Merge branch 'upstream-bump-v1.3.0' into 'master'

Bump to version 1.3.0

See merge request nvidia/container-toolkit/container-toolkit!22

Makefile

@@ -6,7 +6,7 @@ DIST_DIR ?= $(CURDIR)/dist
 
 LIB_NAME := nvidia-container-toolkit
 LIB_VERSION := 1.3.0
-LIB_TAG ?= rc.1
+LIB_TAG ?=
 
 GOLANG_VERSION := 1.14.2
 GOLANG_PKG_PATH := github.com/NVIDIA/nvidia-container-toolkit/pkg

config/config.toml.amzn

@@ -1,7 +1,7 @@
 disable-require = false
 #swarm-resource = "DOCKER_RESOURCE_GPU"
 #accept-nvidia-visible-devices-envvar-when-unprivileged = true
-#look-for-nvidia-visible-devices-as-volume-mounts-under = "/var/run/nvidia-container-devices"
+#accept-nvidia-visible-devices-as-volume-mounts = false
 
 [nvidia-container-cli]
 #root = "/run/nvidia/driver"

config/config.toml.centos

@@ -1,7 +1,7 @@
 disable-require = false
 #swarm-resource = "DOCKER_RESOURCE_GPU"
 #accept-nvidia-visible-devices-envvar-when-unprivileged = true
-#look-for-nvidia-visible-devices-as-volume-mounts-under = "/var/run/nvidia-container-devices"
+#accept-nvidia-visible-devices-as-volume-mounts = false
 
 [nvidia-container-cli]
 #root = "/run/nvidia/driver"

config/config.toml.debian

@@ -1,7 +1,7 @@
 disable-require = false
 #swarm-resource = "DOCKER_RESOURCE_GPU"
 #accept-nvidia-visible-devices-envvar-when-unprivileged = true
-#look-for-nvidia-visible-devices-as-volume-mounts-under = "/var/run/nvidia-container-devices"
+#accept-nvidia-visible-devices-as-volume-mounts = false
 
 [nvidia-container-cli]
 #root = "/run/nvidia/driver"

config/config.toml.opensuse-leap

@@ -1,7 +1,7 @@
 disable-require = false
 #swarm-resource = "DOCKER_RESOURCE_GPU"
 #accept-nvidia-visible-devices-envvar-when-unprivileged = true
-#look-for-nvidia-visible-devices-as-volume-mounts-under = "/var/run/nvidia-container-devices"
+#accept-nvidia-visible-devices-as-volume-mounts = false
 
 [nvidia-container-cli]
 #root = "/run/nvidia/driver"

config/config.toml.ubuntu

@@ -1,7 +1,7 @@
 disable-require = false
 #swarm-resource = "DOCKER_RESOURCE_GPU"
 #accept-nvidia-visible-devices-envvar-when-unprivileged = true
-#look-for-nvidia-visible-devices-as-volume-mounts-under = "/var/run/nvidia-container-devices"
+#accept-nvidia-visible-devices-as-volume-mounts = false
 
 [nvidia-container-cli]
 #root = "/run/nvidia/driver"

packaging/debian/changelog

@@ -1,4 +1,18 @@
-nvidia-container-toolkit (1.3.0~rc.1-1) UNRELEASED; urgency=medium
+nvidia-container-toolkit (1.3.0-1)  UNRELEASED; urgency=medium
+
+  * Promote 1.3.0~rc.2-1 to 1.3.0-1
+  * Add dependence on libnvidia-container-tools >= 1.3.0
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com>  Wed, 16 Sep 2020 13:40:29 -0700
+
+nvidia-container-toolkit (1.3.0~rc.2-1) experimental; urgency=medium
+
+  * 2c180947 Add more tests for new semantics with device list from volume mounts
+  * 7c003857 Refactor accepting device lists from volume mounts as a boolean
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com>  Mon, 10 Aug 2020 15:05:34 -0700
+
+nvidia-container-toolkit (1.3.0~rc.1-1) experimental; urgency=medium
 
   * b50d86c1 Update build system to accept a TAG variable for things like rc.x
   * fe65573b Add common CI tests for things like golint, gofmt, unit tests, etc.

packaging/debian/control

@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 9)
 
 Package: nvidia-container-toolkit
 Architecture: any
-Depends: ${misc:Depends}, libnvidia-container-tools (>= 1.2.0), libnvidia-container-tools (<< 2.0.0)
+Depends: ${misc:Depends}, libnvidia-container-tools (>= 1.3.0), libnvidia-container-tools (<< 2.0.0)
 Breaks: nvidia-container-runtime (<< 2.0.0), nvidia-container-runtime-hook
 Replaces: nvidia-container-runtime (<< 2.0.0), nvidia-container-runtime-hook
 Description: NVIDIA container runtime hook

packaging/rpm/SPECS/nvidia-container-toolkit.spec

@@ -18,7 +18,7 @@ Source4: LICENSE
 
 Obsoletes: nvidia-container-runtime < 2.0.0, nvidia-container-runtime-hook
 Provides: nvidia-container-runtime-hook
-Requires: libnvidia-container-tools >= 1.2.0, libnvidia-container-tools < 2.0.0
+Requires: libnvidia-container-tools >= 1.3.0, libnvidia-container-tools < 2.0.0
 
 %description
 Provides a OCI hook to enable GPU support in containers.
@@ -53,7 +53,15 @@ rm -f %{_bindir}/nvidia-container-runtime-hook
 /usr/share/containers/oci/hooks.d/oci-nvidia-hook.json
 
 %changelog
-* Wed Jul 24 2020 NVIDIA CORPORATION <cudatools@nvidia.com> 1.3.0-0.1.rc.1
+* Wed Sep 16 2020 NVIDIA CORPORATION <cudatools@nvidia.com> 1.3.0-1
+- Promote 1.3.0-0.1.rc.2 to 1.3.0-1
+- Add dependence on libnvidia-container-tools >= 1.3.0
+
+* Mon Aug 10 2020 NVIDIA CORPORATION <cudatools@nvidia.com> 1.3.0-0.1.rc.2
+- 2c180947 Add more tests for new semantics with device list from volume mounts
+- 7c003857 Refactor accepting device lists from volume mounts as a boolean
+
+* Fri Jul 24 2020 NVIDIA CORPORATION <cudatools@nvidia.com> 1.3.0-0.1.rc.1
 - b50d86c1 Update build system to accept a TAG variable for things like rc.x
 - fe65573b Add common CI tests for things like golint, gofmt, unit tests, etc.
 - da6fbb34 Revert "Add ability to merge envars of the form NVIDIA_VISIBLE_DEVICES_*"

pkg/container_config.go

@@ -35,6 +35,10 @@ const (
 	capSysAdmin = "CAP_SYS_ADMIN"
 )
 
+const (
+	deviceListAsVolumeMountsRoot = "/var/run/nvidia-container-devices"
+)
+
 type nvidiaConfig struct {
 	Devices            string
 	MigConfigDevices   string
@@ -236,10 +240,10 @@ func getDevicesFromEnvvar(env map[string]string, legacyImage bool) *string {
 	return devices
 }
 
-func getDevicesFromMounts(root string, mounts []Mount) *string {
+func getDevicesFromMounts(mounts []Mount) *string {
 	var devices []string
 	for _, m := range mounts {
-		root := filepath.Clean(root)
+		root := filepath.Clean(deviceListAsVolumeMountsRoot)
 		source := filepath.Clean(m.Source)
 		destination := filepath.Clean(m.Destination)
 
@@ -274,14 +278,16 @@ func getDevicesFromMounts(root string, mounts []Mount) *string {
 }
 
 func getDevices(hookConfig *HookConfig, env map[string]string, mounts []Mount, privileged bool, legacyImage bool) *string {
-	// Try and get the device list from mount volumes first
-	devices := getDevicesFromMounts(*hookConfig.DeviceListVolumeMount, mounts)
-	if devices != nil {
-		return devices
+	// If enabled, try and get the device list from volume mounts first
+	if hookConfig.AcceptDeviceListAsVolumeMounts {
+		devices := getDevicesFromMounts(mounts)
+		if devices != nil {
+			return devices
+		}
 	}
 
 	// Fallback to reading from the environment variable if privileges are correct
-	devices = getDevicesFromEnvvar(env, legacyImage)
+	devices := getDevicesFromEnvvar(env, legacyImage)
 	if devices == nil {
 		return nil
 	}

pkg/container_test.go

@@ -454,30 +454,26 @@ func TestGetNvidiaConfig(t *testing.T) {
 func TestGetDevicesFromMounts(t *testing.T) {
 	var tests = []struct {
 		description     string
-		root            string
 		mounts          []Mount
 		expectedDevices *string
 	}{
 		{
 			description:     "No mounts",
-			root:            defaultDeviceListVolumeMount,
 			mounts:          nil,
 			expectedDevices: nil,
 		},
 		{
 			description: "Host path is not /dev/null",
-			root:        defaultDeviceListVolumeMount,
 			mounts: []Mount{
 				{
 					Source:      "/not/dev/null",
-					Destination: filepath.Join(defaultDeviceListVolumeMount, "GPU0"),
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU0"),
 				},
 			},
 			expectedDevices: nil,
 		},
 		{
 			description: "Container path is not prefixed by 'root'",
-			root:        defaultDeviceListVolumeMount,
 			mounts: []Mount{
 				{
 					Source:      "/dev/null",
@@ -488,41 +484,38 @@ func TestGetDevicesFromMounts(t *testing.T) {
 		},
 		{
 			description: "Container path is only 'root'",
-			root:        defaultDeviceListVolumeMount,
 			mounts: []Mount{
 				{
 					Source:      "/dev/null",
-					Destination: defaultDeviceListVolumeMount,
+					Destination: deviceListAsVolumeMountsRoot,
 				},
 			},
 			expectedDevices: nil,
 		},
 		{
 			description: "Discover 2 devices",
-			root:        defaultDeviceListVolumeMount,
 			mounts: []Mount{
 				{
 					Source:      "/dev/null",
-					Destination: filepath.Join(defaultDeviceListVolumeMount, "GPU0"),
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU0"),
 				},
 				{
 					Source:      "/dev/null",
-					Destination: filepath.Join(defaultDeviceListVolumeMount, "GPU1"),
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU1"),
 				},
 			},
 			expectedDevices: &[]string{"GPU0,GPU1"}[0],
 		},
 		{
 			description: "Discover 2 devices with slashes in the name",
-			root:        defaultDeviceListVolumeMount,
 			mounts: []Mount{
 				{
 					Source:      "/dev/null",
-					Destination: filepath.Join(defaultDeviceListVolumeMount, "GPU0-MIG0/0/1"),
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU0-MIG0/0/1"),
 				},
 				{
 					Source:      "/dev/null",
-					Destination: filepath.Join(defaultDeviceListVolumeMount, "GPU1-MIG0/0/1"),
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU1-MIG0/0/1"),
 				},
 			},
 			expectedDevices: &[]string{"GPU0-MIG0/0/1,GPU1-MIG0/0/1"}[0],
@@ -530,7 +523,7 @@ func TestGetDevicesFromMounts(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(tc.description, func(t *testing.T) {
-			devices := getDevicesFromMounts(tc.root, tc.mounts)
+			devices := getDevicesFromMounts(tc.mounts)
 			if !reflect.DeepEqual(devices, tc.expectedDevices) {
 				t.Errorf("Unexpected devices (got: %v, wanted: %v)", *devices, *tc.expectedDevices)
 			}
@@ -545,6 +538,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 		envvarDevices      string
 		privileged         bool
 		acceptUnprivileged bool
+		acceptMounts       bool
 		expectedDevices    *string
 		expectedPanic      bool
 	}{
@@ -553,16 +547,17 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			mountDevices: []Mount{
 				{
 					Source:      "/dev/null",
-					Destination: filepath.Join(defaultDeviceListVolumeMount, "GPU0"),
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU0"),
 				},
 				{
 					Source:      "/dev/null",
-					Destination: filepath.Join(defaultDeviceListVolumeMount, "GPU1"),
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU1"),
 				},
 			},
 			envvarDevices:      "GPU2,GPU3",
 			privileged:         false,
 			acceptUnprivileged: false,
+			acceptMounts:       true,
 			expectedDevices:    &[]string{"GPU0,GPU1"}[0],
 		},
 		{
@@ -571,6 +566,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			envvarDevices:      "GPU0,GPU1",
 			privileged:         false,
 			acceptUnprivileged: false,
+			acceptMounts:       true,
 			expectedPanic:      true,
 		},
 		{
@@ -579,6 +575,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			envvarDevices:      "GPU0,GPU1",
 			privileged:         true,
 			acceptUnprivileged: false,
+			acceptMounts:       true,
 			expectedDevices:    &[]string{"GPU0,GPU1"}[0],
 		},
 		{
@@ -587,8 +584,45 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			envvarDevices:      "GPU0,GPU1",
 			privileged:         false,
 			acceptUnprivileged: true,
+			acceptMounts:       true,
 			expectedDevices:    &[]string{"GPU0,GPU1"}[0],
 		},
+		{
+			description: "Mount devices, unprivileged, accept unprivileged, no accept mounts",
+			mountDevices: []Mount{
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU0"),
+				},
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU1"),
+				},
+			},
+			envvarDevices:      "GPU2,GPU3",
+			privileged:         false,
+			acceptUnprivileged: true,
+			acceptMounts:       false,
+			expectedDevices:    &[]string{"GPU2,GPU3"}[0],
+		},
+		{
+			description: "Mount devices, unprivileged, no accept unprivileged, no accept mounts",
+			mountDevices: []Mount{
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU0"),
+				},
+				{
+					Source:      "/dev/null",
+					Destination: filepath.Join(deviceListAsVolumeMountsRoot, "GPU1"),
+				},
+			},
+			envvarDevices:      "GPU2,GPU3",
+			privileged:         false,
+			acceptUnprivileged: false,
+			acceptMounts:       false,
+			expectedPanic:      true,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.description, func(t *testing.T) {
@@ -600,6 +634,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 				}
 				hookConfig := getDefaultHookConfig()
 				hookConfig.AcceptEnvvarUnprivileged = tc.acceptUnprivileged
+				hookConfig.AcceptDeviceListAsVolumeMounts = tc.acceptMounts
 				devices = getDevices(&hookConfig, env, tc.mountDevices, tc.privileged, false)
 			}
 

pkg/hook_config.go

@@ -13,10 +13,6 @@ const (
 	driverPath = "/run/nvidia/driver"
 )
 
-const (
-	defaultDeviceListVolumeMount = "/var/run/nvidia-container-devices"
-)
-
 var defaultPaths = [...]string{
 	path.Join(driverPath, configPath),
 	configPath,
@@ -38,20 +34,20 @@ type CLIConfig struct {
 
 // HookConfig : options for the nvidia-container-toolkit.
 type HookConfig struct {
-	DisableRequire           bool    `toml:"disable-require"`
-	SwarmResource            *string `toml:"swarm-resource"`
-	AcceptEnvvarUnprivileged bool    `toml:"accept-nvidia-visible-devices-envvar-when-unprivileged"`
-	DeviceListVolumeMount    *string `toml:"look-for-nvidia-visible-devices-as-volume-mounts-under"`
+	DisableRequire                 bool    `toml:"disable-require"`
+	SwarmResource                  *string `toml:"swarm-resource"`
+	AcceptEnvvarUnprivileged       bool    `toml:"accept-nvidia-visible-devices-envvar-when-unprivileged"`
+	AcceptDeviceListAsVolumeMounts bool    `toml:"accept-nvidia-visible-devices-as-volume-mounts"`
 
 	NvidiaContainerCLI CLIConfig `toml:"nvidia-container-cli"`
 }
 
 func getDefaultHookConfig() (config HookConfig) {
 	return HookConfig{
-		DisableRequire:           false,
-		SwarmResource:            nil,
-		AcceptEnvvarUnprivileged: true,
-		DeviceListVolumeMount:    &[]string{defaultDeviceListVolumeMount}[0],
+		DisableRequire:                 false,
+		SwarmResource:                  nil,
+		AcceptEnvvarUnprivileged:       true,
+		AcceptDeviceListAsVolumeMounts: false,
 		NvidiaContainerCLI: CLIConfig{
 			Root:        nil,
 			Path:        nil,