GPU access in the sandbox

[SomeoneSerge]

Description of changes

The PR introduces a way to expose devices and drivers (e.g. GPUs and /run/opengl-driver/lib) in the Nix build's sandbox for specially marked derivations. The approach is that described in #225912: we introduce a pre-build-hook which would scan the .drv being built for the presence of a chosen tag in the requiredSystemFeatures attribute and, upon a match, instruct Nix to mount a list of device-related paths. E.g. one could mark the derivation as mkDerivation { ...; requiredSystemFeatures = [ "cuda" ]; } to indicate that it would need to use CUDA during the build. Untagged derivations would still observe "pure" environment without any devices. Further, the requiredSystemFeatures attribute is special, Nix uses it to determine whether a host is capable of building the derivation, and which remote builders to choose. A host that hasn't been set up with nix.settings.system-features (system-features in nix.conf(5)) would refuse to build the marked derivation

One application of this hook is to implement GPU tests as normal derivations (cf. the torch example in the diff).
Another use could be to use Nix to run ML/DL/NumberCrunching pipelines that utilize GPUs (e.g. https://github.com/SomeoneSerge/pkgs/blob/5bf5ea2b16696e70ade5a68063042dcf2e8f033b/python-packages/by-name/om/omnimotion/package.nix#L270-L291). Similarly, one could write derivations that render things using OpenGL or Vulkan

How to test:

1. Take a NixOS machine with an nvidia GPU and hardware.opengl.enable = true.

2. Try building python3Packages.torch.tests.cudaAvailable, observe it's refused evaluation

3. Rebulid with programs.nix-required-mounts.enable = true (

   # Note: nix-required-sandbox-paths extends system-features,
   # but they won't be merged with the nixos defaults, because they got a different priority
   # -> set manually:
   nix.settings.system-features = [
     "nixos-test"
     "benchmark"
     "big-parallel"
     "kvm"
   ];
   programs.nix-required-sandbox-paths.enable = true;
   

4. Build python3Packages.torch.gpuChecks.cudaAvailable successfully

5. Try dropping cuda from gpuChecks.cudaAvailable's requiredSystemFeatures, and observe the test fail

CC @NixOS/cuda-maintainers

Alternatives and related work

@tomberek suggests that one could have derivations ask for specific paths using __impureHostDeps, currently undocumented and being used for Darwin builds

For GPU tests, @Kiskae suggests one could instead use NixOS tests with the PCI passthrough

We could also possibly consider supporting variables like CUDA_VISIBLE_DEVICES and/or re-using nvidia-docker/nvidia-container-toolkit because that's the interface many (singularity, docker) rely on. These currently do not support any static configuration, and in particular they rely on glibc internals to discover the host drivers in a very non-cross-platform way.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.11 Release Notes (or backporting 23.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[SomeoneSerge]

A slightly more involved usage example: https://github.com/SomeoneSerge/pkgs/blob/a23cebfa6c183538a89b7aedceccd1702400b9e2/python-packages/by-name/om/omnimotion/package.nix#L270-L288

[SomeoneSerge]

• Added a test for blender as suggested by @the-furry-hubofeverything in cudaPackages: GPU-enabled tests #225912 (comment)
• Updated the PR description to reflect that the approach can be used (is already being used) to manage generic GPU workloads, addressing cudaPackages: GPU-enabled tests #225912 (comment)
• I'm going to rewrite the structure of the NixOS module and of the hook's config in a bit
• I'd like to switch to the approach described by @Kiskae in cudaPackages: GPU-enabled tests #225912 (comment). Specifically, I want to expose the GPU checks such that they can be run outside the sandbox (what we use to verify our builds are correct, the user may utilize to verify the host configuration). These checks can then be wrapped to be exposed in passthru.tests to run with requiredSystemFeatures, or to be run as NixOS tests with PCI passthrough when somebody comes around to implement that

[SomeoneSerge]

• Added a NixOS test verifying that the sandbox is relaxed if and only if the derivation has asked for the respective requiredSystemFeature

[SomeoneSerge]

IIRC this requires the nix-command experimental feature. Should I just assume the 1st argument to always be the path to the .drv and read it directly?

[SomeoneSerge]

When using remote builds, the .drv apparently isn't available on the remote builder by the time when the pre-build-hook executes.

Thoughts?

[layus]

I think it boils down to this feature/optimization:

When you are privileged (or building a content-addressed derivation), you can build a derivation without uploading all the .drv closure first. This is of course less secure (because you can forge arbitrary output hashes) but faster if the closure contains very large files as inputs. Or if the closure is large. The .drv you send is not trusted, nor trustable, and not written to the builder store. Just used for building and sending back the result.

When you are not privileged (and not building a content-addressed derivation), you need to send the whole closure, and the .drv file will be present, as its validity can be recursively verified.

See https://github.com/NixOS/nix/blob/d12c614ac75171421844f3706d89913c3d841460/src/build-remote/build-remote.cc#L302-L334 And the referenced comment https://github.com/NixOS/nix/blob/d12c614ac75171421844f3706d89913c3d841460/src/libstore/daemon.cc#L589-L622

[layus]

It bugged me too much :-D NixOS/nix#9272

[SomeoneSerge]

Oh gosh, thanks a bunch @layus!

[samuela]

you a real og for this one @SomeoneSerge !! 🚀

[samuela]

is there a way we could avoid having a stringly-typed API here? eg something like

Suggested change

	requiredSystemFeatures = [ "cuda" ];
	requiredSystemFeatures = [ system-features.cuda ];

I'm a fan of whatever works, but I think avoiding a stringly-typed interface would be preferable, ceteris paribus.

[SomeoneSerge]

There's no precedent for that AFAIK, but we could introduce some attribute in cudaPackages.
A related concern that I have (mentioned in the linked issue) is that in principle I'd like to have the feature name indicate the relevant cuda capabilities, but there are obvious complications...

[SomeoneSerge]

Actually, let me clarify: I made a preset with "cuda" because it seemed like the simplest string I could come up with. I'm wary of introducing other names or more infra around these names, because it's easy to slip down the rabbit hole. One obvious rabbit hole is that you could start making derivations that ask for requiredSystemFeatures = let formatFeature = capabilities: (concatStringsMapSep "-or-" (x: "sm_{x}") capabilities); [ (formatFeature cudaCapabilities) ] and deploying hosts that declare programs.nix-required-mounts.allowedPatterns.cuda.onFeatures = map allowformatFeature (genSubsets cudaCapabilities)

[SomeoneSerge]

The final value, at least for now, would still be a string, but we could define somewhere a dictionary of valid literals and have people reference them rather than write the strings directly. Could be as silly as cudaPackages.cudaFeature = "cuda" and requiredSystemFeatures = [ cudaPackages.cudaFeature ].

We then could even extend this to cudaFeature = f cudaFlags

[SomeoneSerge]

But what are your thoughts on modeling the capabilities?

[SomeoneSerge]

I think (import <nixpkgs> { config.cudaCapabilities = [ "8.6" ]; }).blender.tests.cuda-available.requiredSystemFeatures = [ "cuda-sm_86" ] would be really great, but we run into the limitations of this mechanism very soon

[SomeoneSerge]

(Nix with an external scheduler when)

[ConnorBaker]

I think we should model capabilities -- they're essentially features of the hardware which determine how different pieces of software should be built and whether or not they can run on the system.

I do think it's a bit out of scope of this PR though; @SomeoneSerge would you make an issue so we can track this and have a longer discussion there?

[SomeoneSerge]

...merge this PR by next Monday

Wrong Monday. I now fixed the /dev/video* issue and added release notes. I also changed slightly the paths for these "gpu tests" (cf the commit message for d6b3abc). The exportReferencesGraph logic can be rewritten later as part of the effort for making nvidia's CDI integration work.

Waiting for ofborg and merging in the morning.

[GaetanLepage]

Result of nixpkgs-review pr 256230 run on x86_64-linux 1

2 packages blacklisted:

• nixos-install-tools
• tests.nixos-functions.nixos-test

2 packages built:

• nix-required-mounts
• nix-required-mounts.dist

[SomeoneSerge]

This time around Ofborg dismisses passthru.tests (in bulk) based on licenses rather than requiredSystemFeatures. There are precedents for this already in Nixpkgs, e.g. python3Packages.jax.tests, so I'm not going to delay anymore. Properly resolving this depends either on NixOS/ofborg#678 or on NixOS/ofborg#644

❯ nix build --impure .#blender.tests.tester-cudaAvailable.gpuCheck -L # --impure is for the global allowUnfreePredicate
test-cuda> Blender 4.1.1
test-cuda> could not get a list of mounted file-systems
test-cuda> CUDA is available
test-cuda> Blender quit

🚅 🚄 🚄

[trofi]

In some locations test-cuda.nix is not present, fails the eval as:

$ nix build --no-link -f. python3Packages.pytorch-bin.gpuChecks
error:
       … while evaluating a branch condition
         at lib/customisation.nix:263:8:
          262|
          263|     in if missingArgs == {}
             |        ^
          264|        then makeOverridable f allArgs

       … while calling the 'listToAttrs' builtin
         at lib/attrsets.nix:647:5:
          646|     set:
          647|     listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
             |     ^
          648|

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: path 'pkgs/development/python-modules/torch/test-cuda.nix' does not exist