Merge branch 'add-experimental-config' into 'master'

Add commented experimental option to config files See merge request nvidia/container-toolkit/container-toolkit!131
Merge branch 'revert-skip-release' into 'master'
2025-06-26 18:18:24 +00:00 · 2022-04-11 11:48:25 +00:00 · 2022-04-11 11:46:36 +00:00 · 2022-04-11 12:57:03 +02:00 · 2022-04-11 12:53:42 +02:00 · 2022-04-11 12:53:22 +02:00
476 changed files with 58390 additions and 22220 deletions
--- a/.common-ci.yml
+++ b/.common-ci.yml
@@ -20,6 +20,7 @@ default:
 variables:
  GIT_SUBMODULE_STRATEGY: recursive
  BUILDIMAGE: "${CI_REGISTRY_IMAGE}/build:${CI_COMMIT_SHORT_SHA}"
+  BUILD_MULTI_ARCH_IMAGES: "true"

 stages:
  - image
@@ -32,7 +33,6 @@ stages:
  - test
  - scan
  - release
-  - build-all

 # Define the distribution targets
 .dist-amazonlinux2:
@@ -42,11 +42,12 @@ stages:
 .dist-centos7:
  variables:
    DIST: centos7
-    CVE_UPDATES: "nss"
+    CVE_UPDATES: "cyrus-sasl-lib"

 .dist-centos8:
  variables:
    DIST: centos8
+    CVE_UPDATES: "cyrus-sasl-lib"

 .dist-debian10:
  variables:
@@ -63,6 +64,7 @@ stages:
 .dist-ubi8:
  variables:
    DIST: ubi8
+    CVE_UPDATES: "cyrus-sasl-lib"

 .dist-ubuntu16.04:
  variables:
@@ -71,6 +73,12 @@ stages:
 .dist-ubuntu18.04:
  variables:
    DIST: ubuntu18.04
+    CVE_UPDATES: "libsasl2-2 libsasl2-modules-db"
+
+.dist-ubuntu20.04:
+  variables:
+    DIST: ubuntu20.04
+    CVE_UPDATES: "libsasl2-2 libsasl2-modules-db"

 .dist-packaging:
  variables:
@@ -97,6 +105,15 @@ stages:
  variables:
    ARCH: x86_64

+# Define the platform targets
+.platform-amd64:
+  variables:
+    PLATFORM: linux/amd64
+
+.platform-arm64:
+  variables:
+    PLATFORM: linux/arm64
+
 # Define test helpers
 .integration:
  stage: test
@@ -118,20 +135,30 @@ test-packaging:
  needs:
    - image-packaging

+# Download the regctl binary for use in the release steps
+.regctl-setup:
+  before_script:
+    - export REGCTL_VERSION=v0.3.10
+    - apk add --no-cache curl
+    - mkdir -p bin
+    - curl -sSLo bin/regctl https://github.com/regclient/regclient/releases/download/${REGCTL_VERSION}/regctl-linux-amd64
+    - chmod a+x bin/regctl
+    - export PATH=$(pwd)/bin:${PATH}
+
 # .release forms the base of the deployment jobs which push images to the CI registry.
 # This is extended with the version to be deployed (e.g. the SHA or TAG) and the
 # target os.
 .release:
-  stage:
-    release
+  stage: release
  variables:
    # Define the source image for the release
    IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit"
    VERSION: "${CI_COMMIT_SHORT_SHA}"
    # OUT_IMAGE_VERSION is overridden for external releases
    OUT_IMAGE_VERSION: "${CI_COMMIT_SHORT_SHA}"
-  stage: release
  before_script:
+    - !reference [.regctl-setup, before_script]
+
    # We ensure that the OUT_IMAGE_VERSION is set
    - 'echo Version: ${OUT_IMAGE_VERSION} ; [[ -n "${OUT_IMAGE_VERSION}" ]] || exit 1'

@@ -139,16 +166,16 @@ test-packaging:
    # need to tag the image.
    # Note: a leading 'v' is stripped from the version if present
    - apk add --no-cache make bash
-    - 'echo "Logging in to CI registry ${CI_REGISTRY}"'
-    - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
-    - docker pull "${IMAGE_NAME}:${VERSION}-${DIST}"
  script:
-    - docker tag "${IMAGE_NAME}:${VERSION}-${DIST}" "${OUT_IMAGE_NAME}:${OUT_IMAGE_VERSION}-${DIST}"
    # Log in to the "output" registry, tag the image and push the image
-    - 'echo "Logging in to output registry ${OUT_REGISTRY}"'
-    - docker logout
-    - docker login -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}" "${OUT_REGISTRY}"
-    - make IMAGE_NAME=${OUT_IMAGE_NAME} VERSION=${OUT_IMAGE_VERSION} -f build/container/Makefile push-${DIST}
+    - 'echo "Logging in to CI registry ${CI_REGISTRY}"'
+    - regctl registry login "${CI_REGISTRY}" -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}"
+    - '[ ${CI_REGISTRY} = ${OUT_REGISTRY} ] || echo "Logging in to output registry ${OUT_REGISTRY}"'
+    - '[ ${CI_REGISTRY} = ${OUT_REGISTRY} ] || regctl registry login "${OUT_REGISTRY}" -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}"'
+
+    # Since OUT_IMAGE_NAME and OUT_IMAGE_VERSION are set, this will push the CI image to the
+    # Target
+    - make -f build/container/Makefile push-${DIST}

 # Define a staging release step that pushes an image to an internal "staging" repository
 # This is triggered for all pipelines (i.e. not only tags) to test the pipeline steps
@@ -207,6 +234,16 @@ release:staging-ubuntu18.04:
    - test-crio-ubuntu18.04
    - test-docker-ubuntu18.04

+release:staging-ubuntu20.04:
+  extends:
+    - .release:staging
+    - .dist-ubuntu20.04
+  needs:
+    - test-toolkit-ubuntu20.04
+    - test-containerd-ubuntu20.04
+    - test-crio-ubuntu20.04
+    - test-docker-ubuntu20.04
+
 release:staging-packaging:
  extends:
    - .release:staging
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,9 @@
 dist
 *.swp
 *.swo
-/coverage.out
+/coverage.out*
 /test/output/
 /nvidia-container-runtime
 /nvidia-container-toolkit
+/nvidia-ctk
 /shared-*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -194,19 +194,33 @@ package-ubuntu18.04-ppc64le:
    - .dist-ubuntu18.04
    - .arch-ppc64le

+.buildx-setup:
+  before_script:
+    -  export BUILDX_VERSION=v0.6.3
+    -  apk add --no-cache curl
+    -  mkdir -p ~/.docker/cli-plugins
+    -  curl -sSLo ~/.docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${BUILDX_VERSION}/buildx-${BUILDX_VERSION}.linux-amd64"
+    -  chmod a+x ~/.docker/cli-plugins/docker-buildx
+
+    -  docker buildx create --use --platform=linux/amd64,linux/arm64
+
+    -  '[[ -n "${SKIP_QEMU_SETUP}" ]] || docker run --rm --privileged multiarch/qemu-user-static --reset -p yes'
+
 # Define the image build targets
 .image-build:
  stage: image-build
  variables:
    IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit"
    VERSION: "${CI_COMMIT_SHORT_SHA}"
+    PUSH_ON_BUILD: "true"
  before_script:
+    - !reference [.buildx-setup, before_script]
+
    - apk add --no-cache bash make
    - 'echo "Logging in to CI registry ${CI_REGISTRY}"'
    - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
  script:
    - make -f build/container/Makefile build-${DIST}
-    - make -f build/container/Makefile push-${DIST}

 image-centos7:
  extends:
@@ -233,9 +247,10 @@ image-ubi8:
    - .package-artifacts
    - .dist-ubi8
  needs:
-    # Note: The ubi8 image currently uses the centos7 packages
-    - package-centos7-ppc64le
-    - package-centos7-x86_64
+    # Note: The ubi8 image uses the centos8 packages
+    - package-centos8-aarch64
+    - package-centos8-x86_64
+    - package-centos8-ppc64le

 image-ubuntu18.04:
  extends:
@@ -247,6 +262,16 @@ image-ubuntu18.04:
    - package-ubuntu18.04-arm64
    - package-ubuntu18.04-ppc64le

+image-ubuntu20.04:
+  extends:
+    - .image-build
+    - .package-artifacts
+    - .dist-ubuntu20.04
+  needs:
+    - package-ubuntu18.04-amd64
+    - package-ubuntu18.04-arm64
+    - package-ubuntu18.04-ppc64le
+
 # The DIST=packaging target creates an image containing all built packages
 image-packaging:
  extends:
@@ -328,45 +353,31 @@ test-docker-ubuntu18.04:
  needs:
    - image-ubuntu18.04

-# build-all jobs build packages for every OS / ARCH combination we support.
-#
-# They are run under two conditions:
-# 1) Automatically whenever a new tag is pushed to the repo (e.g. v1.1.0)
-# 2) Manually by a reviewer just before merging a MR.
-.build-all-for-arch:
-  variables:
-    # Setting DIST=docker invokes the docker- release targets
-    DIST: docker
+test-toolkit-ubuntu20.04:
  extends:
-    - .package-build
-  stage: build-all
-  rules:
-    - if: $CI_COMMIT_TAG
-      when: always
+    - .test:toolkit
+    - .dist-ubuntu20.04
+  needs:
+    - image-ubuntu20.04

-# The full set of build-all jobs organized to
-# have builds for each ARCH run in parallel.
-build-all-amd64:
+test-containerd-ubuntu20.04:
  extends:
-    - .build-all-for-arch
-    - .arch-amd64
+    - .test:containerd
+    - .dist-ubuntu20.04
+  needs:
+    - image-ubuntu20.04

-build-all-x86_64:
+test-crio-ubuntu20.04:
  extends:
-    - .build-all-for-arch
-    - .arch-x86_64
+    - .test:crio
+    - .dist-ubuntu20.04
+  needs:
+    - image-ubuntu20.04

-build-all-ppc64le:
+test-docker-ubuntu20.04:
  extends:
-    - .build-all-for-arch
-    - .arch-ppc64le
+    - .test:docker
+    - .dist-ubuntu20.04
+  needs:
+    - image-ubuntu20.04

-build-all-arm64:
-  extends:
-    - .build-all-for-arch
-    - .arch-arm64
-
-build-all-aarch64:
-  extends:
-    - .build-all-for-arch
-    - .arch-aarch64
--- a/.nvidia-ci.yml
+++ b/.nvidia-ci.yml
@@ -46,6 +46,7 @@ variables:
    OUT_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}"
    OUT_REGISTRY: "${CI_REGISTRY}"
    OUT_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit"
+    PUSH_MULTIPLE_TAGS: "false"
  # We delay the job start to allow the public pipeline to generate the required images.
  when: delayed
  start_in: 30 minutes
@@ -56,13 +57,13 @@ variables:
      - job_execution_timeout
      - stuck_or_timeout_failure
  before_script:
+    - !reference [.regctl-setup, before_script]
+    - apk add --no-cache make bash
    - >
-      docker pull ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} > /dev/null && echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST}" || ( echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} does not exist" && sleep infinity )
+      regctl manifest get ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} --list > /dev/null && echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST}" || ( echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} does not exist" && sleep infinity )
  script:
-    - docker pull ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST}
-    - docker tag ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} ${OUT_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}-${DIST}
-    - docker login -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}" "${OUT_REGISTRY}"
-    - docker push ${OUT_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}-${DIST}
+    - regctl registry login "${OUT_REGISTRY}" -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}"
+    - make -f build/container/Makefile IMAGE=${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} OUT_IMAGE=${OUT_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}-${DIST} push-${DIST}

 image-centos7:
  extends:
@@ -84,6 +85,11 @@ image-ubuntu18.04:
    - .image-pull
    - .dist-ubuntu18.04

+image-ubuntu20.04:
+  extends:
+    - .image-pull
+    - .dist-ubuntu20.04
+
 # The DIST=packaging target creates an image containing all built packages
 image-packaging:
  extends:
@@ -112,7 +118,7 @@ image-packaging:
  before_script:
    - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
    # TODO: We should specify the architecture here and scan all architectures
-    - docker pull "${IMAGE}"
+    - docker pull --platform="${PLATFORM}" "${IMAGE}"
    - docker save "${IMAGE}" -o "${IMAGE_ARCHIVE}"
    - AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0)
    - >
@@ -131,34 +137,91 @@ image-packaging:
      - policy_evaluation.json

 # Define the scan targets
-scan-centos7:
+scan-centos7-amd64:
  extends:
    - .scan
    - .dist-centos7
+    - .platform-amd64
  needs:
    - image-centos7

-scan-centos8:
+scan-centos7-arm64:
+  extends:
+    - .scan
+    - .dist-centos7
+    - .platform-arm64
+  needs:
+    - image-centos7
+    - scan-centos7-amd64
+
+scan-centos8-amd64:
  extends:
    - .scan
    - .dist-centos8
+    - .platform-amd64
  needs:
    - image-centos8

-scan-ubuntu18.04:
+scan-centos8-arm64:
+  extends:
+    - .scan
+    - .dist-centos8
+    - .platform-arm64
+  needs:
+    - image-centos8
+    - scan-centos8-amd64
+
+scan-ubuntu18.04-amd64:
  extends:
    - .scan
    - .dist-ubuntu18.04
+    - .platform-amd64
  needs:
    - image-ubuntu18.04

-scan-ubi8:
+scan-ubuntu18.04-arm64:
+  extends:
+    - .scan
+    - .dist-ubuntu18.04
+    - .platform-arm64
+  needs:
+    - image-ubuntu18.04
+    - scan-ubuntu18.04-amd64
+
+scan-ubuntu20.04-amd64:
+  extends:
+    - .scan
+    - .dist-ubuntu20.04
+    - .platform-amd64
+  needs:
+    - image-ubuntu20.04
+
+scan-ubuntu20.04-arm64:
+  extends:
+    - .scan
+    - .dist-ubuntu20.04
+    - .platform-arm64
+  needs:
+    - image-ubuntu20.04
+    - scan-ubuntu20.04-amd64
+
+scan-ubi8-amd64:
  extends:
    - .scan
    - .dist-ubi8
+    - .platform-amd64
  needs:
    - image-ubi8

+scan-ubi8-arm64:
+  extends:
+    - .scan
+    - .dist-ubi8
+    - .platform-arm64
+  needs:
+    - image-ubi8
+    - scan-ubi8-amd64
+
 # Define external release helpers
 .release:ngc:
  extends:
@@ -185,6 +248,13 @@ release:staging-ubuntu18.04:
  needs:
    - image-ubuntu18.04

+release:staging-ubuntu20.04:
+  extends:
+    - .release:staging
+    - .dist-ubuntu20.04
+  needs:
+    - image-ubuntu20.04
+
 # Define the external release targets
 # Release to NGC
 release:ngc-centos7:
@@ -197,11 +267,16 @@ release:ngc-centos8:
    - .release:ngc
    - .dist-centos8

-release:ngc-ubuntu18:
+release:ngc-ubuntu18.04:
  extends:
    - .release:ngc
    - .dist-ubuntu18.04

+release:ngc-ubuntu20.04:
+  extends:
+    - .release:ngc
+    - .dist-ubuntu20.04
+
 release:ngc-ubi8:
  extends:
    - .release:ngc
@@ -218,11 +293,16 @@ release:dockerhub-centos8:
    - .release:dockerhub
    - .dist-centos8

-release:dockerhub-ubuntu18:
+release:dockerhub-ubuntu18.04:
  extends:
    - .release:dockerhub
    - .dist-ubuntu18.04

+release:dockerhub-ubuntu20.04:
+  extends:
+    - .release:dockerhub
+    - .dist-ubuntu20.04
+
 release:dockerhub-ubi8:
  extends:
    - .release:dockerhub
--- a/18
+++ b/18
@@ -90,11 +90,7 @@ ineffassign:

 lint:
 # We use `go list -f '{{.Dir}}' $(MODULE)/...` to skip the `vendor` folder.
-	go list -f '{{.Dir}}' $(MODULE)/... | grep -v /internal/ | xargs golint -set_exit_status
-
-lint-internal:
-# We use `go list -f '{{.Dir}}' $(MODULE)/...` to skip the `vendor` folder.
-	go list -f '{{.Dir}}' $(MODULE)/internal/... | xargs golint -set_exit_status
+	go list -f '{{.Dir}}' $(MODULE)/... | xargs golint -set_exit_status

 misspell:
 	misspell $(MODULE)/...
@@ -142,3 +138,15 @@ $(DOCKER_TARGETS): docker-%: .build-image
 		--user $$(id -u):$$(id -g) \
 		$(BUILDIMAGE) \
 			make $(*)
+
+# Start an interactive shell using the development image.
+PHONY: .shell
+.shell:
+	$(DOCKER) run \
+		--rm \
+		-ti \
+		-e GOCACHE=/tmp/.cache \
+		-v $(PWD):$(PWD) \
+		-w $(PWD) \
+		--user $$(id -u):$$(id -g) \
+		$(BUILDIMAGE)
--- a/build/container/Dockerfile.centos
+++ b/build/container/Dockerfile.centos
@@ -44,11 +44,12 @@ FROM nvidia/cuda:${CUDA_VERSION}-base-${BASE_DIST}

 ARG BASE_DIST
 # See https://www.centos.org/centos-linux-eol/
-# and https://stackoverflow.com/a/70930049
+# and https://stackoverflow.com/a/70930049 for move to vault.centos.org
+# and https://serverfault.com/questions/1093922/failing-to-run-yum-update-in-centos-8 for move to vault.epel.cloud
 RUN [[ "${BASE_DIST}" != "centos8" ]] || \
    ( \
      sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Linux-* && \
-      sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-Linux-* \
+      sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.epel.cloud|g' /etc/yum.repos.d/CentOS-Linux-* \
    )

 ENV NVIDIA_DISABLE_REQUIRE="true"
@@ -62,8 +63,10 @@ COPY ${ARTIFACTS_ROOT}/${PACKAGE_DIST} /artifacts/packages/${PACKAGE_DIST}
 WORKDIR /artifacts/packages

 ARG PACKAGE_VERSION
-ARG PACKAGE_ARCH
-RUN yum localinstall -y \
+ARG TARGETARCH
+ENV PACKAGE_ARCH ${TARGETARCH}
+RUN PACKAGE_ARCH=${PACKAGE_ARCH/amd64/x86_64} && PACKAGE_ARCH=${PACKAGE_ARCH/arm64/aarch64} && \
+    yum localinstall -y \
    ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container1-${PACKAGE_VERSION}*.rpm \
    ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container-tools-${PACKAGE_VERSION}*.rpm \
    ${PACKAGE_DIST}/${PACKAGE_ARCH}/nvidia-container-toolkit-${PACKAGE_VERSION}*.rpm
--- a/build/container/Dockerfile.ubuntu
+++ b/build/container/Dockerfile.ubuntu
@@ -40,11 +40,12 @@ COPY . .
 RUN GOPATH=/artifacts go install -ldflags="-s -w -X 'main.Version=${VERSION}'" ./tools/...


-FROM nvidia/cuda:${CUDA_VERSION}-base-${BASE_DIST}
+FROM nvcr.io/nvidia/cuda:${CUDA_VERSION}-base-${BASE_DIST}

 ARG DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && apt-get install -y --no-install-recommends \
    libcap2 \
+    curl \
        && \
    rm -rf /var/lib/apt/lists/*

@@ -59,7 +60,17 @@ COPY ${ARTIFACTS_ROOT}/${PACKAGE_DIST} /artifacts/packages/${PACKAGE_DIST}
 WORKDIR /artifacts/packages

 ARG PACKAGE_VERSION
-ARG PACKAGE_ARCH
+ARG TARGETARCH
+ENV PACKAGE_ARCH ${TARGETARCH}
+
+ARG LIBNVIDIA_CONTAINER_REPO="https://nvidia.github.io/libnvidia-container"
+ARG LIBNVIDIA_CONTAINER0_VERSION
+RUN if [ "${PACKAGE_ARCH}" = "arm64" ]; then \
+        curl -L ${LIBNVIDIA_CONTAINER_REPO}/${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container0_${LIBNVIDIA_CONTAINER0_VERSION}_${PACKAGE_ARCH}.deb \
+            --output ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container0_${LIBNVIDIA_CONTAINER0_VERSION}_${PACKAGE_ARCH}.deb && \
+        dpkg -i ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container0_${LIBNVIDIA_CONTAINER0_VERSION}_${PACKAGE_ARCH}.deb; \
+    fi
+
 RUN dpkg -i \
    ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container1_${PACKAGE_VERSION}*.deb \
    ${PACKAGE_DIST}/${PACKAGE_ARCH}/libnvidia-container-tools_${PACKAGE_VERSION}*.deb \
@@ -81,4 +92,11 @@ LABEL description="See summary"

 COPY ./LICENSE /licenses/LICENSE

+# Install / upgrade packages here that are required to resolve CVEs
+ARG CVE_UPDATES
+RUN if [ -n "${CVE_UPDATES}" ]; then \
+        apt-get update && apt-get upgrade -y ${CVE_UPDATES} && \
+        rm -rf /var/lib/apt/lists/*; \
+    fi
+
 ENTRYPOINT ["/work/nvidia-toolkit"]
--- a/build/container/Makefile
+++ b/build/container/Makefile
@@ -12,7 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-DOCKER   ?= docker
+BUILD_MULTI_ARCH_IMAGES ?= false
+DOCKER ?= docker
+
+BUILDX =
+ifeq ($(BUILD_MULTI_ARCH_IMAGES),true)
+BUILDX = buildx
+endif
+
 MKDIR    ?= mkdir
 DIST_DIR ?= $(CURDIR)/dist

@@ -25,36 +32,47 @@ IMAGE_NAME := $(REGISTRY)/container-toolkit
 endif

 VERSION ?= $(LIB_VERSION)$(if $(LIB_TAG),-$(LIB_TAG))
+IMAGE_VERSION := $(VERSION)

 IMAGE_TAG ?= $(VERSION)-$(DIST)
 IMAGE = $(IMAGE_NAME):$(IMAGE_TAG)

+OUT_IMAGE_NAME ?= $(IMAGE_NAME)
+OUT_IMAGE_VERSION ?= $(IMAGE_VERSION)
+OUT_IMAGE_TAG = $(OUT_IMAGE_VERSION)-$(DIST)
+OUT_IMAGE = $(OUT_IMAGE_NAME):$(OUT_IMAGE_TAG)
+
 ##### Public rules #####
 DEFAULT_PUSH_TARGET := ubuntu18.04
-TARGETS := ubuntu20.04 ubuntu18.04 ubi8 centos7 centos8
+DISTRIBUTIONS := ubuntu20.04 ubuntu18.04 ubi8 centos7 centos8

 META_TARGETS := packaging

-BUILD_TARGETS := $(patsubst %,build-%,$(TARGETS) $(META_TARGETS))
-PUSH_TARGETS := $(patsubst %,push-%,$(TARGETS) $(META_TARGETS))
-TEST_TARGETS := $(patsubst %,test-%, $(TARGETS))
+BUILD_TARGETS := $(patsubst %,build-%,$(DISTRIBUTIONS) $(META_TARGETS))
+PUSH_TARGETS := $(patsubst %,push-%,$(DISTRIBUTIONS) $(META_TARGETS))
+TEST_TARGETS := $(patsubst %,test-%, $(DISTRIBUTIONS))

-.PHONY: $(TARGETS) $(PUSH_TARGETS) $(BUILD_TARGETS) $(TEST_TARGETS)
+.PHONY: $(DISTRIBUTIONS) $(PUSH_TARGETS) $(BUILD_TARGETS) $(TEST_TARGETS)

-push-%: DIST = $(*)
-$(PUSH_TARGETS): push-%:
-	$(DOCKER) push "$(IMAGE_NAME):$(IMAGE_TAG)"
+ifneq ($(BUILD_MULTI_ARCH_IMAGES),true)
+include $(CURDIR)/build/container/native-only.mk
+else
+include $(CURDIR)/build/container/multi-arch.mk
+endif

 # For the default push target we also push a short tag equal to the version.
 # We skip this for the development release
 DEVEL_RELEASE_IMAGE_VERSION ?= devel
-ifneq ($(strip $(VERSION)),$(DEVEL_RELEASE_IMAGE_VERSION))
+PUSH_MULTIPLE_TAGS ?= true
+ifeq ($(strip $(OUT_IMAGE_VERSION)),$(DEVEL_RELEASE_IMAGE_VERSION))
+PUSH_MULTIPLE_TAGS = false
+endif
+ifeq ($(PUSH_MULTIPLE_TAGS),true)
 push-$(DEFAULT_PUSH_TARGET): push-short
 endif
-push-short:
-	$(DOCKER) tag "$(IMAGE_NAME):$(VERSION)-$(DEFAULT_PUSH_TARGET)" "$(IMAGE_NAME):$(VERSION)"
-	$(DOCKER) push "$(IMAGE_NAME):$(VERSION)"

+push-%: DIST = $(*)
+push-short: DIST = $(DEFAULT_PUSH_TARGET)

 build-%: DIST = $(*)
 build-%: DOCKERFILE = $(CURDIR)/build/container/Dockerfile.$(DOCKERFILE_SUFFIX)
@@ -64,16 +82,17 @@ ARTIFACTS_ROOT ?= $(shell realpath --relative-to=$(CURDIR) $(DIST_DIR))
 # Use a generic build target to build the relevant images
 $(BUILD_TARGETS): build-%: $(ARTIFACTS_ROOT)
 	DOCKER_BUILDKIT=1 \
-		$(DOCKER) build --pull \
-		--platform=linux/amd64 \
+		$(DOCKER) $(BUILDX) build --pull \
+		$(DOCKER_BUILD_OPTIONS) \
+		$(DOCKER_BUILD_PLATFORM_OPTIONS) \
 		--tag $(IMAGE) \
 		--build-arg ARTIFACTS_ROOT="$(ARTIFACTS_ROOT)" \
 		--build-arg BASE_DIST="$(BASE_DIST)" \
 		--build-arg CUDA_VERSION="$(CUDA_VERSION)" \
 		--build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
+		--build-arg LIBNVIDIA_CONTAINER0_VERSION="$(LIBNVIDIA_CONTAINER0_DEPENDENCY)" \
 		--build-arg PACKAGE_DIST="$(PACKAGE_DIST)" \
 		--build-arg PACKAGE_VERSION="$(PACKAGE_VERSION)" \
-		--build-arg PACKAGE_ARCH="$(PACKAGE_ARCH)" \
 		--build-arg VERSION="$(VERSION)" \
 		--build-arg CVE_UPDATES="$(CVE_UPDATES)" \
 		-f $(DOCKERFILE) \
@@ -82,20 +101,17 @@ $(BUILD_TARGETS): build-%: $(ARTIFACTS_ROOT)

 build-ubuntu%: BASE_DIST = $(*)
 build-ubuntu%: DOCKERFILE_SUFFIX := ubuntu
-build-ubuntu%: PACKAGE_ARCH := amd64
-build-ubuntu%: PACKAGE_DIST = $(BASE_DIST)
+build-ubuntu%: PACKAGE_DIST = ubuntu18.04
 build-ubuntu%: PACKAGE_VERSION := $(LIB_VERSION)$(if $(LIB_TAG),~$(LIB_TAG))
+build-ubuntu%: LIBNVIDIA_CONTAINER0_DEPENDENCY=$(LIBNVIDIA_CONTAINER0_VERSION)

-# TODO: Update this to use the centos8 packages
 build-ubi8: BASE_DIST := ubi8
 build-ubi8: DOCKERFILE_SUFFIX := centos
-build-ubi8: PACKAGE_ARCH := x86_64
-build-ubi8: PACKAGE_DIST = centos7
+build-ubi8: PACKAGE_DIST = centos8
 build-ubi8: PACKAGE_VERSION := $(LIB_VERSION)-$(if $(LIB_TAG),0.1.$(LIB_TAG),1)

 build-centos%: BASE_DIST = $(*)
 build-centos%: DOCKERFILE_SUFFIX := centos
-build-centos%: PACKAGE_ARCH := x86_64
 build-centos%: PACKAGE_DIST = $(BASE_DIST)
 build-centos%: PACKAGE_VERSION := $(LIB_VERSION)-$(if $(LIB_TAG),0.1.$(LIB_TAG),1)

--- a/build/container/multi-arch.mk
+++ b/build/container/multi-arch.mk
@@ -0,0 +1,34 @@
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+PUSH_ON_BUILD ?= false
+DOCKER_BUILD_OPTIONS = --output=type=image,push=$(PUSH_ON_BUILD)
+DOCKER_BUILD_PLATFORM_OPTIONS = --platform=linux/amd64,linux/arm64
+
+REGCTL ?= regctl
+$(PUSH_TARGETS): push-%:
+	$(REGCTL) \
+	        image copy \
+	        $(IMAGE) $(OUT_IMAGE)
+
+push-short:
+	$(REGCTL) \
+	        image copy \
+	        $(IMAGE) $(OUT_IMAGE_NAME):$(OUT_IMAGE_VERSION)
+
+# We only have x86_64 packages for centos7
+build-centos7: DOCKER_BUILD_PLATFORM_OPTIONS = --platform=linux/amd64
+
+# We only generate a single image for packaging targets
+build-packaging: DOCKER_BUILD_PLATFORM_OPTIONS = --platform=linux/amd64
--- a/build/container/native-only.mk
+++ b/build/container/native-only.mk
@@ -0,0 +1,23 @@
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+DOCKER_BUILD_PLATFORM_OPTIONS = --platform=linux/amd64
+
+$(PUSH_TARGETS): push-%:
+	$(DOCKER) tag "$(IMAGE)" "$(OUT_IMAGE)"
+	$(DOCKER) push "$(OUT_IMAGE)"
+
+push-short:
+	$(DOCKER) tag "$(IMAGE_NAME):$(VERSION)-$(DEFAULT_PUSH_TARGET)" "$(OUT_IMAGE_NAME):$(OUT_IMAGE_VERSION)"
+	$(DOCKER) push "$(OUT_IMAGE_NAME):$(OUT_IMAGE_VERSION)"
--- a/cmd/nvidia-container-runtime/README.md
+++ b/cmd/nvidia-container-runtime/README.md
@@ -0,0 +1,25 @@
+# The NVIDIA Container Runtime
+
+The NVIDIA Container Runtime is a shim for OCI-compliant low-level runtimes such as [runc](https://github.com/opencontainers/runc). When a `create` command is detected, the incoming [OCI runtime specification](https://github.com/opencontainers/runtime-spec) is modified in place and the command is forwarded to the low-level runtime.
+
+## Standard Mode
+
+In the standard mode configuration, the NVIDIA Container Runtime adds a [`prestart` hook](https://github.com/opencontainers/runtime-spec/blob/master/config.md#prestart) to the incomming OCI specification that invokes the NVIDIA Container Runtime Hook for all containers created. This hook checks whether NVIDIA devices are requested and ensures GPU access is configured using the `nvidia-container-cli` from project [libnvidia-container](https://github.com/NVIDIA/libnvidia-container).
+
+## Experimental Mode
+
+The NVIDIA Container Runtime can be configured in an experimental mode by setting the following options in the runtime's `config.toml` file:
+
+```toml
+[nvidia-container-runtime]
+experimental = true
+```
+
+When this setting is enabled, the modifications made to the OCI specification are controlled by the `nvidia-container-runtime.discover-mode` option, with the following mode supported:
+
+* `"legacy"`: This mode mirrors the behaviour of the standard mode, inserting the NVIDIA Container Runtime Hook as a `prestart` hook into the container's OCI specification.
+* `"csv"`: This mode uses CSV files at `/etc/nvidia-container-runtime/host-files-for-container.d` to define the devices and mounts that are to be injected into a container when it is created.
+
+### Notes on using the docker CLI
+
+The `docker` CLI supports the `--gpus` flag to select GPUs for inclusion in a container. Since specifying this flag inserts the same NVIDIA Container Runtime Hook into the OCI runtime specification. When experimental mode is activated, the NVIDIA Container Runtime detects the presence of the hook and raises an error. This requirement will be relaxed in the near future.
--- a/cmd/nvidia-container-runtime/main.go
+++ b/cmd/nvidia-container-runtime/main.go
@@ -3,20 +3,9 @@ package main
 import (
 	"fmt"
 	"os"
-	"path"

-	"github.com/pelletier/go-toml"
-)
-
-const (
-	configOverride = "XDG_CONFIG_HOME"
-	configFilePath = "nvidia-container-runtime/config.toml"
-
-	hookDefaultFilePath = "/usr/bin/nvidia-container-runtime-hook"
-)
-
-var (
-	configDir = "/etc/"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+	"github.com/sirupsen/logrus"
 )

 var logger = NewLogger()
@@ -24,66 +13,42 @@ var logger = NewLogger()
 func main() {
 	err := run(os.Args)
 	if err != nil {
-		logger.Errorf("Error running %v: %v", os.Args, err)
+		logger.Errorf("%v", err)
 		os.Exit(1)
 	}
 }

 // run is an entry point that allows for idiomatic handling of errors
 // when calling from the main function.
-func run(argv []string) (err error) {
-	cfg, err := getConfig()
+func run(argv []string) (rerr error) {
+	logger.Debugf("Running %v", argv)
+	cfg, err := config.GetConfig()
 	if err != nil {
 		return fmt.Errorf("error loading config: %v", err)
 	}

-	err = logger.LogToFile(cfg.debugFilePath)
+	err = logger.LogToFile(cfg.NVIDIAContainerRuntimeConfig.DebugFilePath)
 	if err != nil {
 		return fmt.Errorf("error opening debug log file: %v", err)
 	}
 	defer func() {
 		// We capture and log a returning error before closing the log file.
-		if err != nil {
-			logger.Errorf("Error running %v: %v", argv, err)
+		if rerr != nil {
+			logger.Errorf("%v", rerr)
 		}
 		logger.CloseFile()
 	}()

-	r, err := newRuntime(argv)
+	if logLevel, err := logrus.ParseLevel(cfg.NVIDIAContainerRuntimeConfig.LogLevel); err == nil {
+		logger.SetLevel(logLevel)
+	} else {
+		logger.Warnf("Invalid log-level '%v'; using '%v'", cfg.NVIDIAContainerRuntimeConfig.LogLevel, logger.Level.String())
+	}
+
+	runtime, err := newNVIDIAContainerRuntime(logger.Logger, cfg, argv)
 	if err != nil {
-		return fmt.Errorf("error creating runtime: %v", err)
+		return fmt.Errorf("failed to create NVIDIA Container Runtime: %v", err)
 	}

-	logger.Printf("Running %s\n", argv[0])
-	return r.Exec(argv)
-}
-
-type config struct {
-	debugFilePath string
-}
-
-// getConfig sets up the config struct. Values are read from a toml file
-// or set via the environment.
-func getConfig() (*config, error) {
-	cfg := &config{}
-
-	if XDGConfigDir := os.Getenv(configOverride); len(XDGConfigDir) != 0 {
-		configDir = XDGConfigDir
-	}
-
-	configFilePath := path.Join(configDir, configFilePath)
-
-	tomlContent, err := os.ReadFile(configFilePath)
-	if err != nil {
-		return nil, err
-	}
-
-	toml, err := toml.Load(string(tomlContent))
-	if err != nil {
-		return nil, err
-	}
-
-	cfg.debugFilePath = toml.GetDefault("nvidia-container-runtime.debug", "/dev/null").(string)
-
-	return cfg, nil
+	return runtime.Exec(argv)
 }
--- a/cmd/nvidia-container-runtime/main_test.go
+++ b/cmd/nvidia-container-runtime/main_test.go
@@ -3,15 +3,15 @@ package main
 import (
 	"bytes"
 	"encoding/json"
-	"fmt"
 	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
-	"runtime"
 	"strings"
 	"testing"

+	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-container-runtime/modifier"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/test"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/require"
 )
@@ -35,7 +35,7 @@ func TestMain(m *testing.M) {
 	// TEST SETUP
 	// Determine the module root and the test binary path
 	var err error
-	moduleRoot, err := getModuleRoot()
+	moduleRoot, err := test.GetModuleRoot()
 	if err != nil {
 		logger.Fatalf("error in test setup: could not get module root: %v", err)
 	}
@@ -43,7 +43,7 @@ func TestMain(m *testing.M) {
 	testInputPath := filepath.Join(moduleRoot, "test", "input")

 	// Set the environment variables for the test
-	os.Setenv("PATH", prependToPath(testBinPath, moduleRoot))
+	os.Setenv("PATH", test.PrependToPath(testBinPath, moduleRoot))
 	os.Setenv("XDG_CONFIG_HOME", testInputPath)

 	// Confirm that the environment is configured correctly
@@ -71,31 +71,6 @@ func TestMain(m *testing.M) {
 	os.Exit(exitCode)
 }

-func getModuleRoot() (string, error) {
-	_, filename, _, _ := runtime.Caller(0)
-
-	return hasGoMod(filename)
-}
-
-func hasGoMod(dir string) (string, error) {
-	if dir == "" || dir == "/" {
-		return "", fmt.Errorf("module root not found")
-	}
-
-	_, err := os.Stat(filepath.Join(dir, "go.mod"))
-	if err != nil {
-		return hasGoMod(filepath.Dir(dir))
-	}
-	return dir, nil
-}
-
-func prependToPath(additionalPaths ...string) string {
-	paths := strings.Split(os.Getenv("PATH"), ":")
-	paths = append(additionalPaths, paths...)
-
-	return strings.Join(paths, ":")
-}
-
 // case 1) nvidia-container-runtime run --bundle
 // case 2) nvidia-container-runtime create --bundle
 //		- Confirm the runtime handles bad input correctly
@@ -193,11 +168,11 @@ func TestDuplicateHook(t *testing.T) {
 	require.Equal(t, 1, nvidiaHookCount(spec.Hooks), "exactly one nvidia prestart hook should be inserted correctly into config.json")
 }

-// addNVIDIAHook is a basic wrapper for nvidiaContainerRunime.addNVIDIAHook that is used for
+// addNVIDIAHook is a basic wrapper for an addHookModifier that is used for
 // testing.
 func addNVIDIAHook(spec *specs.Spec) error {
-	r := nvidiaContainerRuntime{logger: logger.Logger}
-	return r.addNVIDIAHook(spec)
+	m := modifier.NewStableRuntimeModifier(logger.Logger)
+	return m.Modify(spec)
 }

 func (c testConfig) getRuntimeSpec() (specs.Spec, error) {
@@ -270,24 +245,3 @@ func nvidiaHookCount(hooks *specs.Hooks) int {
 	}
 	return count
 }
-
-func TestGetConfigWithCustomConfig(t *testing.T) {
-	wd, err := os.Getwd()
-	require.NoError(t, err)
-
-	// By default debug is disabled
-	contents := []byte("[nvidia-container-runtime]\ndebug = \"/nvidia-container-toolkit.log\"")
-	testDir := filepath.Join(wd, "test")
-	filename := filepath.Join(testDir, configFilePath)
-
-	os.Setenv(configOverride, testDir)
-
-	require.NoError(t, os.MkdirAll(filepath.Dir(filename), 0766))
-	require.NoError(t, ioutil.WriteFile(filename, contents, 0766))
-
-	defer func() { require.NoError(t, os.RemoveAll(testDir)) }()
-
-	cfg, err := getConfig()
-	require.NoError(t, err)
-	require.Equal(t, cfg.debugFilePath, "/nvidia-container-toolkit.log")
-}
--- a/cmd/nvidia-container-runtime/modifier/experimental.go
+++ b/cmd/nvidia-container-runtime/modifier/experimental.go
@@ -0,0 +1,178 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package modifier
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover/csv"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/edits"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+)
+
+// experiemental represents the modifications required by the experimental runtime
+type experimental struct {
+	logger     *logrus.Logger
+	discoverer discover.Discover
+}
+
+const (
+	visibleDevicesEnvvar = "NVIDIA_VISIBLE_DEVICES"
+	visibleDevicesVoid   = "void"
+
+	nvidiaRequireJetpackEnvvar = "NVIDIA_REQUIRE_JETPACK"
+)
+
+// NewExperimentalModifier creates a modifier that applies the experimental
+// modications to an OCI spec if required by the runtime wrapper.
+func NewExperimentalModifier(logger *logrus.Logger, cfg *config.Config, ociSpec oci.Spec) (oci.SpecModifier, error) {
+	if err := ociSpec.Load(); err != nil {
+		return nil, fmt.Errorf("failed to load OCI spec: %v", err)
+	}
+
+	// In experimental mode, we check whether a modification is required at all and return the lowlevelRuntime directly
+	// if no modification is required.
+	visibleDevices, exists := ociSpec.LookupEnv(visibleDevicesEnvvar)
+	if !exists || visibleDevices == "" || visibleDevices == visibleDevicesVoid {
+		logger.Infof("No modification required: %v=%v (exists=%v)", visibleDevicesEnvvar, visibleDevices, exists)
+		return nil, nil
+	}
+	logger.Infof("Constructing modifier from config: %+v", cfg)
+
+	config := &discover.Config{
+		Root:                                    cfg.NVIDIAContainerCLIConfig.Root,
+		NVIDIAContainerToolkitCLIExecutablePath: cfg.NVIDIACTKConfig.Path,
+	}
+
+	var d discover.Discover
+
+	switch resolveAutoDiscoverMode(logger, cfg.NVIDIAContainerRuntimeConfig.DiscoverMode) {
+	case "legacy":
+		legacyDiscoverer, err := discover.NewLegacyDiscoverer(logger, config)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create legacy discoverer: %v", err)
+		}
+		d = legacyDiscoverer
+	case "csv":
+		csvFiles, err := csv.GetFileList(csv.DefaultMountSpecPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get list of CSV files: %v", err)
+		}
+
+		nvidiaRequireJetpack, _ := ociSpec.LookupEnv(nvidiaRequireJetpackEnvvar)
+		if nvidiaRequireJetpack != "csv-mounts=all" {
+			csvFiles = csv.BaseFilesOnly(csvFiles)
+		}
+
+		csvDiscoverer, err := discover.NewFromCSVFiles(logger, csvFiles, config.Root)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create CSV discoverer: %v", err)
+		}
+
+		ldcacheUpdateHook, err := discover.NewLDCacheUpdateHook(logger, csvDiscoverer, config)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create ldcach update hook discoverer: %v", err)
+		}
+
+		createSymlinksHook, err := discover.NewCreateSymlinksHook(logger, csvFiles, config)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create symlink hook discoverer: %v", err)
+		}
+
+		d = discover.NewList(csvDiscoverer, ldcacheUpdateHook, createSymlinksHook)
+	default:
+		return nil, fmt.Errorf("invalid discover mode: %v", cfg.NVIDIAContainerRuntimeConfig.DiscoverMode)
+	}
+
+	return newExperimentalModifierFromDiscoverer(logger, d)
+}
+
+// newExperimentalModifierFromDiscoverer created a modifier that aplies the discovered
+// modifications to an OCI spec if require by the runtime wrapper.
+func newExperimentalModifierFromDiscoverer(logger *logrus.Logger, d discover.Discover) (oci.SpecModifier, error) {
+	m := experimental{
+		logger:     logger,
+		discoverer: d,
+	}
+	return &m, nil
+}
+
+// Modify applies the required modifications to the incomming OCI spec. These modifications
+// are applied in-place.
+func (m experimental) Modify(spec *specs.Spec) error {
+	err := nvidiaContainerRuntimeHookRemover{m.logger}.Modify(spec)
+	if err != nil {
+		return fmt.Errorf("failed to remove existing hooks: %v", err)
+	}
+
+	specEdits, err := edits.NewSpecEdits(m.logger, m.discoverer)
+	if err != nil {
+		return fmt.Errorf("failed to get required container edits: %v", err)
+	}
+
+	return specEdits.Modify(spec)
+}
+
+// resolveAutoDiscoverMode determines the correct discover mode for the specified platform if set to "auto"
+func resolveAutoDiscoverMode(logger *logrus.Logger, mode string) (rmode string) {
+	if mode != "auto" {
+		return mode
+	}
+	defer func() {
+		logger.Infof("Auto-detected discover mode as '%v'", rmode)
+	}()
+
+	isTegra, reason := isTegraSystem()
+	logger.Debugf("Is Tegra-based system? %v: %v", isTegra, reason)
+
+	if isTegra {
+		return "csv"
+	}
+
+	return "legacy"
+}
+
+// isTegraSystem returns true if the system is detected as a Tegra-based system
+func isTegraSystem() (bool, string) {
+	const tegraReleaseFile = "/etc/nv_tegra_release"
+	const tegraFamilyFile = "/sys/devices/soc0/family"
+
+	if info, err := os.Stat(tegraReleaseFile); err == nil && !info.IsDir() {
+		return true, fmt.Sprintf("%v found", tegraReleaseFile)
+	}
+
+	if info, err := os.Stat(tegraFamilyFile); err != nil || !info.IsDir() {
+		return false, fmt.Sprintf("%v not found", tegraFamilyFile)
+	}
+
+	contents, err := os.ReadFile(tegraFamilyFile)
+	if err != nil {
+		return false, fmt.Sprintf("could not read %v", tegraFamilyFile)
+	}
+
+	if strings.HasPrefix(strings.ToLower(string(contents)), "tegra") {
+		return true, fmt.Sprintf("%v has 'tegra' prefix", tegraFamilyFile)
+	}
+
+	return false, fmt.Sprintf("%v has no 'tegra' prefix", tegraFamilyFile)
+}
--- a/cmd/nvidia-container-runtime/modifier/experimental_test.go
+++ b/cmd/nvidia-container-runtime/modifier/experimental_test.go
@@ -0,0 +1,349 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package modifier
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	testlog "github.com/sirupsen/logrus/hooks/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewExperimentalModifier(t *testing.T) {
+	logger, _ := testlog.NewNullLogger()
+
+	testCases := []struct {
+		description    string
+		cfg            *config.Config
+		spec           oci.Spec
+		visibleDevices string
+		expectedError  error
+		expectedNil    bool
+	}{
+		{
+			description: "spec load error returns error",
+			spec: &oci.SpecMock{
+				LoadFunc: func() error {
+					return fmt.Errorf("load failed")
+				},
+			},
+			expectedError: fmt.Errorf("load failed"),
+		},
+		{
+			description:    "visible devices not set returns nil",
+			visibleDevices: "NOT_SET",
+			expectedNil:    true,
+		},
+		{
+			description:    "visible devices empty returns nil",
+			visibleDevices: "",
+			expectedNil:    true,
+		},
+		{
+			description:    "visible devices 'void' returns nil",
+			visibleDevices: "void",
+			expectedNil:    true,
+		},
+		{
+			description: "empty config raises error",
+			cfg: &config.Config{
+				NVIDIAContainerRuntimeConfig: config.RuntimeConfig{},
+			},
+			visibleDevices: "all",
+			expectedError:  fmt.Errorf("invalid discover mode"),
+		},
+		{
+			description: "non-legacy discover mode raises error",
+			cfg: &config.Config{
+				NVIDIAContainerRuntimeConfig: config.RuntimeConfig{
+					DiscoverMode: "non-legacy",
+				},
+			},
+			visibleDevices: "all",
+			expectedError:  fmt.Errorf("invalid discover mode"),
+		},
+		{
+			description: "legacy discover mode returns modifier",
+			cfg: &config.Config{
+				NVIDIAContainerRuntimeConfig: config.RuntimeConfig{
+					DiscoverMode: "legacy",
+				},
+			},
+			visibleDevices: "all",
+		},
+		{
+			description: "csv discover mode returns modifier",
+			cfg: &config.Config{
+				NVIDIAContainerRuntimeConfig: config.RuntimeConfig{
+					DiscoverMode: "csv",
+				},
+			},
+			visibleDevices: "all",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			spec := tc.spec
+			if spec == nil {
+				spec = &oci.SpecMock{
+					LookupEnvFunc: func(s string) (string, bool) {
+						if tc.visibleDevices != "NOT_SET" && s == visibleDevicesEnvvar {
+							return tc.visibleDevices, true
+						}
+						return "", false
+					},
+				}
+			}
+
+			m, err := NewExperimentalModifier(logger, tc.cfg, spec)
+			if tc.expectedError != nil {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+
+			if tc.expectedNil || tc.expectedError != nil {
+				require.Nil(t, m)
+			} else {
+				require.NotNil(t, m)
+			}
+		})
+	}
+}
+
+func TestExperimentalModifier(t *testing.T) {
+	logger, _ := testlog.NewNullLogger()
+
+	testCases := []struct {
+		description   string
+		discover      *discover.DiscoverMock
+		spec          *specs.Spec
+		expectedError error
+		expectedSpec  *specs.Spec
+	}{
+		{
+			description: "empty discoverer does not modify spec",
+			discover:    &discover.DiscoverMock{},
+		},
+		{
+			description: "failed hooks discoverer returns error",
+			discover: &discover.DiscoverMock{
+				HooksFunc: func() ([]discover.Hook, error) {
+					return nil, fmt.Errorf("discover.Hooks error")
+				},
+			},
+			expectedError: fmt.Errorf("discover.Hooks error"),
+		},
+		{
+			description: "discovered hooks are injected into spec",
+			spec:        &specs.Spec{},
+			discover: &discover.DiscoverMock{
+				HooksFunc: func() ([]discover.Hook, error) {
+					hooks := []discover.Hook{
+						{
+							Lifecycle: "prestart",
+							Path:      "/hook/a",
+							Args:      []string{"/hook/a", "arga"},
+						},
+						{
+							Lifecycle: "createContainer",
+							Path:      "/hook/b",
+							Args:      []string{"/hook/b", "argb"},
+						},
+					}
+					return hooks, nil
+				},
+			},
+			expectedSpec: &specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "/hook/a",
+							Args: []string{"/hook/a", "arga"},
+						},
+					},
+					CreateContainer: []specs.Hook{
+						{
+							Path: "/hook/b",
+							Args: []string{"/hook/b", "argb"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "existing hooks are maintained",
+			spec: &specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "/hook/a",
+							Args: []string{"/hook/a", "arga"},
+						},
+					},
+				},
+			},
+			discover: &discover.DiscoverMock{
+				HooksFunc: func() ([]discover.Hook, error) {
+					hooks := []discover.Hook{
+						{
+							Lifecycle: "prestart",
+							Path:      "/hook/b",
+							Args:      []string{"/hook/b", "argb"},
+						},
+					}
+					return hooks, nil
+				},
+			},
+			expectedSpec: &specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "/hook/a",
+							Args: []string{"/hook/a", "arga"},
+						},
+						{
+							Path: "/hook/b",
+							Args: []string{"/hook/b", "argb"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "modification removes existing nvidia-container-runtime-hook",
+			spec: &specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "/path/to/nvidia-container-runtime-hook",
+							Args: []string{"/path/to/nvidia-container-runtime-hook", "prestart"},
+						},
+					},
+				},
+			},
+			discover: &discover.DiscoverMock{
+				HooksFunc: func() ([]discover.Hook, error) {
+					hooks := []discover.Hook{
+						{
+							Lifecycle: "prestart",
+							Path:      "/hook/b",
+							Args:      []string{"/hook/b", "argb"},
+						},
+					}
+					return hooks, nil
+				},
+			},
+			expectedSpec: &specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "/hook/b",
+							Args: []string{"/hook/b", "argb"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "modification removes existing nvidia-container-toolkit",
+			spec: &specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "/path/to/nvidia-container-toolkit",
+							Args: []string{"/path/to/nvidia-container-toolkit", "prestart"},
+						},
+					},
+				},
+			},
+			discover: &discover.DiscoverMock{
+				HooksFunc: func() ([]discover.Hook, error) {
+					hooks := []discover.Hook{
+						{
+							Lifecycle: "prestart",
+							Path:      "/hook/b",
+							Args:      []string{"/hook/b", "argb"},
+						},
+					}
+					return hooks, nil
+				},
+			},
+			expectedSpec: &specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "/hook/b",
+							Args: []string{"/hook/b", "argb"},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			m, err := newExperimentalModifierFromDiscoverer(logger, tc.discover)
+			require.NoError(t, err)
+
+			err = m.Modify(tc.spec)
+			if tc.expectedError != nil {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+
+			require.EqualValues(t, tc.expectedSpec, tc.spec)
+		})
+	}
+}
+
+func TestResolveDiscoverMode(t *testing.T) {
+	logger, _ := testlog.NewNullLogger()
+
+	testCases := []struct {
+		description  string
+		mode         string
+		expectedMode string
+	}{
+		{
+			description:  "non-auto resolves to input",
+			mode:         "not-auto",
+			expectedMode: "not-auto",
+		},
+		// TODO: The following test is brittle in that it will break on Tegra-based systems.
+		// {
+		// 	description:  "auto resolves to legacy",
+		// 	mode:         "auto",
+		// 	expectedMode: "legacy",
+		// },
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			mode := resolveAutoDiscoverMode(logger, tc.mode)
+			require.EqualValues(t, tc.expectedMode, mode)
+		})
+	}
+}
--- a/cmd/nvidia-container-runtime/modifier/hook_remover.go
+++ b/cmd/nvidia-container-runtime/modifier/hook_remover.go
@@ -0,0 +1,79 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package modifier
+
+import (
+	"path/filepath"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+)
+
+// nvidiaContainerRuntimeHookRemover is a spec modifer that detects and removes inserted nvidia-container-runtime hooks
+type nvidiaContainerRuntimeHookRemover struct {
+	logger *logrus.Logger
+}
+
+var _ oci.SpecModifier = (*nvidiaContainerRuntimeHookRemover)(nil)
+
+// Modify removes any NVIDIA Container Runtime hooks from the provided spec
+func (m nvidiaContainerRuntimeHookRemover) Modify(spec *specs.Spec) error {
+	if spec == nil {
+		return nil
+	}
+
+	if spec.Hooks == nil {
+		return nil
+	}
+
+	if len(spec.Hooks.Prestart) == 0 {
+		return nil
+	}
+
+	var newPrestart []specs.Hook
+
+	for _, hook := range spec.Hooks.Prestart {
+		if isNVIDIAContainerRuntimeHook(&hook) {
+			m.logger.Debugf("Removing hook %v", hook)
+			continue
+		}
+		newPrestart = append(newPrestart, hook)
+	}
+
+	if len(newPrestart) != len(spec.Hooks.Prestart) {
+		m.logger.Debugf("Updating 'prestart' hooks to %v", newPrestart)
+		spec.Hooks.Prestart = newPrestart
+	}
+
+	return nil
+}
+
+// isNVIDIAContainerRuntimeHook checks if the provided hook is an nvidia-container-runtime-hook
+// or nvidia-container-toolkit hook. These are included, for example, by the non-experimental
+// nvidia-container-runtime or docker when specifying the --gpus flag.
+func isNVIDIAContainerRuntimeHook(hook *specs.Hook) bool {
+	bins := map[string]struct{}{
+		config.NVIDIAContainerRuntimeHookExecutable: {},
+		config.NVIDIAContainerToolkitExecutable:     {},
+	}
+
+	_, exists := bins[filepath.Base(hook.Path)]
+
+	return exists
+}
--- a/cmd/nvidia-container-runtime/modifier/stable.go
+++ b/cmd/nvidia-container-runtime/modifier/stable.go
@@ -0,0 +1,77 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package modifier
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+)
+
+// NewStableRuntimeModifier creates an OCI spec modifier that inserts the NVIDIA Container Runtime Hook into an OCI
+// spec. The specified logger is used to capture log output.
+func NewStableRuntimeModifier(logger *logrus.Logger) oci.SpecModifier {
+	m := stableRuntimeModifier{logger: logger}
+
+	return &m
+}
+
+// stableRuntimeModifier modifies an OCI spec inplace, inserting the nvidia-container-runtime-hook as a
+// prestart hook. If the hook is already present, no modification is made.
+type stableRuntimeModifier struct {
+	logger *logrus.Logger
+}
+
+// Modify applies the required modification to the incoming OCI spec, inserting the nvidia-container-runtime-hook
+// as a prestart hook.
+func (m stableRuntimeModifier) Modify(spec *specs.Spec) error {
+	path, err := exec.LookPath(config.NVIDIAContainerRuntimeHookExecutable)
+	if err != nil {
+		path = filepath.Join(config.DefaultExecutableDir, config.NVIDIAContainerRuntimeHookExecutable)
+		_, err = os.Stat(path)
+		if err != nil {
+			return err
+		}
+	}
+
+	m.logger.Infof("Using prestart hook path: %s", path)
+
+	args := []string{path}
+	if spec.Hooks == nil {
+		spec.Hooks = &specs.Hooks{}
+	} else if len(spec.Hooks.Prestart) != 0 {
+		for _, hook := range spec.Hooks.Prestart {
+			if strings.Contains(hook.Path, config.NVIDIAContainerRuntimeHookExecutable) {
+				m.logger.Infof("existing nvidia prestart hook found in OCI spec")
+				return nil
+			}
+		}
+	}
+
+	spec.Hooks.Prestart = append(spec.Hooks.Prestart, specs.Hook{
+		Path: path,
+		Args: append(args, "prestart"),
+	})
+
+	return nil
+}
--- a/cmd/nvidia-container-runtime/modifier/stable_test.go
+++ b/cmd/nvidia-container-runtime/modifier/stable_test.go
@@ -0,0 +1,170 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package modifier
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/test"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+	testlog "github.com/sirupsen/logrus/hooks/test"
+	"github.com/stretchr/testify/require"
+)
+
+type testConfig struct {
+	root    string
+	binPath string
+}
+
+var cfg *testConfig
+
+func TestMain(m *testing.M) {
+	// TEST SETUP
+	// Determine the module root and the test binary path
+	var err error
+	moduleRoot, err := test.GetModuleRoot()
+	if err != nil {
+		logrus.Fatalf("error in test setup: could not get module root: %v", err)
+	}
+	testBinPath := filepath.Join(moduleRoot, "test", "bin")
+
+	// Set the environment variables for the test
+	os.Setenv("PATH", test.PrependToPath(testBinPath, moduleRoot))
+
+	// Store the root and binary paths in the test Config
+	cfg = &testConfig{
+		root:    moduleRoot,
+		binPath: testBinPath,
+	}
+
+	// RUN TESTS
+	exitCode := m.Run()
+
+	os.Exit(exitCode)
+}
+
+func TestAddHookModifier(t *testing.T) {
+	logger, logHook := testlog.NewNullLogger()
+
+	testHookPath := filepath.Join(cfg.binPath, "nvidia-container-runtime-hook")
+
+	testCases := []struct {
+		description   string
+		spec          specs.Spec
+		expectedError error
+		expectedSpec  specs.Spec
+	}{
+		{
+			description: "empty spec adds hook",
+			spec:        specs.Spec{},
+			expectedSpec: specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: testHookPath,
+							Args: []string{testHookPath, "prestart"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "spec with empty hooks adds hook",
+			spec: specs.Spec{
+				Hooks: &specs.Hooks{},
+			},
+			expectedSpec: specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: testHookPath,
+							Args: []string{testHookPath, "prestart"},
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "hook is not replaced",
+			spec: specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "nvidia-container-runtime-hook",
+						},
+					},
+				},
+			},
+			expectedSpec: specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "nvidia-container-runtime-hook",
+						},
+					},
+				},
+			},
+		},
+		{
+			description: "other hooks are not replaced",
+			spec: specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "some-hook",
+						},
+					},
+				},
+			},
+			expectedSpec: specs.Spec{
+				Hooks: &specs.Hooks{
+					Prestart: []specs.Hook{
+						{
+							Path: "some-hook",
+						},
+						{
+							Path: testHookPath,
+							Args: []string{testHookPath, "prestart"},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		logHook.Reset()
+
+		t.Run(tc.description, func(t *testing.T) {
+
+			m := NewStableRuntimeModifier(logger)
+
+			err := m.Modify(&tc.spec)
+			if tc.expectedError != nil {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+
+			require.EqualValues(t, tc.expectedSpec, tc.spec)
+		})
+	}
+
+}
--- a/cmd/nvidia-container-runtime/nvcr.go
+++ b/cmd/nvidia-container-runtime/nvcr.go
@@ -1,132 +0,0 @@
-/*
-# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/
-
-package main
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-	"strings"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
-	"github.com/opencontainers/runtime-spec/specs-go"
-	log "github.com/sirupsen/logrus"
-)
-
-// nvidiaContainerRuntime encapsulates the NVIDIA Container Runtime. It wraps the specified runtime, conditionally
-// modifying the specified OCI specification before invoking the runtime.
-type nvidiaContainerRuntime struct {
-	logger  *log.Logger
-	runtime oci.Runtime
-	ociSpec oci.Spec
-}
-
-var _ oci.Runtime = (*nvidiaContainerRuntime)(nil)
-
-// newNvidiaContainerRuntime is a constructor for a standard runtime shim.
-func newNvidiaContainerRuntimeWithLogger(logger *log.Logger, runtime oci.Runtime, ociSpec oci.Spec) (oci.Runtime, error) {
-	r := nvidiaContainerRuntime{
-		logger:  logger,
-		runtime: runtime,
-		ociSpec: ociSpec,
-	}
-
-	return &r, nil
-}
-
-// Exec defines the entrypoint for the NVIDIA Container Runtime. A check is performed to see whether modifications
-// to the OCI spec are required -- and applicable modifcations applied. The supplied arguments are then
-// forwarded to the underlying runtime's Exec method.
-func (r nvidiaContainerRuntime) Exec(args []string) error {
-	if r.modificationRequired(args) {
-		err := r.modifyOCISpec()
-		if err != nil {
-			return fmt.Errorf("error modifying OCI spec: %v", err)
-		}
-	}
-
-	r.logger.Println("Forwarding command to runtime")
-	return r.runtime.Exec(args)
-}
-
-// modificationRequired checks the intput arguments to determine whether a modification
-// to the OCI spec is required.
-func (r nvidiaContainerRuntime) modificationRequired(args []string) bool {
-	if oci.HasCreateSubcommand(args) {
-		r.logger.Infof("'create' command detected; modification required")
-		return true
-	}
-
-	r.logger.Infof("No modification required")
-	return false
-}
-
-// modifyOCISpec loads and modifies the OCI spec specified in the nvidiaContainerRuntime
-// struct. The spec is modified in-place and written to the same file as the input after
-// modifcationas are applied.
-func (r nvidiaContainerRuntime) modifyOCISpec() error {
-	err := r.ociSpec.Load()
-	if err != nil {
-		return fmt.Errorf("error loading OCI specification for modification: %v", err)
-	}
-
-	err = r.ociSpec.Modify(r.addNVIDIAHook)
-	if err != nil {
-		return fmt.Errorf("error injecting NVIDIA Container Runtime hook: %v", err)
-	}
-
-	err = r.ociSpec.Flush()
-	if err != nil {
-		return fmt.Errorf("error writing modified OCI specification: %v", err)
-	}
-	return nil
-}
-
-// addNVIDIAHook modifies the specified OCI specification in-place, inserting a
-// prestart hook.
-func (r nvidiaContainerRuntime) addNVIDIAHook(spec *specs.Spec) error {
-	path, err := exec.LookPath("nvidia-container-runtime-hook")
-	if err != nil {
-		path = hookDefaultFilePath
-		_, err = os.Stat(path)
-		if err != nil {
-			return err
-		}
-	}
-
-	r.logger.Printf("prestart hook path: %s\n", path)
-
-	args := []string{path}
-	if spec.Hooks == nil {
-		spec.Hooks = &specs.Hooks{}
-	} else if len(spec.Hooks.Prestart) != 0 {
-		for _, hook := range spec.Hooks.Prestart {
-			if !strings.Contains(hook.Path, "nvidia-container-runtime-hook") {
-				continue
-			}
-			r.logger.Println("existing nvidia prestart hook in OCI spec file")
-			return nil
-		}
-	}
-
-	spec.Hooks.Prestart = append(spec.Hooks.Prestart, specs.Hook{
-		Path: path,
-		Args: append(args, "prestart"),
-	})
-
-	return nil
-}
--- a/cmd/nvidia-container-runtime/nvcr_test.go
+++ b/cmd/nvidia-container-runtime/nvcr_test.go
@@ -1,203 +0,0 @@
-/*
-# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/
-
-package main
-
-import (
-	"fmt"
-	"strings"
-	"testing"
-
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
-	"github.com/opencontainers/runtime-spec/specs-go"
-	testlog "github.com/sirupsen/logrus/hooks/test"
-	"github.com/stretchr/testify/require"
-)
-
-func TestAddNvidiaHook(t *testing.T) {
-	logger, logHook := testlog.NewNullLogger()
-	shim := nvidiaContainerRuntime{
-		logger: logger,
-	}
-
-	testCases := []struct {
-		spec         *specs.Spec
-		errorPrefix  string
-		shouldNotAdd bool
-	}{
-		{
-			spec: &specs.Spec{},
-		},
-		{
-			spec: &specs.Spec{
-				Hooks: &specs.Hooks{},
-			},
-		},
-		{
-			spec: &specs.Spec{
-				Hooks: &specs.Hooks{
-					Prestart: []specs.Hook{{
-						Path: "some-hook",
-					}},
-				},
-			},
-		},
-		{
-			spec: &specs.Spec{
-				Hooks: &specs.Hooks{
-					Prestart: []specs.Hook{{
-						Path: "nvidia-container-runtime-hook",
-					}},
-				},
-			},
-			shouldNotAdd: true,
-		},
-	}
-
-	for i, tc := range testCases {
-		logHook.Reset()
-
-		var numPrestartHooks int
-		if tc.spec.Hooks != nil {
-			numPrestartHooks = len(tc.spec.Hooks.Prestart)
-		}
-
-		err := shim.addNVIDIAHook(tc.spec)
-
-		if tc.errorPrefix == "" {
-			require.NoErrorf(t, err, "%d: %v", i, tc)
-		} else {
-			require.Truef(t, strings.HasPrefix(err.Error(), tc.errorPrefix), "%d: %v", i, tc)
-
-			require.NotNilf(t, tc.spec.Hooks, "%d: %v", i, tc)
-			require.Equalf(t, 1, nvidiaHookCount(tc.spec.Hooks), "%d: %v", i, tc)
-
-			if tc.shouldNotAdd {
-				require.Equal(t, numPrestartHooks+1, len(tc.spec.Hooks.Poststart), "%d: %v", i, tc)
-			} else {
-				require.Equal(t, numPrestartHooks+1, len(tc.spec.Hooks.Poststart), "%d: %v", i, tc)
-
-				nvidiaHook := tc.spec.Hooks.Poststart[len(tc.spec.Hooks.Poststart)-1]
-
-				// TODO: This assumes that the hook has been set up in the makefile
-				expectedPath := "/usr/bin/nvidia-container-runtime-hook"
-				require.Equalf(t, expectedPath, nvidiaHook.Path, "%d: %v", i, tc)
-				require.Equalf(t, []string{expectedPath, "prestart"}, nvidiaHook.Args, "%d: %v", i, tc)
-				require.Emptyf(t, nvidiaHook.Env, "%d: %v", i, tc)
-				require.Nilf(t, nvidiaHook.Timeout, "%d: %v", i, tc)
-			}
-		}
-	}
-}
-
-func TestNvidiaContainerRuntime(t *testing.T) {
-	logger, hook := testlog.NewNullLogger()
-
-	testCases := []struct {
-		shim         nvidiaContainerRuntime
-		shouldModify bool
-		args         []string
-		modifyError  error
-		writeError   error
-	}{
-		{
-			shim:         nvidiaContainerRuntime{},
-			shouldModify: false,
-		},
-		{
-			shim:         nvidiaContainerRuntime{},
-			args:         []string{"create"},
-			shouldModify: true,
-		},
-		{
-			shim:         nvidiaContainerRuntime{},
-			args:         []string{"--bundle=create"},
-			shouldModify: false,
-		},
-		{
-			shim:         nvidiaContainerRuntime{},
-			args:         []string{"--bundle", "create"},
-			shouldModify: false,
-		},
-		{
-			shim:         nvidiaContainerRuntime{},
-			args:         []string{"create"},
-			shouldModify: true,
-		},
-		{
-			shim:         nvidiaContainerRuntime{},
-			args:         []string{"create"},
-			modifyError:  fmt.Errorf("error modifying"),
-			shouldModify: true,
-		},
-		{
-			shim:         nvidiaContainerRuntime{},
-			args:         []string{"create"},
-			writeError:   fmt.Errorf("error writing"),
-			shouldModify: true,
-		},
-	}
-
-	for i, tc := range testCases {
-		tc.shim.logger = logger
-		hook.Reset()
-
-		ociMock := &oci.SpecMock{
-			ModifyFunc: func(specModifier oci.SpecModifier) error {
-				return tc.modifyError
-			},
-			FlushFunc: func() error {
-				return tc.writeError
-			},
-		}
-		require.Equal(t, tc.shouldModify, tc.shim.modificationRequired(tc.args), "%d: %v", i, tc)
-
-		tc.shim.ociSpec = ociMock
-		tc.shim.runtime = &MockShim{}
-
-		err := tc.shim.Exec(tc.args)
-		if tc.modifyError != nil || tc.writeError != nil {
-			require.Error(t, err, "%d: %v", i, tc)
-		} else {
-			require.NoError(t, err, "%d: %v", i, tc)
-		}
-
-		if tc.shouldModify {
-			require.Equal(t, 1, len(ociMock.ModifyCalls()), "%d: %v", i, tc)
-		} else {
-			require.Equal(t, 0, len(ociMock.ModifyCalls()), "%d: %v", i, tc)
-		}
-
-		writeExpected := tc.shouldModify && tc.modifyError == nil
-		if writeExpected {
-			require.Equal(t, 1, len(ociMock.FlushCalls()), "%d: %v", i, tc)
-		} else {
-			require.Equal(t, 0, len(ociMock.FlushCalls()), "%d: %v", i, tc)
-		}
-	}
-}
-
-type MockShim struct {
-	called      bool
-	args        []string
-	returnError error
-}
-
-func (m *MockShim) Exec(args []string) error {
-	m.called = true
-	m.args = args
-	return m.returnError
-}
--- a/cmd/nvidia-container-runtime/runtime_factory.go
+++ b/cmd/nvidia-container-runtime/runtime_factory.go
@@ -1,5 +1,5 @@
 /*
-# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+# Copyright (c) 2021-2022, NVIDIA CORPORATION.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,56 +19,52 @@ package main
 import (
 	"fmt"

+	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-container-runtime/modifier"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/runtime"
+	"github.com/sirupsen/logrus"
 )

 const (
-	ociSpecFileName          = "config.json"
 	dockerRuncExecutableName = "docker-runc"
 	runcExecutableName       = "runc"
 )

-// newRuntime is a factory method that constructs a runtime based on the selected configuration.
-func newRuntime(argv []string) (oci.Runtime, error) {
-	ociSpec, err := newOCISpec(argv)
+// newNVIDIAContainerRuntime is a factory method that constructs a runtime based on the selected configuration and specified logger
+func newNVIDIAContainerRuntime(logger *logrus.Logger, cfg *config.Config, argv []string) (oci.Runtime, error) {
+	ociSpec, err := oci.NewSpec(logger, argv)
 	if err != nil {
 		return nil, fmt.Errorf("error constructing OCI specification: %v", err)
 	}

-	runc, err := newRuncRuntime()
+	lowLevelRuntimeCandidates := []string{dockerRuncExecutableName, runcExecutableName}
+	lowLevelRuntime, err := oci.NewLowLevelRuntime(logger, lowLevelRuntimeCandidates)
 	if err != nil {
-		return nil, fmt.Errorf("error constructing runc runtime: %v", err)
+		return nil, fmt.Errorf("error constructing low-level runtime: %v", err)
 	}

-	r, err := newNvidiaContainerRuntimeWithLogger(logger.Logger, runc, ociSpec)
+	specModifier, err := newSpecModifier(logger, cfg, ociSpec)
 	if err != nil {
-		return nil, fmt.Errorf("error constructing NVIDIA Container Runtime: %v", err)
+		return nil, fmt.Errorf("failed to construct OCI spec modifier: %v", err)
 	}

+	// Create the wrapping runtime with the specified modifier
+	r := runtime.NewModifyingRuntimeWrapper(
+		logger,
+		lowLevelRuntime,
+		ociSpec,
+		specModifier,
+	)
+
 	return r, nil
 }

-// newOCISpec constructs an OCI spec for the provided arguments
-func newOCISpec(argv []string) (oci.Spec, error) {
-	bundleDir, err := oci.GetBundleDir(argv)
-	if err != nil {
-		return nil, fmt.Errorf("error parsing command line arguments: %v", err)
+// newSpecModifier is a factory method that creates constructs an OCI spec modifer based on the provided config.
+func newSpecModifier(logger *logrus.Logger, cfg *config.Config, ociSpec oci.Spec) (oci.SpecModifier, error) {
+	if !cfg.NVIDIAContainerRuntimeConfig.Experimental {
+		return modifier.NewStableRuntimeModifier(logger), nil
 	}
-	logger.Infof("Using bundle directory: %v", bundleDir)

-	ociSpecPath := oci.GetSpecFilePath(bundleDir)
-	logger.Infof("Using OCI specification file path: %v", ociSpecPath)
-
-	ociSpec := oci.NewSpecFromFile(ociSpecPath)
-
-	return ociSpec, nil
-}
-
-// newRuncRuntime locates the runc binary and wraps it in a SyscallExecRuntime
-func newRuncRuntime() (oci.Runtime, error) {
-	return oci.NewLowLevelRuntimeWithLogger(
-		logger.Logger,
-		dockerRuncExecutableName,
-		runcExecutableName,
-	)
+	return modifier.NewExperimentalModifier(logger, cfg, ociSpec)
 }
--- a/cmd/nvidia-container-runtime/runtime_factory_test.go
+++ b/cmd/nvidia-container-runtime/runtime_factory_test.go
@@ -17,14 +17,66 @@
 package main

 import (
+	"encoding/json"
+	"os"
+	"path/filepath"
 	"testing"

+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	testlog "github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/require"
 )

-func TestConstructor(t *testing.T) {
-	shim, err := newRuntime([]string{})
+func TestFactoryMethod(t *testing.T) {
+	logger, _ := testlog.NewNullLogger()

-	require.NoError(t, err)
-	require.NotNil(t, shim)
+	testCases := []struct {
+		description   string
+		cfg           *config.Config
+		spec          *specs.Spec
+		expectedError bool
+	}{
+		{
+			description: "empty config no error",
+			cfg: &config.Config{
+				NVIDIAContainerRuntimeConfig: config.RuntimeConfig{},
+			},
+		},
+		{
+			description: "experimental flag supported",
+			cfg: &config.Config{
+				NVIDIAContainerRuntimeConfig: config.RuntimeConfig{
+					Experimental: true,
+					DiscoverMode: "legacy",
+				},
+			},
+			spec: &specs.Spec{
+				Process: &specs.Process{
+					Env: []string{
+						"NVIDIA_VISIBLE_DEVICES=all",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			bundleDir := t.TempDir()
+
+			specFile, err := os.Create(filepath.Join(bundleDir, "config.json"))
+			require.NoError(t, err)
+			require.NoError(t, json.NewEncoder(specFile).Encode(tc.spec))
+
+			argv := []string{"--bundle", bundleDir}
+
+			_, err = newNVIDIAContainerRuntime(logger, tc.cfg, argv)
+			if tc.expectedError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
 }
--- a/cmd/nvidia-container-toolkit/hook_config.go
+++ b/cmd/nvidia-container-toolkit/hook_config.go
@@ -7,6 +7,7 @@ import (
 	"reflect"

 	"github.com/BurntSushi/toml"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 )

 const (
@@ -41,10 +42,11 @@ type HookConfig struct {
 	AcceptDeviceListAsVolumeMounts bool               `toml:"accept-nvidia-visible-devices-as-volume-mounts"`
 	SupportedDriverCapabilities    DriverCapabilities `toml:"supported-driver-capabilities"`

-	NvidiaContainerCLI CLIConfig `toml:"nvidia-container-cli"`
+	NvidiaContainerCLI     CLIConfig            `toml:"nvidia-container-cli"`
+	NVIDIAContainerRuntime config.RuntimeConfig `toml:"nvidia-container-runtime"`
 }

-func getDefaultHookConfig() (config HookConfig) {
+func getDefaultHookConfig() HookConfig {
 	return HookConfig{
 		DisableRequire:                 false,
 		SwarmResource:                  nil,
@@ -63,6 +65,7 @@ func getDefaultHookConfig() (config HookConfig) {
 			User:        nil,
 			Ldconfig:    nil,
 		},
+		NVIDIAContainerRuntime: *config.GetDefaultRuntimeConfig(),
 	}
 }

--- a/cmd/nvidia-container-toolkit/main.go
+++ b/cmd/nvidia-container-toolkit/main.go
@@ -17,6 +17,7 @@ import (

 var (
 	debugflag  = flag.Bool("debug", false, "enable debug output")
+	forceflag  = flag.Bool("force", false, "force execution of prestart hook in experimental mode")
 	configflag = flag.String("config", "", "configuration file")

 	defaultPATH = []string{"/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"}
@@ -85,6 +86,10 @@ func doPrestart() {
 	hook := getHookConfig()
 	cli := hook.NvidiaContainerCLI

+	if hook.NVIDIAContainerRuntime.Experimental && !*forceflag {
+		log.Panicln("invoking the NVIDIA Container Runtime Hook directly (e.g. specifying the docker --gpus flag) is not supported. Please use the NVIDIA Container Runtime instead.")
+	}
+
 	container := getContainerConfig(hook)
 	nvidia := container.Nvidia
 	if nvidia == nil {
--- a/cmd/nvidia-ctk/README.md
+++ b/cmd/nvidia-ctk/README.md
@@ -0,0 +1,3 @@
+# NVIDIA Container Toolkit CLI
+
+The NVIDIA Container Toolkit CLI `nvidia-ctk` provides a number of utilities that are useful for working with the NVIDIA Container Toolkit.
--- a/cmd/nvidia-ctk/hook/create-symlinks/create-symlinks.go
+++ b/cmd/nvidia-ctk/hook/create-symlinks/create-symlinks.go
@@ -0,0 +1,209 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package symlinks
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover/csv"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli/v2"
+)
+
+type command struct {
+	logger *logrus.Logger
+}
+
+type config struct {
+	hostRoot      string
+	filenames     cli.StringSlice
+	containerSpec string
+}
+
+// NewCommand constructs a hook command with the specified logger
+func NewCommand(logger *logrus.Logger) *cli.Command {
+	c := command{
+		logger: logger,
+	}
+	return c.build()
+}
+
+// build
+func (m command) build() *cli.Command {
+	cfg := config{}
+
+	// Create the '' command
+	c := cli.Command{
+		Name:  "create-symlinks",
+		Usage: "A hook to create symlinks in the container. This can be used to proces CSV mount specs",
+		Action: func(c *cli.Context) error {
+			return m.run(c, &cfg)
+		},
+	}
+
+	c.Flags = []cli.Flag{
+		&cli.StringFlag{
+			Name:        "host-root",
+			Usage:       "The root on the host filesystem to use to resolve symlinks",
+			Destination: &cfg.hostRoot,
+		},
+		&cli.StringSliceFlag{
+			Name:        "csv-filenames",
+			Aliases:     []string{"f"},
+			Usage:       "Specify the (CSV) filenames to process",
+			Destination: &cfg.filenames,
+		},
+		&cli.StringFlag{
+			Name:        "container-spec",
+			Usage:       "Specify the path to the OCI container spec. If empty or '-' the spec will be read from STDIN",
+			Destination: &cfg.containerSpec,
+		},
+	}
+
+	return &c
+}
+
+func (m command) run(c *cli.Context, cfg *config) error {
+	s, err := oci.LoadContainerState(cfg.containerSpec)
+	if err != nil {
+		return fmt.Errorf("failed to load container state: %v", err)
+	}
+
+	spec, err := s.LoadSpec()
+	if err != nil {
+		return fmt.Errorf("failed to load OCI spec: %v", err)
+	}
+
+	var containerRoot string
+	if spec.Root != nil {
+		containerRoot = spec.Root.Path
+	}
+
+	csvFiles := cfg.filenames.Value()
+
+	chainLocator := lookup.NewSymlinkChainLocator(m.logger, cfg.hostRoot)
+
+	var candidates []string
+	for _, file := range csvFiles {
+		mountSpecs, err := csv.NewCSVFileParser(m.logger, file).Parse()
+		if err != nil {
+			m.logger.Debugf("Skipping CSV file %v: %v", file, err)
+			continue
+		}
+
+		for _, ms := range mountSpecs {
+			if ms.Type != csv.MountSpecSym {
+				continue
+			}
+			targets, err := chainLocator.Locate(ms.Path)
+			if err != nil {
+				m.logger.Warnf("Failed to locate symlink %v", ms.Path)
+			}
+			candidates = append(candidates, targets...)
+		}
+	}
+
+	created := make(map[string]bool)
+	// candidates is a list of absolute paths to symlinks in a chain, or the final target of the chain.
+	for _, candidate := range candidates {
+		targets, err := m.Locate(candidate)
+		if err != nil {
+			m.logger.Debugf("Skipping invalid link: %v", err)
+			continue
+		} else if len(targets) != 1 {
+			m.logger.Debugf("Unexepected number of targets: %v", targets)
+			continue
+		} else if targets[0] == candidate {
+			m.logger.Debugf("%v is not a symlink", candidate)
+			continue
+		}
+		target, err := changeRoot(cfg.hostRoot, "/", targets[0])
+		if err != nil {
+			m.logger.Warnf("Failed to resolve path for target %v relative to %v: %v", target, cfg.hostRoot, err)
+			continue
+		}
+
+		linkPath, err := changeRoot(cfg.hostRoot, containerRoot, candidate)
+		if err != nil {
+			m.logger.Warnf("Failed to resolve path for link %v relative to %v: %v", candidate, cfg.hostRoot, err)
+			continue
+		}
+
+		if created[linkPath] {
+			m.logger.Debugf("Link %v already created", linkPath)
+			continue
+		}
+		m.logger.Infof("Symlinking %v to %v", linkPath, target)
+		err = os.MkdirAll(filepath.Dir(linkPath), 0755)
+		if err != nil {
+			m.logger.Warnf("Faild to create directory: %v", err)
+			continue
+		}
+		err = os.Symlink(target, linkPath)
+		if err != nil {
+			m.logger.Warnf("Failed to create symlink: %v", err)
+			continue
+		}
+		created[linkPath] = true
+	}
+
+	return nil
+
+}
+
+func changeRoot(current string, new string, path string) (string, error) {
+	if !filepath.IsAbs(path) {
+		return path, nil
+	}
+
+	relative := path
+	if current != "" {
+		r, err := filepath.Rel(current, path)
+		if err != nil {
+			return "", err
+		}
+		relative = r
+	}
+
+	return filepath.Join(new, relative), nil
+}
+
+// Locate returns the link target of the specified filename or an empty slice if the
+// specified filename is not a symlink.
+func (m command) Locate(filename string) ([]string, error) {
+	info, err := os.Lstat(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get file info: %v", info)
+	}
+	if info.Mode()&os.ModeSymlink == 0 {
+		m.logger.Debugf("%v is not a symlink", filename)
+		return nil, nil
+	}
+
+	target, err := os.Readlink(filename)
+	if err != nil {
+		return nil, fmt.Errorf("error checking symlink: %v", err)
+	}
+
+	m.logger.Debugf("Resolved link: '%v' => '%v'", filename, target)
+
+	return []string{target}, nil
+}
--- a/cmd/nvidia-ctk/hook/hook.go
+++ b/cmd/nvidia-ctk/hook/hook.go
@@ -0,0 +1,52 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package hook
+
+import (
+	symlinks "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-ctk/hook/create-symlinks"
+	ldcache "github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-ctk/hook/update-ldcache"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli/v2"
+)
+
+type hookCommand struct {
+	logger *logrus.Logger
+}
+
+// NewCommand constructs a hook command with the specified logger
+func NewCommand(logger *logrus.Logger) *cli.Command {
+	c := hookCommand{
+		logger: logger,
+	}
+	return c.build()
+}
+
+// build
+func (m hookCommand) build() *cli.Command {
+	// Create the 'hook' command
+	hook := cli.Command{
+		Name:  "hook",
+		Usage: "A collection of hooks that may be injected into an OCI spec",
+	}
+
+	hook.Subcommands = []*cli.Command{
+		ldcache.NewCommand(m.logger),
+		symlinks.NewCommand(m.logger),
+	}
+
+	return &hook
+}
--- a/cmd/nvidia-ctk/hook/update-ldcache/update-ldcache.go
+++ b/cmd/nvidia-ctk/hook/update-ldcache/update-ldcache.go
@@ -0,0 +1,134 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package ldcache
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"syscall"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli/v2"
+)
+
+type command struct {
+	logger *logrus.Logger
+}
+
+type config struct {
+	folders       cli.StringSlice
+	containerSpec string
+}
+
+// NewCommand constructs an update-ldcache command with the specified logger
+func NewCommand(logger *logrus.Logger) *cli.Command {
+	c := command{
+		logger: logger,
+	}
+	return c.build()
+}
+
+// build the update-ldcache command
+func (m command) build() *cli.Command {
+	cfg := config{}
+
+	// Create the 'update-ldcache' command
+	c := cli.Command{
+		Name:  "update-ldcache",
+		Usage: "Update ldcache in a container by running ldconfig",
+		Action: func(c *cli.Context) error {
+			return m.run(c, &cfg)
+		},
+	}
+
+	c.Flags = []cli.Flag{
+		&cli.StringSliceFlag{
+			Name:        "folders",
+			Usage:       "Specifiy the additional folders to add to /etc/ld.so.conf before updating the ld cache",
+			Destination: &cfg.folders,
+		},
+		&cli.StringFlag{
+			Name:        "container-spec",
+			Usage:       "Specify the path to the OCI container spec. If empty or '-' the spec will be read from STDIN",
+			Destination: &cfg.containerSpec,
+		},
+	}
+
+	return &c
+}
+
+func (m command) run(c *cli.Context, cfg *config) error {
+	s, err := oci.LoadContainerState(cfg.containerSpec)
+	if err != nil {
+		return fmt.Errorf("failed to load container state: %v", err)
+	}
+
+	spec, err := s.LoadSpec()
+	if err != nil {
+		return fmt.Errorf("failed to load OCI spec: %v", err)
+	}
+
+	var containerRoot string
+	if spec.Root != nil {
+		containerRoot = spec.Root.Path
+	}
+
+	err = m.createConfig(containerRoot, cfg.folders.Value())
+	if err != nil {
+		return fmt.Errorf("failed to update ld.so.conf: %v", err)
+	}
+
+	args := []string{"/sbin/ldconfig"}
+	if containerRoot != "" {
+		args = append(args, "-r", containerRoot)
+	}
+
+	return syscall.Exec(args[0], args, nil)
+}
+
+// createConfig creates (or updates) /etc/ld.so.conf.d/nvcr-<RANDOM_STRING>.conf in the container
+// to include the required paths.
+func (m command) createConfig(root string, folders []string) error {
+	if len(folders) == 0 {
+		m.logger.Debugf("No folders to add to /etc/ld.so.conf")
+		return nil
+	}
+
+	configFile, err := os.CreateTemp(filepath.Join(root, "/etc/ld.so.conf.d"), "nvcr-*.conf")
+	if err != nil {
+		return fmt.Errorf("failed to create config file: %v", err)
+	}
+	defer configFile.Close()
+
+	m.logger.Debugf("Adding folders %v to %v", folders, configFile.Name())
+
+	configured := make(map[string]bool)
+	for _, folder := range folders {
+		if configured[folder] {
+			continue
+		}
+		_, err = configFile.WriteString(fmt.Sprintf("%s\n", folder))
+		if err != nil {
+			return fmt.Errorf("failed to update ld.so.conf.d: %v", err)
+		}
+		configured[folder] = true
+	}
+
+	return nil
+}
--- a/cmd/nvidia-ctk/main.go
+++ b/cmd/nvidia-ctk/main.go
@@ -0,0 +1,81 @@
+/**
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package main
+
+import (
+	"os"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-ctk/hook"
+	log "github.com/sirupsen/logrus"
+	cli "github.com/urfave/cli/v2"
+)
+
+var version string
+
+var logger = log.New()
+
+// config defines the options that can be set for the CLI through config files,
+// environment variables, or command line flags
+type config struct {
+	// Debug indicates whether the CLI is started in "debug" mode
+	Debug bool
+}
+
+func main() {
+	// Create a config struct to hold the parsed environment variables or command line flags
+	config := config{}
+
+	// Create the top-level CLI
+	c := cli.NewApp()
+	c.UseShortOptionHandling = true
+	c.EnableBashCompletion = true
+	c.Usage = "Tools to configure the NVIDIA Container Toolkit"
+	c.Version = version
+
+	// Setup the flags for this command
+	c.Flags = []cli.Flag{
+		&cli.BoolFlag{
+			Name:        "debug",
+			Aliases:     []string{"d"},
+			Usage:       "Enable debug-level logging",
+			Destination: &config.Debug,
+			EnvVars:     []string{"NVIDIA_CTK_DEBUG"},
+		},
+	}
+
+	// Set log-level for all subcommands
+	c.Before = func(c *cli.Context) error {
+		logLevel := log.InfoLevel
+		if config.Debug {
+			logLevel = log.DebugLevel
+		}
+		logger.SetLevel(logLevel)
+		return nil
+	}
+
+	// Define the subcommands
+	c.Commands = []*cli.Command{
+		hook.NewCommand(logger),
+	}
+
+	// Run the CLI
+	err := c.Run(os.Args)
+	if err != nil {
+		log.Errorf("%v", err)
+		log.Exit(1)
+	}
+}
--- a/config/config.toml.amazonlinux
+++ b/config/config.toml.amazonlinux
@@ -16,3 +16,4 @@ ldconfig = "@/sbin/ldconfig"

 [nvidia-container-runtime]
 #debug = "/var/log/nvidia-container-runtime.log"
+#experimental = false
--- a/config/config.toml.centos
+++ b/config/config.toml.centos
@@ -16,3 +16,4 @@ ldconfig = "@/sbin/ldconfig"

 [nvidia-container-runtime]
 #debug = "/var/log/nvidia-container-runtime.log"
+#experimental = false
--- a/config/config.toml.debian
+++ b/config/config.toml.debian
@@ -16,3 +16,4 @@ ldconfig = "@/sbin/ldconfig"

 [nvidia-container-runtime]
 #debug = "/var/log/nvidia-container-runtime.log"
+#experimental = false
--- a/config/config.toml.opensuse-leap
+++ b/config/config.toml.opensuse-leap
@@ -16,3 +16,4 @@ ldconfig = "@/sbin/ldconfig"

 [nvidia-container-runtime]
 #debug = "/var/log/nvidia-container-runtime.log"
+#experimental = false
--- a/config/config.toml.ubuntu
+++ b/config/config.toml.ubuntu
@@ -16,3 +16,4 @@ ldconfig = "@/sbin/ldconfig.real"

 [nvidia-container-runtime]
 #debug = "/var/log/nvidia-container-runtime.log"
+#experimental = false
--- a/config/config.toml.ubuntu+jetpack
+++ b/config/config.toml.ubuntu+jetpack
@@ -1,19 +0,0 @@
-disable-require = false
-supported-driver-capabilities = "compute,compat32,graphics,utility,video,display"
-#swarm-resource = "DOCKER_RESOURCE_GPU"
-#accept-nvidia-visible-devices-envvar-when-unprivileged = true
-#accept-nvidia-visible-devices-as-volume-mounts = false
-
-[nvidia-container-cli]
-#root = "/run/nvidia/driver"
-#path = "/usr/bin/nvidia-container-cli"
-environment = []
-#debug = "/var/log/nvidia-container-toolkit.log"
-#ldcache = "/etc/ld.so.cache"
-load-kmods = true
-#no-cgroups = false
-#user = "root:video"
-ldconfig = "@/sbin/ldconfig.real"
-
-[nvidia-container-runtime]
-#debug = "/var/log/nvidia-container-runtime.log"
--- a/docker/Dockerfile.centos
+++ b/docker/Dockerfile.centos
@@ -1,16 +1,9 @@
 ARG BASEIMAGE
 FROM ${BASEIMAGE}

-ARG BASEIMAGE
-# See https://www.centos.org/centos-linux-eol/
-# and https://stackoverflow.com/a/70930049
-RUN [[ "${BASEIMAGE}" != "centos:8" ]] || \
-    ( \
-      sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Linux-* && \
-      sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-Linux-* \
-    )
 RUN yum install -y \
        ca-certificates \
+        gcc \
        wget \
        git \
        make \
--- a/docker/docker.mk
+++ b/docker/docker.mk
@@ -98,6 +98,7 @@ docker-all: $(AMD64_TARGETS) $(X86_64_TARGETS) \
 # private centos target
 --centos%: OS := centos
 --centos%: PKG_REV := $(if $(LIB_TAG),0.1.$(LIB_TAG),1)
+--centos8%: BASEIMAGE = quay.io/centos/centos:stream8

 # private amazonlinux target
 --amazonlinux%: OS := amazonlinux
@@ -113,6 +114,7 @@ docker-all: $(AMD64_TARGETS) $(X86_64_TARGETS) \
 --rhel%: PKG_REV := $(if $(LIB_TAG),0.1.$(LIB_TAG),1)
 --rhel%: VERSION = $(patsubst rhel%-$(ARCH),%,$(TARGET_PLATFORM))
 --rhel%: ARTIFACTS_DIR = $(DIST_DIR)/rhel$(VERSION)/$(ARCH)
+--rhel8%: BASEIMAGE = quay.io/centos/centos:stream8

 # We allow the CONFIG_TOML_SUFFIX to be overridden.
 CONFIG_TOML_SUFFIX ?= $(OS)
@@ -122,6 +124,7 @@ docker-build-%:
 	docker pull --platform=linux/$(ARCH) $(BASEIMAGE)
 	DOCKER_BUILDKIT=1 \
 	$(DOCKER) build \
+	    --platform=linux/$(ARCH) \
 	    --progress=plain \
 	    --build-arg BASEIMAGE="$(BASEIMAGE)" \
 	    --build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
@@ -131,6 +134,7 @@ docker-build-%:
 	    --tag $(BUILDIMAGE) \
 	    --file $(DOCKERFILE) .
 	$(DOCKER) run \
+	    --platform=linux/$(ARCH) \
 	    -e DISTRIB \
 	    -e SECTION \
 	    -v $(ARTIFACTS_DIR):/dist \
--- a/go.mod
+++ b/go.mod
@@ -3,14 +3,15 @@ module github.com/NVIDIA/nvidia-container-toolkit
 go 1.14

 require (
-	github.com/BurntSushi/toml v0.3.1
-	github.com/containers/podman/v2 v2.2.1
-	github.com/opencontainers/runtime-spec v1.0.3-0.20211101234015-a3c33d663ebc
-	github.com/pelletier/go-toml v1.9.3
+	github.com/BurntSushi/toml v1.0.0
+	github.com/container-orchestrated-devices/container-device-interface v0.3.1-0.20220224133719-e5457123010b
+	github.com/containers/podman/v4 v4.0.1
+	github.com/opencontainers/runtime-spec v1.0.3-0.20211214071223-8958f93039ab
+	github.com/pelletier/go-toml v1.9.4
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.0
 	github.com/tsaikd/KDGoLib v0.0.0-20191001134900-7f3cf518e07d
 	github.com/urfave/cli/v2 v2.3.0
-	golang.org/x/mod v0.3.0
-	golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
+	golang.org/x/mod v0.5.0
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/config/cli.go
+++ b/internal/config/cli.go
@@ -0,0 +1,48 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package config
+
+import (
+	"github.com/pelletier/go-toml"
+)
+
+// ContainerCLIConfig stores the options for the nvidia-container-cli
+type ContainerCLIConfig struct {
+	Root string
+}
+
+// getContainerCLIConfigFrom reads the nvidia container runtime config from the specified toml Tree.
+func getContainerCLIConfigFrom(toml *toml.Tree) *ContainerCLIConfig {
+	cfg := getDefaultContainerCLIConfig()
+
+	if toml == nil {
+		return cfg
+	}
+
+	cfg.Root = toml.GetDefault("nvidia-container-cli.root", cfg.Root).(string)
+
+	return cfg
+}
+
+// getDefaultContainerCLIConfig defines the default values for the config
+func getDefaultContainerCLIConfig() *ContainerCLIConfig {
+	c := ContainerCLIConfig{
+		Root: "",
+	}
+
+	return &c
+}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -0,0 +1,110 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package config
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path"
+
+	"github.com/pelletier/go-toml"
+)
+
+const (
+	configOverride = "XDG_CONFIG_HOME"
+	configFilePath = "nvidia-container-runtime/config.toml"
+)
+
+var (
+	// DefaultExecutableDir specifies the default path to use for executables if they cannot be located in the path.
+	DefaultExecutableDir = "/usr/bin"
+
+	// NVIDIAContainerRuntimeHookExecutable is the executable name for the NVIDIA Container Runtime Hook
+	NVIDIAContainerRuntimeHookExecutable = "nvidia-container-runtime-hook"
+	// NVIDIAContainerToolkitExecutable is the executable name for the NVIDIA Container Toolkit (an alias for the NVIDIA Container Runtime Hook)
+	NVIDIAContainerToolkitExecutable = "nvidia-container-toolkit"
+
+	configDir = "/etc/"
+)
+
+// Config represents the contents of the config.toml file for the NVIDIA Container Toolkit
+// Note: This is currently duplicated by the HookConfig in cmd/nvidia-container-toolkit/hook_config.go
+type Config struct {
+	NVIDIAContainerCLIConfig     ContainerCLIConfig `toml:"nvidia-container-cli"`
+	NVIDIACTKConfig              CTKConfig          `toml:"nvidia-ctk"`
+	NVIDIAContainerRuntimeConfig RuntimeConfig      `toml:"nvidia-container-runtime"`
+}
+
+// GetConfig sets up the config struct. Values are read from a toml file
+// or set via the environment.
+func GetConfig() (*Config, error) {
+	if XDGConfigDir := os.Getenv(configOverride); len(XDGConfigDir) != 0 {
+		configDir = XDGConfigDir
+	}
+
+	configFilePath := path.Join(configDir, configFilePath)
+
+	tomlFile, err := os.Open(configFilePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open config file %v: %v", configFilePath, err)
+	}
+	defer tomlFile.Close()
+
+	cfg, err := loadConfigFrom(tomlFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read config values: %v", err)
+	}
+
+	return cfg, nil
+}
+
+// loadRuntimeConfigFrom reads the config from the specified Reader
+func loadConfigFrom(reader io.Reader) (*Config, error) {
+	toml, err := toml.LoadReader(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	return getConfigFrom(toml), nil
+}
+
+// getConfigFrom reads the nvidia container runtime config from the specified toml Tree.
+func getConfigFrom(toml *toml.Tree) *Config {
+	cfg := getDefaultConfig()
+
+	if toml == nil {
+		return cfg
+	}
+
+	cfg.NVIDIAContainerCLIConfig = *getContainerCLIConfigFrom(toml)
+	cfg.NVIDIACTKConfig = *getCTKConfigFrom(toml)
+	cfg.NVIDIAContainerRuntimeConfig = *getRuntimeConfigFrom(toml)
+
+	return cfg
+}
+
+// getDefaultConfig defines the default values for the config
+func getDefaultConfig() *Config {
+	c := Config{
+		NVIDIAContainerCLIConfig:     *getDefaultContainerCLIConfig(),
+		NVIDIACTKConfig:              *getDefaultCTKConfig(),
+		NVIDIAContainerRuntimeConfig: *GetDefaultRuntimeConfig(),
+	}
+
+	return &c
+}
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -0,0 +1,143 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package config
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetConfigWithCustomConfig(t *testing.T) {
+	wd, err := os.Getwd()
+	require.NoError(t, err)
+
+	// By default debug is disabled
+	contents := []byte("[nvidia-container-runtime]\ndebug = \"/nvidia-container-toolkit.log\"")
+	testDir := filepath.Join(wd, "test")
+	filename := filepath.Join(testDir, configFilePath)
+
+	os.Setenv(configOverride, testDir)
+
+	require.NoError(t, os.MkdirAll(filepath.Dir(filename), 0766))
+	require.NoError(t, ioutil.WriteFile(filename, contents, 0766))
+
+	defer func() { require.NoError(t, os.RemoveAll(testDir)) }()
+
+	cfg, err := GetConfig()
+	require.NoError(t, err)
+	require.Equal(t, cfg.NVIDIAContainerRuntimeConfig.DebugFilePath, "/nvidia-container-toolkit.log")
+}
+
+func TestGetConfig(t *testing.T) {
+	testCases := []struct {
+		description    string
+		contents       []string
+		expectedError  error
+		expectedConfig *Config
+	}{
+		{
+			description: "empty config is default",
+			expectedConfig: &Config{
+				NVIDIAContainerCLIConfig: ContainerCLIConfig{
+					Root: "",
+				},
+				NVIDIAContainerRuntimeConfig: RuntimeConfig{
+					DebugFilePath: "/dev/null",
+					Experimental:  false,
+					DiscoverMode:  "auto",
+					LogLevel:      "info",
+				},
+				NVIDIACTKConfig: CTKConfig{
+					Path: "nvidia-ctk",
+				},
+			},
+		},
+		{
+			description: "config options set inline",
+			contents: []string{
+				"nvidia-container-cli.root = \"/bar/baz\"",
+				"nvidia-container-runtime.debug = \"/foo/bar\"",
+				"nvidia-container-runtime.experimental = true",
+				"nvidia-container-runtime.discover-mode = \"not-legacy\"",
+				"nvidia-container-runtime.log-level = \"debug\"",
+				"nvidia-ctk.path = \"/foo/bar/nvidia-ctk\"",
+			},
+			expectedConfig: &Config{
+				NVIDIAContainerCLIConfig: ContainerCLIConfig{
+					Root: "/bar/baz",
+				},
+				NVIDIAContainerRuntimeConfig: RuntimeConfig{
+					DebugFilePath: "/foo/bar",
+					Experimental:  true,
+					DiscoverMode:  "not-legacy",
+					LogLevel:      "debug",
+				},
+				NVIDIACTKConfig: CTKConfig{
+					Path: "/foo/bar/nvidia-ctk",
+				},
+			},
+		},
+		{
+			description: "config options set in section",
+			contents: []string{
+				"[nvidia-container-cli]",
+				"root = \"/bar/baz\"",
+				"[nvidia-container-runtime]",
+				"debug = \"/foo/bar\"",
+				"experimental = true",
+				"discover-mode = \"not-legacy\"",
+				"log-level = \"debug\"",
+				"[nvidia-ctk]",
+				"path = \"/foo/bar/nvidia-ctk\"",
+			},
+			expectedConfig: &Config{
+				NVIDIAContainerCLIConfig: ContainerCLIConfig{
+					Root: "/bar/baz",
+				},
+				NVIDIAContainerRuntimeConfig: RuntimeConfig{
+					DebugFilePath: "/foo/bar",
+					Experimental:  true,
+					DiscoverMode:  "not-legacy",
+					LogLevel:      "debug",
+				},
+				NVIDIACTKConfig: CTKConfig{
+					Path: "/foo/bar/nvidia-ctk",
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			reader := strings.NewReader(strings.Join(tc.contents, "\n"))
+
+			cfg, err := loadConfigFrom(reader)
+			if tc.expectedError != nil {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+
+			require.EqualValues(t, tc.expectedConfig, cfg)
+		})
+	}
+}
--- a/internal/config/runtime.go
+++ b/internal/config/runtime.go
@@ -0,0 +1,59 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package config
+
+import (
+	"github.com/pelletier/go-toml"
+	"github.com/sirupsen/logrus"
+)
+
+// RuntimeConfig stores the config options for the NVIDIA Container Runtime
+type RuntimeConfig struct {
+	DebugFilePath string
+	Experimental  bool
+	DiscoverMode  string
+	// LogLevel defines the logging level for the application
+	LogLevel string
+}
+
+// getRuntimeConfigFrom reads the nvidia container runtime config from the specified toml Tree.
+func getRuntimeConfigFrom(toml *toml.Tree) *RuntimeConfig {
+	cfg := GetDefaultRuntimeConfig()
+
+	if toml == nil {
+		return cfg
+	}
+
+	cfg.DebugFilePath = toml.GetDefault("nvidia-container-runtime.debug", cfg.DebugFilePath).(string)
+	cfg.Experimental = toml.GetDefault("nvidia-container-runtime.experimental", cfg.Experimental).(bool)
+	cfg.DiscoverMode = toml.GetDefault("nvidia-container-runtime.discover-mode", cfg.DiscoverMode).(string)
+	cfg.LogLevel = toml.GetDefault("nvidia-container-runtime.log-level", cfg.LogLevel).(string)
+
+	return cfg
+}
+
+// GetDefaultRuntimeConfig defines the default values for the config
+func GetDefaultRuntimeConfig() *RuntimeConfig {
+	c := RuntimeConfig{
+		DebugFilePath: "/dev/null",
+		Experimental:  false,
+		DiscoverMode:  "auto",
+		LogLevel:      logrus.InfoLevel.String(),
+	}
+
+	return &c
+}
--- a/internal/config/toolkit-cli.go
+++ b/internal/config/toolkit-cli.go
@@ -0,0 +1,46 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package config
+
+import "github.com/pelletier/go-toml"
+
+// CTKConfig stores the config options for the NVIDIA Container Toolkit CLI (nvidia-ctk)
+type CTKConfig struct {
+	Path string `toml:"path"`
+}
+
+// getCTKConfigFrom reads the nvidia container runtime config from the specified toml Tree.
+func getCTKConfigFrom(toml *toml.Tree) *CTKConfig {
+	cfg := getDefaultCTKConfig()
+
+	if toml == nil {
+		return cfg
+	}
+
+	cfg.Path = toml.GetDefault("nvidia-ctk.path", cfg.Path).(string)
+
+	return cfg
+}
+
+// getDefaultCTKConfig defines the default values for the config
+func getDefaultCTKConfig() *CTKConfig {
+	c := CTKConfig{
+		Path: "nvidia-ctk",
+	}
+
+	return &c
+}
--- a/internal/discover/csv.go
+++ b/internal/discover/csv.go
@@ -0,0 +1,139 @@
+/**
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package discover
+
+import (
+	"fmt"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover/csv"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	"github.com/sirupsen/logrus"
+)
+
+// charDevices is a discover for a list of character devices
+type charDevices mounts
+
+var _ Discover = (*charDevices)(nil)
+
+// NewFromCSVFiles creates a discoverer for the specified CSV files. A logger is also supplied.
+// The constructed discoverer is comprised of a list, with each element in the list being associated with a
+// single CSV files.
+func NewFromCSVFiles(logger *logrus.Logger, files []string, root string) (Discover, error) {
+	if len(files) == 0 {
+		logger.Warnf("No CSV files specified")
+		return None{}, nil
+	}
+
+	symlinkLocator := lookup.NewSymlinkLocator(logger, root)
+	locators := map[csv.MountSpecType]lookup.Locator{
+		csv.MountSpecDev: lookup.NewCharDeviceLocator(logger, root),
+		csv.MountSpecDir: lookup.NewDirectoryLocator(logger, root),
+		// Libraries and symlinks are handled in the same way
+		csv.MountSpecLib: symlinkLocator,
+		csv.MountSpecSym: symlinkLocator,
+	}
+
+	var discoverers []Discover
+	for _, filename := range files {
+		d, err := NewFromCSVFile(logger, locators, filename)
+		if err != nil {
+			logger.Warnf("Skipping CSV file %v: %v", filename, err)
+			continue
+		}
+		discoverers = append(discoverers, d)
+	}
+
+	return &list{discoverers: discoverers}, nil
+}
+
+// NewFromCSVFile creates a discoverer for the specified CSV file. A logger is also supplied.
+// The constructed discoverer is comprised of a list, with each element in the list being associated with a particular
+// MountSpecType.
+func NewFromCSVFile(logger *logrus.Logger, locators map[csv.MountSpecType]lookup.Locator, filename string) (Discover, error) {
+	// Create a discoverer for each file-kind combination
+	targets, err := csv.NewCSVFileParser(logger, filename).Parse()
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse CSV file: %v", err)
+	}
+	if len(targets) == 0 {
+		return nil, fmt.Errorf("CSV file is empty")
+	}
+
+	return newFromMountSpecs(logger, locators, targets)
+}
+
+// newFromMountSpecs creates a discoverer for the CSV file. A logger is also supplied.
+// A list of csvDiscoverers is returned, with each being associated with a single MountSpecType.
+func newFromMountSpecs(logger *logrus.Logger, locators map[csv.MountSpecType]lookup.Locator, targets []*csv.MountSpec) (Discover, error) {
+	if len(targets) == 0 {
+		return &None{}, nil
+	}
+
+	var discoverers []Discover
+	var mountSpecTypes []csv.MountSpecType
+	candidatesByType := make(map[csv.MountSpecType][]string)
+	for _, t := range targets {
+		if _, exists := candidatesByType[t.Type]; !exists {
+			mountSpecTypes = append(mountSpecTypes, t.Type)
+		}
+		candidatesByType[t.Type] = append(candidatesByType[t.Type], t.Path)
+	}
+
+	for _, t := range mountSpecTypes {
+		locator, exists := locators[t]
+		if !exists {
+			return nil, fmt.Errorf("no locator defined for '%v'", t)
+		}
+
+		m := &mounts{
+			logger:   logger,
+			lookup:   locator,
+			required: candidatesByType[t],
+		}
+
+		switch t {
+		case csv.MountSpecDev:
+			// For device mount specs, we insert a charDevices into the list of discoverers.
+			discoverers = append(discoverers, (*charDevices)(m))
+		default:
+			discoverers = append(discoverers, m)
+		}
+	}
+
+	return &list{discoverers: discoverers}, nil
+}
+
+// Mounts returns the discovered mounts for the charDevices. Since this explicitly specifies a
+// device list, the mounts are nil.
+func (d *charDevices) Mounts() ([]Mount, error) {
+	return nil, nil
+}
+
+// Devices returns the discovered devices for the charDevices. Here the device nodes are first
+// discovered as mounts and these are converted to devices.
+func (d *charDevices) Devices() ([]Device, error) {
+	devicesAsMounts, err := (*mounts)(d).Mounts()
+	if err != nil {
+		return nil, err
+	}
+	var devices []Device
+	for _, mount := range devicesAsMounts {
+		devices = append(devices, Device(mount))
+	}
+
+	return devices, nil
+}
--- a/internal/discover/csv/csv.go
+++ b/internal/discover/csv/csv.go
@@ -0,0 +1,131 @@
+/**
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package csv
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// DefaultMountSpecPath is default location of CSV files that define the modifications required to the OCI spec
+	DefaultMountSpecPath = "/etc/nvidia-container-runtime/host-files-for-container.d"
+)
+
+// GetFileList returns the (non-recursive) list of CSV files in the specified
+// folder
+func GetFileList(root string) ([]string, error) {
+	contents, err := os.ReadDir(root)
+	if err != nil && errors.Is(err, os.ErrNotExist) {
+		return nil, nil
+	} else if err != nil {
+		return nil, fmt.Errorf("failed to read the contents of %v: %v", root, err)
+	}
+
+	var csvFilePaths []string
+	for _, c := range contents {
+		if c.IsDir() {
+			continue
+		}
+		if c.Name() == ".csv" {
+			continue
+		}
+		ext := strings.ToLower(filepath.Ext(c.Name()))
+		if ext != ".csv" {
+			continue
+		}
+
+		csvFilePaths = append(csvFilePaths, filepath.Join(root, c.Name()))
+	}
+
+	return csvFilePaths, nil
+}
+
+// BaseFilesOnly filters out non-base CSV files from the list of CSV files.
+func BaseFilesOnly(filenames []string) []string {
+	filter := map[string]bool{
+		"l4t.csv":     true,
+		"drivers.csv": true,
+		"devices.csv": true,
+	}
+
+	var selected []string
+	for _, file := range filenames {
+		base := filepath.Base(file)
+		if filter[base] {
+			selected = append(selected, file)
+		}
+	}
+
+	return selected
+}
+
+// Parser specifies an interface for parsing MountSpecs
+type Parser interface {
+	Parse() ([]*MountSpec, error)
+}
+
+type csv struct {
+	logger   *logrus.Logger
+	filename string
+}
+
+// NewCSVFileParser creates a new parser for reading MountSpecs from the specified CSV file
+func NewCSVFileParser(logger *logrus.Logger, filename string) Parser {
+	p := csv{
+		logger:   logger,
+		filename: filename,
+	}
+
+	return &p
+}
+
+// Parse parses the csv file and returns a list of MountSpecs in the file
+func (p csv) Parse() ([]*MountSpec, error) {
+	reader, err := os.Open(p.filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open %v for reading: %v", p.filename, err)
+	}
+	defer reader.Close()
+
+	return p.parseFromReader(reader), nil
+}
+
+// parseFromReader parses the specified file and returns a list of required jetson mounts
+func (p csv) parseFromReader(reader io.Reader) []*MountSpec {
+	var targets []*MountSpec
+
+	scanner := bufio.NewScanner(reader)
+	for scanner.Scan() {
+		line := scanner.Text()
+		target, err := NewMountSpecFromLine(line)
+		if err != nil {
+			p.logger.Debugf("Skipping invalid mount spec '%v': %v", line, err)
+			continue
+		}
+		targets = append(targets, target)
+	}
+
+	return targets
+}
--- a/internal/discover/csv/csv_test.go
+++ b/internal/discover/csv/csv_test.go
@@ -0,0 +1,83 @@
+/**
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package csv
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetFileList(t *testing.T) {
+	moduleRoot, _ := test.GetModuleRoot()
+
+	testCases := []struct {
+		description   string
+		root          string
+		files         []string
+		expectedError error
+	}{
+		{
+			description: "returns list of CSV files",
+			root:        "test/input/csv_samples/",
+			files: []string{
+				"jetson.csv",
+				"simple_wrong.csv",
+				"simple.csv",
+				"spaced.csv",
+			},
+		},
+		{
+			description: "handles empty folder",
+			root:        "test/input/csv_samples/empty",
+		},
+		{
+			description: "handles non-existent folder",
+			root:        "test/input/csv_samples/NONEXISTENT",
+		},
+		{
+			description: "handles non-existent folder root",
+			root:        "/NONEXISTENT/test/input/csv_samples/",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			root := filepath.Join(moduleRoot, tc.root)
+			files, err := GetFileList(root)
+
+			if tc.expectedError != nil {
+				require.Error(t, err)
+				require.Empty(t, files)
+				return
+			}
+
+			require.NoError(t, err)
+
+			var foundFiles []string
+			for _, f := range files {
+				require.Equal(t, root, filepath.Dir(f))
+				require.Equal(t, ".csv", filepath.Ext(f))
+				foundFiles = append(foundFiles, filepath.Base(f))
+			}
+
+			require.ElementsMatch(t, tc.files, foundFiles)
+		})
+	}
+}
--- a/internal/discover/csv/mount_spec.go
+++ b/internal/discover/csv/mount_spec.go
@@ -0,0 +1,74 @@
+/**
+# Copyright (c) 2021-2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package csv
+
+import (
+	"fmt"
+	"strings"
+)
+
+// MountSpecType defines the mount types allowed in a CSV file
+type MountSpecType string
+
+const (
+	// MountSpecDev is used for character devices
+	MountSpecDev = MountSpecType("dev")
+	// MountSpecDir is used for directories
+	MountSpecDir = MountSpecType("dir")
+	// MountSpecLib is used for libraries or regular files
+	MountSpecLib = MountSpecType("lib")
+	// MountSpecSym is used for symlinks.
+	MountSpecSym = MountSpecType("sym")
+)
+
+// MountSpec represents a Jetson mount consisting of a type and a path.
+type MountSpec struct {
+	Type MountSpecType
+	Path string
+}
+
+// NewMountSpecFromLine parses the specified line and returns the MountSpec or an error if the line is malformed
+func NewMountSpecFromLine(line string) (*MountSpec, error) {
+	parts := strings.SplitN(strings.TrimSpace(line), ",", 2)
+	if len(parts) < 2 {
+		return nil, fmt.Errorf("failed to parse line: %v", line)
+	}
+	mountType := strings.TrimSpace(parts[0])
+	path := strings.TrimSpace(parts[1])
+
+	return NewMountSpec(mountType, path)
+}
+
+// NewMountSpec creates a MountSpec with the specified type and path. An error is returned if the type is invalid.
+func NewMountSpec(mountType string, path string) (*MountSpec, error) {
+	mt := MountSpecType(mountType)
+	switch mt {
+	case MountSpecDev, MountSpecLib, MountSpecSym, MountSpecDir:
+	default:
+		return nil, fmt.Errorf("unexpected mount type: %v", mt)
+	}
+	if path == "" {
+		return nil, fmt.Errorf("invalid path: %v", path)
+	}
+
+	mount := MountSpec{
+		Type: mt,
+		Path: path,
+	}
+
+	return &mount, nil
+}
--- a/internal/discover/csv/mount_spec_test.go
+++ b/internal/discover/csv/mount_spec_test.go
@@ -0,0 +1,82 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package csv
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewMountSpecFromLine(t *testing.T) {
+	parseError := fmt.Errorf("failed to parse line")
+	unexpectedError := fmt.Errorf("unexpected mount type")
+
+	testCases := []struct {
+		line          string
+		expectedError error
+		expectedValue MountSpec
+	}{
+		{
+			line:          "",
+			expectedError: parseError,
+		},
+		{
+			line:          "\t",
+			expectedError: parseError,
+		},
+		{
+			line:          ",",
+			expectedError: parseError,
+		},
+		{
+			line:          "dev,",
+			expectedError: parseError,
+		},
+		{
+			line: "dev ,/a/path",
+			expectedValue: MountSpec{
+				Path: "/a/path",
+				Type: "dev",
+			},
+		},
+		{
+			line: "dev ,/a/path,with,commas",
+			expectedValue: MountSpec{
+				Path: "/a/path,with,commas",
+				Type: "dev",
+			},
+		},
+		{
+			line:          "not-dev ,/a/path",
+			expectedError: unexpectedError,
+		},
+	}
+
+	for i, tc := range testCases {
+		t.Run(fmt.Sprintf("test case %d", i), func(t *testing.T) {
+			target, err := NewMountSpecFromLine(tc.line)
+			if tc.expectedError != nil {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.EqualValues(t, &tc.expectedValue, target)
+		})
+	}
+}
--- a/internal/discover/csv_test.go
+++ b/internal/discover/csv_test.go
@@ -0,0 +1,160 @@
+/**
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package discover
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover/csv"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	testlog "github.com/sirupsen/logrus/hooks/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCharDevices(t *testing.T) {
+	logger, logHook := testlog.NewNullLogger()
+
+	testCases := []struct {
+		description          string
+		input                *charDevices
+		expectedMounts       []Mount
+		expectedMountsError  error
+		expectedDevicesError error
+		expectedDevices      []Device
+	}{
+		{
+			description: "dev mounts are empty",
+			input: (*charDevices)(
+				&mounts{
+					lookup: &lookup.LocatorMock{
+						LocateFunc: func(string) ([]string, error) {
+							return []string{"located"}, nil
+						},
+					},
+					required: []string{"required"},
+				},
+			),
+			expectedDevices: []Device{{Path: "located"}},
+		},
+		{
+			description:          "dev devices returns error for nil lookup",
+			input:                &charDevices{},
+			expectedDevicesError: fmt.Errorf("no lookup defined"),
+		},
+	}
+
+	for _, tc := range testCases {
+		logHook.Reset()
+
+		t.Run(tc.description, func(t *testing.T) {
+			tc.input.logger = logger
+
+			mounts, err := tc.input.Mounts()
+			if tc.expectedMountsError != nil {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			require.ElementsMatch(t, tc.expectedMounts, mounts)
+
+			devices, err := tc.input.Devices()
+			if tc.expectedDevicesError != nil {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			require.ElementsMatch(t, tc.expectedDevices, devices)
+		})
+	}
+}
+
+func TestNewFromMountSpec(t *testing.T) {
+	logger, _ := testlog.NewNullLogger()
+
+	locators := map[csv.MountSpecType]lookup.Locator{
+		"dev": &lookup.LocatorMock{},
+		"lib": &lookup.LocatorMock{},
+	}
+
+	testCases := []struct {
+		description        string
+		targets            []*csv.MountSpec
+		expectedError      error
+		expectedDiscoverer Discover
+	}{
+		{
+			description:        "empty targets returns None discoverer list",
+			expectedDiscoverer: &None{},
+		},
+		{
+			description: "unexpected locator returns error",
+			targets: []*csv.MountSpec{
+				{
+					Type: "foo",
+					Path: "bar",
+				},
+			},
+			expectedError: fmt.Errorf("no locator defined for foo"),
+		},
+		{
+			description: "creates discoverers based on type",
+			targets: []*csv.MountSpec{
+				{
+					Type: "dev",
+					Path: "dev0",
+				},
+				{
+					Type: "lib",
+					Path: "lib0",
+				},
+				{
+					Type: "dev",
+					Path: "dev1",
+				},
+			},
+			expectedDiscoverer: &list{
+				discoverers: []Discover{
+					(*charDevices)(
+						&mounts{
+							logger:   logger,
+							lookup:   locators["dev"],
+							required: []string{"dev0", "dev1"},
+						},
+					),
+					&mounts{
+						logger:   logger,
+						lookup:   locators["lib"],
+						required: []string{"lib0"},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			discoverer, err := newFromMountSpecs(logger, locators, tc.targets)
+			if tc.expectedError != nil {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.EqualValues(t, tc.expectedDiscoverer, discoverer)
+		})
+	}
+}
--- a/internal/discover/discover.go
+++ b/internal/discover/discover.go
@@ -0,0 +1,48 @@
+/*
+# Copyright (c) 2021-2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package discover
+
+// Config represents the configuration options for discovery
+type Config struct {
+	Root                                    string
+	NVIDIAContainerToolkitCLIExecutablePath string
+}
+
+// Device represents a discovered character device.
+type Device struct {
+	Path string
+}
+
+// Mount represents a discovered mount.
+type Mount struct {
+	Path string
+}
+
+// Hook represents a discovered hook.
+type Hook struct {
+	Lifecycle string
+	Path      string
+	Args      []string
+}
+
+//go:generate moq -stub -out discover_mock.go . Discover
+// Discover defines an interface for discovering the devices, mounts, and hooks available on a system
+type Discover interface {
+	Devices() ([]Device, error)
+	Mounts() ([]Mount, error)
+	Hooks() ([]Hook, error)
+}
--- a/internal/discover/discover_mock.go
+++ b/internal/discover/discover_mock.go
@@ -0,0 +1,150 @@
+// Code generated by moq; DO NOT EDIT.
+// github.com/matryer/moq
+
+package discover
+
+import (
+	"sync"
+)
+
+// Ensure, that DiscoverMock does implement Discover.
+// If this is not the case, regenerate this file with moq.
+var _ Discover = &DiscoverMock{}
+
+// DiscoverMock is a mock implementation of Discover.
+//
+// 	func TestSomethingThatUsesDiscover(t *testing.T) {
+//
+// 		// make and configure a mocked Discover
+// 		mockedDiscover := &DiscoverMock{
+// 			DevicesFunc: func() ([]Device, error) {
+// 				panic("mock out the Devices method")
+// 			},
+// 			HooksFunc: func() ([]Hook, error) {
+// 				panic("mock out the Hooks method")
+// 			},
+// 			MountsFunc: func() ([]Mount, error) {
+// 				panic("mock out the Mounts method")
+// 			},
+// 		}
+//
+// 		// use mockedDiscover in code that requires Discover
+// 		// and then make assertions.
+//
+// 	}
+type DiscoverMock struct {
+	// DevicesFunc mocks the Devices method.
+	DevicesFunc func() ([]Device, error)
+
+	// HooksFunc mocks the Hooks method.
+	HooksFunc func() ([]Hook, error)
+
+	// MountsFunc mocks the Mounts method.
+	MountsFunc func() ([]Mount, error)
+
+	// calls tracks calls to the methods.
+	calls struct {
+		// Devices holds details about calls to the Devices method.
+		Devices []struct {
+		}
+		// Hooks holds details about calls to the Hooks method.
+		Hooks []struct {
+		}
+		// Mounts holds details about calls to the Mounts method.
+		Mounts []struct {
+		}
+	}
+	lockDevices sync.RWMutex
+	lockHooks   sync.RWMutex
+	lockMounts  sync.RWMutex
+}
+
+// Devices calls DevicesFunc.
+func (mock *DiscoverMock) Devices() ([]Device, error) {
+	callInfo := struct {
+	}{}
+	mock.lockDevices.Lock()
+	mock.calls.Devices = append(mock.calls.Devices, callInfo)
+	mock.lockDevices.Unlock()
+	if mock.DevicesFunc == nil {
+		var (
+			devicesOut []Device
+			errOut     error
+		)
+		return devicesOut, errOut
+	}
+	return mock.DevicesFunc()
+}
+
+// DevicesCalls gets all the calls that were made to Devices.
+// Check the length with:
+//     len(mockedDiscover.DevicesCalls())
+func (mock *DiscoverMock) DevicesCalls() []struct {
+} {
+	var calls []struct {
+	}
+	mock.lockDevices.RLock()
+	calls = mock.calls.Devices
+	mock.lockDevices.RUnlock()
+	return calls
+}
+
+// Hooks calls HooksFunc.
+func (mock *DiscoverMock) Hooks() ([]Hook, error) {
+	callInfo := struct {
+	}{}
+	mock.lockHooks.Lock()
+	mock.calls.Hooks = append(mock.calls.Hooks, callInfo)
+	mock.lockHooks.Unlock()
+	if mock.HooksFunc == nil {
+		var (
+			hooksOut []Hook
+			errOut   error
+		)
+		return hooksOut, errOut
+	}
+	return mock.HooksFunc()
+}
+
+// HooksCalls gets all the calls that were made to Hooks.
+// Check the length with:
+//     len(mockedDiscover.HooksCalls())
+func (mock *DiscoverMock) HooksCalls() []struct {
+} {
+	var calls []struct {
+	}
+	mock.lockHooks.RLock()
+	calls = mock.calls.Hooks
+	mock.lockHooks.RUnlock()
+	return calls
+}
+
+// Mounts calls MountsFunc.
+func (mock *DiscoverMock) Mounts() ([]Mount, error) {
+	callInfo := struct {
+	}{}
+	mock.lockMounts.Lock()
+	mock.calls.Mounts = append(mock.calls.Mounts, callInfo)
+	mock.lockMounts.Unlock()
+	if mock.MountsFunc == nil {
+		var (
+			mountsOut []Mount
+			errOut    error
+		)
+		return mountsOut, errOut
+	}
+	return mock.MountsFunc()
+}
+
+// MountsCalls gets all the calls that were made to Mounts.
+// Check the length with:
+//     len(mockedDiscover.MountsCalls())
+func (mock *DiscoverMock) MountsCalls() []struct {
+} {
+	var calls []struct {
+	}
+	mock.lockMounts.RLock()
+	calls = mock.calls.Mounts
+	mock.lockMounts.RUnlock()
+	return calls
+}
--- a/internal/discover/ldconfig.go
+++ b/internal/discover/ldconfig.go
@@ -0,0 +1,126 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package discover
+
+import (
+	"fmt"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+	"github.com/sirupsen/logrus"
+)
+
+// NewLDCacheUpdateHook creates a discoverer that updates the ldcache for the specified mounts. A logger can also be specified
+func NewLDCacheUpdateHook(logger *logrus.Logger, mounts Discover, cfg *Config) (Discover, error) {
+	d := ldconfig{
+		logger:                  logger,
+		mountsFrom:              mounts,
+		lookup:                  lookup.NewExecutableLocator(logger, cfg.Root),
+		nvidiaCTKExecutablePath: cfg.NVIDIAContainerToolkitCLIExecutablePath,
+	}
+
+	return &d, nil
+}
+
+const (
+	nvidiaCTKDefaultFilePath = "/usr/bin/nvidia-ctk"
+)
+
+type ldconfig struct {
+	None
+	logger                  *logrus.Logger
+	mountsFrom              Discover
+	lookup                  lookup.Locator
+	nvidiaCTKExecutablePath string
+}
+
+// Hooks checks the required mounts for libraries and returns a hook to update the LDcache for the discovered paths.
+func (d ldconfig) Hooks() ([]Hook, error) {
+	mounts, err := d.mountsFrom.Mounts()
+	if err != nil {
+		return nil, fmt.Errorf("failed to discover mounts for ldcache update: %v", err)
+	}
+
+	libDirs := getLibDirs(mounts)
+
+	hookPath := nvidiaCTKDefaultFilePath
+	targets, err := d.lookup.Locate(d.nvidiaCTKExecutablePath)
+	if err != nil {
+		d.logger.Warnf("Failed to locate %v: %v", d.nvidiaCTKExecutablePath, err)
+	} else if len(targets) == 0 {
+		d.logger.Warnf("%v not found", d.nvidiaCTKExecutablePath)
+	} else {
+		d.logger.Debugf("Found %v candidates: %v", d.nvidiaCTKExecutablePath, targets)
+		hookPath = targets[0]
+	}
+	d.logger.Debugf("Using NVIDIA Container Toolkit CLI path %v", hookPath)
+
+	args := []string{hookPath, "hook", "update-ldcache"}
+	for _, f := range libDirs {
+		args = append(args, "--folders", f)
+	}
+	h := Hook{
+		Lifecycle: cdi.CreateContainerHook,
+		Path:      hookPath,
+		Args:      args,
+	}
+
+	return []Hook{h}, nil
+}
+
+// getLibDirs extracts the library dirs from the specified mounts
+func getLibDirs(mounts []Mount) []string {
+	var paths []string
+	checked := make(map[string]bool)
+
+	for _, m := range mounts {
+		dir := filepath.Dir(m.Path)
+		if dir == "" {
+			continue
+		}
+
+		_, exists := checked[dir]
+		if exists {
+			continue
+		}
+		checked[dir] = isLibName(filepath.Base(m.Path))
+
+		if checked[dir] {
+			paths = append(paths, dir)
+		}
+	}
+
+	sort.Strings(paths)
+
+	return paths
+}
+
+// isLibName checks if the specified filename is a library (i.e. ends in `.so*`)
+func isLibName(filename string) bool {
+	parts := strings.Split(filename, ".")
+
+	for _, p := range parts {
+		if p == "so" {
+			return true
+		}
+	}
+
+	return false
+}
--- a/internal/discover/legacy.go
+++ b/internal/discover/legacy.go
@@ -0,0 +1,70 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package discover
+
+import (
+	"path/filepath"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+	"github.com/sirupsen/logrus"
+)
+
+// NewLegacyDiscoverer creates a discoverer for the experimental runtime
+func NewLegacyDiscoverer(logger *logrus.Logger, cfg *Config) (Discover, error) {
+	d := legacy{
+		logger: logger,
+		lookup: lookup.NewExecutableLocator(logger, cfg.Root),
+	}
+
+	return &d, nil
+}
+
+type legacy struct {
+	None
+	logger *logrus.Logger
+	lookup lookup.Locator
+}
+
+var _ Discover = (*legacy)(nil)
+
+// Hooks returns the "legacy" NVIDIA Container Runtime hook. This hook calls out
+// to the nvidia-container-cli to make modifications to the container as defined
+// in libnvidia-container.
+func (d legacy) Hooks() ([]Hook, error) {
+	hookPath := filepath.Join(config.DefaultExecutableDir, config.NVIDIAContainerRuntimeHookExecutable)
+	targets, err := d.lookup.Locate(config.NVIDIAContainerRuntimeHookExecutable)
+	if err != nil {
+		d.logger.Warnf("Failed to locate %v: %v", config.NVIDIAContainerRuntimeHookExecutable, err)
+	} else if len(targets) == 0 {
+		d.logger.Warnf("%v not found", config.NVIDIAContainerRuntimeHookExecutable)
+	} else {
+		d.logger.Debugf("Found %v candidates: %v", config.NVIDIAContainerRuntimeHookExecutable, targets)
+		hookPath = targets[0]
+	}
+	d.logger.Debugf("Using NVIDIA Container Runtime Hook path %v", hookPath)
+
+	args := []string{hookPath, "--force", "prestart"}
+	h := Hook{
+		Lifecycle: cdi.PrestartHook,
+		Path:      hookPath,
+		Args:      args,
+	}
+
+	return []Hook{h}, nil
+}
--- a/internal/discover/list.go
+++ b/internal/discover/list.go
@@ -0,0 +1,82 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package discover
+
+import "fmt"
+
+// list is a discoverer that contains a list of Discoverers. The output of the
+// Mounts functions is the concatenation of the output for each of the
+// elements in the list.
+type list struct {
+	discoverers []Discover
+}
+
+var _ Discover = (*list)(nil)
+
+// NewList creates a discoverer that is the composite of a list of discoveres.
+func NewList(d ...Discover) Discover {
+	l := list{
+		discoverers: d,
+	}
+
+	return &l
+}
+
+// Devices returns all devices from the included discoverers
+func (d list) Devices() ([]Device, error) {
+	var allDevices []Device
+
+	for i, di := range d.discoverers {
+		devices, err := di.Devices()
+		if err != nil {
+			return nil, fmt.Errorf("error discovering devices for discoverer %v: %v", i, err)
+		}
+		allDevices = append(allDevices, devices...)
+	}
+
+	return allDevices, nil
+}
+
+// Mounts returns all mounts from the included discoverers
+func (d list) Mounts() ([]Mount, error) {
+	var allMounts []Mount
+
+	for i, di := range d.discoverers {
+		mounts, err := di.Mounts()
+		if err != nil {
+			return nil, fmt.Errorf("error discovering mounts for discoverer %v: %v", i, err)
+		}
+		allMounts = append(allMounts, mounts...)
+	}
+
+	return allMounts, nil
+}
+
+// Hooks returns all Hooks from the included discoverers
+func (d list) Hooks() ([]Hook, error) {
+	var allHooks []Hook
+
+	for i, di := range d.discoverers {
+		hooks, err := di.Hooks()
+		if err != nil {
+			return nil, fmt.Errorf("error discovering hooks for discoverer %v: %v", i, err)
+		}
+		allHooks = append(allHooks, hooks...)
+	}
+
+	return allHooks, nil
+}
--- a/internal/discover/mounts.go
+++ b/internal/discover/mounts.go
@@ -0,0 +1,85 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package discover
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	"github.com/sirupsen/logrus"
+)
+
+// mounts is a generic discoverer for Mounts. It is customized by specifying the
+// required entities as a list and a Locator that is used to find the target mounts
+// based on the entry in the list.
+type mounts struct {
+	None
+	logger   *logrus.Logger
+	lookup   lookup.Locator
+	required []string
+	sync.Mutex
+	cache []Mount
+}
+
+var _ Discover = (*mounts)(nil)
+
+func (d *mounts) Mounts() ([]Mount, error) {
+	if d.lookup == nil {
+		return nil, fmt.Errorf("no lookup defined")
+	}
+
+	if d.cache != nil {
+		d.logger.Debugf("returning cached mounts")
+		return d.cache, nil
+	}
+
+	d.Lock()
+	defer d.Unlock()
+
+	paths := make(map[string]bool)
+
+	for _, candidate := range d.required {
+		d.logger.Debugf("Locating %v", candidate)
+		located, err := d.lookup.Locate(candidate)
+		if err != nil {
+			d.logger.Warnf("Could not locate %v: %v", candidate, err)
+			continue
+		}
+		if len(located) == 0 {
+			d.logger.Warnf("Missing %v", candidate)
+			continue
+		}
+		d.logger.Debugf("Located %v as %v", candidate, located)
+		for _, p := range located {
+			paths[p] = true
+		}
+	}
+
+	var mounts []Mount
+	for path := range paths {
+		d.logger.Infof("Selecting %v", path)
+		mount := Mount{
+			Path: path,
+		}
+		mounts = append(mounts, mount)
+	}
+
+	d.cache = mounts
+
+	return mounts, nil
+}
--- a/internal/discover/mounts_test.go
+++ b/internal/discover/mounts_test.go
@@ -0,0 +1,165 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package discover
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	"github.com/stretchr/testify/require"
+
+	testlog "github.com/sirupsen/logrus/hooks/test"
+)
+
+func TestMountsReturnsEmptyDevices(t *testing.T) {
+	d := mounts{}
+	devices, err := d.Devices()
+
+	require.NoError(t, err)
+	require.Empty(t, devices)
+}
+
+func TestMounts(t *testing.T) {
+	logger, logHook := testlog.NewNullLogger()
+
+	testCases := []struct {
+		description    string
+		expectedError  error
+		expectedMounts []Mount
+		input          *mounts
+	}{
+		{
+			description:   "nill lookup returns error",
+			expectedError: fmt.Errorf("no lookup defined"),
+			input:         &mounts{},
+		},
+		{
+			description:   "empty required returns no mounts",
+			expectedError: nil,
+			input: &mounts{
+				lookup: &lookup.LocatorMock{
+					LocateFunc: func(string) ([]string, error) {
+						return []string{"located"}, nil
+					},
+				},
+			},
+		},
+		{
+			description:   "required returns located",
+			expectedError: nil,
+			input: &mounts{
+				lookup: &lookup.LocatorMock{
+					LocateFunc: func(string) ([]string, error) {
+						return []string{"located"}, nil
+					},
+				},
+				required: []string{"required"},
+			},
+			expectedMounts: []Mount{{Path: "located"}},
+		},
+		{
+			description:   "mounts removes located duplicates",
+			expectedError: nil,
+			input: &mounts{
+				lookup: &lookup.LocatorMock{
+					LocateFunc: func(string) ([]string, error) {
+						return []string{"located"}, nil
+					},
+				},
+				required: []string{"required0", "required1"},
+			},
+			expectedMounts: []Mount{{Path: "located"}},
+		},
+		{
+			description: "mounts skips located errors",
+			input: &mounts{
+				lookup: &lookup.LocatorMock{
+					LocateFunc: func(s string) ([]string, error) {
+						if s == "error" {
+							return nil, fmt.Errorf(s)
+						}
+						return []string{s}, nil
+					},
+				},
+				required: []string{"required0", "error", "required1"},
+			},
+			expectedMounts: []Mount{{Path: "required0"}, {Path: "required1"}},
+		},
+		{
+			description: "mounts skips unlocated",
+			input: &mounts{
+				lookup: &lookup.LocatorMock{
+					LocateFunc: func(s string) ([]string, error) {
+						if s == "empty" {
+							return nil, nil
+						}
+						return []string{s}, nil
+					},
+				},
+				required: []string{"required0", "empty", "required1"},
+			},
+			expectedMounts: []Mount{{Path: "required0"}, {Path: "required1"}},
+		},
+		{
+			description: "mounts skips unlocated",
+			input: &mounts{
+				lookup: &lookup.LocatorMock{
+					LocateFunc: func(s string) ([]string, error) {
+						if s == "multiple" {
+							return []string{"multiple0", "multiple1"}, nil
+						}
+						return []string{s}, nil
+					},
+				},
+				required: []string{"required0", "multiple", "required1"},
+			},
+			expectedMounts: []Mount{
+				{Path: "required0"},
+				{Path: "multiple0"},
+				{Path: "multiple1"},
+				{Path: "required1"},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		logHook.Reset()
+		t.Run(tc.description, func(t *testing.T) {
+			tc.input.logger = logger
+			mounts, err := tc.input.Mounts()
+
+			if tc.expectedError != nil {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+			require.ElementsMatch(t, tc.expectedMounts, mounts)
+
+			// We check that the mock is called for each element of required
+			if tc.input.lookup != nil {
+				mock := tc.input.lookup.(*lookup.LocatorMock)
+				require.Len(t, mock.LocateCalls(), len(tc.input.required))
+				var args []string
+				for _, c := range mock.LocateCalls() {
+					args = append(args, c.S)
+				}
+				require.EqualValues(t, args, tc.input.required)
+			}
+		})
+	}
+}
--- a/internal/discover/none.go
+++ b/internal/discover/none.go
@@ -0,0 +1,38 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package discover
+
+// None is a null discoverer that returns an empty list of devices and
+// mounts.
+type None struct{}
+
+var _ Discover = (*None)(nil)
+
+// Devices returns an empty list of devices
+func (e None) Devices() ([]Device, error) {
+	return []Device{}, nil
+}
+
+// Mounts returns an empty list of mounts
+func (e None) Mounts() ([]Mount, error) {
+	return []Mount{}, nil
+}
+
+// Hooks returns an empty list of hooks
+func (e None) Hooks() ([]Hook, error) {
+	return []Hook{}, nil
+}
--- a/internal/discover/none_test.go
+++ b/internal/discover/none_test.go
@@ -0,0 +1,31 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package discover
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNone(t *testing.T) {
+	d := None{}
+
+	mounts, err := d.Mounts()
+	require.NoError(t, err)
+	require.Empty(t, mounts)
+}
--- a/internal/discover/symlinks.go
+++ b/internal/discover/symlinks.go
@@ -0,0 +1,71 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package discover
+
+import (
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+	"github.com/sirupsen/logrus"
+)
+
+type symlinks struct {
+	None
+	logger                  *logrus.Logger
+	lookup                  lookup.Locator
+	nvidiaCTKExecutablePath string
+	csvFiles                []string
+}
+
+// NewCreateSymlinksHook creates a discoverer for a hook that creates required symlinks in the container
+func NewCreateSymlinksHook(logger *logrus.Logger, csvFiles []string, cfg *Config) (Discover, error) {
+	d := symlinks{
+		logger:                  logger,
+		lookup:                  lookup.NewExecutableLocator(logger, cfg.Root),
+		nvidiaCTKExecutablePath: cfg.NVIDIAContainerToolkitCLIExecutablePath,
+		csvFiles:                csvFiles,
+	}
+
+	return &d, nil
+}
+
+// Hooks returns a hook to create the symlinks from the required CSV files
+func (d symlinks) Hooks() ([]Hook, error) {
+	hookPath := nvidiaCTKDefaultFilePath
+	targets, err := d.lookup.Locate(d.nvidiaCTKExecutablePath)
+	if err != nil {
+		d.logger.Warnf("Failed to locate %v: %v", d.nvidiaCTKExecutablePath, err)
+	} else if len(targets) == 0 {
+		d.logger.Warnf("%v not found", d.nvidiaCTKExecutablePath)
+	} else {
+		d.logger.Debugf("Found %v candidates: %v", d.nvidiaCTKExecutablePath, targets)
+		hookPath = targets[0]
+	}
+	d.logger.Debugf("Using NVIDIA Container Toolkit CLI path %v", hookPath)
+
+	args := []string{hookPath, "hook", "create-symlinks"}
+	for _, f := range d.csvFiles {
+		args = append(args, "--csv-filenames", f)
+	}
+
+	h := Hook{
+		Lifecycle: cdi.CreateContainerHook,
+		Path:      hookPath,
+		Args:      args,
+	}
+
+	return []Hook{h}, nil
+}
--- a/internal/edits/device.go
+++ b/internal/edits/device.go
@@ -0,0 +1,45 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package edits
+
+import (
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
+	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+)
+
+type device discover.Device
+
+// toEdits converts a discovered device to CDI Container Edits.
+func (d device) toEdits() *cdi.ContainerEdits {
+	e := cdi.ContainerEdits{
+		ContainerEdits: &specs.ContainerEdits{
+			DeviceNodes: []*specs.DeviceNode{d.toSpec()},
+		},
+	}
+	return &e
+}
+
+// toSpec converts a discovered Device to a CDI Spec Device. Note
+// that missing info is filled in when edits are applied by querying the Device node.
+func (d device) toSpec() *specs.DeviceNode {
+	s := specs.DeviceNode{
+		Path: d.Path,
+	}
+
+	return &s
+}
--- a/internal/edits/edits.go
+++ b/internal/edits/edits.go
@@ -0,0 +1,93 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package edits
+
+import (
+	"fmt"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+	ociSpecs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+)
+
+type edits struct {
+	cdi.ContainerEdits
+	logger *logrus.Logger
+}
+
+// NewSpecEdits creates a SpecModifier that defines the required OCI spec edits (as CDI ContainerEdits) from the specified
+// discoverer.
+func NewSpecEdits(logger *logrus.Logger, d discover.Discover) (oci.SpecModifier, error) {
+	devices, err := d.Devices()
+	if err != nil {
+		return nil, fmt.Errorf("failed to discover devices: %v", err)
+	}
+
+	mounts, err := d.Mounts()
+	if err != nil {
+		return nil, fmt.Errorf("failed to discover mounts: %v", err)
+	}
+
+	hooks, err := d.Hooks()
+	if err != nil {
+		return nil, fmt.Errorf("failed to discover hooks: %v", err)
+	}
+
+	c := cdi.ContainerEdits{}
+	for _, d := range devices {
+		c.Append(device(d).toEdits())
+	}
+
+	for _, m := range mounts {
+		c.Append(mount(m).toEdits())
+	}
+
+	for _, h := range hooks {
+		c.Append(hook(h).toEdits())
+	}
+
+	e := edits{
+		ContainerEdits: c,
+		logger:         logger,
+	}
+
+	return &e, nil
+}
+
+// Modify applies the defined edits to the incoming OCI spec
+func (e *edits) Modify(spec *ociSpecs.Spec) error {
+	if e == nil || e.ContainerEdits.ContainerEdits == nil {
+		return nil
+	}
+
+	e.logger.Info("Mounts:")
+	for _, mount := range e.Mounts {
+		e.logger.Infof("Mounting %v at %v", mount.HostPath, mount.ContainerPath)
+	}
+	e.logger.Infof("Devices:")
+	for _, device := range e.DeviceNodes {
+		e.logger.Infof("Injecting %v", device.Path)
+	}
+	e.logger.Infof("Hooks:")
+	for _, hook := range e.Hooks {
+		e.logger.Infof("Injecting %v", hook.Args)
+	}
+
+	return e.Apply(spec)
+}
--- a/internal/edits/hook.go
+++ b/internal/edits/hook.go
@@ -0,0 +1,47 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package edits
+
+import (
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
+	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+)
+
+type hook discover.Hook
+
+// toEdits converts a discovered hook to CDI Container Edits.
+func (d hook) toEdits() *cdi.ContainerEdits {
+	e := cdi.ContainerEdits{
+		ContainerEdits: &specs.ContainerEdits{
+			Hooks: []*specs.Hook{d.toSpec()},
+		},
+	}
+	return &e
+}
+
+// toSpec converts a discovered Hook to a CDI Spec Hook. Note
+// that missing info is filled in when edits are applied by querying the Hook node.
+func (d hook) toSpec() *specs.Hook {
+	s := specs.Hook{
+		HookName: d.Lifecycle,
+		Path:     d.Path,
+		Args:     d.Args,
+	}
+
+	return &s
+}
--- a/internal/edits/mount.go
+++ b/internal/edits/mount.go
@@ -0,0 +1,53 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package edits
+
+import (
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
+	"github.com/container-orchestrated-devices/container-device-interface/pkg/cdi"
+	"github.com/container-orchestrated-devices/container-device-interface/specs-go"
+)
+
+type mount discover.Mount
+
+// toEdits converts a discovered mount to CDI Container Edits.
+func (d mount) toEdits() *cdi.ContainerEdits {
+	e := cdi.ContainerEdits{
+		ContainerEdits: &specs.ContainerEdits{
+			Mounts: []*specs.Mount{d.toSpec()},
+		},
+	}
+	return &e
+}
+
+// toSpec converts a discovered Mount to a CDI Spec Mount. Note
+// that missing info is filled in when edits are applied by querying the Mount node.
+func (d mount) toSpec() *specs.Mount {
+	s := specs.Mount{
+		HostPath: d.Path,
+		// TODO: We need to allow the container path to be customised
+		ContainerPath: d.Path,
+		Options: []string{
+			"ro",
+			"nosuid",
+			"nodev",
+			"bind",
+		},
+	}
+
+	return &s
+}
--- a/internal/lookup/device.go
+++ b/internal/lookup/device.go
@@ -0,0 +1,53 @@
+/**
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package lookup
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	devRoot = "/dev"
+)
+
+// NewCharDeviceLocator creates a Locator that can be used to find char devices at the specified root. A logger is
+// also specified.
+func NewCharDeviceLocator(logger *logrus.Logger, root string) Locator {
+	l := file{
+		logger:   logger,
+		prefixes: []string{root, filepath.Join(root, devRoot)},
+		filter:   assertCharDevice,
+	}
+
+	return &l
+}
+
+// assertCharDevice checks whether the specified path is a char device and returns an error if this is not the case.
+func assertCharDevice(filename string) error {
+	info, err := os.Stat(filename)
+	if err != nil {
+		return fmt.Errorf("error getting info: %v", err)
+	}
+	if info.Mode()|os.ModeCharDevice == 0 {
+		return fmt.Errorf("%v is not a char device", filename)
+	}
+	return nil
+}
--- a/internal/lookup/dir.go
+++ b/internal/lookup/dir.go
@@ -0,0 +1,50 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package lookup
+
+import (
+	"fmt"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// NewDirectoryLocator creates a Locator that can be used to find directories at the specified root. A logger
+// is also specified.
+func NewDirectoryLocator(logger *log.Logger, root string) Locator {
+	l := file{
+		logger:   logger,
+		prefixes: []string{root},
+		filter:   assertDirectory,
+	}
+
+	return &l
+}
+
+// assertDirectory checks wither the specified path is a directory.
+func assertDirectory(filename string) error {
+	info, err := os.Stat(filename)
+	if err != nil {
+		return fmt.Errorf("error getting info for %v: %v", filename, err)
+	}
+
+	if !info.IsDir() {
+		return fmt.Errorf("specified path '%v' is not a directory", filename)
+	}
+
+	return nil
+}
--- a/internal/lookup/executable.go
+++ b/internal/lookup/executable.go
@@ -0,0 +1,93 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package lookup
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	envPath = "PATH"
+)
+
+var defaultPaths = []string{"/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"}
+
+type executable struct {
+	file
+}
+
+// NewExecutableLocator creates a locator to fine executable files in the path. A logger can also be specified.
+func NewExecutableLocator(logger *log.Logger, root string) Locator {
+	pathEnv := os.Getenv(envPath)
+	paths := filepath.SplitList(pathEnv)
+
+	if root != "" {
+		paths = append(paths, defaultPaths...)
+	}
+
+	var prefixes []string
+	for _, dir := range paths {
+		prefixes = append(prefixes, filepath.Join(root, dir))
+	}
+	l := executable{
+		file: file{
+			logger:   logger,
+			prefixes: prefixes,
+			filter:   assertExecutable,
+		},
+	}
+	return &l
+}
+
+var _ Locator = (*executable)(nil)
+
+// Locate finds executable files in the path. If a relative or absolute path is specified, the prefix paths are not considered.
+func (p executable) Locate(filename string) ([]string, error) {
+	// For absolute paths we ensure that it is executable
+	if strings.Contains(filename, "/") {
+		err := assertExecutable(filename)
+		if err != nil {
+			return nil, fmt.Errorf("absolute path %v is not an executable file: %v", filename, err)
+		}
+		return []string{filename}, nil
+	}
+
+	return p.file.Locate(filename)
+}
+
+// assertExecutable checks whether the specified path is an execuable file.
+func assertExecutable(filename string) error {
+	err := assertFile(filename)
+	if err != nil {
+		return err
+	}
+	info, err := os.Stat(filename)
+	if err != nil {
+		return err
+	}
+
+	if info.Mode()&0111 == 0 {
+		return fmt.Errorf("specified file '%v' is not executable", filename)
+	}
+
+	return nil
+}
--- a/internal/lookup/file.go
+++ b/internal/lookup/file.go
@@ -0,0 +1,85 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package lookup
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// file can be used to locate file (or file-like elements) at a specified set of
+// prefixes. The validity of a file is determined by a filter function.
+type file struct {
+	logger   *log.Logger
+	prefixes []string
+	filter   func(string) error
+}
+
+// NewFileLocator creates a Locator that can be used to find files at the specified root. A logger
+// can also be specified.
+func NewFileLocator(logger *log.Logger, root string) Locator {
+	l := newFileLocator(logger, root)
+
+	return &l
+}
+
+func newFileLocator(logger *log.Logger, root string) file {
+	return file{
+		logger:   logger,
+		prefixes: []string{root},
+		filter:   assertFile,
+	}
+}
+
+var _ Locator = (*file)(nil)
+
+// Locate attempts to find the specified file. All prefixes are searched and any matching
+// candidates are returned. If no matches are found, an error is returned.
+func (p file) Locate(filename string) ([]string, error) {
+	var filenames []string
+	for _, prefix := range p.prefixes {
+		candidate := filepath.Join(prefix, filename)
+		p.logger.Debugf("Checking candidate '%v'", candidate)
+		err := p.filter(candidate)
+		if err != nil {
+			p.logger.Debugf("Candidate '%v' does not meet requirements: %v", candidate, err)
+			continue
+		}
+		filenames = append(filenames, candidate)
+	}
+	if len(filename) == 0 {
+		return nil, fmt.Errorf("file %v not found", filename)
+	}
+	return filenames, nil
+}
+
+// assertFile checks whether the specified path is a regular file
+func assertFile(filename string) error {
+	info, err := os.Stat(filename)
+	if err != nil {
+		return fmt.Errorf("error getting info for %v: %v", filename, err)
+	}
+
+	if info.IsDir() {
+		return fmt.Errorf("specified path '%v' is a directory", filename)
+	}
+
+	return nil
+}
--- a/internal/lookup/locator.go
+++ b/internal/lookup/locator.go
@@ -0,0 +1,24 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package lookup
+
+//go:generate moq -stub -out locator_mock.go . Locator
+
+// Locator defines the interface for locating files on a system.
+type Locator interface {
+	Locate(string) ([]string, error)
+}
--- a/internal/lookup/locator_mock.go
+++ b/internal/lookup/locator_mock.go
@@ -0,0 +1,77 @@
+// Code generated by moq; DO NOT EDIT.
+// github.com/matryer/moq
+
+package lookup
+
+import (
+	"sync"
+)
+
+// Ensure, that LocatorMock does implement Locator.
+// If this is not the case, regenerate this file with moq.
+var _ Locator = &LocatorMock{}
+
+// LocatorMock is a mock implementation of Locator.
+//
+// 	func TestSomethingThatUsesLocator(t *testing.T) {
+//
+// 		// make and configure a mocked Locator
+// 		mockedLocator := &LocatorMock{
+// 			LocateFunc: func(s string) ([]string, error) {
+// 				panic("mock out the Locate method")
+// 			},
+// 		}
+//
+// 		// use mockedLocator in code that requires Locator
+// 		// and then make assertions.
+//
+// 	}
+type LocatorMock struct {
+	// LocateFunc mocks the Locate method.
+	LocateFunc func(s string) ([]string, error)
+
+	// calls tracks calls to the methods.
+	calls struct {
+		// Locate holds details about calls to the Locate method.
+		Locate []struct {
+			// S is the s argument value.
+			S string
+		}
+	}
+	lockLocate sync.RWMutex
+}
+
+// Locate calls LocateFunc.
+func (mock *LocatorMock) Locate(s string) ([]string, error) {
+	callInfo := struct {
+		S string
+	}{
+		S: s,
+	}
+	mock.lockLocate.Lock()
+	mock.calls.Locate = append(mock.calls.Locate, callInfo)
+	mock.lockLocate.Unlock()
+	if mock.LocateFunc == nil {
+		var (
+			stringsOut []string
+			errOut     error
+		)
+		return stringsOut, errOut
+	}
+	return mock.LocateFunc(s)
+}
+
+// LocateCalls gets all the calls that were made to Locate.
+// Check the length with:
+//     len(mockedLocator.LocateCalls())
+func (mock *LocatorMock) LocateCalls() []struct {
+	S string
+} {
+	var calls []struct {
+		S string
+	}
+	mock.lockLocate.RLock()
+	calls = mock.calls.Locate
+	mock.lockLocate.RUnlock()
+	return calls
+}
--- a/internal/lookup/symlinks.go
+++ b/internal/lookup/symlinks.go
@@ -0,0 +1,123 @@
+/**
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package lookup
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/sirupsen/logrus"
+)
+
+type symlinkChain struct {
+	file
+}
+
+type symlink struct {
+	file
+}
+
+// NewSymlinkChainLocator creats a locator that can be used for locating files through symlinks.
+// A logger can also be specified.
+func NewSymlinkChainLocator(logger *logrus.Logger, root string) Locator {
+	l := symlinkChain{
+		file: newFileLocator(logger, root),
+	}
+
+	return &l
+}
+
+// NewSymlinkLocator creats a locator that can be used for locating files through symlinks.
+// A logger can also be specified.
+func NewSymlinkLocator(logger *logrus.Logger, root string) Locator {
+	l := symlink{
+		file: newFileLocator(logger, root),
+	}
+
+	return &l
+}
+
+// Locate finds the specified file at the specified root. If the file is a symlink, the link is followed and all candidates
+// to the final target are returned.
+func (p symlinkChain) Locate(filename string) ([]string, error) {
+	candidates, err := p.file.Locate(filename)
+	if err != nil {
+		return nil, err
+	}
+	if len(candidates) == 0 {
+		return candidates, nil
+	}
+
+	found := make(map[string]bool)
+	for len(candidates) > 0 {
+		candidate := candidates[0]
+		candidates = candidates[:len(candidates)-1]
+		if found[candidate] {
+			continue
+		}
+		found[candidate] = true
+
+		info, err := os.Lstat(candidate)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get file info: %v", info)
+		}
+		if info.Mode()&os.ModeSymlink == 0 {
+			continue
+		}
+		target, err := os.Readlink(candidate)
+		if err != nil {
+			return nil, fmt.Errorf("error checking symlink: %v", err)
+		}
+
+		if !filepath.IsAbs(target) {
+			target, err = filepath.Abs(filepath.Join(filepath.Dir(candidate), target))
+			if err != nil {
+				return nil, fmt.Errorf("failed to construct absolute path: %v", err)
+			}
+		}
+
+		p.logger.Debugf("Resolved link: '%v' => '%v'", candidate, target)
+		if !found[target] {
+			candidates = append(candidates, target)
+		}
+	}
+
+	var filenames []string
+	for f := range found {
+		filenames = append(filenames, f)
+	}
+	return filenames, nil
+}
+
+// Locate finds the specified file at the specified root. If the file is a symlink, the link is resolved and the target returned.
+func (p symlink) Locate(filename string) ([]string, error) {
+	candidates, err := p.file.Locate(filename)
+	if err != nil {
+		return nil, err
+	}
+	if len(candidates) != 1 {
+		return nil, fmt.Errorf("failed to uniquely resolve symlink %v: %v", filename, candidates)
+	}
+
+	target, err := filepath.EvalSymlinks(candidates[0])
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve link: %v", err)
+	}
+
+	return []string{target}, err
+}
--- a/internal/oci/runtime_low_level.go
+++ b/internal/oci/runtime_low_level.go
@@ -25,19 +25,14 @@ import (

 // NewLowLevelRuntime creates a Runtime that wraps a low-level runtime executable.
 // The executable specified is taken from the list of supplied candidates, with the first match
-// present in the PATH being selected.
-func NewLowLevelRuntime(candidates ...string) (Runtime, error) {
-	return NewLowLevelRuntimeWithLogger(log.StandardLogger(), candidates...)
-}
-
-// NewLowLevelRuntimeWithLogger creates a Runtime as with NewLowLevelRuntime using the specified logger.
-func NewLowLevelRuntimeWithLogger(logger *log.Logger, candidates ...string) (Runtime, error) {
+// present in the PATH being selected. A logger is also specified.
+func NewLowLevelRuntime(logger *log.Logger, candidates []string) (Runtime, error) {
 	runtimePath, err := findRuntime(logger, candidates)
 	if err != nil {
 		return nil, fmt.Errorf("error locating runtime: %v", err)
 	}

-	return NewRuntimeForPathWithLogger(logger, runtimePath)
+	return NewRuntimeForPath(logger, runtimePath)
 }

 // findRuntime checks elements in a list of supplied candidates for a matching executable in the PATH.
--- a/internal/oci/runtime_path.go
+++ b/internal/oci/runtime_path.go
@@ -34,13 +34,8 @@ type pathRuntime struct {

 var _ Runtime = (*pathRuntime)(nil)

-// NewRuntimeForPath creates a Runtime for the specified path with the standard logger
-func NewRuntimeForPath(path string) (Runtime, error) {
-	return NewRuntimeForPathWithLogger(log.StandardLogger(), path)
-}
-
-// NewRuntimeForPathWithLogger creates a Runtime for the specified logger and path
-func NewRuntimeForPathWithLogger(logger *log.Logger, path string) (Runtime, error) {
+// NewRuntimeForPath creates a Runtime for the specified logger and path
+func NewRuntimeForPath(logger *log.Logger, path string) (Runtime, error) {
 	info, err := os.Stat(path)
 	if err != nil {
 		return nil, fmt.Errorf("invalid path '%v': %v", path, err)
--- a/internal/oci/runtime_path_test.go
+++ b/internal/oci/runtime_path_test.go
@@ -24,19 +24,21 @@ import (
 )

 func TestPathRuntimeConstructor(t *testing.T) {
-	r, err := NewRuntimeForPath("////an/invalid/path")
+	logger, _ := testlog.NewNullLogger()
+
+	r, err := NewRuntimeForPath(logger, "////an/invalid/path")
 	require.Error(t, err)
 	require.Nil(t, r)

-	r, err = NewRuntimeForPath("/tmp")
+	r, err = NewRuntimeForPath(logger, "/tmp")
 	require.Error(t, err)
 	require.Nil(t, r)

-	r, err = NewRuntimeForPath("/dev/null")
+	r, err = NewRuntimeForPath(logger, "/dev/null")
 	require.Error(t, err)
 	require.Nil(t, r)

-	r, err = NewRuntimeForPath("/bin/sh")
+	r, err = NewRuntimeForPath(logger, "/bin/sh")
 	require.NoError(t, err)

 	f, ok := r.(*pathRuntime)
--- a/internal/oci/spec.go
+++ b/internal/oci/spec.go
@@ -17,15 +17,20 @@
 package oci

 import (
-	oci "github.com/opencontainers/runtime-spec/specs-go"
+	"fmt"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
 )

-// SpecModifier is a function that accepts a pointer to an OCI Srec and returns an
-// error. The intention is that the function would modify the spec in-place.
-type SpecModifier func(*oci.Spec) error
+// SpecModifier defines an interace for modifying a (raw) OCI spec
+type SpecModifier interface {
+	// Modify is a method that accepts a pointer to an OCI Srec and returns an
+	// error. The intention is that the function would modify the spec in-place.
+	Modify(*specs.Spec) error
+}

 //go:generate moq -stub -out spec_mock.go . Spec
-
 // Spec defines the operations to be performed on an OCI specification
 type Spec interface {
 	Load() error
@@ -33,3 +38,20 @@ type Spec interface {
 	Modify(SpecModifier) error
 	LookupEnv(string) (string, bool)
 }
+
+// NewSpec creates fileSpec based on the command line arguments passed to the
+// application using the specified logger.
+func NewSpec(logger *logrus.Logger, args []string) (Spec, error) {
+	bundleDir, err := GetBundleDir(args)
+	if err != nil {
+		return nil, fmt.Errorf("error getting bundle directory: %v", err)
+	}
+	logger.Infof("Using bundle directory: %v", bundleDir)
+
+	ociSpecPath := GetSpecFilePath(bundleDir)
+	logger.Infof("Using OCI specification file path: %v", ociSpecPath)
+
+	ociSpec := NewFileSpec(ociSpecPath)
+
+	return ociSpec, nil
+}
--- a/internal/oci/spec_file.go
+++ b/internal/oci/spec_file.go
@@ -21,37 +21,21 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"strings"

-	oci "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/runtime-spec/specs-go"
 )

 type fileSpec struct {
-	*oci.Spec
+	memorySpec
 	path string
 }

 var _ Spec = (*fileSpec)(nil)

-// NewSpecFromArgs creates fileSpec based on the command line arguments passed to the
-// application
-func NewSpecFromArgs(args []string) (Spec, string, error) {
-	bundleDir, err := GetBundleDir(args)
-	if err != nil {
-		return nil, "", fmt.Errorf("error getting bundle directory: %v", err)
-	}
-
-	ociSpecPath := GetSpecFilePath(bundleDir)
-
-	ociSpec := NewSpecFromFile(ociSpecPath)
-
-	return ociSpec, bundleDir, nil
-}
-
-// NewSpecFromFile creates an object that encapsulates a file-backed OCI spec.
+// NewFileSpec creates an object that encapsulates a file-backed OCI spec.
 // This can be used to read from the file, modify the spec, and write to the
 // same file.
-func NewSpecFromFile(filepath string) Spec {
+func NewFileSpec(filepath string) Spec {
 	oci := fileSpec{
 		path: filepath,
 	}
@@ -68,29 +52,31 @@ func (s *fileSpec) Load() error {
 	}
 	defer specFile.Close()

-	return s.loadFrom(specFile)
-}
-
-// loadFrom reads the contents of the OCI spec from the specified io.Reader.
-func (s *fileSpec) loadFrom(reader io.Reader) error {
-	decoder := json.NewDecoder(reader)
-
-	var spec oci.Spec
-	err := decoder.Decode(&spec)
+	spec, err := LoadFrom(specFile)
 	if err != nil {
-		return fmt.Errorf("error reading OCI specification: %v", err)
+		return fmt.Errorf("error loading OCI specification from file: %v", err)
 	}
-
-	s.Spec = &spec
+	s.Spec = spec
 	return nil
 }

-// Modify applies the specified SpecModifier to the stored OCI specification.
-func (s *fileSpec) Modify(f SpecModifier) error {
-	if s.Spec == nil {
-		return fmt.Errorf("no spec loaded for modification")
+// LoadFrom reads the contents of the OCI spec from the specified io.Reader.
+func LoadFrom(reader io.Reader) (*specs.Spec, error) {
+	decoder := json.NewDecoder(reader)
+
+	var spec specs.Spec
+
+	err := decoder.Decode(&spec)
+	if err != nil {
+		return nil, fmt.Errorf("error reading OCI specification: %v", err)
 	}
-	return f(s.Spec)
+
+	return &spec, nil
+}
+
+// Modify applies the specified SpecModifier to the stored OCI specification.
+func (s *fileSpec) Modify(m SpecModifier) error {
+	return s.memorySpec.Modify(m)
 }

 // Flush writes the stored OCI specification to the filepath specifed by the path member.
@@ -106,48 +92,20 @@ func (s fileSpec) Flush() error {
 	}
 	defer specFile.Close()

-	return s.flushTo(specFile)
+	return flushTo(s.Spec, specFile)
 }

 // flushTo writes the stored OCI specification to the specified io.Writer.
-func (s fileSpec) flushTo(writer io.Writer) error {
-	if s.Spec == nil {
+func flushTo(spec *specs.Spec, writer io.Writer) error {
+	if spec == nil {
 		return nil
 	}
 	encoder := json.NewEncoder(writer)

-	err := encoder.Encode(s.Spec)
+	err := encoder.Encode(spec)
 	if err != nil {
 		return fmt.Errorf("error writing OCI specification: %v", err)
 	}

 	return nil
 }
-
-// LookupEnv mirrors os.LookupEnv for the OCI specification. It
-// retrieves the value of the environment variable named
-// by the key. If the variable is present in the environment the
-// value (which may be empty) is returned and the boolean is true.
-// Otherwise the returned value will be empty and the boolean will
-// be false.
-func (s fileSpec) LookupEnv(key string) (string, bool) {
-	if s.Spec == nil || s.Spec.Process == nil {
-		return "", false
-	}
-
-	for _, env := range s.Spec.Process.Env {
-		if !strings.HasPrefix(env, key) {
-			continue
-		}
-
-		parts := strings.SplitN(env, "=", 2)
-		if parts[0] == key {
-			if len(parts) < 2 {
-				return "", true
-			}
-			return parts[1], true
-		}
-	}
-
-	return "", false
-}
--- a/internal/oci/spec_file_test.go
+++ b/internal/oci/spec_file_test.go
@@ -25,111 +25,6 @@ import (
 	"github.com/stretchr/testify/require"
 )

-func TestLookupEnv(t *testing.T) {
-	const envName = "TEST_ENV"
-	testCases := []struct {
-		spec          *specs.Spec
-		expectedValue string
-		expectedExits bool
-	}{
-		{
-			// nil spec
-			spec:          nil,
-			expectedValue: "",
-			expectedExits: false,
-		},
-		{
-			// nil process
-			spec:          &specs.Spec{},
-			expectedValue: "",
-			expectedExits: false,
-		},
-		{
-			// nil env
-			spec: &specs.Spec{
-				Process: &specs.Process{},
-			},
-			expectedValue: "",
-			expectedExits: false,
-		},
-		{
-			// empty env
-			spec: &specs.Spec{
-				Process: &specs.Process{Env: []string{}},
-			},
-			expectedValue: "",
-			expectedExits: false,
-		},
-		{
-			// different env set
-			spec: &specs.Spec{
-				Process: &specs.Process{Env: []string{"SOMETHING_ELSE=foo"}},
-			},
-			expectedValue: "",
-			expectedExits: false,
-		},
-		{
-			// same prefix
-			spec: &specs.Spec{
-				Process: &specs.Process{Env: []string{"TEST_ENV_BUT_NOT=foo"}},
-			},
-			expectedValue: "",
-			expectedExits: false,
-		},
-		{
-			// same suffix
-			spec: &specs.Spec{
-				Process: &specs.Process{Env: []string{"NOT_TEST_ENV=foo"}},
-			},
-			expectedValue: "",
-			expectedExits: false,
-		},
-		{
-			// set blank
-			spec: &specs.Spec{
-				Process: &specs.Process{Env: []string{"TEST_ENV="}},
-			},
-			expectedValue: "",
-			expectedExits: true,
-		},
-		{
-			// set no-equals
-			spec: &specs.Spec{
-				Process: &specs.Process{Env: []string{"TEST_ENV"}},
-			},
-			expectedValue: "",
-			expectedExits: true,
-		},
-		{
-			// set value
-			spec: &specs.Spec{
-				Process: &specs.Process{Env: []string{"TEST_ENV=something"}},
-			},
-			expectedValue: "something",
-			expectedExits: true,
-		},
-		{
-			// set with equals
-			spec: &specs.Spec{
-				Process: &specs.Process{Env: []string{"TEST_ENV=something=somethingelse"}},
-			},
-			expectedValue: "something=somethingelse",
-			expectedExits: true,
-		},
-	}
-
-	for i, tc := range testCases {
-		spec := fileSpec{
-			Spec: tc.spec,
-		}
-
-		value, exists := spec.LookupEnv(envName)
-
-		require.Equal(t, tc.expectedValue, value, "%d: %v", i, tc)
-		require.Equal(t, tc.expectedExits, exists, "%d: %v", i, tc)
-	}
-}
-
 func TestLoadFrom(t *testing.T) {
 	testCases := []struct {
 		contents []byte
@@ -148,8 +43,8 @@ func TestLoadFrom(t *testing.T) {
 	}

 	for i, tc := range testCases {
-		spec := fileSpec{}
-		err := spec.loadFrom(bytes.NewReader(tc.contents))
+		var spec *specs.Spec
+		spec, err := LoadFrom(bytes.NewReader(tc.contents))

 		if tc.isError {
 			require.Error(t, err, "%d: %v", i, tc)
@@ -158,9 +53,9 @@ func TestLoadFrom(t *testing.T) {
 		}

 		if tc.spec == nil {
-			require.Nil(t, spec.Spec, "%d: %v", i, tc)
+			require.Nil(t, spec, "%d: %v", i, tc)
 		} else {
-			require.EqualValues(t, tc.spec, spec.Spec, "%d: %v", i, tc)
+			require.EqualValues(t, tc.spec, spec, "%d: %v", i, tc)
 		}
 	}
 }
@@ -183,8 +78,7 @@ func TestFlushTo(t *testing.T) {
 	for i, tc := range testCases {
 		buffer := bytes.Buffer{}

-		spec := fileSpec{Spec: tc.spec}
-		err := spec.flushTo(&buffer)
+		err := flushTo(tc.spec, &buffer)

 		if tc.isError {
 			require.Error(t, err, "%d: %v", i, tc)
@@ -196,53 +90,10 @@ func TestFlushTo(t *testing.T) {
 	}

 	// Add a simple test for a writer that returns an error when writing
-	spec := fileSpec{Spec: &specs.Spec{}}
-	err := spec.flushTo(errorWriter{})
+	err := flushTo(&specs.Spec{}, errorWriter{})
 	require.Error(t, err)
 }

-func TestModify(t *testing.T) {
-
-	testCases := []struct {
-		spec          *specs.Spec
-		modifierError error
-	}{
-		{
-			spec: nil,
-		},
-		{
-			spec: &specs.Spec{},
-		},
-		{
-			spec:          &specs.Spec{},
-			modifierError: fmt.Errorf("error in modifier"),
-		},
-	}
-
-	for i, tc := range testCases {
-		spec := fileSpec{Spec: tc.spec}
-
-		modifier := func(spec *specs.Spec) error {
-			if tc.modifierError == nil {
-				spec.Version = "updated"
-			}
-			return tc.modifierError
-		}
-
-		err := spec.Modify(modifier)
-
-		if tc.spec == nil {
-			require.Error(t, err, "%d: %v", i, tc)
-		} else if tc.modifierError != nil {
-			require.EqualError(t, err, tc.modifierError.Error(), "%d: %v", i, tc)
-			require.EqualValues(t, &specs.Spec{}, spec.Spec, "%d: %v", i, tc)
-		} else {
-			require.NoError(t, err, "%d: %v", i, tc)
-			require.Equal(t, "updated", spec.Spec.Version, "%d: %v", i, tc)
-		}
-	}
-}
-
 // errorWriter implements the io.Writer interface, always returning an error when
 // writing.
 type errorWriter struct{}
--- a/internal/oci/spec_memory.go
+++ b/internal/oci/spec_memory.go
@@ -0,0 +1,83 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package oci
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+type memorySpec struct {
+	*specs.Spec
+}
+
+// NewMemorySpec creates a Spec instance from the specified OCI spec
+func NewMemorySpec(spec *specs.Spec) Spec {
+	s := memorySpec{
+		Spec: spec,
+	}
+
+	return &s
+}
+
+// Load is a no-op for the memorySpec spec
+func (s *memorySpec) Load() error {
+	return nil
+}
+
+// Flush is a no-op for the memorySpec spec
+func (s *memorySpec) Flush() error {
+	return nil
+}
+
+// Modify applies the specified SpecModifier to the stored OCI specification.
+func (s *memorySpec) Modify(m SpecModifier) error {
+	if s.Spec == nil {
+		return fmt.Errorf("cannot modify nil spec")
+	}
+	return m.Modify(s.Spec)
+}
+
+// LookupEnv mirrors os.LookupEnv for the OCI specification. It
+// retrieves the value of the environment variable named
+// by the key. If the variable is present in the environment the
+// value (which may be empty) is returned and the boolean is true.
+// Otherwise the returned value will be empty and the boolean will
+// be false.
+func (s memorySpec) LookupEnv(key string) (string, bool) {
+	if s.Spec == nil || s.Spec.Process == nil {
+		return "", false
+	}
+
+	for _, env := range s.Spec.Process.Env {
+		if !strings.HasPrefix(env, key) {
+			continue
+		}
+
+		parts := strings.SplitN(env, "=", 2)
+		if parts[0] == key {
+			if len(parts) < 2 {
+				return "", true
+			}
+			return parts[1], true
+		}
+	}
+
+	return "", false
+}
--- a/internal/oci/spec_memory_test.go
+++ b/internal/oci/spec_memory_test.go
@@ -0,0 +1,178 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package oci
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLookupEnv(t *testing.T) {
+	const envName = "TEST_ENV"
+	testCases := []struct {
+		spec          *specs.Spec
+		expectedValue string
+		expectedExits bool
+	}{
+		{
+			// nil spec
+			spec:          nil,
+			expectedValue: "",
+			expectedExits: false,
+		},
+		{
+			// nil process
+			spec:          &specs.Spec{},
+			expectedValue: "",
+			expectedExits: false,
+		},
+		{
+			// nil env
+			spec: &specs.Spec{
+				Process: &specs.Process{},
+			},
+			expectedValue: "",
+			expectedExits: false,
+		},
+		{
+			// empty env
+			spec: &specs.Spec{
+				Process: &specs.Process{Env: []string{}},
+			},
+			expectedValue: "",
+			expectedExits: false,
+		},
+		{
+			// different env set
+			spec: &specs.Spec{
+				Process: &specs.Process{Env: []string{"SOMETHING_ELSE=foo"}},
+			},
+			expectedValue: "",
+			expectedExits: false,
+		},
+		{
+			// same prefix
+			spec: &specs.Spec{
+				Process: &specs.Process{Env: []string{"TEST_ENV_BUT_NOT=foo"}},
+			},
+			expectedValue: "",
+			expectedExits: false,
+		},
+		{
+			// same suffix
+			spec: &specs.Spec{
+				Process: &specs.Process{Env: []string{"NOT_TEST_ENV=foo"}},
+			},
+			expectedValue: "",
+			expectedExits: false,
+		},
+		{
+			// set blank
+			spec: &specs.Spec{
+				Process: &specs.Process{Env: []string{"TEST_ENV="}},
+			},
+			expectedValue: "",
+			expectedExits: true,
+		},
+		{
+			// set no-equals
+			spec: &specs.Spec{
+				Process: &specs.Process{Env: []string{"TEST_ENV"}},
+			},
+			expectedValue: "",
+			expectedExits: true,
+		},
+		{
+			// set value
+			spec: &specs.Spec{
+				Process: &specs.Process{Env: []string{"TEST_ENV=something"}},
+			},
+			expectedValue: "something",
+			expectedExits: true,
+		},
+		{
+			// set with equals
+			spec: &specs.Spec{
+				Process: &specs.Process{Env: []string{"TEST_ENV=something=somethingelse"}},
+			},
+			expectedValue: "something=somethingelse",
+			expectedExits: true,
+		},
+	}
+
+	for i, tc := range testCases {
+		spec := memorySpec{
+			Spec: tc.spec,
+		}
+
+		value, exists := spec.LookupEnv(envName)
+
+		require.Equal(t, tc.expectedValue, value, "%d: %v", i, tc)
+		require.Equal(t, tc.expectedExits, exists, "%d: %v", i, tc)
+	}
+}
+
+func TestModify(t *testing.T) {
+
+	testCases := []struct {
+		spec          *specs.Spec
+		modifierError error
+	}{
+		{
+			spec: nil,
+		},
+		{
+			spec: &specs.Spec{},
+		},
+		{
+			spec:          &specs.Spec{},
+			modifierError: fmt.Errorf("error in modifier"),
+		},
+	}
+
+	for i, tc := range testCases {
+		spec := NewMemorySpec(tc.spec).(*memorySpec)
+
+		err := spec.Modify(modifier{tc.modifierError})
+
+		if tc.spec == nil {
+			require.Error(t, err, "%d: %v", i, tc)
+		} else if tc.modifierError != nil {
+			require.EqualError(t, err, tc.modifierError.Error(), "%d: %v", i, tc)
+			require.EqualValues(t, &specs.Spec{}, spec.Spec, "%d: %v", i, tc)
+		} else {
+			require.NoError(t, err, "%d: %v", i, tc)
+			require.Equal(t, "updated", spec.Spec.Version, "%d: %v", i, tc)
+		}
+	}
+}
+
+// TODO: Ideally we would generated a mock for the SpecModifer too. This causes
+// an import cycle and we define a local type as a work-around.
+type modifier struct {
+	modifierError error
+}
+
+func (m modifier) Modify(spec *specs.Spec) error {
+	if m.modifierError == nil {
+		spec.Version = "updated"
+	}
+	return m.modifierError
+}
--- a/internal/oci/spec_test.go
+++ b/internal/oci/spec_test.go
@@ -1,17 +1,16 @@
 package oci

 import (
-	"fmt"
 	"os"
 	"path/filepath"
-	"runtime"
 	"testing"

+	"github.com/NVIDIA/nvidia-container-toolkit/internal/test"
 	"github.com/stretchr/testify/require"
 )

 func TestMaintainSpec(t *testing.T) {
-	moduleRoot, err := getModuleRoot()
+	moduleRoot, err := test.GetModuleRoot()
 	require.NoError(t, err)

 	files := []string{
@@ -21,7 +20,7 @@ func TestMaintainSpec(t *testing.T) {
 	for _, f := range files {
 		inputSpecPath := filepath.Join(moduleRoot, "test/input", f)

-		spec := NewSpecFromFile(inputSpecPath).(*fileSpec)
+		spec := NewFileSpec(inputSpecPath).(*fileSpec)

 		spec.Load()

@@ -38,21 +37,3 @@ func TestMaintainSpec(t *testing.T) {
 		require.JSONEq(t, string(inputContents), string(outputContents))
 	}
 }
-
-func getModuleRoot() (string, error) {
-	_, filename, _, _ := runtime.Caller(0)
-
-	return hasGoMod(filename)
-}
-
-func hasGoMod(dir string) (string, error) {
-	if dir == "" || dir == "/" {
-		return "", fmt.Errorf("module root not found")
-	}
-
-	_, err := os.Stat(filepath.Join(dir, "go.mod"))
-	if err != nil {
-		return hasGoMod(filepath.Dir(dir))
-	}
-	return dir, nil
-}
--- a/internal/oci/state.go
+++ b/internal/oci/state.go
@@ -0,0 +1,73 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package oci
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// State stores an OCI container state. This includes the spec path and the environment
+type State specs.State
+
+// LoadContainerState loads the container state from the specified filename. If the filename is empty or '-' the state is loaded from STDIN
+func LoadContainerState(filename string) (*State, error) {
+	if filename == "" || filename == "-" {
+		return ReadContainerState(os.Stdin)
+	}
+
+	inputFile, err := os.Open(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %v", err)
+	}
+	defer inputFile.Close()
+
+	return ReadContainerState(inputFile)
+}
+
+// ReadContainerState reads the container state from the specified reader
+func ReadContainerState(reader io.Reader) (*State, error) {
+	var s State
+
+	d := json.NewDecoder(reader)
+	if err := d.Decode(&s); err != nil {
+		return nil, fmt.Errorf("failed to decode container state: %v", err)
+	}
+
+	return &s, nil
+}
+
+// LoadSpec loads the OCI spec associated with the container state
+func (s State) LoadSpec() (*specs.Spec, error) {
+	specFilePath := GetSpecFilePath(s.Bundle)
+	specFile, err := os.Open(specFilePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open OCI spec file: %v", err)
+	}
+	defer specFile.Close()
+
+	spec, err := LoadFrom(specFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load OCI spec: %v", err)
+	}
+
+	return spec, nil
+}
--- a/internal/runtime/runtime_modifier.go
+++ b/internal/runtime/runtime_modifier.go
@@ -0,0 +1,86 @@
+/*
+# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package runtime
+
+import (
+	"fmt"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	log "github.com/sirupsen/logrus"
+)
+
+type modifyingRuntimeWrapper struct {
+	logger   *log.Logger
+	runtime  oci.Runtime
+	ociSpec  oci.Spec
+	modifier oci.SpecModifier
+}
+
+var _ oci.Runtime = (*modifyingRuntimeWrapper)(nil)
+
+// NewModifyingRuntimeWrapper creates a runtime wrapper that applies the specified modifier to the OCI specification
+// before invoking the wrapped runtime. If the modifier is nil, the input runtime is returned.
+func NewModifyingRuntimeWrapper(logger *log.Logger, runtime oci.Runtime, spec oci.Spec, modifier oci.SpecModifier) oci.Runtime {
+	if modifier == nil {
+		logger.Infof("Using low-level runtime with no modification")
+		return runtime
+	}
+
+	rt := modifyingRuntimeWrapper{
+		logger:   logger,
+		runtime:  runtime,
+		ociSpec:  spec,
+		modifier: modifier,
+	}
+	return &rt
+}
+
+// Exec checks whether a modification of the OCI specification is required and modifies it accordingly before exec-ing
+// into the wrapped runtime.
+func (r *modifyingRuntimeWrapper) Exec(args []string) error {
+	if oci.HasCreateSubcommand(args) {
+		err := r.modify()
+		if err != nil {
+			return fmt.Errorf("could not apply required modification to OCI specification: %v", err)
+		}
+		r.logger.Infof("Applied required modification to OCI specification")
+	} else {
+		r.logger.Infof("No modification of OCI specification required")
+	}
+
+	r.logger.Infof("Forwarding command to runtime")
+	return r.runtime.Exec(args)
+}
+
+// modify loads, modifies, and flushes the OCI specification using the defined Modifier
+func (r *modifyingRuntimeWrapper) modify() error {
+	err := r.ociSpec.Load()
+	if err != nil {
+		return fmt.Errorf("error loading OCI specification for modification: %v", err)
+	}
+
+	err = r.ociSpec.Modify(r.modifier)
+	if err != nil {
+		return fmt.Errorf("error modifying OCI spec: %v", err)
+	}
+
+	err = r.ociSpec.Flush()
+	if err != nil {
+		return fmt.Errorf("error writing modified OCI specification: %v", err)
+	}
+	return nil
+}
--- a/internal/runtime/runtime_modifier_test.go
+++ b/internal/runtime/runtime_modifier_test.go
@@ -0,0 +1,164 @@
+/*
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/
+
+package runtime
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	testlog "github.com/sirupsen/logrus/hooks/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestExec(t *testing.T) {
+	logger, hook := testlog.NewNullLogger()
+
+	testCases := []struct {
+		description   string
+		shouldLoad    bool
+		shouldModify  bool
+		shouldFlush   bool
+		shouldForward bool
+		args          []string
+		modifyError   error
+		writeError    error
+		modifer       oci.SpecModifier
+	}{
+		{
+			description:   "no args forwards",
+			shouldLoad:    false,
+			shouldModify:  false,
+			shouldFlush:   false,
+			shouldForward: true,
+			modifer:       &modiferMock{},
+		},
+		{
+			description:   "create modifies",
+			args:          []string{"create"},
+			shouldLoad:    true,
+			shouldModify:  true,
+			shouldFlush:   true,
+			shouldForward: true,
+			modifer:       &modiferMock{},
+		},
+		{
+			description:   "modify error does not write or forward",
+			args:          []string{"create"},
+			modifyError:   fmt.Errorf("error modifying"),
+			shouldLoad:    true,
+			shouldModify:  true,
+			shouldFlush:   false,
+			shouldForward: false,
+			modifer:       &modiferMock{},
+		},
+		{
+			description:   "write error does not forward",
+			args:          []string{"create"},
+			writeError:    fmt.Errorf("error writing"),
+			shouldLoad:    true,
+			shouldModify:  true,
+			shouldFlush:   true,
+			shouldForward: false,
+			modifer:       &modiferMock{},
+		},
+		{
+			description:   "nil modifier forwards on create",
+			args:          []string{"create"},
+			shouldLoad:    false,
+			shouldModify:  false,
+			shouldFlush:   false,
+			shouldForward: true,
+			modifer:       nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		hook.Reset()
+
+		t.Run(tc.description, func(t *testing.T) {
+			runtimeMock := &oci.RuntimeMock{}
+			specMock := &oci.SpecMock{
+				ModifyFunc: func(specModifier oci.SpecModifier) error {
+					return tc.modifyError
+				},
+				FlushFunc: func() error {
+					return tc.writeError
+				},
+			}
+
+			shim := NewModifyingRuntimeWrapper(
+				logger,
+				runtimeMock,
+				specMock,
+				// TODO: We should test the interactions with the SpecModifier too
+				tc.modifer,
+			)
+
+			err := shim.Exec(tc.args)
+			if tc.modifyError != nil || tc.writeError != nil {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+
+			if tc.shouldLoad {
+				require.Equal(t, 1, len(specMock.LoadCalls()))
+			} else {
+				require.Equal(t, 0, len(specMock.LoadCalls()))
+			}
+			if tc.shouldModify {
+				require.Equal(t, 1, len(specMock.ModifyCalls()))
+			} else {
+				require.Equal(t, 0, len(specMock.ModifyCalls()))
+			}
+			if tc.shouldFlush {
+				require.Equal(t, 1, len(specMock.FlushCalls()))
+			} else {
+				require.Equal(t, 0, len(specMock.FlushCalls()))
+			}
+			if tc.shouldForward {
+				require.Equal(t, 1, len(runtimeMock.ExecCalls()))
+			} else {
+				require.Equal(t, 0, len(runtimeMock.ExecCalls()))
+			}
+		})
+	}
+}
+
+func TestNilModiferReturnsRuntime(t *testing.T) {
+	logger, _ := testlog.NewNullLogger()
+
+	runtimeMock := &oci.RuntimeMock{}
+	specMock := &oci.SpecMock{}
+
+	shim := NewModifyingRuntimeWrapper(
+		logger,
+		runtimeMock,
+		specMock,
+		nil,
+	)
+
+	require.Equal(t, runtimeMock, shim)
+}
+
+type modiferMock struct{}
+
+func (m modiferMock) Modify(*specs.Spec) error {
+	return nil
+}
--- a/internal/test/test.go
+++ b/internal/test/test.go
@@ -0,0 +1,52 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package test
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+)
+
+// GetModuleRoot returns the path to the root of the go module
+func GetModuleRoot() (string, error) {
+	_, filename, _, _ := runtime.Caller(0)
+
+	return hasGoMod(filename)
+}
+
+// PrependToPath prefixes the specified additional paths to the PATH environment variable
+func PrependToPath(additionalPaths ...string) string {
+	paths := strings.Split(os.Getenv("PATH"), ":")
+	paths = append(additionalPaths, paths...)
+
+	return strings.Join(paths, ":")
+}
+
+func hasGoMod(dir string) (string, error) {
+	if dir == "" || dir == "/" {
+		return "", fmt.Errorf("module root not found")
+	}
+
+	_, err := os.Stat(filepath.Join(dir, "go.mod"))
+	if err != nil {
+		return hasGoMod(filepath.Dir(dir))
+	}
+	return dir, nil
+}
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -1,3 +1,29 @@
+nvidia-container-toolkit (1.10.0~rc.1-1) experimental; urgency=medium
+
+  * Include nvidia-ctk CLI in installed binaries
+  * Add experimental option to NVIDIA Container Runtime
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com>  Thu, 24 Mar 2022 13:22:24 +0200
+
+nvidia-container-toolkit (1.9.0-1) UNRELEASED; urgency=medium
+
+ * [libnvidia-container] Add additional check for Tegra in /sys/.../family file in CLI
+ * [libnvidia-container] Update jetpack-specific CLI option to only load Base CSV files by default
+ * [libnvidia-container] Fix bug (from 1.8.0) when mounting GSP firmware into containers without /lib to /usr/lib symlinks
+ * [libnvidia-container] Update nvml.h to CUDA 11.6.1 nvML_DEV 11.6.55
+ * [libnvidia-container] Update switch statement to include new brands from latest nvml.h
+ * [libnvidia-container] Process all --require flags on Jetson platforms
+ * [libnvidia-container] Fix long-standing issue with running ldconfig on Debian systems
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com> Fri, 18 Mar 2022 06:10:56 +0200
+
+nvidia-container-toolkit (1.8.1-1) UNRELEASED; urgency=medium
+
+ * [libnvidia-container] Fix bug in determining cgroup root when running in nested containers
+ * [libnvidia-container] Fix permission issue when determining cgroup version
+
+ -- NVIDIA CORPORATION <cudatools@nvidia.com> Mon, 14 Feb 2022 09:53:26 +0100
+
 nvidia-container-toolkit (1.8.0-1) UNRELEASED; urgency=medium

 * Promote 1.8.0~rc.2-1 to 1.8.0-1
--- a/packaging/debian/nvidia-container-toolkit.install
+++ b/packaging/debian/nvidia-container-toolkit.install
@@ -1,3 +1,4 @@
 config.toml /etc/nvidia-container-runtime
 nvidia-container-toolkit /usr/bin
-nvidia-container-runtime /usr/bin
+nvidia-container-runtime /usr/bin
+nvidia-ctk /usr/bin
--- a/packaging/rpm/SPECS/nvidia-container-toolkit.spec
+++ b/packaging/rpm/SPECS/nvidia-container-toolkit.spec
@@ -12,10 +12,11 @@ License: Apache-2.0

 Source0: nvidia-container-toolkit
 Source1: nvidia-container-runtime
-Source2: config.toml
-Source3: oci-nvidia-hook
-Source4: oci-nvidia-hook.json
-Source5: LICENSE
+Source2: nvidia-ctk
+Source3: config.toml
+Source4: oci-nvidia-hook
+Source5: oci-nvidia-hook.json
+Source6: LICENSE

 Obsoletes: nvidia-container-runtime <= 3.5.0-1, nvidia-container-runtime-hook
 Provides: nvidia-container-runtime
@@ -33,12 +34,13 @@ Requires: libseccomp
 Provides a OCI hook to enable GPU support in containers.

 %prep
-cp %{SOURCE0} %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} .
+cp %{SOURCE0} %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} .

 %install
 mkdir -p %{buildroot}%{_bindir}
 install -m 755 -t %{buildroot}%{_bindir} nvidia-container-toolkit
 install -m 755 -t %{buildroot}%{_bindir} nvidia-container-runtime
+install -m 755 -t %{buildroot}%{_bindir} nvidia-ctk

 mkdir -p %{buildroot}/etc/nvidia-container-runtime
 install -m 644 -t %{buildroot}/etc/nvidia-container-runtime config.toml
@@ -59,12 +61,30 @@ rm -f %{_bindir}/nvidia-container-runtime-hook
 %license LICENSE
 %{_bindir}/nvidia-container-toolkit
 %{_bindir}/nvidia-container-runtime
+%{_bindir}/nvidia-ctk
 %config /etc/nvidia-container-runtime/config.toml
 /usr/libexec/oci/hooks.d/oci-nvidia-hook
 /usr/share/containers/oci/hooks.d/oci-nvidia-hook.json

 %changelog
-* Fri Feb 04 2022 NVIDIA CORPORATION <cudatools@nvidia.com> 1.8.0-0.1.rc.3
+* Thu Mar 24 2022 NVIDIA CORPORATION <cudatools@nvidia.com> 1.10.0-0.1.rc.1
+- Include nvidia-ctk CLI in installed binaries
+- Add experimental option to NVIDIA Container Runtime
+
+* Fri Mar 18 2022 NVIDIA CORPORATION <cudatools@nvidia.com> 1.9.0-1
+- [libnvidia-container] Add additional check for Tegra in /sys/.../family file in CLI
+- [libnvidia-container] Update jetpack-specific CLI option to only load Base CSV files by default
+- [libnvidia-container] Fix bug (from 1.8.0) when mounting GSP firmware into containers without /lib to /usr/lib symlinks
+- [libnvidia-container] Update nvml.h to CUDA 11.6.1 nvML_DEV 11.6.55
+- [libnvidia-container] Update switch statement to include new brands from latest nvml.h
+- [libnvidia-container] Process all --require flags on Jetson platforms
+- [libnvidia-container] Fix long-standing issue with running ldconfig on Debian systems
+
+* Mon Feb 14 2022 NVIDIA CORPORATION <cudatools@nvidia.com> 1.8.1-1
+- [libnvidia-container] Fix bug in determining cgroup root when running in nested containers
+- [libnvidia-container] Fix permission issue when determining cgroup version
+
+* Fri Feb 04 2022 NVIDIA CORPORATION <cudatools@nvidia.com> 1.8.0-1
 - Promote 1.8.0-0.1.rc.2 to 1.8.0-1

 * Thu Jan 20 2022 NVIDIA CORPORATION <cudatools@nvidia.com> 1.8.0-0.1.rc.2
--- a/test/container/containerd_test.sh
+++ b/test/container/containerd_test.sh
@@ -91,7 +91,7 @@ testing::containerd::toolkit::test_config() {
 		"${toolkit_container_image}" -c "containerd setup \
 			--config=${output_config} \
 			--socket=${containerd_dind_containerd_dir}/containerd.sock \
-			--restart-mode=NONE \
+			--restart-mode=none \
 				/usr/local/nvidia/toolkit"

 	# As a basic test we check that the config has changed
@@ -107,7 +107,7 @@ testing::containerd::toolkit::test_config() {
 		"${toolkit_container_image}" -c "containerd cleanup \
 					--config=${output_config} \
 			--socket=${containerd_dind_containerd_dir}/containerd.sock \
-			--restart-mode=NONE \
+			--restart-mode=none \
 				/usr/local/nvidia/toolkit"

 	if [[ -s "${input_config}" ]]; then
--- a/test/input/csv_samples/.csv
+++ b/test/input/csv_samples/.csv
--- a/test/input/csv_samples/empty/.gitignore
+++ b/test/input/csv_samples/empty/.gitignore
--- a/test/input/csv_samples/jetson.csv
+++ b/test/input/csv_samples/jetson.csv
@@ -0,0 +1,171 @@
+dev, nvidiactl
+dev, nvhost-gpu
+dev, nvhost-ctrl
+dev, nvhost-nvdec
+dev, nvhost-ctrl-gpu
+dev, nvhost-prof-gpu
+dev, nvhost-dbg-gpu
+dev, nvmap
+dev, tegra_dc_ctrl
+dev, tegra_dc_0
+dev, tegra_dc_1
+dev, nvhost-vic
+dev, nvhost-as-gpu
+dir, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/include
+dir, /usr/lib/aarch64-linux-gnu/tegra-egl
+dir, /usr/src/tensorrt
+dir, /usr/local/cuda
+lib, /usr/lib/aarch64-linux-gnu/libv4l/plugins/libv4l2_nvvidconv.so
+lib, /usr/lib/aarch64-linux-gnu/libv4l/plugins/libv4l2_nvvideocodec.so
+lib, /usr/lib/aarch64-linux-gnu/libv4l1.so.0
+lib, /usr/lib/aarch64-linux-gnu/libv4l2.so
+lib, /usr/lib/aarch64-linux-gnu/libv4lconvert.so.0
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvarguscamerasrc.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvcompositor.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvdrmvideosink.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnveglglessink.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnveglstreamsrc.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvegltransform.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvivafilter.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvjpeg.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvtee.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvvidconv.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvvideo4linux2.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvvideocuda.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvvideosink.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstnvvideosinks.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstomx.so
+lib, /usr/lib/aarch64-linux-gnu/gstreamer-1.0/libgstpulseaudio.so
+lib, /usr/lib/aarch64-linux-gnu/libgstnvivameta.so
+lib, /usr/lib/aarch64-linux-gnu/libgstnvexifmeta.so
+lib, /usr/lib/aarch64-linux-gnu/libgstnvegl-1.0.so.0
+lib, /usr/lib/aarch64-linux-gnu/libnvonnxparser.so
+lib, /usr/lib/aarch64-linux-gnu/libnvinfer.so
+lib, /usr/lib/aarch64-linux-gnu/libnvinfer_plugin.so
+lib, /usr/lib/aarch64-linux-gnu/libnvparsers.so
+lib, /usr/lib/aarch64-linux-gnu/libcudnn.so
+lib, /usr/lib/aarch64-linux-gnu/libnvsample_cudaprocess.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libdrm.so.2
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvapputil.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvargus.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvargus_socketclient.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvargus_socketserver.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvavp.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvbuf_utils.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvcam_imageencoder.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvcameratools.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvcamerautils.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvcamlog.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvcamv4l2.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvcolorutil.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvdc.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvddk_2d_v2.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvddk_vic.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnveglstream_camconsumer.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnveglstreamproducer.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnveventlib.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvexif.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvfnet.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvfnetstoredefog.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvfnetstorehdfx.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_boot.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_camera.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_force.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_generic.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_gpucompute.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_graphics.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_il.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_spincircle.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_tbc.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvgov_ui.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvid_mapper.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvidia-egl-wayland.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvidia-eglcore.so.32.1.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvidia-fatbinaryloader.so.32.1.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvidia-glcore.so.32.1.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvidia-glsi.so.32.1.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvidia-glvkspirv.so.32.1.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvidia-ptxjitcompiler.so.1
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvidia-rmapi-tegra.so.32.1.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvidia-tls.so.32.1.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvimp.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvjpeg.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvll.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvmedia.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvmm.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvmm_contentpipe.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvmm_parser.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvmm_utils.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvmmlite.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvmmlite_image.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvmmlite_utils.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvmmlite_video.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvodm_imager.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvomx.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvomxilclient.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvos.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvosd.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvparser.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvphs.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvphsd.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvrm.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvrm_gpu.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvrm_graphics.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvscf.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvtestresults.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvtnr.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvtracebuf.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvtvmr.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvtx_helper.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libnvwinsys.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libsensors.hal-client.nvs.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libsensors.l4t.no_fusion.nvs.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libsensors_hal.nvs.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/libtegrav4l2.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/nvidia_icd.json
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/EGLWLInputEventExample
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/EGLWLMockNavigation
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/LayerManagerControl
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/desktop-shell.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/drm-backend.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/eglstream-backend.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/gl-renderer.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/hmi-controller.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/ivi-controller.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/ivi-shell.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/libilmClient.so.2.0.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/libilmCommon.so.2.0.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/libilmControl.so.2.0.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/libilmInput.so.2.0.0
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/libinput.so.10.10.1
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/spring-tool
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/wayland-backend.so
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-calibrator
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-clickdot
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-cliptest
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-desktop-shell
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-dnd
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-eventdemo
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-flower
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-fullscreen
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-image
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-info
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-ivi-shell-user-interface
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-keyboard
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-launch
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-multi-resource
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-resizor
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-scaler
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-screenshooter
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-simple-egl
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-simple-shm
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-simple-touch
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-smoke
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-stacking
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-subsurfaces
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-terminal
+lib, /usr/lib/aarch64-linux-gnu/tegra/weston/weston-transformed
+lib, /usr/lib/libvisionworks_tracking.so.0.88
+lib, /usr/lib/libvisionworks_sfm.so.0.90
+lib, /usr/lib/libvisionworks.so
--- a/test/input/csv_samples/other.not_csv
+++ b/test/input/csv_samples/other.not_csv
--- a/test/input/csv_samples/simple.csv
+++ b/test/input/csv_samples/simple.csv
@@ -0,0 +1,6 @@
+lib,/lib/target
+dir,/lib/target
+dev,/dev/null
+dev,full
+dev,/dev/target
+sym,/source
--- a/test/input/csv_samples/simple_wrong.csv
+++ b/test/input/csv_samples/simple_wrong.csv
@@ -0,0 +1 @@
+dir
--- a/test/input/csv_samples/spaced.csv
+++ b/test/input/csv_samples/spaced.csv
@@ -0,0 +1,9 @@
+   dev   , /dev/target 
+lib,      /lib/target
+
+dir,/lib/target   
+
+sym, /source
+
+       
+
--- a/test/release/docker/centos8/Dockerfile
+++ b/test/release/docker/centos8/Dockerfile
@@ -1,4 +1,15 @@
-FROM centos:8
+ARG BASEIMAGE=centos:8
+FROM ${BASEIMAGE}
+
+ARG BASEIMAGE
+# See https://www.centos.org/centos-linux-eol/
+# and https://stackoverflow.com/a/70930049 for move to vault.centos.org
+# and https://serverfault.com/questions/1093922/failing-to-run-yum-update-in-centos-8 for move to vault.epel.cloud
+RUN [[ "${BASEIMAGE}" != "centos:8" ]] || \
+    ( \
+      sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Linux-* && \
+      sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.epel.cloud|g' /etc/yum.repos.d/CentOS-Linux-* \
+    )

 RUN yum install -y \
    yum-utils \
--- a/third_party/libnvidia-container
+++ b/third_party/libnvidia-container
--- a/third_party/nvidia-container-runtime
+++ b/third_party/nvidia-container-runtime
--- a/third_party/nvidia-docker
+++ b/third_party/nvidia-docker
--- a/tools/container/containerd/containerd.go
+++ b/tools/container/containerd/containerd.go
@@ -33,7 +33,7 @@ import (
 const (
 	restartModeSignal  = "signal"
 	restartModeSystemd = "systemd"
-	restartModeNone    = "NONE"
+	restartModeNone    = "none"

 	nvidiaRuntimeName               = "nvidia"
 	nvidiaRuntimeBinary             = "nvidia-container-runtime"
@@ -154,7 +154,7 @@ func main() {
 		},
 		&cli.StringFlag{
 			Name:        "restart-mode",
-			Usage:       "Specify how containerd should be restarted; [signal | systemd]",
+			Usage:       "Specify how containerd should be restarted;  If 'none' is selected, it will not be restarted [signal | systemd | none]",
 			Value:       defaultRestartMode,
 			Destination: &options.restartMode,
 			EnvVars:     []string{"CONTAINERD_RESTART_MODE"},
--- a/Show More
+++ b/Show More