runtime-rs: add CreateContainer hook support

CreateContainer hook is one kind of OCI hook. In kata, it will be executed after VM is started, before container is created, and after CreateRuntime is executed. The hook path of CreateContainer hook is in host runtime namespace, but it will be executed in host vmm namespace. Fixes: #5787 Signed-off-by: Yushuo <y-shuo@linux.alibaba.com>
2025-12-19 15:24:26 +01:00 · 2022-12-05 16:49:52 +08:00
parent 875f2db528
commit 977f281c5c
7 changed files with 44 additions and 4 deletions
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/manager.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/manager.rs
@@ -20,6 +20,7 @@ use common::{
 };
 use hypervisor::Hypervisor;
 use oci::Process as OCIProcess;
+use resource::network::NetnsGuard;
 use resource::ResourceManager;
 use tokio::sync::RwLock;

@@ -60,13 +61,37 @@ impl ContainerManager for VirtContainerManager {
    async fn create_container(&self, config: ContainerConfig, spec: oci::Spec) -> Result<PID> {
        let container = Container::new(
            self.pid,
-            config,
+            config.clone(),
            spec.clone(),
            self.agent.clone(),
            self.resource_manager.clone(),
        )
        .context("new container")?;

+        // CreateContainer Hooks:
+        // * should be run in vmm namespace (hook path in runtime namespace)
+        // * should be run after the vm is started, before container is created, and after CreateRuntime Hooks
+        // * spec details: https://github.com/opencontainers/runtime-spec/blob/c1662686cff159595277b79322d0272f5182941b/config.md#createcontainer-hooks
+        let vmm_master_tid = self.hypervisor.get_vmm_master_tid().await?;
+        let vmm_netns_path = format!("/proc/{}/task/{}/ns/{}", self.pid, vmm_master_tid, "net");
+        let state = oci::State {
+            version: spec.version.clone(),
+            id: config.container_id.clone(),
+            status: oci::ContainerState::Creating,
+            pid: vmm_master_tid as i32,
+            bundle: config.bundle.clone(),
+            annotations: spec.annotations.clone(),
+        };
+
+        // new scope, CreateContainer hooks in which will execute in a new network namespace
+        {
+            let _netns_guard = NetnsGuard::new(&vmm_netns_path).context("vmm netns guard")?;
+            if let Some(hooks) = spec.hooks.as_ref() {
+                let mut create_container_hook_states = HookStates::new();
+                create_container_hook_states.execute_hooks(&hooks.create_container, Some(state))?;
+            }
+        }
+
        let mut containers = self.containers.write().await;
        container.create(spec).await.context("create")?;
        containers.insert(container.container_id.to_string(), container);