[lxc-devel] [lxc/master] NVIDIA hook improvements
flx42 on Github
lxc-bot at linuxcontainers.org
Mon Mar 19 22:44:08 UTC 2018
From 4a0a5e89e1b77056ee1564861e502bd7dba59656 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Mon, 19 Mar 2018 11:38:06 -0700
Subject: [PATCH 1/2] hooks: fix nvidia hook when running under the lxc-start
AppArmor profile
For a reason that I don't understand, the profile transition needs to
be done on the current process. Changing the attributes for a
subsequent execve(2) (with /proc/self/attr/exec) will cause the kernel
to set AT_SECURE in the auxiliary vector and thus secure_getenv(3)
inside libnvidia-container will return NULL.
Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
hooks/nvidia | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hooks/nvidia b/hooks/nvidia
index fbe05626c..185b0ed4a 100755
--- a/hooks/nvidia
+++ b/hooks/nvidia
@@ -235,5 +235,10 @@ if [ "${CLI_DISABLE_REQUIRE}" = "false" ]; then
done
fi
+if [ -d "/sys/kernel/security/apparmor" ]; then
+ # Try to transition to the unconfined AppArmor profile.
+ echo "changeprofile unconfined" > /proc/self/attr/current || true
+fi
+
set -x
exec nvidia-container-cli ${global_args[@]} configure ${configure_args[@]} "${LXC_ROOTFS_MOUNT}"
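Review bot: In the new AppArmor block, the write to /proc/self/attr/current ends in `|| true` and sits above `set -x`, so a refused transition is neither traced nor reported, and the script goes on to `exec nvidia-container-cli` under the original profile. Consider printing a warning to stderr when the write fails. The in-code comment should also say why the change is made on the current process rather than through /proc/self/attr/exec (the AT_SECURE / secure_getenv(3) effect given in the commit message), since moving the hook to unconfined is a step a later reader will want justified. The directory test on /sys/kernel/security/apparmor also attempts the transition when the hook is not confined; reading /proc/self/attr/current first would limit it to the case that needs it.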
From 89f1ef110e727919d7f2bf591732fb20d6a8951a Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Mon, 19 Mar 2018 15:38:53 -0700
Subject: [PATCH 2/2] hooks: implement passthrough for latest features of
libnvidia-container
The "display" driver capability will expose /dev/nvidia-modeset:
https://github.com/NVIDIA/libnvidia-container/commit/9398d41d9f571578d6543703d287b014bcf1bb8c
The "--ldcache" argument allows overriding the location of the DSO cache:
https://github.com/NVIDIA/libnvidia-container/commit/41656bf9ed71448972f3254a10ceb3c53225a4e6
The "--root" argument allows nvidia-container-cli to execute in a different rootfs:
https://github.com/NVIDIA/libnvidia-container/commit/019fdc14e325eea55fbe0397a581bda9d0c4c5b1
Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
hooks/nvidia | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/hooks/nvidia b/hooks/nvidia
index 185b0ed4a..5b2f55c1d 100755
--- a/hooks/nvidia
+++ b/hooks/nvidia
@@ -58,6 +58,7 @@ capability_to_cli() {
case "$1" in
compute) echo "--compute";;
compat32) echo "--compat32";;
+ display) echo "--display";;
graphics) echo "--graphics";;
utility) echo "--utility";;
video) echo "--video";;
@@ -87,12 +88,14 @@ Optional arguments:
[ --no-load-kmods ]: Do not try to load the NVIDIA kernel modules.
[ --disable-require ]: Disable all the constraints of the form NVIDIA_REQUIRE_*.
[ --debug <path> ]: The path to the log file.
+[ --ldcache <path> ]: The path to the host system's DSO cache.
+[ --root <path> ]: The path to the driver root directory.
[ --ldconfig <path> ]: The path to the ldconfig binary, use a '@' prefix for a host path.
EOF
return 0
}
-options=$(getopt -o h -l help,no-load-kmods,disable-require,debug:,ldconfig: -- "$@")
+options=$(getopt -o h -l help,no-load-kmods,disable-require,debug:,ldcache:,root:,ldconfig: -- "$@")
if [ $? -ne 0 ]; then
usage
exit 1
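Review bot: The help line added for `--root` ("The path to the driver root directory") does not match the commit message, which describes the option as letting nvidia-container-cli execute in a different rootfs; please make the two agree so users know which tree the path names. The `--ldcache` line should also state whether the value is always a host path, given that the neighbouring `--ldconfig` entry documents a '@' prefix for that purpose.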
@@ -102,6 +105,8 @@ eval set -- "$options"
CLI_LOAD_KMODS="true"
CLI_DISABLE_REQUIRE="false"
CLI_DEBUG=
+CLI_LDCACHE=
+CLI_ROOT=
CLI_LDCONFIG=
while :; do
@@ -110,6 +115,8 @@ while :; do
--no-load-kmods) CLI_LOAD_KMODS="false"; shift 1;;
--disable-require) CLI_DISABLE_REQUIRE="true"; shift 1;;
--debug) CLI_DEBUG=$2; shift 2;;
+ --ldcache) CLI_LDCACHE=$2; shift 2;;
+ --root) CLI_ROOT=$2; shift 2;;
--ldconfig) CLI_LDCONFIG=$2; shift 2;;
--) shift 1; break;;
*) break;;
@@ -188,7 +195,7 @@ for req in $(compgen -e "NVIDIA_REQUIRE_"); do
done
if [ "${CLI_CAPABILITIES}" = "all" ]; then
- CLI_CAPABILITIES="compute compat32 graphics utility video"
+ CLI_CAPABILITIES="compute compat32 display graphics utility video"
fi
if [ -z "${CLI_CAPABILITIES}" ]; then
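Review bot: Adding `display` to the expansion of "all" changes behaviour for every container that already requests all capabilities: after this change they are configured with `--display`, and with it /dev/nvidia-modeset per the commit message, without any change on the user's side. That widening deserves a sentence in the commit message or the usage text. It is also worth checking what the hook does when the installed nvidia-container-cli predates the linked commit and does not accept `--display`, since "all" now passes it unconditionally.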
@@ -212,6 +219,14 @@ if [ "${USERNS}" = "yes" ]; then
configure_args+=(--no-cgroups)
fi
+if [ -n "${CLI_LDCACHE}" ]; then
+ global_args+=(--ldcache="${CLI_LDCACHE}")
+fi
+
+if [ -n "${CLI_ROOT}" ]; then
+ global_args+=(--root="${CLI_ROOT}")
+fi
+
if [ -n "${CLI_LDCONFIG}" ]; then
configure_args+=(--ldconfig="${CLI_LDCONFIG}")
fi
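Review bot: The new `--ldcache` and `--root` values are appended to global_args, but the final `exec nvidia-container-cli ${global_args[@]} configure ${configure_args[@]}` line expands both arrays without quotes, so a path containing whitespace or glob characters is split or expanded before it reaches the CLI. Quote the expansions as "${global_args[@]}" and "${configure_args[@]}". Since `--root` selects the directory tree the driver files come from, consider also rejecting a value that is not an existing directory before building the argument list.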
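The first commit message ties the failure to AT_SECURE in the auxiliary vector and to secure_getenv(3) returning NULL. As an added example (not code from the patch, LXC or libnvidia-container), the C program below shows how to read that flag for the current or another process and what secure_getenv(3) returns; the variable name DEMO_HOOK_SETTING and all helper names are made up for illustration, and it assumes Linux with glibc.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE, AT_NULL */

/* Normally declared by <stdlib.h> under _GNU_SOURCE; repeated so the file
 * still builds if libc headers were included before the define above. */
char *secure_getenv(const char *name);

/* Find `type` in an auxiliary vector: (type, value) pairs of unsigned long,
 * terminated by AT_NULL. Returns 1 and stores the value in *out if found. */
int auxv_find(const unsigned long *vec, size_t pairs,
              unsigned long type, unsigned long *out)
{
    for (size_t i = 0; i < pairs && vec[2 * i] != AT_NULL; i++) {
        if (vec[2 * i] == type) {
            *out = vec[2 * i + 1];
            return 1;
        }
    }
    return 0;
}

/* AT_SECURE of another process, read from its /proc/<pid>/auxv file.
 * Assumes the target has the same word size as this program.
 * Returns 1 (secure-execution mode), 0 (normal) or -1 (unreadable/absent). */
int at_secure_of(const char *auxv_path)
{
    unsigned long vec[128], val = 0;
    FILE *f = fopen(auxv_path, "rb");
    if (!f) return -1;
    size_t words = fread(vec, sizeof vec[0], 128, f);
    fclose(f);
    return auxv_find(vec, words / 2, AT_SECURE, &val) ? (val != 0) : -1;
}

/* What a library that reads its settings with secure_getenv(3) sees. */
const char *library_view(const char *name) { return secure_getenv(name); }

int main(void)
{
    setenv("DEMO_HOOK_SETTING", "1", 1);  /* constructed variable name */
    const char *s = library_view("DEMO_HOOK_SETTING");
    printf("AT_SECURE via getauxval: %lu\n", getauxval(AT_SECURE));
    printf("AT_SECURE via /proc/self/auxv: %d\n", at_secure_of("/proc/self/auxv"));
    printf("getenv: %s\n", getenv("DEMO_HOOK_SETTING"));
    printf("secure_getenv: %s\n", s ? s : "(null)");
    return 0;
}
```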