Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_internal.go60
-rw-r--r--libpod/options.go14
-rw-r--r--libpod/runtime.go4
-rw-r--r--libpod/testdata/config.toml28
4 files changed, 106 insertions, 0 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index f75df8c28..f3247b1c0 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -7,6 +7,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
+ "regexp"
"strings"
"syscall"
"time"
@@ -22,6 +23,7 @@ import (
"github.com/pkg/errors"
crioAnnotations "github.com/projectatomic/libpod/pkg/annotations"
"github.com/projectatomic/libpod/pkg/chrootuser"
+ "github.com/projectatomic/libpod/pkg/hooks"
"github.com/projectatomic/libpod/pkg/secrets"
"github.com/projectatomic/libpod/pkg/util"
"github.com/sirupsen/logrus"
@@ -931,6 +933,9 @@ func (c *Container) generateSpec() (*spec.Spec, error) {
}
}
+ if err := c.setupOCIHooks(&g); err != nil {
+ return nil, errors.Wrapf(err, "error setting up OCI Hooks")
+ }
// Bind builtin image volumes
if c.config.ImageVolumes {
if err := c.addImageVolumes(&g); err != nil {
@@ -1103,3 +1108,58 @@ func (c *Container) saveSpec(spec *spec.Spec) error {
return nil
}
+
+func (c *Container) setupOCIHooks(g *generate.Generator) error {
+ addedHooks := map[string]struct{}{}
+ ocihooks, err := hooks.SetupHooks(c.runtime.config.HooksDir)
+ if err != nil {
+ return err
+ }
+ addHook := func(hook hooks.HookParams) error {
+ // Only add a hook once
+ if _, ok := addedHooks[hook.Hook]; !ok {
+ if err := hooks.AddOCIHook(g, hook); err != nil {
+ return err
+ }
+ addedHooks[hook.Hook] = struct{}{}
+ }
+ return nil
+ }
+ for _, hook := range ocihooks {
+ logrus.Debugf("SetupOCIHooks", hook)
+ if hook.HasBindMounts && len(c.config.Spec.Mounts) > 0 {
+ if err := addHook(hook); err != nil {
+ return err
+ }
+ continue
+ }
+ for _, cmd := range hook.Cmds {
+ match, err := regexp.MatchString(cmd, c.config.Spec.Process.Args[0])
+ if err != nil {
+ logrus.Errorf("Invalid regex %q:%q", cmd, err)
+ continue
+ }
+ if match {
+ if err := addHook(hook); err != nil {
+ return err
+ }
+ }
+ }
+ annotations := c.Spec().Annotations
+ for _, annotationRegex := range hook.Annotations {
+ for _, annotation := range annotations {
+ match, err := regexp.MatchString(annotationRegex, annotation)
+ if err != nil {
+ logrus.Errorf("Invalid regex %q:%q", annotationRegex, err)
+ continue
+ }
+ if match {
+ if err := addHook(hook); err != nil {
+ return err
+ }
+ }
+ }
+ }
+ }
+ return nil
+}
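Review bot: `c.config.Spec.Process.Args[0]` in the `hook.Cmds` loop is indexed without checking that `Process` is non-nil and `Args` is non-empty, so a spec without a command would panic here instead of returning an error; wrapping the loop in `if p := c.config.Spec.Process; p != nil && len(p.Args) > 0 {` avoids that. `logrus.Debugf("SetupOCIHooks", hook)` passes an argument with no formatting verb and should be `logrus.Debugf("SetupOCIHooks %+v", hook)`. An invalid pattern is only logged and skipped, so a hook whose configuration carries a bad regex is silently left out of the spec; because the patterns come from the hooks directory and not from the container, compiling them once when the hooks are loaded and returning the error would make the misconfiguration visible. The annotation loop ranges over the values of `c.Spec().Annotations` only, and both matches are unanchored, which deserves a sentence in a doc comment on `setupOCIHooks` so hook authors know to write `^...$` when they mean an exact match.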
diff --git a/libpod/options.go b/libpod/options.go
index 8fb6c8d2e..f9d6cb211 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -172,6 +172,20 @@ func WithStaticDir(dir string) RuntimeOption {
}
}
+// WithHooksDir sets the directory to look for OCI runtime hooks config
+// Note we are not saving this in database, since this is really just for used
+// for testing
+func WithHooksDir(hooksDir string) RuntimeOption {
+ return func(rt *Runtime) error {
+ if rt.valid {
+ return ErrRuntimeFinalized
+ }
+
+ rt.config.HooksDir = hooksDir
+ return nil
+ }
+}
+
// WithTmpDir sets the directory that temporary runtime files which are not
// expected to survive across reboots will be stored
// This should be located on a tmpfs mount (/tmp or /var/run for example)
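Review bot: `WithHooksDir` stores `hooksDir` without any check, so an empty or relative path replaces the `hooks.DefaultHooksDir` default added in runtime.go. Since the files in this directory decide which hook executables are added to a container's spec, rejecting a value for which `filepath.IsAbs(hooksDir)` is false would be a cheap guard (the import block of options.go is not visible in this hunk). The doc comment also reads awkwardly; suggested wording is `// WithHooksDir sets the directory searched for OCI runtime hook configuration files.` followed by `// The value is not saved in the database because the option is intended for testing only.`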
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 869727f38..94d412c84 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -15,6 +15,7 @@ import (
"github.com/docker/docker/pkg/namesgenerator"
"github.com/pkg/errors"
"github.com/projectatomic/libpod/libpod/image"
+ "github.com/projectatomic/libpod/pkg/hooks"
"github.com/sirupsen/logrus"
"github.com/ulule/deepcopier"
)
@@ -127,6 +128,8 @@ type RuntimeConfig struct {
// CNIPluginDir sets a number of directories where the CNI network
// plugins can be located
CNIPluginDir []string `toml:"cni_plugin_dir"`
+ // HooksDir Path to the directory containing hooks configuration files
+ HooksDir string `toml:"hooks_dir"`
}
var (
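Review bot: The new field is tagged `toml:"hooks_dir"`, while the testdata/config.toml added in the same commit sets `hooks_dir_path` under `[crio.runtime]`; if that file is meant to be decoded into `RuntimeConfig`, the key will not populate `HooksDir` and the default will be used without any warning. Either align the two names or say in the test data which parser the file is written for. The field comment would read better as `// HooksDir is the path to the directory containing hook configuration files.`, and it is worth adding that the directory should be writable only by the administrator, since its contents select executables that the OCI runtime runs on the host.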
@@ -153,6 +156,7 @@ var (
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
},
CgroupManager: "cgroupfs",
+ HooksDir: hooks.DefaultHooksDir,
StaticDir: filepath.Join(storage.DefaultStoreOptions.GraphRoot, "libpod"),
TmpDir: "/var/run/libpod",
MaxLogSize: -1,
diff --git a/libpod/testdata/config.toml b/libpod/testdata/config.toml
new file mode 100644
index 000000000..e19d36017
--- /dev/null
+++ b/libpod/testdata/config.toml
@@ -0,0 +1,28 @@
+[crio]
+ root = "/var/lib/containers/storage"
+ runroot = "/var/run/containers/storage"
+ storage_driver = "overlay2"
+ log_dir = "/var/log/crio/pods"
+ file_locking = true
+ [crio.runtime]
+ runtime = "/usr/bin/runc"
+ runtime_untrusted_workload = ""
+ default_workload_trust = "trusted"
+ conmon = "/usr/local/libexec/crio/conmon"
+ conmon_env = ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
+ selinux = true
+ seccomp_profile = "/etc/crio/seccomp.json"
+ apparmor_profile = "crio-default"
+ cgroup_manager = "cgroupfs"
+ hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+ pids_limit = 2048
+ container_exits_dir = "/var/run/podman/exits"
+ [crio.image]
+ default_transport = "docker://"
+ pause_image = "kubernetes/pause"
+ pause_command = "/pause"
+ signature_policy = ""
+ image_volumes = "mkdir"
+ [crio.network]
+ network_dir = "/etc/cni/net.d/"
+ plugin_dir = "/opt/cni/bin/"