Add hooks support to podman

Signed-off-by: Daniel J Walsh <[email protected]>

Closes: #155
Approved by: mheon

Author: rhatdan

cmd/podman/main.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/containers/storage/pkg/reexec"
 	"github.com/pkg/errors"
+	"github.com/projectatomic/libpod/pkg/hooks"
 	"github.com/projectatomic/libpod/version"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
@@ -122,6 +123,12 @@ func main() {
 			Name:  "cpu-profile",
 			Usage: "path for the cpu profiling results",
 		},
+		cli.StringFlag{
+			Name:   "hooks-dir-path",
+			Usage:  "set the OCI hooks directory path",
+			Value:  hooks.DefaultHooksDir,
+			Hidden: true,
+		},
 		cli.StringFlag{
 			Name:  "log-level",
 			Usage: "log messages above specified level: debug, info, warn, error (default), fatal or panic",

cmd/podman/spec.go

@@ -378,7 +378,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	}
 
 	/*
-			Hooks: &configSpec.Hooks{},
 			//Annotations
 				Resources: &configSpec.LinuxResources{
 					BlockIO: &blkio,

cmd/podman/utils.go

@@ -48,6 +48,7 @@ func getRuntime(c *cli.Context) (*libpod.Runtime, error) {
 	if c.GlobalIsSet("cni-config-dir") {
 		options = append(options, libpod.WithCNIConfigDir(c.GlobalString("cni-config-dir")))
 	}
+	options = append(options, libpod.WithHooksDir(c.GlobalString("hooks-dir-path")))
 
 	// TODO flag to set CNI plugins dir?
 

libpod/container_internal.go

@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"syscall"
 	"time"
@@ -22,6 +23,7 @@ import (
 	"github.com/pkg/errors"
 	crioAnnotations "github.com/projectatomic/libpod/pkg/annotations"
 	"github.com/projectatomic/libpod/pkg/chrootuser"
+	"github.com/projectatomic/libpod/pkg/hooks"
 	"github.com/projectatomic/libpod/pkg/secrets"
 	"github.com/projectatomic/libpod/pkg/util"
 	"github.com/sirupsen/logrus"
@@ -931,6 +933,9 @@ func (c *Container) generateSpec() (*spec.Spec, error) {
 		}
 	}
 
+	if err := c.setupOCIHooks(&g); err != nil {
+		return nil, errors.Wrapf(err, "error setting up OCI Hooks")
+	}
 	// Bind builtin image volumes
 	if c.config.ImageVolumes {
 		if err := c.addImageVolumes(&g); err != nil {
@@ -1103,3 +1108,58 @@ func (c *Container) saveSpec(spec *spec.Spec) error {
 
 	return nil
 }
+
+func (c *Container) setupOCIHooks(g *generate.Generator) error {
+	addedHooks := map[string]struct{}{}
+	ocihooks, err := hooks.SetupHooks(c.runtime.config.HooksDir)
+	if err != nil {
+		return err
+	}
+	addHook := func(hook hooks.HookParams) error {
+		// Only add a hook once
+		if _, ok := addedHooks[hook.Hook]; !ok {
+			if err := hooks.AddOCIHook(g, hook); err != nil {
+				return err
+			}
+			addedHooks[hook.Hook] = struct{}{}
+		}
+		return nil
+	}
+	for _, hook := range ocihooks {
+		logrus.Debugf("SetupOCIHooks", hook)
+		if hook.HasBindMounts && len(c.config.Spec.Mounts) > 0 {
+			if err := addHook(hook); err != nil {
+				return err
+			}
+			continue
+		}
+		for _, cmd := range hook.Cmds {
+			match, err := regexp.MatchString(cmd, c.config.Spec.Process.Args[0])
+			if err != nil {
+				logrus.Errorf("Invalid regex %q:%q", cmd, err)
+				continue
+			}
+			if match {
+				if err := addHook(hook); err != nil {
+					return err
+				}
+			}
+		}
+		annotations := c.Spec().Annotations
+		for _, annotationRegex := range hook.Annotations {
+			for _, annotation := range annotations {
+				match, err := regexp.MatchString(annotationRegex, annotation)
+				if err != nil {
+					logrus.Errorf("Invalid regex %q:%q", annotationRegex, err)
+					continue
+				}
+				if match {
+					if err := addHook(hook); err != nil {
+						return err
+					}
+				}
+			}
+		}
+	}
+	return nil
+}

libpod/options.go

@@ -172,6 +172,20 @@ func WithStaticDir(dir string) RuntimeOption {
 	}
 }
 
+// WithHooksDir sets the directory to look for OCI runtime hooks config
+// Note we are not saving this in database, since this is really just for used
+// for testing
+func WithHooksDir(hooksDir string) RuntimeOption {
+	return func(rt *Runtime) error {
+		if rt.valid {
+			return ErrRuntimeFinalized
+		}
+
+		rt.config.HooksDir = hooksDir
+		return nil
+	}
+}
+
 // WithTmpDir sets the directory that temporary runtime files which are not
 // expected to survive across reboots will be stored
 // This should be located on a tmpfs mount (/tmp or /var/run for example)

libpod/runtime.go

@@ -15,6 +15,7 @@ import (
 	"github.com/docker/docker/pkg/namesgenerator"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/libpod/libpod/image"
+	"github.com/projectatomic/libpod/pkg/hooks"
 	"github.com/sirupsen/logrus"
 	"github.com/ulule/deepcopier"
 )
@@ -127,6 +128,8 @@ type RuntimeConfig struct {
 	// CNIPluginDir sets a number of directories where the CNI network
 	// plugins can be located
 	CNIPluginDir []string `toml:"cni_plugin_dir"`
+	// HooksDir Path to the directory containing hooks configuration files
+	HooksDir string `toml:"hooks_dir"`
 }
 
 var (
@@ -153,6 +156,7 @@ var (
 			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 		},
 		CgroupManager: "cgroupfs",
+		HooksDir:      hooks.DefaultHooksDir,
 		StaticDir:     filepath.Join(storage.DefaultStoreOptions.GraphRoot, "libpod"),
 		TmpDir:        "/var/run/libpod",
 		MaxLogSize:    -1,

libpod/testdata/config.toml

@@ -0,0 +1,28 @@
+[crio]
+  root = "/var/lib/containers/storage"
+  runroot = "/var/run/containers/storage"
+  storage_driver = "overlay2"
+  log_dir = "/var/log/crio/pods"
+  file_locking = true
+  [crio.runtime]
+    runtime = "/usr/bin/runc"
+    runtime_untrusted_workload = ""
+    default_workload_trust = "trusted"
+    conmon = "/usr/local/libexec/crio/conmon"
+    conmon_env = ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
+    selinux = true
+    seccomp_profile = "/etc/crio/seccomp.json"
+    apparmor_profile = "crio-default"
+    cgroup_manager = "cgroupfs"
+    hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+    pids_limit = 2048
+    container_exits_dir = "/var/run/podman/exits"
+  [crio.image]
+    default_transport = "docker://"
+    pause_image = "kubernetes/pause"
+    pause_command = "/pause"
+    signature_policy = ""
+    image_volumes = "mkdir"
+  [crio.network]
+    network_dir = "/etc/cni/net.d/"
+    plugin_dir = "/opt/cni/bin/"

pkg/hooks/hooks.go

@@ -0,0 +1,141 @@
+package hooks
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"syscall"
+
+	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/runtime-tools/generate"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// DefaultHooksDir Default directory containing hooks config files
+	DefaultHooksDir = "/usr/share/containers/oci/hooks.d"
+	// OverrideHooksDir Directory where admin can override the default configuration
+	OverrideHooksDir = "/etc/containers/oci/hooks.d"
+)
+
+// HookParams is the structure returned from read the hooks configuration
+type HookParams struct {
+	Hook          string   `json:"hook"`
+	Stage         []string `json:"stage"`
+	Cmds          []string `json:"cmd"`
+	Annotations   []string `json:"annotation"`
+	HasBindMounts bool     `json:"hasbindmounts"`
+	Arguments     []string `json:"arguments"`
+}
+
+// readHook reads hooks json files, verifies it and returns the json config
+func readHook(hookPath string) (HookParams, error) {
+	var hook HookParams
+	raw, err := ioutil.ReadFile(hookPath)
+	if err != nil {
+		return hook, errors.Wrapf(err, "error Reading hook %q", hookPath)
+	}
+	if err := json.Unmarshal(raw, &hook); err != nil {
+		return hook, errors.Wrapf(err, "error Unmarshalling JSON for %q", hookPath)
+	}
+	if _, err := os.Stat(hook.Hook); err != nil {
+		return hook, errors.Wrapf(err, "unable to stat hook %q in hook config %q", hook.Hook, hookPath)
+	}
+	validStage := map[string]bool{"prestart": true, "poststart": true, "poststop": true}
+	for _, cmd := range hook.Cmds {
+		if _, err = regexp.Compile(cmd); err != nil {
+			return hook, errors.Wrapf(err, "invalid cmd regular expression %q defined in hook config %q", cmd, hookPath)
+		}
+	}
+	for _, cmd := range hook.Annotations {
+		if _, err = regexp.Compile(cmd); err != nil {
+			return hook, errors.Wrapf(err, "invalid cmd regular expression %q defined in hook config %q", cmd, hookPath)
+		}
+	}
+	for _, stage := range hook.Stage {
+		if !validStage[stage] {
+			return hook, errors.Wrapf(err, "unknown stage %q defined in hook config %q", stage, hookPath)
+		}
+	}
+	return hook, nil
+}
+
+// readHooks reads hooks json files in directory to setup OCI Hooks
+// adding hooks to the passedin hooks map.
+func readHooks(hooksPath string, hooks map[string]HookParams) error {
+	if _, err := os.Stat(hooksPath); err != nil {
+		if os.IsNotExist(err) {
+			logrus.Warnf("hooks path: %q does not exist", hooksPath)
+			return nil
+		}
+		return errors.Wrapf(err, "unable to stat hooks path %q", hooksPath)
+	}
+
+	files, err := ioutil.ReadDir(hooksPath)
+	if err != nil {
+		return err
+	}
+
+	for _, file := range files {
+		if !strings.HasSuffix(file.Name(), ".json") {
+			continue
+		}
+		hook, err := readHook(filepath.Join(hooksPath, file.Name()))
+		if err != nil {
+			return err
+		}
+		for key, h := range hooks {
+			// hook.Hook can only be defined in one hook file, unless it has the
+			// same name in the override path.
+			if hook.Hook == h.Hook && key != file.Name() {
+				return errors.Wrapf(syscall.EINVAL, "duplicate path,  hook %q from %q already defined in %q", hook.Hook, hooksPath, key)
+			}
+		}
+		hooks[file.Name()] = hook
+	}
+	return nil
+}
+
+// SetupHooks takes a hookspath and reads all of the hooks in that directory.
+// returning a map of the configured hooks
+func SetupHooks(hooksPath string) (map[string]HookParams, error) {
+	hooksMap := make(map[string]HookParams)
+	if err := readHooks(hooksPath, hooksMap); err != nil {
+		return nil, err
+	}
+	if hooksPath == DefaultHooksDir {
+		if err := readHooks(OverrideHooksDir, hooksMap); err != nil {
+			return nil, err
+		}
+	}
+
+	return hooksMap, nil
+}
+
+// AddOCIHook generates OCI specification using the included hook
+func AddOCIHook(g *generate.Generator, hook HookParams) error {
+	for _, stage := range hook.Stage {
+		h := spec.Hook{
+			Path: hook.Hook,
+			Args: append([]string{hook.Hook}, hook.Arguments...),
+			Env:  []string{fmt.Sprintf("stage=%s", stage)},
+		}
+		logrus.Debugf("AddOCIHook", h)
+		switch stage {
+		case "prestart":
+			g.AddPreStartHook(h)
+
+		case "poststart":
+			g.AddPostStartHook(h)
+
+		case "poststop":
+			g.AddPostStopHook(h)
+		}
+	}
+	return nil
+}

test/hooks/checkhook.json test/e2e/hooks/checkhook.jsontest/hooks/checkhook.json renamed to test/e2e/hooks/checkhook.json

@@ -1,5 +1,5 @@
 {
     "cmd" : [".*"],
-    "hook" : "HOOKSDIR/checkhook.sh",
+    "hook" : "/tmp/checkhook.sh",
     "stage" : [ "prestart" ]
 }