Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add check/mkdir for apt keyrings in nvidia-container role #226

Merged
merged 1 commit into from
Oct 22, 2024
Merged

Add check/mkdir for apt keyrings in nvidia-container role #226

merged 1 commit into from
Oct 22, 2024

Conversation

cdunbar13
Copy link
Collaborator

Adds keyring directory for OSs that do not have it by default. Tested on Ubuntu 20.04 and 22.04, Deb 11 and12.

@cdunbar13 cdunbar13 requested a review from tpdownes October 21, 2024 20:48
tpdownes
tpdownes reviewed Oct 21, 2024
View reviewed changes
Copy link
Member

@tpdownes tpdownes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I cannot find any evidence that this directory is used on versions of apt below 2.4

https://manpages.debian.org/bookworm/apt/apt-key.8.en.html#DEPRECATION

Debian 11 uses apt 2.2.4. e.g. compare

https://manpages.debian.org/bullseye/apt/sources.list.5.en.html

and

https://manpages.debian.org/bookworm/apt/sources.list.5.en.html

Can you show me the output of apt-get update && apt-get install nvidia-container-toolkit on Debian 11 and/or any other OS using a version of apt below 2.4?

@tpdownes tpdownes removed their assignment Oct 21, 2024
@tpdownes
Copy link
Member

tpdownes commented Oct 21, 2024
edited
Loading

I cannot find any evidence that this directory is used on versions of apt below 2.4

https://manpages.debian.org/bookworm/apt/apt-key.8.en.html#DEPRECATION

Debian 11 uses apt 2.2.4. e.g. compare

https://manpages.debian.org/bullseye/apt/sources.list.5.en.html

and

https://manpages.debian.org/bookworm/apt/sources.list.5.en.html

Can you show me the output of apt-get update && apt-get install nvidia-container-toolkit on Debian 11 and/or any other OS using a version of apt below 2.4?

It doesn't show up in the GitHub PR diff, but after expanding I see that you're pointing to the directory explicitly with signed-by. Is that why you believe this code works?

@cdunbar13
Copy link
Collaborator Author

cdunbar13 commented Oct 21, 2024
edited
Loading

Yes that is why I think the code works, regardless of the apt version (at least the versions present on the relevant OS images).

@cdunbar13 cdunbar13 requested a review from tpdownes October 21, 2024 21:01
@tpdownes
Copy link
Member

Yes that is why I think the code works, regardless of the apt version (at least the versions present on the relevant OS images).

I would still like to see the output of apt-get update && apt-get install nvidia-container-toolkit recorded in this PR. My concern is that the documentation isn't explicit about ASCII (armored) key files being OK. This can be done manually in a vanilla Debian 11 VM.

@cdunbar13
Copy link
Collaborator Author

Relevant output:

root@instance-20241021-211744:~# echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/nvidia-container-toolkit-keyr
ing.asc https://nvidia.github.io/libnvidia-container/stable/deb/\$(ARCH) /" > /etc/apt/sources.list.d/nvidia-con
tainer-toolkit.list
root@instance-20241021-211744:~# wget https://nvidia.github.io/libnvidia-container/gpgkey -O /etc/apt/keyrings/n
vidia-container-toolkit-keyring.asc
--2024-10-21 21:27:34--  https://nvidia.github.io/libnvidia-container/gpgkey
Resolving nvidia.github.io (nvidia.github.io)... 185.199.108.153, 185.199.110.153, 185.199.109.153, ...
Connecting to nvidia.github.io (nvidia.github.io)|185.199.108.153|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3195 (3.1K) [application/octet-stream]
Saving to: ‘/etc/apt/keyrings/nvidia-container-toolkit-keyring.asc’

/etc/apt/keyrings/nvidia-co 100%[===========================================>]   3.12K  --.-KB/s    in 0s      

2024-10-21 21:27:34 (30.4 MB/s) - ‘/etc/apt/keyrings/nvidia-container-toolkit-keyring.asc’ saved [3195/3195]

root@instance-20241021-211744:~# apt-get update
Hit:1 https://packages.cloud.google.com/apt google-compute-engine-bullseye-stable InRelease
Get:2 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  InRelease [1477 B]
Hit:3 https://deb.debian.org/debian bullseye InRelease                       
Hit:4 https://packages.cloud.google.com/apt cloud-sdk-bullseye InRelease
Hit:5 https://deb.debian.org/debian-security bullseye-security InRelease
Hit:6 https://deb.debian.org/debian bullseye-updates InRelease
Hit:7 https://deb.debian.org/debian bullseye-backports InRelease
Get:8 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  Packages [12.0 kB]
Fetched 13.5 kB in 1s (16.2 kB/s) 
Reading package lists... Done
root@instance-20241021-211744:~# apt-get install nvidia-container-toolkit
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libnvidia-container-tools libnvidia-container1 nvidia-container-toolkit-base
The following NEW packages will be installed:
  libnvidia-container-tools libnvidia-container1 nvidia-container-toolkit nvidia-container-toolkit-base
0 upgraded, 4 newly installed, 0 to remove and 5 not upgraded.
Need to get 5783 kB of archives.
After this operation, 27.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  libnvidia-container1 1.16.2-1 [926 kB]
Get:2 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  libnvidia-container-tools 1.16.2-1 [20.0 kB]
Get:3 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  nvidia-container-toolkit-base 1.16.2-1 [3652 kB]
Get:4 https://nvidia.github.io/libnvidia-container/stable/deb/amd64  nvidia-container-toolkit 1.16.2-1 [1184 kB]
Fetched 5783 kB in 0s (17.7 MB/s)              
Selecting previously unselected package libnvidia-container1:amd64.
(Reading database ... 67810 files and directories currently installed.)
Preparing to unpack .../libnvidia-container1_1.16.2-1_amd64.deb ...
Unpacking libnvidia-container1:amd64 (1.16.2-1) ...
Selecting previously unselected package libnvidia-container-tools.
Preparing to unpack .../libnvidia-container-tools_1.16.2-1_amd64.deb ...
Unpacking libnvidia-container-tools (1.16.2-1) ...
Selecting previously unselected package nvidia-container-toolkit-base.
Preparing to unpack .../nvidia-container-toolkit-base_1.16.2-1_amd64.deb ...
Unpacking nvidia-container-toolkit-base (1.16.2-1) ...
Selecting previously unselected package nvidia-container-toolkit.
Preparing to unpack .../nvidia-container-toolkit_1.16.2-1_amd64.deb ...
Unpacking nvidia-container-toolkit (1.16.2-1) ...
Setting up nvidia-container-toolkit-base (1.16.2-1) ...
Setting up libnvidia-container1:amd64 (1.16.2-1) ...
Setting up libnvidia-container-tools (1.16.2-1) ...
Setting up nvidia-container-toolkit (1.16.2-1) ...
Processing triggers for libc-bin (2.31-13+deb11u11) ...

This output was modified to remove some error I made in retrieving the key correctly and creating a poorly formed sources file.

@cdunbar13 cdunbar13 removed their assignment Oct 21, 2024
tpdownes
tpdownes approved these changes Oct 21, 2024
View reviewed changes
Copy link
Member

@tpdownes tpdownes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you. The approach surrounding binary/ASCII key files has been in flux as have the recommendations surrounding storage of non-packaged keys. I think this threads the needle appropriately across old and new Debian + derivatives.

@tpdownes tpdownes assigned cdunbar13 and unassigned tpdownes Oct 21, 2024
@cdunbar13 cdunbar13 merged commit d0f2b36 into master Oct 22, 2024
2 checks passed
@cdunbar13 cdunbar13 deleted the fix-nvidia-container-folder branch October 22, 2024 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tpdownes tpdownes tpdownes approved these changes

Assignees

@cdunbar13 cdunbar13

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cdunbar13 @tpdownes