runc vs crun: different behavior when poststart hook fails and poststop hook creates a file

[eriksjolund]

1. Create hooks dir

   mkdir $HOME/hooks.d
   

2. Create policy file $HOME/hooks.d/foobar1.json containing

   {
     "version": "1.0.0",
     "hook": {
       "path": "/bin/false"
     },
     "when": {
       "annotations": {
       "^myannotation$": "yes"
       }
     },
     "stages": ["poststart"]
   }
   

3. Create policy file $HOME/hooks.d/foobar2.json containing

   {
     "version": "1.0.0",
     "hook": {
       "path": "/bin/touch",
       "args": ["/bin/touch", "/tmp/poststop-created"]
     },
     "when": {
       "annotations": {
       "^myannotation$": "yes"
       }
     },
     "stages": ["poststop"]
   }
   

4. Create file $HOME/test.bash containing

   #!/bin/bash
   set -o nounset
   runtime=$1
   podman \
     --runtime $runtime \
     --hooks-dir ~/hooks.d \
     run \
     --rm \
     --annotation myannotation=yes \
     docker.io/library/alpine \
     sh -c "sleep 1 && echo hello && sleep 1"
   

5. Test with crun

   $ ls -l /tmp/poststop-created
   ls: cannot access '/tmp/poststop-created': No such file or directory
   $ bash test.bash /tmp/crun/crun
   2026-03-14T08:25:31.178231Z: error executing hook `/bin/false` (exit code: 1)
   Error: `/tmp/crun/crun start a3035173b6311e002171be689725f2e63f23f31d4c329cf9e4b4cb38d76dc224` failed: exit status 1
   $ ls -l /tmp/poststop-created
   -rw-r--r--. 1 test test 0 Mar 14 09:25 /tmp/poststop-created
   $
   

   result: The file /tmp/poststop-created was created
6. Test with runc

   $ ls -l /tmp/poststop-created
   ls: cannot access '/tmp/poststop-created': No such file or directory
   $ bash test.bash runc
   Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: 
   $ ls -l /tmp/poststop-created
   ls: cannot access '/tmp/poststop-created': No such file or directory
   $
   

   result: The file /tmp/poststop-created was not created

discussion

It's interesting that crun and runc have different behaviour.
I don't know which behaviour is correct.

about the system

The executable /tmp/crun/crun was built from the git main branch (git commit: c07aadc)

runc version 1.4.0

podman version 5.8.0

test@fedora:~$ /tmp/crun/crun --version
crun version 1.26.0.0.0.146-c07a
commit: c07aadc344aacc867c1a334e5c0c1914da13365c
rundir: /run/user/1060/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
test@fedora:~$ podman --version
podman version 5.8.0
test@fedora:~$ runc --version
runc version 1.4.0
spec: 1.3.0
go: go1.25.4 X:nodwarf5
libseccomp: 2.6.0
test@fedora:~$ cat /etc/fedora-release 
Fedora release 43 (Forty Three)

[giuseppe]

from my understanding of the OCI specs, the poststop hooks must be called in this case, so the crun behavior is correct

[jnovy]

@eriksjolund runc skipping the poststop hooks in this scenario appears to be a spec compliance issue on runc's side. Do you mind filing issue on their side?

[eriksjolund]

Sure, I opened opencontainers/runc#5182