agent: add support for guest-hooks#365
agent: add support for guest-hooks#365eguzman3 wants to merge 1 commit intokata-containers:masterfrom
Conversation
Blocked on (kata-containers/agent#365), will need to revendor.
621bbf8 to
289e877
Compare
Adds support for running OCI hooks within the guest. A 'drop-in' path (guest_hook_path) is specified in the cli configuration file and if set, the agent will look for OCI hooks in this directory and inject them into the container life cycle. Fixes kata-containers#348 Signed-off-by: Edward Guzman <eguzman@nvidia.com>
289e877 to
0a6b119
Compare
Blocked on (kata-containers/agent#365), will need to revendor.
bergwolf
left a comment
There was a problem hiding this comment.
@eguzman3 Thanks for the updates. It looks mostly good. I only have one comment inline.
Another question, since you are relying on the rootfs layout, is there a matching osbuilder PR that allows you to build a rootfs with customized hooks? Or do you simply add the hooks by hand between the rootfs creation and image creation steps? I'm asking because we might want to test this infrastructure by adding a simple hook and making sure it executes in CI, so that we can make sure the special use case is not broken by some future change.
| a.sandbox.guestHooksPresent = false | ||
|
|
||
| if req.GuestHookPath != "" { | ||
| a.sandbox.scanGuestHooks(req.GuestHookPath) |
There was a problem hiding this comment.
So it is silently ignored if the path doesn't exist or if there are no hooks in the hook path, which is mostly because a user have installed a wrong rootfs image. I wonder if you want to return failure here since otherwise users have no idea if the hooks are executed or not unless they somehow check it in their container. OTOH, if you return failure here, such errors can be found early when creating the sandbox.
There was a problem hiding this comment.
Another question, since you are relying on the rootfs layout, is there a matching osbuilder PR that allows you to build a rootfs with customized hooks? Or do you simply add the hooks by hand between the rootfs creation and image creation steps?
Currently I am using scripts to add the hooks and other files needed for my use case between rootfs and image creation.
I wonder if you want to return failure here since otherwise users have no idea if the hooks are executed or not unless they somehow check it in their container.
What about the case where a user wants to swap between images (some with hooks, some without) without having to change the configuration option?
There was a problem hiding this comment.
I agree with @bergwolf - if a user switches images, I'd say they should expect to have to update the config if one has hooks and the other doesn't.
As an absolute minimum, can you add a log call showing if the user requested hooks or not (if GuestHookPath is set or not we should log something).
I do wonder if we want to add either a second bool field in the proto file (bool require_hooks = n), or maybe even a kernel cmdline option for the agent to consume (the former is cleaner though):
That way, the agent can clearly establish whether the user wants hooks or not allowing the value (and validity) of GuestHookPath to be more clearly determined.
There was a problem hiding this comment.
I suggest we log this call for now. I was thinking if we would want to support using a different rootfs for different pods in the future similar to how we support different kernels for k8s @bergwolf @jodh-intel
There was a problem hiding this comment.
@amshinde In that case, I think the GuestHookPath config should also be passed by spec (e.g., through labels or annotations).
@eguzman3 I would prefer a fail-early strategy to let users know that they have pointed to a wrong rootfs image. For your mentioned use case, right now users have to remove GuestHookPath if they switch to a rootfs image w/o hooks. In future we might support to specify all kata configs through labels or annotations, and then there is no dependency on a fixed cli configuration and each pod can be customized.
There was a problem hiding this comment.
| } | ||
|
|
||
| // ChangeToBundlePath changes the cwd to the bundle path defined in the OCI spec | ||
| func ChangeToBundlePath(spec *specs.Spec) (string, error) { |
There was a problem hiding this comment.
These utils functions might be better to move out from grpc package.
You know, this package can be vendored later to kata-runtime, because kata-runtime will be client and communicate with kata-agent via GRPC protocol, they share same GRPC protocol definitions.
So if these functions do no help to runtime, which means it can't help kata-runtime do GRPC client operations, it might be better to move out from this package.
| } | ||
|
|
||
| defer f.Close() | ||
| err = json.NewEncoder(f).Encode(&spec) |
There was a problem hiding this comment.
Question: spec is already a pointer, why need &spec here?
|
|
||
| // FindHooks searches guestHookPath for any OCI hooks for a given hookType | ||
| func FindHooks(guestHookPath, hookType string) (hooksFound []specs.Hook) { | ||
| hooksPath := path.Join(guestHookPath, hookType) |
There was a problem hiding this comment.
So prestart hook will be in guestHookPath/prestart and poststart hook will be in guestHookPath/poststart,
and guestHookPath is specified by kata-runtime cli configuration, right?
I think we need some documents to teach user, we can't expect user can find this hidden advanced feature.
There was a problem hiding this comment.
I agree, but I feel this should be documented in the configuration.toml template, so in the PR against kata-containers/runtime. Do you agree?
|
This implementation looks good, but there's one missing part is that we can't specify arguments for each hook, I can't be sure that if there will be any requirements for this regarding to some unknown scenarios. |
jodh-intel
left a comment
There was a problem hiding this comment.
Thanks @eguzman3 - This is getting close now! 😄 Just a few comments remaining. As they show, we do need to make sure it is really easy to determine whether:
- hooks were enabled.
- the agent found hooks in the requested location.
- the hooks were valid.
- the hooks were usable.
- the hooks ran.
|
|
||
| // FindHooks searches guestHookPath for any OCI hooks for a given hookType | ||
| func FindHooks(guestHookPath, hookType string) (hooksFound []specs.Hook) { | ||
| hooksPath := path.Join(guestHookPath, hookType) |
| return err | ||
| } | ||
|
|
||
| func isValidHook(file os.FileInfo) bool { |
There was a problem hiding this comment.
This is a nice clean function. However, I think it would be worth considering "polluting it" a bit with some log calls to help debug hook setup issues (basically a log call for every failure scenario).
| a.sandbox.guestHooksPresent = false | ||
|
|
||
| if req.GuestHookPath != "" { | ||
| a.sandbox.scanGuestHooks(req.GuestHookPath) |
There was a problem hiding this comment.
I agree with @bergwolf - if a user switches images, I'd say they should expect to have to update the config if one has hooks and the other doesn't.
As an absolute minimum, can you add a log call showing if the user requested hooks or not (if GuestHookPath is set or not we should log something).
I do wonder if we want to add either a second bool field in the proto file (bool require_hooks = n), or maybe even a kernel cmdline option for the agent to consume (the former is cleaner though):
That way, the agent can clearly establish whether the user wants hooks or not allowing the value (and validity) of GuestHookPath to be more clearly determined.
| } | ||
|
|
||
| defer f.Close() | ||
| err = json.NewEncoder(f).Encode(&spec) |
jodh-intel
left a comment
There was a problem hiding this comment.
Thanks @eguzman3 - This is getting close now! 😄 Just a few comments remaining. As they show, we do need to make sure it is really easy to determine whether:
- hooks were enabled.
- the agent found hooks in the requested location.
- the hooks were valid.
- the hooks were usable.
- the hooks ran.
|
Hi @eguzman3 - do you think you'll get a chance to look over the final review comments some time this week? As mentioned, this is very close now I think 😄 |
|
Ping @eguzman3 😄 |
|
@jodh-intel I will take over the patch since Edward finished his internship. Sorry for the delay! |
|
Hi @flx42 - no problem! Do let us know if we can help in any way. |
Adds support for running OCI hooks within the guest. A 'drop-in' path (guest_hook_path) is specified in the cli configuration file and if set, the agent will look for OCI hooks in this directory and inject them into the container life cycle. Fixes: kata-containers#348 Replaces: kata-containers#365 Co-authored-by: Edward Guzman <eguzman@nvidia.com> Co-authored-by: Felix Abecassis <fabecassis@nvidia.com> Signed-off-by: Edward Guzman <eguzman@nvidia.com> Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
Adds support for running OCI hooks within the guest. A 'drop-in' path (guest_hook_path) is specified in the cli configuration file and if set, the agent will look for OCI hooks in this directory and inject them into the container life cycle. Fixes: kata-containers#348 Replaces: kata-containers#365 Co-authored-by: Edward Guzman <eguzman@nvidia.com> Co-authored-by: Felix Abecassis <fabecassis@nvidia.com> Signed-off-by: Edward Guzman <eguzman@nvidia.com> Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
|
This one is superseded by #393 , so I'll mark it as DNM so we don't try to review or accidentally merge it ;-) |
|
Closing this PR, as it has been superseded by #393. |
|
Nudging the CIs that failed. One is due to the nested glitch. The other had what look like maybe real errors (but anything doing |
Adds support for running OCI hooks within the guest. A 'drop-in' path (guest_hook_path) is specified in the cli configuration file and if set, the agent will look for OCI hooks in this directory and inject them into the container life cycle. Fixes: kata-containers#348 Replaces: kata-containers#365 Co-authored-by: Edward Guzman <eguzman@nvidia.com> Co-authored-by: Felix Abecassis <fabecassis@nvidia.com> Signed-off-by: Edward Guzman <eguzman@nvidia.com> Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
Adds support for running OCI hooks within the guest.
A 'drop-in' path (guest_hook_path) is specified in
the cli configuration file and if set, the agent will
look for OCI hooks in this directory and inject them
into the container life cycle.
Old Discussion: #346, #347
Runtime Change: kata-containers/runtime#720
Fixes #348
Signed-off-by: Edward Guzman eguzman@nvidia.com