Merge pull request #3996 from kolyshkin/double-hooks

Fix for host mount ns containers
opencontainers · Aug 29, 2023 · 24ae5c2 · 24ae5c2
2 parents b322e31 + e852523
commit 24ae5c2
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 30 deletions.
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
@@ -514,36 +514,6 @@ func (p *initProcess) start() (retErr error) {
 			if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
 				return fmt.Errorf("error setting rlimits for ready process: %w", err)
 			}
-			// call prestart and CreateRuntime hooks
-			if !p.config.Config.Namespaces.Contains(configs.NEWNS) {
-				// Setup cgroup before the hook, so that the prestart and CreateRuntime hook could apply cgroup permissions.
-				if err := p.manager.Set(p.config.Config.Cgroups.Resources); err != nil {
-					return fmt.Errorf("error setting cgroup config for ready process: %w", err)
-				}
-				if p.intelRdtManager != nil {
-					if err := p.intelRdtManager.Set(p.config.Config); err != nil {
-						return fmt.Errorf("error setting Intel RDT config for ready process: %w", err)
-					}
-				}
-
-				if len(p.config.Config.Hooks) != 0 {
-					s, err := p.container.currentOCIState()
-					if err != nil {
-						return err
-					}
-					// initProcessStartTime hasn't been set yet.
-					s.Pid = p.cmd.Process.Pid
-					s.Status = specs.StateCreating
-					hooks := p.config.Config.Hooks
-
-					if err := hooks.Run(configs.Prestart, s); err != nil {
-						return err
-					}
-					if err := hooks.Run(configs.CreateRuntime, s); err != nil {
-						return err
-					}
-				}
-			}
 
 			// generate a timestamp indicating when the container was started
 			p.container.created = time.Now().UTC()

diff --git a/tests/integration/host-mntns.bats b/tests/integration/host-mntns.bats
@@ -0,0 +1,33 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	requires root
+	setup_busybox
+}
+
+function teardown() {
+	[ ! -v ROOT ] && return 0 # nothing to teardown
+
+	# XXX runc does not unmount a container which
+	# shares mount namespace with the host.
+	umount -R --lazy "$ROOT"/bundle/rootfs
+
+	teardown_bundle
+}
+
+@test "runc run [host mount ns + hooks]" {
+	update_config '	  .process.args = ["/bin/echo", "Hello World"]
+			| .hooks |= . + {"createRuntime": [{"path": "/bin/sh", "args": ["/bin/sh", "-c", "touch createRuntimeHook.$$"]}]}
+			| .linux.namespaces -= [{"type": "mount"}]
+			| .linux.maskedPaths = []
+			| .linux.readonlyPaths = []'
+	runc run test_host_mntns
+	[ "$status" -eq 0 ]
+	runc delete -f test_host_mntns
+
+	# There should be one such file.
+	run -0 ls createRuntimeHook.*
+	[ "$(echo "$output" | wc -w)" -eq 1 ]
+}