opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-04 21:55:24 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
podman/pkg/hooks
History
W. Trevor King f6a2b6bf2b hooks: Add pre-create hooks for runtime-config manipulation 
There's been a lot of discussion over in [1] about how to support the
NVIDIA folks and others who want to be able to create devices
(possibly after having loaded kernel modules) and bind userspace
libraries into the container.  Currently that's happening in the
middle of runc's create-time mount handling before the container
pivots to its new root directory with runc's incorrectly-timed
prestart hook trigger [2].  With this commit, we extend hooks with a
'precreate' stage to allow trusted parties to manipulate the config
JSON before calling the runtime's 'create'.

I'm recycling the existing Hook schema from pkg/hooks for this,
because we'll want Timeout for reliability and When to avoid the
expense of fork/exec when a given hook does not need to make config
changes [3].

[1]: https://github.com/opencontainers/runc/pull/1811
[2]: https://github.com/opencontainers/runc/issues/1710
[3]: https://github.com/containers/libpod/issues/1828#issuecomment-439888059

Signed-off-by: W. Trevor King <wking@tremily.us>
2019-01-08 21:06:17 -08:00
..
0.1.0
Change references to cri-o to point at new repository
2018-09-07 17:47:45 +00:00
1.0.0
Fix a bug with hook ALWAYS matching with a process
2018-08-22 11:48:43 +00:00
docs
hooks/docs: Fix 1.0.0 Nvidia example (adding version, etc.)
2018-06-04 13:01:56 +00:00
exec
hooks: Add pre-create hooks for runtime-config manipulation
2019-01-08 21:06:17 -08:00
hooks_test.go
switch projectatomic to containers
2018-08-16 17:12:36 +00:00
hooks.go
switch projectatomic to containers
2018-08-16 17:12:36 +00:00
monitor_test.go
hooks: Fix monitoring of multiple directories
2018-05-17 22:39:13 +00:00
monitor.go
hooks: Fix monitoring of multiple directories
2018-05-17 22:39:13 +00:00
read_test.go
switch projectatomic to containers
2018-08-16 17:12:36 +00:00
read.go
switch projectatomic to containers
2018-08-16 17:12:36 +00:00
README.md
hooks/README: Fix some Markdown typos (e.g. missing runc target)
2018-05-21 14:09:25 +00:00
version.go
pkg/hooks: Version the hook structure and add 1.0.0 hooks
2018-05-11 16:26:35 +00:00

README.md

OCI Hooks Configuration

For POSIX platforms, the OCI runtime configuration supports hooks for configuring custom actions related to the life cycle of the container. The way you enable the hooks above is by editing the OCI runtime configuration before running the OCI runtime (e.g. runc). CRI-O and podman create create the OCI configuration for you, and this documentation allows developers to configure them to set their intended hooks.

One problem with hooks is that the runtime actually stalls execution of the container before running the hooks and stalls completion of the container, until all hooks complete. This can cause some performance issues. Also a lot of hooks just check if certain configuration is set and then exit early, without doing anything. For example the oci-systemd-hook only executes if the command is init or systemd, otherwise it just exits. This means if we automatically enabled all hooks, every container would have to execute oci-systemd-hook, even if they don't run systemd inside of the container. Performance would also suffer if we exectuted each hook at each stage (pre-start, post-start, and post-stop).

The hooks configuration is documented in oci-hooks.5.