nvidia package updates #728
Draft
Description of changes:
- `libnvidia-container` to v1.18.0
- `clock_gettime` syscall patch because it has now been upstreamed and released.
- `nvidia-container-toolkit` to v1.18.0
- `gofips` build is forced by `bottlerocket-sdk` due to `nvidia-ctk` binary's indirect dependency on `crypto/tls`. The direct dependency that indirectly forces this `crypto/tls` dependency is `github.com/urfave/cli-altsrc/v3`. Check https://github.com/NVIDIA/nvidia-container-toolkit/blame/754cfa7480d9cef7dc956f30ef25112af44dc788/cmd/nvidia-ctk/cdi/generate/config.go#L25.
- `nvidia-k8s-device-plugin` to v0.18.0
- `enable-cuda-compat` oci hook - This oci hook was the cause of a High Severity CVE (CVE-2025-23266). We add this patch because there's no way to disable this oci hook. For more details visit - https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape. Enabling `features.disable-cuda-compat-lib-hook` flag in `nvidia-container-toolkit`, which is the recommended mitigation of this CVE, doesn't work.

Testing done:
- `nvidia-smoke-test` passes
- `enable-cuda-compat` oci hook is not present.

Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
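One way to automate the "hook is not present" check from the testing notes, as an added example that is not part of this pull request or of the project's code. It assumes the hook, when injected, appears with `enable-cuda-compat` as an argv token in either a container's OCI `config.json` or a generated CDI spec; the function names, the hook path and the sample documents are constructed for illustration.

```python
import json

HOOK = "enable-cuda-compat"  # hook name taken from the PR description


def _matches(entry, name):
    # A hook matches when the name is one of its argv tokens or its binary name.
    args = entry.get("args") or []
    return name in args or entry.get("path", "").rsplit("/", 1)[-1] == name


def hooks_in_oci_config(config, name=HOOK):
    """OCI runtime config.json: "hooks" maps each stage to a list of {path, args}."""
    found = []
    for stage, entries in (config.get("hooks") or {}).items():
        found += [(stage, e.get("path", "")) for e in entries or [] if _matches(e, name)]
    return found


def hooks_in_cdi_spec(spec, name=HOOK):
    """CDI spec: containerEdits.hooks is a list of {hookName, path, args},
    present at the top level and under each device entry."""
    edits = [spec.get("containerEdits") or {}]
    edits += [d.get("containerEdits") or {} for d in spec.get("devices") or []]
    found = []
    for edit in edits:
        found += [(h.get("hookName", ""), h.get("path", ""))
                  for h in edit.get("hooks") or [] if _matches(h, name)]
    return found


# Constructed samples (not captured from a real host); the hook path is an assumption.
PATCHED_OCI = json.loads("""{"hooks": {"createContainer": [
  {"path": "/usr/bin/nvidia-cdi-hook", "args": ["nvidia-cdi-hook", "update-ldcache"]}]}}""")
UNPATCHED_OCI = json.loads("""{"hooks": {"createContainer": [
  {"path": "/usr/bin/nvidia-cdi-hook", "args": ["nvidia-cdi-hook", "enable-cuda-compat"]}]}}""")
UNPATCHED_CDI = json.loads("""{"cdiVersion": "0.5.0", "devices": [{"name": "all",
  "containerEdits": {"hooks": [{"hookName": "createContainer",
    "path": "/usr/bin/nvidia-cdi-hook",
    "args": ["nvidia-cdi-hook", "enable-cuda-compat"]}]}}]}""")

if __name__ == "__main__":
    for label, hits in [("patched OCI config", hooks_in_oci_config(PATCHED_OCI)),
                        ("unpatched OCI config", hooks_in_oci_config(UNPATCHED_OCI)),
                        ("unpatched CDI spec", hooks_in_cdi_spec(UNPATCHED_CDI))]:
        print(f"{label}: {'FAIL' if hits else 'ok'} {hits}")
```

On a test node, load the `config.json` of a running GPU container's bundle (or the generated CDI spec) with `json.load` and fail the test when either function returns a non-empty list.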