Merge branch 'ignore-nvidia-visible-devices' into 'master'

klueska · klueska · commit e8aa3cc8c30f · 2021-01-25T10:25:00.000Z
Ignore NVIDIA_VISIBLE_DEVICES for containers with insufficent privileges

See merge request nvidia/container-toolkit/container-toolkit!25
diff --git a/pkg/container_config.go b/pkg/container_config.go
@@ -295,8 +295,8 @@ func getDevices(hookConfig *HookConfig, env map[string]string, mounts []Mount, p
 		return devices
 	}
 
-	// Error out otherwise
-	log.Panicln("insufficient privileges to read device list from NVIDIA_VISIBLE_DEVICES envvar")
+	configName := hookConfig.getConfigOption("AcceptEnvvarUnprivileged")
+	log.Printf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES (privileged=%v, %v=%v) ", privileged, configName, hookConfig.AcceptEnvvarUnprivileged)
 
 	return nil
 }
diff --git a/pkg/container_test.go b/pkg/container_test.go
@@ -540,7 +540,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
 		acceptUnprivileged bool
 		acceptMounts       bool
 		expectedDevices    *string
-		expectedPanic      bool
 	}{
 		{
 			description: "Mount devices, unprivileged, no accept unprivileged",
@@ -567,7 +566,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			privileged:         false,
 			acceptUnprivileged: false,
 			acceptMounts:       true,
-			expectedPanic:      true,
+			expectedDevices:    nil,
 		},
 		{
 			description:        "No mount devices, privileged, no accept unprivileged",
@@ -621,7 +620,7 @@ func TestDeviceListSourcePriority(t *testing.T) {
 			privileged:         false,
 			acceptUnprivileged: false,
 			acceptMounts:       false,
-			expectedPanic:      true,
+			expectedDevices:    nil,
 		},
 	}
 	for _, tc := range tests {
@@ -638,12 +637,6 @@ func TestDeviceListSourcePriority(t *testing.T) {
 				devices = getDevices(&hookConfig, env, tc.mountDevices, tc.privileged, false)
 			}
 
-			// For any tests that are expected to panic, make sure they do.
-			if tc.expectedPanic {
-				mustPanic(t, getDevices)
-				return
-			}
-
 			// For all other tests, just grab the devices and check the results
 			getDevices()
 			if !reflect.DeepEqual(devices, tc.expectedDevices) {
diff --git a/pkg/hook_config.go b/pkg/hook_config.go
@@ -4,6 +4,7 @@ import (
 	"log"
 	"os"
 	"path"
+	"reflect"
 
 	"github.com/BurntSushi/toml"
 )
@@ -86,3 +87,18 @@ func getHookConfig() (config HookConfig) {
 
 	return config
 }
+
+// getConfigOption returns the toml config option associated with the
+// specified struct field.
+func (c HookConfig) getConfigOption(fieldName string) string {
+	t := reflect.TypeOf(c)
+	f, ok := t.FieldByName(fieldName)
+	if !ok {
+		return fieldName
+	}
+	v, ok := f.Tag.Lookup("toml")
+	if !ok {
+		return fieldName
+	}
+	return v
+}

Original file line number	Diff line number	Diff line change
`@@ -295,8 +295,8 @@ func getDevices(hookConfig *HookConfig, env map[string]string, mounts []Mount, p`
`295`	`295`	`return devices`
`296`	`296`	`}`
`297`	`297`
`298`		`- // Error out otherwise`
`299`		`- log.Panicln("insufficient privileges to read device list from NVIDIA_VISIBLE_DEVICES envvar")`
	`298`	`+ configName := hookConfig.getConfigOption("AcceptEnvvarUnprivileged")`
	`299`	`+ log.Printf("Ignoring devices specified in NVIDIA_VISIBLE_DEVICES (privileged=%v, %v=%v) ", privileged, configName, hookConfig.AcceptEnvvarUnprivileged)`
`300`	`300`
`301`	`301`	`return nil`
`302`	`302`	`}`