Merge branch 'upstream-bump-v1.5.0' into 'master'

Bump version to 1.5.0

See merge request nvidia/container-toolkit/container-toolkit!29

.gitlab-ci.yml

@@ -1,3 +1,17 @@
+# Copyright (c) 2019-2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Build packages for all supported OS / ARCH combinations
 
 stages:
@@ -37,42 +51,40 @@ lint:
   <<: *tests-setup
   stage: tests
   script:
-    - go get -u golang.org/x/lint/golint
-    - golint -set_exit_status ${PROJECT_GOPATH}/pkg
+    - GO111MODULE=off go get -u golang.org/x/lint/golint
+    - make lint
 
 vet:
   <<: *tests-setup
   stage: tests
   script:
-    - go vet ${PROJECT_GOPATH}/pkg
+    - make vet
 
 unit_test:
   <<: *tests-setup
   stage: tests
   script:
-    - go test ${PROJECT_GOPATH}/pkg
+    - make test
 
 fmt:
   <<: *tests-setup
   stage: tests
   script:
-    - res=$(gofmt -l pkg/*.go)
-    - echo "$res"
-    - test -z "$res"
+    - make assert-fmt
 
 ineffassign:
   <<: *tests-setup
   stage: tests
   script:
-    - go get -u github.com/gordonklaus/ineffassign
-    - ineffassign pkg/*.go
+    - GO111MODULE=off go get -u github.com/gordonklaus/ineffassign
+    - make ineffassign
 
 misspell:
   <<: *tests-setup
   stage: tests
   script:
-    - go get -u github.com/client9/misspell/cmd/misspell
-    - misspell pkg/*.go
+    - GO111MODULE=off go get -u github.com/client9/misspell/cmd/misspell
+    - make misspell
 
 # build-one jobs build packages for a single OS / ARCH combination.
 #

Jenkinsfile

@@ -0,0 +1,106 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+podTemplate (cloud:'sw-gpu-cloudnative',
+    containers: [
+    containerTemplate(name: 'docker', image: 'docker:dind', ttyEnabled: true, privileged: true),
+    containerTemplate(name: 'golang', image: 'golang:1.14.2', ttyEnabled: true)
+  ]) {
+    node(POD_LABEL) {
+        stage('checkout') {
+            checkout scm
+        }
+        stage('dependencies') {
+            container('golang') {
+                sh 'GO111MODULE=off go get -u github.com/client9/misspell/cmd/misspell'
+                sh 'GO111MODULE=off go get -u github.com/gordonklaus/ineffassign'
+                sh 'GO111MODULE=off go get -u golang.org/x/lint/golint'
+            }
+            container('docker') {
+                sh 'apk add --no-cache make bash'
+            }
+        }
+        stage('check') {
+            parallel (
+                getGolangStages(["assert-fmt", "lint", "vet", "ineffassign", "misspell"])
+            )
+        }
+        stage('test') {
+            parallel (
+                getGolangStages(["test"])
+            )
+        }
+        stage('build-one') {
+            parallel (
+                getSingleBuildForArchitectures(["amd64", "ppc64le", "arm64"])
+            )
+        }
+        stage('build-all') {
+            parallel (
+                getAllBuildForArchitectures(["amd64", "ppc64le", "arm64", "x86_64", "aarch64"])
+            )
+        }
+    }
+}
+
+def getGolangStages(def targets) {
+    stages = [:]
+
+    for (t in targets) {
+        stages[t] = getLintClosure(t)
+    }
+
+    return stages
+}
+
+def getSingleBuildForArchitectures(def architectures) {
+    return getBuildStagesForArchitectures(architectures, "make", "ubuntu18.04")
+}
+
+def getAllBuildForArchitectures(def architectures) {
+    // TODO: For the time being we only echo the command for the "all" stages
+    return getBuildStagesForArchitectures(architectures, "echo make", "docker")
+}
+
+def getBuildStagesForArchitectures(def architectures, def makeCommand, def makeTargetPrefix) {
+    stages = [:]
+
+    for (a in architectures) {
+        stages[a] = getBuildClosure(a, makeCommand, "${makeTargetPrefix}-${a}")
+    }
+
+    return stages
+}
+
+def getBuildClosure(def architecture, def makeCommand, def makeTarget) {
+    return {
+        container('docker') {
+            stage(architecture) {
+                sh "${makeCommand} ${makeTarget}"
+            }
+        }
+    }
+}
+
+def getLintClosure(def target) {
+    return {
+        container('golang') {
+            stage(target) {
+                sh "make ${target}"
+            }
+        }
+    }
+}

Makefile

@@ -1,19 +1,67 @@
-# Copyright (c) 2017-2020, NVIDIA CORPORATION. All rights reserved.
+# Copyright (c) 2017-2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 DOCKER   ?= docker
 MKDIR    ?= mkdir
 DIST_DIR ?= $(CURDIR)/dist
 
 LIB_NAME := nvidia-container-toolkit
-LIB_VERSION := 1.3.0
-LIB_TAG ?= rc.2
+LIB_VERSION := 1.5.0
+LIB_TAG ?=
 
 GOLANG_VERSION := 1.14.2
 GOLANG_PKG_PATH := github.com/NVIDIA/nvidia-container-toolkit/pkg
 
 # By default run all native docker-based targets
 docker-native:
-include $(CURDIR)/docker.mk
+include $(CURDIR)/docker/docker.mk
 
 binary:
 	go build -ldflags "-s -w" -o "$(LIB_NAME)" $(GOLANG_PKG_PATH)
+
+# Define the check targets for the Golang codebase
+MODULE := .
+.PHONY: check fmt assert-fmt ineffassign lint misspell vet
+check: assert-fmt lint misspell vet
+fmt:
+	go list -f '{{.Dir}}' $(MODULE)/... \
+		| xargs gofmt -s -l -w
+
+assert-fmt:
+	go list -f '{{.Dir}}' $(MODULE)/... \
+		| xargs gofmt -s -l > fmt.out
+	@if [ -s fmt.out ]; then \
+		echo "\nERROR: The following files are not formatted:\n"; \
+		cat fmt.out; \
+		rm fmt.out; \
+		exit 1; \
+	else \
+		rm fmt.out; \
+	fi
+
+ineffassign:
+	ineffassign $(MODULE)/...
+
+lint:
+	# We use `go list -f '{{.Dir}}' $(GOLANG_PKG_PATH)/...` to skip the `vendor` folder.
+	go list -f '{{.Dir}}' $(MODULE)/... | xargs golint -set_exit_status
+
+misspell:
+	misspell $(MODULE)/...
+
+vet:
+	go vet $(MODULE)/...
+
+test:
+	go test $(MODULE)/...

docker/docker.mk

@@ -1,4 +1,16 @@
-# Copyright (c) 2017-2020, NVIDIA CORPORATION. All rights reserved.
+# Copyright (c) 2017-2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 # Supported OSs by architecture
 AMD64_TARGETS := ubuntu20.04 ubuntu18.04 ubuntu16.04 debian10 debian9
@@ -108,7 +120,7 @@ docker-build-%:
 	DOCKER_BUILDKIT=1 \
 	$(DOCKER) build \
 	    --progress=plain \
-	    --build-arg BASEIMAGE=$(BASEIMAGE) \
+	    --build-arg BASEIMAGE="$(BASEIMAGE)" \
 	    --build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
 	    --build-arg PKG_VERS="$(LIB_VERSION)" \
 	    --build-arg PKG_REV="$(PKG_REV)" \

packaging/debian/changelog

@@ -1,3 +1,39 @@
+nvidia-container-toolkit (1.5.0-1) UNRELEASED; urgency=medium
+
+  * Add dependence on libnvidia-container-tools >= 1.4.0
+  * Add golang check targets to Makefile
+  * Add Jenkinsfile definition for build targets
+  * Move docker.mk to docker folder
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com>  Thu, 29 Apr 2021 03:12:43 -0700
+
+nvidia-container-toolkit (1.4.2-1) UNRELEASED; urgency=medium
+
+  * Add dependence on libnvidia-container-tools >= 1.3.3
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com>  Fri, 05 Feb 2021 02:24:36 -0700
+
+nvidia-container-toolkit (1.4.1-1) UNRELEASED; urgency=medium
+
+  * Ignore NVIDIA_VISIBLE_DEVICES for containers with insufficent privileges
+  * Add dependence on libnvidia-container-tools >= 1.3.2
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com>  Mon, 25 Jan 2021 02:18:04 -0700
+
+nvidia-container-toolkit (1.4.0-1) UNRELEASED; urgency=medium
+
+  * Add 'compute' capability to list of defaults
+  * Add dependence on libnvidia-container-tools >= 1.3.1
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com>  Fri, 11 Dec 2020 18:29:23 -0700
+
+nvidia-container-toolkit (1.3.0-1) UNRELEASED; urgency=medium
+
+  * Promote 1.3.0~rc.2-1 to 1.3.0-1
+  * Add dependence on libnvidia-container-tools >= 1.3.0
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com>  Wed, 16 Sep 2020 13:40:29 -0700
+
 nvidia-container-toolkit (1.3.0~rc.2-1) experimental; urgency=medium
 
   * 2c180947 Add more tests for new semantics with device list from volume mounts

packaging/debian/control

@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 9)
 
 Package: nvidia-container-toolkit
 Architecture: any
-Depends: ${misc:Depends}, libnvidia-container-tools (>= 1.2.0), libnvidia-container-tools (<< 2.0.0)
+Depends: ${misc:Depends}, libnvidia-container-tools (>= 1.4.0), libnvidia-container-tools (<< 2.0.0)
 Breaks: nvidia-container-runtime (<< 2.0.0), nvidia-container-runtime-hook
 Replaces: nvidia-container-runtime (<< 2.0.0), nvidia-container-runtime-hook
 Description: NVIDIA container runtime hook

packaging/rpm/SPECS/nvidia-container-toolkit.spec

@@ -18,7 +18,7 @@ Source4: LICENSE
 
 Obsoletes: nvidia-container-runtime < 2.0.0, nvidia-container-runtime-hook
 Provides: nvidia-container-runtime-hook
-Requires: libnvidia-container-tools >= 1.2.0, libnvidia-container-tools < 2.0.0
+Requires: libnvidia-container-tools >= 1.4.0, libnvidia-container-tools < 2.0.0
 
 %description
 Provides a OCI hook to enable GPU support in containers.
@@ -53,6 +53,27 @@ rm -f %{_bindir}/nvidia-container-runtime-hook
 /usr/share/containers/oci/hooks.d/oci-nvidia-hook.json
 
 %changelog
+* Thu Apr 29 2021 NVIDIA CORPORATION <cudatools@nvidia.com> 1.5.0-1
+- Add dependence on libnvidia-container-tools >= 1.4.0
+- Add golang check targets to Makefile
+- Add Jenkinsfile definition for build targets
+- Move docker.mk to docker folder
+
+* Fri Feb 05 2021 NVIDIA CORPORATION <cudatools@nvidia.com> 1.4.2-1
+- Add dependence on libnvidia-container-tools >= 1.3.3
+
+* Mon Jan 25 2021 NVIDIA CORPORATION <cudatools@nvidia.com> 1.4.1-1
+- Ignore NVIDIA_VISIBLE_DEVICES for containers with insufficent privileges
+- Add dependence on libnvidia-container-tools >= 1.3.2
+
+* Fri Dec 11 2020 NVIDIA CORPORATION <cudatools@nvidia.com> 1.4.0-1
+- Add 'compute' capability to list of defaults
+- Add dependence on libnvidia-container-tools >= 1.3.1
+
+* Wed Sep 16 2020 NVIDIA CORPORATION <cudatools@nvidia.com> 1.3.0-1
+- Promote 1.3.0-0.1.rc.2 to 1.3.0-1
+- Add dependence on libnvidia-container-tools >= 1.3.0
+
 * Mon Aug 10 2020 NVIDIA CORPORATION <cudatools@nvidia.com> 1.3.0-0.1.rc.2
 - 2c180947 Add more tests for new semantics with device list from volume mounts
 - 7c003857 Refactor accepting device lists from volume mounts as a boolean

pkg/container_config.go

@@ -28,7 +28,7 @@ const (
 
 const (
 	allDriverCapabilities     = "compute,compat32,graphics,utility,video,display,ngx"
-	defaultDriverCapabilities = "utility"
+	defaultDriverCapabilities = "utility,compute"
 )
 
 const (
@@ -295,8 +295,8 @@ func getDevices(hookConfig *HookConfig, env map[string]string, mounts []Mount, p
 		return devices
 	}
 
-	// Error out otherwise
-	log.Panicln("insufficient privileges to read device list from NVIDIA_VISIBLE_DEVICES envvar")
+	configName := hookConfig.getConfigOption("AcceptEnvvarUnprivileged")
+	log.Printf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES (privileged=%v, %v=%v) ", privileged, configName, hookConfig.AcceptEnvvarUnprivileged)
 
 	return nil
 }

pkg/container_test.go

@@ -540,7 +540,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
 		acceptUnprivileged bool
 		acceptMounts       bool
 		expectedDevices    *string
-		expectedPanic      bool
 	}{
 		{
 			description: "Mount devices, unprivileged, no accept unprivileged",
@@ -567,7 +566,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			privileged:         false,
 			acceptUnprivileged: false,
 			acceptMounts:       true,
-			expectedPanic:      true,
+			expectedDevices:    nil,
 		},
 		{
 			description:        "No mount devices, privileged, no accept unprivileged",
@@ -621,7 +620,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			privileged:         false,
 			acceptUnprivileged: false,
 			acceptMounts:       false,
-			expectedPanic:      true,
+			expectedDevices:    nil,
 		},
 	}
 	for _, tc := range tests {
@@ -638,12 +637,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
 				devices = getDevices(&hookConfig, env, tc.mountDevices, tc.privileged, false)
 			}
 
-			// For any tests that are expected to panic, make sure they do.
-			if tc.expectedPanic {
-				mustPanic(t, getDevices)
-				return
-			}
-
 			// For all other tests, just grab the devices and check the results
 			getDevices()
 			if !reflect.DeepEqual(devices, tc.expectedDevices) {

pkg/hook_config.go

@@ -4,6 +4,7 @@ import (
 	"log"
 	"os"
 	"path"
+	"reflect"
 
 	"github.com/BurntSushi/toml"
 )
@@ -86,3 +87,18 @@ func getHookConfig() (config HookConfig) {
 
 	return config
 }
+
+// getConfigOption returns the toml config option associated with the
+// specified struct field.
+func (c HookConfig) getConfigOption(fieldName string) string {
+	t := reflect.TypeOf(c)
+	f, ok := t.FieldByName(fieldName)
+	if !ok {
+		return fieldName
+	}
+	v, ok := f.Tag.Lookup("toml")
+	if !ok {
+		return fieldName
+	}
+	return v
+}