Update NVIDIA signing key for package repos

See https://developer.nvidia.com/blog/updating-the-cuda-linux-gpg-repository-key/ for details on the key changes. This commit: - Removes the nvidia-ml repo, which is deprecated and will not be updated - Updates the nvidia_cuda and nvidia_dcgm roles to use the new key and install workflow - Updates roles/requirements.txt to point to an updated version of nvidia.nvidia_driver
NVIDIA · May 2, 2022 · 5d9c75c · 5d9c75c
1 parent b6b4ea2
commit 5d9c75c
Show file tree

Hide file tree

Showing 13 changed files with 33 additions and 134 deletions.
diff --git a/playbooks/nvidia-software/nvidia-ml.yml b/playbooks/nvidia-software/nvidia-ml.yml
diff --git a/roles/nvidia-ml/defaults/main.yml b/roles/nvidia-ml/defaults/main.yml
diff --git a/roles/nvidia-ml/tasks/main.yml b/roles/nvidia-ml/tasks/main.yml
diff --git a/roles/nvidia-ml/tasks/redhat-pre-install.yml b/roles/nvidia-ml/tasks/redhat-pre-install.yml
diff --git a/roles/nvidia-ml/tasks/ubuntu-pre-install.yml b/roles/nvidia-ml/tasks/ubuntu-pre-install.yml
diff --git a/roles/nvidia-ml/vars/main.yml b/roles/nvidia-ml/vars/main.yml
diff --git a/roles/nvidia_cuda/defaults/main.yml b/roles/nvidia_cuda/defaults/main.yml
@@ -21,9 +21,10 @@ cuda_toolkit_add_profile_script: yes
 epel_package: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
 epel_key_url: "https://getfedora.org/static/fedora.gpg"
 nvidia_driver_rhel_cuda_repo_baseurl: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _rhel_repo_dir }}/"
-nvidia_driver_rhel_cuda_repo_gpgkey: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _rhel_repo_dir }}/7fa2af80.pub"
+nvidia_driver_rhel_cuda_repo_gpgkey: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _rhel_repo_dir }}/D42D0685.pub"
 
 # Ubuntu
-nvidia_driver_ubuntu_cuda_repo_gpgkey_url: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _ubuntu_repo_dir }}/7fa2af80.pub"
-nvidia_driver_ubuntu_cuda_repo_gpgkey_id: "7fa2af80"
+old_nvidia_driver_ubuntu_cuda_repo_gpgkey_id: "7fa2af80"
 nvidia_driver_ubuntu_cuda_repo_baseurl: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _ubuntu_repo_dir }}"
+nvidia_driver_ubuntu_cuda_keyring_package: "cuda-keyring_1.0-1_all.deb"
+nvidia_driver_ubuntu_cuda_keyring_url: "{{ nvidia_driver_ubuntu_cuda_repo_baseurl }}/{{ nvidia_driver_ubuntu_cuda_keyring_package }}"
diff --git a/roles/nvidia_cuda/files/cuda-ubuntu.pin b/roles/nvidia_cuda/files/cuda-ubuntu.pin
diff --git a/roles/nvidia_cuda/tasks/install-ubuntu.yml b/roles/nvidia_cuda/tasks/install-ubuntu.yml
@@ -4,25 +4,22 @@
     repo: ppa:graphics-drivers/ppa
     state: absent
 
-- name: Ubuntu | add pin file
-  copy:
-    src: "cuda-ubuntu.pin"
-    dest: "/etc/apt/preferences.d/cuda-repository-pin-600"
-    owner: "root"
-    group: "root"
-    mode: "0644"
-
-- name: Ubuntu | add key
+- name: Ubuntu | ensure old key is absent
   apt_key:
-    url: "{{ nvidia_driver_ubuntu_cuda_repo_gpgkey_url }}"
-    id: "{{ nvidia_driver_ubuntu_cuda_repo_gpgkey_id }}"
+    id: "{{ old_nvidia_driver_ubuntu_cuda_repo_gpgkey_id }}"
+    state: "absent"
+
+- name: Ubuntu | install CUDA keyring
+  apt:
+    deb: "{{ nvidia_driver_ubuntu_cuda_keyring_url }}"
+    state: "present"
   environment: "{{ proxy_env if proxy_env is defined else {} }}"
 
-- name: Ubuntu | add CUDA repo
-  apt_repository:
-    repo: "deb {{ nvidia_driver_ubuntu_cuda_repo_baseurl }} /"
-    update_cache: yes
+- name: Ubuntu | force apt update
+  apt:
+    update_cache: true
   environment: "{{ proxy_env if proxy_env is defined else {} }}"
+  changed_when: false
 
 - name: Ubuntu | install cuda
   package:

diff --git a/roles/nvidia_dcgm/defaults/main.yml b/roles/nvidia_dcgm/defaults/main.yml
@@ -5,9 +5,10 @@ dcgm_pkg_name: "datacenter-gpu-manager"
 epel_package: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
 epel_key_url: "https://getfedora.org/static/fedora.gpg"
 nvidia_driver_rhel_cuda_repo_baseurl: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _rhel_repo_dir }}/"
-nvidia_driver_rhel_cuda_repo_gpgkey: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _rhel_repo_dir }}/7fa2af80.pub"
+nvidia_driver_rhel_cuda_repo_gpgkey: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _rhel_repo_dir }}/D42D0685.pub"
 
 # Ubuntu
-nvidia_driver_ubuntu_cuda_repo_gpgkey_url: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _ubuntu_repo_dir }}/7fa2af80.pub"
-nvidia_driver_ubuntu_cuda_repo_gpgkey_id: "7fa2af80"
+old_nvidia_driver_ubuntu_cuda_repo_gpgkey_id: "7fa2af80"
 nvidia_driver_ubuntu_cuda_repo_baseurl: "https://developer.download.nvidia.com/compute/cuda/repos/{{ _ubuntu_repo_dir }}"
+nvidia_driver_ubuntu_cuda_keyring_package: "cuda-keyring_1.0-1_all.deb"
+nvidia_driver_ubuntu_cuda_keyring_url: "{{ nvidia_driver_ubuntu_cuda_repo_baseurl }}/{{ nvidia_driver_ubuntu_cuda_keyring_package }}"
diff --git a/roles/nvidia_dcgm/files/cuda-ubuntu.pin b/roles/nvidia_dcgm/files/cuda-ubuntu.pin
diff --git a/roles/nvidia_dcgm/tasks/install-ubuntu.yml b/roles/nvidia_dcgm/tasks/install-ubuntu.yml
@@ -1,23 +1,20 @@
 ---
-- name: Ubuntu | add pin file
-  copy:
-    src: "cuda-ubuntu.pin"
-    dest: "/etc/apt/preferences.d/cuda-repository-pin-600"
-    owner: "root"
-    group: "root"
-    mode: "0644"
-
-- name: Ubuntu | add key
+- name: Ubuntu | remove old key
   apt_key:
-    url: "{{ nvidia_driver_ubuntu_cuda_repo_gpgkey_url }}"
-    id: "{{ nvidia_driver_ubuntu_cuda_repo_gpgkey_id }}"
+    id: "{{ old_nvidia_driver_ubuntu_cuda_repo_gpgkey_id }}"
+    state: "absent"
+
+- name: Ubuntu | install CUDA keyring
+  apt:
+    deb: "{{ nvidia_driver_ubuntu_cuda_keyring_url }}"
+    state: "present"
   environment: "{{ proxy_env if proxy_env is defined else {} }}"
 
-- name: Ubuntu | add CUDA repo
-  apt_repository:
-    repo: "deb {{ nvidia_driver_ubuntu_cuda_repo_baseurl }} /"
-    update_cache: yes
+- name: Ubuntu | force apt update
+  apt:
+    update_cache: true
   environment: "{{ proxy_env if proxy_env is defined else {} }}"
+  changed_when: false
 
 - name: Ubuntu | install package
   apt:

diff --git a/roles/requirements.yml b/roles/requirements.yml
@@ -30,7 +30,7 @@ roles:
   version: "v5.2.6"
 
 - src: nvidia.nvidia_driver
-  version: "v2.2.0"
+  version: "v2.2.1"
 
 - src: nvidia.nvidia_docker
   version: "v1.2.4"