description: "non-cdi mount and CDI envvar resolves to legacy",
-			mode:        "auto",
-			envmap: map[string]string{
-				"NVIDIA_VISIBLE_DEVICES": "nvidia.com/gpu=0",
-			},
-			mounts: []string{
-				"/var/run/nvidia-container-devices/0",
-			},
-			info: map[string]bool{
-				"nvml":  true,
-				"tegra": false,
-				"nvgpu": false,
-			},
-			expectedMode: "legacy",
-		},
 	}
 
 	for _, tc := range testCases {
@@ -251,7 +240,12 @@ func TestResolveAutoMode(t *testing.T) {
 				image.WithAcceptDeviceListAsVolumeMounts(true),
 				image.WithAcceptEnvvarUnprivileged(true),
 			)
-			mode := resolveMode(logger, tc.mode, image, properties)
+			mr := NewRuntimeModeResolver(
+				WithLogger(logger),
+				WithImage(&image),
+				WithPropertyExtractor(properties),
+			)
+			mode := mr.ResolveRuntimeMode(tc.mode)
 			require.EqualValues(t, tc.expectedMode, mode)
 		})
 	}

internal/ldconfig/ldconfig.go

@@ -0,0 +1,206 @@
+/**
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package ldconfig
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+)
+
+const (
+	// ldsoconfdFilenamePattern specifies the pattern for the filename
+	// in ld.so.conf.d that includes references to the specified directories.
+	// The 00-nvcr prefix is chosen to ensure that these libraries have a
+	// higher precedence than other libraries on the system, but lower than
+	// the 00-cuda-compat that is included in some containers.
+	ldsoconfdFilenamePattern = "00-nvcr-*.conf"
+)
+
+type Ldconfig struct {
+	ldconfigPath string
+	inRoot       string
+}
+
+// NewRunner creates an exec.Cmd that can be used to run ldconfig.
+func NewRunner(id string, ldconfigPath string, containerRoot string, additionalargs ...string) (*exec.Cmd, error) {
+	args := []string{
+		id,
+		strings.TrimPrefix(config.NormalizeLDConfigPath("@"+ldconfigPath), "@"),
+		containerRoot,
+	}
+	args = append(args, additionalargs...)
+
+	return createReexecCommand(args)
+}
+
+// New creates an Ldconfig struct that is used to perform operations on the
+// ldcache and libraries in a particular root (e.g. a container).
+func New(ldconfigPath string, inRoot string) (*Ldconfig, error) {
+	l := &Ldconfig{
+		ldconfigPath: ldconfigPath,
+		inRoot:       inRoot,
+	}
+	if ldconfigPath == "" {
+		return nil, fmt.Errorf("an ldconfig path must be specified")
+	}
+	if inRoot == "" || inRoot == "/" {
+		return nil, fmt.Errorf("ldconfig must be run in the non-system root")
+	}
+	return l, nil
+}
+
+// CreateSonameSymlinks uses ldconfig to create the soname symlinks in the
+// specified directories.
+func (l *Ldconfig) CreateSonameSymlinks(directories ...string) error {
+	if len(directories) == 0 {
+		return nil
+	}
+	ldconfigPath, err := l.prepareRoot()
+	if err != nil {
+		return err
+	}
+
+	args := []string{
+		filepath.Base(ldconfigPath),
+		// Explicitly disable updating the LDCache.
+		"-N",
+		// Specify -n to only process the specified directories.
+		"-n",
+	}
+	args = append(args, directories...)
+
+	return SafeExec(ldconfigPath, args, nil)
+}
+
+func (l *Ldconfig) UpdateLDCache(directories ...string) error {
+	ldconfigPath, err := l.prepareRoot()
+	if err != nil {
+		return err
+	}
+
+	args := []string{
+		filepath.Base(ldconfigPath),
+		// Explicitly specify using /etc/ld.so.conf since the host's ldconfig may
+		// be configured to use a different config file by default.
+		"-f", "/etc/ld.so.conf",
+	}
+
+	if l.ldcacheExists() {
+		args = append(args, "-C", "/etc/ld.so.cache")
+	} else {
+		args = append(args, "-N")
+	}
+
+	// If the ld.so.conf.d directory exists, we create a config file there
+	// containing the required directories, otherwise we add the specified
+	// directories to the ldconfig command directly.
+	if l.ldsoconfdDirectoryExists() {
+		err := createLdsoconfdFile(ldsoconfdFilenamePattern, directories...)
+		if err != nil {
+			return fmt.Errorf("failed to update ld.so.conf.d: %w", err)
+		}
+	} else {
+		args = append(args, directories...)
+	}
+
+	return SafeExec(ldconfigPath, args, nil)
+}
+
+func (l *Ldconfig) prepareRoot() (string, error) {
+	// To prevent leaking the parent proc filesystem, we create a new proc mount
+	// in the specified root.
+	if err := mountProc(l.inRoot); err != nil {
+		return "", fmt.Errorf("error mounting /proc: %w", err)
+	}
+
+	// We mount the host ldconfig before we pivot root since host paths are not
+	// visible after the pivot root operation.
+	ldconfigPath, err := mountLdConfig(l.ldconfigPath, l.inRoot)
+	if err != nil {
+		return "", fmt.Errorf("error mounting host ldconfig: %w", err)
+	}
+
+	// We pivot to the container root for the new process, this further limits
+	// access to the host.
+	if err := pivotRoot(l.inRoot); err != nil {
+		return "", fmt.Errorf("error running pivot_root: %w", err)
+	}
+
+	return ldconfigPath, nil
+}
+
+func (l *Ldconfig) ldcacheExists() bool {
+	if _, err := os.Stat("/etc/ld.so.cache"); err != nil && os.IsNotExist(err) {
+		return false
+	}
+	return true
+}
+
+func (l *Ldconfig) ldsoconfdDirectoryExists() bool {
+	info, err := os.Stat("/etc/ld.so.conf.d")
+	if os.IsNotExist(err) {
+		return false
+	}
+	return info.IsDir()
+}
+
+// createLdsoconfdFile creates a file at /etc/ld.so.conf.d/.
+// The file is created at /etc/ld.so.conf.d/{{ .pattern }} using `CreateTemp` and
+// contains the specified directories on each line.
+func createLdsoconfdFile(pattern string, dirs ...string) error {
+	if len(dirs) == 0 {
+		return nil
+	}
+
+	ldsoconfdDir := "/etc/ld.so.conf.d"
+	if err := os.MkdirAll(ldsoconfdDir, 0755); err != nil {
+		return fmt.Errorf("failed to create ld.so.conf.d: %w", err)
+	}
+
+	configFile, err := os.CreateTemp(ldsoconfdDir, pattern)
+	if err != nil {
+		return fmt.Errorf("failed to create config file: %w", err)
+	}
+	defer func() {
+		_ = configFile.Close()
+	}()
+
+	added := make(map[string]bool)
+	for _, dir := range dirs {
+		if added[dir] {
+			continue
+		}
+		_, err = fmt.Fprintf(configFile, "%s\n", dir)
+		if err != nil {
+			return fmt.Errorf("failed to update config file: %w", err)
+		}
+		added[dir] = true
+	}
+
+	// The created file needs to be world readable for the cases where the container is run as a non-root user.
+	if err := configFile.Chmod(0644); err != nil {
+		return fmt.Errorf("failed to chmod config file: %w", err)
+	}
+
+	return nil
+}

internal/ldconfig/ldconfig_linux.go

@@ -17,7 +17,7 @@
 # limitations under the License.
 **/
 
-package ldcache
+package ldconfig
 
 import (
 	"errors"
@@ -29,8 +29,8 @@ import (
 	"syscall"
 
 	securejoin "github.com/cyphar/filepath-securejoin"
-
 	"github.com/moby/sys/reexec"
+
 	"github.com/opencontainers/runc/libcontainer/utils"
 	"golang.org/x/sys/unix"
 )
@@ -182,7 +182,7 @@ func createTmpFs(target string, size int) error {
 // createReexecCommand creates a command that can be used to trigger the reexec
 // initializer.
 // On linux this command runs in new namespaces.
-func createReexecCommand(args []string) *exec.Cmd {
+func createReexecCommand(args []string) (*exec.Cmd, error) {
 	cmd := reexec.Command(args...)
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
@@ -196,5 +196,5 @@ func createReexecCommand(args []string) *exec.Cmd {
 			syscall.CLONE_NEWNET,
 	}
 
-	return cmd
+	return cmd, nil
 }

internal/ldconfig/ldconfig_other.go

@@ -17,14 +17,11 @@
 # limitations under the License.
 **/
 
-package ldcache
+package ldconfig
 
 import (
 	"fmt"
-	"os"
 	"os/exec"
-
-	"github.com/moby/sys/reexec"
 )
 
 func pivotRoot(newroot string) error {
@@ -39,13 +36,6 @@ func mountProc(newroot string) error {
 	return fmt.Errorf("not supported")
 }
 
-// createReexecCommand creates a command that can be used ot trigger the reexec
-// initializer.
-func createReexecCommand(args []string) *exec.Cmd {
-	cmd := reexec.Command(args...)
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-
-	return cmd
+func createReexecCommand(args []string) (*exec.Cmd, error) {
+	return nil, fmt.Errorf("not supported")
 }

internal/ldconfig/safe-exec_linux.go

@@ -16,7 +16,7 @@
 # limitations under the License.
 **/
 
-package ldcache
+package ldconfig
 
 import (
 	"fmt"

internal/ldconfig/safe-exec_other.go

@@ -16,7 +16,7 @@
 # limitations under the License.
 **/
 
-package ldcache
+package ldconfig
 
 import "syscall"
 

internal/modifier/cdi.go

@@ -18,6 +18,7 @@ package modifier
 
 import (
 	"fmt"
+	"strings"
 
 	"tags.cncf.io/container-device-interface/pkg/parser"
 
@@ -27,17 +28,27 @@ import (
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/modifier/cdi"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi"
-	"github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/spec"
+)
+
+const (
+	automaticDeviceVendor = "runtime.nvidia.com"
+	automaticDeviceClass  = "gpu"
+	automaticDeviceKind   = automaticDeviceVendor + "/" + automaticDeviceClass
+	automaticDevicePrefix = automaticDeviceKind + "="
 )
 
 // NewCDIModifier creates an OCI spec modifier that determines the modifications to make based on the
 // CDI specifications available on the system. The NVIDIA_VISIBLE_DEVICES environment variable is
 // used to select the devices to include.
-func NewCDIModifier(logger logger.Interface, cfg *config.Config, image image.CUDA) (oci.SpecModifier, error) {
+func NewCDIModifier(logger logger.Interface, cfg *config.Config, image image.CUDA, isJitCDI bool) (oci.SpecModifier, error) {
+	defaultKind := cfg.NVIDIAContainerRuntimeConfig.Modes.CDI.DefaultKind
+	if isJitCDI {
+		defaultKind = automaticDeviceKind
+	}
 	deviceRequestor := newCDIDeviceRequestor(
 		logger,
 		image,
-		cfg.NVIDIAContainerRuntimeConfig.Modes.CDI.DefaultKind,
+		defaultKind,
 	)
 	devices := deviceRequestor.DeviceRequests()
 	if len(devices) == 0 {
@@ -107,17 +118,34 @@ func (c *cdiDeviceRequestor) DeviceRequests() []string {
 func filterAutomaticDevices(devices []string) []string {
 	var automatic []string
 	for _, device := range devices {
-		vendor, class, _ := parser.ParseDevice(device)
-		if vendor == "runtime.nvidia.com" && class == "gpu" {
-			automatic = append(automatic, device)
+		if !strings.HasPrefix(device, automaticDevicePrefix) {
+			continue
 		}
+		automatic = append(automatic, device)
 	}
 	return automatic
 }
 
 func newAutomaticCDISpecModifier(logger logger.Interface, cfg *config.Config, devices []string) (oci.SpecModifier, error) {
 	logger.Debugf("Generating in-memory CDI specs for devices %v", devices)
-	spec, err := generateAutomaticCDISpec(logger, cfg, devices)
+
+	var identifiers []string
+	for _, device := range devices {
+		identifiers = append(identifiers, strings.TrimPrefix(device, automaticDevicePrefix))
+	}
+
+	cdilib, err := nvcdi.New(
+		nvcdi.WithLogger(logger),
+		nvcdi.WithNVIDIACDIHookPath(cfg.NVIDIACTKConfig.Path),
+		nvcdi.WithDriverRoot(cfg.NVIDIAContainerCLIConfig.Root),
+		nvcdi.WithVendor(automaticDeviceVendor),
+		nvcdi.WithClass(automaticDeviceClass),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to construct CDI library: %w", err)
+	}
+
+	spec, err := cdilib.GetSpec(identifiers...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate CDI spec: %w", err)
 	}
@@ -132,27 +160,6 @@ func newAutomaticCDISpecModifier(logger logger.Interface, cfg *config.Config, de
 	return cdiDeviceRequestor, nil
 }
 
-func generateAutomaticCDISpec(logger logger.Interface, cfg *config.Config, devices []string) (spec.Interface, error) {
-	cdilib, err := nvcdi.New(
-		nvcdi.WithLogger(logger),
-		nvcdi.WithNVIDIACDIHookPath(cfg.NVIDIACTKConfig.Path),
-		nvcdi.WithDriverRoot(cfg.NVIDIAContainerCLIConfig.Root),
-		nvcdi.WithVendor("runtime.nvidia.com"),
-		nvcdi.WithClass("gpu"),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("failed to construct CDI library: %w", err)
-	}
-
-	var identifiers []string
-	for _, device := range devices {
-		_, _, id := parser.ParseDevice(device)
-		identifiers = append(identifiers, id)
-	}
-
-	return cdilib.GetSpec(identifiers...)
-}
-
 type deduplicatedDeviceRequestor struct {
 	deviceRequestor
 }

internal/modifier/cdi_test.go

@@ -70,6 +70,18 @@ func TestDeviceRequests(t *testing.T) {
 			},
 			expectedDevices: []string{"nvidia.com/gpu=0", "example.com/class=device"},
 		},
+		{
+			description: "cdi devices from envvar with default kind",
+			input: cdiDeviceRequestor{
+				defaultKind: "runtime.nvidia.com/gpu",
+			},
+			spec: &specs.Spec{
+				Process: &specs.Process{
+					Env: []string{"NVIDIA_VISIBLE_DEVICES=all"},
+				},
+			},
+			expectedDevices: []string{"runtime.nvidia.com/gpu=all"},
+		},
 		{
 			description: "no matching annotations",
 			prefixes:    []string{"not-prefix/"},

internal/platform-support/dgpu/by-path-hooks.go

@@ -41,6 +41,11 @@ func (d *byPathHookDiscoverer) Devices() ([]discover.Device, error) {
 	return nil, nil
 }
 
+// EnvVars returns the empty list for the by-path hook discoverer
+func (d *byPathHookDiscoverer) EnvVars() ([]discover.EnvVar, error) {
+	return nil, nil
+}
+
 // Hooks returns the hooks for the GPU device.
 // The following hooks are detected:
 //  1. A hook to create /dev/dri/by-path symlinks

internal/platform-support/dgpu/nvsandboxutils.go

@@ -106,6 +106,10 @@ func (d *nvsandboxutilsDGPU) Devices() ([]discover.Device, error) {
 	return devices, nil
 }
 
+func (d *nvsandboxutilsDGPU) EnvVars() ([]discover.EnvVar, error) {
+	return nil, nil
+}
+
 // Hooks returns a hook to create the by-path symlinks for the discovered devices.
 func (d *nvsandboxutilsDGPU) Hooks() ([]discover.Hook, error) {
 	if len(d.deviceLinks) == 0 {

internal/runtime/runtime_factory.go

@@ -101,14 +101,14 @@ func newSpecModifier(logger logger.Interface, cfg *config.Config, ociSpec oci.Sp
 	return modifiers, nil
 }
 
-func newModeModifier(logger logger.Interface, mode string, cfg *config.Config, image image.CUDA) (oci.SpecModifier, error) {
+func newModeModifier(logger logger.Interface, mode info.RuntimeMode, cfg *config.Config, image image.CUDA) (oci.SpecModifier, error) {
 	switch mode {
-	case "legacy":
+	case info.LegacyRuntimeMode:
 		return modifier.NewStableRuntimeModifier(logger, cfg.NVIDIAContainerRuntimeHookConfig.Path), nil
-	case "csv":
+	case info.CSVRuntimeMode:
 		return modifier.NewCSVModifier(logger, cfg, image)
-	case "cdi":
-		return modifier.NewCDIModifier(logger, cfg, image)
+	case info.CDIRuntimeMode, info.JitCDIRuntimeMode:
+		return modifier.NewCDIModifier(logger, cfg, image, mode == info.JitCDIRuntimeMode)
 	}
 
 	return nil, fmt.Errorf("invalid runtime mode: %v", cfg.NVIDIAContainerRuntimeConfig.Mode)
@@ -119,7 +119,7 @@ func newModeModifier(logger logger.Interface, mode string, cfg *config.Config, i
 // The image is also used to determine the runtime mode to apply.
 // If a non-CDI mode is detected we ensure that the image does not process
 // annotation devices.
-func initRuntimeModeAndImage(logger logger.Interface, cfg *config.Config, ociSpec oci.Spec) (string, *image.CUDA, error) {
+func initRuntimeModeAndImage(logger logger.Interface, cfg *config.Config, ociSpec oci.Spec) (info.RuntimeMode, *image.CUDA, error) {
 	rawSpec, err := ociSpec.Load()
 	if err != nil {
 		return "", nil, fmt.Errorf("failed to load OCI spec: %v", err)
@@ -136,9 +136,13 @@ func initRuntimeModeAndImage(logger logger.Interface, cfg *config.Config, ociSpe
 		return "", nil, err
 	}
 
-	mode := info.ResolveAutoMode(logger, cfg.NVIDIAContainerRuntimeConfig.Mode, image)
+	modeResolver := info.NewRuntimeModeResolver(
+		info.WithLogger(logger),
+		info.WithImage(&image),
+	)
+	mode := modeResolver.ResolveRuntimeMode(cfg.NVIDIAContainerRuntimeConfig.Mode)
 	// We update the mode here so that we can continue passing just the config to other functions.
-	cfg.NVIDIAContainerRuntimeConfig.Mode = mode
+	cfg.NVIDIAContainerRuntimeConfig.Mode = string(mode)
 
 	if mode == "cdi" || len(cfg.NVIDIAContainerRuntimeConfig.Modes.CDI.AnnotationPrefixes) == 0 {
 		return mode, &image, nil
@@ -154,12 +158,12 @@ func initRuntimeModeAndImage(logger logger.Interface, cfg *config.Config, ociSpe
 }
 
 // supportedModifierTypes returns the modifiers supported for a specific runtime mode.
-func supportedModifierTypes(mode string) []string {
+func supportedModifierTypes(mode info.RuntimeMode) []string {
 	switch mode {
-	case "cdi":
+	case info.CDIRuntimeMode, info.JitCDIRuntimeMode:
 		// For CDI mode we make no additional modifications.
 		return []string{"nvidia-hook-remover", "mode"}
-	case "csv":
+	case info.CSVRuntimeMode:
 		// For CSV mode we support mode and feature-gated modification.
 		return []string{"nvidia-hook-remover", "feature-gated", "mode"}
 	default:

packaging/debian/control

@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 9)
 
 Package: nvidia-container-toolkit
 Architecture: any
-Depends: ${misc:Depends}, nvidia-container-toolkit-base (= @VERSION@), libnvidia-container-tools (>= @LIBNVIDIA_CONTAINER_TOOLS_VERSION@), libnvidia-container-tools (<< 2.0.0)
+Depends: ${misc:Depends}, nvidia-container-toolkit-base (= @VERSION@), libnvidia-container-tools (= @VERSION@), libnvidia-container-tools (<< 2.0.0)
 Breaks: nvidia-container-runtime (<= 3.5.0-1), nvidia-container-runtime-hook
 Replaces: nvidia-container-runtime (<= 3.5.0-1), nvidia-container-runtime-hook
 Description: NVIDIA Container toolkit

packaging/debian/prepare

@@ -3,7 +3,6 @@
 set -e
 
 sed -i "s;@SECTION@;${SECTION:+$SECTION/};g" debian/control
-sed -i "s;@LIBNVIDIA_CONTAINER_TOOLS_VERSION@;${LIBNVIDIA_CONTAINER_TOOLS_VERSION:+$LIBNVIDIA_CONTAINER_TOOLS_VERSION};g" debian/control
 sed -i "s;@VERSION@;${VERSION:+$VERSION};g" debian/control
 
 if [ -n "$DISTRIB" ]; then

packaging/rpm/SPECS/nvidia-container-toolkit.spec

@@ -23,7 +23,7 @@ Source8: nvidia-cdi-refresh.path
 Obsoletes: nvidia-container-runtime <= 3.5.0-1, nvidia-container-runtime-hook <= 1.4.0-2
 Provides: nvidia-container-runtime
 Provides: nvidia-container-runtime-hook
-Requires: libnvidia-container-tools >= %{libnvidia_container_tools_version}, libnvidia-container-tools < 2.0.0
+Requires: libnvidia-container-tools == %{version}-%{release}, libnvidia-container-tools < 2.0.0
 Requires: nvidia-container-toolkit-base == %{version}-%{release}
 
 %description
@@ -85,8 +85,8 @@ fi
 %changelog
 # As of 1.10.0-1 we generate the release information automatically
 * %{release_date} NVIDIA CORPORATION <cudatools@nvidia.com> %{version}-%{release}
-- See https://gitlab.com/nvidia/container-toolkit/container-toolkit/-/blob/%{git_commit}/CHANGELOG.md
-- Bump libnvidia-container dependency to libnvidia-container-tools >= %{libnvidia_container_tools_version}
+- See https://github.com/NVIDIA/nvidia-container-toolkit/blob/%{git_commit}/CHANGELOG.md
+- Bump libnvidia-container dependency to libnvidia-container-tools == %{version}-%{release}
 
 # The BASE package consists of the NVIDIA Container Runtime and the NVIDIA Container Toolkit CLI.
 # This allows the package to be installed on systems where no NVIDIA Container CLI is available.

pkg/nvcdi/api.go

@@ -56,6 +56,9 @@ const (
 	EnableCudaCompatHook = discover.EnableCudaCompatHook
 	// An UpdateLDCacheHook is used to update the ldcache in the container.
 	UpdateLDCacheHook = discover.UpdateLDCacheHook
+	// A CreateSonameSymlinksHook is the hook used to ensure that soname symlinks
+	// for injected libraries exist in the container.
+	CreateSonameSymlinksHook = discover.CreateSonameSymlinksHook
 
 	// Deprecated: Use CreateSymlinksHook instead.
 	HookCreateSymlinks = CreateSymlinksHook

pkg/nvcdi/driver-nvml.go

@@ -82,7 +82,7 @@ func (l *nvcdilib) newDriverVersionDiscoverer(version string) (discover.Discover
 
 // NewDriverLibraryDiscoverer creates a discoverer for the libraries associated with the specified driver version.
 func (l *nvcdilib) NewDriverLibraryDiscoverer(version string) (discover.Discover, error) {
-	libraryPaths, err := getVersionLibs(l.logger, l.driver, version)
+	libraryPaths, libCudaDirectoryPath, err := getVersionLibs(l.logger, l.driver, version)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get libraries for driver version: %v", err)
 	}
@@ -116,6 +116,12 @@ func (l *nvcdilib) NewDriverLibraryDiscoverer(version string) (discover.Discover
 	disableDeviceNodeModification := l.hookCreator.Create(DisableDeviceNodeModificationHook)
 	discoverers = append(discoverers, disableDeviceNodeModification)
 
+	environmentVariable := &discover.EnvVar{
+		Name:  "NVIDIA_CTK_LIBCUDA_DIR",
+		Value: libCudaDirectoryPath,
+	}
+	discoverers = append(discoverers, environmentVariable)
+
 	d := discover.Merge(discoverers...)
 
 	return d, nil
@@ -203,39 +209,41 @@ func NewDriverBinariesDiscoverer(logger logger.Interface, driverRoot string) dis
 // getVersionLibs checks the LDCache for libraries ending in the specified driver version.
 // Although the ldcache at the specified driverRoot is queried, the paths are returned relative to this driverRoot.
 // This allows the standard mount location logic to be used for resolving the mounts.
-func getVersionLibs(logger logger.Interface, driver *root.Driver, version string) ([]string, error) {
+func getVersionLibs(logger logger.Interface, driver *root.Driver, version string) ([]string, string, error) {
 	logger.Infof("Using driver version %v", version)
 
 	libCudaPaths, err := cuda.New(
 		driver.Libraries(),
 	).Locate("." + version)
 	if err != nil {
-		return nil, fmt.Errorf("failed to locate libcuda.so.%v: %v", version, err)
+		return nil, "", fmt.Errorf("failed to locate libcuda.so.%v: %v", version, err)
 	}
-	libRoot := filepath.Dir(libCudaPaths[0])
+	libCudaDirectoryPath := filepath.Dir(libCudaPaths[0])
 
 	libraries := lookup.NewFileLocator(
 		lookup.WithLogger(logger),
 		lookup.WithSearchPaths(
-			libRoot,
-			filepath.Join(libRoot, "vdpau"),
+			libCudaDirectoryPath,
+			filepath.Join(libCudaDirectoryPath, "vdpau"),
 		),
 		lookup.WithOptional(true),
 	)
 
 	libs, err := libraries.Locate("*.so." + version)
 	if err != nil {
-		return nil, fmt.Errorf("failed to locate libraries for driver version %v: %v", version, err)
+		return nil, "", fmt.Errorf("failed to locate libraries for driver version %v: %v", version, err)
 	}
 
 	if driver.Root == "/" || driver.Root == "" {
-		return libs, nil
+		return libs, libCudaDirectoryPath, nil
 	}
 
+	libCudaDirectoryPath = driver.RelativeToRoot(libCudaDirectoryPath)
+
 	var relative []string
 	for _, l := range libs {
 		relative = append(relative, strings.TrimPrefix(l, driver.Root))
 	}
 
-	return relative, nil
+	return relative, libCudaDirectoryPath, nil
 }

pkg/nvcdi/workarounds-device-folder-permissions.go

@@ -55,6 +55,11 @@ func (d *deviceFolderPermissions) Devices() ([]discover.Device, error) {
 	return nil, nil
 }
 
+// EnvVars are empty for this discoverer
+func (d *deviceFolderPermissions) EnvVars() ([]discover.EnvVar, error) {
+	return nil, nil
+}
+
 // Hooks returns a set of hooks that sets the file mode to 755 of parent folders for nested device nodes.
 func (d *deviceFolderPermissions) Hooks() ([]discover.Hook, error) {
 	folders, err := d.getDeviceSubfolders()

scripts/extract-packages.sh

@@ -17,7 +17,7 @@
 function assert_usage() {
     echo "Incorrect arguments: $*" >&2
     echo "$(basename "${BASH_SOURCE[0]}") PACKAGE_IMAGE_NAME:PACKAGE_IMAGE_TAG" >&2
-    echo -e "\\tPACKAGE_IMAGE: container image holding packages [e.g. registry.gitlab.com/nvidia/container-toolkit/container-toolkit/staging/container-toolkit]" >&2
+    echo -e "\\tPACKAGE_IMAGE: container image holding packages [e.g. ghcr.io/nvidia/container-toolkit]" >&2
     echo -e "\\tPACKAGE_TAG: tag for container image holding packages. [e.g. 1a2b3c4-packaging]" >&2
     exit 1
 }
@@ -70,9 +70,9 @@ function copy-file() {
         -v "$(pwd):$(pwd)" \
         -w "$(pwd)" \
         -u "$(id -u):$(id -g)" \
-        --entrypoint="bash" \
+        --entrypoint="sh" \
             "${image}" \
-            -c "cp ${path_in_image} ${path_on_host}"
+            -c "cp -p ${path_in_image} ${path_on_host}"
     fi
 }
 

scripts/release-kitmaker-artifactory.sh

@@ -160,7 +160,7 @@ function upload_archive() {
     props+=("platform=${os}-${arch}")
     props+=("changelist=${GIT_COMMIT_SHORT}")
     props+=("branch=${branch}")
-    props+=("source=https://gitlab.com/nvidia/container-toolkit/container-toolkit")
+    props+=("source=https://github.com/NVIDIA/nvidia-container-toolkit")
     # Package properties:
     props+=("package.epoch=${IMAGE_EPOCH}")
     props+=("package.version=${VERSION}")

scripts/utils.sh

@@ -96,9 +96,9 @@ function copy_file() {
         -v "$(pwd):$(pwd)" \
         -w "$(pwd)" \
         -u "$(id -u):$(id -g)" \
-        --entrypoint="bash" \
+        --entrypoint="sh" \
             "${image}" \
-            -c "cp ${path_in_image} ${path_on_host}"
+            -c "cp -p ${path_in_image} ${path_on_host}"
     fi
 }
 

tests/e2e/infra/aws.yaml

@@ -28,3 +28,4 @@ spec:
     install: false
   nvidiaDriver:
     install: true
+    branch: 550

tests/e2e/nvidia-container-toolkit_test.go

@@ -173,10 +173,10 @@ var _ = Describe("docker", Ordered, ContinueOnFailure, func() {
 
 	When("Testing CUDA Forward compatibility", Ordered, func() {
 		BeforeAll(func(ctx context.Context) {
-			_, _, err := runner.Run("docker pull nvcr.io/nvidia/cuda:12.8.0-base-ubi8")
+			_, _, err := runner.Run("docker pull nvcr.io/nvidia/cuda:12.9.0-base-ubi8")
 			Expect(err).ToNot(HaveOccurred())
 
-			compatOutput, _, err := runner.Run("docker run --rm -i -e NVIDIA_VISIBLE_DEVICES=void nvcr.io/nvidia/cuda:12.8.0-base-ubi8 bash -c \"ls /usr/local/cuda/compat/libcuda.*.*\"")
+			compatOutput, _, err := runner.Run("docker run --rm -i -e NVIDIA_VISIBLE_DEVICES=void nvcr.io/nvidia/cuda:12.9.0-base-ubi8 bash -c \"ls /usr/local/cuda/compat/libcuda.*.*\"")
 			Expect(err).ToNot(HaveOccurred())
 			Expect(compatOutput).ToNot(BeEmpty())
 
@@ -199,21 +199,21 @@ var _ = Describe("docker", Ordered, ContinueOnFailure, func() {
 		})
 
 		It("should work with the nvidia runtime in legacy mode", func(ctx context.Context) {
-			ldconfigOut, _, err := runner.Run("docker run --rm -i -e NVIDIA_DISABLE_REQUIRE=true --runtime=nvidia --gpus all nvcr.io/nvidia/cuda:12.8.0-base-ubi8 bash -c \"ldconfig -p | grep libcuda.so.1\"")
+			ldconfigOut, _, err := runner.Run("docker run --rm -i -e NVIDIA_DISABLE_REQUIRE=true --runtime=nvidia --gpus all nvcr.io/nvidia/cuda:12.9.0-base-ubi8 bash -c \"ldconfig -p | grep libcuda.so.1\"")
 			Expect(err).ToNot(HaveOccurred())
-			Expect(ldconfigOut).To(ContainSubstring("/usr/local/cuda/compat"))
+			Expect(ldconfigOut).To(ContainSubstring("/usr/local/cuda-12.9/compat/"))
 		})
 
 		It("should work with the nvidia runtime in CDI mode", func(ctx context.Context) {
-			ldconfigOut, _, err := runner.Run("docker run --rm -i -e NVIDIA_DISABLE_REQUIRE=true  --runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=runtime.nvidia.com/gpu=all nvcr.io/nvidia/cuda:12.8.0-base-ubi8 bash -c \"ldconfig -p | grep libcuda.so.1\"")
+			ldconfigOut, _, err := runner.Run("docker run --rm -i -e NVIDIA_DISABLE_REQUIRE=true  --runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=runtime.nvidia.com/gpu=all nvcr.io/nvidia/cuda:12.9.0-base-ubi8 bash -c \"ldconfig -p | grep libcuda.so.1\"")
 			Expect(err).ToNot(HaveOccurred())
-			Expect(ldconfigOut).To(ContainSubstring("/usr/local/cuda/compat"))
+			Expect(ldconfigOut).To(ContainSubstring("/usr/local/cuda-12.9/compat/"))
 		})
 
-		It("should NOT work with nvidia-container-runtime-hook", func(ctx context.Context) {
-			ldconfigOut, _, err := runner.Run("docker run --rm -i -e NVIDIA_DISABLE_REQUIRE=true --runtime=runc --gpus all nvcr.io/nvidia/cuda:12.8.0-base-ubi8 bash -c \"ldconfig -p | grep libcuda.so.1\"")
+		It("should work with nvidia-container-runtime-hook", func(ctx context.Context) {
+			ldconfigOut, _, err := runner.Run("docker run --rm -i -e NVIDIA_DISABLE_REQUIRE=true --runtime=runc --gpus all nvcr.io/nvidia/cuda:12.9.0-base-ubi8 bash -c \"ldconfig -p | grep libcuda.so.1\"")
 			Expect(err).ToNot(HaveOccurred())
-			Expect(ldconfigOut).To(ContainSubstring("/usr/lib64"))
+			Expect(ldconfigOut).To(ContainSubstring("/usr/local/cuda-12.9/compat/"))
 		})
 	})
 
@@ -235,4 +235,26 @@ var _ = Describe("docker", Ordered, ContinueOnFailure, func() {
 			Expect(output).To(Equal("ModifyDeviceFiles: 0\n"))
 		})
 	})
+
+	When("A container is run using CDI", Ordered, func() {
+		BeforeAll(func(ctx context.Context) {
+			_, _, err := runner.Run("docker pull ubuntu")
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("should include libcuda.so in the ldcache", func(ctx context.Context) {
+			ldcacheOutput, _, err := runner.Run("docker run --rm -i --runtime=nvidia -e NVIDIA_VISIBLE_DEVICES=runtime.nvidia.com/gpu=all ubuntu bash -c \"ldconfig -p | grep 'libcuda.so'\"")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(ldcacheOutput).ToNot(BeEmpty())
+
+			ldcacheLines := strings.Split(ldcacheOutput, "\n")
+			var libs []string
+			for _, line := range ldcacheLines {
+				parts := strings.SplitN(line, " (", 2)
+				libs = append(libs, strings.TrimSpace(parts[0]))
+			}
+
+			Expect(libs).To(ContainElements([]string{"libcuda.so", "libcuda.so.1"}))
+		})
+	})
 })

vendor/github.com/opencontainers/cgroups/LICENSE

@@ -1,201 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright {yyyy} {name of copyright owner}
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

vendor/github.com/opencontainers/cgroups/devices/config/device.go

@@ -1,174 +0,0 @@
-package config
-
-import (
-	"fmt"
-	"os"
-	"strconv"
-)
-
-const (
-	Wildcard = -1
-)
-
-type Device struct {
-	Rule
-
-	// Path to the device.
-	Path string `json:"path"`
-
-	// FileMode permission bits for the device.
-	FileMode os.FileMode `json:"file_mode"`
-
-	// Uid of the device.
-	Uid uint32 `json:"uid"`
-
-	// Gid of the device.
-	Gid uint32 `json:"gid"`
-}
-
-// Permissions is a cgroupv1-style string to represent device access. It
-// has to be a string for backward compatibility reasons, hence why it has
-// methods to do set operations.
-type Permissions string
-
-const (
-	deviceRead uint = (1 << iota)
-	deviceWrite
-	deviceMknod
-)
-
-func (p Permissions) toSet() uint {
-	var set uint
-	for _, perm := range p {
-		switch perm {
-		case 'r':
-			set |= deviceRead
-		case 'w':
-			set |= deviceWrite
-		case 'm':
-			set |= deviceMknod
-		}
-	}
-	return set
-}
-
-func fromSet(set uint) Permissions {
-	var perm string
-	if set&deviceRead == deviceRead {
-		perm += "r"
-	}
-	if set&deviceWrite == deviceWrite {
-		perm += "w"
-	}
-	if set&deviceMknod == deviceMknod {
-		perm += "m"
-	}
-	return Permissions(perm)
-}
-
-// Union returns the union of the two sets of Permissions.
-func (p Permissions) Union(o Permissions) Permissions {
-	lhs := p.toSet()
-	rhs := o.toSet()
-	return fromSet(lhs | rhs)
-}
-
-// Difference returns the set difference of the two sets of Permissions.
-// In set notation, A.Difference(B) gives you A\B.
-func (p Permissions) Difference(o Permissions) Permissions {
-	lhs := p.toSet()
-	rhs := o.toSet()
-	return fromSet(lhs &^ rhs)
-}
-
-// Intersection computes the intersection of the two sets of Permissions.
-func (p Permissions) Intersection(o Permissions) Permissions {
-	lhs := p.toSet()
-	rhs := o.toSet()
-	return fromSet(lhs & rhs)
-}
-
-// IsEmpty returns whether the set of permissions in a Permissions is
-// empty.
-func (p Permissions) IsEmpty() bool {
-	return p == Permissions("")
-}
-
-// IsValid returns whether the set of permissions is a subset of valid
-// permissions (namely, {r,w,m}).
-func (p Permissions) IsValid() bool {
-	return p == fromSet(p.toSet())
-}
-
-type Type rune
-
-const (
-	WildcardDevice Type = 'a'
-	BlockDevice    Type = 'b'
-	CharDevice     Type = 'c' // or 'u'
-	FifoDevice     Type = 'p'
-)
-
-func (t Type) IsValid() bool {
-	switch t {
-	case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
-		return true
-	default:
-		return false
-	}
-}
-
-func (t Type) CanMknod() bool {
-	switch t {
-	case BlockDevice, CharDevice, FifoDevice:
-		return true
-	default:
-		return false
-	}
-}
-
-func (t Type) CanCgroup() bool {
-	switch t {
-	case WildcardDevice, BlockDevice, CharDevice:
-		return true
-	default:
-		return false
-	}
-}
-
-type Rule struct {
-	// Type of device ('c' for char, 'b' for block). If set to 'a', this rule
-	// acts as a wildcard and all fields other than Allow are ignored.
-	Type Type `json:"type"`
-
-	// Major is the device's major number.
-	Major int64 `json:"major"`
-
-	// Minor is the device's minor number.
-	Minor int64 `json:"minor"`
-
-	// Permissions is the set of permissions that this rule applies to (in the
-	// cgroupv1 format -- any combination of "rwm").
-	Permissions Permissions `json:"permissions"`
-
-	// Allow specifies whether this rule is allowed.
-	Allow bool `json:"allow"`
-}
-
-func (d *Rule) CgroupString() string {
-	var (
-		major = strconv.FormatInt(d.Major, 10)
-		minor = strconv.FormatInt(d.Minor, 10)
-	)
-	if d.Major == Wildcard {
-		major = "*"
-	}
-	if d.Minor == Wildcard {
-		minor = "*"
-	}
-	return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
-}
-
-func (d *Rule) Mkdev() (uint64, error) {
-	return mkDev(d)
-}

vendor/github.com/opencontainers/cgroups/devices/config/mknod_unix.go

@@ -1,14 +0,0 @@
-package config
-
-import (
-	"errors"
-
-	"golang.org/x/sys/unix"
-)
-
-func mkDev(d *Rule) (uint64, error) {
-	if d.Major == Wildcard || d.Minor == Wildcard {
-		return 0, errors.New("cannot mkdev() device with wildcards")
-	}
-	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
-}

vendor/github.com/opencontainers/runc/libcontainer/devices/device_deprecated.go

@@ -1,20 +0,0 @@
-package devices
-
-import "github.com/opencontainers/cgroups/devices/config"
-
-// Deprecated: use [github.com/opencontainers/cgroups/devices/config].
-const (
-	Wildcard       = config.Wildcard
-	WildcardDevice = config.WildcardDevice
-	BlockDevice    = config.BlockDevice
-	CharDevice     = config.CharDevice
-	FifoDevice     = config.FifoDevice
-)
-
-// Deprecated: use [github.com/opencontainers/cgroups/devices/config].
-type (
-	Device      = config.Device
-	Permissions = config.Permissions
-	Type        = config.Type
-	Rule        = config.Rule
-)

vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go

@@ -1,112 +0,0 @@
-//go:build !windows
-
-package devices
-
-import (
-	"errors"
-	"os"
-	"path/filepath"
-
-	"golang.org/x/sys/unix"
-)
-
-// ErrNotADevice denotes that a file is not a valid linux device.
-var ErrNotADevice = errors.New("not a device node")
-
-// Testing dependencies
-var (
-	unixLstat = unix.Lstat
-	osReadDir = os.ReadDir
-)
-
-// DeviceFromPath takes the path to a device and its cgroup_permissions (which
-// cannot be easily queried) to look up the information about a linux device
-// and returns that information as a Device struct.
-func DeviceFromPath(path, permissions string) (*Device, error) {
-	var stat unix.Stat_t
-	err := unixLstat(path, &stat)
-	if err != nil {
-		return nil, err
-	}
-
-	var (
-		devType   Type
-		mode      = stat.Mode
-		devNumber = uint64(stat.Rdev) //nolint:unconvert // Rdev is uint32 on e.g. MIPS.
-		major     = unix.Major(devNumber)
-		minor     = unix.Minor(devNumber)
-	)
-	switch mode & unix.S_IFMT {
-	case unix.S_IFBLK:
-		devType = BlockDevice
-	case unix.S_IFCHR:
-		devType = CharDevice
-	case unix.S_IFIFO:
-		devType = FifoDevice
-	default:
-		return nil, ErrNotADevice
-	}
-	return &Device{
-		Rule: Rule{
-			Type:        devType,
-			Major:       int64(major),
-			Minor:       int64(minor),
-			Permissions: Permissions(permissions),
-		},
-		Path:     path,
-		FileMode: os.FileMode(mode &^ unix.S_IFMT),
-		Uid:      stat.Uid,
-		Gid:      stat.Gid,
-	}, nil
-}
-
-// HostDevices returns all devices that can be found under /dev directory.
-func HostDevices() ([]*Device, error) {
-	return GetDevices("/dev")
-}
-
-// GetDevices recursively traverses a directory specified by path
-// and returns all devices found there.
-func GetDevices(path string) ([]*Device, error) {
-	files, err := osReadDir(path)
-	if err != nil {
-		return nil, err
-	}
-	var out []*Device
-	for _, f := range files {
-		switch {
-		case f.IsDir():
-			switch f.Name() {
-			// ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825
-			// ".udev" added to address https://github.com/opencontainers/runc/issues/2093
-			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev":
-				continue
-			default:
-				sub, err := GetDevices(filepath.Join(path, f.Name()))
-				if err != nil {
-					return nil, err
-				}
-
-				out = append(out, sub...)
-				continue
-			}
-		case f.Name() == "console":
-			continue
-		}
-		device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm")
-		if err != nil {
-			if errors.Is(err, ErrNotADevice) {
-				continue
-			}
-			if os.IsNotExist(err) {
-				continue
-			}
-			return nil, err
-		}
-		if device.Type == FifoDevice {
-			continue
-		}
-		out = append(out, device)
-	}
-	return out, nil
-}

vendor/modules.txt

@@ -37,12 +37,8 @@ github.com/moby/sys/reexec
 # github.com/moby/sys/symlink v0.3.0
 ## explicit; go 1.17
 github.com/moby/sys/symlink
-# github.com/opencontainers/cgroups v0.0.1
-## explicit; go 1.23.0
-github.com/opencontainers/cgroups/devices/config
 # github.com/opencontainers/runc v1.3.0
 ## explicit; go 1.23.0
-github.com/opencontainers/runc/libcontainer/devices
 github.com/opencontainers/runc/libcontainer/exeseal
 github.com/opencontainers/runc/libcontainer/system
 github.com/opencontainers/runc/libcontainer/utils

versions.mk

@@ -13,8 +13,8 @@
 # limitations under the License.
 
 LIB_NAME := nvidia-container-toolkit
-LIB_VERSION := 1.17.4
-LIB_TAG :=
+LIB_VERSION := 1.18.0
+LIB_TAG := rc.1
 
 # The package version is the combination of the library version and tag.
 # If the tag is specified the two components are joined with a tilde (~).