Added Nvidia GPU support to the buildah-remote task

[syedriko]

Added Nvidia GPU support to the buildah-remote task

[brianwcook]

I left you a couple reviews. The buildah-remote tasks are generated by running /hack/generate-buildah-remote.sh in this repo. This ensures they stay consistent with the normal buildah task. You need to modify the main.go called by generate-buildah-remote.sh so that when you run it, it produces the same diff this PR has. Once you run it, the PR should have 3 changed files: the generate script, buildah-remote/0.1/buildah-remote.yaml and buildah-remote/0.2/buildah-remote.yaml.

After that, you also need to run the /hack/generate-ta-tasks.sh. which will update 2 more files (trusted artifacts versions of the 2 buildah remote tasks).

Summary: you will modify 1 file (main.go), run two generate commands and add all those changes here.

[syedriko]

Thanks, @brianwcook! PTAL

[brianwcook]

/ok-to-test

[arewm]

I have tried in the past to not depend on the semantics of the PLATFORM parameter. @ifireball @mshaposhnik, what do you think?

The use of the PLATFORM parameter like this would fall in line with the functionality requested in https://issues.redhat.com/browse/KONFLUX-4073.

[chmeliik]

Could you describe what these changes do, how and why? The code change on its own doesn't give me much to work with

[chmeliik]

What are the implications of --security-opt=label=disable?

[chmeliik]

I would also consider dropping this PR in favor of #1530, although that one seems like it potentially gives the user too much control

[syedriko]

Could you describe what these changes do, how and why? The code change on its own doesn't give me much to work with

The goal here is to allow Konflux builds to access Nvidia GPUs on machines so equipped. An example is running PyTorch during container build - https://github.com/openshift/lightspeed-rag-content/blob/main/Containerfile.

This PR is a building block towards support of this scenario. The others are AWS instance type(s) in multi-platform controller https://github.com/redhat-appstudio/infra-deployments/blob/0b936310854c7b4031b967eda33ad8399f12da60/components/multi-platform-controller/production/common/host-config.yaml#L528 and an AMI with Nvidia drivers.

This PR, for platforms that start with "linux-g", tells podman to pass though Nvidia GPU devices to the containers it runs.

What are the implications of --security-opt=label=disable?

Not too sure about it beyond the obvious, but this came from Nvidia docs https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/1.14.2/cdi-support.html

Upd: attempted dropping --security-opt=label=disable, build container couldn't access the GPU device.

[brianwcook]

/ok-to-test

[syedriko]

@brianwcook @chmeliik @arewm It looks to me like #1530 has morphed into something we can't use instead of this PR. Could you PTAL and see if we can revive this PR.

[brianwcook]

I am +1 to merging this. We can revisit the enablement logic (vm's with instance types starting with 'g') at a later date if / when MPC changes how to label platforms, probably with no impact to end users. In addition the impact from disabling security labeling looks minimal since we 1) do not reuse build VMs 2) we do not run concurrent builds on a VM and 3) this only applies to remote builders, not OpenShift based builds.

[chmeliik]

/ok-to-test

[chmeliik]

LGTM 👍