Switch to distroless Base image

[elezar]

This change switches to the nvcr.io/nvidia/distroless/go:v3.1.9-dev distroless go image for both the application image and the packaging image.

[coveralls]

Pull Request Test Coverage Report for Build 15753213707

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 33.644%

---

Totals
Change from base Build 15744214901:	0.0%
Covered Lines:	4366
Relevant Lines:	12977

---

💛 - Coveralls

[cdesiniotis]

Note, the shell included in the -dev tags is located at /busybox/sh. I would recommend creating a symlink at /bin/sh so that in the operator we can use #! /bin/sh as the shebang for the entrypoint script. By using /bin/sh we remain backwards compatible with older toolkit images that are not built on distroless. We have tested this with other operands, e.g. https://github.com/NVIDIA/k8s-kata-manager/blob/f58e4dad0695043a545b17e3e159e24828816a62/deployments/container/Dockerfile#L50-L51

Suggested change

	FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS application
	FROM nvcr.io/nvidia/distroless/go:v3.1.9-dev AS application
	SHELL ["/busybox/sh", "-c"]
	RUN ln -s /busybox/sh /bin/sh

[cdesiniotis]

Also, should we explicitly set USER 0:0 in the Dockerfile as the default user in distroless is uid 1000? I assume the toolkit requires running as root (for restarting containerd).

[elezar]

Thanks for the shell tip. Will update.

I'm not sure on the user preference. Does the GPU Operator not set the user in general? Would using the current user (USER 1000:1000) not be more "compliant"?

[elezar]

I've updated the user to 0:0 below.

[cdesiniotis]

I'm not sure on the user preference. Does the GPU Operator not set the user in general? Would using the current user (USER 1000:1000) not be more "compliant"?

The GPU Operator does not explicitly set the runAsUser / runAsGroup fields when deploying Daemonsets, so we currently depend on the user / group defined in the image itself.

[cdesiniotis]

I have performed a quick sanity check of the toolkit image built in this PR. Looks good.

Besides having to change the entrypoint script to be a POSIX shell script (and not bash), I also had to change https://github.com/NVIDIA/gpu-operator/blob/6324d2aca562edf46d93cbf9d2a0837ab5c12e59/assets/state-container-toolkit/0400_configmap.yaml#L34 from

exec nvidia-toolkit

to

exec nvidia-ctk-installer

I see the name of the executable has changed. This is a breaking change that will need to be made when we bump the version of the toolkit to 1.18.0 in the GPU Operator.

[cdesiniotis]

I have raised NVIDIA/gpu-operator#1496 which updates our entrypoint scripts in the operator to use sh instead of bash.

[elezar]

I think we can include an nvidia-toolkit symlink so that we maintain backward compatibility.

Also on:

I've updated the user to 0:0 below.

I had to set the user before we create the /bin/sh symlink since the default user doesn't have permissions to write to /bin.

[elezar]

I have updated the image to include a /work/nvidia-toolkit -> /work/nvidia-ctk-installer symlink. This should allow compatibility with the GPU Operator.

[cdesiniotis]

Thanks!