services/hardware: add nvidia-container-toolkit

2024-01-28 13:00:32 +01:00
parent fd464f0543
commit 8ba61ebb8a
9 changed files with 145 additions and 29 deletions
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -28,29 +28,39 @@ in
      description = lib.mdDoc "Enable the OCI seccomp BPF hook";
    };

-    cdi = mkOption {
-      type = types.attrs;
-      default = { };
-      description = lib.mdDoc ''
-        Declarative CDI specification. Each key of the attribute set
-        will be mapped to a file in /etc/cdi. It is required for every
-        key to be provided in JSON format.
-      '';
-      example = {
-        some-vendor = builtins.fromJSON ''
-            {
-              "cdiVersion": "0.5.0",
-              "kind": "some-vendor.com/foo",
-              "devices": [],
-              "containerEdits": []
-            }
-          '';
+    cdi = {
+      dynamic.nvidia.enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Enable dynamic CDI configuration for NVidia devices by running nvidia-container-toolkit on boot.
+        '';
+      };

-        some-other-vendor = {
-          cdiVersion = "0.5.0";
-          kind = "some-other-vendor.com/bar";
-          devices = [];
-          containerEdits = [];
+      static = mkOption {
+        type = types.attrs;
+        default = { };
+        description = lib.mdDoc ''
+          Declarative CDI specification. Each key of the attribute set
+          will be mapped to a file in /etc/cdi. It is required for every
+          key to be provided in JSON format.
+        '';
+        example = {
+          some-vendor = builtins.fromJSON ''
+              {
+                "cdiVersion": "0.5.0",
+                "kind": "some-vendor.com/foo",
+                "devices": [],
+                "containerEdits": []
+              }
+            '';
+
+          some-other-vendor = {
+            cdiVersion = "0.5.0";
+            kind = "some-other-vendor.com/bar";
+            devices = [];
+            containerEdits = [];
+          };
        };
      };
    };
@@ -140,6 +150,8 @@ in

  config = lib.mkIf cfg.enable {

+    hardware.nvidia-container-toolkit-cdi-generator.enable = lib.mkIf cfg.cdi.dynamic.nvidia.enable true;
+
    virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];

    virtualisation.containers.containersConf.settings = {
@@ -152,11 +164,11 @@ in
    };

    environment.etc = let
-      cdiConfigurationFiles = (lib.attrsets.mapAttrs'
+      cdiStaticConfigurationFiles = (lib.attrsets.mapAttrs'
        (name: value:
          lib.attrsets.nameValuePair "cdi/${name}.json"
            { text = builtins.toJSON value; })
-        cfg.cdi);
+        cfg.cdi.static);
    in {
      "containers/containers.conf".source =
        toml.generate "containers.conf" cfg.containersConf.settings;
@@ -171,7 +183,7 @@ in
      "containers/policy.json".source =
        if cfg.policy != { } then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
        else "${pkgs.skopeo.policy}/default-policy.json";
-    } // cdiConfigurationFiles;
+    } // cdiStaticConfigurationFiles;

  };

--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@@ -72,6 +72,8 @@ in
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
+          **Deprecated**, please use virtualisation.containers.cdi.dynamic.nvidia.enable instead.
+
          Enable nvidia-docker wrapper, supporting NVIDIA GPUs inside docker containers.
        '';
      };
@@ -185,6 +187,16 @@ in
      users.groups.docker.gid = config.ids.gids.docker;
      systemd.packages = [ cfg.package ];

+      # Docker 25.0.0 supports CDI by default
+      # (https://docs.docker.com/engine/release-notes/25.0/#new). Encourage
+      # moving to CDI as opposed to having deprecated runtime
+      # wrappers.
+      warnings = lib.optionals (cfg.enableNvidia && (lib.strings.versionAtLeast cfg.package.version "25")) [
+        ''
+          You have set virtualisation.docker.enableNvidia. This option is deprecated, please set virtualisation.containers.cdi.dynamic.nvidia.enable instead.
+        ''
+      ];
+
      systemd.services.docker = {
        wantedBy = optional cfg.enableOnBoot "multi-user.target";
        after = [ "network.target" "docker.socket" ];
--- a/nixos/modules/virtualisation/podman/default.nix
+++ b/nixos/modules/virtualisation/podman/default.nix
@@ -82,6 +82,8 @@ in
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
+        **Deprecated**, please use virtualisation.containers.cdi.dynamic.nvidia.enable instead.
+
        Enable use of NVidia GPUs from within podman containers.
      '';
    };
@@ -166,6 +168,12 @@ in
      inherit (networkConfig) dns_enabled network_interface;
    in
    lib.mkIf cfg.enable {
+      warnings = lib.optionals cfg.enableNvidia [
+        ''
+          You have set virtualisation.podman.enableNvidia. This option is deprecated, please set virtualisation.containers.cdi.dynamic.nvidia.enable instead.
+        ''
+      ];
+
      environment.systemPackages = [ cfg.package ]
        ++ lib.optional cfg.dockerCompat dockerCompat;