Add aws-k8s-1.21-nvidia variant

[arnaldo2792]

Issue number:
N / A

Description of changes:

Draft PR for aws-k8s-1.21-nvidia variant.

This PR adds the aws-k8s-1.21-nvidia variant, along with all the building blocks required to support NVIDIA GPUs in future releases. This variant includes all the configurations and software required to leverage GPUs in containerized workloads. In this variant, the default containerd runtime's name is nvidia, and uses the shimpei helper program as the OCI runtime binary.

kmod-5.10-nvidia

The drivers are subpackages of kmod-5.10-nvidia, since we don't want to have a spec file per driver type per driver version. The spec file for kmod-5.10-nvidia will hold the drivers that are compatible with the 5.10 kernel. New spec files should be added for newer kernel and driver versions. The kmod-5.10-nvidia package provides a tmpfilesd conf file to create the lib modules directory where the kernel modules will be created.

Each subpackage installs the libraries and binaries underneath %{_cross_bindir}/nvidia/<type> and %{_cross_libdir}/nvidia/<type> respectively to prevent collisions while building the subpackages. Kernel module objects are installed in %{_cross_datadir}/nvidia/<type>/modules, so that driverdog can link them at runtime.

Each subpackage provides a drop-in configuration file for containerd, that sets the NVIDIA_PATH environment variable. This environment variable must be set to the directory that contains the NVIDIA userland tools, which will be mounted on the containers by libnvidia-container. The environment variable is set for containerd, since libnvidia-container is called by the runtime to set up the containers.

variants: add aws-k8s-1.21-nvidia
actions: add matrix `fetch-upstream` variable
containerd: add configuration for NVIDIA runtime
packages: add NVIDIA tesla 470 driver

Remaining tasks:

• Use oci-add-hooks instead of nvidia-container-runtime
• Add documentation for driverdog
• Check that Node Feature Discovery, GPU feature Discovery, and DCGM work as expected
• Check aarch64 build works
• Add documentation for variant

Testing done:
I launched p3/g4dn/g5g instances and deployed the vectoradd-cuda sample app, I had access to nvidia-smi and I ran the sample app:

apiVersion: v1
kind: Pod
metadata:
  name: cuda-vectoradd
spec:
  restartPolicy: OnFailure
  containers:
  - name: cuda-vectoradd
    image: nvidia/samples:vectoradd-cuda11.2.1
    resources:
      limits:
         nvidia.com/gpu: 1
    command: ['sh', '-c', 'sleep infinity']

root@cuda-vectoradd:/# nvidia-smi
Tue Nov  2 01:59:52 2021
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 470.57.02    Driver Version: 470.57.02    CUDA Version: 11.4     |
|-------------------------------+----------------------+----------------------+
| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|                               |                      |               MIG M. |
|===============================+======================+======================|
|   0  Tesla V100-SXM2...  Off  | 00000000:00:1E.0 Off |                    0 |
| N/A   34C    P0    22W / 300W |      0MiB / 16160MiB |      0%      Default |
|                               |                      |                  N/A |
+-------------------------------+----------------------+----------------------+

+-----------------------------------------------------------------------------+
| Processes:                                                                  |
|  GPU   GI   CI        PID   Type   Process name                  GPU Memory |
|        ID   ID                                                   Usage      |
|=============================================================================|
|  No running processes found                                                 |
+-----------------------------------------------------------------------------+

root@cuda-vectoradd:/# /tmp/sample
[Vector addition of 50000 elements]
Copy input data from the host memory to the CUDA device
CUDA kernel launch with 196 blocks of 256 threads
Copy output data from the CUDA device to the host memory
Test PASSED
Done

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[arnaldo2792]

Forced push includes:

• Cleaned containerd-config-toml_k8s, there were some leftover configurations
• Remove nvidia-container-runtime and use shimpei instead
• Modify containerd.service to read /etc/containerd/containerd.env file for additional env variables
• Comments in kmod-5.10-nvidia spec file that explains the included files
• Use shimpei + oci-add-hooks as the nvidia runtime for aws-k8s-1.21-nvidia
• Documentation for driverdog
• Cleaned driverdog, there were some leftover errors

[arnaldo2792]

Forced push includes:

• Update Github Actions to build the variant
• Add missing symlinks for NVIDIA libraries, used by workloads like the GPU Feature Discovery
• Add NVIDIA tesla 470 license to package
• Add /etc/kubernetes/node-feature-discovery/features.d for GPU Feature Discovery to work
• Remove unnecessary patch in libnvidia-container
• Create the nvidia-container-toolkit configuration in /etc/nvidia-container-runtime/config.toml, otherwise it isn't read, even though it was specified with the -config flag

[arnaldo2792]

Forced push includes:

• Removed leftover packages from kmod-5.10-nvidia Cargo.toml
• Removed driver-tmpfiles.conf leftover file from os package
• Cleaned up kmod-5.10-nvidia spec file and driverdog Cargo.toml

[samuelkarp]

@bcressey should we add anything specific to the SELinux policy covering files in /var/lib/kernel-modules?

[bcressey]

Yes, this would be good to do for all the host directories we create for overlayfs mechanics.

[samuelkarp]

Why the extra indent? That shows up in the readme too.

[samuelkarp]

Since this is actually vendor-specific, it might be worthwhile to hard-code the (only) vendor path we have today: /usr/share/oci-add-hooks/nvidia.json. When we get to the point of adding a second vendor, we'd need a second compiled version of shimpei pointing to that second path anyway.

[arnaldo2792]

I could make this change, but I would prefer if we don't hard-code the vendor specific name in shimpei. I understand that the contents of the hook.json file are vendor specific, but there won't be any case in which we have two "vendor runtimes" enabled in the same AMI, and shimpei doesn't really care about the hook that will be executed, it only knows that there is a hook.json file that oci-add-hooks will use.

The hook.json file can be provided by a kmod-<kernel>-<vendor> package, just like I did with kmod-5.10-nvidia, and we will save ourselves the N shimpei compilations, per vendor.

[bcressey]

We could avoid a second copy of shimpei by doing the multicall / busybox thing where we inspect arg0 and see if we're called as nvidia-oci-hook, amdgpupro-hook, etc, and use the matching /usr/share/oci-add-hooks/<prefix>.json as our input.

Then packages that wanted to use shimpei could just install a symlink, e.g. /usr/bin/nvidia-oci-hook -> /usr/bin/shimpei.

[samuelkarp]

GO111MODULE=off go build -buildmode=pie -ldflags="-linkmode=external" -o oci-add-hooks .

[samuelkarp]

Why are we setting this as the default? Wouldn't the typical experience be to have it available as an option set through RuntimeClass?

[arnaldo2792]

The typical experience with EKS Optimzed AMI, CO'OS, and the GPU Operator is that the users don't have to set a RuntimeClass to run their workloads. This settings helps us have parity with at least the EKS Optimized AMI.

[arnaldo2792]

Forced pushed includes:

• Use the same binutils version as the one in the SDK, along with a check to prevent drifts
• Optional nvidia.env file in containerd.service
• Change dependency order for oci-add-hooks and nvidia-container-toolkit
• Replaced /etc with %_corss_sysconfigdir in glibc.spec
• Set IPMI_HANDLER as a module in the kernel config
• Templated files in kmod-5.10-nvidia package
• Leave just the bare minimum NVIDIA libraries for me to test, the libraries will be added in a different PR
• Removed nvidia-persistenced, will be added in a different PR
• Load i2c_core and impi_msghandler at boot with a modules-load.d drop-in
• Changed driver's configuration file shape
• Separate linking and loading kernel modules sets in driverdog, and use two subsequent oneshot services
• Add node-feature-discovery/features.d to all k8s variants
• Use the SDK's LD linker in libnvidia-containerd
• Moved drop-in to delay ldconfig.service to kmod-5.10-nvidia

[arnaldo2792]

Forced push includes:

• Remove variant from github actions
• Fix both bintuils.spec description and licenses
• Add a check to fail if the binutils version is different from the one in the SDK
• Exclude files in bintuils.spec instead of deleting them
• Change shimpei to use the 0 argument as a prefix to look for the <prefix>-hook.json file
• Add the nvidia-oci symlink to shimpei in nvidia-container-toolkit
• Update containerd's configuration file to use nvidia-oci as the runtime binary
• Update libnvidia-container's licenses
• Use the ld and strip binaries in the SDK
• Install NVIDIA binaries in %{_cross_libexecdir}
• Use templated files in kmod-5.10-nvidia
• Build nvidia-drm but exclude it in kmod-5.10-nvidia
• List all the objects instead of using the * in kmod-5.10-nvidia
• Delay ldconfig.service in release.spec instead of kmod-5.10-nvidia
• Move link-kernel-modules and load-kernel-modules to preconfigured.target
• driverdog now reads all the files in /etc/drivers , instead of looking for one specific file
• Add binutils as a dependency of release but only include it in variants that include driverdog

[arnaldo2792]

Rebased develop to fix conflicts

[bcressey]

Reviewed everything except the kmod packaging and driverdog.

[arnaldo2792]

Forced push includes:

• Fixed containerd's configuration file
• Removed unused linked files from nvidia-5.10-kmod.spec file
• Simplified tmpfilesd conf file to copy ld.so.conf.d files
• Added underscores to templated variables
• Refactored driverdog to simplify build configuration file
• Removed binutils and nvidia-container-toolkit from specs where they aren't needed
• Added missing build flag in oci-add-hooks spec file
• Use expect in shimpei constant strings

[arnaldo2792]

Forced push to rebase changes in libnvidia-container + k8s-device plugin

[arnaldo2792]

Forced push to fix build for aarch64 + add k8s device plugin to nvidia variant

[bcressey]

Do we have to override this for each item in the list, even if the default isn't changing?

[arnaldo2792]

I could try removing it and see if it works 👍

[arnaldo2792]

It didn't 😄 , I changed it back per our offline conversation.

[bcressey]

Suggested change

	%global spdx_id %(bottlerocket-license-tool -l $PWD/rpmbuild/BUILD/Licenses.toml spdx-id nvidia)
	%global license_file %(bottlerocket-license-tool -l $PWD/rpmbuild/BUILD/Licenses.toml path nvidia -p ./licenses)
	%global spdx_id %(bottlerocket-license-tool -l %{_builddir}/Licenses.toml spdx-id nvidia)
	%global license_file %(bottlerocket-license-tool -l %{_builddir}/Licenses.toml path nvidia -p ./licenses)

[bcressey]

nit: it is considered bad form to conditionally include files like this in the spec file since then a source RPM won't be complete - whether it includes the x86 or arm64 run file will depend on what it was built for rather than what the end user of the srpm wants to build for.

In the context of our distro, it's fine since we don't build source RPMs, but I'd still prefer to include both .run files and conditionally invoke the right one, just as a stylistic twitch.

[bcressey]

nit:

Suggested change

	D /lib/modules/KERNEL_VERSION/kernel/drivers/extra/video/nvidia/tesla 0755 root root -
	D /lib/modules/__KERNEL_VERSION__/kernel/drivers/extra/video/nvidia/tesla 0755 root root -

[bcressey]

obligatory nit:

Suggested change

	sed -e "s|KERNEL_VERSION|$KERNEL_VERSION|" %{S:200} > nvidia.conf
	sed -e "s|KERNEL_VERSION|${KERNEL_VERSION}|" %{S:200} > nvidia.conf

[bcressey]

Suggested change

	# TODO: add remaining libraries once we implement "image per variant" in the rpm2img script
	# TODO: add remaining libraries

[bcressey]

nit:

Suggested change

	install -m755 libnvidia-ml.so.%{nvidia_tesla_470_version} %{buildroot}%{_cross_libdir}/nvidia/tesla/%{nvidia_tesla_470_version}
	install -m755 libnvidia-ml.so.%{nvidia_tesla_470_version} %{buildroot}%{_cross_libdir}/nvidia/tesla/%{nvidia_tesla_470_version}

[arnaldo2792]

Forced push includes documentation changes

[arnaldo2792]

Forced push to rebase the upstream

[bcressey]

It seems cleaner just to document using the HTML license file; then we won't have driver links that go out of date.

[bcressey]

nit: I like the cleanup but I tend to want it in a separate commit - can still be in this PR though

[bcressey]

Suggested change

	It also includes the [NVIDIA k8s device plugin](https://github.com/NVIDIA/k8s-device-plugin), so please make sure you don't have a daemonset running the device plugin in your cluster before launching a new node using this variant.
	It also includes the [NVIDIA k8s device plugin](https://github.com/NVIDIA/k8s-device-plugin).
	If you already have a daemonset for the device plugin in your cluster, you may need to use taints and tolerations to keep it from running on Bottlerocket nodes.

[bcressey]

Suggested change

	With this variant, most of the existing NVIDIA tools (like [DCGM](https://github.com/NVIDIA/dcgm-exporter) and the [GPU Feature Discovery](https://github.com/NVIDIA/gpu-feature-discovery)) work as you would expect, you can install them in your cluster following the instructions provided for each project.
	Additional NVIDIA tools such as [DCGM](https://github.com/NVIDIA/dcgm-exporter) and [GPU Feature Discovery](https://github.com/NVIDIA/gpu-feature-discovery) will work as expected.
	You can install them in your cluster by following the `helm install` instructions provided for each project.

[bcressey]

This is hard to understand without more details. I'd suggest saying something like:

Suggested change

	Even though you could use the [GPU Operator](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/getting-started.html#install-nvidia-gpu-operator) to install these tools, we recommend installing these tools individually via `helm install` since the Operator could break your workloads on upgrades.
	The [GPU Operator](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/getting-started.html#install-nvidia-gpu-operator) can also be used to install these tools.
	However, it is cumbersome to select the right subset of features to avoid conflicts with the software included in the variant.
	Therefore we recommend installing the tools individually if they are required.

[bcressey]

I'd prefer not to link to variant specifics here, or else we'll be doing that everywhere on this page. In general, we need to figure out a more structured approach to getting started with particular variants, since this isn't scaling very well.

[bcressey]

Suggested change

	**Note:** the `aws-k8s-1.21-nvidia` variant includes the NVIDIA k8s device plugin which is compiled without the `-wl,-z,now` flags, and other precompiled NVIDIA libraries that could haven't been compiled with hardening flags.
	**Note:** Certain variants, such as the ones for NVIDIA, include precompiled binaries that may not have been built with these hardening flags.

[arnaldo2792]

Forced push uses %{_builddir} macro in kmod-5.10-nvidia spec

[bcressey]

Suggested change

	3. Build your image, setting the `BUILDSYS_UPSTREAM_SOURCE_FALLBACK` flag to `true`, if you haven't cache the driver's sources:
	3. Build your image, setting the `BUILDSYS_UPSTREAM_SOURCE_FALLBACK` flag to `true`, if you haven't cached the driver's sources:

[arnaldo2792]

Forced push fixes:

• KERNEL_VERSION to KERNEL_VERSION
• Type in BUILDING.md

[jpculp]

We should include a releases-url, but not necessarily this PR.

[jpculp]

nit. our previous booleans (and values) were unquoted, but these ones are quoted. I think I would unquote these for consistency.

[arnaldo2792]

The previous booleans values were used within the context of the github workflows, which are literal booleans. Since GH worklflows are defined in YAML, I can't use false and expect it to get translated to "false", I could get a 1, or another value that doesn't work for the environment variables passed to cargo make

[zmrow]

🌃