[lxc-devel] [lxc/master] NVIDIA hook improvements

flx42 on Github lxc-bot at linuxcontainers.org
Mon Mar 19 22:44:08 UTC 2018


From 4a0a5e89e1b77056ee1564861e502bd7dba59656 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Mon, 19 Mar 2018 11:38:06 -0700
Subject: [PATCH 1/2] hooks: fix nvidia hook when running under the lxc-start
 AppArmor profile

For a reason that I don't understand, the profile transition needs to
be done on the current process. Changing the attributes for a
subsequent execve(2) (with /proc/self/attr/exec) will cause the kernel
to set AT_SECURE in the auxiliary vector and thus secure_getenv(3)
inside libnvidia-container will return NULL.

Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
 hooks/nvidia | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hooks/nvidia b/hooks/nvidia
index fbe05626c..185b0ed4a 100755
--- a/hooks/nvidia
+++ b/hooks/nvidia
@@ -235,5 +235,10 @@ if [ "${CLI_DISABLE_REQUIRE}" = "false" ]; then
     done
 fi
 
+if [ -d "/sys/kernel/security/apparmor" ]; then
+    # Try to transition to the unconfined AppArmor profile.
+    echo "changeprofile unconfined" > /proc/self/attr/current || true
+fi
+
 set -x
 exec nvidia-container-cli ${global_args[@]} configure ${configure_args[@]} "${LXC_ROOTFS_MOUNT}"
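Review bot: the `|| true` on the `changeprofile unconfined` write hides the one failure this hook cares about. If the lxc-start profile does not permit the transition, the write fails silently and the `exec` below still runs under the AT_SECURE behaviour the commit message describes, so `secure_getenv(3)` returning NULL surfaces later as an opaque `nvidia-container-cli` error instead of at the point of failure; logging a warning when the redirection fails (the hook already has `set -x` and a `--debug` log path) would make this diagnosable. The `-d /sys/kernel/security/apparmor` test also only shows that securityfs is mounted, not that this process is confined; reading `/proc/self/attr/current` first would let the hook skip the write when it is already unconfined. A short comment saying that this drops AppArmor confinement for the exec'd `nvidia-container-cli` as well as for the hook itself would help future readers, given the commit message says the reason `current` is needed instead of `exec` is not understood.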

From 89f1ef110e727919d7f2bf591732fb20d6a8951a Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Mon, 19 Mar 2018 15:38:53 -0700
Subject: [PATCH 2/2] hooks: implement passthrough for latest features of
 libnvidia-container

The "display" driver capability will expose /dev/nvidia-modeset:
https://github.com/NVIDIA/libnvidia-container/commit/9398d41d9f571578d6543703d287b014bcf1bb8c

The "--ldcache" argument allows overriding the location of the DSO cache:
https://github.com/NVIDIA/libnvidia-container/commit/41656bf9ed71448972f3254a10ceb3c53225a4e6

The "--root" argument allows nvidia-container-cli to execute in a different rootfs:
https://github.com/NVIDIA/libnvidia-container/commit/019fdc14e325eea55fbe0397a581bda9d0c4c5b1

Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
 hooks/nvidia | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/hooks/nvidia b/hooks/nvidia
index 185b0ed4a..5b2f55c1d 100755
--- a/hooks/nvidia
+++ b/hooks/nvidia
@@ -58,6 +58,7 @@ capability_to_cli() {
     case "$1" in
         compute)  echo "--compute";;
         compat32) echo "--compat32";;
+        display)  echo "--display";;
         graphics) echo "--graphics";;
         utility)  echo "--utility";;
         video)    echo "--video";;
@@ -87,12 +88,14 @@ Optional arguments:
 [ --no-load-kmods ]: Do not try to load the NVIDIA kernel modules.
 [ --disable-require ]: Disable all the constraints of the form NVIDIA_REQUIRE_*.
 [ --debug <path> ]: The path to the log file.
+[ --ldcache <path> ]: The path to the host system's DSO cache.
+[ --root <path> ]: The path to the driver root directory.
 [ --ldconfig <path> ]: The path to the ldconfig binary, use a '@' prefix for a host path.
 EOF
     return 0
 }
 
-options=$(getopt -o h -l help,no-load-kmods,disable-require,debug:,ldconfig: -- "$@")
+options=$(getopt -o h -l help,no-load-kmods,disable-require,debug:,ldcache:,root:,ldconfig: -- "$@")
 if [ $? -ne 0 ]; then
     usage
     exit 1
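Review bot: the usage text for `--root` ("The path to the driver root directory") does not match the commit message, which says `--root` lets `nvidia-container-cli` execute in a different rootfs; pick one wording so users know whether this is the directory the driver files live under or a rootfs to execute in. Both new descriptions should also say whether the path is interpreted on the host or in the container, as the `--ldconfig` line does with its `'@'` prefix convention.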
@@ -102,6 +105,8 @@ eval set -- "$options"
 CLI_LOAD_KMODS="true"
 CLI_DISABLE_REQUIRE="false"
 CLI_DEBUG=
+CLI_LDCACHE=
+CLI_ROOT=
 CLI_LDCONFIG=
 
 while :; do
@@ -110,6 +115,8 @@ while :; do
         --no-load-kmods)    CLI_LOAD_KMODS="false"; shift 1;;
         --disable-require)  CLI_DISABLE_REQUIRE="true"; shift 1;;
         --debug)            CLI_DEBUG=$2; shift 2;;
+        --ldcache)          CLI_LDCACHE=$2; shift 2;;
+        --root)             CLI_ROOT=$2; shift 2;;
         --ldconfig)         CLI_LDCONFIG=$2; shift 2;;
         --)                 shift 1; break;;
         *)                  break;;
@@ -188,7 +195,7 @@ for req in $(compgen -e "NVIDIA_REQUIRE_"); do
 done
 
 if [ "${CLI_CAPABILITIES}" = "all" ]; then
-    CLI_CAPABILITIES="compute compat32 graphics utility video"
+    CLI_CAPABILITIES="compute compat32 display graphics utility video"
 fi
 
 if [ -z "${CLI_CAPABILITIES}" ]; then
@@ -212,6 +219,14 @@ if [ "${USERNS}" = "yes" ]; then
     configure_args+=(--no-cgroups)
 fi
 
+if [ -n "${CLI_LDCACHE}" ]; then
+    global_args+=(--ldcache="${CLI_LDCACHE}")
+fi
+
+if [ -n "${CLI_ROOT}" ]; then
+    global_args+=(--root="${CLI_ROOT}")
+fi
+
 if [ -n "${CLI_LDCONFIG}" ]; then
     configure_args+=(--ldconfig="${CLI_LDCONFIG}")
 fi
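Review bot: `--ldcache` and `--root` are appended to `global_args` while `--ldconfig` goes to `configure_args`; a one-line comment noting that the first two are global options of `nvidia-container-cli` that must precede the `configure` subcommand would make the split look deliberate rather than accidental. Both values are user-supplied paths, and the final `exec` line expands `${global_args[@]}` unquoted, so a path containing whitespace or glob characters would be word-split or globbed; quoting it as `"${global_args[@]}"` (and likewise `"${configure_args[@]}"`) in the exec would make the new options safe for such paths.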

