Skip to content

Add CUDA forward compatibility hook #948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Feb 28, 2025
Merged

Add CUDA forward compatibility hook #948

merged 6 commits into from
Feb 28, 2025

Conversation

@elezar
Copy link
Member

@elezar elezar commented Feb 27, 2025

With #877 the default behaviour of the NVIDIA Container Runtime / NVIDIA Container Runtime Hook was changed to not mount compat libraries from the container into the container. This removed "automatic" support for CUDA Forward compatibility.

This change attempts to address this by adding a createContainerHook that will create a file in /etc/ld.so.conf.d/ in the container to ensure that the /usr/local/cuda/compat libraries are added to the ldcache over the libraries mounted from the host. The provided host diver version is compared to the version of the compat libraries in the container and the config update is only performed if the compat libraries are newer than the host drivers.

Note that the hook only creates a file in the container's file system and does not perform any mount operations. This means that this mechanism is not present the same vulnerabilities causing CVE-2024-0132 and CVE-2025-23359.

In the case of the legacy runtime, this behaviour is only triggered if the allow-cuda-compat-libs-from-container feature flag is not enabled. The CDI spec generation has also been extended to include this hook.

This backports #906

@elezar
Add enable-cuda-compat hook to allow compat libs to be discovered
76040ff 
This change adds an nvidia-cdi-hook enable-cuda-compat hook that checks the
container for cuda compat libs and updates /etc/ld.so.conf.d to include their
parent folder if their driver major version is sufficient.

This allows CUDA Forward Compatibility to be used when this is not available
through the libnvidia-container.

Signed-off-by: Evan Lezar <[email protected]>
@elezar
Add enable-cuda-compat hook if required
e1ae57e 
This change adds the enable-cuda-compat hook to the incomming OCI runtime spec
if the allow-cuda-compat-libs-from-container feature flag is not enabled.

An update-ldcache hook is also injected to ensure that the required folders
are processed.

Signed-off-by: Evan Lezar <[email protected]>
@elezar
Add ldconfig hook in legacy mode
f445d4b 
Signed-off-by: Evan Lezar <[email protected]>
@elezar elezar added this to the v1.17.5 milestone Feb 27, 2025
@elezar elezar self-assigned this Feb 27, 2025
@elezar elezar force-pushed the add-compat-lib-hook branch from 3307cb1 to c1bac28 Compare February 27, 2025 15:35
@elezar elezar merged commit f5680dd into NVIDIA:release-1.17 Feb 28, 2025
10 checks passed
@elezar elezar deleted the add-compat-lib-hook branch February 28, 2025 15:10
@KCSesh KCSesh mentioned this pull request Apr 17, 2025
Merged
luodw
luodw reviewed May 24, 2025
View reviewed changes
internal/runtime/runtime_factory.go
return []string{"nvidia-hook-remover", "feature-gated", "mode"}
default:
return []string{"mode", "graphics", "feature-gated"}
return []string{"feature-gated", "graphics", "mode"}
Copy link

@luodw luodw May 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@elezar Hi, I have a question here. In this modifier order, it will create CreateContainer Hook like this ["enable-cuda-compat", "update-ldcache", "create-symlinks"]. As "update-ldcache" runs before "create-symlinks", so hook "create-symlinks" do some bind mount so(dynamic link library) in container will not add into ldcache?

debarshiray added a commit to debarshiray/toolbox that referenced this pull request Jun 11, 2025
@debarshiray
build, pkg/nvidia: Bump NVIDIA Container Toolkit to 1.17.5
eb73692 
NVIDIA Container Toolkit 1.17.5 requires Go >= 1.22 [1], and starts
using enable-cuda-compat hooks in the Container Device Interface
specification generated by it [2].  For example:
  "hookName": "createContainer",
  "path": "/usr/bin/nvidia-cdi-hook",
  "args": [
    "nvidia-cdi-hook",
    "enable-cuda-compat",
    "--host-driver-version=570.153.02"
  ]

The new hook makes it possible to have containers with a
/usr/local/cuda/compat/libcuda.so.* that's newer than the proprietary
NVIDIA driver on the host operating system, so that applications can use
a newer CUDA without having to update the driver [3].  Even though this
sounds useful, the hook has been disabled until it's handled by the
'init-container' command and there's a clear way to test it.

The src/go.sum file was updated with 'go mod tidy'.

[1] NVIDIA Container Toolkit commit 5bdf14b1e7c24763
    NVIDIA/nvidia-container-toolkit@5bdf14b1e7c24763
    NVIDIA/nvidia-container-toolkit#941
    NVIDIA/nvidia-container-toolkit#950

[2] NVIDIA Container Toolkit commit 76040ff2ad63fb82
    NVIDIA/nvidia-container-toolkit@76040ff2ad63fb82
    NVIDIA/nvidia-container-toolkit#906
    NVIDIA/nvidia-container-toolkit#948

[3] https://docs.nvidia.com/deploy/cuda-compatibility/

containers#1662
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ArangoGutierrez ArangoGutierrez ArangoGutierrez approved these changes

@cdesiniotis cdesiniotis Awaiting requested review from cdesiniotis

@tariq1890 tariq1890 Awaiting requested review from tariq1890

@klueska klueska Awaiting requested review from klueska

+1 more reviewer

@luodw luodw luodw left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@elezar elezar

Labels

backport

Projects

None yet

Milestone

v1.17.5

Development

Successfully merging this pull request may close these issues.

3 participants

@elezar @luodw @ArangoGutierrez