Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,10 @@ spec:
- name: PASS_DEVICE_SPECS
value: {{ .Values.compatWithCPUManager | quote }}
{{- end }}
{{- if .Values.injectFuseDevice }}
- name: CW_INJECT_FUSE_DEVICE
value: "true"
{{- end }}
{{- if typeIs "string" .Values.deviceListStrategy }}
- name: DEVICE_LIST_STRATEGY
value: {{ .Values.deviceListStrategy }}
Expand Down
7 changes: 7 additions & 0 deletions deployments/helm/nvidia-device-plugin/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,13 @@ dpDisableHealthchecks: null
imexChannelIds: null
imexRequired: null

# CoreWeave: when true, inject /dev/fuse (with the device-cgroup rw rule) into every
# allocation, so rootless apptainer/squashfuse works in NON-privileged GPU pods (e.g.
# SUNK slurmd) without a privileged securityContext or a separate fuse device plugin.
# Sets CW_INJECT_FUSE_DEVICE=true on the device-plugin container. Requires a non-CDI
# device-list strategy (PassDeviceSpecs / volume-mounts); CDI strategies not yet covered.
injectFuseDevice: false

nameOverride: ""
fullnameOverride: ""
namespaceOverride: ""
Expand Down
16 changes: 16 additions & 0 deletions internal/plugin/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -541,5 +541,21 @@ func (plugin *nvidiaDevicePlugin) apiDeviceSpecs(devRoot string, ids []string) [
specs = append(specs, spec)
}

// CoreWeave: optionally inject /dev/fuse into every allocation so rootless
// apptainer/squashfuse works in NON-privileged GPU pods (e.g. SUNK slurmd). This
// adds the device-cgroup rw rule that a plain hostPath mount cannot provide on
// cgroup-v2 + containerd 2.x. Opt-in via CW_INJECT_FUSE_DEVICE=true; default
// behavior is unchanged. /dev/fuse lives at the host /dev root, not under devRoot.
// NOTE: this path runs only when PassDeviceSpecs is enabled (non-CDI device-list
// strategy). CDI strategies allocate via updateResponseForCDI() and are not yet
// covered — see the chart docs / follow-up for CDI support.
if os.Getenv("CW_INJECT_FUSE_DEVICE") == "true" {
specs = append(specs, &pluginapi.DeviceSpec{
ContainerPath: "/dev/fuse",
HostPath: "/dev/fuse",
Permissions: "rw",
})
}

return specs
}