Skip to content

Nvidia

build-ublue

The purpose of these images is to provide community Fedora images with Nvidia drivers built-in. This approach can lead to greater reliability as failures can be caught at the build level instead of the client machine. This also allows for individual sets of images for each series of Nvidia drivers, allowing users to remain current with their OS but on an older, known working driver. Performance regression with a recent driver update? Reboot into a known-working driver after one command. That's the goal!

These images are based on the experimental ostree native container images hosted at quay.io (repo).

Note

This project is a work-in-progress. You should at a minimum be familiar with the Fedora documentation on how to administer an ostree system.

Core image features

Setup

1. Installation

Check the installation instructions for fresh installations. Use the images documentation for rebase instructions.

2. Set kargs after rebasing

Use this only if you are rebasing, fresh installations can skip this step. Setting kargs to disable nouveau and enabling nvidia early at boot is currently not supported within container builds. They must be set after rebasing:

rpm-ostree kargs \
    --append=rd.driver.blacklist=nouveau \
    --append=modprobe.blacklist=nouveau \
    --append=nvidia-drm.modeset=1

And then reboot one more time!

3. Enable Secure Boot support

IMPORTANT NOTE:

On June 17, 00:00 UTC, we changed the key used to sign nvidia kernel modules. If your nvidia kernel modules are not loading, you need to import the new key.

Secure Boot support for the nvidia kernel modules can be enabled by enrolling the signing key:

sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der

Alternatively, the key can be enrolled from within this repo:

sudo mokutil --import ./certs/public_key.der

Rolling back and rebasing

Generally you can perform a rollback with the following:

rpm-ostree rollback

To rebase onto a specific date, use a date tag:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/silverblue-nvidia:20230720

Or to rebase onto a specific release, driver, and date:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/silverblue-nvidia:38-535-20230720

More options for image tags can be found on the container catalog.

Support

Note

The Fedora release and Nvidia version can be set with the image tag as well (see table below). Some older Nvidia cards (GTX 700 series or older) REQUIRE Driver version 470.

535xx series (latest, best supported) 530xx series (deprecated) 470xx series (Kepler 2012-2014 support)
F37 :37 / :37-535 / :37-current :37-470
F38 :latest / :38 / :38-535 / :38-current :38-530 :38-470

Driver Support Subject to Change

  • Drivers are provided by Nvidia and packaged by RPMFusion, therefore we cannot make any guarantees on support outside of the support these two organizations provide.
  • Due to the nature of third party kernel modules, support for older versions is best effort.
  • It is strongly encouraged for you to subscribe to the Nvidia driver announcements section of the forums to keep up with the latest changes and news.

TL;DR:

We do the best we can but sometimes need to drop support depending on what's going with Nvidia, RPMFusion, Fedora, and/or the Linux kernel.

Verification

These images are signed with sigstore's cosign. You can verify the signature by downloading the cosign.pub key from this repo and running the following command:

cosign verify --key cosign.pub ghcr.io/ublue-os/silverblue-nvidia

If you're forking this repo you should read the docs on keeping secrets in github. You need to generate a new keypair with cosign. The public key can be in your public repo (your users need it to check the signatures), and you can paste the private key in Settings -> Secrets -> Actions with the name SIGNING_SECRET.

Building locally

  1. Build container

    A container build can be invoked by simply running:

    podman build \
        --file build.Containerfile \
        --tag build-test:latest
    podman build \
        --file install.Containerfile \
        --tag install-test:latest
    

    Or, to specify the version of Fedora and/or Nvidia driver, run:

    podman build \
        --build-arg IMAGE_NAME=silverblue \
        --build-arg FEDORA_MAJOR_VERSION=37 \
        --build-arg NVIDIA_MAJOR_VERSION=525 \
        --file build.Containerfile \
        --tag build-test:37-525
    
    podman build \
        --build-arg IMAGE_NAME=silverblue \
        --build-arg FEDORA_MAJOR_VERSION=37 \
        --build-arg NVIDIA_MAJOR_VERSION=525 \
        --build-arg AKMODS_CACHE=build-test \
        --build-arg AKMODS_VERSION=37 \
        --file install.Containerfile \
        --tag build-test:latest
    
  2. Generate signing keys

    If you are forking this repo, then you should add a private key to the repository secrets:

    ./generate-akmod-key
    gh secret set AKMOD_PRIVKEY < certs/private_key.priv.prod
    cp certs/public_key.der.prod certs/public_key.der
    

Using Nvidia GPUs in containers

There is support for enabling Nvidia GPUs in containers. This can can be verified by running the following:

podman run \
    --user 1000:1000 \
    --security-opt=no-new-privileges \
    --cap-drop=ALL \
    --security-opt label=type:nvidia_container_t  \
    docker.io/mirrorgooglecontainers/cuda-vector-add:v0.1

Video playback

Additional runtime packages are added for enabling hardware-accelerated video playback. This can the enabled in Firefox (RPM or flatpak) by setting the following options to true in about:config:

  • gfx.webrender.all
  • media.ffmpeg.vaapi.enabled
  • widget.dmabuf.force-enabled

Extensive host access and reduced sand-boxing is needed for Firefox flatpak to use /usr/lib64/dri/nvidia_drv_video.so:

flatpak override \
    --user \
    --filesystem=host-os \
    --env=LIBVA_DRIVER_NAME=nvidia \
    --env=LIBVA_DRIVERS_PATH=/run/host/usr/lib64/dri \
    --env=LIBVA_MESSAGING_LEVEL=1 \
    --env=MOZ_DISABLE_RDD_SANDBOX=1 \
    --env=NVD_BACKEND=direct \
    --env=MOZ_ENABLE_WAYLAND=1 \
    org.mozilla.firefox

Acknowledgements

Thanks to Alex Diaz for advice, and who got this working first, check out this repo:

Contributor Metrics

Nvidia