feat: Add config.toml for rootless container support

ublue-os · Feb 16, 2023 · 64d9089 · 64d9089
1 parent 36adc24
commit 64d9089
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 6 deletions.
diff --git a/Containerfile b/Containerfile
@@ -47,6 +47,11 @@ ADD ublue-os-nvidia-addons.spec /tmp/ublue-os-nvidia-addons/ublue-os-nvidia-addo
 
 ADD https://nvidia.github.io/nvidia-docker/rhel9.0/nvidia-docker.repo \
     /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/nvidia-container-runtime.repo
+
+RUN sed -i "s@gpgcheck=0@gpgcheck=1@" /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/nvidia-container-runtime.repo
+
+ADD files/etc/nvidia-container-runtime/config-rootless.toml \
+    /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/config-rootless.toml
 ADD https://raw.githubusercontent.com/NVIDIA/dgx-selinux/master/bin/RHEL9/nvidia-container.pp \
     /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/nvidia-container.pp
 
@@ -65,30 +70,35 @@ RUN rpm -q "xorg-x11-drv-$(cat /tmp/nvidia-package-name.txt)" \
 
 FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION}
 
-COPY --from=builder /var/cache/akmods      /tmp/akmods
+COPY --from=builder /var/cache/akmods /tmp/akmods
 COPY --from=builder /tmp/ublue-os-nvidia-addons /tmp/ublue-os-nvidia-addons
 
 RUN sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-{cisco-openh264,modular,updates-modular}.repo
 
+RUN install -D /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/nvidia-container-runtime.repo \
+    /etc/yum.repos.d/nvidia-container-runtime.repo
+
 RUN KERNEL_VERSION="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" \
     NVIDIA_FULL_VERSION="$(cat /tmp/akmods/nvidia-full-version.txt)" \
     NVIDIA_PACKAGE_NAME="$(cat /tmp/akmods/nvidia-package-name.txt)" \
     && \
         rpm-ostree install \
             https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
             https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \
-            /tmp/ublue-os-nvidia-addons/rpmbuild/RPMS/noarch/ublue-os-nvidia-addons-*.rpm \
     && \
         sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/rpmfusion-free{,-updates}.repo \
     && \
         rpm-ostree install \
             xorg-x11-drv-${NVIDIA_PACKAGE_NAME}-{,cuda-,devel-,kmodsrc-,power-}${NVIDIA_FULL_VERSION} \
             kernel-devel-${KERNEL_VERSION} nvidia-container-toolkit \
             "/tmp/akmods/${NVIDIA_PACKAGE_NAME}/kmod-${NVIDIA_PACKAGE_NAME}-${KERNEL_VERSION}-${NVIDIA_FULL_VERSION#*:}.rpm" \
+            /tmp/ublue-os-nvidia-addons/rpmbuild/RPMS/noarch/ublue-os-nvidia-addons-*.rpm \
+    && \
+        cp /etc/nvidia-container-runtime/config{-rootless,}.toml \
     && \
         semodule --verbose --install /usr/share/selinux/packages/nvidia-container.pp \
     && \
-        sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/{nvidia-container-runtime,rpmfusion-nonfree{,-updates}}.repo \
+        sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/rpmfusion-nonfree{,-updates}.repo \
     && \
         ln -s /usr/bin/ld.bfd /etc/alternatives/ld && \
         ln -s /etc/alternatives/ld /usr/bin/ld \

diff --git a/files/etc/nvidia-container-runtime/config-rootless.toml b/files/etc/nvidia-container-runtime/config-rootless.toml
@@ -0,0 +1,34 @@
+disable-require = false
+#swarm-resource = "DOCKER_RESOURCE_GPU"
+#accept-nvidia-visible-devices-envvar-when-unprivileged = true
+#accept-nvidia-visible-devices-as-volume-mounts = false
+
+[nvidia-container-cli]
+#root = "/run/nvidia/driver"
+#path = "/usr/bin/nvidia-container-cli"
+environment = []
+#debug = "/var/log/nvidia-container-toolkit.log"
+#ldcache = "/etc/ld.so.cache"
+load-kmods = true
+#no-cgroups = false
+no-cgroups = true
+#user = "root:video"
+ldconfig = "@/sbin/ldconfig"
+
+[nvidia-container-runtime]
+#debug = "/var/log/nvidia-container-runtime.log"
+debug = "~/.local/nvidia-container-runtime.log"
+log-level = "info"
+
+# Specify the runtimes to consider. This list is processed in order and the PATH
+# searched for matching executables unless the entry is an absolute path.
+runtimes = [
+    "docker-runc",
+    "runc",
+]
+
+mode = "auto"
+
+    [nvidia-container-runtime.modes.csv]
+
+    mount-spec-path = "/etc/nvidia-container-runtime/host-files-for-container.d"
diff --git a/ublue-os-nvidia-addons.spec b/ublue-os-nvidia-addons.spec
@@ -11,7 +11,8 @@ Supplements:    mokutil policycoreutils
 
 Source0:        public_key.der
 Source1:        nvidia-container-runtime.repo
-Source2:        nvidia-container.pp
+Source2:        config-rootless.toml
+Source3:        nvidia-container.pp
 
 %description
 Adds various runtime files for nvidia support. These include a key for importing with mokutil to enable secure boot for nvidia kernel modules
@@ -24,13 +25,15 @@ Adds various runtime files for nvidia support. These include a key for importing
 # Have different name for *.der in case kmodgenca is needed for creating more keys
 install -Dm0644 %{SOURCE0} %{buildroot}%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
 install -Dm0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
-install -Dm0644 %{SOURCE2} %{buildroot}%{_datadir}/selinux/packages/nvidia-container.pp
+install -Dm0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
+install -Dm0644 %{SOURCE3} %{buildroot}%{_datadir}/selinux/packages/nvidia-container.pp
 
-sed -i "s@gpgcheck=0@gpgcheck=1@" %{buildroot}%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
+sed -i 's@enabled=1@enabled=0@g' %{buildroot}%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
 
 %files
 %attr(0644,root,root) %{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
 %attr(0644,root,root) %{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
+%attr(0644,root,root) %{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
 %attr(0644,root,root) %{_datadir}/selinux/packages/nvidia-container.pp
 
 %changelog