containerd · elezar · Jun 7, 2023 · Jul 16, 2024 · Feb 28, 2025 · AkihiroSuda
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -350,6 +350,11 @@ jobs:
         run: |
           sudo apt-get install -y expect
           go install -v gotest.tools/gotestsum@v1
+      - name: Enable CDI in the Docker daemon.
+        run: |
+          sudo mkdir -p /etc/docker
+          echo '{ "features": {"cdi": true} }' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
       - name: "Ensure that the integration test suite is compatible with Docker"
         run: WITH_SUDO=true ./hack/test-integration.sh -test.target=docker
       - name: "Ensure that the IPv6 integration test suite is compatible with Docker"

diff --git a/cmd/nerdctl/container/container_create.go b/cmd/nerdctl/container/container_create.go
@@ -21,6 +21,7 @@ import (
 	"runtime"
 
 	"github.com/spf13/cobra"
+	cdi "tags.cncf.io/container-device-interface/pkg/parser"
 
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/helpers"
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
@@ -211,10 +212,18 @@ func processContainerCreateOptions(cmd *cobra.Command) (types.ContainerCreateOpt
 	if err != nil {
 		return opt, err
 	}
-	opt.Device, err = cmd.Flags().GetStringSlice("device")
+
+	allDevices, err := cmd.Flags().GetStringSlice("device")
 	if err != nil {
 		return opt, err
 	}
+	for _, device := range allDevices {
+		if cdi.IsQualifiedName(device) {
+			opt.CDIDevices = append(opt.CDIDevices, device)
+			continue
+		}
+		opt.Device = append(opt.Device, device)
+	}
 	// #endregion
 
 	// #region for intel RDT flags
@@ -431,6 +440,9 @@ func createAction(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
+	if len(createOpt.CDIDevices) > 0 && !createOpt.GOptions.Experimental {
+		return fmt.Errorf("specifying CDI devices in the device flag requires experimental mode to be enabled")
+	}
 
 	if (createOpt.Platform == "windows" || createOpt.Platform == "freebsd") && !createOpt.GOptions.Experimental {
 		return fmt.Errorf("%s requires experimental mode to be enabled", createOpt.Platform)

diff --git a/cmd/nerdctl/container/container_run_linux_test.go b/cmd/nerdctl/container/container_run_linux_test.go
@@ -646,3 +646,20 @@ func TestPortBindingWithCustomHost(t *testing.T) {
 
 	testCase.Run(t)
 }
+
+func TestRunDeviceCDI(t *testing.T) {
+	// Although CDI injection is supported by Docker, specifying the --cdi-spec-dirs on the command line is not.
+	testutil.DockerIncompatible(t)
+	cwd, err := os.Getwd()
+	assert.NilError(t, err)
+	cdiSpecDir := filepath.Join(cwd, "testdata", "cdi")
+
+	base := testutil.NewBase(t)
+	containerName := testutil.Identifier(t)
+	defer base.Cmd("rm", "-f", containerName).AssertOK()
+	base.Cmd("--cdi-spec-dirs", cdiSpecDir, "run",
+		"--rm",
+		"--device", "vendor1.com/device=foo",
+		testutil.AlpineImage, "env",
+	).AssertOutContains("FOO=injected")
+}
diff --git a/cmd/nerdctl/helpers/flagutil.go b/cmd/nerdctl/helpers/flagutil.go
@@ -107,6 +107,11 @@ func ProcessRootCmdFlags(cmd *cobra.Command) (types.GlobalCommandOptions, error)
 	if err != nil {
 		return types.GlobalCommandOptions{}, err
 	}
+	cdiSpecDirs, err := cmd.Flags().GetStringSlice("cdi-spec-dirs")
+	if err != nil {
+		return types.GlobalCommandOptions{}, err
+	}
+
 	return types.GlobalCommandOptions{
 		Debug:            debug,
 		DebugFull:        debugFull,
@@ -123,6 +128,7 @@ func ProcessRootCmdFlags(cmd *cobra.Command) (types.GlobalCommandOptions, error)
 		HostGatewayIP:    hostGatewayIP,
 		BridgeIP:         bridgeIP,
 		KubeHideDupe:     kubeHideDupe,
+		CDISpecDirs:      cdiSpecDirs,
 	}, nil
 }
 

diff --git a/cmd/nerdctl/main.go b/cmd/nerdctl/main.go
@@ -186,6 +186,7 @@ func initRootCmdFlags(rootCmd *cobra.Command, tomlPath string) (*pflag.FlagSet,
 	helpers.AddPersistentStringFlag(rootCmd, "host-gateway-ip", nil, nil, nil, aliasToBeInherited, cfg.HostGatewayIP, "NERDCTL_HOST_GATEWAY_IP", "IP address that the special 'host-gateway' string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host")
 	helpers.AddPersistentStringFlag(rootCmd, "bridge-ip", nil, nil, nil, aliasToBeInherited, cfg.BridgeIP, "NERDCTL_BRIDGE_IP", "IP address for the default nerdctl bridge network")
 	rootCmd.PersistentFlags().Bool("kube-hide-dupe", cfg.KubeHideDupe, "Deduplicate images for Kubernetes with namespace k8s.io")
+	rootCmd.PersistentFlags().StringSlice("cdi-spec-dirs", cfg.CDISpecDirs, "The directories to search for CDI spec files. Defaults to /etc/cdi,/var/run/cdi")
 	return aliasToBeInherited, nil
 }
 

diff --git a/cmd/nerdctl/testdata/cdi/vendor1.yaml b/cmd/nerdctl/testdata/cdi/vendor1.yaml
@@ -0,0 +1,7 @@
+cdiVersion: "0.3.0"
+kind: "vendor1.com/device"
+devices:
+- name: foo
+  containerEdits:
+    env:
+    - FOO=injected
diff --git a/docs/config.md b/docs/config.md
@@ -47,6 +47,7 @@ experimental   = true
 | `host_gateway_ip`   | `--host-gateway-ip`                | `NERDCTL_HOST_GATEWAY_IP` | IP address that the special 'host-gateway' string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host | Since 1.3.0      |
 | `bridge_ip`         | `--bridge-ip`                      | `NERDCTL_BRIDGE_IP`       | IP address for the default nerdctl bridge network, e.g., 10.1.100.1/24                                                                                           | Since 2.0.1      |
 | `kube_hide_dupe`    | `--kube-hide-dupe`                 |                           | Deduplicate images for Kubernetes with namespace k8s.io, no more redundant <none> ones are displayed    | Since 2.0.3      |
+| `cdi_spec_dirs`     | `--cdi-spec-dirs`                   |                          | The folders to use when searching for CDI specifications.| experimental |
 
 The properties are parsed in the following precedence:
 1. CLI flag

diff --git a/go.mod b/go.mod
@@ -10,9 +10,10 @@ require (
 	github.com/containerd/accelerated-container-image v1.3.0
 	github.com/containerd/cgroups/v3 v3.0.5
 	github.com/containerd/console v1.0.4
+	github.com/containerd/containerd v1.7.23
 	github.com/containerd/containerd/api v1.8.0
-	github.com/containerd/containerd/v2 v2.0.2
-	github.com/containerd/continuity v0.4.5
+	github.com/containerd/containerd/v2 v2.0.0
+	github.com/containerd/continuity v0.4.4
 	github.com/containerd/errdefs v1.0.0
 	github.com/containerd/fifo v1.1.0
 	github.com/containerd/go-cni v1.1.12
@@ -68,6 +69,7 @@ require (
 	golang.org/x/text v0.22.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.2
+	tags.cncf.io/container-device-interface v0.8.1
 )
 
 require (
@@ -140,7 +142,6 @@ require (
 	google.golang.org/protobuf v1.36.2 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
-	tags.cncf.io/container-device-interface v0.8.0 // indirect
 	tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
 )
 

diff --git a/go.sum b/go.sum
@@ -31,12 +31,14 @@ github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJ
 github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
 github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
+github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ=
+github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
-github.com/containerd/containerd/v2 v2.0.2 h1:GmH/tRBlTvrXOLwSpWE2vNAm8+MqI6nmxKpKBNKY8Wc=
-github.com/containerd/containerd/v2 v2.0.2/go.mod h1:wIqEvQ/6cyPFUGJ5yMFanspPabMLor+bF865OHvNTTI=
-github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
-github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/containerd/v2 v2.0.0 h1:qLDdFaAykQrIyLiqwQrNLLz95wiC36bAZVwioUwqShM=
+github.com/containerd/containerd/v2 v2.0.0/go.mod h1:j25kDy9P48/ngb1sxWIFfK6GsnqOHoSqo1EpAod20VQ=
+github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
+github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
@@ -510,7 +512,7 @@ lukechampine.com/blake3 v1.3.0 h1:sJ3XhFINmHSrYCgl958hscfIa3bw8x4DqMP3u1YvoYE=
 lukechampine.com/blake3 v1.3.0/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
-tags.cncf.io/container-device-interface v0.8.0 h1:8bCFo/g9WODjWx3m6EYl3GfUG31eKJbaggyBDxEldRc=
-tags.cncf.io/container-device-interface v0.8.0/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
+tags.cncf.io/container-device-interface v0.8.1 h1:c0jN4Mt6781jD67NdPajmZlD1qrqQyov/Xfoab37lj0=
+tags.cncf.io/container-device-interface v0.8.1/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
 tags.cncf.io/container-device-interface/specs-go v0.8.0 h1:QYGFzGxvYK/ZLMrjhvY0RjpUavIn4KcmRmVP/JjdBTA=
 tags.cncf.io/container-device-interface/specs-go v0.8.0/go.mod h1:BhJIkjjPh4qpys+qm4DAYtUyryaTDg9zris+AczXyws=
diff --git a/pkg/api/types/container_types.go b/pkg/api/types/container_types.go
@@ -148,6 +148,8 @@ type ContainerCreateOptions struct {
 	CgroupParent string
 	// Device specifies add a host device to the container
 	Device []string
+	// CDIDevices specifies the CDI devices to add to the container
+	CDIDevices []string
 	// #endregion
 
 	// #region for intel RDT flags

diff --git a/pkg/cmd/container/create.go b/pkg/cmd/container/create.go
@@ -124,6 +124,8 @@
 	}
 	opts = append(opts, platformOpts...)
 
+	opts = append(opts, withCDIDevices(options.GOptions.CDISpecDirs, options.CDIDevices...))
+
 	if _, err := referenceutil.Parse(args[0]); errors.Is(err, referenceutil.ErrLoadOCIArchiveRequired) {
 		imageRef := args[0]
 

diff --git a/pkg/cmd/container/run_cdi.go b/pkg/cmd/container/run_cdi.go
@@ -0,0 +1,64 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package container
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/containerd/containerd/containers"
+	"github.com/containerd/containerd/oci"
+	"github.com/containerd/log"
+	"tags.cncf.io/container-device-interface/pkg/cdi"
+)
+
+// withCDIDevices creates the OCI runtime spec options for injecting CDI devices.
+// Two options are returned: The first ensures that the CDI registry is initialized with
+// refresh disabled, and the second injects the devices into the container.
+func withCDIDevices(cdiSpecDirs []string, devices ...string) oci.SpecOpts {
+	return func(ctx context.Context, _ oci.Client, c *containers.Container, s *oci.Spec) error {
+		if len(devices) == 0 {
+			return nil
+		}
+
+		// We configure the CDI registry with the configured spec dirs and disable refresh.
+		cdi.Configure(
+			cdi.WithSpecDirs(cdiSpecDirs...),
+			cdi.WithAutoRefresh(false),
+		)
+
+		// TODO: Call oci.WithCDIDevices(devices...) here once the dependencies have been updated.
+		if err := cdi.Refresh(); err != nil {
+			// We don't consider registry refresh failure a fatal error.
+			// For instance, a dynamically generated invalid CDI Spec file for
+			// any particular vendor shouldn't prevent injection of devices of
+			// different vendors. CDI itself knows better and it will fail the
+			// injection if necessary.
+			log.G(ctx).Warnf("CDI registry refresh failed: %v", err)
+		}
+
+		if _, err := cdi.InjectDevices(s, devices...); err != nil {
+			return fmt.Errorf("CDI device injection failed: %w", err)
+		}
+
+		// One crucial thing to keep in mind is that CDI device injection
+		// might add OCI Spec environment variables, hooks, and mounts as
+		// well. Therefore it is important that none of the corresponding
+		// OCI Spec fields are reset up in the call stack once we return.
+		return nil
+	}
+}
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -41,6 +41,8 @@ type Config struct {
 	HostGatewayIP    string   `toml:"host_gateway_ip"`
 	BridgeIP         string   `toml:"bridge_ip, omitempty"`
 	KubeHideDupe     bool     `toml:"kube_hide_dupe"`
+	// CDISpecDirs is a list of directories in which CDI specifications can be found.
+	CDISpecDirs []string `toml:"cdi_spec_dirs,omitempty"`
 }
 
 // New creates a default Config object statically,
@@ -61,5 +63,6 @@ func New() *Config {
 		Experimental:     true,
 		HostGatewayIP:    ncdefaults.HostGatewayIP(),
 		KubeHideDupe:     false,
+		CDISpecDirs:      []string{"/etc/cdi", "/var/run/cdi"},
 	}
 }