Disable chmod-hook by default

[ArangoGutierrez]

Fixes #1218

The chmod createContainer hook was added as a workaround to a specific crun issue for device nodes that are found in subdirectories of /dev. Since this has since been addressed in crun, this PR disables the chmod hook by default to reduce the number of supported hooks.

See:

• https://gitlab.com/nvidia/container-toolkit/container-toolkit/-/merge_requests/232
• https://gitlab.com/nvidia/container-toolkit/container-toolkit/-/issues/8#note_1137929772
• MIGs inside Podman fail with crun containers/crun#1047 (comment)
• linux: create parent dir with 0755 containers/crun#1051
• https://github.com/containers/crun/releases/tag/1.7

[elezar]

As mentioned in the addition of the flag. Does maintaining a map of "forced" hooks make more sense here than handling each hook separately?

[elezar]

Does this indicate that we may need something like the following in the runtime config?

[nvidia-container-runtime.hooks]

disabled = [...]
# Specify a list of explicitly enabled hooks. If a hook is specified as both enabled and disabled, it will be enabled.
enabled = [...]

[coveralls]

Pull Request Test Coverage Report for Build 16913104397

Details

• 40 of 44 (90.91%) changed or added relevant lines in 5 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.3%) to 35.81%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/nvcdi/options.go	0	4	0.0%

Totals
Change from base Build 16907071183:	0.3%
Covered Lines:	4627
Relevant Lines:	12921

---

💛 - Coveralls

[elezar]

Suggested change

	Usage: "Explicitly enable a hook in the generated CDI specification. This can be specified multiple times.",
	Usage: "Explicitly enable a hook in the generated CDI specification. This overrides disabled hooks. This can be specified multiple times.",

[ArangoGutierrez]

added

[elezar]

Why is this required? I thought we added support to read settings from a config file using altsrc.

[ArangoGutierrez]

delete

[elezar]

I don't think we should add these config options, and IF we decide to add them we should not add them in the nvidia-container-runtime-hook section. This section is specific for the nvidia-container-runtime-hook that is used to call out to the nvidia-container-cli.

[ArangoGutierrez]

removed for now, maybe a discuss-todo item

[elezar]

Did you forget to push?

[ArangoGutierrez]

yes...

[ArangoGutierrez]

Sorry, now pushed

[elezar]

This implies ordering between the calls to WithDisabledHooks and WithEnabledHooks. I would rather have the order or precedence well-defined such that hooks that are specifically ENABLED take precedence over hooks that are specifically DISABLED.

[elezar]

Maybe this can be simplified by keeping the cdiHookCreator struct as is, and introducing an options struct that we can use to set up the correct values of disabledHooks.

[ArangoGutierrez]

you are right, let me think on a proper solution for this

[ArangoGutierrez]

Done

[elezar]

I thought we said we're going to remove this?

[ArangoGutierrez]

Removed

[elezar]

This need not be a map. Also does it make sense to just set this inline when constructing the hook creator?

[ArangoGutierrez]

turned into a list.
I do think it is better to have it here, so the list is easier to maintain. Over time, we might want to add other hooks to the list.

[Copilot]

Pull Request Overview

This PR disables the chmod createContainer hook by default, addressing issue #1218. The chmod hook was originally added as a workaround for a specific crun issue with device nodes in subdirectories of /dev, but this has since been fixed in crun version 1.7.

• Adds defaultDisabledHooks slice containing the ChmodHook to disable it by default
• Introduces WithEnabledHooks option to explicitly enable hooks that are disabled by default
• Updates the hook creation logic to handle both disabled and enabled hooks with proper precedence

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
internal/discover/hooks.go	Adds default disabled hooks list and enabled hooks functionality
pkg/nvcdi/options.go	Adds WithEnabledHook option function
pkg/nvcdi/lib.go	Adds enabledHooks field and passes it to hook creator
cmd/nvidia-ctk/cdi/generate/generate.go	Adds --enable-hook CLI flag and option handling
cmd/nvidia-ctk/cdi/generate/generate_test.go	Adds test case for enabling chmod hook
internal/runtime/runtime_factory.go	Refactors hook creator initialization to use options slice
cmd/nvidia-ctk-installer/toolkit/toolkit_test.go	Updates expected test output

[Copilot]

The loop iterates over enabledHooks variable instead of cdiHookCreator.enabledHooks. This will cause enabled hooks to not be properly processed since the local enabledHooks variable is always empty at this point.

Suggested change

	for hook := range enabledHooks {
	for hook := range cdiHookCreator.enabledHooks {

[elezar]

Does this mean that we don't have a test for the case where enabled overrides disabled?

[elezar]

Let's revert this change.

[elezar]

Let's update these to also use generics so that we can pass ...string or ...HookName.

[elezar]

Since this is only actually used in the construction of the cdiHookCreator and doesn't affect behaviour, does it make sense to split out separate options instead of updating the struct directly? Something like:

diff --git a/internal/discover/hooks.go b/internal/discover/hooks.go
index acfaef86..ada69fb8 100644
--- a/internal/discover/hooks.go
+++ b/internal/discover/hooks.go
@@ -85,12 +85,17 @@ func (h *Hook) Hooks() ([]Hook, error) {
 	return []Hook{*h}, nil
 }
 
-type Option func(*cdiHookCreator)
+type hookCreatorOptions struct {
+	nvidiaCDIHookPath string
+	disabledHooks     []HookName
+	enabledHooks      []HookName
+}
+
+type Option func(*hookCreatorOptions)
 
 type cdiHookCreator struct {
 	nvidiaCDIHookPath string
 	disabledHooks     map[HookName]bool
-	enabledHooks      map[HookName]bool
 
 	fixedArgs    []string
 	debugLogging bool
@@ -111,60 +116,61 @@ type HookCreator interface {
 
 // WithDisabledHooks explicitly disables the specified hooks.
 // This can be specified multiple times.
-func WithDisabledHooks(hooks ...HookName) Option {
-	return func(c *cdiHookCreator) {
-		for _, hook := range hooks {
-			c.disabledHooks[hook] = true
+func WithDisabledHooks[T string | HookName](hooks ...T) Option {
+	return func(c *hookCreatorOptions) {
+		for _, h := range hooks {
+			c.disabledHooks = append(c.disabledHooks, HookName(h))
 		}
 	}
 }
 
 // WithEnabledHooks explicitly enables the specified hooks.
 // This is useful for enabling hooks that are disabled by default.
-func WithEnabledHooks(hooks ...HookName) Option {
-	return func(c *cdiHookCreator) {
-		for _, hook := range hooks {
-			c.enabledHooks[hook] = true
+func WithEnabledHooks[T string | HookName](hooks ...T) Option {
+	return func(c *hookCreatorOptions) {
+		for _, h := range hooks {
+			c.enabledHooks = append(c.disabledHooks, HookName(h))
 		}
 	}
 }
 
 // WithNVIDIACDIHookPath sets the path to the nvidia-cdi-hook binary.
 func WithNVIDIACDIHookPath(nvidiaCDIHookPath string) Option {
-	return func(c *cdiHookCreator) {
+	return func(c *hookCreatorOptions) {
 		c.nvidiaCDIHookPath = nvidiaCDIHookPath
 	}
 }
 
 func NewHookCreator(opts ...Option) HookCreator {
-	disabledHooks := make(map[HookName]bool)
-	enabledHooks := make(map[HookName]bool)
-	for _, hook := range defaultDisabledHooks {
-		disabledHooks[hook] = true
-	}
-
-	cdiHookCreator := &cdiHookCreator{
+	o := &hookCreatorOptions{
 		nvidiaCDIHookPath: defaultNvidiaCDIHookPath,
-		disabledHooks:     disabledHooks,
-		enabledHooks:      enabledHooks,
 	}
 	for _, opt := range opts {
-		opt(cdiHookCreator)
+		opt(o)
 	}
 
-	// Correct the disabledHooks map to ensure that explicitly enabled hooks
-	// are not disabled.
-	for hook := range enabledHooks {
-		cdiHookCreator.disabledHooks[hook] = false
+	o.disabledHooks = append(o.disabledHooks, defaultDisabledHooks...)
+
+	disabledHooks := make(map[HookName]bool)
+	for _, h := range o.disabledHooks {
+		disabledHooks[h] = true
 	}
 
-	if cdiHookCreator.disabledHooks[AllHooks] {
+	if disabledHooks[AllHooks] && len(o.enabledHooks) == 0 {
 		return &allDisabledHookCreator{}
 	}
 
-	cdiHookCreator.fixedArgs = getFixedArgsForCDIHookCLI(cdiHookCreator.nvidiaCDIHookPath)
+	for _, h := range o.enabledHooks {
+		disabledHooks[h] = false
+	}
+
+	c := &cdiHookCreator{
+		nvidiaCDIHookPath: o.nvidiaCDIHookPath,
+		disabledHooks:     make(map[HookName]bool),
+		fixedArgs:         getFixedArgsForCDIHookCLI(o.nvidiaCDIHookPath),
+	}
 
-	return cdiHookCreator
+	return c
 }
 
 // Create creates a new hook with the given name and arguments.
@@ -183,7 +189,11 @@ func (c cdiHookCreator) Create(name HookName, args ...string) *Hook {
 }
 
 func (c cdiHookCreator) isDisabled(name HookName, args ...string) bool {
-	if c.disabledHooks[name] {
+	disabled, ok := c.disabledHooks[name]
+	if ok {
+		return disabled
+	}
+	if c.disabledHooks[AllHooks] {
 		return true
 	}
 

It would also be good to add a unit test to test cdiHookCreator.isDisabled behaviour.

[ArangoGutierrez]

Unit test added

[elezar]

nit: license header

[ArangoGutierrez]

done

[elezar]

We should be calling New() to test the actual constructor. Here we are just testing that we disable the hooks in the test.

[ArangoGutierrez]

done

[elezar]

We use the require package for our tests in this project.

[ArangoGutierrez]

Done

[elezar]

One note. Users that REQUIRE this hook don't have the option to opt-in to it when using the runtime -- only CDI. Maybe that's sufficient though.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.