Ensure that libcuda.so is in the ldcache #947
Conversation
|
/ok to test |
There was a problem hiding this comment.
PR Overview
This PR adds an end-to-end test to verify that the libcuda symlink chain is properly present in the ldcache when running via Docker with NVIDIA runtime. Key changes include:
- Addition of the "strings" import to support string splitting.
- New test block that pulls an Ubuntu image and runs a container to inspect the ldcache output for libcuda.
- Parsing and validation of the ldcache output to ensure both "libcuda.so" and "libcuda.so.1" are present.
Reviewed Changes
| File | Description |
|---|---|
| tests/e2e/nvidia-container-toolkit_test.go | Added an end-to-end test to validate the presence of libcuda symlink entries in the ldcache |
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
elezar
force-pushed
the
ensure-libcuda.so-in-ldcache
branch
from
6e7e1a8 to
44e6630
Compare
|
|
||
| // Create the 'create-soname-symlinks' command | ||
| c := cli.Command{ | ||
| Name: "create-soname-symlinks", |
There was a problem hiding this comment.
@klueska I elected to add a new hook entirely instead of modifying the existing update-ldcache. This is in keeping with "purpose-built hooks" and also means that the hook name can be used to indicate the intent.
elezar
force-pushed
the
ensure-libcuda.so-in-ldcache
branch
from
44e6630 to
e43da10
Compare
elezar
added
the
must-backport
elezar
force-pushed
the
ensure-libcuda.so-in-ldcache
branch
3 times, most recently
from
daadba9 to
9daa179
Compare
| "-N", | ||
| ) | ||
| // Explicitly specific the directories to add. | ||
| args = append(args, dirs...) |
There was a problem hiding this comment.
Question -- does this create .so symlinks for all libraries present in the specified directories? Does this differ from the behavior of the legacy libnvidia-container implementation, which IIRC would only create the .so symlinks for a small list of libraries (like libcuda.so)?
There was a problem hiding this comment.
This is not the .so symlinks, but the SONAME symlinks i.e. libcuda.so.1 -> libcuda.so.RM_VERSION in the case of libcuda. The .so symlinks are created using the "standard" create-symlinks hook.
elezar
force-pushed
the
ensure-libcuda.so-in-ldcache
branch
from
9daa179 to
035abe0
Compare
elezar
removed
the
must-backport
|
@cdesiniotis I am removing the must-backport label for this. Although this was triggered by a customer request, there is a workaround available and I would rather not backport another new hook to the |
Sounds good. |
| if hostDriverVersion == "" { | ||
| m.logger.Debugf("Host driver version not specified") | ||
| return "", nil | ||
| } | ||
| if !containerRoot.hasPath(cudaCompatPath) { | ||
| if !containerRoot.HasPath(cudaCompatPath) { |
There was a problem hiding this comment.
I have picked a more or less arbitrary place in the code to put the following comment. Having more expressive variable names would make review for me easier. You can postpone looking at this comment until after merge, that's fine with me! In the spirit of learning what we do here however I'd appreciate an answer at some point :)
In my software engineering life I have always deeply cared about file system terminology and operations, and about making related code readable and self-expressive. For example,
- I like to distinguish a "relative path" from an "absolute path" via variable name (if possible)
- I like to distinguish a file object from a file path via variable name
- I like to distinguish a path to a file from a path to a directory (expressing intent, of course these are technically the same)
- I like to call things a "base name" for expressing intent a well (when there are no path separators, and this is supposed to be a "file name" or "directory name").
What is containerRoot in canonical unix file path terminology?
- Is it guaranteed to point to a directory?
- Is it an absolute path?
- Is it always just
/?
What are some properties about cudaCompatPath that we know/guarantee, that we could also express in the variable name or in the type?
- Is it always a relative path (not starting with `/)?
- Is it always a path to a directory?
There was a problem hiding this comment.
Thanks for calling this out. I think we could do a pass through this and improve readability greatly. There is no rush on this particular PR (I've elected to hold the changes back from the v1.17.5 release) and as such, I think we can address these concerns here instead of as a follow-up.
The containerRootDir is the absolute path on the host filesystem to the root (/) of the container filesystem. It is specified in the OCI Runtime Specification as Root which informs the slightly ambiguous name. The containerRoot variable is the typed representation of this directory that allows us to attached helper functions such as HasPath / Resolve / Glob to it.
The cudaCompatPath is the absolute path to the directory containing the CUDA compat libraries in the container (if it exists). It defined as a constant with value /usr/local/cuda/compat. That is to say, it is always an absolute path to a directory in the container, and we're confirming that this exists, but have to calculate the path to this folder on the host filesystem to do this check.
There was a problem hiding this comment.
I think we can address these concerns here instead of as a follow-up.
Thank you for that!
There was a problem hiding this comment.
The containerRootDir is the absolute path on the host filesystem to the root (/) of the container filesystem
Is the container filesystem always accessible from within the host filesystem?
It is specified in the OCI Runtime Specification as Root which informs the slightly ambiguous name.
gotcha. Thanks for that background.
The cudaCompatPath is the absolute path to the directory containing the CUDA compat libraries in the container (if it exists).
Thank you for that precision. Now, that is quickly&easily understandable.
but have to calculate the path to this folder on the host filesystem to do this check
meaning that it's always mounted into the container, and never baked into it?
There was a problem hiding this comment.
meaning that it's always mounted into the container, and never baked into it?
No, I think there's a misunderstanding. The folder is baked into the container, but the hook is running on the host (in the Container's mount namespace). This means that we need to calculate the host path to the /usr/local/cuda/compat folder to check if it exists.
| ) | ||
|
|
||
| // A ContainerRoot represents the root filesystem of a container. | ||
| type ContainerRoot string |
There was a problem hiding this comment.
Oh, it's just a string.
Relates to my previous comment: I'd love to see the intent expressed in the variable name: path to a directory?
And this is probably really just my lack of knowledge: I wonder: when is the container's root file system not located at just /?
There was a problem hiding this comment.
I have added som context above. Let me know if it's not clear and I can add more information.
elezar
force-pushed
the
ensure-libcuda.so-in-ldcache
branch
3 times, most recently
from
7229201 to
bdfaea4
Compare
cmd/nvidia-cdi-hook/chmod/chmod.go
Outdated
| @@ -113,15 +113,15 @@ func (m command) run(c *cli.Context, cfg *config) error { | |||
| return fmt.Errorf("failed to load container state: %v", err) | |||
| } | |||
|
|
|||
| containerRoot, err := s.GetContainerRoot() | |||
| containerRoot, err := s.GetContainerRootDirPath() | |||
There was a problem hiding this comment.
❤️ Thanks for adding clarity here.
And now that I have read your explanation.. this is a path that is valid in the host filesystem, and points to the container filesystem's root..? :)
There was a problem hiding this comment.
Yes. It is the absolute path on the host where the root of the container's filesystem is located.
elezar
force-pushed
the
ensure-libcuda.so-in-ldcache
branch
5 times, most recently
from
66fe6d4 to
f653469
Compare
Pull Request Test Coverage Report for Build 15707946920Details
💛 - Coveralls |
Pull Request Test Coverage Report for Build 15849722836Details
💛 - Coveralls |
elezar
force-pushed
the
ensure-libcuda.so-in-ldcache
branch
from
f653469 to
bedd086
Compare
| if ldconfig != "" { | ||
| args = append(args, "--ldconfig-path", ldconfig) | ||
| if d.ldconfigPath != "" { | ||
| args = append(args, "--ldconfig-path", d.ldconfigPath) |
internal/ldconfig/ldconfig.go
Outdated
| args = append(args, "-N") | ||
| } | ||
|
|
||
| // If we did not create the |
There was a problem hiding this comment.
If we did not create the rest of the sentence, then
| } | ||
|
|
||
| type options struct { | ||
| folders cli.StringSlice |
There was a problem hiding this comment.
agree with Jan-P Directory is a much nicer call to Folder.
There was a problem hiding this comment.
These options are filled by the CLI. A convention that I use is that the member matches (with the exception of plurality if required) the primary flag. Since the CLI argument is --folder (and can be repeated), I want to keep this folders.
elezar
force-pushed
the
ensure-libcuda.so-in-ldcache
branch
from
bedd086 to
fddc1d3
Compare
| } | ||
|
|
||
| type options struct { | ||
| folders cli.StringSlice |
There was a problem hiding this comment.
agree with Jan-P Directory is a much nicer call to Folder.
| c.Flags = []cli.Flag{ | ||
| &cli.StringSliceFlag{ | ||
| Name: "folder", | ||
| Usage: "Specify a folder to generate soname symlinks in", |
There was a problem hiding this comment.
if we end up deciding for directory over folder on the discussion above, let's make sure we update this string
| &cli.StringSliceFlag{ | ||
| Name: "folder", | ||
| Usage: "Specify a folder to generate soname symlinks in", | ||
| Destination: &cfg.folders, |
| } | ||
| } | ||
|
|
||
| // createSonameSymlinks runs ldconfig enusures that soname symlinks are created |
There was a problem hiding this comment.
| // createSonameSymlinks runs ldconfig enusures that soname symlinks are created | |
| // createSonameSymlinks runs ldconfig ensures that soname symlinks are created |
| // | ||
| // args[0] is the reexec initializer function name | ||
| // args[1] is the path of the ldconfig binary on the host | ||
| // args[2] is the container root directory |
There was a problem hiding this comment.
we use directory here, I guess this is a good clue on how to define the discussion above.
There was a problem hiding this comment.
This directory is different from the other directories that we're talking about.
| // | ||
| // args[0] is the reexec initializer function name | ||
| // args[1] is the path of the ldconfig binary on the host | ||
| // args[2] is the container root directory | ||
| // The remaining args are folders that need to be added to the ldcache. | ||
| // The remaining args are folders where soname symlinks need to be created. |
There was a problem hiding this comment.
jeje folders vs dir conversation. I guess is was a nice Nit catch by @jgehrcke
internal/ldconfig/ldconfig.go
Outdated
| } | ||
|
|
||
| // CreateSonameSymlinks uses ldconfig to create the soname symlinks in the | ||
| // specified folders. |
| // If the ld.so.conf.d directory exists, we create a config file there | ||
| // containing the required directories, otherwise we add the specified | ||
| // directories to the ldconfig command directly. |
There was a problem hiding this comment.
here we use dir but some lines above we use folder
Please note that the API for the hook uses |
This change adds a create-soname-symlinks hook that can be used to ensure that the soname symlinks for injected libraries exist in a container. This is done by calling ldconfig -n -N for the directories containing the injected libraries. This also ensures that libcuda.so is present in the ldcache when the update-ldcache hook is run. Signed-off-by: Evan Lezar <[email protected]>
Signed-off-by: Evan Lezar <[email protected]>
elezar
force-pushed
the
ensure-libcuda.so-in-ldcache
branch
from
fddc1d3 to
39975fc
Compare
These changes add a hook to create soname symlinks (e.g.
libcuda.so.1->libcuda.so.RM_VERSION) to ensure that thelibcuda.so->libcuda.so.1->libcuda.so.RM_VERSIONsymlink chain exists when the ldcache is updated. This allowslibcuda.soto be present in the ldcache whenldconfigis run.Note that since we're adding a new hook, a generating client such as the k8s-device plugin or the k8s-dra-driver-gpu must be used with a
nvidia-cdi-hookbinary with a sufficient version.See https://nvbugspro.nvidia.com/bug/5076022