runc's poststart behaviour doesn't match the runtime-spec
Description
poststart runs in the runc create stage, which doesn't match the runtime-spec. The spec says "poststart after the user-specified process is executed but before the start operation returns": https://github.com/opencontainers/runtime-spec/blob/v1.2.0/config.md#poststart
Steps to reproduce the issue
config.json
```json
{
  "ociVersion": "1.0.2-dev",
  "process": {
    "terminal": false,
    "user": {
      "uid": 0,
      "gid": 0
    },
    "args": [
      "sh"
    ],
    "env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "TERM=xterm"
    ],
    "cwd": "/",
    "capabilities": {
      "bounding": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE"
      ],
      "effective": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE"
      ],
      "permitted": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE"
      ],
      "ambient": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE"
      ]
    },
    "rlimits": [
      {
        "type": "RLIMIT_NOFILE",
        "hard": 1024,
        "soft": 1024
      }
    ],
    "noNewPrivileges": true
  },
  "root": {
    "path": "rootfs",
    "readonly": false
  },
  "hostname": "runc",
  "mounts": [
    {
      "destination": "/proc",
      "type": "proc",
      "source": "proc"
    },
    {
      "destination": "/dev",
      "type": "tmpfs",
      "source": "tmpfs",
      "options": [
        "nosuid",
        "strictatime",
        "mode=755",
        "size=65536k"
      ]
    },
    {
      "destination": "/dev/pts",
      "type": "devpts",
      "source": "devpts",
      "options": [
        "nosuid",
        "noexec",
        "newinstance",
        "ptmxmode=0666",
        "mode=0620"
      ]
    },
    {
      "destination": "/dev/shm",
      "type": "tmpfs",
      "source": "shm",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "mode=1777",
        "size=65536k"
      ]
    },
    {
      "destination": "/dev/mqueue",
      "type": "mqueue",
      "source": "mqueue",
      "options": [
        "nosuid",
        "noexec",
        "nodev"
      ]
    },
    {
      "destination": "/sys",
      "type": "sysfs",
      "source": "sysfs",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "ro"
      ]
    },
    {
      "destination": "/sys/fs/cgroup",
      "type": "cgroup",
      "source": "cgroup",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "relatime",
        "ro"
      ]
    }
  ],
  "hooks": {
    "poststart": [
      {
        "path": "/usr/bin/sleep",
        "args": ["/usr/bin/sleep", "10"]
      }
    ]
  },
  "linux": {
    "resources": {
      "devices": [
        {
          "allow": false,
          "access": "rwm"
        }
      ]
    },
    "uidMappings": [
      {
        "containerID": 0,
        "hostID": 1000,
        "size": 1
      }
    ],
    "gidMappings": [
      {
        "containerID": 0,
        "hostID": 1000,
        "size": 1
      }
    ],
    "namespaces": [
      {
        "type": "pid"
      },
      {
        "type": "network"
      },
      {
        "type": "ipc"
      },
      {
        "type": "uts"
      },
      {
        "type": "mount"
      }
    ],
    "maskedPaths": [
      "/proc/acpi",
      "/proc/asound",
      "/proc/kcore",
      "/proc/keys",
      "/proc/latency_stats",
      "/proc/timer_list",
      "/proc/timer_stats",
      "/proc/sched_debug",
      "/sys/firmware",
      "/proc/scsi"
    ],
    "readonlyPaths": [
      "/proc/bus",
      "/proc/fs",
      "/proc/irq",
      "/proc/sys",
      "/proc/sysrq-trigger"
    ]
  }
}
```
I set

```json
"Poststart": [
  {
    "path": "/usr/bin/sleep",
    "args": ["/usr/bin/sleep", "10"]
  }
]
```

```
[root@localhost mycontainer]# time runc create test0001
real 0m10.199s
user 0m0.010s
sys 0m0.035s
```

That means poststart runs in the create stage.
Describe the results you received and expected
Expected: match the runtime-spec.
What version of runc are you using?
1.1.12
Host OS information
linux
Host kernel information
any
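A diagnostic poststart hook, added here as an example (not runc's code and not the reporter's), that checks the ordering from the hook's own input instead of by timing: the runtime pipes the container state JSON to the hook, and the spec places poststart after the user process is running, so a hook that sees `"status": "created"` was invoked during `create`. The hook path, the `--hook` argument convention and the log location are assumptions.

```shell
#!/bin/sh
# Diagnostic poststart hook (added example; not runc code and not from the
# issue reporter). The runtime pipes the container state JSON to the hook's
# stdin. Per runtime-spec, poststart fires after the user process is running,
# so "status" should read "running"; seeing "created" means the hook ran
# during `runc create`, which is the ordering this issue reports.
# Usage as a hook (assumed path):  "path": "/usr/local/bin/poststart-check.sh",
#                                  "args": ["poststart-check.sh", "--hook"]

# Pull the "status" value out of a state JSON document passed as $1.
# Handles compact and pretty-printed JSON as long as key and value share a line.
state_status() {
    printf '%s\n' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeeds (exit 0) only when the status matches the spec's poststart point.
poststart_ordering_ok() {
    [ "$(state_status "$1")" = "running" ]
}

# Hook mode: read the state from stdin and append a verdict to a log file.
run_hook() {
    state=$(cat)
    log=${POSTSTART_LOG:-/tmp/poststart-check.log}   # assumed log location
    if poststart_ordering_ok "$state"; then
        echo "$(date +%s) ok status=$(state_status "$state")" >> "$log"
    else
        echo "$(date +%s) TOO-EARLY status=$(state_status "$state")" >> "$log"
    fi
}

# Constructed sample of what a hook receives when invoked during create.
SAMPLE_CREATED_STATE='{"ociVersion":"1.0.2-dev","id":"test0001","status":"created","pid":4242,"bundle":"/mycontainer"}'

# Self-check on the constructed sample: succeeds if the sample would be
# flagged as too early, which is what this issue describes.
demo_flags_created() {
    ! poststart_ordering_ok "$SAMPLE_CREATED_STATE"
}

if [ "$1" = "--hook" ]; then
    run_hook
else
    demo_flags_created && echo "sample status '$(state_status "$SAMPLE_CREATED_STATE")' would be flagged as too early"
fi
```

Wire it in as the `poststart` hook in place of the `sleep` entry above and inspect the log after `runc create` versus `runc start`; a `TOO-EARLY` line written before `runc start` was ever invoked confirms the ordering the issue describes.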
Previous discussion in runtime-spec: https://github.com/opencontainers/runtime-spec/pull/1259
Moved the milestone to 1.2.0.
Moved the milestone to 1.3.0. Dealing with this is going to take a while, and we should just get 1.2.0 out (this is a pre-existing issue anyway).
This completely dropped off my radar. We can try to consider this a bugfix for 1.3.0, or fix it in 1.4.0-rc.1 and see if it's worth backporting the fix.
Forgot about this again -- moving to 1.5.
@kolyshkin Am I correct with understanding that with opencontainers/runtime-spec#1262 merged, runc's behaviour is correct and we no longer need any PRs to fix this (including #4348)?
Can we close this now? Can someone confirm that the spec was updated to match runc's behavior and this is no longer an issue?
My understanding is we can close it, I was hoping to get confirmation from @kolyshkin first since he did the spec PRs.
Hi all - I got here while looking at https://github.com/moby/moby/issues/51077 ... it's reporting the same thing as the initial description here, the "poststart" hook is called before the user process is started.
I think the discussion about error handling in https://github.com/opencontainers/runc/pull/4348 that resulted in https://github.com/opencontainers/runtime-spec/pull/1262 is a bit separate? So, the part of https://github.com/opencontainers/runc/pull/4348 that moves the call to poststart might still be relevant?
Yeah, looking at https://github.com/opencontainers/runc/pull/4348#discussion_r1679586846 again, I think I misremembered the error case as being the main point of contention. We can probably carry the PR...
This won't be able to make it in 1.4.0 at this point, so I'll slate it for 1.5. I'll sit down and do the backport in the coming weeks so we (read: I) don't forget...