Attached Networks are missing in "poststart" hook >= 28

[HESS-BEA]

Description

Hello all

Simple all, i wrote some magic which injects some stuff into the OCI Config that postStart hook is gonna be called.
In there i do some network magic within the container network namespace.

Until Version 28, when the Poststart got fired, every network interfaces were initalized, but beginning with 28, the network interfaces are just there after the container is started.

It seems to be wrong, because in every Spec. or Comment (also every AI) stands:

• postStart will have the initalized interfaces

https://specs.opencontainers.org/runtime-spec/config/?v=v1.0.2#poststart
https://specs.opencontainers.org/runtime-spec/runtime/?v=v1.0.2#lifecycle

I tried on my ubuntu VM the versions:

• 5:27.5.1-1 -> Working as expected
• 5:28.0.0-1 -> Not working, interfaces are missing in postStart

Regards
Benjamin

Reproduce

• Install package jq
• Working installation of python3
• Download the python script below somewhere (remember the path) runc-hooked.py
• Make it executable
• Modify the daemon.json to include our custom runtime

{
  "runtimes": {
    "runc-hooks": {
      "path": "/root/runc-hooked.py"
    }
  }
}

• Create a internal network

docker network create --driver bridge --internal buggy

• Run a dummy container with the network and custom runtime

docker run --rm --runtime runc-hooks --network buggy alpine:3.20 ip a s

With version above 28 the /tmp/hook.log will look like this

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

While the container executed will report

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if380: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether fe:99:f3:9c:fd:89 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever

Expected behavior

When called from poststart hook, executing ip a s in the containers namespace, the added interfaces are printed.

Version below 28 (used 27) works as expected.

docker version

Client: Docker Engine - Community
 Version:           28.4.0
 API version:       1.47 (downgraded from 1.51)
 Go version:        go1.24.7
 Git commit:        d8eb465
 Built:             Wed Sep  3 20:57:32 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.5.1
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.11
  Git commit:       4c9b3b0
  Built:            Wed Jan 22 13:41:48 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.28
  GitCommit:        b98a3aace656320842a23f4a392a33f46af97866
 runc:
  Version:          1.3.0
  GitCommit:        v1.3.0-0-g4ca628d1
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    28.4.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.28.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.39.4
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 27.5.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc runc-hooks
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b98a3aace656320842a23f4a392a33f46af97866
 runc version: v1.3.0-0-g4ca628d1
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-84-generic
 Operating System: Ubuntu 24.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 7.755GiB
 Name: linux
 ID: 694a72ee-694c-44d0-b82c-eb28570741a5
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

When you using ubuntu like me, you can easly switch between the version like that:

Version 27 (working)

sudo apt-get install -y docker-ce=5:27.5.1-1~ubuntu.24.04~noble docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin --allow-downgrades

Version 28 (not working)

sudo apt-get install -y docker-ce=5:28.0.0-1~ubuntu.24.04~noble docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin --allow-downgrades

PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo```

[HESS-BEA]

Added steps to reproduce

[robmry]

Hi @HESS-BEA - thank you for reporting this.

Until 28.0, network configuration happened in a "prestart" hook. Since 28.0, it happens after the task is created, before it's started - in the initializeCreatedTask call here ...

moby/daemon/start.go

Lines 227 to 248 in d4d93bf

	tsk, err := ctr.NewTask(context.WithoutCancel(ctx), // passing a cancelable ctx caused integration tests to be stuck in the cleanup phase
	checkpointDir, container.StreamConfig.Stdin() != nil || container.Config.Tty,
	container.InitializeStdio)
	if err != nil {
	return setExitCodeFromError(container.State.SetExitCode, err)
	}
	defer func() {
	if retErr != nil {
	if err := tsk.ForceDelete(context.WithoutCancel(ctx)); err != nil {
	log.G(ctx).WithError(err).WithField("container", container.ID).
	Error("failed to delete task after fail start")
	}
	}
	}()
	if err := daemon.initializeCreatedTask(ctx, &daemonCfg.Config, tsk, container, spec); err != nil {
	return err
	}
	if err := tsk.Start(context.WithoutCancel(ctx)); err != nil { // passing a cancelable ctx caused integration tests to be stuck in the cleanup phase
	return setExitCodeFromError(container.State.SetExitCode, err)
	}

But, as you say, the "poststart" hook seems to be called before network config happens (so, before the task is started). That's surprising, will need to do some digging.

[robmry]

I just gave it a go with crun instead of runc and it worked as expected - networking is configured before "poststart" is called ... perhaps useful as a workaround?

[HESS-BEA]

Do you have any clue why?

Because i tried also older runc versions (some which were running correctly ok a old system), but got the same issue.

I give it a try tomorrow, and also explain more my use case...

But i hope, we are getting the same behaviour as in 27, because all my work depends on the hooking system...

[HESS-BEA]

@robmry

Did you test with crun exactly the same way as with runc?
I tried it now, v28 with my hooked python script, which will run crun 1.24

But there i have the issue

root@linux:~# cat /tmp/hook.log 
nsenter: cannot open /proc/259356/ns/net: No such file or directory

It seems, that the namespace does not already exists in poststart ...

[HESS-BEA]

I'll try to explain what i'm doing (knowing it's a hackish way)

I wrote a whole wrapper system around the "runc" Runtime.
In the Docker Daemon i say, may Runtime Wrapper is the default one, every creation of containers etc. goes trough the wrapper.
In there, i inject hooks into the OCI Config (because docker still not support these... -.-).

In the following hooks i do stuff:

createRuntime:
Setup some CAN interfaces based on configuration of the container labels, so there is no need that the container himself need to have more priviliges.
Also setup some Network stuff with Routing (same as with CAN, the Container himself does not need permissions to that)

Until 28, everything was working as i programmed and tested, but now as i said, the interfaces are not present while createRuntime.

postStart:
Doing only some debugging output with ip a s etc., so the container himself does not need the packages for ip configuration and everything can be done over namespaces. Benefit is, also scratch images got debug output with their interfaces, although they don't have any ip CLI.

Soooo, its really important for me / us, to have these abilities to do stuff to the container, BEFORE they start to execute.
Is it in any way understandable?

[robmry]

Thanks for the extra context.

I just gave it a go with crun instead of runc and it worked as expected - networking is configured before "poststart" is called ... perhaps useful as a workaround?

Do you have any clue why?

Implementations of the container lifecycle are just different in runc and crun ... the runc issue linked above is about changing runc to match the spec (which is newer than runc itself). I guess that change might be difficult if there are runc users depending on the current behaviour.

Did you test with crun exactly the same way as with runc? I tried it now, v28 with my hooked python script, which will run crun 1.24

I used your script and swapped the exec from runc to crun - initially with crun 1.21, but just tried 1.24 and that worked too.

But, I was stopping Docker in a debugger or using docker run -ti <...> ash to drop into a shell in the container - rather than running ip a s and exiting.

The new/different error message you got from crun, nsenter: cannot open /proc/259356/ns/net: No such file or directory is the result of a race - the container's ip a s command ran and exited before the poststart hook tried to inspect the namespace.

That's in-line with the container lifecycle spec, poststart hooks run after the process starts ... but may not be what you need?

The "startContainer" hook runs after networking is configured and before the task starts, but in the container namespace. So, to run something in the runtime (host) namespace after networking is configured, before the user process in the container starts - you could catch the "start" command in your Python script, just like you're catching the "create"? That should work with runc as well as crun.

[HESS-BEA]

hi @robmry

I will do some more research on the new 28, maybe the Hooks are now better than then.
I began with the Work for my System 1-1.5 Years ago, and then i tried every hook.

Because i need to inject network Interfaces into the Container, BUT before the entrypoint is called and stuff like that...

So in theorie "postStart" was wrong (but was only way working last 1.5 years), "createRuntime" should be the right one? right?
There should i inject some network stuff (BUT it should be ready as in 27)

[HESS-BEA]

Okey i did some more tests on 28... i can say, currently its not usable for me in that state.

Here an output of my programm of "ip" calls with runc:

root@linux:~# docker run --rm --network buggy --runtime octobus-runtime --label octobus=true   --label octobus.debug-output=true alpine:3.20 sh -c 'ip a s && ip r s'
octobus-hook (DEBUG): hook='createRuntime', container_pid=8094, date='2025-10-03T07:55:55.836240+00:00'

START DEBUG OUTPUT FOR "createruntime"

-- Output of: 'ip a s' ---
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
--------------------------

-- Output of: 'ip r s' ---
<EMPTY>
--------------------------

END DEBUG OUTPUT


octobus-hook (DEBUG): hook='postStart', container_pid=8094, date='2025-10-03T07:55:55.929321+00:00'

START DEBUG OUTPUT FOR "poststart"

-- Output of: 'ip a s' ---
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
--------------------------

-- Output of: 'ip r s' ---
<EMPTY>
--------------------------

END DEBUG OUTPUT


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if98: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 9a:fd:86:54:16:5f brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
172.18.0.0/16 dev eth0 scope link  src 172.18.0.2 

If im using crun 1.24 instead, the postStart hook doesn't even exists

root@linux:~# ./crun-1.24-linux-amd64 --version
crun version 1.24
commit: 54693209039e5e04cbe3c8b1cd5fe2301219f0a1
rundir: /run/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
root@linux:~# docker run --rm --network buggy --runtime octobus-runtime --label octobus=true   --label octobus.debug-output=true alpine:3.20 sh -c 'ip a s && ip r s'
octobus-hook (DEBUG): hook='createRuntime', container_pid=8204, date='2025-10-03T07:56:18.342518+00:00'

START DEBUG OUTPUT FOR "createruntime"

-- Output of: 'ip a s' ---
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
--------------------------

-- Output of: 'ip r s' ---
<EMPTY>
--------------------------

END DEBUG OUTPUT


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if100: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 1a:5c:ea:c6:ea:78 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
172.18.0.0/16 dev eth0 scope link  src 172.18.0.2 

In version 27 everything would work, runc ir crun

octobus-hook (DEBUG): hook='createRuntime', container_pid=8989, date='2025-10-03T07:59:33.566007+00:00'

START DEBUG OUTPUT FOR "createruntime"

-- Output of: 'ip a s' ---
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
110: eth0@if111: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
--------------------------

-- Output of: 'ip r s' ---
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2
--------------------------

END DEBUG OUTPUT


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
110: eth0@if111: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
172.18.0.0/16 dev eth0 scope link  src 172.18.0.2 ```

[robmry]

This is my understanding ...

• In moby 27.x and older, moby used the "prestart" hook to set up networking.
• Since moby 28.0, moby no longer uses "prestart".
  • Networking is configured after the task is created, before it's started (before the user process runs).
• Your script depends on runc calling "poststart" after networking has been configured.

But, runc calls "poststart" before the "start" call has been made.

• So runc+poststart cannot be used in your script.

Also, crun calls "poststart" after "start".

• That's after networking has been configured.
• But, crun calls "poststart" after the user process has started, which matches the OCI container lifecycle spec.
• So, when the container is short-lived (only running "ip a"), it exits before the hook runs, so the script finds no container.

So ...

The behaviour in the previous comment is what I'd expect:

• networking has not been configured when runc calls poststart
• a short-lived container can exit before crun calls poststart

Your script currently looks for a "create" command and sets up OCI hooks.

Could it also look for a "start" command, and use that instead of an OCI hook as the trigger to make networking changes in the container? At that point, networking will be configured in the container, and the user process will not be running.

[HESS-BEA]

Hey @robmry

Thank you very much for the detailed text.

Forgive me, i looked wrong... Currently i do all the special network stuff within the createRuntime hook.
Injecting custom CAN interfaces when needed, default routes etc.
These are important to exists before any running ENTRYPOINT or CMD.

In the postStart hook i only do debug stuff, like ip a s.

Soo summary, i need a way to modify the environment inside the container with host commands (because the container dont need to be worried of CAPs or IP Tools)

Do i explained my needs correct? 😅 Sometimes in english is difficult.