/**
# Copyright (c) 2024, HCUOpt CORPORATION.  All rights reserved.
**/

package modifier

import (
	"dcu-container-toolkit/internal/logger"
	"dcu-container-toolkit/internal/oci"
	"path/filepath"

	"github.com/opencontainers/runtime-spec/specs-go"
)

// NewNvidiaContainerRuntimeHookRemover returns a SpecModifier that strips
// nvidia-container-runtime-hook / nvidia-container-toolkit entries from the
// prestart hooks of an OCI spec. Diagnostic output goes to the supplied logger.
func NewNvidiaContainerRuntimeHookRemover(logger logger.Interface) oci.SpecModifier {
	return &nvidiaContainerRuntimeHookRemover{logger: logger}
}

// nvidiaContainerRuntimeHookRemover is a spec modifier that detects and removes
// inserted nvidia-container-runtime hooks. Only the prestart hook stage is
// inspected; see Modify and isNVIDIAContainerRuntimeHook for the exact match.
type nvidiaContainerRuntimeHookRemover struct {
	// logger receives Debugf output describing each removed hook and the
	// resulting prestart list.
	logger logger.Interface
}

// Compile-time check that *nvidiaContainerRuntimeHookRemover satisfies oci.SpecModifier.
var _ oci.SpecModifier = (*nvidiaContainerRuntimeHookRemover)(nil)

// Modify drops every prestart hook that isNVIDIAContainerRuntimeHook recognises
// and writes the shortened list back to spec.Hooks.Prestart. A nil spec, a spec
// without a Hooks section, or an empty prestart list is left untouched. Other
// hook stages are not examined. It always returns nil.
func (m nvidiaContainerRuntimeHookRemover) Modify(spec *specs.Spec) error {
	if spec == nil || spec.Hooks == nil || len(spec.Hooks.Prestart) == 0 {
		return nil
	}

	prestart := spec.Hooks.Prestart

	// kept stays nil when every hook is removed, so Prestart becomes nil rather
	// than an empty slice (the two serialise differently to JSON).
	var kept []specs.Hook
	for i := range prestart {
		h := prestart[i]
		if !isNVIDIAContainerRuntimeHook(&h) {
			kept = append(kept, h)
			continue
		}
		m.logger.Debugf("Removing hook %v", h)
	}

	// Leave the spec alone when nothing was filtered out.
	if len(kept) == len(prestart) {
		return nil
	}
	m.logger.Debugf("Updating 'prestart' hooks to %v", kept)
	spec.Hooks.Prestart = kept
	return nil
}

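// isNVIDIAContainerRuntimeHook reports whether hook's executable is named
// nvidia-container-runtime-hook or nvidia-container-toolkit. Such hooks are
// inserted, for example, by the non-experimental nvidia-container-runtime or
// by docker when the --gpus flag is used.
//
// Only the basename of hook.Path is compared, so the directory the binary
// lives in does not affect the match. A nil hook is never a match.
func isNVIDIAContainerRuntimeHook(hook *specs.Hook) bool {
	if hook == nil {
		return false
	}
	// A switch over the two constant names avoids building a map on every call.
	switch filepath.Base(hook.Path) {
	case "nvidia-container-runtime-hook", "nvidia-container-toolkit":
		return true
	default:
		return false
	}
}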

// NewSeccompRemover returns a SpecModifier that clears the seccomp filter and
// the AppArmor profile from an OCI spec. The supplied logger receives an Info
// line each time the spec is changed.
func NewSeccompRemover(logger logger.Interface) oci.SpecModifier {
	return &seccompRemover{logger: logger}
}

// seccompRemover is a spec modifier that disables seccomp. Its Modify method
// also clears Process.ApparmorProfile, so a container processed by it runs
// without a syscall filter and without an AppArmor profile.
type seccompRemover struct {
	// logger receives an Info line whenever Modify changes the spec.
	logger logger.Interface
}

// Compile-time check that *seccompRemover satisfies oci.SpecModifier.
var _ oci.SpecModifier = (*seccompRemover)(nil)

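// Modify disables the seccomp filter and the AppArmor profile in spec: it sets
// spec.Linux.Seccomp to nil and spec.Process.ApparmorProfile to "", then logs
// that it did so. The container described by the resulting spec runs without a
// syscall filter or an AppArmor profile, so this modifier reduces the
// isolation the original spec provided; the Info log line is the only record
// of that change.
//
// A nil spec or a spec without a Linux section is left untouched. spec.Process
// is optional in the OCI spec and is checked before use so a spec without a
// process section does not cause a nil-pointer panic. It always returns nil.
func (m seccompRemover) Modify(spec *specs.Spec) error {
	if spec == nil || spec.Linux == nil {
		return nil
	}
	spec.Linux.Seccomp = nil
	// Process may be absent; the original code dereferenced it unconditionally.
	if spec.Process != nil {
		spec.Process.ApparmorProfile = ""
	}
	m.logger.Info("Remove linux.seccomp in OCI spec and Process.ApparmorProfile")
	return nil
}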