Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_internal.go | 60 | ||||
-rw-r--r-- | libpod/options.go | 14 | ||||
-rw-r--r-- | libpod/runtime.go | 4 | ||||
-rw-r--r-- | libpod/testdata/config.toml | 28 |
4 files changed, 106 insertions, 0 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index f75df8c28..f3247b1c0 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -7,6 +7,7 @@ import (
 "io/ioutil"
 "os"
 "path/filepath"
+ "regexp"
 "strings"
 "syscall"
 "time"
@@ -22,6 +23,7 @@ import (
 "github.com/pkg/errors"
 crioAnnotations "github.com/projectatomic/libpod/pkg/annotations"
 "github.com/projectatomic/libpod/pkg/chrootuser"
+ "github.com/projectatomic/libpod/pkg/hooks"
 "github.com/projectatomic/libpod/pkg/secrets"
 "github.com/projectatomic/libpod/pkg/util"
 "github.com/sirupsen/logrus"
@@ -931,6 +933,9 @@ func (c *Container) generateSpec() (*spec.Spec, error) {
 }
 }
+ if err := c.setupOCIHooks(&g); err != nil {
+ return nil, errors.Wrapf(err, "error setting up OCI Hooks")
+ }
 // Bind builtin image volumes
 if c.config.ImageVolumes {
 if err := c.addImageVolumes(&g); err != nil {
@@ -1103,3 +1108,58 @@ func (c *Container) saveSpec(spec *spec.Spec) error {
 
 return nil
 }
+
+func (c *Container) setupOCIHooks(g *generate.Generator) error {
+ addedHooks := map[string]struct{}{}
+ ocihooks, err := hooks.SetupHooks(c.runtime.config.HooksDir)
+ if err != nil {
+ return err
+ }
+ addHook := func(hook hooks.HookParams) error {
+ // Only add a hook once
+ if _, ok := addedHooks[hook.Hook]; !ok {
+ if err := hooks.AddOCIHook(g, hook); err != nil {
+ return err
+ }
+ addedHooks[hook.Hook] = struct{}{}
+ }
+ return nil
+ }
+ for _, hook := range ocihooks {
+ logrus.Debugf("SetupOCIHooks", hook)
+ if hook.HasBindMounts && len(c.config.Spec.Mounts) > 0 {
+ if err := addHook(hook); err != nil {
+ return err
+ }
+ continue
+ }
+ for _, cmd := range hook.Cmds {
+ match, err := regexp.MatchString(cmd, c.config.Spec.Process.Args[0])
+ if err != nil {
+ logrus.Errorf("Invalid regex %q:%q", cmd, err)
+ continue
+ }
+ if match {
+ if err := addHook(hook); err != nil {
+ return err
+ }
+ }
+ }
+ annotations := c.Spec().Annotations
+ for _, annotationRegex := range hook.Annotations {
+ for _, annotation := range annotations {
+ match, err := regexp.MatchString(annotationRegex, annotation)
+ if err != nil {
+ logrus.Errorf("Invalid regex %q:%q", annotationRegex, err)
+ continue
+ }
+ if match {
+ if err := addHook(hook); err != nil {
+ return err
+ }
+ }
+ }
+ }
+ }
+ return nil
+}
diff --git a/libpod/options.go b/libpod/options.go
index 8fb6c8d2e..f9d6cb211 100644
--- a/libpod/options.go
+++ b/libpod/options.go
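Review bot: `c.config.Spec.Process.Args[0]` inside the `hook.Cmds` loop is indexed without a guard, so a spec whose `Process` is nil or whose `Args` is empty makes `generateSpec` panic instead of returning an error; resolve the command once before the hook loop and skip command matching when there is nothing to match. The `logrus.Debugf("SetupOCIHooks", hook)` line passes an argument with no format verb (`go vet` flags it and the output ends in `%!(EXTRA ...)`), and should read `logrus.Debugf("SetupOCIHooks %+v", hook)`. Note also that `regexp.MatchString` is unanchored, so a hook config whose `cmds` entry is `sh` also fires for `/bin/bash`; whether hook authors are expected to anchor their patterns is presumably defined by `pkg/hooks`, which is outside this hunk, and is worth stating on `HookParams`. Finally, `c.Spec().Annotations` is recomputed on every iteration although the annotations never change inside the loop, so it can be hoisted above `for _, hook := range ocihooks`.
```go
func (c *Container) setupOCIHooks(g *generate.Generator) error {
	// … unchanged: SetupHooks call and addHook closure …
	// Resolve the values every hook is matched against once. A spec with no
	// Process or with empty Args has no command to match, so command-based
	// hooks are skipped instead of indexing an empty slice.
	var command string
	hasCommand := false
	if p := c.config.Spec.Process; p != nil && len(p.Args) > 0 {
		command = p.Args[0]
		hasCommand = true
	}
	annotations := c.Spec().Annotations
	for _, hook := range ocihooks {
		logrus.Debugf("SetupOCIHooks %+v", hook)
		// … unchanged: bind-mount shortcut …
		if hasCommand {
			for _, cmd := range hook.Cmds {
				match, err := regexp.MatchString(cmd, command)
				// … unchanged: regex error handling and addHook …
			}
		}
		// … unchanged: annotation matching, using the hoisted annotations …
	}
	return nil
}
```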
@@ -172,6 +172,20 @@ func WithStaticDir(dir string) RuntimeOption {
 }
 }
 
+// WithHooksDir sets the directory to look for OCI runtime hooks config
+// Note we are not saving this in database, since this is really just for used
+// for testing
+func WithHooksDir(hooksDir string) RuntimeOption {
+ return func(rt *Runtime) error {
+ if rt.valid {
+ return ErrRuntimeFinalized
+ }
+
+ rt.config.HooksDir = hooksDir
+ return nil
+ }
+}
+
 // WithTmpDir sets the directory that temporary runtime files which are not
 // expected to survive across reboots will be stored
 // This should be located on a tmpfs mount (/tmp or /var/run for example)
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 869727f38..94d412c84 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -15,6 +15,7 @@ import (
 "github.com/docker/docker/pkg/namesgenerator"
 "github.com/pkg/errors"
 "github.com/projectatomic/libpod/libpod/image"
+ "github.com/projectatomic/libpod/pkg/hooks"
 "github.com/sirupsen/logrus"
 "github.com/ulule/deepcopier"
 )
@@ -127,6 +128,8 @@ type RuntimeConfig struct {
 // CNIPluginDir sets a number of directories where the CNI network
 // plugins can be located
 CNIPluginDir []string `toml:"cni_plugin_dir"`
+ // HooksDir Path to the directory containing hooks configuration files
+ HooksDir string `toml:"hooks_dir"`
 }
 
 var (
@@ -153,6 +156,7 @@ var (
 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 },
 CgroupManager: "cgroupfs",
+ HooksDir: hooks.DefaultHooksDir,
 StaticDir: filepath.Join(storage.DefaultStoreOptions.GraphRoot, "libpod"),
 TmpDir: "/var/run/libpod",
 MaxLogSize: -1,
diff --git a/libpod/testdata/config.toml b/libpod/testdata/config.toml
new file mode 100644
index 000000000..e19d36017
--- /dev/null
+++ b/libpod/testdata/config.toml
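Review bot: `WithHooksDir` stores `hooksDir` without any check, so an empty string is accepted here and only surfaces later when `hooks.SetupHooks` tries to read it; rejecting it at option time, next to the existing `rt.valid` guard, gives the caller a clear error (`if hooksDir == "" { return ErrInvalidArg }` if libpod's usual sentinel is available in options.go, which this hunk does not show). The doc comment is also garbled ("since this is really just for used for testing"); I would reword it to `// WithHooksDir sets the directory that is scanned for OCI hook configuration files.` followed by `// The value is not persisted to the database; the option exists primarily for tests.`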
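Review bot: The new `HooksDir` field comment should say what the directory is for and why it is security-sensitive: the hook configs found there are injected into every container's spec by `setupOCIHooks`, and the hook binaries they name are presumably executed by the OCI runtime with its own (host) privileges, so the directory must not be writable by unprivileged users. Something like `// HooksDir is the directory scanned for OCI hook configuration files that are injected into each container's spec; the hooks run with the OCI runtime's privileges, so this directory must be writable only by root.` Separately, the field is tagged `toml:"hooks_dir"` at the top level of `RuntimeConfig`, while the new `libpod/testdata/config.toml` sets `hooks_dir_path` under `[crio.runtime]`; if that fixture is meant to populate this struct, the key will not be read, so it is worth confirming which name is intended.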
@@ -0,0 +1,28 @@
+[crio]
+ root = "/var/lib/containers/storage"
+ runroot = "/var/run/containers/storage"
+ storage_driver = "overlay2"
+ log_dir = "/var/log/crio/pods"
+ file_locking = true
+ [crio.runtime]
+ runtime = "/usr/bin/runc"
+ runtime_untrusted_workload = ""
+ default_workload_trust = "trusted"
+ conmon = "/usr/local/libexec/crio/conmon"
+ conmon_env = ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
+ selinux = true
+ seccomp_profile = "/etc/crio/seccomp.json"
+ apparmor_profile = "crio-default"
+ cgroup_manager = "cgroupfs"
+ hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+ pids_limit = 2048
+ container_exits_dir = "/var/run/podman/exits"
+ [crio.image]
+ default_transport = "docker://"
+ pause_image = "kubernetes/pause"
+ pause_command = "/pause"
+ signature_policy = ""
+ image_volumes = "mkdir"
+ [crio.network]
+ network_dir = "/etc/cni/net.d/"
+ plugin_dir = "/opt/cni/bin/"
|