Skip to main content
NVIDIA container runtime packages belong on the host, not inside the image.

Description

Detects RUN instructions that install NVIDIA Container Toolkit host-side packages (nvidia-container-toolkit, nvidia-docker2, libnvidia-container*) inside the container image via a package manager (apt, apt-get, yum, dnf, microdnf, apk). These packages are part of the NVIDIA Container Toolkit, which hooks into the container runtime on the host to expose GPUs to containers. Installing them inside the image does not make the image GPU-enabled, wastes image layers, and can mask the real requirement: that the host or cluster runtime must have the toolkit configured.

Why this matters

  • Wrong layer — the toolkit runs on the host/node, not in the container
  • Does not enable GPU access — GPU device injection is handled by the container runtime (e.g., nvidia-container-runtime, CDI), not by packages inside the image
  • Bloats the image — the toolkit pulls in host-specific libraries that serve no purpose in the container filesystem
  • Hides requirements — a working GPU setup depends on the host runtime configuration, not on image contents

Examples

Violation

No violation

Matched packages

Configuration

This rule has no rule-specific options.

References