runtime-rs: add StartContainer hook

StartContainer will be execute in guest container namespace in Kata. The Hook Path of this kind of hook is also in guest container namespace. StartContainer is executed after start operation is called, and it should be executed before user-specific command is executed. Fixes: #5787 Signed-off-by: Yushuo <y-shuo@linux.alibaba.com>
2025-12-17 14:24:27 +01:00 · 2022-12-05 17:20:18 +08:00
parent 977f281c5c
commit e80c9f7b74
7 changed files with 53 additions and 9 deletions
--- a/src/runtime-rs/crates/agent/src/types.rs
+++ b/src/runtime-rs/crates/agent/src/types.rs
@@ -124,7 +124,6 @@ pub struct CreateContainerRequest {
    pub devices: Vec<Device>,
    pub storages: Vec<Storage>,
    pub oci: Option<oci::Spec>,
-    pub guest_hooks: Option<oci::Hooks>,
    pub sandbox_pidns: bool,
    pub rootfs_mounts: Vec<oci::Mount>,
 }
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
@@ -396,8 +396,20 @@ impl Container {
 }

 fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
-    // hook should be done on host
-    spec.hooks = None;
+    // Only the StartContainer hook needs to be reserved for execution in the guest
+    let start_container_hooks = match spec.hooks.as_ref() {
+        Some(hooks) => hooks.start_container.clone(),
+        None => Vec::new(),
+    };
+
+    spec.hooks = if start_container_hooks.is_empty() {
+        None
+    } else {
+        Some(oci::Hooks {
+            start_container: start_container_hooks,
+            ..Default::default()
+        })
+    };

    // special process K8s ephemeral volumes.
    update_ephemeral_storage_type(spec);