agent: add support for custom OCI hooks inside guest #347
eguzman3 wants to merge 1 commit into kata-containers:master from
14ac102 to af39f5e
Codecov Report
@@ Coverage Diff @@
## master #347 +/- ##
==========================================
- Coverage 47.21% 44.05% -3.17%
==========================================
Files 15 15
Lines 2442 2454 +12
==========================================
- Hits 1153 1081 -72
- Misses 1140 1228 +88
+ Partials 149 145 -4

Who will put the hooks into /usr/share/oci/hooks/?

@eguzman3 Same question as @caoruidong. Can you explain in your commit how these hooks are placed in the said location as well as the use case you are trying to solve that makes it necessary to run hooks in the guest?

@caoruidong @amshinde These hooks are intended to be executed on the guest and are separate from those executed on the host. I am assuming the hooks will be added to that directory at the time of rootfs image creation. The use case for this is trying to leverage this existing OCI hook: https://github.com/NVIDIA/nvidia-container-runtime

Just chiming in to point out that this drop-in hook mechanism was inspired by what Project Atomic's fork of Docker is doing: As @eguzman3 said, we want to ship one or multiple pre-start hooks in our guest rootfs.
af39f5e to c45ee4a

@eguzman3 Could you combine your two PRs into one? I see that they already share some common changes. They are in fact adding the same functionality to the agent. There is no need to separate them. Within one PR, you can still have multiple commits.
| return nil | ||
| } | ||
|
|
||
| func finishCreateContainer(a *agentGRPC, ctr *container, req *pb.CreateContainerRequest, config *configs.Config) (resp *gpb.Empty, err error) { |
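Review bot: `finishCreateContainer` on the last line of this hunk has no doc comment, and its named results `resp` and `err` are easy to shadow with `:=` inside the body. Add a comment saying which part of container creation it completes and what the caller has to clean up when it returns an error, and consider unnamed results unless a deferred function needs to read `err`.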
The same function is also added in #346. Please try to combine your two PRs and apply the two commits one on top of the other.
grpc.go
Outdated
| NoPivotRoot: a.sandbox.noPivotRoot, | ||
| }) | ||
| // Add any custom OCI hooks to the spec | ||
| err = addHooks(ociSpec) |
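Review bot: the `err` assigned from `addHooks(ociSpec)` on the last line is not checked anywhere in the visible lines. Return it straight after the call so that a hook that cannot be loaded fails container creation instead of the container starting without it, and extend the comment above the call to name the directory the hooks come from and to state that they run inside the guest.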
The hooks are static afaics. So it is more efficient to just scan once during agent startup, and do the OCI spec/hook dance only when there are real hooks to add.
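The review suggestion above (scan the drop-in directory once at agent startup and touch the spec only when hooks exist), shown as an added example that is not code from this PR or from the kata agent. `Hook`, `scanHooks` and `addCached` are hypothetical names, and the permission filter is an assumption added here, not something the PR is shown to do.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Hook is a hypothetical stand-in for the OCI runtime-spec hook entry.
type Hook struct {
	Path string
}

// scanHooks lists dir once; a missing directory simply means "no hooks".
func scanHooks(dir string) ([]Hook, error) {
	entries, err := os.ReadDir(dir) // sorted by name, so hook order is stable
	if os.IsNotExist(err) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	var hooks []Hook
	for _, e := range entries {
		p := filepath.Join(dir, e.Name())
		fi, err := os.Lstat(p) // Lstat: a symlink is judged as a symlink, not its target
		if err != nil {
			return nil, err
		}
		mode := fi.Mode()
		// Keep regular, executable files that group/others cannot rewrite.
		if !mode.IsRegular() || mode.Perm()&0o111 == 0 || mode.Perm()&0o022 != 0 {
			continue
		}
		hooks = append(hooks, Hook{Path: p})
	}
	return hooks, nil
}

// addCached appends the startup-time result and reports whether the spec changed.
func addCached(prestart, cached []Hook) ([]Hook, bool) {
	if len(cached) == 0 {
		return prestart, false
	}
	return append(prestart, cached...), true
}

func main() {
	fmt.Println(scanHooks("/usr/share/oci/hooks")) // path from the commit message
}
```
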
c45ee4a to d0e1d48
In order to allow OCI hooks to be executed during the lifecycle of the container inside the guest, the path "/usr/share/oci/hooks/" has been designated to allow for 'drop-in' hooks.
Signed-off-by: Edward Guzman <eguzman@nvidia.com>