cdi: use worker cdi manager when generating devices oci spec

Signed-off-by: CrazyMax <[email protected]>

Author: crazy-max

cmd/buildkitd/main.go

@@ -74,6 +74,7 @@ import (
 	"google.golang.org/grpc/health"
 	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/reflection"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
 
 func init() {
@@ -1044,3 +1045,30 @@ func newMeterProvider(ctx context.Context) (*sdkmetric.MeterProvider, error) {
 	}
 	return sdkmetric.NewMeterProvider(opts...), nil
 }
+
+// getCDIManager returns a new CDI registry with disabled auto-refresh.
+func getCDIManager(disabled *bool, specDirs []string) (*cdi.Cache, error) {
+	if disabled != nil && *disabled {
+		return nil, nil
+	}
+	if len(specDirs) == 0 {
+		return nil, errors.New("No CDI specification directories specified")
+	}
+	cdiCache, err := func() (*cdi.Cache, error) {
+		cdiCache, err := cdi.NewCache(
+			cdi.WithSpecDirs(specDirs...),
+			cdi.WithAutoRefresh(false),
+		)
+		if err != nil {
+			return nil, err
+		}
+		if err := cdiCache.Refresh(); err != nil {
+			return nil, err
+		}
+		return cdiCache, nil
+	}()
+	if err != nil {
+		return nil, errors.Wrapf(err, "CDI registry initialization failure")
+	}
+	return cdiCache, nil
+}

cmd/buildkitd/main_containerd_worker.go

@@ -282,6 +282,11 @@ func containerdWorkerInitializer(c *cli.Context, common workerInitializerOpt) ([
 
 	dns := getDNSConfig(common.config.DNS)
 
+	cdiManager, err := getCDIManager(common.config.CDI.Disabled, common.config.CDI.SpecDirs)
+	if err != nil {
+		return nil, err
+	}
+
 	nc := netproviders.Opt{
 		Mode: common.config.Workers.Containerd.NetworkConfig.Mode,
 		CNI: cniprovider.Opt{
@@ -339,6 +344,7 @@ func containerdWorkerInitializer(c *cli.Context, common workerInitializerOpt) ([
 		ParallelismSem:  parallelismSem,
 		TraceSocket:     common.traceSocket,
 		Runtime:         runtime,
+		CDIManager:      cdiManager,
 	}
 
 	opt, err := containerd.NewWorkerOpt(workerOpts, ctd.WithTimeout(60*time.Second))

cmd/buildkitd/main_oci_worker.go

@@ -48,7 +48,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/backoff"
 	"google.golang.org/grpc/credentials/insecure"
-	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
 
 func init() {
@@ -299,6 +298,11 @@ func ociWorkerInitializer(c *cli.Context, common workerInitializerOpt) ([]worker
 
 	dns := getDNSConfig(common.config.DNS)
 
+	cdiManager, err := getCDIManager(common.config.CDI.Disabled, common.config.CDI.SpecDirs)
+	if err != nil {
+		return nil, err
+	}
+
 	nc := netproviders.Opt{
 		Mode: common.config.Workers.OCI.NetworkConfig.Mode,
 		CNI: cniprovider.Opt{
@@ -316,28 +320,14 @@ func ociWorkerInitializer(c *cli.Context, common workerInitializerOpt) ([]worker
 		parallelismSem = semaphore.NewWeighted(int64(cfg.MaxParallelism))
 	}
 
-	opt, err := runc.NewWorkerOpt(common.config.Root, snFactory, cfg.Rootless, processMode, cfg.Labels, idmapping, nc, dns, cfg.Binary, cfg.ApparmorProfile, cfg.SELinux, parallelismSem, common.traceSocket, cfg.DefaultCgroupParent)
+	opt, err := runc.NewWorkerOpt(common.config.Root, snFactory, cfg.Rootless, processMode, cfg.Labels, idmapping, nc, dns, cfg.Binary, cfg.ApparmorProfile, cfg.SELinux, parallelismSem, common.traceSocket, cfg.DefaultCgroupParent, cdiManager)
 	if err != nil {
 		return nil, err
 	}
 	opt.GCPolicy = getGCPolicy(cfg.GCConfig, common.config.Root)
 	opt.BuildkitVersion = getBuildkitVersion()
 	opt.RegistryHosts = hosts
 
-	if common.config.CDI.Disabled == nil || !*common.config.CDI.Disabled {
-		if len(common.config.CDI.SpecDirs) == 0 {
-			return nil, errors.New("No CDI specification directories specified")
-		}
-		cdiCache, err := cdi.NewCache(cdi.WithSpecDirs(common.config.CDI.SpecDirs...))
-		if err != nil {
-			return nil, errors.Wrapf(err, "CDI registry initialization failure")
-		}
-		if err := cdiCache.Refresh(); err != nil {
-			return nil, errors.Wrapf(err, "CDI registry initialization failure")
-		}
-		opt.CDIManager = cdiCache
-	}
-
 	if platformsStr := cfg.Platforms; len(platformsStr) != 0 {
 		platforms, err := parsePlatforms(platformsStr)
 		if err != nil {

executor/containerdexecutor/executor.go

@@ -13,6 +13,7 @@ import (
 	"github.com/moby/buildkit/util/bklog"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
 
 	ctd "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/containerd/v2/core/mount"
@@ -40,6 +41,7 @@ type containerdExecutor struct {
 	traceSocket      string
 	rootless         bool
 	runtime          *RuntimeInfo
+	cdiManager       *cdi.Cache
 }
 
 // OnCreateRuntimer provides an alternative to OCI hooks for applying network
@@ -72,6 +74,7 @@ type ExecutorOptions struct {
 	TraceSocket      string
 	Rootless         bool
 	Runtime          *RuntimeInfo
+	CDIManager       *cdi.Cache
 }
 
 // New creates a new executor backed by connection to containerd API
@@ -92,6 +95,7 @@ func New(executorOpts ExecutorOptions) executor.Executor {
 		traceSocket:      executorOpts.TraceSocket,
 		rootless:         executorOpts.Rootless,
 		runtime:          executorOpts.Runtime,
+		cdiManager:       executorOpts.CDIManager,
 	}
 }
 

executor/containerdexecutor/executor_unix.go

@@ -145,7 +145,7 @@ func (w *containerdExecutor) createOCISpec(ctx context.Context, id, resolvConf,
 	}
 
 	processMode := oci.ProcessSandbox // FIXME(AkihiroSuda)
-	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, namespace, w.cgroupParent, processMode, nil, w.apparmorProfile, w.selinux, w.traceSocket, opts...)
+	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, namespace, w.cgroupParent, processMode, nil, w.apparmorProfile, w.selinux, w.traceSocket, w.cdiManager, opts...)
 	if err != nil {
 		releaseAll()
 		return nil, nil, err

executor/containerdexecutor/executor_windows.go

@@ -88,7 +88,7 @@ func (w *containerdExecutor) createOCISpec(ctx context.Context, id, _, _ string,
 	}
 
 	processMode := oci.ProcessSandbox // FIXME(AkihiroSuda)
-	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, "", "", namespace, "", processMode, nil, "", false, w.traceSocket, opts...)
+	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, "", "", namespace, "", processMode, nil, "", false, w.traceSocket, nil, opts...)
 	if err != nil {
 		releaseAll()
 		return nil, nil, err

executor/oci/spec.go

@@ -24,6 +24,7 @@ import (
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/pkg/errors"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
 
 // ProcessMode configures PID namespaces
@@ -59,7 +60,7 @@ func (pm ProcessMode) String() string {
 
 // GenerateSpec generates spec using containerd functionality.
 // opts are ignored for s.Process, s.Hostname, and s.Mounts .
-func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, namespace network.Namespace, cgroupParent string, processMode ProcessMode, idmap *idtools.IdentityMapping, apparmorProfile string, selinuxB bool, tracingSocket string, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
+func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, namespace network.Namespace, cgroupParent string, processMode ProcessMode, idmap *idtools.IdentityMapping, apparmorProfile string, selinuxB bool, tracingSocket string, cdiManager *cdi.Cache, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
 	c := &containers.Container{
 		ID: id,
 	}
@@ -110,12 +111,6 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 		return nil, nil, err
 	}
 
-	if cdiOpts, err := generateCDIOpts(ctx, meta.CDIDevices); err == nil {
-		opts = append(opts, cdiOpts...)
-	} else {
-		return nil, nil, err
-	}
-
 	hostname := defaultHostname
 	if meta.Hostname != "" {
 		hostname = meta.Hostname
@@ -135,6 +130,14 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 		oci.WithHostname(hostname),
 	)
 
+	if cdiManager != nil {
+		if cdiOpts, err := generateCDIOpts(cdiManager, meta.CDIDevices); err == nil {
+			opts = append(opts, cdiOpts...)
+		} else {
+			return nil, nil, err
+		}
+	}
+
 	s, err := oci.GenerateSpec(ctx, nil, c, opts...)
 	if err != nil {
 		return nil, nil, errors.WithStack(err)

executor/oci/spec_darwin.go

@@ -1,15 +1,14 @@
 package oci
 
 import (
-	"context"
-
 	"github.com/containerd/containerd/v2/core/mount"
 	"github.com/containerd/containerd/v2/pkg/oci"
 	"github.com/containerd/continuity/fs"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
 
 func withProcessArgs(args ...string) oci.SpecOpts {
@@ -65,7 +64,7 @@ func sub(m mount.Mount, subPath string) (mount.Mount, func() error, error) {
 	return m, func() error { return nil }, nil
 }
 
-func generateCDIOpts(ctx context.Context, devices []*pb.CDIDevice) ([]oci.SpecOpts, error) {
+func generateCDIOpts(_ *cdi.Cache, devices []*pb.CDIDevice) ([]oci.SpecOpts, error) {
 	if len(devices) == 0 {
 		return nil, nil
 	}

executor/oci/spec_freebsd.go

@@ -1,15 +1,14 @@
 package oci
 
 import (
-	"context"
-
 	"github.com/containerd/containerd/v2/core/mount"
 	"github.com/containerd/containerd/v2/pkg/oci"
 	"github.com/containerd/continuity/fs"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/moby/buildkit/solver/pb"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
 
 func withProcessArgs(args ...string) oci.SpecOpts {
@@ -73,7 +72,7 @@ func sub(m mount.Mount, subPath string) (mount.Mount, func() error, error) {
 	return m, func() error { return nil }, nil
 }
 
-func generateCDIOpts(ctx context.Context, devices []*pb.CDIDevice) ([]oci.SpecOpts, error) {
+func generateCDIOpts(_ *cdi.Cache, devices []*pb.CDIDevice) ([]oci.SpecOpts, error) {
 	if len(devices) == 0 {
 		return nil, nil
 	}

executor/oci/spec_linux.go

@@ -14,7 +14,6 @@ import (
 	"github.com/containerd/containerd/v2/pkg/oci"
 	cdseccomp "github.com/containerd/containerd/v2/pkg/seccomp"
 	"github.com/containerd/continuity/fs"
-	"github.com/containerd/log"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/profiles/seccomp"
 	"github.com/moby/buildkit/snapshot"
@@ -153,10 +152,8 @@ func generateRlimitOpts(ulimits []*pb.Ulimit) ([]oci.SpecOpts, error) {
 }
 
 // genereateCDIOptions creates the OCI runtime spec options for injecting CDI
-// devices. Two options are returned: The first ensures that the CDI registry
-// is initialized with refresh disabled, and the second injects the devices
-// into the container.
-func generateCDIOpts(ctx context.Context, devices []*pb.CDIDevice) ([]oci.SpecOpts, error) {
+// devices.
+func generateCDIOpts(manager *cdi.Cache, devices []*pb.CDIDevice) ([]oci.SpecOpts, error) {
 	if len(devices) == 0 {
 		return nil, nil
 	}
@@ -171,38 +168,16 @@ func generateCDIOpts(ctx context.Context, devices []*pb.CDIDevice) ([]oci.SpecOp
 		dd = append(dd, d.Name)
 	}
 
-	// withStaticCDIRegistry inits the CDI registry and disables auto-refresh.
-	// This is used from the `run` command to avoid creating a registry with
-	// auto-refresh enabled. It also provides a way to override the CDI spec
-	// file paths if required.
-	withStaticCDIRegistry := func() oci.SpecOpts {
-		return func(ctx context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
-			_ = cdi.Configure(cdi.WithAutoRefresh(false))
-			// TODO: this should use worker CDIManager
-			if err := cdi.Refresh(); err != nil {
-				// We don't consider registry refresh failure a fatal error.
-				// For instance, a dynamically generated invalid CDI Spec file
-				// for any particular vendor shouldn't prevent injection of
-				// devices of different vendors. CDI itself knows better, and
-				// it will fail the injection if necessary.
-				bklog.G(ctx).Warnf("CDI registry refresh failed: %v", err)
-			}
-			return nil
-		}
-	}
-
-	// withCDIDevices injects the requested CDI devices into the OCI specification.
-	// FIXME: Use oci.WithCDIDevices once we switch to containerd 2.0.
 	withCDIDevices := func(devices ...string) oci.SpecOpts {
 		return func(ctx context.Context, _ oci.Client, c *containers.Container, s *specs.Spec) error {
 			if len(devices) == 0 {
 				return nil
 			}
-			if err := cdi.Refresh(); err != nil {
-				log.G(ctx).Warnf("CDI registry refresh failed: %v", err)
+			if err := manager.Refresh(); err != nil {
+				bklog.G(ctx).Warnf("CDI registry refresh failed: %v", err)
 			}
 			bklog.G(ctx).Debugf("Injecting CDI devices %v", devices)
-			if _, err := cdi.InjectDevices(s, devices...); err != nil {
+			if _, err := manager.InjectDevices(s, devices...); err != nil {
 				return errors.Wrapf(err, "CDI device injection failed")
 			}
 			// One crucial thing to keep in mind is that CDI device injection
@@ -214,7 +189,6 @@ func generateCDIOpts(ctx context.Context, devices []*pb.CDIDevice) ([]oci.SpecOp
 	}
 
 	return []oci.SpecOpts{
-		withStaticCDIRegistry(),
 		withCDIDevices(dd...),
 	}, nil
 }