Comments (12)
The hooks of the runtime spec are implemented by runc / crun, while OCI hooks are a thing supported by CRI-O itself.
from cri-o.
@ChucklesDroid Thank you for raising this issue. Upon reviewing the crio logs, it appears that the following error occurred:
level=error msg="Failed loading hooks for /usr/share/containers/oci/hooks.d/hooks.json: parsing hook \"/usr/share/containers/oci/hooks.d/hooks.json\": 1.0.0: json: cannot unmarshal string into Go struct field When.when.always of type bool" file="hooks/monitor.go:55"
It seems like the value of always in the hooks.json file needs to be a boolean. Please consider updating it accordingly. I believe this adjustment should address the issue.
from cri-o.
@ChucklesDroid, try running CRI-O with the debug log level set.
Perhaps you can spot something in the more verbose output.
That said, you can also update your script such that there is some logging added. For example:
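#!/usr/bin/env bash
# Send everything the hook prints (including the set -x trace) to a log file.
exec 1> /tmp/hook.log 2>&1
set -ex
# Dump the environment the hook actually runs with.
env
KUBEARMOR_LOG_FILE="/tmp/kubearmor.log"
echo "create-container-executed": "$(date -I)" "$(date +%T)" >> "$KUBEARMOR_LOG_FILE"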
However, just looking at your original script, I am sure that the $USER variable might be set to a different user than you expect (or even unset in some cases, as there is no guarantee for it to be present), since it's CRI-O that would run this script in the end, and you might have no permission to write to the location where the directory is pointing to (also, I assume that there is no /home/root on your file system at the moment). You have no error control enabled in your script (the set -e), as such, it will fail silently.
from cri-o.
@ChucklesDroid, now that you have things working, can we close this issue?
from cri-o.
Yes, let's close this @kwilczynski. Thank you everyone for your help, I appreciate that.
from cri-o.
Hi I was able to get log data using journalctl -u crio. I have added the data in this gist file: https://gist.github.com/ChucklesDroid/d3285f7ef1dd262223b2044918aeec01
from cri-o.
That definitely helped out. However I am still unable to run the script. So after I changed it to boolean value. It complained about missing property hook:path. So I had to update json to the following:
{
  "version": "1.0.0",
  "hook": {
    "path": "/usr/share/containers/oci/hooks.d/create-container.sh"
  },
  "when": {
    "always": true
  },
  "stages": ["createContainer"]
}
- So a question arises: is this outdated or am I understanding it wrong? I have also referenced this hooks schema
- Also I can now see that hooks.json was accepted however my script still didn't run:
Feb 18 03:22:59 minikube crio[714]: time="2024-02-18 03:22:59.057434927Z" level=debug msg="hook hooks.json matched; adding to stages [createContainer]" file="hooks/hooks.go:111"
The pod was created using kubectl run pd-a --image=k8s.gcr.io/pause
Also 0755 permissions were given to the bash script specified above, is there something wrong with the bash script used?
Also this is the updated gist
Your help has been amazing so far 🙌🙌
from cri-o.
@ChucklesDroid, some documentation around hooks can be found at the following:
Would this help?
from cri-o.
Hi @kwilczynski , Thanks for responding !
I have gone through both of those resources and found 2 conflicting docs which mentioned about the schema related to hooks. posix-platform-hooks and the hooks schema like I mentioned in my previous comment.
Looking at the logs the hooks.json seems to be accepted as noted by this line in the log:
Feb 18 03:22:59 minikube crio[714]: time="2024-02-18 03:22:59.057434927Z" level=debug msg="hook hooks.json matched; adding to stages [createContainer]" file="hooks/hooks.go:111"
However the bash script didn't run. (The bash script can be found above specified in the issue). So I am a bit confused what might be going wrong on my end with the script
from cri-o.
I am in tears. Thank you for your help @kwilczynski, it finally works!! You were right about $USER variable. I found this in the log file:
+ export KUBEARMOR_LOG_FILE=/home//kubearmor.log
+ KUBEARMOR_LOG_FILE=/home//kubearmor.log
Just one more thing I need to clarify. What's the difference between posix-platform-hooks and hooks-schema?
from cri-o.
Just one more thing I need to clarify. What's the difference between posix-platform-hooks and hooks-schema?
Yeah, this is an interesting question. CRI-O follows the hooks-schema in containers/common to execute OCI hooks in Kubernetes. The schema details haven't changed for more than four years now. I suspect there might be a slight divergence from OpenContainers/runtime-spec concerning the hooks aspect, at least.
@cri-o/cri-o-maintainers Any idea here?
from cri-o.
/assign kwilczynski
/assign sohankunkerkar
from cri-o.
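The failures worked through in this thread (a string where `when.always` must be a boolean, a missing `hook.path`, a script that cannot be executed) can be caught before CRI-O ever loads the file. The following pre-flight check is an added example, not code from CRI-O or from anyone in the thread; `hookFile` and `lintHook` are hypothetical names, and it covers only the fields shown on this page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// hookFile holds only fields seen in this thread; it is not a CRI-O type.
type hookFile struct {
	Hook struct {
		Path string `json:"path"`
	} `json:"hook"`
	When struct {
		Always *bool `json:"always"`
	} `json:"when"`
	Stages []string `json:"stages"`
}

// lintHook returns every problem it finds in one hook definition.
func lintHook(data []byte) []string {
	var h hookFile
	if err := json.Unmarshal(data, &h); err != nil {
		var te *json.UnmarshalTypeError
		if errors.As(err, &te) { // e.g. "always": "true" instead of true
			return []string{fmt.Sprintf("%s: got JSON %s, want %s", te.Field, te.Value, te.Type)}
		}
		return []string{"invalid JSON: " + err.Error()}
	}
	var problems []string
	if h.Hook.Path == "" {
		problems = append(problems, "hook.path: missing")
	} else if fi, err := os.Stat(h.Hook.Path); err != nil {
		problems = append(problems, "hook.path: "+err.Error())
	} else if fi.IsDir() || fi.Mode().Perm()&0111 == 0 {
		problems = append(problems, "hook.path: not an executable file")
	}
	if len(h.Stages) == 0 {
		problems = append(problems, "stages: empty")
	}
	return problems
}

func main() {
	// Constructed sample: "always" written as a string, as in the logged error.
	bad := []byte(`{"version":"1.0.0","hook":{"path":"/bin/sh"},"when":{"always":"true"},"stages":["createContainer"]}`)
	fmt.Println(lintHook(bad))
}
```

A clean result only means the definition parses and points at an executable; as the thread shows, the script can still fail at run time because of the environment CRI-O gives it.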