** Also affects: nvidia-graphics-drivers-535 (Ubuntu)
   Importance: Undecided
       Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to nvidia-graphics-drivers-535-server in
Ubuntu.
https://bugs.launchpad.net/bugs/2052967

Title:
  Provide all available pkcs11 userspace binaries for container
  consumption

Status in nvidia-graphics-drivers-535 package in Ubuntu:
  New
Status in nvidia-graphics-drivers-535-server package in Ubuntu:
  Fix Committed
Status in nvidia-graphics-drivers-535 source package in Bionic:
  New
Status in nvidia-graphics-drivers-535-server source package in Bionic:
  New
Status in nvidia-graphics-drivers-535 source package in Focal:
  New
Status in nvidia-graphics-drivers-535-server source package in Focal:
  Fix Committed
Status in nvidia-graphics-drivers-535 source package in Jammy:
  New
Status in nvidia-graphics-drivers-535-server source package in Jammy:
  Fix Committed
Status in nvidia-graphics-drivers-535 source package in Mantic:
  New
Status in nvidia-graphics-drivers-535-server source package in Mantic:
  Fix Committed
Status in nvidia-graphics-drivers-535 source package in Noble:
  New
Status in nvidia-graphics-drivers-535-server source package in Noble:
  Fix Committed

Bug description:
  [ Impact ]

   * NVIDIA ERD drivers provide userspace libraries for consumption.

   * One of them is a pkcs11 plugin compiled against the openssl v3 or
     openssl v1.1 ABI.

   * A host system only needs one of them, the one that matches the host
     OS OpenSSL ABI.

   * However, if a given host system launches containers of a different
     release series, it may require the other ABI pkcs11 plugin.

   * It is common to pass userspace libraries from host to container
     guest (i.e. docker, k8s, lxd all have tooling to do so).

   * Thus, to better support running ancient and obsolete containers on
     a modern host OS, or vice versa running modern containers on an
     ancient host OS, always ship both variants of the library in the
     ERD drivers.

   * Most urgently this affects the long-term ERD driver production
     branch 535-server.

   * Shipping this update as a packaging revision only allows releasing
     this update without rebuilding LRM packages.

  [ Test Plan ]

   * Observe that ERD driver packages ship all available
     libnvidia-pkcs11-openssl*.so* libraries.

   * Check that launching a docker container with userspace libraries
     passthrough results in both being available in the guest.

   * Ensuring that a matching libssl/libcrypto is available in the guest
     container remains an exercise for the container operator.

  [ Where problems could occur ]

   * Lintian warnings will be generated w.r.t. missing library
     dependencies.

   * One must ensure a shlib dependency is not generated for the other
     library, as those will not be satisfied.

  [ Other Info ]

   * All other projects that try to be universal against multiple
     openssl ABIs typically use dlopen and make appropriate function
     calls from a single library build. I encourage NVIDIA upstream to
     adopt this strategy. A C language example of achieving this,
     licensed under the MIT license, is available here:
     https://github.com/golang-fips/openssl
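
The single-build dlopen approach mentioned under [ Other Info ], as an added example that is not part of the bug report and is not code from NVIDIA or golang-fips/openssl: one binary probes for either libcrypto SONAME at run time and binds to whichever the host or guest provides. The names struct crypto_abi and crypto_abi_load are hypothetical.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wrapper type for this example. */
struct crypto_abi {
    void *handle;           /* dlopen() handle, NULL if nothing was loaded */
    const char *soname;     /* candidate that was bound */
    unsigned long version;  /* raw OpenSSL_version_num() value */
    int major;              /* 1 for the 1.1 ABI, 3 for the 3.x ABI */
};

/* Try each SONAME in order and bind to the first one that loads and exports
 * OpenSSL_version_num, a symbol present in both the 1.1 and 3.x ABIs.
 * Returns 0 on success, -1 if no candidate is usable. */
int crypto_abi_load(struct crypto_abi *abi, const char *const *sonames, size_t n)
{
    abi->handle = NULL; abi->soname = NULL; abi->version = 0; abi->major = 0;
    for (size_t i = 0; i < n; i++) {
        void *h = dlopen(sonames[i], RTLD_NOW | RTLD_LOCAL);
        if (h == NULL)
            continue;               /* this ABI is not installed here */
        unsigned long (*vernum)(void);
        *(void **)(&vernum) = dlsym(h, "OpenSSL_version_num");
        if (vernum == NULL) {       /* loaded, but not a supported libcrypto */
            dlclose(h);
            continue;
        }
        abi->handle = h;
        abi->soname = sonames[i];
        abi->version = vernum();
        abi->major = (int)((abi->version >> 28) & 0xf); /* top nibble = major */
        return 0;
    }
    return -1;
}

int main(void)
{
    /* Preference order: newest ABI first. */
    static const char *const candidates[] = { "libcrypto.so.3", "libcrypto.so.1.1" };
    struct crypto_abi abi;
    if (crypto_abi_load(&abi, candidates, 2) != 0) {
        fprintf(stderr, "no supported libcrypto found\n");
        return 1;
    }
    printf("bound to %s (major %d, 0x%lx)\n", abi.soname, abi.major, abi.version);
    dlclose(abi.handle);
    return 0;
}
```

On glibc older than 2.34, link with -ldl. Because nothing is linked against libcrypto at build time, no shlib dependency on either ABI is generated for the binary.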