Public bug reported:

[ Impact ]

 * NVIDIA ERD drivers provide userspace libraries for consumption.
 * One of them is a pkcs11 plugin compiled against the openssl v3 or openssl v1.1 ABI.
 * A host system only needs one of them, the one that matches the host OS OpenSSL ABI.
 * However, if a given host system launches containers of a different release series, it may require the other ABI's pkcs11 plugin.
 * It is common to pass userspace libraries from host to container guest (i.e. docker, k8s, lxd all have tooling to do so).
 * Thus, to better support running ancient and obsolete containers on a modern host OS, or vice versa running modern containers on an ancient host OS, always ship both variants of the library in the ERD drivers.
 * Most urgently this affects the long-term ERD driver production branch 535-server.
 * Shipping this update as a packaging revision only allows releasing this update without rebuilding LRM packages.

[ Test Plan ]

 * Observe that ERD driver packages ship all available libnvidia-pkcs11-openssl*.so* libraries.
 * Check that launching a docker container with userspace libraries passthrough results in both being available in the guest.
 * Ensuring that a matching libssl/libcrypto is available in the guest container remains an exercise for the container operator.

[ Where problems could occur ]

 * Lintian warnings will be generated w.r.t. missing library dependencies.
 * One must ensure a shlib dependency is not generated for the other library, as those will not be satisfied.

[ Other Info ]
 
 * All other projects that try to be universal against multiple openssl ABIs typically use dlopen and make appropriate function calls from a single library build. I encourage NVIDIA upstream to adopt this strategy. A C language example of achieving this, licensed under the MIT license, is available here: https://github.com/golang-fips/openssl
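
The dlopen strategy mentioned under Other Info, sketched as an added example (not part of the original report, and not code from NVIDIA or golang-fips/openssl). It assumes the usual libcrypto SONAMEs for the two ABIs; the helper names are hypothetical.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned long (*version_num_fn)(void);
typedef const void *(*evp_sha256_fn)(void);
typedef int (*md_size_fn)(const void *md);

/* Assumed SONAMEs of the two ABIs named in the report, newest first. */
static const char *const LIBCRYPTO_SONAMES[] = {
    "libcrypto.so.3", "libcrypto.so.1.1", NULL
};

/* dlopen the first candidate that is present; NULL if none can be loaded. */
static void *open_libcrypto(const char *const *sonames) {
    for (; *sonames != NULL; sonames++) {
        void *h = dlopen(*sonames, RTLD_NOW | RTLD_LOCAL);
        if (h != NULL) return h;
    }
    return NULL;
}

/* Major version of the loaded libcrypto (1 or 3), or 0 on failure.
 * OpenSSL_version_num() exists in both ABIs; the top nibble is the major. */
static int libcrypto_major(void *h) {
    version_num_fn vn = NULL;
    if (h == NULL) return 0;
    *(void **)(&vn) = dlsym(h, "OpenSSL_version_num");
    return vn ? (int)((vn() >> 28) & 0xf) : 0;
}

/* SHA-256 digest size via whichever symbol this ABI exports:
 * EVP_MD_get_size in 3.x, EVP_MD_size in 1.1. Returns -1 on failure. */
static int sha256_size_any_abi(void *h) {
    evp_sha256_fn sha256 = NULL;
    md_size_fn md_size = NULL;
    if (h == NULL) return -1;
    *(void **)(&sha256) = dlsym(h, "EVP_sha256");
    *(void **)(&md_size) = dlsym(h, "EVP_MD_get_size");
    if (md_size == NULL) *(void **)(&md_size) = dlsym(h, "EVP_MD_size");
    if (sha256 == NULL || md_size == NULL) return -1;
    return md_size(sha256());
}

int main(void) {
    void *h = open_libcrypto(LIBCRYPTO_SONAMES);
    printf("major=%d sha256_size=%d\n", libcrypto_major(h), sha256_size_any_abi(h));
    return 0;
}
```

On older glibc releases, link with -ldl.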

** Affects: nvidia-graphics-drivers-535-server (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nvidia-graphics-drivers-535-server (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: nvidia-graphics-drivers-535-server (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: nvidia-graphics-drivers-535-server (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: nvidia-graphics-drivers-535-server (Ubuntu Mantic)
     Importance: Undecided
         Status: New

** Affects: nvidia-graphics-drivers-535-server (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Also affects: nvidia-graphics-drivers-535-server (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: nvidia-graphics-drivers-535-server (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: nvidia-graphics-drivers-535-server (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Also affects: nvidia-graphics-drivers-535-server (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: nvidia-graphics-drivers-535-server (Ubuntu Bionic)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/2052967

Title:
  Provide all available pkcs11 userspace binaries for container
  consumption

Status in nvidia-graphics-drivers-535-server package in Ubuntu:
  New
Status in nvidia-graphics-drivers-535-server source package in Bionic:
  New
Status in nvidia-graphics-drivers-535-server source package in Focal:
  New
Status in nvidia-graphics-drivers-535-server source package in Jammy:
  New
Status in nvidia-graphics-drivers-535-server source package in Mantic:
  New
Status in nvidia-graphics-drivers-535-server source package in Noble:
  New
