From a4331425d46b9a01c3b7043123315e901bec2f7a Mon Sep 17 00:00:00 2001
From: Shivkumar Ople
Date: Sat, 9 May 2026 19:26:21 +0530
Subject: [PATCH] [vgpu-manager] support custom CA certificate injection at build time
Add an opt-in CUSTOM_CA_CERTS_DIR build arg to all four vGPU Manager Dockerfiles (rhel8, rhel9, ubuntu20.04, ubuntu22.04) and wire it through the Makefile build-vgpuhost-% target. Users behind a TLS-intercepting corporate proxy can drop *.crt files into vgpu-manager//certs/ and rebuild without editing the Dockerfile. The directory is empty by default, so out-of-the-box builds are unchanged.
Signed-off-by: Shivkumar Ople
---
Makefile | 6 ++++++
vgpu-manager/README.md | 28 +++++++++++++++++++++++++
vgpu-manager/rhel8/Dockerfile | 9 ++++++++
vgpu-manager/rhel8/certs/.gitkeep | 0
vgpu-manager/rhel9/Dockerfile | 9 ++++++++
vgpu-manager/rhel9/certs/.gitkeep | 0
vgpu-manager/ubuntu20.04/Dockerfile | 9 ++++++++
vgpu-manager/ubuntu20.04/certs/.gitkeep | 0
vgpu-manager/ubuntu22.04/Dockerfile | 9 ++++++++
vgpu-manager/ubuntu22.04/certs/.gitkeep | 0
10 files changed, 70 insertions(+)
create mode 100644 vgpu-manager/rhel8/certs/.gitkeep
create mode 100644 vgpu-manager/rhel9/certs/.gitkeep
create mode 100644 vgpu-manager/ubuntu20.04/certs/.gitkeep
create mode 100644 vgpu-manager/ubuntu22.04/certs/.gitkeep
diff --git a/Makefile b/Makefile
index ee633db42..8f5be436f 100644
--- a/Makefile
+++ b/Makefile
@@ -276,6 +276,11 @@ push-vgpuguest-%: DIST = $(word 3,$(subst -, ,$@))
 # The vGPU host driver .run file is assumed to be present in the $SUBDIR/drivers/ directory.
 # VGPU_HOST_DRIVER_VERSION must be defined in the environment when invoking this target.
 VGPU_HOST_DRIVER_VERSION ?= ""
+# CUSTOM_CA_CERTS_DIR is the path (relative to the build context
+# vgpu-manager/$(SUBDIR)) of a directory containing custom CA certificates to
+# trust at build time. Default is "certs", an empty directory shipped in the
+# repo so the COPY in the Dockerfile is a no-op out of the box.
+CUSTOM_CA_CERTS_DIR ?= certs
 build-vgpuhost-%: $(if $(VGPU_HOST_DRIVER_VERSION),,$(error "VGPU_HOST_DRIVER_VERSION is not set"))
 build-vgpuhost-%: DRIVER_VERSION := $(VGPU_HOST_DRIVER_VERSION)
 build-vgpuhost-%: DRIVER_BRANCH = $(word 1,$(subst ., ,${DRIVER_VERSION}))
@@ -297,6 +302,7 @@ $(VGPU_HOST_DRIVER_BUILD_TARGETS):
 --build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
 --build-arg CVE_UPDATES="$(CVE_UPDATES)" \
 --build-arg CUDA_VERSION="$(CUDA_VERSION)" \
+ --build-arg CUSTOM_CA_CERTS_DIR="$(CUSTOM_CA_CERTS_DIR)" \
 $(DOCKER_BUILD_ARGS) \
 --file $(DOCKERFILE) \
 $(CURDIR)/vgpu-manager/$(SUBDIR)
diff --git a/vgpu-manager/README.md b/vgpu-manager/README.md
index 4d01a426f..230ecd65d 100644
--- a/vgpu-manager/README.md
+++ b/vgpu-manager/README.md
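Review bot: An explicit empty override (`make build-vgpuhost-rhel9 CUSTOM_CA_CERTS_DIR=`) is forwarded unchanged as `--build-arg CUSTOM_CA_CERTS_DIR=""`, and the Dockerfiles' `COPY ${CUSTOM_CA_CERTS_DIR}/` then degenerates to `COPY /`, placing the entire build context — including the vGPU driver `.run` file — into the system trust-anchor directory before `update-ca-trust`/`update-ca-certificates` runs over it; `?=` only covers the unset case, not the empty one. Paths escaping the context (`../`) are already refused by Docker, so only the empty value needs a guard here. I'd add a parse-time check next to the default, `ifeq ($(strip $(CUSTOM_CA_CERTS_DIR)),)` / `$(error CUSTOM_CA_CERTS_DIR must not be empty)` / `endif`, which is acceptable since nothing but this target consumes the variable. The comment should also say that the default directory is not strictly empty: it carries a `.gitkeep` placeholder that the `COPY` will ship into the trust-anchor directory as well.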
@@ -56,3 +56,31 @@ $ docker build \
 --build-arg CUDA_VERSION=${CUDA_VERSION} \
 -t ${PRIVATE_REGISTRY}/vgpu-manager:${VERSION}-${OS_TAG} .
 ```
+
+### Building behind a TLS-intercepting (MITM) proxy
+
+If your build environment sits behind a corporate proxy that intercepts TLS
+connections with a private CA, package manager steps (``dnf``/``yum`` on RHEL,
+``apt`` on Ubuntu) will fail with SSL certificate verification errors.
+
+To trust additional CAs at build time, drop one or more PEM-encoded
+``*.crt`` files into the ``certs/`` directory inside the OS-specific build
+context (``vgpu-manager//certs/``) and rebuild — no Dockerfile edits
+required. The directory is empty by default, so the trust update is a no-op
+when no certificates are provided.
+
+Example:
+
+```
+$ cp /path/to/CorporateRootCA.crt vgpu-manager//certs/
+$ docker build \
+ --build-arg DRIVER_VERSION=${VERSION} \
+ --build-arg CUDA_VERSION=${CUDA_VERSION} \
+ -t ${PRIVATE_REGISTRY}/vgpu-manager:${VERSION}-${OS_TAG} \
+ vgpu-manager/
+```
+
+To use a directory other than ``certs/``, override the ``CUSTOM_CA_CERTS_DIR``
+build arg with a path relative to the build context. When invoking the
+top-level ``Makefile`` ``build-vgpuhost-`` target, set the
+``CUSTOM_CA_CERTS_DIR`` make variable to the same effect.
diff --git a/vgpu-manager/rhel8/Dockerfile b/vgpu-manager/rhel8/Dockerfile
index ae8e731a0..67f0af09b 100644
--- a/vgpu-manager/rhel8/Dockerfile
+++ b/vgpu-manager/rhel8/Dockerfile
@@ -5,6 +5,15 @@ ENV DRIVER_VERSION=$DRIVER_VERSION
 ARG DRIVER_ARCH=x86_64
 ENV DRIVER_ARCH=$DRIVER_ARCH
+# Optional: inject custom CA certificates so package managers (dnf/yum) can
+# verify TLS when building behind a corporate MITM proxy. Drop one or more
+# *.crt files into the build context's "certs/" directory (the default), or
+# override CUSTOM_CA_CERTS_DIR with a path to a different directory inside
+# the build context. When the directory is empty, this is a no-op.
+ARG CUSTOM_CA_CERTS_DIR=certs
+COPY ${CUSTOM_CA_CERTS_DIR}/ /etc/pki/ca-trust/source/anchors/
+RUN update-ca-trust
+
 RUN mkdir -p /driver
 WORKDIR /driver
 COPY NVIDIA-Linux-${DRIVER_ARCH}-${DRIVER_VERSION}-vgpu-kvm.run .
diff --git a/vgpu-manager/rhel8/certs/.gitkeep b/vgpu-manager/rhel8/certs/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/vgpu-manager/rhel9/Dockerfile b/vgpu-manager/rhel9/Dockerfile
index e620a758f..0c179f160 100644
--- a/vgpu-manager/rhel9/Dockerfile
+++ b/vgpu-manager/rhel9/Dockerfile
@@ -18,6 +18,15 @@ ENV DRIVER_VERSION=$DRIVER_VERSION
 ARG DRIVER_ARCH=x86_64
 ENV DRIVER_ARCH=$DRIVER_ARCH
+# Optional: inject custom CA certificates so package managers (dnf/yum) can
+# verify TLS when building behind a corporate MITM proxy. Drop one or more
+# *.crt files into the build context's "certs/" directory (the default), or
+# override CUSTOM_CA_CERTS_DIR with a path to a different directory inside
+# the build context. When the directory is empty, this is a no-op.
+ARG CUSTOM_CA_CERTS_DIR=certs
+COPY ${CUSTOM_CA_CERTS_DIR}/ /etc/pki/ca-trust/source/anchors/
+RUN update-ca-trust
+
 RUN mkdir -p /driver
 WORKDIR /driver
 COPY NVIDIA-Linux-${DRIVER_ARCH}-${DRIVER_VERSION}-vgpu-kvm.run .
diff --git a/vgpu-manager/rhel9/certs/.gitkeep b/vgpu-manager/rhel9/certs/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/vgpu-manager/ubuntu20.04/Dockerfile b/vgpu-manager/ubuntu20.04/Dockerfile
index ded5b1250..1270b9961 100644
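Review bot: The anchors copied into `/etc/pki/ca-trust/source/anchors/` are never removed, so if this stage is what gets pushed (the driver `.run` is installed in the same stage, and no later `FROM` is visible here) a corporate TLS-interception root CA added to get past the proxy stays permanently trusted by every TLS client that later runs inside the container — much broader than the "at build time" trust the comment describes, and it also discloses which CA the build environment trusts to anyone who pulls the image. Once the package steps that need the proxy have run, drop the anchors and regenerate the bundle with a final `RUN rm -f /etc/pki/ca-trust/source/anchors/* && update-ca-trust`, or move the install into a separate build stage; the certificate will still exist in an earlier layer, which is tolerable for a public CA certificate but worth saying out loud. The same applies to the rhel9 and both Ubuntu Dockerfiles in this patch. I'd also state it in the comment: `# NOTE: anchors copied here remain trusted in the final image unless removed at the end of the build.`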
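Review bot: `COPY ${CUSTOM_CA_CERTS_DIR}/ …` in the rhel9 hunk behaves badly when the build arg is supplied empty (`--build-arg CUSTOM_CA_CERTS_DIR=`, which the Makefile forwards verbatim): the source becomes `/`, i.e. the whole build context including the driver `.run`, copied into the trust-anchor directory and then handed to `update-ca-trust`. The Dockerfile default-substitution form makes an empty value fall back instead of expanding to nothing: `COPY ${CUSTOM_CA_CERTS_DIR:-certs}/ /etc/pki/ca-trust/source/anchors/`. Separately, the default directory is not empty as the comment says — the `.gitkeep` placeholder is copied into `anchors/` too; I believe `update-ca-trust` skips files it cannot parse, but please confirm with a default build, or remove it before the `RUN update-ca-trust` so the "no-op" claim holds literally.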
--- a/vgpu-manager/ubuntu20.04/Dockerfile
+++ b/vgpu-manager/ubuntu20.04/Dockerfile
@@ -5,6 +5,15 @@ ENV DRIVER_VERSION=$DRIVER_VERSION
 ARG DRIVER_ARCH=x86_64
 ENV DRIVER_ARCH=$DRIVER_ARCH
+# Optional: inject custom CA certificates so apt can verify TLS when building
+# behind a corporate MITM proxy. Drop one or more *.crt files into the build
+# context's "certs/" directory (the default), or override CUSTOM_CA_CERTS_DIR
+# with a path to a different directory inside the build context. When the
+# directory is empty, this is a no-op.
+ARG CUSTOM_CA_CERTS_DIR=certs
+COPY ${CUSTOM_CA_CERTS_DIR}/ /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 # Remove cuda repository to avoid GPG errors
 RUN rm /etc/apt/sources.list.d/cuda.list
diff --git a/vgpu-manager/ubuntu20.04/certs/.gitkeep b/vgpu-manager/ubuntu20.04/certs/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/vgpu-manager/ubuntu22.04/Dockerfile b/vgpu-manager/ubuntu22.04/Dockerfile
index 2ea043a33..a4730582a 100644
--- a/vgpu-manager/ubuntu22.04/Dockerfile
+++ b/vgpu-manager/ubuntu22.04/Dockerfile
@@ -5,6 +5,15 @@ ENV DRIVER_VERSION=$DRIVER_VERSION
 ARG DRIVER_ARCH=x86_64
 ENV DRIVER_ARCH=$DRIVER_ARCH
+# Optional: inject custom CA certificates so apt can verify TLS when building
+# behind a corporate MITM proxy. Drop one or more *.crt files into the build
+# context's "certs/" directory (the default), or override CUSTOM_CA_CERTS_DIR
+# with a path to a different directory inside the build context. When the
+# directory is empty, this is a no-op.
+ARG CUSTOM_CA_CERTS_DIR=certs
+COPY ${CUSTOM_CA_CERTS_DIR}/ /usr/local/share/ca-certificates/
+RUN update-ca-certificates
+
 # Remove cuda repository to avoid GPG errors
 RUN rm /etc/apt/sources.list.d/cuda*.list
diff --git a/vgpu-manager/ubuntu22.04/certs/.gitkeep b/vgpu-manager/ubuntu22.04/certs/.gitkeep
new file mode 100644
index 000000000..e69de29bb
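Review bot: `update-ca-certificates` only imports files under `/usr/local/share/ca-certificates/` whose name ends in `.crt`, so a user who drops in `corp-ca.pem` — the extension most corporate CA exports use — gets no error from this step and the build simply keeps failing on apt's TLS verification; the same rule is what makes the copied `.gitkeep` harmless here. The hunk comment names `*.crt` but not the consequence, so I'd make it explicit: `# NOTE: update-ca-certificates only picks up files ending in .crt; .pem files are silently ignored.` Separately, the certificates remain in the shipped image's trust store (the driver install runs in this same stage as far as the hunk shows), so every TLS connection from the running container trusts the interception CA unless they are cleared at the end of the build, e.g. `RUN rm -f /usr/local/share/ca-certificates/* && update-ca-certificates --fresh`.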
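Review bot: In the ubuntu22.04 hunk, `COPY ${CUSTOM_CA_CERTS_DIR}/ /usr/local/share/ca-certificates/` expands to `COPY / …` when the build arg is passed empty (the Makefile forwards `CUSTOM_CA_CERTS_DIR=` unchanged), which silently copies the whole build context — the multi-hundred-megabyte driver `.run` included — into the image; because `update-ca-certificates` ignores non-`.crt` files the build still succeeds, so nothing flags the bloat. Fall back to the default on an empty value with `COPY ${CUSTOM_CA_CERTS_DIR:-certs}/ /usr/local/share/ca-certificates/`. The rhel8, rhel9 and ubuntu20.04 hunks have the identical `COPY` and need the same fix.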