From adce41c43295767b5c60f3ccff2389ce76ab4c4a Mon Sep 17 00:00:00 2001
From: Zvonko Kaiser
Date: Thu, 15 Jan 2026 01:43:09 +0000
Subject: [PATCH] gpu: Bump NVRC Version

The new NVRC version works for CC and non-CC use cases, no --feature confidential needed anymore. Bump versions.yaml and adjust deployment instructions.

Signed-off-by: Zvonko Kaiser
---
 .../rootfs-builder/nvidia/nvidia_rootfs.sh | 72 ++++++++-----------
 versions.yaml | 2 +-
 2 files changed, 32 insertions(+), 42 deletions(-)

diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
index 8ecd2c9d4d..e54067c4d7 100644
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
@@ -41,29 +41,27 @@ fi
 readonly stage_one="${BUILD_DIR:?}/rootfs-${VARIANT:?}-stage-one"
 
 setup_nvidia-nvrc() {
- local rootfs_type=${1:-""}
+ local url ver
+ local nvrc=NVRC-${machine_arch}-unknown-linux-musl
+ url=$(get_package_version_from_kata_yaml "externals.nvrc.url")
+ ver=$(get_package_version_from_kata_yaml "externals.nvrc.version")
 
- BIN="NVRC${rootfs_type:+"-${rootfs_type}"}"
- TARGET=${machine_arch}-unknown-linux-musl
- URL=$(get_package_version_from_kata_yaml "externals.nvrc.url")
- VER=$(get_package_version_from_kata_yaml "externals.nvrc.version")
+ local dl="${url}/${ver}"
+ curl -fsSL -o "${BUILD_DIR}/${nvrc}.tar.xz" "${dl}/${nvrc}.tar.xz"
+ curl -fsSL -o "${BUILD_DIR}/${nvrc}.tar.xz.sig" "${dl}/${nvrc}.tar.xz.sig"
+ curl -fsSL -o "${BUILD_DIR}/${nvrc}.tar.xz.cert" "${dl}/${nvrc}.tar.xz.cert"
 
- local DL="${URL}/${VER}"
- curl -fsSL -o "${BUILD_DIR}/${BIN}-${TARGET}.tar.xz" "${DL}/${BIN}-${TARGET}.tar.xz"
- curl -fsSL -o "${BUILD_DIR}/${BIN}-${TARGET}.tar.xz.sig" "${DL}/${BIN}-${TARGET}.tar.xz.sig"
- curl -fsSL -o "${BUILD_DIR}/${BIN}-${TARGET}.tar.xz.cert" "${DL}/${BIN}-${TARGET}.tar.xz.cert"
-
- ID="^https://github.com/NVIDIA/nvrc/.github/workflows/.+@refs/heads/main$"
- OIDC="https://token.actions.githubusercontent.com"
+ local id="^https://github.com/NVIDIA/nvrc/.github/workflows/.+@refs/heads/main$"
+ local oidc="https://token.actions.githubusercontent.com"
 
 # Only allow releases from the NVIDIA/nvrc main branch and build by github actions
- cosign verify-blob \
- --rekor-url https://rekor.sigstore.dev \
- --certificate "${BUILD_DIR}/${BIN}-${TARGET}.tar.xz.cert" \
- --signature "${BUILD_DIR}/${BIN}-${TARGET}.tar.xz.sig" \
- --certificate-identity-regexp "${ID}" \
- --certificate-oidc-issuer "${OIDC}" \
- "${BUILD_DIR}/${BIN}-${TARGET}.tar.xz"
+ cosign verify-blob \
+ --rekor-url https://rekor.sigstore.dev \
+ --certificate "${BUILD_DIR}/${nvrc}.tar.xz.cert" \
+ --signature "${BUILD_DIR}/${nvrc}.tar.xz.sig" \
+ --certificate-identity-regexp 
"${id}" \ + --certificate-oidc-issuer "${oidc}" \ + "${BUILD_DIR}/${nvrc}.tar.xz" } setup_nvidia_gpu_rootfs_stage_one() { @@ -81,12 +79,11 @@ setup_nvidia_gpu_rootfs_stage_one() { chmod +x ./nvidia_chroot.sh - local BIN="NVRC${rootfs_type:+"-${rootfs_type}"}" - local TARGET=${machine_arch}-unknown-linux-musl - if [[ ! -e "${BUILD_DIR}/${BIN}-${TARGET}.tar.xz" ]]; then - setup_nvidia-nvrc "${rootfs_type}" + local nvrc=NVRC-${machine_arch}-unknown-linux-musl + if [[ ! -e "${BUILD_DIR}/${nvrc}.tar.xz" ]]; then + setup_nvidia-nvrc fi - tar -xvf "${BUILD_DIR}/${BIN}-${TARGET}.tar.xz" -C ./bin/ + tar -xvf "${BUILD_DIR}/${nvrc}.tar.xz" -C ./bin/ local appendix="${rootfs_type:+"-${rootfs_type}"}" if echo "${NVIDIA_GPU_STACK}" | grep -q '\'; then @@ -229,19 +226,13 @@ chisseled_gpudirect() { } setup_nvrc_init_symlinks() { - local rootfs_type=${1:-""} - - local bin="NVRC${rootfs_type:+"-${rootfs_type}"}" - local target=${machine_arch}-unknown-linux-musl - + local nvrc="NVRC-${machine_arch}-unknown-linux-musl" # make sure NVRC is the init process for the initrd and image case - ln -sf /bin/"${bin}-${target}" init - ln -sf /bin/"${bin}-${target}" sbin/init + ln -sf /bin/"${nvrc}" init + ln -sf /bin/"${nvrc}" sbin/init } chisseled_init() { - local rootfs_type=${1:-""} - echo "nvidia: chisseling init" tar --zstd -xvf "${BUILD_DIR}"/kata-static-busybox.tar.zst -C . 
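Review bot: The cosign check in the new `setup_nvidia-nvrc` proves only that the archive was signed by some NVIDIA/nvrc main-branch GitHub Actions run; nothing binds the downloaded `${nvrc}.tar.xz` to the `ver` read from versions.yaml, so an older or otherwise mismatched release artifact carrying a valid signature would pass unchanged. Pin the expected `sha256` of the archive next to `externals.nvrc.version` in versions.yaml and compare it against `sha256sum` output alongside the cosign call, or tie the certificate to the release's source commit with `--certificate-github-workflow-sha`. Unless the script runs under `set -e` (not visible in this hunk), a failed `cosign verify-blob` also does not stop the build; ending the call with `|| return 1` makes the intent explicit. The literal `NVRC-${machine_arch}-unknown-linux-musl` is now spelled out four times (here and in the hunks at -81, -229 and -255); defining it once beside `stage_one` as `readonly nvrc_bin="NVRC-${machine_arch}-unknown-linux-musl"` would keep the next rename to a single line, provided `machine_arch` is already set there (its definition is outside this diff).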
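Review bot: The existence check in `setup_nvidia_gpu_rootfs_stage_one` skips `setup_nvidia-nvrc`, and with it the cosign verification, whenever `${BUILD_DIR}/${nvrc}.tar.xz` is already present; since that filename carries no version, a cached archive from the previous `v0.0.1` build, or anything else placed in `BUILD_DIR`, is extracted unverified after this bump. Either move the `[[ ! -e … ]]` guard into `setup_nvidia-nvrc` so it only skips the three `curl` downloads while `cosign verify-blob` always runs, or include the version in the cached filename so a stale archive is never matched. The rest of `setup_nvidia_gpu_rootfs_stage_one` lies outside the hunk.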
@@ -255,14 +246,13 @@ chisseled_init() { libdir=lib/"${machine_arch}"-linux-gnu cp -a "${stage_one}"/"${libdir}"/libgcc_s.so.1* "${libdir}"/. - bin="NVRC${rootfs_type:+"-${rootfs_type}"}" - target=${machine_arch}-unknown-linux-musl + local nvrc="NVRC-${machine_arch}-unknown-linux-musl" - cp -a "${stage_one}/bin/${bin}-${target}" bin/. - cp -a "${stage_one}/bin/${bin}-${target}".cert bin/. - cp -a "${stage_one}/bin/${bin}-${target}".sig bin/. + cp -a "${stage_one}/bin/${nvrc}" bin/. + cp -a "${stage_one}/bin/${nvrc}".cert bin/. + cp -a "${stage_one}/bin/${nvrc}".sig bin/. - setup_nvrc_init_symlinks "${rootfs_type}" + setup_nvrc_init_symlinks cp -a "${stage_one}"/usr/bin/kata-agent usr/bin/. if [[ "${AGENT_POLICY}" == "yes" ]]; then @@ -357,7 +347,7 @@ setup_nvidia_gpu_rootfs_stage_two() { pushd "${stage_two}" >> /dev/null # Only step needed from stage_two (see chisseled_init) - setup_nvrc_init_symlinks "${type}" + setup_nvrc_init_symlinks else echo "nvidia: chisseling the following stack components: ${stack}" @@ -368,7 +358,7 @@ setup_nvidia_gpu_rootfs_stage_two() { pushd "${stage_two}" >> /dev/null - chisseled_init "${type}" + chisseled_init chisseled_iptables IFS=',' read -r -a stack_components <<< "${NVIDIA_GPU_STACK}" diff --git a/versions.yaml b/versions.yaml index a5dad106f4..bfd4a9c743 100644 --- a/versions.yaml +++ b/versions.yaml @@ -242,7 +242,7 @@ externals: nvrc: # yamllint disable-line rule:line-length desc: "The NVRC project provides a Rust binary that implements a simple init system for microVMs" - version: "v0.0.1" + version: "v0.1.1" url: "https://github.com/NVIDIA/nvrc/releases/download/" nvidia: