CUDA packages are already provided by the nvidia/cuda base image.

| Property | Value |
|----------|-------|
| Severity | Warning |
| Category | Correctness |
| Default | Enabled |
| Auto-fix | No |

Description

Detects RUN instructions that install CUDA userspace packages via a package manager (apt, apt-get, yum, dnf, microdnf, apk) in stages that already inherit from nvidia/cuda:*. The rule is flavor-aware: it parses the image tag to determine the variant (base, runtime, or devel) and only flags packages that the variant already includes. For example, installing cuda-toolkit on a runtime image is legitimate (runtime does not include the toolkit), but installing cuda-runtime on a runtime image is redundant.

Why this matters

  • Redundant work — the base image already provides the CUDA stack for the selected variant
  • Version drift — the package manager may install a different CUDA version than the one baked into the base image, causing subtle incompatibilities
  • Image bloat — duplicate CUDA libraries waste space in the image layers
  • Maintenance burden — two sources of truth for the CUDA version make upgrades harder

Examples

Violation

# devel includes the full toolkit -- reinstalling is redundant
FROM nvidia/cuda:12.2.0-devel-ubuntu22.04
RUN apt-get update && apt-get install -y cuda-toolkit

# cudnn tag already includes cuDNN -- reinstalling is redundant
FROM nvidia/cuda:12.2.0-cudnn-devel-ubuntu22.04
RUN apt-get update && apt-get install -y libcudnn8

# runtime includes cuda-runtime -- reinstalling is redundant
FROM nvidia/cuda:12.2.0-runtime-centos7
RUN yum install -y cuda-runtime-12-2

No violation

# runtime does NOT include the toolkit -- this install is legitimate
FROM nvidia/cuda:12.2.0-runtime-ubuntu22.04
RUN apt-get update && apt-get install -y cuda-toolkit

# nvidia/cuda base with application packages only
FROM nvidia/cuda:12.2.0-runtime-ubuntu22.04
RUN apt-get update && apt-get install -y python3 python3-pip

# Non-nvidia/cuda base -- intentional CUDA install is not flagged
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y nvidia-cuda-toolkit

Flavor-aware matching

The rule maps packages to the nvidia/cuda image variant that includes them:

| Package | Included in | Match type |
|---------|-------------|------------|
| cuda, cuda-runtime | base, runtime, devel | Exact |
| cuda-runtime-*, cuda-compat-* | base, runtime, devel | Prefix |
| cuda-libraries, cuda-libraries-* | runtime, devel | Exact/Prefix |
| nvidia-cuda-toolkit, cuda-toolkit, cuda-nvcc | devel | Exact |
| cuda-toolkit-*, cuda-nvcc-* | devel | Prefix |
| libcudnn* | cudnn tags only | Prefix |

TensorRT packages (tensorrt*) are never flagged because standard nvidia/cuda tags do not include TensorRT. When the tag cannot be parsed (e.g., digest-only or ARG-based), the rule defaults to devel to avoid false positives.

Applicability

This rule only fires on stages where the base image is nvidia/cuda:* (or docker.io/nvidia/cuda:*). It does not fire on:
  • Stages with a non-NVIDIA base image (e.g., ubuntu:22.04)
  • Stages using other NVIDIA images (e.g., nvcr.io/nvidia/pytorch:*, nvidia/cudagl:*)
  • Stages that reference another build stage (FROM builder)
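
The flavor-aware matching table and the applicability rules above, sketched as an added Python example (not the rule's own implementation). The names parse_flavor, redundant_packages and INCLUDED_IN are hypothetical, and treating cuDNN as absent when the tag cannot be parsed is an assumption the page does not state.

```python
import re
from fnmatch import fnmatchcase

ALL, RT_UP, DEVEL = {"base", "runtime", "devel"}, {"runtime", "devel"}, {"devel"}

# Package table from the page; "*" patterns are prefix matches, others exact.
INCLUDED_IN = [
    ("cuda", ALL), ("cuda-runtime", ALL),
    ("cuda-runtime-*", ALL), ("cuda-compat-*", ALL),
    ("cuda-libraries", RT_UP), ("cuda-libraries-*", RT_UP),
    ("nvidia-cuda-toolkit", DEVEL), ("cuda-toolkit", DEVEL), ("cuda-nvcc", DEVEL),
    ("cuda-toolkit-*", DEVEL), ("cuda-nvcc-*", DEVEL),
]

# Matches nvidia/cuda or docker.io/nvidia/cuda with an optional tag and digest.
IMAGE_RE = re.compile(r"(?:docker\.io/)?nvidia/cuda(?::([^@]+))?(?:@.+)?")


def parse_flavor(image):
    """Return (variant, has_cudnn), or None when the rule does not apply."""
    m = IMAGE_RE.fullmatch(image)
    if m is None:  # other base image, other NVIDIA image, or a stage name
        return None
    tokens = (m.group(1) or "").split("-")
    variant = next((t for t in tokens if t in ALL), None)
    if variant is None:  # digest-only or ARG-based tag: page says default to devel
        return "devel", False  # assumption: cuDNN treated as absent here
    return variant, any(t.startswith("cudnn") for t in tokens)


def redundant_packages(image, packages):
    """List the packages that the base image variant already provides."""
    flavor = parse_flavor(image)
    if flavor is None:
        return []
    variant, has_cudnn = flavor
    flagged = []
    for pkg in packages:
        if pkg.startswith("libcudnn"):  # only redundant on cudnn tags
            if has_cudnn:
                flagged.append(pkg)
        elif any(fnmatchcase(pkg, pat) and variant in variants
                 for pat, variants in INCLUDED_IN):
            flagged.append(pkg)
    return flagged
```

TensorRT packages fall through unflagged because no pattern in the table matches them, which mirrors the behavior described for tensorrt*.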

Configuration

This rule has no rule-specific options.

[rules.tally."gpu/no-redundant-cuda-install"]
severity = "warning"
