Merge branch 'fix-release-tooling' into 'main'

Ensure CLI versions are set correctly for RPM packages

See merge request nvidia/container-toolkit/container-toolkit!211

.common-ci.yml

@@ -57,6 +57,10 @@ stages:
   variables:
     DIST: debian9
 
+.dist-fedora35:
+  variables:
+    DIST: fedora35
+
 .dist-opensuse-leap15.1:
   variables:
     DIST: opensuse-leap15.1

.gitlab-ci.yml

@@ -94,7 +94,7 @@ unit-tests:
     - .multi-arch-build
     - .package-artifacts
   stage: package-build
-  timeout: 2h 30m
+  timeout: 3h
   script:
     - ./scripts/build-packages.sh ${DIST}-${ARCH}
 
@@ -158,6 +158,18 @@ package-debian9-amd64:
     - .dist-debian9
     - .arch-amd64
 
+package-fedora35-aarch64:
+  extends:
+    - .package-build
+    - .dist-fedora35
+    - .arch-aarch64
+
+package-fedora35-x86_64:
+  extends:
+    - .package-build
+    - .dist-fedora35
+    - .arch-x86_64
+
 package-opensuse-leap15.1-x86_64:
   extends:
     - .package-build
@@ -278,6 +290,8 @@ image-packaging:
     - package-centos8-x86_64
     - package-debian10-amd64
     - package-debian9-amd64
+    - package-fedora35-aarch64
+    - package-fedora35-x86_64
     - package-opensuse-leap15.1-x86_64
     - package-ubuntu16.04-amd64
     - package-ubuntu16.04-ppc64le

CHANGELOG.md

@@ -1,11 +1,20 @@
 # NVIDIA Container Toolkit Changelog
 
-## v1.11.1-rc.2
+## v1.11.0-rc.3
+
+* Build fedora35 packages
+* Introduce an `nvidia-container-toolkit-base` package for better dependency management
+* Fix removal of `nvidia-container-runtime-hook` on RPM-based systems
+* Inject platform files into container on Tegra-based systems
+* [toolkit container] Update CUDA base images to 11.7.1
+* [libnvidia-container] Preload libgcc_s.so.1 on arm64 systems
+
+## v1.11.0-rc.2
 
 * Allow `accept-nvidia-visible-devices-*` config options to be set by toolkit container
 * [libnvidia-container] Fix bug where LDCache was not updated when the `--no-pivot-root` option was specified
 
-## v1.11.1-rc.1
+## v1.11.0-rc.1
 
 * Add discovery of GPUDirect Storage (`nvidia-fs*`) devices if the `NVIDIA_GDS` environment variable of the container is set to `enabled`
 * Add discovery of MOFED Infiniband devices if the `NVIDIA_MOFED` environment variable of the container is set to `enabled`

build/container/Dockerfile.centos

@@ -69,7 +69,7 @@ RUN PACKAGE_ARCH=${PACKAGE_ARCH/amd64/x86_64} && PACKAGE_ARCH=${PACKAGE_ARCH/arm
     yum localinstall -y \
     ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container1-1.*.rpm \
     ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container-tools-1.*.rpm \
-    ${PACKAGE_DIST}/${PACKAGE_ARCH}/nvidia-container-toolkit-${PACKAGE_VERSION}*.rpm
+    ${PACKAGE_DIST}/${PACKAGE_ARCH}/nvidia-container-toolkit*-${PACKAGE_VERSION}*.rpm
 
 WORKDIR /work
 

build/container/Dockerfile.ubuntu

@@ -77,7 +77,7 @@ RUN if [ "${PACKAGE_ARCH}" = "arm64" ]; then \
 RUN dpkg -i \
     ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container1_1.*.deb \
     ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container-tools_1.*.deb \
-    ${PACKAGE_DIST}/${PACKAGE_ARCH}/nvidia-container-toolkit_${PACKAGE_VERSION}*.deb
+    ${PACKAGE_DIST}/${PACKAGE_ARCH}/nvidia-container-toolkit*_${PACKAGE_VERSION}*.deb
 
 WORKDIR /work
 

cmd/nvidia-container-runtime/runtime_factory.go

@@ -77,10 +77,16 @@ func newSpecModifier(logger *logrus.Logger, cfg *config.Config, ociSpec oci.Spec
 		return nil, err
 	}
 
+	tegraModifier, err := modifier.NewTegraPlatformFiles(logger)
+	if err != nil {
+		return nil, err
+	}
+
 	modifiers := modifier.Merge(
 		modeModifier,
 		gdsModifier,
 		mofedModifier,
+		tegraModifier,
 	)
 	return modifiers, nil
 }

config/config.toml.centos

@@ -1,32 +0,0 @@
-disable-require = false
-#swarm-resource = "DOCKER_RESOURCE_GPU"
-#accept-nvidia-visible-devices-envvar-when-unprivileged = true
-#accept-nvidia-visible-devices-as-volume-mounts = false
-
-[nvidia-container-cli]
-#root = "/run/nvidia/driver"
-#path = "/usr/bin/nvidia-container-cli"
-environment = []
-#debug = "/var/log/nvidia-container-toolkit.log"
-#ldcache = "/etc/ld.so.cache"
-load-kmods = true
-#no-cgroups = false
-#user = "root:video"
-ldconfig = "@/sbin/ldconfig"
-
-[nvidia-container-runtime]
-#debug = "/var/log/nvidia-container-runtime.log"
-log-level = "info"
-
-# Specify the runtimes to consider. This list is processed in order and the PATH
-# searched for matching executables unless the entry is an absolute path.
-runtimes = [
-    "docker-runc",
-    "runc",
-]
-
-mode = "auto"
-
-    [nvidia-container-runtime.modes.csv]
-
-    mount-spec-path = "/etc/nvidia-container-runtime/host-files-for-container.d"

docker/Dockerfile.amazonlinux

@@ -1,76 +0,0 @@
-ARG BASEIMAGE
-FROM ${BASEIMAGE}
-
-RUN yum install -y \
-        ca-certificates \
-        gcc \
-        wget \
-        git \
-        rpm-build \
-        make && \
-    rm -rf /var/cache/yum/*
-
-ARG GOLANG_VERSION=0.0.0
-RUN set -eux; \
-    \
-    arch="$(uname -m)"; \
-    case "${arch##*-}" in \
-        x86_64 | amd64) ARCH='amd64' ;; \
-        ppc64el | ppc64le) ARCH='ppc64le' ;; \
-        aarch64) ARCH='arm64' ;; \
-        *) echo "unsupported architecture"; exit 1 ;; \
-    esac; \
-    wget -nv -O - https://storage.googleapis.com/golang/go${GOLANG_VERSION}.linux-${ARCH}.tar.gz \
-    | tar -C /usr/local -xz
-
-ENV GOPATH /go
-ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-
-# packaging
-ARG PKG_NAME
-ARG PKG_VERS
-ARG PKG_REV
-
-ENV VERSION $PKG_VERS
-ENV RELEASE $PKG_REV
-
-# output directory
-ENV DIST_DIR=/tmp/nvidia-container-toolkit-$PKG_VERS/SOURCES
-RUN mkdir -p $DIST_DIR /dist
-
-# nvidia-container-toolkit
-WORKDIR $GOPATH/src/nvidia-container-toolkit
-COPY . .
-
-ARG GIT_COMMIT
-ENV GIT_COMMIT ${GIT_COMMIT}
-RUN make PREFIX=${DIST_DIR} cmds
-
-ARG CONFIG_TOML_SUFFIX
-ENV CONFIG_TOML_SUFFIX ${CONFIG_TOML_SUFFIX}
-COPY config/config.toml.${CONFIG_TOML_SUFFIX} $DIST_DIR/config.toml
-
-# Hook for Project Atomic's fork of Docker: https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel#add-dockerhooks-exec-custom-hooks-for-prestartpoststop-containerspatch
-# This might not be useful on Amazon Linux, but it's simpler to keep the RHEL
-# and Amazon Linux packages identical.
-COPY oci-nvidia-hook $DIST_DIR/oci-nvidia-hook
-
-# Hook for libpod/CRI-O: https://github.com/containers/libpod/blob/v0.8.5/pkg/hooks/docs/oci-hooks.5.md
-COPY oci-nvidia-hook.json $DIST_DIR/oci-nvidia-hook.json
-
-WORKDIR $DIST_DIR/..
-COPY packaging/rpm .
-
-ARG LIBNVIDIA_CONTAINER_TOOLS_VERSION
-ENV LIBNVIDIA_CONTAINER_TOOLS_VERSION ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}
-
-CMD arch=$(uname -m) && \
-    rpmbuild --clean --target=$arch -bb \
-             -D "_topdir $PWD" \
-             -D "release_date $(date +'%a %b %d %Y')" \
-             -D "git_commit ${GIT_COMMIT}" \
-             -D "version $VERSION" \
-             -D "libnvidia_container_tools_version ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}" \
-             -D "release $RELEASE" \
-             SPECS/nvidia-container-toolkit.spec && \
-    mv RPMS/$arch/*.rpm /dist

docker/Dockerfile.debian

@@ -76,6 +76,6 @@ RUN dch --create --package="${PKG_NAME}" \
     if [ "$REVISION" != "$(dpkg-parsechangelog --show-field=Version)" ]; then exit 1; fi
 
 CMD export DISTRIB="$(lsb_release -cs)" && \
-    debuild -eDISTRIB -eSECTION -eLIBNVIDIA_CONTAINER_TOOLS_VERSION \
+    debuild -eDISTRIB -eSECTION -eLIBNVIDIA_CONTAINER_TOOLS_VERSION -eVERSION="${REVISION}" \
     --dpkg-buildpackage-hook='sh debian/prepare' -i -us -uc -b && \
     mv /tmp/nvidia-container-toolkit_*.deb /dist

docker/Dockerfile.opensuse-leap

@@ -28,9 +28,9 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
 ARG PKG_NAME
 ARG PKG_VERS
 ARG PKG_REV
-
-ENV VERSION $PKG_VERS
-ENV RELEASE $PKG_REV
+ENV PKG_NAME ${PKG_NAME}
+ENV PKG_VERS ${PKG_VERS}
+ENV PKG_REV ${PKG_REV}
 
 # output directory
 ENV DIST_DIR=/tmp/nvidia-container-toolkit-$PKG_VERS/SOURCES
@@ -65,8 +65,8 @@ CMD arch=$(uname -m) && \
              -D "_topdir $PWD" \
              -D "release_date $(date +'%a %b %d %Y')" \
              -D "git_commit ${GIT_COMMIT}" \
-             -D "version $VERSION" \
+             -D "version ${PKG_VERS}" \
              -D "libnvidia_container_tools_version ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}" \
-             -D "release $RELEASE" \
+             -D "release ${PKG_REV}" \
              SPECS/nvidia-container-toolkit.spec && \
     mv RPMS/$arch/*.rpm /dist

docker/Dockerfile.rpm-yum

@@ -1,3 +1,19 @@
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is the dockerfile for building packages on yum-based RPM systems.
+
 ARG BASEIMAGE
 FROM ${BASEIMAGE}
 
@@ -30,9 +46,9 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
 ARG PKG_NAME
 ARG PKG_VERS
 ARG PKG_REV
-
-ENV VERSION $PKG_VERS
-ENV RELEASE $PKG_REV
+ENV PKG_NAME ${PKG_NAME}
+ENV PKG_VERS ${PKG_VERS}
+ENV PKG_REV ${PKG_REV}
 
 # output directory
 ENV DIST_DIR=/tmp/nvidia-container-toolkit-$PKG_VERS/SOURCES
@@ -67,8 +83,8 @@ CMD arch=$(uname -m) && \
              -D "_topdir $PWD" \
              -D "release_date $(date +'%a %b %d %Y')" \
              -D "git_commit ${GIT_COMMIT}" \
-             -D "version $VERSION" \
+             -D "version ${PKG_VERS}" \
              -D "libnvidia_container_tools_version ${LIBNVIDIA_CONTAINER_TOOLS_VERSION}" \
-             -D "release $RELEASE" \
+             -D "release ${PKG_REV}" \
              SPECS/nvidia-container-toolkit.spec && \
     mv RPMS/$arch/*.rpm /dist

docker/Dockerfile.ubuntu

@@ -69,6 +69,6 @@ RUN dch --create --package="${PKG_NAME}" \
     if [ "$REVISION" != "$(dpkg-parsechangelog --show-field=Version)" ]; then exit 1; fi
 
 CMD export DISTRIB="$(lsb_release -cs)" && \
-    debuild -eDISTRIB -eSECTION -eLIBNVIDIA_CONTAINER_TOOLS_VERSION \
+    debuild -eDISTRIB -eSECTION -eLIBNVIDIA_CONTAINER_TOOLS_VERSION -eVERSION="${REVISION}" \
     --dpkg-buildpackage-hook='sh debian/prepare' -i -us -uc -b && \
     mv /tmp/*.deb /dist

docker/docker.mk

@@ -14,10 +14,10 @@
 
 # Supported OSs by architecture
 AMD64_TARGETS := ubuntu20.04 ubuntu18.04 ubuntu16.04 debian10 debian9
-X86_64_TARGETS := centos7 centos8 rhel7 rhel8 amazonlinux2 opensuse-leap15.1
+X86_64_TARGETS := fedora35 centos7 centos8 rhel7 rhel8 amazonlinux2 opensuse-leap15.1
 PPC64LE_TARGETS := ubuntu18.04 ubuntu16.04 centos7 centos8 rhel7 rhel8
 ARM64_TARGETS := ubuntu20.04 ubuntu18.04
-AARCH64_TARGETS := centos8 rhel8 amazonlinux2
+AARCH64_TARGETS := fedora35 centos8 rhel8 amazonlinux2
 
 # Define top-level build targets
 docker%: SHELL:=/bin/bash
@@ -104,12 +104,26 @@ LIBNVIDIA_CONTAINER_TAG ?= $(LIB_TAG)
 --centos%: OS := centos
 --centos%: PKG_REV := $(if $(LIB_TAG),0.1.$(LIB_TAG),1)
 --centos%: LIBNVIDIA_CONTAINER_TOOLS_VERSION := $(LIBNVIDIA_CONTAINER_VERSION)-$(if $(LIBNVIDIA_CONTAINER_TAG),0.1.$(LIBNVIDIA_CONTAINER_TAG),1)
+--centos%: DOCKERFILE = $(CURDIR)/docker/Dockerfile.rpm-yum
+--centos%: CONFIG_TOML_SUFFIX := rpm-yum
 --centos8%: BASEIMAGE = quay.io/centos/centos:stream8
 
+# private fedora target
+--fedora%: OS := fedora
+--fedora%: PKG_REV := $(if $(LIB_TAG),0.1.$(LIB_TAG),1)
+--fedora%: LIBNVIDIA_CONTAINER_TOOLS_VERSION := $(LIBNVIDIA_CONTAINER_VERSION)-$(if $(LIBNVIDIA_CONTAINER_TAG),0.1.$(LIBNVIDIA_CONTAINER_TAG),1)
+--fedora%: DOCKERFILE = $(CURDIR)/docker/Dockerfile.rpm-yum
+--fedora%: CONFIG_TOML_SUFFIX := rpm-yum
+# The fedora(35) base image has very slow performance when building aarch64 packages.
+# Since our primary concern here is glibc versions, we use the older glibc version available in centos8.
+--fedora35%: BASEIMAGE = quay.io/centos/centos:stream8
+
 # private amazonlinux target
 --amazonlinux%: OS := amazonlinux
 --amazonlinux%: LIBNVIDIA_CONTAINER_TOOLS_VERSION := $(LIBNVIDIA_CONTAINER_VERSION)-$(if $(LIBNVIDIA_CONTAINER_TAG),0.1.$(LIBNVIDIA_CONTAINER_TAG),1)
 --amazonlinux%: PKG_REV := $(if $(LIB_TAG),0.1.$(LIB_TAG),1)
+--amazonlinux%: DOCKERFILE = $(CURDIR)/docker/Dockerfile.rpm-yum
+--amazonlinux%: CONFIG_TOML_SUFFIX := rpm-yum
 
 # private opensuse-leap target
 --opensuse-leap%: OS = opensuse-leap
@@ -123,8 +137,11 @@ LIBNVIDIA_CONTAINER_TAG ?= $(LIB_TAG)
 --rhel%: PKG_REV := $(if $(LIB_TAG),0.1.$(LIB_TAG),1)
 --rhel%: VERSION = $(patsubst rhel%-$(ARCH),%,$(TARGET_PLATFORM))
 --rhel%: ARTIFACTS_DIR = $(DIST_DIR)/rhel$(VERSION)/$(ARCH)
+--rhel%: DOCKERFILE = $(CURDIR)/docker/Dockerfile.rpm-yum
+--rhel%: CONFIG_TOML_SUFFIX := rpm-yum
 --rhel8%: BASEIMAGE = quay.io/centos/centos:stream8
 
+
 # We allow the CONFIG_TOML_SUFFIX to be overridden.
 CONFIG_TOML_SUFFIX ?= $(OS)
 
@@ -140,9 +157,9 @@ docker-build-%:
 	    --build-arg PKG_NAME="$(LIB_NAME)" \
 	    --build-arg PKG_VERS="$(LIB_VERSION)" \
 	    --build-arg PKG_REV="$(PKG_REV)" \
-		--build-arg LIBNVIDIA_CONTAINER_TOOLS_VERSION="$(LIBNVIDIA_CONTAINER_TOOLS_VERSION)" \
+	    --build-arg LIBNVIDIA_CONTAINER_TOOLS_VERSION="$(LIBNVIDIA_CONTAINER_TOOLS_VERSION)" \
 	    --build-arg CONFIG_TOML_SUFFIX="$(CONFIG_TOML_SUFFIX)" \
-		--build-arg GIT_COMMIT="$(GIT_COMMIT)" \
+	    --build-arg GIT_COMMIT="$(GIT_COMMIT)" \
 	    --tag $(BUILDIMAGE) \
 	    --file $(DOCKERFILE) .
 	$(DOCKER) run \

go.mod

@@ -4,15 +4,21 @@ go 1.14
 
 require (
 	github.com/BurntSushi/toml v1.0.0
-	github.com/NVIDIA/go-nvml v0.11.6-0
+	github.com/NVIDIA/go-nvml v0.11.6-0.0.20220715143214-a79f46f2a6f7
 	github.com/container-orchestrated-devices/container-device-interface v0.4.1-0.20220614144320-dc973e22f674
-	github.com/containers/podman/v4 v4.0.3
+	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/opencontainers/runc v1.1.3
 	github.com/opencontainers/runtime-spec v1.0.3-0.20211214071223-8958f93039ab
+	github.com/opencontainers/runtime-tools v0.9.1-0.20220110225228-7e2d60f1e41f // indirect
 	github.com/pelletier/go-toml v1.9.4
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.0
+	github.com/urfave/cli v1.22.4 // indirect
 	github.com/urfave/cli/v2 v2.3.0
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b // indirect
+	gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220725232003-c7f47cb02a33
 	golang.org/x/mod v0.5.0
 	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )

internal/info/auto.go

@@ -16,6 +16,8 @@
 
 package info
 
+import "gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvinfo"
+
 // Logger is a basic interface for logging to allow these functions to be called
 // from code where logrus is not used.
 type Logger interface {
@@ -32,10 +34,10 @@ func ResolveAutoMode(logger Logger, mode string) (rmode string) {
 		logger.Infof("Auto-detected mode as '%v'", rmode)
 	}()
 
-	isTegra, reason := IsTegraSystem()
+	isTegra, reason := nvinfo.IsTegraSystem()
 	logger.Debugf("Is Tegra-based system? %v: %v", isTegra, reason)
 
-	hasNVML, reason := HasNVML()
+	hasNVML, reason := nvinfo.HasNVML()
 	logger.Debugf("Has NVML? %v: %v", hasNVML, reason)
 
 	if isTegra && !hasNVML {

internal/modifier/tegra.go

@@ -0,0 +1,45 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package modifier
+
+import (
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/sirupsen/logrus"
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvinfo"
+)
+
+// NewTegraPlatformFiles creates a modifier to inject the Tegra platform files into a container.
+func NewTegraPlatformFiles(logger *logrus.Logger) (oci.SpecModifier, error) {
+	isTegra, _ := nvinfo.IsTegraSystem()
+	if !isTegra {
+		return nil, nil
+	}
+
+	tegraSystemMounts := discover.NewMounts(
+		logger,
+		lookup.NewFileLocator(logger, ""),
+		"",
+		[]string{
+			"/etc/nv_tegra_release",
+			"/sys/devices/soc0/family",
+		},
+	)
+
+	return NewModifierFromDiscoverer(logger, tegraSystemMounts)
+}

packaging/debian/control

@@ -10,8 +10,16 @@ Build-Depends: debhelper (>= 9)
 
 Package: nvidia-container-toolkit
 Architecture: any
-Depends: ${misc:Depends}, libnvidia-container-tools (>= @LIBNVIDIA_CONTAINER_TOOLS_VERSION@), libnvidia-container-tools (<< 2.0.0), libseccomp2
+Depends: ${misc:Depends}, nvidia-container-toolkit-base (= @VERSION@), libnvidia-container-tools (>= @LIBNVIDIA_CONTAINER_TOOLS_VERSION@), libnvidia-container-tools (<< 2.0.0), libseccomp2
 Breaks: nvidia-container-runtime (<= 3.5.0-1), nvidia-container-runtime-hook
 Replaces: nvidia-container-runtime (<= 3.5.0-1), nvidia-container-runtime-hook
 Description: NVIDIA Container toolkit
  Provides tools and utilities to enable GPU support in containers.
+
+Package: nvidia-container-toolkit-base
+Architecture: any
+Depends: ${misc:Depends}
+Breaks: nvidia-container-runtime (<= 3.5.0-1), nvidia-container-runtime-hook, nvidia-container-toolkit (<= 1.10.0-1)
+Replaces: nvidia-container-runtime (<= 3.5.0-1), nvidia-container-runtime-hook
+Description: NVIDIA Container Toolkit Base
+ Provides tools such as the NVIDIA Container Runtime and NVIDIA Container Toolkit CLI to enable GPU support in containers.

packaging/debian/nvidia-container-toolkit-base.install

@@ -0,0 +1,3 @@
+config.toml /etc/nvidia-container-runtime
+nvidia-container-runtime /usr/bin
+nvidia-ctk /usr/bin

packaging/debian/nvidia-container-toolkit.install

@@ -1,4 +1 @@
-config.toml /etc/nvidia-container-runtime
 nvidia-container-runtime-hook /usr/bin
-nvidia-container-runtime /usr/bin
-nvidia-ctk /usr/bin

packaging/debian/prepare

@@ -4,6 +4,7 @@ set -e
 
 sed -i "s;@SECTION@;${SECTION:+$SECTION/};g" debian/control
 sed -i "s;@LIBNVIDIA_CONTAINER_TOOLS_VERSION@;${LIBNVIDIA_CONTAINER_TOOLS_VERSION:+$LIBNVIDIA_CONTAINER_TOOLS_VERSION};g" debian/control
+sed -i "s;@VERSION@;${VERSION:+$VERSION};g" debian/control
 
 if [ -n "$DISTRIB" ]; then
     sed -i "s;UNRELEASED;$DISTRIB;" debian/changelog

packaging/rpm/SPECS/nvidia-container-toolkit.spec

@@ -18,10 +18,11 @@ Source4: oci-nvidia-hook
 Source5: oci-nvidia-hook.json
 Source6: LICENSE
 
-Obsoletes: nvidia-container-runtime <= 3.5.0-1, nvidia-container-runtime-hook
+Obsoletes: nvidia-container-runtime <= 3.5.0-1, nvidia-container-runtime-hook <= 1.4.0-2
 Provides: nvidia-container-runtime
 Provides: nvidia-container-runtime-hook
 Requires: libnvidia-container-tools >= %{libnvidia_container_tools_version}, libnvidia-container-tools < 2.0.0
+Requires: nvidia-container-toolkit-base == %{version}-%{release}
 
 %if 0%{?suse_version}
 Requires: libseccomp2
@@ -55,14 +56,11 @@ install -m 644 -t %{buildroot}/usr/share/containers/oci/hooks.d oci-nvidia-hook.
 ln -sf %{_bindir}/nvidia-container-runtime-hook %{_bindir}/nvidia-container-toolkit
 
 %postun
-rm -f %{_bindir}/nvidia-container-runtime-toolkit
+rm -f %{_bindir}/nvidia-container-toolkit
 
 %files
 %license LICENSE
 %{_bindir}/nvidia-container-runtime-hook
-%{_bindir}/nvidia-container-runtime
-%{_bindir}/nvidia-ctk
-%config /etc/nvidia-container-runtime/config.toml
 /usr/libexec/oci/hooks.d/oci-nvidia-hook
 /usr/share/containers/oci/hooks.d/oci-nvidia-hook.json
 
@@ -71,3 +69,22 @@ rm -f %{_bindir}/nvidia-container-runtime-toolkit
 * %{release_date} NVIDIA CORPORATION <cudatools@nvidia.com> %{version}-%{release}
 - See https://gitlab.com/nvidia/container-toolkit/container-toolkit/-/blob/%{git_commit}/CHANGELOG.md
 - Bump libnvidia-container dependency to libnvidia-container-tools >= %{libnvidia_container_tools_version}
+
+# The BASE package consists of the NVIDIA Container Runtime and the NVIDIA Container Toolkit CLI.
+# This allows the package to be installed on systems where no NVIDIA Container CLI is available.
+%package base
+Summary: NVIDIA Container Toolkit Base
+Obsoletes: nvidia-container-runtime <= 3.5.0-1, nvidia-container-runtime-hook <= 1.4.0-2
+Provides: nvidia-container-runtime
+# Since this package allows certain components of the NVIDIA Container Toolkit to be installed separately
+# it conflicts with older versions of the nvidia-container-toolkit package that also provide these files.
+Conflicts: nvidia-container-toolkit <= 1.10.0-1
+
+%description base
+Provides tools such as the NVIDIA Container Runtime and NVIDIA Container Toolkit CLI to enable GPU support in containers.
+
+%files base
+%license LICENSE
+%config /etc/nvidia-container-runtime/config.toml
+%{_bindir}/nvidia-container-runtime
+%{_bindir}/nvidia-ctk

scripts/build-packages.sh

@@ -37,6 +37,8 @@ all=(
     centos8-x86_64
     debian10-amd64
     debian9-amd64
+    fedora35-aarch64
+    fedora35-x86_64
     opensuse-leap15.1-x86_64
     ubuntu16.04-amd64
     ubuntu16.04-ppc64le

scripts/packages-sign-all.sh

@@ -61,6 +61,8 @@ function sign() {
         ;;
     debian*) pkg_type=deb
         ;;
+    fedora*) pkg_type=rpm
+        ;;
     opensuse-leap*) pkg_type=rpm
         ;;
     ubuntu*) pkg_type=deb

scripts/release-packages.sh

@@ -94,6 +94,8 @@ function sync() {
         ;;
     debian*) pkg_type=deb
         ;;
+    fedora*) pkg_type=rpm
+        ;;
     opensuse-leap*) pkg_type=rpm
         ;;
     ubuntu*) pkg_type=deb
@@ -148,6 +150,8 @@ all=(
     centos8-x86_64
     debian10-amd64
     debian9-amd64
+    fedora35-aarch64
+    fedora35-x86_64
     opensuse-leap15.1-x86_64
     ubuntu16.04-amd64
     ubuntu16.04-ppc64le

test/container/containerd_test.sh

@@ -43,8 +43,8 @@ testing::containerd::toolkit::run() {
 
 	# Ensure that we can run some non GPU containers from within dind
 	with_retry 3 5s testing::containerd::dind::exec " \
-		ctr --address=${containerd_dind_containerd_dir}/containerd.sock image pull nvcr.io/nvidia/cuda:11.1-base; \
-		ctr --address=${containerd_dind_containerd_dir}/containerd.sock run --rm --runtime=io.containerd.runtime.v1.linux nvcr.io/nvidia/cuda:11.1-base cuda echo foo"
+		ctr --address=${containerd_dind_containerd_dir}/containerd.sock image pull nvcr.io/nvidia/cuda:11.1.1-base-ubuntu20.04; \
+		ctr --address=${containerd_dind_containerd_dir}/containerd.sock run --rm --runtime=io.containerd.runtime.v1.linux nvcr.io/nvidia/cuda:11.1.1-base-ubuntu20.04 cuda echo foo"
 
 	# Share the volumes so that we can edit the config file and point to the new runtime
 	# Share the pid so that we can ask docker to reload its config
@@ -63,8 +63,8 @@ testing::containerd::toolkit::run() {
 
 	# Ensure that we haven't broken non GPU containers
 	with_retry 3 5s testing::containerd::dind::exec " \
-		ctr --address=${containerd_dind_containerd_dir}/containerd.sock image pull nvcr.io/nvidia/cuda:11.1-base; \
-		ctr --address=${containerd_dind_containerd_dir}/containerd.sock run --rm --runtime=io.containerd.runtime.v1.linux nvcr.io/nvidia/cuda:11.1-base cuda echo foo"
+		ctr --address=${containerd_dind_containerd_dir}/containerd.sock image pull nvcr.io/nvidia/cuda:11.1.1-base-ubuntu20.04; \
+		ctr --address=${containerd_dind_containerd_dir}/containerd.sock run --rm --runtime=io.containerd.runtime.v1.linux nvcr.io/nvidia/cuda:11.1.1-base-ubuntu20.04 cuda echo foo"
 }
 
 # This test runs containerd setup and containerd cleanup in succession to ensure that the

test/release/Makefile

@@ -14,7 +14,7 @@
 
 WORKFLOW ?= nvidia-docker
 
-DISTRIBUTIONS := ubuntu18.04 centos8
+DISTRIBUTIONS := ubuntu18.04 centos8 fedora35
 
 IMAGE_TARGETS := $(patsubst %,image-%, $(DISTRIBUTIONS))
 RUN_TARGETS := $(patsubst %,run-%, $(DISTRIBUTIONS))
@@ -28,7 +28,6 @@ image-%: DOCKERFILE = docker/$(*)/Dockerfile
 images: $(IMAGE_TARGETS)
 $(IMAGE_TARGETS): image-%: $(DOCKERFILE)
 	docker build ${PLATFORM_ARGS} \
-    --build-arg WORKFLOW="$(WORKFLOW)" \
     -t nvidia-container-toolkit-repo-test:$(*) \
     -f $(DOCKERFILE) \
     $(shell dirname $(DOCKERFILE))
@@ -36,6 +35,7 @@ $(IMAGE_TARGETS): image-%: $(DOCKERFILE)
 
 %-ubuntu18.04: ARCH ?= amd64
 %-centos8: ARCH ?= x86_64
+%-fedora35: ARCH ?= x86_64
 
 PLATFORM_ARGS = --platform=linux/${ARCH}
 

test/release/docker/centos8/Dockerfile

@@ -1,16 +1,6 @@
-ARG BASEIMAGE=centos:8
+ARG BASEIMAGE=quay.io/centos/centos:stream8
 FROM ${BASEIMAGE}
 
-ARG BASEIMAGE
-# See https://www.centos.org/centos-linux-eol/
-# and https://stackoverflow.com/a/70930049 for move to vault.centos.org
-# and https://serverfault.com/questions/1093922/failing-to-run-yum-update-in-centos-8 for move to vault.epel.cloud
-RUN [[ "${BASEIMAGE}" != "centos:8" ]] || \
-    ( \
-      sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Linux-* && \
-      sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.epel.cloud|g' /etc/yum.repos.d/CentOS-Linux-* \
-    )
-
 RUN yum install -y \
     yum-utils \
     ruby-devel \
@@ -35,9 +25,8 @@ RUN fpm -s empty \
     rm -f /tmp/docker.rpm
 
 
-ARG WORKFLOW=nvidia-docker
-RUN curl -s -L https://nvidia.github.io/${WORKFLOW}/centos8/nvidia-docker.repo \
-    | tee /etc/yum.repos.d/nvidia-docker.repo
+RUN curl -s -L https://nvidia.github.io/libnvidia-container/centos8/libnvidia-container.repo \
+    | tee /etc/yum.repos.d/nvidia-container-toolkit.repo
 
 COPY entrypoint.sh /
 COPY install_repo.sh /

test/release/docker/centos8/install_repo.sh

@@ -21,5 +21,5 @@
 
 test_repo=$1
 echo "Setting up TEST repo: ${test_repo}"
-sed -i -e "s#nvidia\.github\.io/libnvidia-container#${test_repo}/libnvidia-container#g" /etc/yum.repos.d/nvidia-docker.repo
+sed -i -e "s#nvidia\.github\.io/libnvidia-container#${test_repo}/libnvidia-container#g" /etc/yum.repos.d/nvidia-container-toolkit.repo
 yum-config-manager --enable libnvidia-container-experimental

test/release/docker/fedora35/Dockerfile

@@ -0,0 +1,34 @@
+ARG BASEIMAGE=fedora:35
+FROM ${BASEIMAGE}
+
+RUN yum install -y \
+    yum-utils \
+    ruby-devel \
+    gcc \
+    make \
+    rpm-build \
+    rubygems \
+    createrepo
+
+RUN gem install --no-document fpm
+
+# We create and install a dummy docker package since these dependencies are out of
+# scope for the tests performed here.
+RUN fpm -s empty \
+    -t rpm \
+    --description "A dummy package for docker-ce_18.06.3.ce-3.el7" \
+    -n docker-ce --version 18.06.3.ce-3.el7 \
+    -p /tmp/docker.rpm \
+    && \
+    yum localinstall -y /tmp/docker.rpm \
+    && \
+    rm -f /tmp/docker.rpm
+
+
+RUN curl -s -L https://nvidia.github.io/libnvidia-container/fedora35/nvidia-container-toolkit.repo \
+    | tee /etc/yum.repos.d/nvidia-container-toolkit.repo
+
+COPY entrypoint.sh /
+COPY install_repo.sh /
+
+ENTRYPOINT [ "/entrypoint.sh" ]

test/release/docker/fedora35/entrypoint.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is used to build the packages for the components of the NVIDIA
+# Container Stack. These include the nvidia-container-toolkit in this repository
+# as well as the components included in the third_party folder.
+# All required packages are generated in the specified dist folder.
+
+: ${LOCAL_REPO_DIRECTORY:=/local-repository}
+if [[ -d ${LOCAL_REPO_DIRECTORY} ]]; then
+    echo "Setting up local-repository"
+    createrepo /local-repository
+
+    cat >/etc/yum.repos.d/local.repo <<EOL
+[local-repository]
+name=NVIDIA Container Toolkit Local Packages
+baseurl=file:///local-repository
+enabled=0
+gpgcheck=0
+protect=1
+EOL
+    yum-config-manager --enable local-repository
+elif [[ -n ${TEST_REPO} ]]; then
+    ./install_repo.sh ${TEST_REPO}
+else
+    echo "Skipping repo setup"
+fi
+
+exec bash $@

test/release/docker/fedora35/install_repo.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is used to build the packages for the components of the NVIDIA
+# Container Stack. These include the nvidia-container-toolkit in this repository
+# as well as the components included in the third_party folder.
+# All required packages are generated in the specified dist folder.
+
+test_repo=$1
+echo "Setting up TEST repo: ${test_repo}"
+sed -i -e "s#nvidia\.github\.io/libnvidia-container#${test_repo}/libnvidia-container#g" /etc/yum.repos.d/nvidia-container-toolkit.repo
+yum-config-manager --enable libnvidia-container-experimental

test/release/docker/ubuntu18.04/Dockerfile

@@ -39,9 +39,8 @@ RUN fpm -s empty \
     rm -f /tmp/docker.deb
 
 
-ARG WORKFLOW=nvidia-docker
-RUN curl -s -L https://nvidia.github.io/${WORKFLOW}/gpgkey | apt-key add - \
-   && curl -s -L https://nvidia.github.io/${WORKFLOW}/ubuntu18.04/nvidia-docker.list | tee /etc/apt/sources.list.d/nvidia-docker.list \
+RUN curl -s -L https://nvidia.github.io/libnvidia-container/gpgkey | apt-key add - \
+   && curl -s -L https://nvidia.github.io/libnvidia-container/ubuntu18.04/libnvidia-container.list | tee /etc/apt/sources.list.d/nvidia-container-toolkit.list \
    && apt-get update
 
 COPY entrypoint.sh /

test/release/docker/ubuntu18.04/install_repo.sh

@@ -21,5 +21,5 @@
 
 test_repo=$1
 echo "Setting up TEST repo: ${test_repo}"
-sed -i -e "s#nvidia\.github\.io/libnvidia-container#${test_repo}/libnvidia-container#g" /etc/apt/sources.list.d/nvidia-docker.list
-sed -i -e '/experimental/ s/^#//g' /etc/apt/sources.list.d/nvidia-docker.list
+sed -i -e "s#nvidia\.github\.io/libnvidia-container#${test_repo}/libnvidia-container#g" /etc/apt/sources.list.d/nvidia-container-toolkit.list
+sed -i -e '/experimental/ s/^#//g' /etc/apt/sources.list.d/nvidia-container-toolkit.list

tools/container/crio/crio.go

@@ -1,5 +1,5 @@
 /**
-# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+# Copyright (c) 2021-2022, NVIDIA CORPORATION.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,7 +12,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-*/
+**/
+
 package main
 
 import (
@@ -22,8 +23,6 @@ import (
 	"path/filepath"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
-	hooks "github.com/containers/podman/v4/pkg/hooks/1.0.0"
-	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	log "github.com/sirupsen/logrus"
 	cli "github.com/urfave/cli/v2"
 )
@@ -164,20 +163,20 @@ func getHookPath(hooksDir string, hookFilename string) string {
 	return filepath.Join(hooksDir, hookFilename)
 }
 
-func generateOciHook(toolkitDir string) hooks.Hook {
+func generateOciHook(toolkitDir string) podmanHook {
 	hookPath := filepath.Join(toolkitDir, config.NVIDIAContainerRuntimeHookExecutable)
 	envPath := "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:" + toolkitDir
 	always := true
 
-	hook := hooks.Hook{
+	hook := podmanHook{
 		Version: "1.0.0",
 		Stages:  []string{"prestart"},
-		Hook: rspec.Hook{
+		Hook: specHook{
 			Path: hookPath,
 			Args: []string{filepath.Base(config.NVIDIAContainerRuntimeHookExecutable), "prestart"},
 			Env:  []string{envPath},
 		},
-		When: hooks.When{
+		When: When{
 			Always:   &always,
 			Commands: []string{".*"},
 		},

tools/container/crio/hooks.go

@@ -0,0 +1,50 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package main
+
+// podmanHook is the hook configuration structure.
+// This is taken from `Hook` at https://github.com/containers/podman/blob/3c53200e9d61fdf95fe1da825bb2a89372551350/pkg/hooks/1.0.0/hook.go#L18
+type podmanHook struct {
+	Version string   `json:"version"`
+	Hook    specHook `json:"hook"`
+	When    When     `json:"when"`
+	Stages  []string `json:"stages"`
+}
+
+// specHook specifies a command that is run at a particular event in the lifecycle of a container
+// This is taken from `Hook` at https://github.com/opencontainers/runtime-spec/blob/9ee22abf867e374c5464c7bbe0d0db01482254ab/specs-go/config.go#L128
+type specHook struct {
+	Path    string   `json:"path"`
+	Args    []string `json:"args,omitempty"`
+	Env     []string `json:"env,omitempty"`
+	Timeout *int     `json:"timeout,omitempty"`
+}
+
+// When holds hook-injection conditions.
+// This is taken from `When` at https://github.com/containers/podman/blob/3c53200e9d61fdf95fe1da825bb2a89372551350/pkg/hooks/1.0.0/when.go#L11
+type When struct {
+	Always        *bool             `json:"always,omitempty"`
+	Annotations   map[string]string `json:"annotations,omitempty"`
+	Commands      []string          `json:"commands,omitempty"`
+	HasBindMounts *bool             `json:"hasBindMounts,omitempty"`
+
+	// Or enables any-of matching.
+	//
+	// Deprecated: this property is for is backwards-compatibility with
+	// 0.1.0 hooks.  It will be removed when we drop support for them.
+	Or bool `json:"-"`
+}

tools/container/toolkit/toolkit.go

@@ -117,13 +117,14 @@ func main() {
 		&cli.BoolFlag{
 			Name:        "accept-nvidia-visible-devices-envvar-when-unprivileged",
 			Usage:       "Set the accept-nvidia-visible-devices-envvar-when-unprivileged config option",
+			Value:       true,
 			Destination: &opts.acceptNVIDIAVisibleDevicesWhenUnprivileged,
 			EnvVars:     []string{"ACCEPT_NVIDIA_VISIBLE_DEVICES_ENVVAR_WHEN_UNPRIVILEGED"},
 		},
 		&cli.BoolFlag{
 			Name:        "accept-nvidia-visible-devices-as-volume-mounts",
 			Usage:       "Set the accept-nvidia-visible-devices-as-volume-mounts config option",
-			Destination: &opts.acceptNVIDIAVisibleDevicesWhenUnprivileged,
+			Destination: &opts.acceptNVIDIAVisibleDevicesAsVolumeMounts,
 			EnvVars:     []string{"ACCEPT_NVIDIA_VISIBLE_DEVICES_AS_VOLUME_MOUNTS"},
 		},
 		&cli.StringFlag{
@@ -314,6 +315,10 @@ func installToolkitConfig(toolkitConfigPath string, nvidiaContainerCliExecutable
 	if err != nil {
 		return fmt.Errorf("error writing config: %v", err)
 	}
+
+	os.Stdout.WriteString("Using config:\n")
+	config.WriteTo(os.Stdout)
+
 	return nil
 }
 

vendor/github.com/containers/podman/v4/pkg/hooks/1.0.0/hook.go

@@ -1,89 +0,0 @@
-// Package hook is the 1.0.0 hook configuration structure.
-package hook
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"regexp"
-
-	rspec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/pkg/errors"
-)
-
-// Version is the hook configuration version defined in this package.
-const Version = "1.0.0"
-
-// Hook is the hook configuration structure.
-type Hook struct {
-	Version string     `json:"version"`
-	Hook    rspec.Hook `json:"hook"`
-	When    When       `json:"when"`
-	Stages  []string   `json:"stages"`
-}
-
-// Read reads hook JSON bytes, verifies them, and returns the hook configuration.
-func Read(content []byte) (hook *Hook, err error) {
-	if err = json.Unmarshal(content, &hook); err != nil {
-		return nil, err
-	}
-	return hook, nil
-}
-
-// Validate performs load-time hook validation.
-func (hook *Hook) Validate(extensionStages []string) (err error) {
-	if hook == nil {
-		return errors.New("nil hook")
-	}
-
-	if hook.Version != Version {
-		return fmt.Errorf("unexpected hook version %q (expecting %v)", hook.Version, Version)
-	}
-
-	if hook.Hook.Path == "" {
-		return errors.New("missing required property: hook.path")
-	}
-
-	if _, err := os.Stat(hook.Hook.Path); err != nil {
-		return err
-	}
-
-	for key, value := range hook.When.Annotations {
-		if _, err = regexp.Compile(key); err != nil {
-			return errors.Wrapf(err, "invalid annotation key %q", key)
-		}
-		if _, err = regexp.Compile(value); err != nil {
-			return errors.Wrapf(err, "invalid annotation value %q", value)
-		}
-	}
-
-	for _, command := range hook.When.Commands {
-		if _, err = regexp.Compile(command); err != nil {
-			return errors.Wrapf(err, "invalid command %q", command)
-		}
-	}
-
-	if hook.Stages == nil {
-		return errors.New("missing required property: stages")
-	}
-
-	validStages := map[string]bool{
-		"createContainer": true,
-		"createRuntime":   true,
-		"prestart":        true,
-		"poststart":       true,
-		"poststop":        true,
-		"startContainer":  true,
-	}
-	for _, stage := range extensionStages {
-		validStages[stage] = true
-	}
-
-	for _, stage := range hook.Stages {
-		if !validStages[stage] {
-			return fmt.Errorf("unknown stage %q", stage)
-		}
-	}
-
-	return nil
-}

vendor/github.com/containers/podman/v4/pkg/hooks/1.0.0/when.go

@@ -1,95 +0,0 @@
-package hook
-
-import (
-	"regexp"
-
-	rspec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/pkg/errors"
-)
-
-// When holds hook-injection conditions.
-type When struct {
-	Always        *bool             `json:"always,omitempty"`
-	Annotations   map[string]string `json:"annotations,omitempty"`
-	Commands      []string          `json:"commands,omitempty"`
-	HasBindMounts *bool             `json:"hasBindMounts,omitempty"`
-
-	// Or enables any-of matching.
-	//
-	// Deprecated: this property is for is backwards-compatibility with
-	// 0.1.0 hooks.  It will be removed when we drop support for them.
-	Or bool `json:"-"`
-}
-
-// Match returns true if the given conditions match the configuration.
-func (when *When) Match(config *rspec.Spec, annotations map[string]string, hasBindMounts bool) (match bool, err error) {
-	matches := 0
-
-	if when.Always != nil {
-		if *when.Always {
-			if when.Or {
-				return true, nil
-			}
-			matches++
-		} else if !when.Or {
-			return false, nil
-		}
-	}
-
-	if when.HasBindMounts != nil {
-		if *when.HasBindMounts && hasBindMounts {
-			if when.Or {
-				return true, nil
-			}
-			matches++
-		} else if !when.Or {
-			return false, nil
-		}
-	}
-
-	for keyPattern, valuePattern := range when.Annotations {
-		match := false
-		for key, value := range annotations {
-			match, err = regexp.MatchString(keyPattern, key)
-			if err != nil {
-				return false, errors.Wrap(err, "annotation key")
-			}
-			if match {
-				match, err = regexp.MatchString(valuePattern, value)
-				if err != nil {
-					return false, errors.Wrap(err, "annotation value")
-				}
-				if match {
-					break
-				}
-			}
-		}
-		if match {
-			if when.Or {
-				return true, nil
-			}
-			matches++
-		} else if !when.Or {
-			return false, nil
-		}
-	}
-
-	if config.Process != nil && len(when.Commands) > 0 {
-		if len(config.Process.Args) == 0 {
-			return false, errors.New("process.args must have at least one entry")
-		}
-		command := config.Process.Args[0]
-		for _, cmdPattern := range when.Commands {
-			match, err := regexp.MatchString(cmdPattern, command)
-			if err != nil {
-				return false, errors.Wrap(err, "command")
-			}
-			if match {
-				return true, nil
-			}
-		}
-		return false, nil
-	}
-
-	return matches > 0, nil
-}

vendor/gitlab.com/nvidia/cloud-native/go-nvlib/LICENSE

@@ -1,6 +1,7 @@
+
                                  Apache License
                            Version 2.0, January 2004
-                        https://www.apache.org/licenses/
+                        http://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
@@ -178,7 +179,7 @@
    APPENDIX: How to apply the Apache License to your work.
 
       To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
+      boilerplate notice, with the fields enclosed by brackets "[]"
       replaced with your own identifying information. (Don't include
       the brackets!)  The text should be enclosed in the appropriate
       comment syntax for the file format. We also recommend that a
@@ -186,13 +187,13 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright {yyyy} {name of copyright owner}
+   Copyright [yyyy] [name of copyright owner]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       https://www.apache.org/licenses/LICENSE-2.0
+       http://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,

vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvinfo/info.go

@@ -14,7 +14,7 @@
 # limitations under the License.
 **/
 
-package info
+package nvinfo
 
 import (
 	"fmt"
@@ -24,7 +24,7 @@ import (
 	"github.com/NVIDIA/go-nvml/pkg/dl"
 )
 
-// HasNVML returns true if NVML is detected on the sytems
+// HasNVML returns true if NVML is detected on the system
 func HasNVML() (bool, string) {
 	const (
 		nvmlLibraryName      = "libnvidia-ml.so.1"

vendor/modules.txt

@@ -2,7 +2,7 @@
 ## explicit
 github.com/BurntSushi/toml
 github.com/BurntSushi/toml/internal
-# github.com/NVIDIA/go-nvml v0.11.6-0
+# github.com/NVIDIA/go-nvml v0.11.6-0.0.20220715143214-a79f46f2a6f7
 ## explicit
 github.com/NVIDIA/go-nvml/pkg/dl
 # github.com/blang/semver v3.5.1+incompatible
@@ -11,10 +11,8 @@ github.com/blang/semver
 ## explicit
 github.com/container-orchestrated-devices/container-device-interface/pkg/cdi
 github.com/container-orchestrated-devices/container-device-interface/specs-go
-# github.com/containers/podman/v4 v4.0.3
-## explicit
-github.com/containers/podman/v4/pkg/hooks/1.0.0
 # github.com/cpuguy83/go-md2man/v2 v2.0.1
+## explicit
 github.com/cpuguy83/go-md2man/v2/md2man
 # github.com/davecgh/go-spew v1.1.1
 github.com/davecgh/go-spew/spew
@@ -24,6 +22,8 @@ github.com/fsnotify/fsnotify
 github.com/hashicorp/errwrap
 # github.com/hashicorp/go-multierror v1.1.1
 github.com/hashicorp/go-multierror
+# github.com/kr/text v0.2.0
+## explicit
 # github.com/opencontainers/runc v1.1.3
 ## explicit
 github.com/opencontainers/runc/libcontainer/devices
@@ -31,6 +31,7 @@ github.com/opencontainers/runc/libcontainer/devices
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
 # github.com/opencontainers/runtime-tools v0.9.1-0.20220110225228-7e2d60f1e41f
+## explicit
 github.com/opencontainers/runtime-tools/error
 github.com/opencontainers/runtime-tools/filepath
 github.com/opencontainers/runtime-tools/generate
@@ -61,15 +62,21 @@ github.com/stretchr/testify/assert
 github.com/stretchr/testify/require
 # github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 github.com/syndtr/gocapability/capability
+# github.com/urfave/cli v1.22.4
+## explicit
 # github.com/urfave/cli/v2 v2.3.0
 ## explicit
 github.com/urfave/cli/v2
 # github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b
+## explicit
 github.com/xeipuuv/gojsonpointer
 # github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415
 github.com/xeipuuv/gojsonreference
 # github.com/xeipuuv/gojsonschema v1.2.0
 github.com/xeipuuv/gojsonschema
+# gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220725232003-c7f47cb02a33
+## explicit
+gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvinfo
 # golang.org/x/mod v0.5.0
 ## explicit
 golang.org/x/mod/semver
@@ -78,6 +85,8 @@ golang.org/x/mod/semver
 golang.org/x/sys/internal/unsafeheader
 golang.org/x/sys/unix
 golang.org/x/sys/windows
+# gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
+## explicit
 # gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v2
 # gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b

versions.mk

@@ -14,7 +14,7 @@
 
 LIB_NAME := nvidia-container-toolkit
 LIB_VERSION := 1.11.0
-LIB_TAG := rc.2
+LIB_TAG := rc.3
 
 # Specify the nvidia-docker2 and nvidia-container-runtime package versions.
 # Note: The tag is automatically specified to match LIB_TAG.
@@ -24,7 +24,7 @@ NVIDIA_CONTAINER_RUNTIME_VERSION := 3.11.0
 # Specify the expected libnvidia-container0 version for arm64-based ubuntu builds.
 LIBNVIDIA_CONTAINER0_VERSION := 0.10.0+jetpack
 
-CUDA_VERSION := 11.7.0
+CUDA_VERSION := 11.7.1
 GOLANG_VERSION := 1.17.8
 
 GIT_COMMIT ?= $(shell git describe --dirty --long --always 2> /dev/null || echo "")