nvidia-container-toolkit: normalize library paths in containers

Add --additional-symlinks flag to nvidia-ctk cdi generate that creates
symlinks in a specified directory pointing to each discovered library.

Configure generate-cdi-specs.service with:
- --driver-root /x86_64-bottlerocket-linux-gnu/sys-root
- --dev-root /
- --additional-symlinks /usr/lib/nvidia/tesla

This ensures libraries appear at /usr/lib/ in containers with
backwards-compat symlinks at /usr/lib/nvidia/tesla/.

Signed-off-by: Maher Homsi <maherhom@amazon.com>

Author: maherthomsi

packages/nvidia-container-toolkit/0002-add-additional-symlinks-flag.patch

@@ -0,0 +1,176 @@
+From 350bb9de88647d807651402d04701bafa98fc2c1 Mon Sep 17 00:00:00 2001
+From: Maher Homsi <maherhom@amazon.com>
+Date: Wed, 29 Apr 2026 00:32:03 +0000
+Subject: [PATCH] Add --additional-symlinks flag for library path compatibility
+
+Add a --additional-symlinks flag to `nvidia-ctk cdi generate` that takes
+a directory path. When specified, for each discovered nvidia library
+mounted into the container, a symlink is created from
+<additional-symlinks-dir>/<lib> pointing to the actual library path.
+
+This enables backwards compatibility for workloads that expect nvidia
+libraries at /usr/lib/nvidia/tesla/ after libraries move to /usr/lib/.
+
+Usage:
+  nvidia-ctk cdi generate --additional-symlinks /usr/lib/nvidia/tesla
+
+Signed-off-by: Maher Homsi <maherhom@amazon.com>
+---
+ cmd/nvidia-ctk/cdi/generate/generate.go | 14 +++++++++
+ internal/discover/lib_path_symlinks.go  | 44 +++++++++++++++++++++++++++++++++
+ pkg/nvcdi/driver-nvml.go               | 10 ++++++
+ pkg/nvcdi/lib.go                       |  1 +
+ pkg/nvcdi/options.go                   |  8 +++++
+ 5 files changed, 77 insertions(+)
+ create mode 100644 internal/discover/lib_path_symlinks.go
+
+diff --git a/cmd/nvidia-ctk/cdi/generate/generate.go b/cmd/nvidia-ctk/cdi/generate/generate.go
+index 3c4d5e6..7a8b9c0 100644
+--- a/cmd/nvidia-ctk/cdi/generate/generate.go
++++ b/cmd/nvidia-ctk/cdi/generate/generate.go
+@@ -66,6 +66,7 @@ type options struct {
+ 	enabledHooks       []string
+ 
+ 	featureFlags []string
++	libDirSymlinksDir string
+ 
+ 	csv struct {
+ 		files          []string
+@@ -231,6 +232,12 @@ func (m command) build() *cli.Command {
+ 				Destination: &opts.featureFlags,
+ 				Sources:     cli.EnvVars("NVIDIA_CTK_CDI_GENERATE_FEATURE_FLAGS"),
+ 			},
++			&cli.StringFlag{
++				Name:        "additional-symlinks",
++				Destination: &opts.libDirSymlinksDir,
++				Usage:       "Create symlinks in the specified directory pointing to each nvidia library. This enables backwards compatibility for workloads expecting libraries at a legacy path.",
++				Sources:     cli.EnvVars("NVIDIA_CTK_CDI_GENERATE_ADDITIONAL_SYMLINKS"),
++			},
+ 		},
+ 	}
+ 
+@@ -363,6 +370,7 @@ func (m command) generateSpec(opts *options) (spec.Interface, error) {
+ 		nvcdi.WithDisabledHooks(opts.disabledHooks...),
+ 		nvcdi.WithEnabledHooks(opts.enabledHooks...),
+ 		nvcdi.WithFeatureFlags(opts.featureFlags...),
++		nvcdi.WithLibDirSymlinksDir(opts.libDirSymlinksDir),
+ 		// We set the following to allow for dependency injection:
+ 		nvcdi.WithNvmlLib(opts.nvmllib),
+ 	}
+diff --git a/internal/discover/lib_path_symlinks.go b/internal/discover/lib_path_symlinks.go
+new file mode 100644
+index 0000000..a1b2c3d
+--- /dev/null
++++ b/internal/discover/lib_path_symlinks.go
+@@ -0,0 +1,56 @@
++package discover
++
++import (
++	"fmt"
++	"path/filepath"
++)
++
++type libDirSymlinks struct {
++	Discover
++	hookCreator HookCreator
++	symlinkDir  string
++}
++
++// WithLibDirSymlinks decorates the provided discoverer to add a hook that
++// creates symlinks in symlinkDir pointing to each discovered library.
++// For each library at /usr/lib/<lib>, a symlink <symlinkDir>/<lib> -> /usr/lib/<lib>
++// is created inside the container.
++func WithLibDirSymlinks(mounts Discover, hookCreator HookCreator, symlinkDir string) Discover {
++	if symlinkDir == "" {
++		return mounts
++	}
++	return &libDirSymlinks{
++		Discover:    mounts,
++		hookCreator: hookCreator,
++		symlinkDir:  symlinkDir,
++	}
++}
++
++// Hooks returns hooks from the wrapped discoverer plus a create-symlinks hook
++// that creates symlinks in the configured directory.
++func (d *libDirSymlinks) Hooks() ([]Hook, error) {
++	hooks, err := d.Discover.Hooks()
++	if err != nil {
++		return nil, fmt.Errorf("failed to get hooks: %v", err)
++	}
++
++	mounts, err := d.Mounts()
++	if err != nil {
++		return nil, fmt.Errorf("failed to get library mounts: %v", err)
++	}
++
++	var links []string
++	for _, mount := range mounts {
++		basename := filepath.Base(mount.Path)
++		link := fmt.Sprintf("%s::%s", mount.Path, filepath.Join(d.symlinkDir, basename))
++		links = append(links, link)
++	}
++
++	symlinkHook := d.hookCreator.Create(CreateSymlinksHook, links...)
++	if symlinkHook != nil {
++		hookList, _ := symlinkHook.Hooks()
++		hooks = append(hooks, hookList...)
++	}
++
++	return hooks, nil
++}
++}
+diff --git a/pkg/nvcdi/driver-nvml.go b/pkg/nvcdi/driver-nvml.go
+index e145a2d..f8a9b12 100644
+--- a/pkg/nvcdi/driver-nvml.go
++++ b/pkg/nvcdi/driver-nvml.go
+@@ -104,6 +104,16 @@ func (l *nvcdilib) NewDriverLibraryDiscoverer(version string, libcudaSoParentDir
+ 	cudaCompatLibHookDiscoverer := discover.NewCUDACompatHookDiscoverer(l.logger, l.hookCreator, version)
+ 	discoverers = append(discoverers, cudaCompatLibHookDiscoverer)
+ 
++	if l.libDirSymlinksDir != "" {
++		l.logger.Infof("Adding additional symlinks discoverer for directory %q", l.libDirSymlinksDir)
++		libDirSymlinksDiscoverer := discover.WithLibDirSymlinks(
++			libraries,
++			l.hookCreator,
++			l.libDirSymlinksDir,
++		)
++		discoverers = append(discoverers, libDirSymlinksDiscoverer)
++	}
++
+ 	updateLDCache, _ := discover.NewLDCacheUpdateHook(l.logger, libraries, l.hookCreator, l.ldconfigPath)
+ 	discoverers = append(discoverers, updateLDCache)
+ 
+diff --git a/pkg/nvcdi/lib.go b/pkg/nvcdi/lib.go
+index 1a2b3c4..5d6e7f8 100644
+--- a/pkg/nvcdi/lib.go
++++ b/pkg/nvcdi/lib.go
+@@ -61,6 +61,7 @@ type nvcdilib struct {
+ 	disabledHooks []discover.HookName
+ 	enabledHooks  []discover.HookName
+ 	hookCreator   discover.HookCreator
++	libDirSymlinksDir string
+ }
+ 
+ // New creates a new nvcdi library
+diff --git a/pkg/nvcdi/options.go b/pkg/nvcdi/options.go
+index 2a3b4c5..6d7e8f9 100644
+--- a/pkg/nvcdi/options.go
++++ b/pkg/nvcdi/options.go
+@@ -177,6 +177,14 @@ func WithEnabledHooks[T string | HookName](hooks ...T) Option {
+ 	}
+ }
+ 
++// WithLibDirSymlinksDir sets the directory where additional library
++// symlinks should be created in the container.
++func WithLibDirSymlinksDir(dir string) Option {
++	return func(l *nvcdilib) {
++		l.libDirSymlinksDir = dir
++	}
++}
++
+ // WithFeatureFlags allows the specified set of features to be toggled on.
+ func WithFeatureFlags[T string | FeatureFlag](featureFlags ...T) Option {
+ 	return func(o *nvcdilib) {
+-- 
+2.53.0

packages/nvidia-container-toolkit/generate-cdi-specs.service

@@ -25,14 +25,10 @@ RefuseManualStop=true
 
 [Service]
 Type=oneshot
-# Explanation of the options:
-# --format json: to be consistent across Bottlerocket's variants
-# --mode nvml: the default mode ("auto") resolves to this already, make it explicit
-# --device-name-strategy uuid: the ECS agent only supports device UUIDs; for k8s
-#                              this is irrelevant because these specs will be used
-#                              only when NVIDIA_VISIBLE_DEVICES is "all"
-# --output /etc/cdi/nvidia.json: store the CDI specifications at this location
 ExecStart=/usr/bin/nvidia-ctk cdi generate --format json \
+  --driver-root /x86_64-bottlerocket-linux-gnu/sys-root \
+  --dev-root / \
+  --additional-symlinks /usr/lib/nvidia/tesla \
   --mode nvml \
   --device-name-strategy uuid \
   --output /etc/cdi/nvidia.json

packages/nvidia-container-toolkit/nvidia-container-toolkit.spec

@@ -24,6 +24,7 @@ Source5: nvidia-container-toolkit-tmpfiles-k8s.conf
 Source6: nvidia-container-toolkit-config-k8s
 Source7: generate-cdi-specs.service
 Patch0001: 0001-discover-reduce-missing-resource-warnings-to-debug-l.patch
+Patch0002: 0002-add-additional-symlinks-flag.patch
 
 BuildRequires: %{_cross_os}glibc-devel
 Requires: %{_cross_os}libnvidia-container