NVIDIA / gpu-operator / 26115885474
29%
main: 29%

LAST BUILD BRANCH: release-26.3
DEFAULT BRANCH: main
Ran
Jobs 1
Files 57
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 28.318% (+0.03%) from 28.287%
26115885474

push

github

rajathagasthya 
Remove shell dependency from validator image

NVIDIA's distroless-cc `-dev` tag (the gpu-operator image base) will no
longer be approved as a STIG parent image. The non-`-dev` variant ships
no shell, so the validator pods and the operand-asset DaemonSet init
containers that wrap `nvidia-validator` (or use `until [-f X]; sleep`
file-wait loops) would break on the new base. Re-adding a shell to the
image would only swap one CVE source for another.

Replace shell wrappers with direct binary invocation:

- Operator-validator and sandbox-validator init containers invoke
  `nvidia-validator` directly. Pause containers use a new top-level
  `--sleep` flag that prints the validator-success message and blocks
  on SIGTERM. Workload pod main containers run `nvidia-validator
  --version` as a no-op exit-0; per-workload success now prints from
  `(c *CUDA).runWorkload` and `(p *Plugin).runWorkload` after the
  validation pod reaches `Succeeded`.

- Operand-asset init containers that previously polled for a
  validator-ready file via `until [-f X]; sleep 5; done` now use a new
  `--wait-for-file <path>` flag on `nvidia-validator`. Covers
  `toolkit-validation` across state-{dcgm,dcgm-exporter,device-plugin,
  mig-manager,mps-control-daemon}, gpu-feature-discovery, and the
  `vgpu-manager-validation` init in state-vgpu-device-manager.

- The conditional shell sequence in state-{kata,sandbox}-device-plugin
  ("wait for workload-type, skip if contents != expected, then wait
  for the component-ready file") is replaced by a companion
  `--workload-type-gate <expected>` flag.

- `state-container-toolkit/0500_daemonset.yaml`'s `driver-validation`
  init drops its `sh -c "nvidia-validator"` wrapper; the binary is
  invoked directly.

- `state-mig-manager`'s main container drops `/bin/sh -c
  /bin/entrypoint.sh` in favor of `nvidia-mig-manager` directly,
  picking up `WAIT_FOR_DRIVER_READY` and `DRIVER_ENV_FILE` env vars.
  The `nvidia-mig-manager-entrypoint` ConfigMap
  ... (continued)

27 of 132 new or added lines in 2 files covered. (20.45%)

2 existing lines in 1 file now uncovered.

3563 of 12582 relevant lines covered (28.32%)

0.32 hits per line

Uncovered Changes

Lines Coverage File
80
11.79
 1.88% cmd/nvidia-validator/main.go
25
0.0
 cmd/rmglob/main.go

Coverage Regressions

Lines Coverage File
2
11.79
 1.88% cmd/nvidia-validator/main.go
Jobs
ID Job ID Ran Files Coverage
1 26115885474.1 57
28.32
 GitHub Action Run
Source Files on build 26115885474