nvidia-k8s-device-plugin: configure driver root for container path normalization

Set containerDriverRoot to the Bottlerocket sysroot path so the device
plugin discovers libraries correctly and generates CDI specs with
normalized /usr/lib/ container paths.

Add --additional-symlinks support patches (1002, 1003) to the device
plugin vendored nvidia-container-toolkit code.

Signed-off-by: Maher Homsi <maherhom@amazon.com>

Author: maherthomsi

packages/nvidia-k8s-device-plugin/1002-Enable-library-path-compatibility-symlinks.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maher Homsi <maherhom@amazon.com>
+Date: Wed, 16 Apr 2025 00:00:00 +0000
+Subject: [PATCH] Enable library path compatibility symlinks
+
+Enable the CreateLibSymlinksHook to generate backwards-compatibility
+symlinks in containers for library paths that have moved.
+
+Signed-off-by: Maher Homsi <maherhom@amazon.com>
+---
+ internal/cdi/cdi.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/internal/cdi/cdi.go b/internal/cdi/cdi.go
+index bee83c6e4..a1b2c3d4e 100644
+--- a/internal/cdi/cdi.go
++++ b/internal/cdi/cdi.go
+@@ -127,6 +127,7 @@ func New(infolib info.Interface, nvmllib nvml.Interface, devicelib device.Interf
+ 		nvcdi.WithNvmlLib(c.nvmllib),
+ 		nvcdi.WithVendor(c.vendor),
+ 		nvcdi.WithDisabledHook(nvcdi.HookEnableCudaCompat),
++		nvcdi.WithEnabledHooks(nvcdi.CreateLibSymlinksHook),
+ 	}
+ 
+ 	c.cdilibs = make(map[string]nvcdi.SpecGenerator)
+-- 
+2.52.0

packages/nvidia-k8s-device-plugin/1003-vendor-add-CreateLibSymlinksHook.patch

@@ -0,0 +1,163 @@
+From 71fc7cb6a3c15ca99e7a9de859c2ace90a197f16 Mon Sep 17 00:00:00 2001
+From: Maher Homsi <maherhom@amazon.com>
+Date: Tue, 28 Apr 2026 22:35:11 +0000
+Subject: [PATCH] vendor: add CreateLibSymlinksHook to vendored
+ nvidia-container-toolkit
+
+Update the vendored nvidia-container-toolkit to include the
+CreateLibSymlinksHook feature. This is needed because patch 1002 enables
+this hook in the device plugin, but the vendored toolkit code does not
+include it.
+
+Signed-off-by: Maher Homsi <maherhom@amazon.com>
+---
+ .../internal/discover/hooks.go                | 15 +++-
+ .../internal/discover/lib_path_symlinks.go    | 57 +++++++++++++++++++
+ .../nvidia-container-toolkit/pkg/nvcdi/api.go |  2 +
+ .../pkg/nvcdi/driver-nvml.go                  |  3 +
+ 4 files changed, 74 insertions(+), 3 deletions(-)
+ create mode 100644 vendor/github.com/NVIDIA/nvidia-container-toolkit/internal/discover/lib_path_symlinks.go
+
+diff --git a/vendor/github.com/NVIDIA/nvidia-container-toolkit/internal/discover/hooks.go b/vendor/github.com/NVIDIA/nvidia-container-toolkit/internal/discover/hooks.go
+index 66bef75..a1f608a 100644
+--- a/vendor/github.com/NVIDIA/nvidia-container-toolkit/internal/discover/hooks.go
++++ b/vendor/github.com/NVIDIA/nvidia-container-toolkit/internal/discover/hooks.go
+@@ -36,6 +36,8 @@ const (
+ 	ChmodHook = HookName("chmod")
+ 	// A CreateSymlinksHook is used to create symlinks in the container.
+ 	CreateSymlinksHook = HookName("create-symlinks")
++	// A CreateLibSymlinksHook is used to create library path compatibility symlinks.
++	CreateLibSymlinksHook = HookName("create-lib-symlinks")
+ 	// DisableDeviceNodeModificationHook refers to the hook used to ensure that
+ 	// device nodes are not created by libnvidia-ml.so or nvidia-smi in a
+ 	// container.
+@@ -57,6 +59,8 @@ var defaultDisabledHooks = []HookName{
+ 	// ChmodHook is disabled by default as it was a workaround for older
+ 	// versions of crun that has since been fixed.
+ 	ChmodHook,
++	// CreateLibSymlinksHook is disabled by default; opt-in for backwards compat.
++	CreateLibSymlinksHook,
+ }
+ 
+ var _ Discover = (*Hook)(nil)
+@@ -204,19 +208,24 @@ func (c cdiHookCreator) isDisabled(name HookName, args ...string) bool {
+ 
+ 	// still reject hooks that require args if none were provided
+ 	switch name {
+-	case CreateSymlinksHook, ChmodHook:
++	case CreateSymlinksHook, CreateLibSymlinksHook, ChmodHook:
+ 		return len(args) == 0
+ 	}
+ 	return false
+ }
+ 
+ func (c cdiHookCreator) requiredArgs(name HookName) []string {
+-	return append(c.fixedArgs, string(name))
++	cliName := name
++	switch name {
++	case CreateLibSymlinksHook:
++		cliName = CreateSymlinksHook
++	}
++	return append(c.fixedArgs, string(cliName))
+ }
+ 
+ func (c cdiHookCreator) transformArgs(name HookName, args ...string) []string {
+ 	switch name {
+-	case CreateSymlinksHook:
++	case CreateSymlinksHook, CreateLibSymlinksHook:
+ 		var transformedArgs []string
+ 		for _, arg := range args {
+ 			transformedArgs = append(transformedArgs, "--link", arg)
+diff --git a/vendor/github.com/NVIDIA/nvidia-container-toolkit/internal/discover/lib_path_symlinks.go b/vendor/github.com/NVIDIA/nvidia-container-toolkit/internal/discover/lib_path_symlinks.go
+new file mode 100644
+index 0000000..7cbf052
+--- /dev/null
++++ b/vendor/github.com/NVIDIA/nvidia-container-toolkit/internal/discover/lib_path_symlinks.go
+@@ -0,0 +1,57 @@
++package discover
++
++import (
++	"fmt"
++	"path/filepath"
++)
++
++const defaultLegacyLibPath = "/usr/lib/nvidia/tesla"
++
++type libPathSymlinks struct {
++	Discover
++	hookCreator   HookCreator
++	legacyLibPath string
++}
++
++// WithLibPathSymlinks decorates the provided discoverer to add a hook that
++// creates backwards-compatibility symlinks from legacyLibPath/<lib> to the
++// actual library paths.
++func WithLibPathSymlinks(mounts Discover, hookCreator HookCreator, legacyLibPath string) Discover {
++	if legacyLibPath == "" {
++		legacyLibPath = defaultLegacyLibPath
++	}
++	return &libPathSymlinks{
++		Discover:      mounts,
++		hookCreator:   hookCreator,
++		legacyLibPath: legacyLibPath,
++	}
++}
++
++// Hooks returns hooks from the wrapped discoverer plus a hook to create
++// library path compatibility symlinks.
++func (d *libPathSymlinks) Hooks() ([]Hook, error) {
++	hooks, err := d.Discover.Hooks()
++	if err != nil {
++		return nil, fmt.Errorf("failed to get hooks: %v", err)
++	}
++
++	mounts, err := d.Mounts()
++	if err != nil {
++		return nil, fmt.Errorf("failed to get library mounts: %v", err)
++	}
++
++	var links []string
++	for _, mount := range mounts {
++		basename := filepath.Base(mount.Path)
++		link := fmt.Sprintf("%s::%s", mount.Path, filepath.Join(d.legacyLibPath, basename))
++		links = append(links, link)
++	}
++
++	symlinkHook := d.hookCreator.Create(CreateLibSymlinksHook, links...)
++	if symlinkHook != nil {
++		hookList, _ := symlinkHook.Hooks()
++		hooks = append(hooks, hookList...)
++	}
++
++	return hooks, nil
++}
+diff --git a/vendor/github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/api.go b/vendor/github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/api.go
+index fce32bc..d827c06 100644
+--- a/vendor/github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/api.go
++++ b/vendor/github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/api.go
+@@ -63,6 +63,8 @@ const (
+ 	EnableCudaCompatHook = discover.EnableCudaCompatHook
+ 	// An UpdateLDCacheHook is used to update the ldcache in the container.
+ 	UpdateLDCacheHook = discover.UpdateLDCacheHook
++	// A CreateLibSymlinksHook is used to create library path compatibility symlinks.
++	CreateLibSymlinksHook = discover.CreateLibSymlinksHook
+ 
+ 	// Deprecated: Use CreateSymlinksHook instead.
+ 	HookCreateSymlinks = CreateSymlinksHook
+diff --git a/vendor/github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/driver-nvml.go b/vendor/github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/driver-nvml.go
+index e145a2d..32ed643 100644
+--- a/vendor/github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/driver-nvml.go
++++ b/vendor/github.com/NVIDIA/nvidia-container-toolkit/pkg/nvcdi/driver-nvml.go
+@@ -104,6 +104,9 @@ func (l *nvcdilib) NewDriverLibraryDiscoverer(version string, libcudaSoParentDir
+ 	cudaCompatLibHookDiscoverer := discover.NewCUDACompatHookDiscoverer(l.logger, l.hookCreator, version)
+ 	discoverers = append(discoverers, cudaCompatLibHookDiscoverer)
+ 
++	libPathSymlinksDiscoverer := discover.WithLibPathSymlinks(libraries, l.hookCreator, "")
++	discoverers = append(discoverers, libPathSymlinksDiscoverer)
++
+ 	updateLDCache, _ := discover.NewLDCacheUpdateHook(l.logger, libraries, l.hookCreator, l.ldconfigPath)
+ 	discoverers = append(discoverers, updateLDCache)
+ 
+-- 
+2.53.0
+

packages/nvidia-k8s-device-plugin/nvidia-k8s-device-plugin-conf

@@ -33,7 +33,7 @@ flags:
     deviceListStrategy: "volume-mounts"
     {{/if}}
     deviceIDStrategy: {{default "index" settings.kubelet-device-plugins.nvidia.device-id-strategy}}
-    containerDriverRoot: "/"
+    containerDriverRoot: "/x86_64-bottlerocket-linux-gnu/sys-root"
 {{#if settings.kubelet-device-plugins.nvidia.device-sharing-strategy}}
 {{#if (eq settings.kubelet-device-plugins.nvidia.device-sharing-strategy "time-slicing")}}
 sharing:

packages/nvidia-k8s-device-plugin/nvidia-k8s-device-plugin.spec

@@ -22,6 +22,8 @@ Source6: nvidia-mps-control-daemon-exec-start-conf
 
 Patch0001: 0001-Update-MPS-roots-for-immutable-host-OS.patch
 Patch1001: 1001-Ensure-that-generated-CDI-specs-do-not-contain-enabl.patch
+Patch1002: 1002-Enable-library-path-compatibility-symlinks.patch
+Patch1003: 1003-vendor-add-CreateLibSymlinksHook.patch
 
 BuildRequires: %{_cross_os}glibc-devel