WIP: Add an NRI plugin to filter which NUMA nodes a container has access to

[klueska]

This PR implements a Node Resource Interface (NRI) plugin to filter the set of NUMA nodes each container started by Kubernetes has access to. By default, each container is given access to either (1) the full set system NUMA nodes, or (2) the set of system nodes they have already been limited to before hitting the NRI plugin. The NUMA nodes associated with each GPU or MIG device they have access to are then added in one-by-one.

Currently, the implementation only works by parsing the incoming NVIDIA_VISIBLE_DEVICES envar set in the container to discover which GPUs / MIG devices it has access to.

Before we can merge this PR we will need to add the following features (at a minimum):

1. Add a flag to disable the NRI plugin from running entirely
2. Add a helm-chart option to toggle the enable/disable the running of the NRI plugin
3. Support CDI injected GPU/MIG devices
4. Support volume mounted GPU/MIG devices
5. Support NVIDIA_VISIBLE_DEVICES with indices instead of UUIDs

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[jgehrcke]

I assume this path does not exist on non-NUMA systems? On my laptop I seem to have NUMA support:

lscpu | grep -i numa
NUMA node(s):                         1
NUMA node0 CPU(s):                    0-13

$ stat /sys/devices/system/node/node0
  File: /sys/devices/system/node/node0
  Size: 0         	Blocks: 0          IO Block: 4096   directory

I wonder if we want to log an error on those systems, or rather have an info-level log message.

[klueska]

Yeah, we should probably return an error. I'd rather error out and have to deal with a bug report if we ever encounter a system that doesn't have NUMA enabled, than to a silently skip this without setting anything. One can always disable deployment of the plugin on such a system if they do encounter the error (once we add this option).

[klueska]

Piotr suggested just maintaining a list of GPU nodes vs. non-GPU nodes instead of an explicit list of system nodes. I think the rest of the logic would be robust to doing this since it operates as follows:

• When a container is being started, I first inspect what NUMA nodes it already has set
• If none are set, I set it to the full set of system nodes
• if something is set, I leave it in place but filter it against the system nodes I know about (essentially filtering out the GPU nodes)
• I then go back through 1-by1 adding the GPU nodes for the GPUs the container has access to

I think the same logic could be applied if all I tracked was GPU nodes and non-GPU nodes instead of trying to explicitly discover the system nodes.

[jgehrcke]

So, we define a "system node" to be any NUMA node that has a CPU assigned. Is that right? Is that the one, definite criterion or is there any other criterion? Should we call them cpuNodes? Is there a better way to detect system nodes?

[klueska]

That is the only criteria. We usually refer to this kind of memory as "system memory", which is why I picked "system nodes", but I'm open to suggestions.

[jgehrcke]

Can value at times be a list of integers instead of a list of UUIDs?

[klueska]

Yes, that is why I have the todo at the top of this saying we need to handel all list-strategies. I didn't include it in the list in the PR description though -- adding now.

[jgehrcke]

From were is this called? Ah... I assume it is the NRI lib that is calling into this.

[klueska]

Yes, it is a callback from the NRI plugin library.