From c580b90fb9a77d13a29a60732e424c68e96cd7cb Mon Sep 17 00:00:00 2001
From: Piyush Jena
Date: Wed, 5 Nov 2025 06:52:52 +0000
Subject: [PATCH 1/3] packages: update libnvidia-container to v1.18.0

Signed-off-by: Piyush Jena
---
 ...dd-clock_gettime-to-allowed-syscalls.patch | 29 -------------------
 packages/libnvidia-container/Cargo.toml | 4 +--
 .../libnvidia-container.spec | 3 +-
 3 files changed, 3 insertions(+), 33 deletions(-)
 delete mode 100644 packages/libnvidia-container/0005-Add-clock_gettime-to-allowed-syscalls.patch

diff --git a/packages/libnvidia-container/0005-Add-clock_gettime-to-allowed-syscalls.patch b/packages/libnvidia-container/0005-Add-clock_gettime-to-allowed-syscalls.patch
deleted file mode 100644
index 9ddcf5215..000000000
--- a/packages/libnvidia-container/0005-Add-clock_gettime-to-allowed-syscalls.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From d401dd5a8621565e040839a5d525cb4ba124cc37 Mon Sep 17 00:00:00 2001
-From: Evan Lezar
-Date: Wed, 1 Oct 2025 15:17:56 +0200
-Subject: [PATCH] Add clock_gettime to allowed syscalls
-
-This change adds clock_gettime to the allowed syscalls when running
-ldconfig under seccomp. This seems to be required for newer glibc
-versions.
-
-Signed-off-by: Evan Lezar
----
- src/nvc_ldcache.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/nvc_ldcache.c b/src/nvc_ldcache.c
-index 0535090d..a345d870 100644
---- a/src/nvc_ldcache.c
-+++ b/src/nvc_ldcache.c
-@@ -272,6 +272,7 @@ limit_syscalls(struct error *err)
- SCMP_SYS(brk),
- SCMP_SYS(chdir),
- SCMP_SYS(chmod),
-+ SCMP_SYS(clock_gettime),
- SCMP_SYS(close),
- SCMP_SYS(execve),
- SCMP_SYS(execveat),
---
-2.51.0
-
diff --git a/packages/libnvidia-container/Cargo.toml b/packages/libnvidia-container/Cargo.toml
index e7bec33c6..b3bd53ab8 100644
--- a/packages/libnvidia-container/Cargo.toml
+++ b/packages/libnvidia-container/Cargo.toml
@@ -13,8 +13,8 @@ releases-url = "https://github.com/NVIDIA/libnvidia-container/releases"
 # Should match the version of the nvidia-container-toolkit package
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/NVIDIA/libnvidia-container/archive/v1.17.8/libnvidia-container-1.17.8.tar.gz"
-sha512 = "727f66bcb7396110c056e483abc5d2ba38381feaf0d47b4b40159933ccc65e76d4b33d7bb32b1ec87851c802d1823165f50f289d92f748f7f50f6896fe2bd10e"
+url = "https://github.com/NVIDIA/libnvidia-container/archive/v1.18.0/libnvidia-container-1.18.0.tar.gz"
+sha512 = "230b6d3b0a29a54796cebdc212b4cb4b2249d8bb370e97778be88093b6d36153d1325a5755ef69d5b856cfc6b9a904e30d39466d86efd3369b2c838fa57cd7e9"
 # Check https://github.com/NVIDIA/libnvidia-container/blob//mk/nvidia-modprobe.mk to determine which modprobe version it builds
 [[package.metadata.build-package.external-files]]
diff --git a/packages/libnvidia-container/libnvidia-container.spec b/packages/libnvidia-container/libnvidia-container.spec
index 1d6a4a9dc..07c37584c 100644
--- a/packages/libnvidia-container/libnvidia-container.spec
+++ b/packages/libnvidia-container/libnvidia-container.spec
@@ -1,7 +1,7 @@
 %global nvidia_modprobe_version 550.54.14
 Name: %{_cross_os}libnvidia-container
-Version: 1.17.8
+Version: 1.18.0
 Release: 1%{?dist}
 Epoch: 1
 Summary: NVIDIA container runtime library
@@ -18,7 +18,6 @@ Patch0001: 0001-use-shared-libtirpc.patch
 Patch0002: 0002-use-prefix-from-environment.patch
 Patch0003: 0003-keep-debug-symbols.patch
 Patch0004: 0004-makefile-avoid-ldconfig-when-cross-compiling.patch
-Patch0005: 0005-Add-clock_gettime-to-allowed-syscalls.patch
 BuildRequires: %{_cross_os}glibc-devel
 BuildRequires: %{_cross_os}libelf-devel

From d14fb229fe89bc38629411062bb25e28ceae14e9 Mon Sep 17 00:00:00 2001
From: Piyush Jena
Date: Wed, 5 Nov 2025 19:46:37 +0000
Subject: [PATCH 2/3] packages: update nvidia-container-toolkit to v1.18.0

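Review bot: Dropping `Patch0005` removes the seccomp allowlist entry for `clock_gettime` that the deleted 0005 patch added to `limit_syscalls()` in `src/nvc_ldcache.c`, and neither the spec nor the commit message records that the v1.18.0 tarball carries upstream commit d401dd5 (or an equivalent); if it does not, ldconfig run under that seccomp filter would presumably fail again on newer glibc. The diff cannot show this on its own, so it is a check against the new tarball rather than the spec. A one-line commit-message note such as `Drop 0005-Add-clock_gettime-to-allowed-syscalls.patch: included upstream in v1.18.0` would record the verification for the next bump. The spec's `%prep` section is outside the hunk.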
Signed-off-by: Piyush Jena
---
 packages/nvidia-container-toolkit/Cargo.toml | 4 +-
 .../nvidia-container-toolkit.spec | 73 +++++++++++++++----
 2 files changed, 59 insertions(+), 18 deletions(-)

diff --git a/packages/nvidia-container-toolkit/Cargo.toml b/packages/nvidia-container-toolkit/Cargo.toml
index 7478e7ddb..6f6eab502 100644
--- a/packages/nvidia-container-toolkit/Cargo.toml
+++ b/packages/nvidia-container-toolkit/Cargo.toml
@@ -13,8 +13,8 @@ releases-url = "https://github.com/NVIDIA/nvidia-container-toolkit/releases"
 # Should match the version of the libnvidia-container package
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/NVIDIA/nvidia-container-toolkit/archive/v1.17.8/nvidia-container-toolkit-1.17.8.tar.gz"
-sha512 = "1ff7a39c09bd51222e3edbe6f31c3838df6a7d09bb0a0171df1e04be613502079253574fe2fb087b253687aa2a826d77f2410253023a127432e9d05a89174159"
+url = "https://github.com/NVIDIA/nvidia-container-toolkit/archive/v1.18.0/nvidia-container-toolkit-1.18.0.tar.gz"
+sha512 = "5cfe75b385ae9950c7668ffca540e9d5c1ce770dd8d786314e4145463610b5ee3c4a2dc541df8fee203a9c0300380d71b2ba196e0796d4592d6bfccc7730aa38"
 [build-dependencies]
 glibc = { path = "../glibc" }
diff --git a/packages/nvidia-container-toolkit/nvidia-container-toolkit.spec b/packages/nvidia-container-toolkit/nvidia-container-toolkit.spec
index abb4dd8a2..d980f6f47 100644
--- a/packages/nvidia-container-toolkit/nvidia-container-toolkit.spec
+++ b/packages/nvidia-container-toolkit/nvidia-container-toolkit.spec
@@ -2,7 +2,7 @@
 %global gorepo nvidia-container-toolkit
 %global goimport %{goproject}/%{gorepo}
-%global gover 1.17.8
+%global gover 1.18.0
 %global rpmver %{gover}
 Name: %{_cross_os}nvidia-container-toolkit
@@ -32,6 +32,24 @@ Requires: (%{name}-k8s if %{_cross_os}variant-family(aws-k8s))
 %description
 %{summary}.
+%package bin
+Summary: NVIDIA container toolkit binaries
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(no-fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(fips) or %{name}-fips-bin)
+
+%description bin
+%{summary}.
+
+%package fips-bin
+Summary: NVIDIA container toolkit binaries, FIPS edition
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
+
+%description fips-bin
+%{summary}.
+
 %package ecs
 Summary: Files specific for the ECS variants
 Requires: %{name}
@@ -60,15 +78,21 @@ Conflicts: %{name}-ecs
 export CGO_LDFLAGS="-Wl,-z,relro -Wl,--export-dynamic"
 export GOLDFLAGS="-compressdwarf=false -linkmode=external -extldflags '${CGO_LDFLAGS}'"
-go build -ldflags="${GOLDFLAGS}" -o nvidia-container-runtime-hook ./cmd/nvidia-container-runtime-hook
-go build -ldflags="${GOLDFLAGS}" -o nvidia-ctk ./cmd/nvidia-ctk
-go build -ldflags="${GOLDFLAGS}" -o nvidia-cdi-hook ./cmd/nvidia-cdi-hook
-go build -ldflags="${GOLDFLAGS}" -o nvidia-container-runtime ./cmd/nvidia-container-runtime
-go build -ldflags="${GOLDFLAGS}" -o nvidia-container-runtime.cdi ./cmd/nvidia-container-runtime.cdi
-go build -ldflags="${GOLDFLAGS}" -o nvidia-container-runtime.legacy ./cmd/nvidia-container-runtime.legacy
+for bin in \
+ nvidia-cdi-hook \
+ nvidia-container-runtime-hook \
+ nvidia-container-runtime \
+ nvidia-container-runtime.cdi \
+ nvidia-container-runtime.legacy \
+ nvidia-ctk ;
+do
+ go build -ldflags="${GOLDFLAGS}" -o ${bin} ./cmd/${bin}
+ gofips build -ldflags="${GOLDFLAGS}" -o fips/${bin} ./cmd/${bin}
+done
 %install
 install -d %{buildroot}%{_cross_bindir}
+install -d %{buildroot}%{_cross_fips_bindir}
 install -d %{buildroot}%{_cross_tmpfilesdir}
 install -d %{buildroot}%{_cross_templatedir}
 install -d %{buildroot}%{_cross_udevrulesdir}
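Review bot: The new `bin` and `fips-bin` subpackages each require `%{name}`, but nothing in this hunk makes the base package require `%{name}(binaries)` in return, so a base-only install can end up owning the `generate-cdi-specs.service` unit and the udev rule (moved into the base `%files` later in this commit) with none of the `nvidia-*` binaries present. The nvidia-k8s-device-plugin spec touched in the same series shows the convention, `Requires: %{name}(binaries)` on the base package; unless that line already exists above line 32 of this spec, add it next to the existing `Requires:` line so one of the two binary subpackages is always pulled in. Whether the unit actually execs one of these binaries is not visible from the diff.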
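Review bot: The six binary names are now spelled out twice in shell loops (this `%build` hunk and the `%install` hunk at `@@ -76,12 +100,19 @@`) and twice more in the `%files bin` / `%files fips-bin` lists, so a future binary added upstream has to be remembered in four places and a miss is silent in the loops. Defining the list once near the `%global gover` line, e.g. `%global nvidia_bins nvidia-cdi-hook nvidia-container-runtime-hook nvidia-container-runtime nvidia-container-runtime.cdi nvidia-container-runtime.legacy nvidia-ctk`, and writing both loops as `for bin in %{nvidia_bins} ; do` keeps the `%build` and `%install` halves in step; the `%files` lists must stay explicit, but at least they then have a single reference to check against. The `%build` section header itself is outside the hunk.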
@@ -76,12 +100,19 @@ install -d %{buildroot}%{_cross_unitdir}
 install -d %{buildroot}%{_cross_datadir}/nvidia-container-toolkit
 install -d %{buildroot}%{_cross_factorydir}/nvidia-container-runtime
 install -d %{buildroot}%{_cross_templatedir}/nvidia-container-runtime
-install -p -m 0755 nvidia-container-runtime-hook %{buildroot}%{_cross_bindir}/
-install -p -m 0755 nvidia-ctk %{buildroot}%{_cross_bindir}/
-install -p -m 0755 nvidia-cdi-hook %{buildroot}%{_cross_bindir}/
-install -p -m 0755 nvidia-container-runtime %{buildroot}%{_cross_bindir}/
-install -p -m 0755 nvidia-container-runtime.cdi %{buildroot}%{_cross_bindir}/
-install -p -m 0755 nvidia-container-runtime.legacy %{buildroot}%{_cross_bindir}/
+
+for bin in \
+ nvidia-cdi-hook \
+ nvidia-container-runtime-hook \
+ nvidia-container-runtime \
+ nvidia-container-runtime.cdi \
+ nvidia-container-runtime.legacy \
+ nvidia-ctk ;
+do
+ install -p -m 0755 ${bin} %{buildroot}%{_cross_bindir}
+ install -p -m 0755 fips/${bin} %{buildroot}%{_cross_fips_bindir}
+done
+
 install -m 0644 %{S:1} %{buildroot}%{_cross_factorydir}/nvidia-container-runtime/
 install -m 0644 %{S:2} %{buildroot}%{_cross_factorydir}/nvidia-container-runtime/
 install -p -m 0644 %{S:3} %{buildroot}%{_cross_udevrulesdir}/90-nvidia-gpu-devices.rules
@@ -93,14 +124,24 @@ install -m 0644 %{S:7} %{buildroot}%{_cross_unitdir}/
 %files
 %license LICENSE
 %{_cross_attribution_file}
+%{_cross_udevrulesdir}/90-nvidia-gpu-devices.rules
+%{_cross_unitdir}/generate-cdi-specs.service
+
+%files bin
 %{_cross_bindir}/nvidia-container-runtime-hook
-%{_cross_bindir}/nvidia-ctk
 %{_cross_bindir}/nvidia-cdi-hook
 %{_cross_bindir}/nvidia-container-runtime
 %{_cross_bindir}/nvidia-container-runtime.cdi
 %{_cross_bindir}/nvidia-container-runtime.legacy
-%{_cross_udevrulesdir}/90-nvidia-gpu-devices.rules
-%{_cross_unitdir}/generate-cdi-specs.service
+%{_cross_bindir}/nvidia-ctk
+
+%files fips-bin
+%{_cross_fips_bindir}/nvidia-container-runtime-hook
+%{_cross_fips_bindir}/nvidia-cdi-hook
+%{_cross_fips_bindir}/nvidia-container-runtime
+%{_cross_fips_bindir}/nvidia-container-runtime.cdi
+%{_cross_fips_bindir}/nvidia-container-runtime.legacy
+%{_cross_fips_bindir}/nvidia-ctk
 %files ecs
 %{_cross_factorydir}/nvidia-container-runtime/nvidia-container-toolkit-config-ecs.toml

From 496f117d203e534620e3cb217dad3084cc03f7f7 Mon Sep 17 00:00:00 2001
From: Piyush Jena
Date: Wed, 5 Nov 2025 07:08:08 +0000
Subject: [PATCH 3/3] packages: update nvidia-k8s-device-plugin to v0.18.0

With this update, we add a patch to disable `enable-cuda-compat` oci hook as nvidia-k8s-device-plugin doesn't provide any config option to drop it from the CDI spec as suggested in https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape

Signed-off-by: Piyush Jena
---
 ...rated-CDI-specs-do-not-contain-enabl.patch | 36 +++++++++++++++++++
 packages/nvidia-k8s-device-plugin/Cargo.toml | 6 ++--
 .../nvidia-k8s-device-plugin.spec | 4 ++-
 3 files changed, 42 insertions(+), 4 deletions(-)
 create mode 100644 packages/nvidia-k8s-device-plugin/1001-Ensure-that-generated-CDI-specs-do-not-contain-enabl.patch

diff --git a/packages/nvidia-k8s-device-plugin/1001-Ensure-that-generated-CDI-specs-do-not-contain-enabl.patch b/packages/nvidia-k8s-device-plugin/1001-Ensure-that-generated-CDI-specs-do-not-contain-enabl.patch
new file mode 100644
index 000000000..5571b9086
--- /dev/null
+++ b/packages/nvidia-k8s-device-plugin/1001-Ensure-that-generated-CDI-specs-do-not-contain-enabl.patch
@@ -0,0 +1,36 @@
+From 0ae23f93ef41d348a489e9dd2fbc76ef0468005e Mon Sep 17 00:00:00 2001
+From: Evan Lezar
+Date: Mon, 10 Mar 2025 14:44:45 +0200
+Subject: [PATCH] Ensure that generated CDI specs do not contain
+ enable-cuda-compat hooks
+
+Signed-off-by: Evan Lezar
+---
+ internal/cdi/cdi.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/internal/cdi/cdi.go b/internal/cdi/cdi.go
+index 2b3761d9..810e4395 100644
+--- a/internal/cdi/cdi.go
++++ b/internal/cdi/cdi.go
+@@ -126,6 +126,8 @@ func New(infolib info.Interface, nvmllib nvml.Interface, devicelib device.Interf
+ nvcdi.WithDeviceNamers(deviceNamer),
+ nvcdi.WithVendor(c.vendor),
+ nvcdi.WithClass("gpu"),
++ // TODO: This should be removed once the use of a NVIDIA Container Toolkit >= v1.17.5 is commonplace.
++ nvcdi.WithDisabledHook(nvcdi.HookEnableCudaCompat),
+ )
+ if err != nil {
+ return nil, fmt.Errorf("failed to create nvcdi library: %v", err)
+@@ -154,6 +156,8 @@ func New(infolib info.Interface, nvmllib nvml.Interface, devicelib device.Interf
+ nvcdi.WithDevRoot(c.devRoot),
+ nvcdi.WithVendor(c.vendor),
+ nvcdi.WithMode(mode),
++ // TODO: This should be removed once the use of a NVIDIA Container Toolkit >= v1.17.5 is commonplace.
++ nvcdi.WithDisabledHook(nvcdi.HookEnableCudaCompat),
+ )
+ if err != nil {
+ return nil, fmt.Errorf("failed to create nvcdi library: %v", err)
+--
+2.51.0
+
diff --git a/packages/nvidia-k8s-device-plugin/Cargo.toml b/packages/nvidia-k8s-device-plugin/Cargo.toml
index aefcb8731..99f3e7254 100644
--- a/packages/nvidia-k8s-device-plugin/Cargo.toml
+++ b/packages/nvidia-k8s-device-plugin/Cargo.toml
@@ -12,9 +12,9 @@ path = "../packages.rs"
 releases-url = "https://github.com/NVIDIA/k8s-device-plugin/releases"
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/NVIDIA/k8s-device-plugin/archive/v0.17.3/v0.17.3.tar.gz"
-path = "k8s-device-plugin-0.17.3.tar.gz"
-sha512 = "18715703dfce6a6e986295dfbdc78180dd5c30566db2b44abc7fc030e6981ada5fd411488564594454a840c3c67b933e0c7e849c2938aa837ac32dd41b3a0140"
+url = "https://github.com/NVIDIA/k8s-device-plugin/archive/v0.18.0/v0.18.0.tar.gz"
+path = "k8s-device-plugin-0.18.0.tar.gz"
+sha512 = "4da24e4e75667209bc1b1ec98cf9895fe0af182934c3867c60ebed154f73d4703d23ff72f44edc2fb2d07cc14c42bb4c19e274628cbbee045ef6b6e1e7b2f0d8"
 [build-dependencies]
 glibc = { path = "../glibc" }
diff --git a/packages/nvidia-k8s-device-plugin/nvidia-k8s-device-plugin.spec b/packages/nvidia-k8s-device-plugin/nvidia-k8s-device-plugin.spec
index 9e959f3f7..92b556ce9 100644
--- a/packages/nvidia-k8s-device-plugin/nvidia-k8s-device-plugin.spec
+++ b/packages/nvidia-k8s-device-plugin/nvidia-k8s-device-plugin.spec
@@ -2,7 +2,7 @@
 %global gorepo k8s-device-plugin
 %global goimport %{goproject}/%{gorepo}
-%global gover 0.17.3
+%global gover 0.18.0
 %global rpmver %{gover}
 Name: %{_cross_os}nvidia-k8s-device-plugin
@@ -18,6 +18,8 @@ Source2: nvidia-k8s-device-plugin-conf
 Source3: nvidia-k8s-device-plugin-exec-start-conf
 Source4: nvidia-k8s-device-plugin-mig-conf
+Patch0001: 1001-Ensure-that-generated-CDI-specs-do-not-contain-enabl.patch
+
 BuildRequires: %{_cross_os}glibc-devel
 Requires: %{name}(binaries)
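Review bot: `Patch0001` is added with no in-spec comment saying why a locally carried patch exists, so the only rationale lives in the commit message and the next person bumping nvidia-k8s-device-plugin has no cue that dropping it re-enables the `enable-cuda-compat` hook in generated CDI specs (CVE-2025-23266). Suggest a comment above the line: `# Keep the enable-cuda-compat hook out of generated CDI specs (CVE-2025-23266); the plugin has no config option to drop it.` The patch's own TODO ties its removal to nvidia-container-toolkit >= v1.17.5, which this series already exceeds at v1.18.0, so the comment should also make clear the patch is retained deliberately rather than by oversight. Whether `%prep` applies `Patch0001` (for example via `%autosetup -p1`) is outside the hunk and worth confirming, since an unapplied patch would build cleanly and silently leave the hook in place.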