NVIDIA
diff --git a/‎cmd/nvidia-ctk-installer/toolkit/toolkit_test.go‎
Lines changed: 2 additions & 0 deletions b/‎cmd/nvidia-ctk-installer/toolkit/toolkit_test.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cmd/nvidia-ctk/cdi/generate/generate.go‎
Lines changed: 9 additions & 8 deletions b/‎cmd/nvidia-ctk/cdi/generate/generate.go‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎cmd/nvidia-ctk/cdi/generate/generate_test.go‎
Lines changed: 40 additions & 40 deletions b/‎cmd/nvidia-ctk/cdi/generate/generate_test.go‎
Lines changed: 40 additions & 40 deletions
diff --git a/‎internal/config/features.go‎
Lines changed: 0 additions & 6 deletions b/‎internal/config/features.go‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎internal/config/features_test.go‎
Lines changed: 0 additions & 87 deletions b/‎internal/config/features_test.go‎
Lines changed: 0 additions & 87 deletions
diff --git a/‎internal/discover/hooks.go‎
Lines changed: 36 additions & 24 deletions b/‎internal/discover/hooks.go‎
Lines changed: 36 additions & 24 deletions
@@ -84,6 +84,8 @@ devices:
               hostPath: /host/driver/root/dev/nvidia-caps-imex-channels/channel1
             - path: /dev/nvidia-caps-imex-channels/channel2047
               hostPath: /host/driver/root/dev/nvidia-caps-imex-channels/channel2047
+            - path: /dev/nvidia-caps/nvidia-cap1
+              hostPath: /host/driver/root/dev/nvidia-caps/nvidia-cap1
 containerEdits:
     env:
         - NVIDIA_CTK_LIBCUDA_DIR=/lib/x86_64-linux-gnu
 
@@ -62,7 +62,7 @@ type options struct {
 	configSearchPaths  []string
 	librarySearchPaths []string
 	disabledHooks      []string
-	enableChmodHook    bool
+	enabledHooks       []string
 
 	csv struct {
 		files          []string
@@ -215,11 +215,12 @@ func (m command) build() *cli.Command {
 				Destination: &opts.disabledHooks,
 				Sources:     cli.EnvVars("NVIDIA_CTK_CDI_GENERATE_DISABLED_HOOKS"),
 			},
-			&cli.BoolFlag{
-				Name:        "enable-chmod-hook",
-				Usage:       "Enable the chmod hook for device folder permissions. This hook is disabled by default.",
-				Destination: &opts.enableChmodHook,
-				Sources:     cli.EnvVars("NVIDIA_CTK_CDI_GENERATE_ENABLE_CHMOD_HOOK"),
+			&cli.StringSliceFlag{
+				Name:        "enable-hook",
+				Aliases:     []string{"enable-hooks"},
+				Usage:       "Explicitly enable a hook in the generated CDI specification. This overrides disabled hooks. This can be specified multiple times.",
+				Destination: &opts.enabledHooks,
+				Sources:     cli.EnvVars("NVIDIA_CTK_CDI_GENERATE_ENABLED_HOOKS"),
 			},
 		},
 	}
@@ -328,8 +329,8 @@ func (m command) generateSpec(opts *options) (spec.Interface, error) {
 		cdiOptions = append(cdiOptions, nvcdi.WithDisabledHook(hook))
 	}
 
-	if opts.enableChmodHook {
-		cdiOptions = append(cdiOptions, nvcdi.WithEnableChmodHook(true))
+	for _, hook := range opts.enabledHooks {
+		cdiOptions = append(cdiOptions, nvcdi.WithEnabledHook(hook))
 	}
 
 	cdilib, err := nvcdi.New(cdiOptions...)
 
@@ -364,43 +364,59 @@ containerEdits:
 		{
 			description: "enableChmodHook",
 			options: options{
-				format:          "yaml",
-				mode:            "nvml",
-				vendor:          "example.com",
-				class:           "device",
-				driverRoot:      driverRoot,
-				enableChmodHook: true,
+				format:        "yaml",
+				mode:          "management",
+				vendor:        "example.com",
+				class:         "device",
+				driverRoot:    driverRoot,
+				enabledHooks:  []string{"chmod"},
+				disabledHooks: []string{"enable-cuda-compat", "update-ldcache", "disable-device-node-modification"},
 			},
 			expectedOptions: options{
 				format:            "yaml",
-				mode:              "nvml",
+				mode:              "management",
 				vendor:            "example.com",
 				class:             "device",
 				nvidiaCDIHookPath: "/usr/bin/nvidia-cdi-hook",
 				driverRoot:        driverRoot,
-				enableChmodHook:   true,
+				enabledHooks:      []string{"chmod"},
+				disabledHooks:     []string{"enable-cuda-compat", "update-ldcache", "disable-device-node-modification"},
 			},
 			expectedSpec: `---
 cdiVersion: 0.5.0
 kind: example.com/device
 devices:
-    - name: "0"
-      containerEdits:
-        deviceNodes:
-            - path: /dev/nvidia0
-              hostPath: {{ .driverRoot }}/dev/nvidia0
     - name: all
       containerEdits:
         deviceNodes:
             - path: /dev/nvidia0
               hostPath: {{ .driverRoot }}/dev/nvidia0
+            - path: /dev/nvidiactl
+              hostPath: {{ .driverRoot }}/dev/nvidiactl
+            - path: /dev/nvidia-caps-imex-channels/channel0
+              hostPath: {{ .driverRoot }}/dev/nvidia-caps-imex-channels/channel0
+            - path: /dev/nvidia-caps-imex-channels/channel1
+              hostPath: {{ .driverRoot }}/dev/nvidia-caps-imex-channels/channel1
+            - path: /dev/nvidia-caps-imex-channels/channel2047
+              hostPath: {{ .driverRoot }}/dev/nvidia-caps-imex-channels/channel2047
+            - path: /dev/nvidia-caps/nvidia-cap1
+              hostPath: {{ .driverRoot }}/dev/nvidia-caps/nvidia-cap1
+        hooks:
+            - hookName: createContainer
+              path: /usr/bin/nvidia-cdi-hook
+              args:
+                - nvidia-cdi-hook
+                - chmod
+                - --mode
+                - "755"
+                - --path
+                - /dev/nvidia-caps
+              env:
+                - NVIDIA_CTK_DEBUG=false
 containerEdits:
     env:
         - NVIDIA_CTK_LIBCUDA_DIR=/lib/x86_64-linux-gnu
         - NVIDIA_VISIBLE_DEVICES=void
-    deviceNodes:
-        - path: /dev/nvidiactl
-          hostPath: {{ .driverRoot }}/dev/nvidiactl
     hooks:
         - hookName: createContainer
           path: /usr/bin/nvidia-cdi-hook
@@ -411,30 +427,6 @@ containerEdits:
             - libcuda.so.1::/lib/x86_64-linux-gnu/libcuda.so
           env:
             - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - enable-cuda-compat
-            - --host-driver-version=999.88.77
-          env:
-            - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - update-ldcache
-            - --folder
-            - /lib/x86_64-linux-gnu
-          env:
-            - NVIDIA_CTK_DEBUG=false
-        - hookName: createContainer
-          path: /usr/bin/nvidia-cdi-hook
-          args:
-            - nvidia-cdi-hook
-            - disable-device-node-modification
-          env:
-            - NVIDIA_CTK_DEBUG=false
     mounts:
         - hostPath: {{ .driverRoot }}/lib/x86_64-linux-gnu/libcuda.so.999.88.77
           containerPath: /lib/x86_64-linux-gnu/libcuda.so.999.88.77
@@ -444,6 +436,14 @@ containerEdits:
             - nodev
             - rbind
             - rprivate
+        - hostPath: {{ .driverRoot }}/lib/x86_64-linux-gnu/vdpau/libvdpau_nvidia.so.999.88.77
+          containerPath: /lib/x86_64-linux-gnu/vdpau/libvdpau_nvidia.so.999.88.77
+          options:
+            - ro
+            - nosuid
+            - nodev
+            - rbind
+            - rprivate
 `,
 		},
 	}
 
@@ -42,12 +42,6 @@ type features struct {
 	// possibly bypassing other checks by an orchestration system such as
 	// kubernetes.
 	IgnoreImexChannelRequests *feature `toml:"ignore-imex-channel-requests,omitempty"`
-	// EnableChmodHook allows the chmod hook to be injected for device folder permissions.
-	// This hook was originally added as a workaround for a specific crun issue with device
-	// nodes in subdirectories of /dev (e.g., /dev/dri/*, /dev/nvidia-caps/*).
-	// Since this issue has been resolved in newer versions of crun, this hook is disabled
-	// by default. Users who still require this functionality can explicitly enable it.
-	EnableChmodHook *feature `toml:"enable-chmod-hook,omitempty"`
 }
 
 type feature bool
 
@@ -50,6 +50,14 @@ const (
 	defaultNvidiaCDIHookPath = "/usr/bin/nvidia-cdi-hook"
 )
 
+// defaultDisabledHooks defines hooks that are disabled by default.
+// These hooks can be explicitly enabled using the WithEnabledHooks option.
+var defaultDisabledHooks = []HookName{
+	// ChmodHook is disabled by default as it was a workaround for older
+	// versions of crun that has since been fixed.
+	ChmodHook,
+}
+
 var _ Discover = (*Hook)(nil)
 
 // Devices returns an empty list of devices for a Hook discoverer.
@@ -82,7 +90,7 @@ type Option func(*cdiHookCreator)
 type cdiHookCreator struct {
 	nvidiaCDIHookPath string
 	disabledHooks     map[HookName]bool
-	enableChmodHook   bool
+	enabledHooks      map[HookName]bool
 
 	fixedArgs    []string
 	debugLogging bool
@@ -101,7 +109,7 @@ type HookCreator interface {
 	Create(HookName, ...string) *Hook
 }
 
-// WithDisabledHooks sets the set of hooks that are disabled for the CDI hook creator.
+// WithDisabledHooks explicitly disables the specified hooks.
 // This can be specified multiple times.
 func WithDisabledHooks(hooks ...HookName) Option {
 	return func(c *cdiHookCreator) {
@@ -111,31 +119,45 @@ func WithDisabledHooks(hooks ...HookName) Option {
 	}
 }
 
-// WithNVIDIACDIHookPath sets the path to the nvidia-cdi-hook binary.
-func WithNVIDIACDIHookPath(nvidiaCDIHookPath string) Option {
+// WithEnabledHooks explicitly enables the specified hooks.
+// This is useful for enabling hooks that are disabled by default.
+func WithEnabledHooks(hooks ...HookName) Option {
 	return func(c *cdiHookCreator) {
-		c.nvidiaCDIHookPath = nvidiaCDIHookPath
+		for _, hook := range hooks {
+			c.enabledHooks[hook] = true
+		}
 	}
 }
 
-// WithEnableChmodHook allows the chmod hook to be enabled.
-// By default, the chmod hook is disabled as it was a workaround for older
-// versions of crun that has since been fixed.
-func WithEnableChmodHook(enabled bool) Option {
+// WithNVIDIACDIHookPath sets the path to the nvidia-cdi-hook binary.
+func WithNVIDIACDIHookPath(nvidiaCDIHookPath string) Option {
 	return func(c *cdiHookCreator) {
-		c.enableChmodHook = enabled
+		c.nvidiaCDIHookPath = nvidiaCDIHookPath
 	}
 }
 
 func NewHookCreator(opts ...Option) HookCreator {
+	disabledHooks := make(map[HookName]bool)
+	enabledHooks := make(map[HookName]bool)
+	for _, hook := range defaultDisabledHooks {
+		disabledHooks[hook] = true
+	}
+
 	cdiHookCreator := &cdiHookCreator{
 		nvidiaCDIHookPath: defaultNvidiaCDIHookPath,
-		disabledHooks:     make(map[HookName]bool),
+		disabledHooks:     disabledHooks,
+		enabledHooks:      enabledHooks,
 	}
 	for _, opt := range opts {
 		opt(cdiHookCreator)
 	}
 
+	// Correct the disabledHooks map to ensure that explicitly enabled hooks
+	// are not disabled.
+	for hook := range enabledHooks {
+		cdiHookCreator.disabledHooks[hook] = false
+	}
+
 	if cdiHookCreator.disabledHooks[AllHooks] {
 		return &allDisabledHookCreator{}
 	}
@@ -160,25 +182,15 @@ func (c cdiHookCreator) Create(name HookName, args ...string) *Hook {
 	}
 }
 
-// isDisabled checks if the specified hook name is disabled.
 func (c cdiHookCreator) isDisabled(name HookName, args ...string) bool {
 	if c.disabledHooks[name] {
 		return true
 	}
 
+	// still reject hooks that require args if none were provided
 	switch name {
-	case CreateSymlinksHook:
-		if len(args) == 0 {
-			return true
-		}
-	case ChmodHook:
-		// ChmodHook is disabled by default unless explicitly enabled
-		if !c.enableChmodHook {
-			return true
-		}
-		if len(args) == 0 {
-			return true
-		}
+	case CreateSymlinksHook, ChmodHook:
+		return len(args) == 0
 	}
 	return false
 }