opengl: add /usr/share/nvidia #12840
Conversation
Codecov ReportAttention:
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #12840 +/- ##
==========================================
+ Coverage 78.69% 78.88% +0.18%
==========================================
Files 1001 1031 +30
Lines 124257 130948 +6691
==========================================
+ Hits 97788 103302 +5514
- Misses 20316 21216 +900
- Partials 6153 6430 +277
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
mvo5
added
the
Needs security review
|
No you're right I forgot to do a mount of the host fs, need to find where to do that |
|
finally got it working, change was more minor than I had thought |
ZoopOTheGoop
force-pushed
the
stage-nvidia
branch
from
bd870f4 to
62c1f2c
Compare
ZoopOTheGoop
force-pushed
the
stage-nvidia
branch
from
62c1f2c to
55b1725
Compare
There was a problem hiding this comment.
I think you're going to need additional code to add a spec.AddUpdateNSf call so that snap-update-ns's AppArmor profile will allow it to perform this mount.
We should also test that this works in the spread tests. I'd suggest updating tests/main/interfaces-opengl-nvidia/task.yaml to do:
- Create the
/usr/share/nvidiadirectory in the prepare step, and add a file inside named as you'd expect the quirks json to be named. - In the execute step, check that the gl-core16 snap can read the file from its sandbox.
- Remove the directory in the restore step.
|
I'm not sure if I got the tests right, but the changes requested should be done modulo that. I had tested the plug in the steam snap where it worked presumably due to steam interface rules compounding with the |
There was a problem hiding this comment.
It looks like the spread tests are in as good a state as we can expect.
There's one last change, and I think the branch will be ready to go: please update the opengl_test.go unit tests to:
- in the AppArmor test, check that
spec.UpdateNS()includes the rules letting snap-update-ns mount /usr/share/nvidia. - Add a
TestMountSpectest that demonstrates that the interface adds the mount rules.
You can use the tests in desktop_test.go as a guide for what these should look like.
alexmurray
removed
the
Needs security review
dirs/dirs.go
Outdated
| @@ -115,6 +115,8 @@ var ( | |||
| SnapDeviceSaveDir string | |||
| SnapDataSaveDir string | |||
|
|
|||
| NvidiaProfilesDir string | |||
There was a problem hiding this comment.
we probably shouldn't define this here, but simply compute what we need in opengl.go
This avoids making the crowded surface of dirs.go even larger. Tweak the code to differentiate between /usr/share/nvidia in the host and in the per-snap mount namespace. Signed-off-by: Zygmunt Krynicki <[email protected]>
|
@ZoopOTheGoop @pedronis I've pushed an update that removes the change from |
interfaces/builtin/opengl.go
Outdated
| @@ -172,6 +185,10 @@ unix (bind,listen) type=seqpacket addr="@cuda-uvmfd-[0-9a-f]*", | |||
| unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"), | |||
| ` | |||
|
|
|||
| type openGlInterface struct { | |||
There was a problem hiding this comment.
| type openGlInterface struct { | |
| type openglInterface struct { |
to be consistent with rest of the names used in this file
Signed-off-by: Zygmunt Krynicki <[email protected]>
Signed-off-by: Zygmunt Krynicki <[email protected]>
|
I will refrain from self-reviewing this but I think it is good to merge. |
* add mount rules to opengl plug * properly allow mounts in apparmor * add tests for /usr/share/nvidia * update tests * generate apparmor rules properly * fix file naming in tests * unit tests * fix tests without /usr/share/nvidia * add TearDownTest * fix apparmor test dir ordering * convert back to raw string * remove superfluous characters * i/builtin: move /usr/share/nvidia to opengl internals This avoids making the crowded surface of dirs.go even larger. Tweak the code to differentiate between /usr/share/nvidia in the host and in the per-snap mount namespace. Signed-off-by: Zygmunt Krynicki <[email protected]> * i/builtin: rename openGlInterface to openglInterface Signed-off-by: Zygmunt Krynicki <[email protected]> * tests: add details to tests/main/interfaces-opengl-nvidia/task.yaml Signed-off-by: Zygmunt Krynicki <[email protected]> --------- Signed-off-by: Zygmunt Krynicki <[email protected]> Co-authored-by: Zygmunt Krynicki <[email protected]>
* add mount rules to opengl plug * properly allow mounts in apparmor * add tests for /usr/share/nvidia * update tests * generate apparmor rules properly * fix file naming in tests * unit tests * fix tests without /usr/share/nvidia * add TearDownTest * fix apparmor test dir ordering * convert back to raw string * remove superfluous characters * i/builtin: move /usr/share/nvidia to opengl internals This avoids making the crowded surface of dirs.go even larger. Tweak the code to differentiate between /usr/share/nvidia in the host and in the per-snap mount namespace. Signed-off-by: Zygmunt Krynicki <[email protected]> * i/builtin: rename openGlInterface to openglInterface Signed-off-by: Zygmunt Krynicki <[email protected]> * tests: add details to tests/main/interfaces-opengl-nvidia/task.yaml Signed-off-by: Zygmunt Krynicki <[email protected]> --------- Signed-off-by: Zygmunt Krynicki <[email protected]> Co-authored-by: Zygmunt Krynicki <[email protected]>
This allows access to
/usr/share/nvidiain theopenglplug. Nvidia apparently requests this be available in containers as per discussion in #12794