
Remove oci-hooks from QM

Open aesteve-rh opened this issue 4 months ago • 12 comments

After pushing the hooks into QM, we realized (thanks to @alexlarsson) that the scripts were actually quite generic, and could just be moved to their own standalone project/library.

We are working on it at the moment. As soon as it is ready, and ideally after moving it to the containers namespace, we should remove the oci-hooks from the qm container and make the main package depend on the new hook project.

I will link the new repository here once we get there.

aesteve-rh avatar Sep 12 '25 11:09 aesteve-rh

cc: @telemaco @dougsland @Yarboa

aesteve-rh avatar Sep 12 '25 11:09 aesteve-rh

Sure, once the new home for OCI-hooks is ready, @lsm5 can you help us with that? Are you aware of that plan? There is a request to migrate that directory https://github.com/containers/qm/tree/main/oci-hooks https://github.com/containers/qm/blob/main/subsystems/qm-oci-hooks/Makefile under https://github.com/containers/oci-hooks

in order to use it in a generic way under containers.

Yarboa avatar Sep 13 '25 18:09 Yarboa

under https://github.com/containers/oci-hooks

It would be something like oci-dev-binder-hook. Similar to https://github.com/containers/oci-seccomp-bpf-hook.

aesteve-rh avatar Sep 15 '25 13:09 aesteve-rh

Sure once new home for OCI-hooks is ready, @lsm5 can you help us with that ?

I don't have access. @Luap99 @baude PTAL

lsm5 avatar Sep 15 '25 13:09 lsm5

What should the repo name be? Just checking the hook scripts, I see things like org.containers.qm.device.audio as annotation names, so that doesn't sound very generic. Will these names be changed?

Second, looking at https://github.com/containers/qm/blob/main/SECURITY.md, that just points at the generic podman list, which I think is incorrect. None of the podman maintainers maintain this here. I think projects like this should have their own security policy instead of going through the podman maintainers.

Luap99 avatar Sep 15 '25 13:09 Luap99

Also, for creating new repos it would be best to involve more people, I think. It is not clear to me what the end goal of a generic oci-hooks repo would be. What kind of hooks should be there? Most hooks are by design special purpose, so I am not sure what kind of things you would want to add into such a repo. Maybe it would be best to discuss the use case at the podman community meetings?

cc @TomSweeneyRedHat @rhatdan @baude @mheon

Luap99 avatar Sep 15 '25 13:09 Luap99

@Luap99 The purpose of the hook is to dynamically discover devices leveraging udev. The reasoning is that QM needs to support certain scenarios that depend on, e.g., the GPUs, the video devices, DRM cards, sound devices, or input devices. That is, we need to support configurations that are agnostic of the underlying hardware, and can discover and mount those devices inside the container.

However, this is hardly a QM-specific feature. Other containers could benefit from these dynamic device discovery hooks. Thus, the ask to have a repository in containers.

The hook will be named oci-dev-binder-hook.

aesteve-rh avatar Sep 15 '25 15:09 aesteve-rh

@Luap99 while we discuss the repo in containers we have created https://github.com/telemaco/oci-dev-binder-hook as a temporary repository to work on.

The name of the hook, as you can see in the URL, will be oci-dev-binder-hook, which is a lot more descriptive than oci-hooks. But we still have time to change it if we find something better.

The annotation is probably going to be something similar to io.dev-binder.udev.seat as can be seen in https://github.com/telemaco/oci-dev-binder-hook/pull/5.

The idea is to be able to mount all devices discovered by udev based on some information (i.e., in principle it is going to be the tag value) in batch. In the context of QM (and potentially other containers), this allows mounting devices by discovering them at precreation time, without having them hardcoded in the settings or setting them explicitly (and one by one) on the command line with --add-device. Mainly for our use case, it allows having quadlet files that are agnostic of the underlying hardware. But we think mounting devices in batch is generally useful.

aesteve-rh avatar Sep 19 '25 13:09 aesteve-rh
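As an added illustration of the batch-binding idea described in the comment above, here is a Python sketch of a precreate-stage hook; it is example code written for this thread, not code from QM or from oci-dev-binder-hook. It assumes podman's precreate convention (the OCI config.json arrives on stdin and the modified config is written to stdout), that the io.dev-binder.udev.seat annotation carries the udev tag to match, and it replaces the udev query with a constructed device list so it runs offline.

```python
"""Precreate-stage hook sketch: bind all devices carrying a udev tag in batch."""
import json
import sys

# Annotation name suggested in the thread; its value is the udev tag to match.
ANNOTATION = "io.dev-binder.udev.seat"

# Constructed stand-in for a udev enumeration (values are made up for the example).
# A real hook would query udev instead of reading a static list.
FAKE_UDEV_DB = [
    {"devnode": "/dev/dri/card0", "major": 226, "minor": 0, "tags": {"seat", "master-of-seat"}},
    {"devnode": "/dev/snd/controlC0", "major": 116, "minor": 2, "tags": {"seat"}},
    {"devnode": "/dev/input/event3", "major": 13, "minor": 67, "tags": {"power-switch"}},
]


def discover(tag, udev_db=FAKE_UDEV_DB):
    """Return the device records carrying the requested udev tag, in stable order."""
    return sorted((d for d in udev_db if tag in d["tags"]), key=lambda d: d["devnode"])


def bind_devices(config, udev_db=FAKE_UDEV_DB):
    """Add every tag-matching device to linux.devices and to the device cgroup allowlist.

    Containers without the annotation are returned untouched: binding is opt-in.
    """
    tag = config.get("annotations", {}).get(ANNOTATION)
    if not tag:
        return config
    linux = config.setdefault("linux", {})
    devices = linux.setdefault("devices", [])
    allow = linux.setdefault("resources", {}).setdefault("devices", [])
    present = {d["path"] for d in devices}
    for dev in discover(tag, udev_db):
        if dev["devnode"] in present:
            continue  # keep devices the user already listed explicitly
        devices.append({"path": dev["devnode"], "type": "c",
                        "major": dev["major"], "minor": dev["minor"],
                        "fileMode": 0o660, "uid": 0, "gid": 0})
        # Creating the node is not enough: the device cgroup must allow exactly
        # this major:minor. No wildcard rule is added, so nothing else is exposed.
        allow.append({"allow": True, "type": "c", "major": dev["major"],
                      "minor": dev["minor"], "access": "rwm"})
    return config


if __name__ == "__main__":
    # Precreate convention assumed here: config.json in on stdin, modified config out.
    json.dump(bind_devices(json.load(sys.stdin)), sys.stdout)
```

Only devices tagged with the annotation's value are added, and each one gets its own cgroup rule, so a quadlet file can stay hardware-agnostic without granting access to the whole device class.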

Ok, yeah, a repo with a specific hook sounds good to me. I was thinking you wanted one generic repo where you add many different hooks, which seemed odd to me. I am ok with adding this repo as long as it is clear who maintains it.

Luap99 avatar Sep 19 '25 14:09 Luap99

@Luap99 so what are the next steps to achieve this? Should we move this discussion to a broader audience?

aesteve-rh avatar Oct 01 '25 14:10 aesteve-rh

I think a larger, broader audience would be nice; since there have been no comments from the people I pinged, I have no idea what they think about it.

Do you have time to present your hook at the Podman community meeting next Tuesday? Feel free to edit the agenda and add yourself: https://hackmd.io/fc1zraYdS0-klJ2KJcfC7w. Then maybe that could generate some interest from other users as well who are looking for something like this, and we can get feedback from the other owners in the org here.

Luap99 avatar Oct 01 '25 14:10 Luap99

Update: https://github.com/containers/oci-dev-binder-hook created.

We will soon clean the hooks from QM.

aesteve-rh avatar Nov 26 '25 14:11 aesteve-rh