pin nvidia major ver

Author: prateekchaudhry

NVIDIA_DRIVER_VERSION

@@ -1,16 +1,15 @@
 # NVIDIA Driver and CUDA Version Tracking
 # ----------------------------------------
-# IMPORTANT: This file is for INFORMATIONAL AND TRACKING PURPOSES ONLY.
+# IMPORTANT: DO NOT EDIT THIS FILE MANUALLY. It is automatically updated
+# by the check-update.sh script. Manual changes will be overwritten.
 #
-# DO NOT EDIT THIS FILE MANUALLY. It is automatically updated by the
-# check-update.sh script. Manual changes will be overwritten.
 # Format: nvidia_driver_version_<ami_type> = "<version>"
 #         cuda_version_<ami_type> = "<version>" (AL2 only)
 #
-# This file tracks the latest NVIDIA driver and CUDA versions detected for different
-# Amazon Linux AMIs. It does not affect the actual driver installations.
-# For driver installations or updates, please refer to the appropriate
-# documentation or automation scripts.
+# This file tracks the latest NVIDIA driver and CUDA versions detected for
+# different Amazon Linux AMIs. For AL2023 GPU, the version in this file is
+# used by the install script during AMI builds (sourced via Packer file
+# provisioner). The pinned major version is defined in variables.pkr.hcl.
 
 nvidia_driver_version_al2 = "550.163.01"
 nvidia_driver_version_al2023 = "580.126.09"

al2023.pkr.hcl

@@ -200,6 +200,12 @@ build {
     only        = ["amazon-ebs.al2023gpu"]
   }
 
+  provisioner "file" {
+    source      = "NVIDIA_DRIVER_VERSION"
+    destination = "/tmp/NVIDIA_DRIVER_VERSION"
+    only        = ["amazon-ebs.al2023gpu"]
+  }
+
   provisioner "shell" {
     environment_vars = [
       "AMI_TYPE=${source.name}",

scripts/al2023/gpu/install-nvidia-driver.sh

@@ -47,8 +47,17 @@ fi
 # open, and GRID) in /var/lib/dkms-archive. All three must be on the same driver
 # version to ensure proper functionality. The GRID kmod comes from the EC2 GRID
 # .run file in S3, while proprietary and open come from the AL2023 nvidia repo.
-# If the repo and S3 versions differ, we use the lower of the two to ensure both
-# sources can provide it.
+#
+# The exact driver version is determined by the security check script
+# (check-update-security.sh) as min(repo, S3 GRID) within the pinned major,
+# and tracked in the NVIDIA_DRIVER_VERSION file uploaded by Packer.
+
+NVIDIA_DRIVER_FULL_VERSION=$(grep "^nvidia_driver_version_al2023" /tmp/NVIDIA_DRIVER_VERSION | awk -F'"' '{print $2}')
+if [[ -z "$NVIDIA_DRIVER_FULL_VERSION" ]]; then
+  echo "ERROR: Could not read nvidia_driver_version_al2023 from /tmp/NVIDIA_DRIVER_VERSION"
+  exit 1
+fi
+echo "Using NVIDIA driver version: ${NVIDIA_DRIVER_FULL_VERSION}"
 
 # Some regions do not have access to the GRID driver S3 bucket, skip GRID driver
 skip_grid_driver=""
@@ -59,38 +68,6 @@ fi
 
 EC2_GRID_DRIVER_S3_BUCKET="ec2-linux-nvidia-drivers"
 
-if [[ -z "$skip_grid_driver" ]]; then
-  LATEST_GRID_DRIVER_VERSION=$(aws s3 ls --recursive s3://${EC2_GRID_DRIVER_S3_BUCKET}/ --no-sign-request \
-    | grep -Eo "(NVIDIA-Linux-x86_64-)[0-9]+\.[0-9]+\.[0-9]+(-grid-aws\.run)" \
-    | cut -d'-' -f4 \
-    | sort -V \
-    | tail -1)
-
-  if [[ -z "$LATEST_GRID_DRIVER_VERSION" ]]; then
-    echo "ERROR: Could not determine NVIDIA GRID driver version from S3"
-    exit 1
-  fi
-  echo "Latest GRID .run version in S3: ${LATEST_GRID_DRIVER_VERSION}"
-fi
-
-LATEST_OPEN_MODULE_VERSION=$(dnf repoquery --latest=1 --arch=noarch --queryformat "%{version}" "kmod-nvidia-open-dkms" 2>/dev/null | sort -V | tail -1)
-
-if [[ -z "$LATEST_OPEN_MODULE_VERSION" ]]; then
-  echo "ERROR: Could not determine NVIDIA open module version from repo"
-  exit 1
-fi
-echo "Latest open kmod version in repo: ${LATEST_OPEN_MODULE_VERSION}"
-
-if [[ -n "$skip_grid_driver" ]]; then
-  # No GRID driver available in this region, use open module version directly
-  NVIDIA_DRIVER_FULL_VERSION="$LATEST_OPEN_MODULE_VERSION"
-else
-  # Use the lower version to ensure both sources can provide it
-  NVIDIA_DRIVER_FULL_VERSION=$(printf '%s\n%s\n' "$LATEST_GRID_DRIVER_VERSION" "$LATEST_OPEN_MODULE_VERSION" | sort -V | head -1)
-fi
-
-echo "Selected NVIDIA driver version: ${NVIDIA_DRIVER_FULL_VERSION}"
-
 ### Kernel Module Archive Functions ###
 # These functions pre-compile and archive different NVIDIA driver variants
 # This allows runtime switching between proprietary, open-source, and GRID drivers

scripts/al2023/gpu/nvidia-kmod-load.sh

@@ -16,6 +16,7 @@ readonly NVIDIA_GRID_SUBDEVICES=(
 )
 readonly NVIDIA_PROPRIETARY_SUBDEVICES=(
   "1db1:1212" # P3 instances
+  "1db5:1249" # P3dn instances
   "13f2:113a" # G3 instances
 )
 

scripts/check-update-security.sh

@@ -139,13 +139,29 @@ instance_id=$(aws ec2 run-instances \
     --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value='$platform-check-update-security'}]' |
     jq -r '.Instances[0].InstanceId')
 
+# Read pinned major version for AL2023 GPU filtering
+pinned_major=""
+if [ "$platform" = "al2023_gpu" ]; then
+    pinned_major=$(sed -n '/variable "nvidia_driver_major_al2023" {/,/}/p' variables.pkr.hcl | grep "default" | awk -F '"' '{ print $2 }')
+    if [ -z "$pinned_major" ]; then
+        echo "ERROR: Could not read nvidia_driver_major_al2023 from variables.pkr.hcl"
+        exit 1
+    fi
+fi
+
 # check-update based on platform
 if [[ $platform == al2023* ]]; then
     check_upgrade_options="--sec-severity Critical --exclude=$EXCLUDE_SEC_UPDATES_PKGS"
     if [[ $platform == *gpu ]]; then
-        check_upgrade_options="nvidia-driver-cuda"
+        # dnf check-upgrade only reports the single latest version across all majors,
+        # so it can't detect updates within a pinned major. Instead, query the installed
+        # version and the latest available within the pinned major, then compare locally.
+        gpu_cmd_installed="dnf repoquery --installed --arch=x86_64 --queryformat '%{version}' nvidia-driver-cuda"
+        gpu_cmd_latest="dnf repoquery --disableplugin=versionlock --arch=x86_64 --queryformat '%{version}' nvidia-driver-cuda | grep '^${pinned_major}[.]' | sort -V | tail -1"
+        command_params="commands=[\"echo INSTALLED=\$(${gpu_cmd_installed})\",\"echo LATEST=\$(${gpu_cmd_latest})\"]"
+    else
+        command_params="commands=[\"dnf --refresh check-upgrade --releasever=latest --disableplugin=versionlock $check_upgrade_options -q\"]"
     fi
-    command_params="commands=[\"dnf --refresh check-upgrade --releasever=latest --disableplugin=versionlock $check_upgrade_options -q\"]"
 elif [ "$platform" = "al2_gpu" ]; then
     # The amzn2-nvidia repository does not provide updateinfo metadata (updateinfo.xml),
     # which YUM relies on to classify updates as security-related. The --security flag
@@ -229,6 +245,55 @@ std_output=$(echo "$cmd_output" | jq -r '.StandardOutputContent')
 # Delete the instance
 terminate_out=$(aws ec2 terminate-instances --instance-ids $instance_id)
 
+# AL2023 GPU uses repoquery instead of check-upgrade, handle separately
+if [ "$platform" = "al2023_gpu" ]; then
+    if [ "$cmd_response_code" -ne "$SUCCESS_CODE" ]; then
+        echo "Unknown issue with the command execution"
+        exit 1
+    fi
+
+    installed_version=$(echo "$std_output" | grep "^INSTALLED=" | cut -d'=' -f2)
+    latest_repo_version=$(echo "$std_output" | grep "^LATEST=" | cut -d'=' -f2)
+
+    if [ -z "$installed_version" ] || [ -z "$latest_repo_version" ]; then
+        echo "ERROR: Could not determine installed or latest NVIDIA driver version"
+        exit 1
+    fi
+
+    # Compare installed vs latest within pinned major
+    newer=$(printf '%s\n%s' "$installed_version" "$latest_repo_version" | sort -V | tail -1)
+    if [ "$newer" = "$installed_version" ]; then
+        echo "false"
+        exit 0
+    fi
+
+    # The AMI build installs min(repo, S3 GRID .run), so check the GRID bucket
+    # to determine the actual version that would be installed.
+    grid_driver_version=$(aws s3 ls --recursive s3://ec2-linux-nvidia-drivers/ --no-sign-request |
+        grep -Eo "(NVIDIA-Linux-x86_64-)[0-9]+\.[0-9]+\.[0-9]+(-grid-aws\.run)" |
+        cut -d'-' -f4 |
+        grep "^${pinned_major}\." |
+        sort -V |
+        tail -1)
+    if [ -z "$grid_driver_version" ]; then
+        echo "ERROR: Could not determine NVIDIA GRID driver version from S3 for major ${pinned_major}"
+        exit 1
+    fi
+
+    # Use min(repo, GRID) as the effective version, same as the install script
+    effective_version=$(printf '%s\n%s' "$latest_repo_version" "$grid_driver_version" | sort -V | head -1)
+
+    # Only trigger a release if the effective version is newer than installed
+    newer=$(printf '%s\n%s' "$installed_version" "$effective_version" | sort -V | tail -1)
+    if [ "$newer" = "$installed_version" ]; then
+        echo "false"
+        exit 0
+    fi
+
+    echo "true $effective_version"
+    exit 0
+fi
+
 # Return whether update is necessary
 if [ "$cmd_response_code" -eq "$UPDATE_EXISTS_CODE" ]; then
     if [ "$platform" = "al2_gpu" ]; then
@@ -259,20 +324,9 @@ if [ "$cmd_response_code" -eq "$UPDATE_EXISTS_CODE" ]; then
             ;;
         esac
     elif [ "$platform" = "al2023_gpu" ]; then
-        nvidia_driver_version=$(echo "$std_output" | grep "nvidia-driver-cuda" | awk '{print $2}' | cut -d'-' -f1 | sed 's/^[0-9]://')
-        # The AMI build pins to min(repo, S3 GRID .run) so all three driver
-        # variants can be built at the same version. Mirror that logic here.
-        grid_driver_version=$(aws s3 ls --recursive s3://ec2-linux-nvidia-drivers/ --no-sign-request |
-            grep -Eo "(NVIDIA-Linux-x86_64-)[0-9]+\.[0-9]+\.[0-9]+(-grid-aws\.run)" |
-            cut -d'-' -f4 |
-            sort -V |
-            tail -1)
-        if [ -z "$grid_driver_version" ]; then
-            echo "ERROR: Could not determine NVIDIA GRID driver version from S3"
-            exit 1
-        fi
-        nvidia_driver_version=$(printf '%s\n%s\n' "$nvidia_driver_version" "$grid_driver_version" | sort -V | head -1)
-        echo "true $nvidia_driver_version"
+        # This path should not be reached; al2023_gpu is handled above via repoquery
+        echo "ERROR: Unexpected al2023_gpu in check-upgrade result path"
+        exit 1
     else
         echo "true"
     fi

variables.pkr.hcl

@@ -258,3 +258,9 @@ variable "custom_endpoint_ec2" {
   description = "Custom EC2 endpoint to use for building AMIs"
   default     = ""
 }
+
+variable "nvidia_driver_major_al2023" {
+  type        = string
+  description = "Pinned NVIDIA driver major version for AL2023 GPU AMIs. Only driver versions within this major will be installed."
+  default     = "580"
+}