fix: build libnvidia-container without network access #49
- Add GOFLAGS=-mod=vendor to use the existing vendor directory in the source tree, eliminating Go module downloads during do_compile
- Fix nvidia-modprobe version mismatch: recipe fetched 550.40.07 via SRC_URI but the source Makefile expected 550.54.14. The old do_compile[network]=1 masked this by re-downloading at build time
- Apply nvidia-modprobe.patch in do_configure since we now skip the Makefile's curl-based download rule that previously applied it
- Remove do_compile[network] = "1"

Closes: #46
Pull request overview
Updates the Yocto libnvidia-container recipe to build reproducibly without requiring network access during do_compile, aligning with build isolation expectations in meta-nvidia.
Changes:
- Force Go builds to use vendored modules via `GOFLAGS=-mod=vendor` and remove `do_compile[network] = "1"`.
- Fix `nvidia-modprobe` source/version mismatch by updating `NVIDIA_MODPROBE_VERSION` and the pinned `SRCREV_modprobe`.
- Apply `mk/nvidia-modprobe.patch` during `do_configure` and mark the dependency as downloaded to avoid the upstream curl-based download rule.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `meta-nvidia/recipes-graphics/libnvidia-container/libnvidia-container_1.00.bb` | Enforces offline build behavior, applies the modprobe patch during configure, and removes networked compile. |
| `meta-nvidia/recipes-graphics/libnvidia-container/libnvidia-container.inc` | Aligns the fetched nvidia-modprobe revision with the version expected by the build. |
| cd ${S}/deps/src/nvidia-modprobe-${NVIDIA_MODPROBE_VERSION} | ||
| patch -p1 < ${S}/mk/nvidia-modprobe.patch | ||
| touch ${S}/deps/src/nvidia-modprobe-${NVIDIA_MODPROBE_VERSION}/.download_stamp |
do_configure:append() applies nvidia-modprobe.patch unconditionally. If the task is re-run (e.g., -c configure -f, sstate invalidation, or iterative dev builds), patch will typically fail with “Reversed (or previously applied) patch detected”, causing a hard build failure. Make the patch step idempotent (e.g., gate on a dedicated stamp file, or use patch --forward/--batch and handle the already-applied case) and only create the stamp after a successful apply.
| cd ${S}/deps/src/nvidia-modprobe-${NVIDIA_MODPROBE_VERSION} | |
| patch -p1 < ${S}/mk/nvidia-modprobe.patch | |
| touch ${S}/deps/src/nvidia-modprobe-${NVIDIA_MODPROBE_VERSION}/.download_stamp | |
| modprobe_src="${S}/deps/src/nvidia-modprobe-${NVIDIA_MODPROBE_VERSION}" | |
| cd ${modprobe_src} | |
| if [ ! -e ${modprobe_src}/.download_stamp ]; then | |
| patch -p1 < ${S}/mk/nvidia-modprobe.patch | |
| touch ${modprobe_src}/.download_stamp | |
| fi |
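Review bot: In the suggested replacement, the `if [ ! -e ${modprobe_src}/.download_stamp ]` guard makes `.download_stamp` carry two meanings at once: "dependency already downloaded" (its stated purpose, to avoid the upstream curl-based download rule) and "patch already applied". If that stamp is ever present on a tree that has not been patched, the patch is skipped silently and the build continues with unpatched sources. A dedicated marker for the patch step (for example a `.patch_applied` file, name only a suggestion) created right after `patch` succeeds would keep the two states separate, with `touch .download_stamp` left unconditional as in the original three lines. In the lines shown, `cd ${modprobe_src}` is only needed by `patch`, so it can move inside the `if` as well.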
Summary
- Add `GOFLAGS=-mod=vendor` to use the existing vendor directory in the source tree, eliminating Go module downloads during `do_compile`
- Fix nvidia-modprobe version mismatch: recipe fetched 550.40.07 via `SRC_URI` but the source Makefile expected 550.54.14 (the old `do_compile[network]=1` masked this by re-downloading at build time)
- Apply `nvidia-modprobe.patch` in `do_configure` since we now skip the Makefile's curl-based download rule
- Remove `do_compile[network] = "1"`

Test plan
- `bitbake libnvidia-container` builds successfully without network in `do_compile`
- build.sh guestimage build passes

Partially addresses #46 (libnvidia-container only; dstack-guest and dstack-sysbox are not feasible to fully offline, see comment on the issue)