Add rhel9 base for vGPU-manager containers

Close #453

Signed-off-by: Michele Valsecchi <[email protected]>

Author: mvalsecchi-nv

Makefile

@@ -243,7 +243,32 @@ build-vgpuguest-%: DOCKERFILE = $(CURDIR)/$(SUBDIR)/Dockerfile
 # Remove '-grid' substring in the image tag
 build-vgpuguest-%: DRIVER_TAG = $(DRIVER_VERSION:-grid=)
 
-build-vgpuguest-rhcos%: SUBDIR = rhel8
+# Source of truth https://access.redhat.com/articles/6907891
+build-vgpuguest-rhcos4.12: SUBDIR = rhel8
+build-vgpuguest-rhcos4.13: SUBDIR = rhel8
+build-vgpuguest-rhcos4.14: SUBDIR = rhel8
+build-vgpuguest-rhcos4.15: SUBDIR = rhel9
+build-vgpuguest-rhcos4.16: SUBDIR = rhel9
+build-vgpuguest-rhcos4.17: SUBDIR = rhel9
+build-vgpuguest-rhcos4.18: SUBDIR = rhel9
+build-vgpuguest-rhcos4.19: SUBDIR = rhel9
+build-vgpuguest-rhcos4.20: SUBDIR = rhel9
+
+build-vgpuguest-rhcos%:
+	DOCKER_BUILDKIT=1 \
+		$(DOCKER) $(BUILDX) build --pull \
+				$(DOCKER_BUILD_OPTIONS) \
+				$(DOCKER_BUILD_PLATFORM_OPTIONS) \
+				--tag $(IMAGE) \
+				--build-arg DRIVER_TYPE=vgpu \
+				--build-arg VGPU_LICENSE_SERVER_TYPE=NLS \
+				--build-arg DRIVER_VERSION="$(DRIVER_VERSION)" \
+				--build-arg DRIVER_BRANCH="$(DRIVER_BRANCH)" \
+				--build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
+				--build-arg CVE_UPDATES="$(CVE_UPDATES)" \
+				$(DOCKER_BUILD_ARGS) \
+				--file $(DOCKERFILE) \
+				$(CURDIR)/$(SUBDIR)
 
 $(VGPU_GUEST_DRIVER_BUILD_TARGETS):
 	DOCKER_BUILDKIT=1 \
@@ -280,9 +305,19 @@ build-vgpuhost-%: DIST = $(word 3,$(subst -, ,$@))
 build-vgpuhost-%: SUBDIR = $(word 3,$(subst -, ,$@))
 build-vgpuhost-%: DOCKERFILE = $(CURDIR)/vgpu-manager/$(SUBDIR)/Dockerfile
 
-build-vgpuhost-rhcos%: SUBDIR = rhel8
-
-$(VGPU_HOST_DRIVER_BUILD_TARGETS):
+# Source of truth https://access.redhat.com/articles/6907891
+build-vgpuhost-rhcos4.12: SUBDIR = rhel8
+build-vgpuhost-rhcos4.13: SUBDIR = rhel8
+build-vgpuhost-rhcos4.14: SUBDIR = rhel8
+build-vgpuhost-rhcos4.15: SUBDIR = rhel9
+build-vgpuhost-rhcos4.16: SUBDIR = rhel9
+build-vgpuhost-rhcos4.17: SUBDIR = rhel9
+build-vgpuhost-rhcos4.18: SUBDIR = rhel9
+build-vgpuhost-rhcos4.19: SUBDIR = rhel9
+build-vgpuhost-rhcos4.20: SUBDIR = rhel9
+
+# TODO(mvalsecchi): find a better way than just duplicate the recipe
+build-vgpuhost-rhcos%:
 	DOCKER_BUILDKIT=1 \
 		$(DOCKER) $(BUILDX) build --pull \
 				$(DOCKER_BUILD_OPTIONS) \
@@ -297,7 +332,20 @@ $(VGPU_HOST_DRIVER_BUILD_TARGETS):
 				--file $(DOCKERFILE) \
 				$(CURDIR)/vgpu-manager/$(SUBDIR)
 
-
+$(VGPU_HOST_DRIVER_BUILD_TARGETS):
+	DOCKER_BUILDKIT=1 \
+                $(DOCKER) $(BUILDX) build --pull \
+                                $(DOCKER_BUILD_OPTIONS) \
+                                $(DOCKER_BUILD_PLATFORM_OPTIONS) \
+                                --tag $(IMAGE) \
+                                --build-arg DRIVER_BRANCH="$(DRIVER_BRANCH)" \
+                                --build-arg DRIVER_VERSION="$(DRIVER_VERSION)" \
+                                --build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
+                                --build-arg CVE_UPDATES="$(CVE_UPDATES)" \
+                                --build-arg CUDA_VERSION="$(CUDA_VERSION)" \
+                                $(DOCKER_BUILD_ARGS) \
+                                --file $(DOCKERFILE) \
+                                $(CURDIR)/vgpu-manager/$(SUBDIR)
 
 # $(VGPU_HOST_DRIVER_PUSH_TARGETS) is in the form of push-vgpuhost-$(DIST)
 # VGPU_HOST_DRIVER_VERSION must be defined in the environment when invoking this target.

vgpu-manager/rhel9/Dockerfile

@@ -0,0 +1,34 @@
+FROM nvcr.io/nvidia/cuda:13.0.1-base-ubi9
+
+ARG DRIVER_VERSION
+ENV DRIVER_VERSION=$DRIVER_VERSION
+ARG DRIVER_ARCH=x86_64
+ENV DRIVER_ARCH=$DRIVER_ARCH
+
+RUN mkdir -p /driver
+WORKDIR /driver
+COPY NVIDIA-Linux-${DRIVER_ARCH}-${DRIVER_VERSION}-vgpu-kvm.run .
+RUN chmod +x NVIDIA-Linux-${DRIVER_ARCH}-${DRIVER_VERSION}-vgpu-kvm.run
+
+COPY nvidia-driver /usr/local/bin
+COPY ocp_dtk_entrypoint /usr/local/bin
+
+LABEL io.k8s.display-name="NVIDIA vGPU Manager Container"
+LABEL name="NVIDIA vGPU Manager Container"
+LABEL vendor="NVIDIA"
+LABEL version="${DRIVER_VERSION}"
+LABEL release="N/A"
+LABEL summary="Provision the NVIDIA vGPU Manager through containers"
+LABEL description="See summary"
+
+# Install / upgrade packages here that are required to resolve CVEs
+ARG CVE_UPDATES
+RUN if [ -n "${CVE_UPDATES}" ]; then \
+        yum update -y ${CVE_UPDATES} && \
+        rm -rf /var/cache/yum/*; \
+    fi
+
+# Add NGC DL license from the CUDA image
+RUN mkdir /licenses && mv /NGC-DL-CONTAINER-LICENSE /licenses/NGC-DL-CONTAINER-LICENSE
+
+ENTRYPOINT ["nvidia-driver", "init"]

vgpu-manager/rhel9/nvidia-driver

@@ -0,0 +1,252 @@
+#!/bin/bash
+# Copyright (c) 2022, NVIDIA CORPORATION. All rights reserved.
+
+set -xe
+
+DRIVER_VERSION=${DRIVER_VERSION:?"Missing driver version"}
+DRIVER_RESET_RETRIES=10
+DELAY_BEFORE_VF_CREATION=${DELAY_BEFORE_VF_CREATION:-15}
+RUN_DIR=/run/nvidia
+
+# Mount the driver rootfs into the run directory with the exception of sysfs.
+_mount_rootfs() {
+    echo "Mounting NVIDIA driver rootfs..."
+    mount --make-runbindable /sys
+    mount --make-private /sys
+    mkdir -p ${RUN_DIR}/driver
+    mount --rbind / ${RUN_DIR}/driver
+
+    echo "Change device files security context for selinux compatibility"
+    chcon -R -t container_file_t ${RUN_DIR}/driver/dev
+}
+
+# Unmount the driver rootfs from the run directory.
+_unmount_rootfs() {
+    echo "Unmounting NVIDIA driver rootfs..."
+    if findmnt -r -o TARGET | grep "${RUN_DIR}/driver" > /dev/null; then
+        umount -l -R ${RUN_DIR}/driver
+    fi
+}
+
+# Create /dev/char directory if it doesn't exist inside the container.
+# Without this directory, nvidia-vgpu-mgr will fail to create symlinks
+# under /dev/char for new devices nodes.
+_create_dev_char_directory() {
+	if [ ! -d "/dev/char" ]; then
+		echo "Creating '/dev/char' directory"
+		mkdir -p /dev/char
+	fi
+}
+
+_set_fw_search_path() {
+    local nv_fw_search_path="$RUN_DIR/driver/lib/firmware"
+    local fw_path_config_file="/sys/module/firmware_class/parameters/path"
+
+    if [[ ! -z $(grep '[^[:space:]]' $fw_path_config_file) ]]; then
+        echo "WARNING: A search path is already configured in $fw_path_config_file"
+        echo "         Retaining the current configuration. Note, GSP firmware may not be found and thus won't be used by the NVIDIA driver."
+        return
+    fi
+
+    echo "Configuring the following firmware search path in '$fw_path_config_file': $nv_fw_search_path"
+    echo -n "$nv_fw_search_path" > $fw_path_config_file
+}
+
+_install_driver() {
+    local tmp_dir=$(mktemp -d)
+
+    sh NVIDIA-Linux-${DRIVER_ARCH}-${DRIVER_VERSION}-vgpu-kvm.run --ui=none --no-questions --tmpdir ${tmp_dir} --no-systemd
+}
+
+# Currently _install_driver() takes care of loading nvidia modules. Just need to start necessary vgpu daemons
+_load_driver() {
+    /usr/bin/nvidia-vgpud
+    /usr/bin/nvidia-vgpu-mgr &
+
+    # check nvidia drivers are loaded
+    if [ ! -f /sys/module/nvidia_vgpu_vfio/refcnt ] || [ ! -f /sys/module/nvidia/refcnt ]; then
+        echo "Failed to load nvidia driver"
+        return 1
+    fi
+    return 0
+}
+
+# Enable virtual functions for all physical GPUs on the node that support SR-IOV.
+# Retry logic is to account for when the driver is busy (i.e. during driver initialization)
+_enable_vfs() {
+    # Wait before attempting to create VFs to ensure the driver has finished initializing.
+    # This is a WAR for a bug in vGPU 17.2 where sriov-manage does not return a non-zero
+    # exit code even though VF creation fails.
+    sleep $DELAY_BEFORE_VF_CREATION
+
+    local retry
+    for ((retry = 0 ; retry <= $DRIVER_RESET_RETRIES ; retry++)); do
+        if /usr/lib/nvidia/sriov-manage -e ALL; then
+            return 0
+        fi
+        if [ $retry == $DRIVER_RESET_RETRIES ]; then
+            echo "Failed to enable VFs"
+        fi
+    done
+    return 1
+}
+
+# Disable virtual functions for all physical GPUs on the node that support SR-IOV.
+# Retry logic is to account for when the driver is busy (i.e. during driver initialization)
+_disable_vfs() {
+    local retry
+    for ((retry = 0 ; retry <= $DRIVER_RESET_RETRIES ; retry++)); do
+        if /usr/lib/nvidia/sriov-manage -d ALL; then
+            return 0
+        fi
+        if [ $retry == $DRIVER_RESET_RETRIES ]; then
+            echo "Failed to disable VFs"
+        fi
+    done
+    return 1
+}
+
+_unload_driver() {
+    local rmmod_args=()
+    local nvidia_deps=0
+    local nvidia_refs=0
+    local nvidia_vgpu_vfio_refs=0
+
+    if [ -f /var/run/nvidia-vgpu-mgr/nvidia-vgpu-mgr.pid ]; then
+        echo "Stopping NVIDIA vGPU Manager..."
+        local pid=$(< /var/run/nvidia-vgpu-mgr/nvidia-vgpu-mgr.pid)
+
+        kill -TERM "${pid}"
+        for i in $(seq 1 50); do
+            kill -0 "${pid}" 2> /dev/null || break
+            sleep 0.1
+        done
+        if [ $i -eq 50 ]; then
+            echo "Could not stop NVIDIA vGPU Manager" >&2
+            return 1
+        fi
+    fi
+
+    echo "Unloading NVIDIA driver kernel modules..."
+    if [ -f /sys/module/nvidia_vgpu_vfio/refcnt ]; then
+        nvidia_vgpu_vfio_refs=$(< /sys/module/nvidia_vgpu_vfio/refcnt)
+        rmmod_args+=("nvidia_vgpu_vfio")
+        ((++nvidia_deps))
+    fi
+    if [ -f /sys/module/nvidia/refcnt ]; then
+        nvidia_refs=$(< /sys/module/nvidia/refcnt)
+        rmmod_args+=("nvidia")
+    fi
+
+    # TODO: check if nvidia module is in use by checking refcnt
+
+    if [ ${#rmmod_args[@]} -gt 0 ]; then
+        rmmod ${rmmod_args[@]}
+        if [ "$?" != "0" ]; then
+            return 1
+        fi
+    fi
+    return 0
+}
+
+_shutdown() {
+    if _disable_vfs && _unload_driver; then
+        _unmount_rootfs
+        return 0
+    fi
+    echo "Failed to cleanup driver"
+    return 1
+}
+
+build() {
+  echo "build() not implemented"
+}
+
+load() {
+  echo "load() not implemented"
+}
+
+update() {
+  echo "update() not implemented"
+}
+
+init() {
+  trap "echo 'Caught signal'; exit 1" HUP INT QUIT PIPE TERM
+  trap "_shutdown" EXIT
+
+  if ! _unload_driver; then
+    echo "Previous NVIDIA driver installation cannot be removed. Exiting"
+    exit 1
+  fi
+  _unmount_rootfs
+  _create_dev_char_directory
+  _set_fw_search_path
+  _install_driver
+  _load_driver || exit 1
+  _mount_rootfs
+  _enable_vfs
+
+  # In certain scenarios, /sys/class/mdev_bus is not populated with the correct list of devices (PFs and possible VFs)  at this point.
+  # Re-run nvdidia-vgpud to ensure /sys/class/mdev_bus is populated correctly. And restart nvidia-vgpu-mgr if previously killed.
+  nvidia-vgpud &
+  pgrep nvidia-vgpu-mgr >/dev/null || (echo "Restarting nvidia-vgpu-mgr after previously killed" && nvidia-vgpu-mgr &)
+
+  set +x
+  echo "Done, now waiting for signal"
+  trap "echo 'Caught signal'; _shutdown; trap - EXIT; exit" HUP INT QUIT PIPE TERM
+
+  while true; do
+      sleep 15
+      pgrep nvidia-vgpu-mgr >/dev/null || (echo "ERROR: nvidia-vgpu-mgr daemon is no longer running. Exiting." && exit 1)
+  done
+}
+
+
+usage() {
+    cat >&2 <<EOF
+Usage: $0 COMMAND [ARG...]
+
+Commands:
+  init   [-a | --accept-license]
+  build  [-a | --accept-license]
+  load
+  update [-k | --kernel VERSION] [-s | --sign KEYID] [-t | --tag TAG]
+EOF
+    exit 1
+}
+
+if [ $# -eq 0 ]; then
+    usage
+fi
+command=$1; shift
+case "${command}" in
+    init) options=$(getopt -l accept-license -o a -- "$@") ;;
+    build) options=$(getopt -l accept-license,tag: -o a:t -- "$@") ;;
+    load) options="" ;;
+    update) options=$(getopt -l kernel:,sign:,tag: -o k:s:t: -- "$@") ;;
+    *) usage ;;
+esac
+if [ $? -ne 0 ]; then
+    usage
+fi
+eval set -- "${options}"
+
+ACCEPT_LICENSE=""
+KERNEL_VERSION=$(uname -r)
+PRIVATE_KEY=""
+PACKAGE_TAG=""
+
+for opt in ${options}; do
+    case "$opt" in
+    -a | --accept-license) ACCEPT_LICENSE="yes"; shift 1 ;;
+    -k | --kernel) KERNEL_VERSION=$2; shift 2 ;;
+    -s | --sign) PRIVATE_KEY=$2; shift 2 ;;
+    -t | --tag) PACKAGE_TAG=$2; shift 2 ;;
+    --) shift; break ;;
+    esac
+done
+if [ $# -ne 0 ]; then
+    usage
+fi
+
+$command