Provide all available pkcs11 userspace binaries for container consumption
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
nvidia-graphics-drivers-535 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
New
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned | ||
Mantic |
Fix Released
|
Undecided
|
Unassigned | ||
Noble |
Fix Released
|
Undecided
|
Unassigned | ||
nvidia-graphics-drivers-535-server (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
New
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned | ||
Mantic |
Fix Released
|
Undecided
|
Unassigned | ||
Noble |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[ Impact ]
* NVIDIA ERD drivers provide userspace libraries for consumption.
* One of them is pkcs11 plugin compiled against openssl v3 or openssl v1.1 abi
* A host system only needs one of them, that matches the host os OpenSSL ABI
* However, if a given host system launches containers of a different releases series, it may require the other abi pkcs11 plugin.
* It is common to pass userspace libraries from host to container guest (i.e. docker, k8s, lxd all have tooling to do so).
* Thus to better support running ancient and obsolete containers on modern hostos; or vice versa run modern containers on ancient hostos; ship both variants of the library always in the ERD drivers.
* Most urgently this affects the longterm ERD driver production branch 535-server
* Shipping this update as packaging revision only, allows releasing this update without rebuilding LRM packages.
[ Test Plan ]
* Observe that ERD driver packages ship all available libnvidia-
* Check that launching a docker container with userspace libraries passthrough results in both available in the guest
* Ensuring that matching libssl/libcrypto is available in the guest container, remains exercise for the container operator.
[ Where problems could occur ]
* Lintian warnings will be generated w.r.t. missing library dependencies
* One must ensure shlib dependency is not generated for the other library, as those will not be satisfied.
[ Other Info ]
* All other projects that try to be universal against multiple openssl ABIs typically use dlopen and make appropriate function calls from a single library build. I encourage NVIDIA upstream to adapt this strategy. A C language example of achieving this, licensed under MIT license, is available here https:/
Changed in nvidia-graphics-drivers-535-server (Ubuntu Noble): | |
status: | New → Fix Committed |
Changed in nvidia-graphics-drivers-535-server (Ubuntu Mantic): | |
status: | New → In Progress |
Changed in nvidia-graphics-drivers-535-server (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in nvidia-graphics-drivers-535-server (Ubuntu Focal): | |
status: | New → In Progress |
Hello Dimitri, or anyone else affected,
Accepted nvidia- graphics- drivers- 535-server into mantic-proposed. The package will build now and be available at https:/ /launchpad. net/ubuntu/ +source/ nvidia- graphics- drivers- 535-server/ 535.154. 05-0ubuntu0. 23.10.2 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification- needed- mantic to verification- done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed- mantic. In either case, without details of your testing we will not be able to proceed.
Further information regarding the verification process can be found at https:/ /wiki.ubuntu. com/QATeam/ PerformingSRUVe rification . Thank you in advance for helping!
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.