automatically detect CODER_USR_LIB_DIR

Author: johnstcn

README.md

@@ -20,7 +20,7 @@ The environment variables can be used to configure various aspects of the inner
 | `CODER_IMAGE_PULL_SECRET`      | The docker credentials to use when pulling the inner container. The recommended way to do this is to create an [Image Pull Secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line) and then reference the secret using an [environment variable](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data). See below for example. | false    |
 | `CODER_DOCKER_BRIDGE_CIDR`     | The bridge CIDR to start the Docker daemon with.                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | false    |
 | `CODER_MOUNTS`                 | A list of mounts to mount into the inner container. Mounts default to `rw`. Ex: `CODER_MOUNTS=/home/coder:/home/coder,/var/run/mysecret:/var/run/mysecret:ro`                                                                                                                                                                                                                                                                                                                                                                  | false    |
-| `CODER_USR_LIB_DIR`            | The mountpoint of the host `/usr/lib` directory. Only required when using GPUs.                                                                                                                                                                                                                                                                                                                                                                                                                                                | false    |
+| `CODER_USR_LIB_DIR`            | The location under which GPU drivers can be found, either if mounted manually from the host or automatically by the container runtime. Only required when using GPUs. If not set, Envbox will try to automatically set this to a sensible value.                                                                                                                                                                                                                                                                               | false    |
 | `CODER_ADD_TUN`                | If `CODER_ADD_TUN=true` add a TUN device to the inner container.                                                                                                                                                                                                                                                                                                                                                                                                                                                               | false    |
 | `CODER_ADD_FUSE`               | If `CODER_ADD_FUSE=true` add a FUSE device to the inner container.                                                                                                                                                                                                                                                                                                                                                                                                                                                             | false    |
 | `CODER_ADD_GPU`                | If `CODER_ADD_GPU=true` add detected GPUs and related files to the inner container. Requires setting `CODER_USR_LIB_DIR` and mounting in the hosts `/usr/lib/` directory.                                                                                                                                                                                                                                                                                                                                                      | false    |

cli/docker.go

@@ -502,7 +502,27 @@ func runDockerCVM(ctx context.Context, log slog.Logger, client dockerutil.Client
 
 	if flags.addGPU {
 		if flags.hostUsrLibDir == "" {
-			return xerrors.Errorf("when using GPUs, %q must be specified", EnvUsrLibDir)
+			// If the user didn't specify CODER_USR_LIB_DIR, try to default to a
+			// sensible value.
+			log.Info(ctx, EnvUsrLibDir+" not specified, determining from /etc/os-release (best-effort)")
+			osReleaseFile, err := fs.Open("/etc/os-release")
+			if err != nil {
+				return xerrors.Errorf("open /etc/os-release: %w", err)
+			}
+			defer osReleaseFile.Close()
+			contents, err := io.ReadAll(osReleaseFile)
+			if err != nil {
+				return xerrors.Errorf("read /etc/os-release: %w", err)
+			}
+			rid := dockerutil.GetOSReleaseID(contents)
+			found, ok := dockerutil.UsrLibDirs[rid]
+			if !ok {
+				// This should actually be impossible as GetOSReleaseID will return
+				// "linux" as a fallback.
+				return xerrors.Errorf("developer error: no UsrLibDir for os-release id %q", rid)
+			}
+			log.Info(ctx, "automatically set CODER_USR_LIB_DIR", slog.F("path", found))
+			flags.hostUsrLibDir = found
 		}
 
 		// Unmount GPU drivers in /proc as it causes issues when creating any
@@ -534,6 +554,8 @@ func runDockerCVM(ctx context.Context, log slog.Logger, client dockerutil.Client
 		slog.F("uid", imgMeta.UID),
 		slog.F("gid", imgMeta.GID),
 		slog.F("has_init", imgMeta.HasInit),
+		slog.F("os_release", imgMeta.OsReleaseID),
+		slog.F("home_dir", imgMeta.HomeDir),
 	)
 
 	uid, err := strconv.ParseInt(imgMeta.UID, 10, 32)

cli/docker_test.go

@@ -532,21 +532,6 @@ func TestDocker(t *testing.T) {
 		require.True(t, called, "create function was not called for inner container")
 	})
 
-	t.Run("GPUNoUsrLibDir", func(t *testing.T) {
-		t.Parallel()
-
-		ctx, cmd := clitest.New(t, "docker",
-			"--image=ubuntu",
-			"--username=root",
-			"--agent-token=hi",
-			"--add-gpu=true",
-		)
-
-		err := cmd.ExecuteContext(ctx)
-		require.Error(t, err)
-		require.ErrorContains(t, err, fmt.Sprintf("when using GPUs, %q must be specified", cli.EnvUsrLibDir))
-	})
-
 	t.Run("GPU", func(t *testing.T) {
 		t.Parallel()
 

dockerutil/image.go

@@ -29,13 +29,13 @@ var usrLibMultiarchDir = map[string]string{
 }
 
 // Adapted from https://github.com/NVIDIA/libnvidia-container/blob/v1.15.0/src/nvc_container.c#L152-L165
-var usrLibDirs = map[string]string{
+var UsrLibDirs = map[string]string{
 	// Debian-based distros use a multi-arch directory.
 	"debian": usrLibMultiarchDir[goruntime.GOARCH],
 	"ubuntu": usrLibMultiarchDir[goruntime.GOARCH],
 	// Fedora and Redhat use the standard /usr/lib64.
 	"fedora": "/usr/lib64",
-	"redhat": "/usr/lib64",
+	"rhel":   "/usr/lib64",
 	// Fall back to the standard /usr/lib.
 	"linux": "/usr/lib",
 }
@@ -259,18 +259,7 @@ func GetImageMetadata(ctx context.Context, client Client, img, username string)
 		Args:        []string{etcOsRelease},
 	})
 	if err == nil {
-		for _, line := range strings.Split(string(out), "\n") {
-			if strings.HasPrefix(line, "ID=") {
-				osReleaseID = strings.TrimPrefix(line, "ID=")
-				// The value may be quoted.
-				osReleaseID = strings.Trim(osReleaseID, "\"")
-				break
-			}
-		}
-	}
-	if osReleaseID == "" {
-		// The default value is just "linux" if we can't find the ID.
-		osReleaseID = "linux"
+		osReleaseID = GetOSReleaseID(out)
 	}
 
 	return ImageMetadata{
@@ -285,10 +274,28 @@ func GetImageMetadata(ctx context.Context, client Client, img, username string)
 // UsrLibDir returns the path to the /usr/lib directory for the given
 // operating system determined by the /etc/os-release file.
 func (im ImageMetadata) UsrLibDir() string {
-	if val, ok := usrLibDirs[im.OsReleaseID]; ok {
+	if val, ok := UsrLibDirs[im.OsReleaseID]; ok {
 		return val
 	}
-	return usrLibDirs["linux"] // fallback
+	return UsrLibDirs["linux"] // fallback
+}
+
+// GetOSReleaseID returns the ID of the operating system from the
+// raw contents of /etc/os-release.
+func GetOSReleaseID(raw []byte) string {
+	var osReleaseID string
+	for _, line := range strings.Split(string(raw), "\n") {
+		if strings.HasPrefix(line, "ID=") {
+			osReleaseID = strings.TrimPrefix(line, "ID=")
+			// The value may be quoted.
+			osReleaseID = strings.Trim(osReleaseID, "\"")
+			break
+		}
+	}
+	if osReleaseID == "" {
+		return "linux"
+	}
+	return osReleaseID
 }
 
 func DefaultLogImagePullFn(log buildlog.Logger) func(ImagePullEvent) error {

integration/docker_test.go

@@ -22,7 +22,7 @@ import (
 func TestDocker(t *testing.T) {
 	t.Parallel()
 	if val, ok := os.LookupEnv("CODER_TEST_INTEGRATION"); !ok || val != "1" {
-		t.Skip("integration tests are skipped unless CODER_TEST_INTEGRATION=true")
+		t.Skip("integration tests are skipped unless CODER_TEST_INTEGRATION=1")
 	}
 
 	// Dockerd just tests that dockerd can spin up and function correctly.

integration/gpu_test.go

@@ -17,7 +17,7 @@ import (
 func TestDocker_Nvidia(t *testing.T) {
 	t.Parallel()
 	if val, ok := os.LookupEnv("CODER_TEST_INTEGRATION"); !ok || val != "1" {
-		t.Skip("integration tests are skipped unless CODER_TEST_INTEGRATION=true")
+		t.Skip("integration tests are skipped unless CODER_TEST_INTEGRATION=1")
 	}
 	// Only run this test if the nvidia container runtime is detected.
 	// Check if the nvidia runtime is available using `docker info`.
@@ -44,6 +44,23 @@ func TestDocker_Nvidia(t *testing.T) {
 		require.NoError(t, err, "failed to run nvidia-smi in the inner container")
 	})
 
+	t.Run("Ubuntu_NoUsrLibDir", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithCancel(context.Background())
+		t.Cleanup(cancel)
+
+		// Start the envbox container.
+		ctID := startEnvboxCmd(ctx, t, integrationtest.UbuntuImage, "root",
+			"--env", "CODER_ADD_GPU=true",
+			"--runtime=nvidia",
+			"--gpus=all",
+		)
+
+		// Assert that we can run nvidia-smi in the inner container.
+		_, err := execContainerCmd(ctx, t, ctID, "docker", "exec", "workspace_cvm", "nvidia-smi")
+		require.NoError(t, err, "failed to run nvidia-smi in the inner container")
+	})
+
 	t.Run("Redhat", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithCancel(context.Background())
@@ -61,6 +78,23 @@ func TestDocker_Nvidia(t *testing.T) {
 		_, err := execContainerCmd(ctx, t, ctID, "docker", "exec", "workspace_cvm", "nvidia-smi")
 		require.NoError(t, err, "failed to run nvidia-smi in the inner container")
 	})
+
+	t.Run("Redhat_NoUsrLibDir", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithCancel(context.Background())
+		t.Cleanup(cancel)
+
+		// Start the envbox container.
+		ctID := startEnvboxCmd(ctx, t, integrationtest.RedhatImage, "root",
+			"--env", "CODER_ADD_GPU=true",
+			"--runtime=nvidia",
+			"--gpus=all",
+		)
+
+		// Assert that we can run nvidia-smi in the inner container.
+		_, err := execContainerCmd(ctx, t, ctID, "docker", "exec", "workspace_cvm", "nvidia-smi")
+		require.NoError(t, err, "failed to run nvidia-smi in the inner container")
+	})
 }
 
 // dockerRuntimes returns the list of container runtimes available on the host.
@@ -78,6 +112,11 @@ func dockerRuntimes(t *testing.T) []string {
 	return strings.Split(raw, "\n")
 }
 
+// startEnvboxCmd starts the envbox container with the given arguments.
+// Ideally we would use ory/dockertest for this, but it doesn't support
+// specifying the runtime. We have alternatively used the docker client library,
+// but a nice property of using the docker cli is that if a test fails, you can
+// just run the command manually to debug!
 func startEnvboxCmd(ctx context.Context, t *testing.T, innerImage, innerUser string, addlArgs ...string) (containerID string) {
 	t.Helper()