Use a tmpfs to store the modified params file

elezar · elezar · commit 6b3a5fa192a8 · 2025-02-13T17:10:53.000+01:00
Instead of creating the params file on the host, we use a tmpfs
mounted into the container instead.

Signed-off-by: Evan Lezar &lt;elezar@nvidia.com&gt;
diff --git a/cmd/nvidia-cdi-hook/update-nvidia-params/mount_linux.go b/cmd/nvidia-cdi-hook/update-nvidia-params/mount_linux.go
@@ -20,10 +20,16 @@
 package nvidiaparams
 
 import (
+	"fmt"
+
 	"golang.org/x/sys/unix"
 )
 
+func createTmpFs(target string, size uint64) error {
+	// return unix.Mount("tmpfs", target, "tmpfs", 0, fmt.Sprintf("ro,nosuid,nodev,noexec,size=%d", size))
+	return unix.Mount("tmpfs", target, "tmpfs", 0, fmt.Sprintf("size=%d", size))
+}
+
 func bindMountReadonly(source string, target string) error {
 	return unix.Mount(source, target, "", unix.MS_BIND|unix.MS_RDONLY|unix.MS_NOSYMFOLLOW, "")
-
 }
diff --git a/cmd/nvidia-cdi-hook/update-nvidia-params/mount_other.go b/cmd/nvidia-cdi-hook/update-nvidia-params/mount_other.go
@@ -23,6 +23,10 @@ import (
 	"fmt"
 )
 
+func createTmpFs(target string, size uint64) error {
+	return fmt.Errorf("not supported")
+}
+
 func bindMountReadonly(source string, target string) error {
 	return fmt.Errorf("not supported")
 }
diff --git a/cmd/nvidia-cdi-hook/update-nvidia-params/update-nvidia-params.go b/cmd/nvidia-cdi-hook/update-nvidia-params/update-nvidia-params.go
@@ -115,6 +115,7 @@ func (m command) updateNvidiaParamsFromReader(r io.Reader, containerRoot string)
 	var newLines []string
 	scanner := bufio.NewScanner(r)
 	var requiresModification bool
+	var requiredSize uint64
 	for scanner.Scan() {
 		line := scanner.Text()
 		if strings.HasPrefix(line, "ModifyDeviceFiles: ") {
@@ -128,6 +129,7 @@ func (m command) updateNvidiaParamsFromReader(r io.Reader, containerRoot string)
 			}
 		}
 		newLines = append(newLines, line)
+		requiredSize += uint64(len(line) + 5)
 	}
 	if err := scanner.Err(); err != nil {
 		return fmt.Errorf("failed to read params file: %w", err)
@@ -137,7 +139,15 @@ func (m command) updateNvidiaParamsFromReader(r io.Reader, containerRoot string)
 		return nil
 	}
 
-	containerParamsFile, err := os.CreateTemp("", "nvct-params-*")
+	tmpRoot, err := os.MkdirTemp("", "nvct-empty-dir*")
+	if err != nil {
+		return fmt.Errorf("failed to create temporary folder: %w", err)
+	}
+	if err := createTmpFs(tmpRoot, requiredSize); err != nil {
+		return fmt.Errorf("failed to create tmpfs mount for params file: %w", err)
+	}
+
+	containerParamsFile, err := os.Create(filepath.Join(tmpRoot, "nvct-params"))
 	if err != nil {
 		return fmt.Errorf("failed to create temporary params file: %w", err)
 	}
@@ -147,7 +157,7 @@ func (m command) updateNvidiaParamsFromReader(r io.Reader, containerRoot string)
 		return fmt.Errorf("failed to write temporary params file: %w", err)
 	}
 
-	if err := containerParamsFile.Chmod(0o644); err != nil {
+	if err := containerParamsFile.Chmod(0o444); err != nil {
 		return fmt.Errorf("failed to set permissions on temporary params file: %w", err)
 	}
 
diff --git a/cmd/nvidia-ctk-installer/container/toolkit/toolkit_test.go b/cmd/nvidia-ctk-installer/container/toolkit/toolkit_test.go
@@ -87,6 +87,11 @@ containerEdits:
     - /lib/x86_64-linux-gnu
     hookName: createContainer
     path: {{ .toolkitRoot }}/nvidia-cdi-hook
+  - args:
+    - nvidia-cdi-hook
+    - update-nvidia-params
+    hookName: createContainer
+    path: {{ .toolkitRoot }}/nvidia-cdi-hook
   mounts:
   - containerPath: /lib/x86_64-linux-gnu/libcuda.so.999.88.77
     hostPath: /host/driver/root/lib/x86_64-linux-gnu/libcuda.so.999.88.77

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,10 @@ import (`
`23`	`23`	`"fmt"`
`24`	`24`	`)`
`25`	`25`
	`26`	`+func createTmpFs(target string, size uint64) error {`
	`27`	`+ return fmt.Errorf("not supported")`
	`28`	`+}`
	`29`	`+`
`26`	`30`	`func bindMountReadonly(source string, target string) error {`
`27`	`31`	`return fmt.Errorf("not supported")`
`28`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -115,6 +115,7 @@ func (m command) updateNvidiaParamsFromReader(r io.Reader, containerRoot string)`
`115`	`115`	`var newLines []string`
`116`	`116`	`scanner := bufio.NewScanner(r)`
`117`	`117`	`var requiresModification bool`
	`118`	`+ var requiredSize uint64`
`118`	`119`	`for scanner.Scan() {`
`119`	`120`	`line := scanner.Text()`
`120`	`121`	`if strings.HasPrefix(line, "ModifyDeviceFiles: ") {`
`@@ -128,6 +129,7 @@ func (m command) updateNvidiaParamsFromReader(r io.Reader, containerRoot string)`
`128`	`129`	`}`
`129`	`130`	`}`
`130`	`131`	`newLines = append(newLines, line)`
	`132`	`+ requiredSize += uint64(len(line) + 5)`
`131`	`133`	`}`
`132`	`134`	`if err := scanner.Err(); err != nil {`
`133`	`135`	`return fmt.Errorf("failed to read params file: %w", err)`
`@@ -137,7 +139,15 @@ func (m command) updateNvidiaParamsFromReader(r io.Reader, containerRoot string)`
`137`	`139`	`return nil`
`138`	`140`	`}`
`139`	`141`
`140`		`- containerParamsFile, err := os.CreateTemp("", "nvct-params-*")`
	`142`	`+ tmpRoot, err := os.MkdirTemp("", "nvct-empty-dir*")`
	`143`	`+ if err != nil {`
	`144`	`+ return fmt.Errorf("failed to create temporary folder: %w", err)`
	`145`	`+ }`
	`146`	`+ if err := createTmpFs(tmpRoot, requiredSize); err != nil {`
	`147`	`+ return fmt.Errorf("failed to create tmpfs mount for params file: %w", err)`
	`148`	`+ }`
	`149`	`+`
	`150`	`+ containerParamsFile, err := os.Create(filepath.Join(tmpRoot, "nvct-params"))`
`141`	`151`	`if err != nil {`
`142`	`152`	`return fmt.Errorf("failed to create temporary params file: %w", err)`
`143`	`153`	`}`
`@@ -147,7 +157,7 @@ func (m command) updateNvidiaParamsFromReader(r io.Reader, containerRoot string)`
`147`	`157`	`return fmt.Errorf("failed to write temporary params file: %w", err)`
`148`	`158`	`}`
`149`	`159`
`150`		`- if err := containerParamsFile.Chmod(0o644); err != nil {`
	`160`	`+ if err := containerParamsFile.Chmod(0o444); err != nil {`
`151`	`161`	`return fmt.Errorf("failed to set permissions on temporary params file: %w", err)`
`152`	`162`	`}`
`153`	`163`