From 11764302786eb2bd2448af7a3e24e0cc1daad6f6 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Fri, 10 Jan 2025 10:44:11 +0100
Subject: [PATCH 1/3] Disable mounting of compat libs from container

This change passes the --no-cntlibs argument to the nvidia-container-cli from the nvidia-container-runtime-hook to disable overwriting host drivers with the compat libs from a container being started. Note that this may be a breaking change for some applications.

Signed-off-by: Evan Lezar
---
 cmd/nvidia-container-runtime-hook/main.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cmd/nvidia-container-runtime-hook/main.go b/cmd/nvidia-container-runtime-hook/main.go
index cf2322efb..c93808007 100644
--- a/cmd/nvidia-container-runtime-hook/main.go
+++ b/cmd/nvidia-container-runtime-hook/main.go
@@ -114,6 +114,8 @@ func doPrestart() {
 }
 args = append(args, "configure")
 
+ args = append(args, "--no-cntlibs")
+
 if ldconfigPath := cli.NormalizeLDConfigPath(); ldconfigPath != "" {
 args = append(args, fmt.Sprintf("--ldconfig=%s", ldconfigPath))
 }

From ed3b52eb8d9bc5d001d1fda5d206f5765947bed2 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Fri, 10 Jan 2025 10:30:39 +0100
Subject: [PATCH 2/3] Add allow-cuda-compat-libs-from-container feature flag

This change adds an allow-cuda-compat-libs-from-container feature flag to the NVIDIA Container Toolkit config. This allows a user to opt-in to the previous default behaviour of overriding certain driver libraries with CUDA compat libraries from the container.

Signed-off-by: Evan Lezar
---
 cmd/nvidia-container-runtime-hook/main.go | 5 +++--
 internal/config/features.go | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/cmd/nvidia-container-runtime-hook/main.go b/cmd/nvidia-container-runtime-hook/main.go
index c93808007..e864a51d8 100644
--- a/cmd/nvidia-container-runtime-hook/main.go
+++ b/cmd/nvidia-container-runtime-hook/main.go
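Review bot: In [PATCH 1/3], the new `args = append(args, "--no-cntlibs")` in doPrestart carries no comment saying why the flag is passed or which nvidia-container-cli builds accept it. The option presumably exists only from the libnvidia-container revision that [PATCH 3/3] pins, so a hook paired with an older CLI may fail at container start rather than fall back; that is worth confirming and documenting for packagers. I would add `// --no-cntlibs stops container-provided compat libs from replacing host driver libraries; requires a libnvidia-container build that supports the flag.` above the append. The same line survives as the default branch in [PATCH 2/3], so the comment applies there as well; doPrestart begins and ends outside the hunk.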
@@ -114,8 +114,9 @@ func doPrestart() {
 }
 args = append(args, "configure")
 
- args = append(args, "--no-cntlibs")
-
+ if !hook.Features.AllowCUDACompatLibsFromContainer.IsEnabled() {
+ args = append(args, "--no-cntlibs")
+ }
 if ldconfigPath := cli.NormalizeLDConfigPath(); ldconfigPath != "" {
 args = append(args, fmt.Sprintf("--ldconfig=%s", ldconfigPath))
 }
diff --git a/internal/config/features.go b/internal/config/features.go
index 396e0b8cd..0d5113988 100644
--- a/internal/config/features.go
+++ b/internal/config/features.go
@@ -18,6 +18,9 @@ package config
 
 // features specifies a set of named features.
 type features struct {
+ // AllowCUDACompatLibsFromContainer allows CUDA compat libs from a container
+ // to override certain driver library mounts from the host.
+ AllowCUDACompatLibsFromContainer *feature `toml:"allow-cuda-compat-libs-from-container,omitempty"`
 // AllowLDConfigFromContainer allows non-host ldconfig paths to be used.
 // If this feature flag is not set to 'true' only host-rooted config paths
 // (i.e. paths starting with an '@' are considered valid)

From 6b236746ce65ec7d4f2f67bbff3ee7ba81ca5142 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Wed, 15 Jan 2025 13:31:58 +0100
Subject: [PATCH 3/3] Bump libnvidia-container to f23e5e55

Signed-off-by: Evan Lezar
---
 third_party/libnvidia-container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/third_party/libnvidia-container b/third_party/libnvidia-container
index 16f37fcaf..f23e5e55e 160000
--- a/third_party/libnvidia-container
+++ b/third_party/libnvidia-container
@@ -1 +1 @@
-Subproject commit 16f37fcafcbdaf67525135104d60d98d36688ba9
+Subproject commit f23e5e55ea27b3680aef363436d4bcf7659e0bfc
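Review bot: The secure default in [PATCH 2/3]'s doPrestart hunk rests on `hook.Features.AllowCUDACompatLibsFromContainer.IsEnabled()` returning false when the key is absent, and the field added in internal/config/features.go is a `*feature` with `omitempty`, so it is presumably nil for most configs. IsEnabled is not visible on this page, so its behaviour on a nil receiver should be confirmed and pinned by a config test covering unset, false and true. I would also state the intent at the branch with `// Fail closed: --no-cntlibs is omitted only when the feature flag is explicitly enabled.` Logging once when the opt-in path is taken would let operators see from hook logs that the weaker setting is active. doPrestart starts and ends outside the hunk.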
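Review bot: The doc comment on `AllowCUDACompatLibsFromContainer` in the internal/config/features.go hunk does not state the default or what enabling the flag trusts. The neighbouring AllowLDConfigFromContainer comment spells out what happens when the flag is not set to 'true', and the commit description says this flag is an opt-in to the previous behaviour, so the same should be written on the field. I would append `// If this feature flag is not set to 'true', --no-cntlibs is passed to nvidia-container-cli` and `// and libraries supplied by the container image do not replace host driver libraries.` The struct continues past the end of the hunk.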