Use just-in-time CDI spec generation by default in the NVIDIA Container Runtime

[elezar]

This PR changes the default behaviour of the NVIDIA Container Runtime to use an in-memory CDI specification to make changes to the incoming OCI runtime specification instead of invoking the nvidia-container-runtime-hook (i.e. "legacy" mode). This was previously available as an opt-in option when a user would request a CDI device using the predefined runtime.nvidia.com/gpu CDI device class as part of the CDI device name.

With this change, all device requests (annotations, volume mounts, environment variables) are mapped to runtime.nvidia.com/gpu={{ .DeviceID }} requests if they are not already CDI device requests. This means that CDI specifications for these defices are generated as the container is being created and these specifications are used to modify the incomming OCI runtime specification.

When the nvidia runtime is invoked in this mode, any existing nvidia-container-runtime-hook in the OCI runtime specification is removed so as to not use the legacy injection mechanism.

Note that when only the nvidia-container-runtime-hook is used (as is the case with the Docker --gpus flag or the default crio configuration), the default runtime mode is set to legacy to ensure that this mode of operation is not changed.

This means that:

$ docker run --rm -ti --runtime=runc --gpus=all ubuntu nvidia-smi -L
GPU 0: Tesla V100-SXM2-16GB-N (UUID: GPU-edfee158-11c1-52b8-0517-92f30e7fac88)
GPU 1: Tesla V100-SXM2-16GB-N (UUID: GPU-f22fb098-d1b3-3806-2655-ba25f02229c1)
GPU 2: Tesla V100-SXM2-16GB-N (UUID: GPU-f613f823-1032-b3ec-a876-50f2e35e6f9e)
GPU 3: Tesla V100-SXM2-16GB-N (UUID: GPU-3109fa37-4445-73c7-b695-1b5a4d13f58e)
GPU 4: Tesla V100-SXM2-16GB-N (UUID: GPU-e28a6529-288c-7ddf-8fea-68c4833cda70)
GPU 5: Tesla V100-SXM2-16GB-N (UUID: GPU-a27fb382-bad2-c02a-95ba-f6a1da38e76c)
GPU 6: Tesla V100-SXM2-16GB-N (UUID: GPU-f5bb8d07-ee19-1787-4d9a-a84c4ac6b086)
GPU 7: Tesla V100-SXM2-16GB-N (UUID: GPU-1ba0ca0e-6d1d-d9db-07d8-c1c5a8c32814)

works as expected

(without the change of the default this would return an error similar to):

$ docker run --rm -ti --runtime=runc --gpus="device=runtime.nvidia.com/gpu=0" ubuntu nvidia-smi -L
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: Auto-detected mode as 'cdi'
invoking the NVIDIA Container Runtime Hook directly (e.g. specifying the docker --gpus flag) is not supported. Please use the NVIDIA Container Runtime (e.g. specify the --runtime=nvidia flag) instead: unknown.

[jgehrcke]

Maybe add a code comment showing an example of what this function is doing (supposed to do).

[jgehrcke]

let's invert the world

[jgehrcke]

I know this is a drafty draft and I don't know what I am talking about. But we need to make progress here and you know what you are doing. So, approved!

[cdesiniotis]

LGTM

[cdesiniotis]

Suggested change

	require.Empty(t, spec.Hooks, "there should be hooks in config.json")
	require.Empty(t, spec.Hooks, "there should be no hooks in config.json")

[cdesiniotis]

Suggested change

	require.Equal(t, 0, nvidiaHookCount(spec.Hooks), "exactly one nvidia prestart hook should be inserted correctly into config.json")
	require.Equal(t, 0, nvidiaHookCount(spec.Hooks), "no nvidia prestart hook should be inserted into config.json")

[cdesiniotis]

Suggested change

	require.Equal(t, 0, nvidiaHookCount(spec.Hooks), "exactly one nvidia prestart hook should be inserted correctly into config.json")
	require.Equal(t, 0, nvidiaHookCount(spec.Hooks), "no nvidia prestart hook should be inserted into config.json")

[cdesiniotis]

Before this change I notice that we were only calling container.CDIDevicesFromMounts() to construct the list of devices specified as volume mounts, but now we are also calling container.DeviceFromMounts() -- is there a reason we weren't calling both functions prior?

[ArangoGutierrez]

++

[ArangoGutierrez]

@elezar is this PR Ready for review, or why is it still set as Draft?

[ArangoGutierrez]

LGTM
Just a couple comments

[ArangoGutierrez]

++

[coveralls]

Pull Request Test Coverage Report for Build 15677002794

Details

• 59 of 127 (46.46%) changed or added relevant lines in 7 files are covered.
• 6 unchanged lines in 4 files lost coverage.
• Overall coverage increased (+0.04%) to 33.666%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
cmd/nvidia-container-runtime-hook/main.go	0	3	0.0%
cmd/nvidia-container-runtime-hook/container_config.go	0	11	0.0%
internal/info/auto.go	32	45	71.11%
cmd/nvidia-container-runtime-hook/hook_config.go	3	18	16.67%
internal/modifier/cdi.go	0	26	0.0%

Files with Coverage Reduction	New Missed Lines	%
cmd/nvidia-container-runtime-hook/main.go	1	0.0%
internal/info/auto.go	1	75.44%
internal/modifier/cdi.go	1	8.74%
cmd/nvidia-container-runtime-hook/hook_config.go	3	55.32%

Totals
Change from base Build 15640396854:	0.04%
Covered Lines:	4353
Relevant Lines:	12930

---

💛 - Coveralls

force-push

[elezar]

Do we have a preference on what to call this mode?