Part of NVIDIA/cloud-native-team#299.
The nvidia-container-toolkit runtime container's Dockerfile uses the
same pattern as several other NVIDIA cloud-native repos: a -dev
distroless base plus an explicit /bin/sh busybox symlink — and it
does this in two build stages. NVIDIA STIG policy is dropping
-dev distroless variants as approved parent images, so this needs
to be replaced.
Scope: deployments/container/Dockerfile
- Line 58:
FROM nvcr.io/nvidia/distroless/go:v4.0.2-dev AS packaging → drop -dev
- Lines 61-62: drop
SHELL ["/busybox/sh", "-c"] and RUN ln -s /busybox/sh /bin/sh
- Line 147:
FROM nvcr.io/nvidia/distroless/go:v4.0.2-dev AS application → drop -dev
- Lines 150-151: drop
SHELL and ln -s symlink
The runtime ENTRYPOINT (/work/nvidia-ctk-installer, line 175) is
already a Go binary and doesn't need a shell. No Kubernetes manifests
in the repo use sh -c. Mechanical change.
Acceptance:
- No -dev distroless tags, SHELL directives or /bin/sh symlinks remain
- … consumed by gpu-operator
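As an added example (not from the issue or the nvidia-container-toolkit repo), here is a POSIX sh lint that encodes the acceptance criteria for deployments/container/Dockerfile and adds one check the issue does not list: a shell-form RUN left in a distroless stage. Docker executes shell-form RUN through /bin/sh -c, and a non-dev distroless stage has no /bin/sh once the busybox symlink is gone, so such a line fails the build rather than the policy check. The three sample Dockerfiles are constructed from the lines quoted above, not the real file, and the script assumes mktemp -d is available.

```shell
#!/bin/sh
# Added example: static check for deployments/container/Dockerfile.
# Not from the issue or the nvidia-container-toolkit repo; samples below
# are constructed.
#
# check_dockerfile FILE -> exit 0 if clean, 1 if anything is reported:
#   - FROM lines that still use a -dev distroless tag
#   - SHELL directives
#   - RUN lines that symlink /bin/sh
#   - shell-form RUN in a distroless stage (extra check beyond the issue's
#     acceptance list: Docker runs it via /bin/sh -c, which a non-dev
#     distroless stage does not have, so the build fails)
check_dockerfile() {
  file=$1 rc=0 n=0 distroless=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      FROM*distroless*-dev*)
        echo "$file:$n: -dev distroless base: $line"; rc=1; distroless=1 ;;
      FROM*distroless*) distroless=1 ;;        # non-dev distroless: no shell
      FROM*) distroless=0 ;;                   # e.g. a golang builder stage
      SHELL*)
        echo "$file:$n: SHELL directive: $line"; rc=1 ;;
      RUN*"ln -s"*"/bin/sh"*)
        echo "$file:$n: /bin/sh symlink: $line"; rc=1 ;;
      "RUN ["*) ;;                             # exec form needs no shell
      RUN*)
        if [ "$distroless" = 1 ]; then
          echo "$file:$n: shell-form RUN in distroless stage needs /bin/sh: $line"
          rc=1
        fi ;;
    esac
  done < "$file"
  return $rc
}

# Constructed samples modelled on the lines quoted in the issue (not the real
# Dockerfile). BEFORE is the current pattern; NAIVE drops -dev and the
# SHELL/symlink lines but keeps a shell-form RUN; CLEAN uses exec form only.
BEFORE='FROM nvcr.io/nvidia/distroless/go:v4.0.2-dev AS application
SHELL ["/busybox/sh", "-c"]
RUN ln -s /busybox/sh /bin/sh
ENTRYPOINT ["/work/nvidia-ctk-installer"]'
NAIVE='FROM nvcr.io/nvidia/distroless/go:v4.0.2 AS application
RUN mkdir -p /work
ENTRYPOINT ["/work/nvidia-ctk-installer"]'
CLEAN='FROM nvcr.io/nvidia/distroless/go:v4.0.2 AS application
COPY --from=packaging /work /work
ENTRYPOINT ["/work/nvidia-ctk-installer"]'

# run_sample NAME CONTENT -> writes CONTENT to a temp file named NAME, runs
# check_dockerfile on it and returns that status.
run_sample() {
  dir=$(mktemp -d) || return 2
  printf '%s\n' "$2" > "$dir/$1"
  check_dockerfile "$dir/$1"
  status=$?
  rm -rf "$dir"
  return $status
}

for name in BEFORE NAIVE CLEAN; do
  eval "content=\$$name"
  if run_sample "$name" "$content"; then
    echo "$name: ok"
  else
    echo "$name: FAIL"
  fi
done
```

Expected result: BEFORE and NAIVE fail, CLEAN passes. Running check_dockerfile against the real Dockerfile after the change gives a CI-friendly gate for the first acceptance item; the shell-form RUN check is the part that catches a stage that is policy-clean but no longer builds.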