bottlerocket-os · ytsssun · Jun 12, 2024
diff --git a/Release.toml b/Release.toml
@@ -319,4 +319,6 @@ version = "1.21.0"
     "migrate_v1.21.0_pod-infra-container-image-remove-settings-generator.lz4",
     "migrate_v1.21.0_pod-infra-container-image-affected-services.lz4",
     "migrate_v1.21.0_pod-infra-container-image-services.lz4",
+    "migrate_v1.21.0_container-runtime-nvidia-k8s.lz4",
+    "migrate_v1.21.0_container-runtime-nvidia-k8s-metadata.lz4",
 ]
diff --git a/packages/.gitignore b/packages/.gitignore
@@ -1,3 +1,4 @@
 *.patch.bz2
 *.src.rpm
 *.zip
+*.rpm
diff --git a/packages/nvidia-container-toolkit/nvidia-container-toolkit-config-k8s b/packages/nvidia-container-toolkit/nvidia-container-toolkit-config-k8s
@@ -0,0 +1,13 @@
+[required-extensions]
+kubernetes = "v1"
+std = { version = "v1", helpers = ["default"] }
+
++++
+accept-nvidia-visible-devices-as-volume-mounts = {{default true settings.kubernetes.nvidia.container-runtime.visible-devices-as-volume-mounts}}
+accept-nvidia-visible-devices-envvar-when-unprivileged = {{default false settings.kubernetes.nvidia.container-runtime.visible-devices-envvar-when-unprivileged}}
+
+[nvidia-container-cli]
+root = "/"
+path = "/usr/bin/nvidia-container-cli"
+environment = []
+ldconfig = "@/sbin/ldconfig"
diff --git a/packages/nvidia-container-toolkit/nvidia-container-toolkit-config-k8s.toml b/packages/nvidia-container-toolkit/nvidia-container-toolkit-config-k8s.toml
diff --git a/packages/nvidia-container-toolkit/nvidia-container-toolkit-tmpfiles-k8s.conf b/packages/nvidia-container-toolkit/nvidia-container-toolkit-tmpfiles-k8s.conf
@@ -1 +1 @@
-C /etc/nvidia-container-runtime/config.toml - - - - /usr/share/factory/nvidia-container-runtime/nvidia-container-toolkit-config-k8s.toml
+d /etc/nvidia-container-runtime - - - - -
diff --git a/packages/nvidia-container-toolkit/nvidia-container-toolkit.spec b/packages/nvidia-container-toolkit/nvidia-container-toolkit.spec
@@ -13,7 +13,7 @@ License: Apache-2.0
 URL: https://%{goimport}
 
 Source0: https://%{goimport}/archive/v%{gover}/nvidia-container-toolkit-%{gover}.tar.gz
-Source1: nvidia-container-toolkit-config-k8s.toml
+Source1: nvidia-container-toolkit-config-k8s
 Source2: nvidia-container-toolkit-config-ecs.toml
 Source3: nvidia-oci-hooks-json
 Source4: nvidia-gpu-devices.rules
@@ -82,5 +82,5 @@ ln -s shimpei %{buildroot}%{_cross_bindir}/nvidia-oci
 %{_cross_tmpfilesdir}/nvidia-container-toolkit-ecs.conf
 
 %files k8s
-%{_cross_factorydir}/nvidia-container-runtime/nvidia-container-toolkit-config-k8s.toml
+%{_cross_factorydir}/nvidia-container-runtime/nvidia-container-toolkit-config-k8s
 %{_cross_tmpfilesdir}/nvidia-container-toolkit-k8s.conf
diff --git a/sources/Cargo.lock b/sources/Cargo.lock
diff --git a/sources/Cargo.toml b/sources/Cargo.toml
@@ -27,6 +27,8 @@ members = [
     "api/migration/migrations/v1.21.0/pod-infra-container-image-affected-services",
     "api/migration/migrations/v1.21.0/pod-infra-container-image-remove-settings-generator",
     "api/migration/migrations/v1.21.0/pod-infra-container-image-services",
+    "api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s",
+    "api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s-metadata",
 
     "bloodhound",
 

diff --git a/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s-metadata/Cargo.toml b/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s-metadata/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "container-runtime-nvidia-k8s-metadata"
+version = "0.1.0"
+edition = "2021"
+authors = ["Yutong Sun <[email protected]>"]
+license = "Apache-2.0 OR MIT"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
+
+[build-dependencies]
+bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }
diff --git a/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s-metadata/build.rs b/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s-metadata/build.rs
@@ -0,0 +1,6 @@
+use bottlerocket_variant::Variant;
+
+fn main() {
+    let variant = Variant::from_env().unwrap();
+    variant.emit_cfgs();
+}
diff --git a/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s-metadata/src/main.rs b/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s-metadata/src/main.rs
@@ -0,0 +1,26 @@
+use migration_helpers::common_migrations::{AddMetadataMigration, NoOpMigration, SettingMetadata};
+use migration_helpers::migrate;
+use migration_helpers::Result;
+use std::process;
+
+/// We added a new setting for configuring container runtime (containerd) settings only for NVIDIA k8s variants.
+fn run() -> Result<()> {
+    if cfg!(variant_family = "aws-k8s") && cfg!(variant_flavor = "nvidia") {
+        migrate(AddMetadataMigration(&[SettingMetadata {
+            metadata: &["affected-services"],
+            setting: "settings.kubernetes.nvidia.container-runtime",
+        }]))
+    } else {
+        migrate(NoOpMigration)
+    }
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}
diff --git a/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s/Cargo.toml b/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "container-runtime-nvidia-k8s"
+version = "0.1.0"
+edition = "2021"
+authors = ["Monirul Islam <[email protected]>"]
+license = "Apache-2.0 OR MIT"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
+
+[build-dependencies]
+bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }
diff --git a/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s/build.rs b/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s/build.rs
@@ -0,0 +1,6 @@
+use bottlerocket_variant::Variant;
+
+fn main() {
+    let variant = Variant::from_env().unwrap();
+    variant.emit_cfgs();
+}
diff --git a/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s/src/main.rs b/sources/api/migration/migrations/v1.21.0/container-runtime-nvidia-k8s/src/main.rs
@@ -0,0 +1,24 @@
+use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration};
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We added a new setting for configuring container runtime (containerd) settings only for NVIDIA k8s variants.
+fn run() -> Result<()> {
+    if cfg!(variant_family = "aws-k8s") && cfg!(variant_flavor = "nvidia") {
+        migrate(AddPrefixesMigration(vec![
+            "settings.kubernetes.nvidia.container-runtime",
+        ]))
+    } else {
+        migrate(NoOpMigration)
+    }
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}
diff --git a/sources/models/shared-defaults/nvidia-k8s-container-toolkit.toml b/sources/models/shared-defaults/nvidia-k8s-container-toolkit.toml
@@ -0,0 +1,14 @@
+[settings.kubernetes.nvidia.container-runtime]
+visible-devices-as-volume-mounts = true
+visible-devices-envvar-when-unprivileged = false
+
+[metadata.settings.kubernetes.nvidia.container-runtime]
+affected-services = ["nvidia-container-toolkit"]
+
+[services.nvidia-container-toolkit]
+configuration-files = ["nvidia-container-toolkit"]
+restart-commands = []
+
+[configuration-files.nvidia-container-toolkit]
+path = "/etc/nvidia-container-runtime/config.toml"
+template-path = "/usr/share/factory/nvidia-container-runtime/nvidia-container-toolkit-config-k8s"
diff --git a/sources/models/src/aws-k8s-1.24-nvidia/defaults.d/81-nvidia-k8s-container-toolkit.toml b/sources/models/src/aws-k8s-1.24-nvidia/defaults.d/81-nvidia-k8s-container-toolkit.toml
@@ -0,0 +1 @@
+../../../shared-defaults/nvidia-k8s-container-toolkit.toml
diff --git a/sources/models/src/aws-k8s-1.25-nvidia/defaults.d/81-nvidia-k8s-container-toolkit.toml b/sources/models/src/aws-k8s-1.25-nvidia/defaults.d/81-nvidia-k8s-container-toolkit.toml
@@ -0,0 +1 @@
+../../../shared-defaults/nvidia-k8s-container-toolkit.toml
diff --git a/sources/models/src/aws-k8s-1.26-nvidia/defaults.d/81-nvidia-k8s-container-toolkit.toml b/sources/models/src/aws-k8s-1.26-nvidia/defaults.d/81-nvidia-k8s-container-toolkit.toml
@@ -0,0 +1 @@
+../../../shared-defaults/nvidia-k8s-container-toolkit.toml
diff --git a/sources/models/src/aws-k8s-1.30-nvidia/defaults.d/81-nvidia-k8s-container-toolkit.toml b/sources/models/src/aws-k8s-1.30-nvidia/defaults.d/81-nvidia-k8s-container-toolkit.toml
@@ -0,0 +1 @@
+../../../shared-defaults/nvidia-k8s-container-toolkit.toml
diff --git a/sources/models/src/lib.rs b/sources/models/src/lib.rs
@@ -307,6 +307,7 @@ struct KubernetesSettings {
     hostname_override: ValidLinuxHostname,
     // Generated in `k8s-1.25+` variants only
     seccomp_default: bool,
+    nvidia: K8sNvidiaSettings,
 }
 
 // ECS settings.
@@ -562,3 +563,14 @@ struct Report {
     name: String,
     description: String,
 }
+
+#[model]
+struct K8sNvidiaSettings {
+    container_runtime: K8sContainerRuntimeSettings,
+}
+
+#[model]
+struct K8sContainerRuntimeSettings {
+    visible_devices_as_volume_mounts: bool,
+    visible_devices_envvar_when_unprivileged: bool,
+}