Filter already tracked directories from ldcache update

This change fixes the behavior where the order of precedence
of existing folders are changed because they are added to the
.conf file for ldconfig.

Signed-off-by: Evan Lezar <elezar@nvidia.com>

Author: elezar

internal/ldconfig/ldconfig.go

@@ -18,6 +18,7 @@
 package ldconfig
 
 import (
+	"bufio"
 	"fmt"
 	"os"
 	"os/exec"
@@ -75,21 +76,81 @@ func (l *Ldconfig) UpdateLDCache(directories ...string) error {
 		return err
 	}
 
+	// Explicitly specify using /etc/ld.so.conf since the host's ldconfig may
+	// be configured to use a different config file by default.
+	configFilePath := "/etc/ld.so.conf"
+	filteredDirectories, err := filterDirectories(configFilePath, directories...)
+	if err != nil {
+		return err
+	}
+
 	args := []string{
 		filepath.Base(ldconfigPath),
-		// Explicitly specify using /etc/ld.so.conf since the host's ldconfig may
-		// be configured to use a different config file by default.
-		"-f", "/etc/ld.so.conf",
+		"-f", configFilePath,
 		"-C", "/etc/ld.so.cache",
 	}
 
-	if err := createLdsoconfdFile(ldsoconfdFilenamePattern, directories...); err != nil {
+	if err := createLdsoconfdFile(ldsoconfdFilenamePattern, filteredDirectories...); err != nil {
 		return fmt.Errorf("failed to update ld.so.conf.d: %w", err)
 	}
 
 	return SafeExec(ldconfigPath, args, nil)
 }
 
+func filterDirectories(configFilePath string, directories ...string) ([]string, error) {
+	processedConfFiles := make(map[string]bool)
+	ldconfigFilenames := []string{configFilePath}
+
+	ldconfigDirs := make(map[string]string)
+	for len(ldconfigFilenames) > 0 {
+		ldconfigFilename := ldconfigFilenames[0]
+		ldconfigFilenames = ldconfigFilenames[1:]
+		if processedConfFiles[ldconfigFilename] {
+			continue
+		}
+		processedConfFiles[ldconfigFilename] = true
+
+		if len(ldconfigFilename) == 0 {
+			continue
+		}
+
+		ldsoconf, err := os.Open(ldconfigFilename)
+		if os.IsNotExist(err) {
+			continue
+		}
+		if err != nil {
+			return nil, err
+		}
+		defer ldsoconf.Close()
+
+		scanner := bufio.NewScanner(ldsoconf)
+		for scanner.Scan() {
+			line := strings.TrimSpace(scanner.Text())
+			switch {
+			case strings.HasPrefix(line, "#") || len(line) == 0:
+				continue
+			case strings.HasPrefix(line, "include "):
+				includes, err := filepath.Glob(strings.TrimPrefix(line, "include "))
+				if err != nil {
+					return nil, err
+				}
+				ldconfigFilenames = append(ldconfigFilenames, includes...)
+			default:
+				ldconfigDirs[line] = ldconfigFilename
+			}
+		}
+	}
+
+	var filtered []string
+	for _, d := range directories {
+		if _, ok := ldconfigDirs[d]; ok {
+			continue
+		}
+		filtered = append(filtered, d)
+	}
+	return filtered, nil
+}
+
 func (l *Ldconfig) prepareRoot() (string, error) {
 	// To prevent leaking the parent proc filesystem, we create a new proc mount
 	// in the specified root.

internal/ldconfig/ldconfig_test.go

@@ -0,0 +1,123 @@
+/**
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package ldconfig
+
+import (
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestFilterDirectories(t *testing.T) {
+	const topLevelConf = "TOPLEVEL.conf"
+
+	testCases := []struct {
+		description string
+		confs       map[string]string // map[filename]content, must have topLevelConf key
+		input       []string
+		expected    []string
+	}{
+		{
+			description: "all filtered",
+			confs: map[string]string{
+				topLevelConf: `
+# some comment
+/tmp/libdir1
+/tmp/libdir2
+`,
+			},
+			input:    []string{"/tmp/libdir1", "/tmp/libdir2"},
+			expected: nil,
+		},
+		{
+			description: "partially filtered",
+			confs: map[string]string{
+				topLevelConf: `
+/tmp/libdir1
+`,
+			},
+			input:    []string{"/tmp/libdir1", "/tmp/libdir2"},
+			expected: []string{"/tmp/libdir2"},
+		},
+		{
+			description: "none filtered",
+			confs: map[string]string{
+				topLevelConf: `
+# empty config
+`,
+			},
+			input:    []string{"/tmp/libdir1", "/tmp/libdir2"},
+			expected: []string{"/tmp/libdir1", "/tmp/libdir2"},
+		},
+		{
+			description: "filter with include and comments",
+			confs: map[string]string{
+				topLevelConf: `
+# comment
+/tmp/libdir1
+include /nonexistent/pattern*
+`,
+			},
+			input:    []string{"/tmp/libdir1", "/tmp/libdir2"},
+			expected: []string{"/tmp/libdir2"},
+		},
+		{
+			description: "include directive picks up more dirs to filter",
+			confs: map[string]string{
+				topLevelConf: `
+# top-level
+include INCLUDED_PATTERN*
+/tmp/libdir3
+`,
+				"INCLUDED_PATTERN0.conf": `
+/tmp/libdir2
+# another comment
+/tmp/libdir4
+`,
+				"INCLUDED_PATTERN1.conf": `
+/tmp/libdir1
+`,
+			},
+			input:    []string{"/tmp/libdir1", "/tmp/libdir2", "/tmp/libdir3", "/tmp/libdir4", "/tmp/libdir5"},
+			expected: []string{"/tmp/libdir5"},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			tmpDir := t.TempDir()
+
+			// Prepare file contents, adjusting include globs to be absolute and unique within tmpDir
+			for name, content := range tc.confs {
+				if name == topLevelConf && len(tc.confs) > 1 {
+					content = strings.ReplaceAll(content, "include INCLUDED_PATTERN*", "include "+tmpDir+"/INCLUDED_PATTERN*")
+				}
+				err := os.WriteFile(tmpDir+"/"+name, []byte(content), 0600)
+				require.NoError(t, err)
+			}
+
+			topLevelConfPath := tmpDir + "/" + topLevelConf
+			filtered, err := filterDirectories(topLevelConfPath, tc.input...)
+
+			require.NoError(t, err)
+			require.Equal(t, tc.expected, filtered)
+		})
+	}
+}

tests/e2e/nvidia-container-toolkit_test.go

@@ -533,4 +533,31 @@ EOF`)
 			Expect(err).ToNot(HaveOccurred())
 		})
 	})
+
+	When("running a container an ubuntu container with specific ld.so.conf ordering", Ordered, func() {
+		var (
+			expectedOutput string
+		)
+		BeforeAll(func(ctx context.Context) {
+			_, _, err := runner.Run(`docker build -t libordering \
+            - <<EOF
+FROM ubuntu
+ENV NVIDIA_VISIBLE_DEVICES=all
+RUN mkdir -p /extra/lib
+RUN cp /usr/lib/$(uname -m)-linux-gnu/libc.so.? /extra/lib/
+RUN echo "/extra/lib" > /etc/ld.so.conf.d/00-xxx.conf
+RUN ldconfig
+EOF`)
+			Expect(err).ToNot(HaveOccurred())
+
+			expectedOutput, _, err = runner.Run(`docker run --rm --runtime=runc libordering bash -c "ldconfig -p | grep libc.so."`)
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("should not change the ordering of libraries", func(ctx context.Context) {
+			output, _, err := runner.Run(`docker run --rm --runtime=nvidia libordering bash -c "ldconfig -p | grep libc.so."`)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(output).To(Equal(expectedOutput))
+		})
+	})
 })