Issue creating oci hooks with Minikube about cri-o HOT 12 CLOSED

The hooks of the runtime spec are implemented by runc / crun, while OCI hooks are a thing supported by CRI-O itself.

from cri-o.

@ChucklesDroid Thank you for raising this issue. Upon reviewing the crio logs, it appears that the following error occurred:

level=error msg="Failed loading hooks for /usr/share/containers/oci/hooks.d/hooks.json: parsing hook \"/usr/share/containers/oci/hooks.d/hooks.json\": 1.0.0: json: cannot unmarshal string into Go struct field When.when.always of type bool" file="hooks/monitor.go:55"

It seems like the value of always in the hooks.json file needs to be a boolean. Please consider updating it accordingly. I believe this adjustment should address the issue.

from cri-o.

@ChucklesDroid, try running CRI-O with the the debug log level set.

Perhaps you can spot something in the more verbose output.

That said, you can also update your script such that there is some logging added. For example:

#!/usr/bin/env bash
exec 1> /tmp/hook.log 2>&1
set -ex

env

KUBEARMOR_LOG_FILE="/tmp/kubearmor.log"
echo "create-container-executed": $(date -I) $(date +%T) >> $KUBEARMOR_LOG_FILE

However, just looking at your original script, I am sure that the $USER variable might be set to a different user that you expect (or even unset in some cases as there is no guarantee for it to be present), since it's CRI-O that would run this script in the end, and you might have no permission to write to the location where the directory is pointing to (also, I assume that there is no /home/root on your file system at the moment). You have no error control enabled in your script (the set -e), as such, it will fail silently.

from cri-o.

@ChucklesDroid, now that you have things working, can we close this issue?

from cri-o.

yes lets close this @kwilczynski. Thank you everyone for your help, I appreciate that

from cri-o.

Hi I was able to get log data using journalctl -u crio. I have added the data in this gist file: https://gist.github.com/ChucklesDroid/d3285f7ef1dd262223b2044918aeec01

from cri-o.

That definitley helped out. However I am still unable to run the script. So after I changed it to boolean value. It complained about missing property hook:path. So I had to update json to the following:

{
  "version": "1.0.0",
  "hook": {
    "path": "/usr/share/containers/oci/hooks.d/create-container.sh"
  },
  "when": {
    "always": true
  },
  "stages": ["createContainer"]
}

• So a question arises is this outdated or am I understanding it wrong ? I have also referenced this hooks schema
• Also I can now see that hooks.json was accepted however my script still didnt run:

Feb 18 03:22:59 minikube crio[714]: time="2024-02-18 03:22:59.057434927Z" level=debug msg="hook hooks.json matched; adding to stages [createContainer]" file="hooks/hooks.go:111"

The pod was created using kubectl run pd-a --image=k8s.gcr.io/pause
Also 0755 permissions were given to the bash script specified above, is there something wrong with the bash script used?
Also this is the update gist
Your help has been amazing so far 🙌🙌

from cri-o.

@ChucklesDroid, some documentation around hooks can be found at the following:

• containers/common/pkg/hooks/README.md
• containers/common/pkg/hooks/docs/oci-hooks.5.md

Would this help?

from cri-o.

Hi @kwilczynski , Thanks for responding !
I have gone through both of those resources and found 2 conflicting docs which mentioned about the schema related to hooks. posix-platform-hooks and the hooks schema like I mentioned in my previous comment.

Looking at the logs the hooks.json seem to be accepted as noted by this line in the log:

Feb 18 03:22:59 minikube crio[714]: time="2024-02-18 03:22:59.057434927Z" level=debug msg="hook hooks.json matched; adding to stages [createContainer]" file="hooks/hooks.go:111"

However the bash script didn't run.(The bash script can be found above specified in the issue). So I am a bit confused what might be going wrong on my end with the script

from cri-o.

I am in tears Thank you for your help @kwilczynski it finally works !! You were right about $USER variable. I found this in the log file:

+ export KUBEARMOR_LOG_FILE=/home//kubearmor.log
+ KUBEARMOR_LOG_FILE=/home//kubearmor.log

Just one more thing I need to clarify. Whats the difference between posix-platform-hooks and hooks-schema?

from cri-o.

Just one more thing I need to clarify. Whats the difference between posix-platform-hooks and hooks-schema?

Yeah, this is an interesting question. CRI-O follows the hooks-schema in containers/common to execute OCI hooks in Kubernetes. The schema details haven't changed for more than four years now. I suspect there might be a slight divergence from OpenContainers/runtime-spec concerning the hooks aspect, at least.

@cri-o/cri-o-maintainers Any idea here?

from cri-o.

/assign kwilczynski
/assign sohankunkerkar

from cri-o.