Add support for creating oci hook to nvidia-ctk

This change extends the nvidia-ctk runtime configure command with a --config-mode=oci-hook that creates an OCI hook json file. Signed-off-by: Evan Lezar <elezar@nvidia.com>
2025-06-26 18:18:24 +00:00 · 2023-08-11 15:23:13 +02:00
parent 30c0848487
commit f6a4986c15
5 changed files with 152 additions and 55 deletions
--- a/pkg/config/ocihook/hooks.go
+++ b/pkg/config/ocihook/hooks.go
@@ -0,0 +1,50 @@
+/**
+# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package ocihook
+
+// podmanHook is the hook configuration structure.
+// This is taken from `Hook` at https://github.com/containers/podman/blob/3c53200e9d61fdf95fe1da825bb2a89372551350/pkg/hooks/1.0.0/hook.go#L18
+type podmanHook struct {
+	Version string   `json:"version"`
+	Hook    specHook `json:"hook"`
+	When    When     `json:"when"`
+	Stages  []string `json:"stages"`
+}
+
+// specHook specifies a command that is run at a particular event in the lifecycle of a container
+// This is taken from `Hook` at https://github.com/opencontainers/runtime-spec/blob/9ee22abf867e374c5464c7bbe0d0db01482254ab/specs-go/config.go#L128
+type specHook struct {
+	Path    string   `json:"path"`
+	Args    []string `json:"args,omitempty"`
+	Env     []string `json:"env,omitempty"`
+	Timeout *int     `json:"timeout,omitempty"`
+}
+
+// When holds hook-injection conditions.
+// This is taken from `When` at https://github.com/containers/podman/blob/3c53200e9d61fdf95fe1da825bb2a89372551350/pkg/hooks/1.0.0/when.go#L11
+type When struct {
+	Always        *bool             `json:"always,omitempty"`
+	Annotations   map[string]string `json:"annotations,omitempty"`
+	Commands      []string          `json:"commands,omitempty"`
+	HasBindMounts *bool             `json:"hasBindMounts,omitempty"`
+
+	// Or enables any-of matching.
+	//
+	// Deprecated: this property is for is backwards-compatibility with
+	// 0.1.0 hooks.  It will be removed when we drop support for them.
+	Or bool `json:"-"`
+}
--- a/pkg/config/ocihook/oci-hook.go
+++ b/pkg/config/ocihook/oci-hook.go
@@ -0,0 +1,89 @@
+/**
+# Copyright (c) NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package ocihook
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// CreateHook creates an OCI hook file for the specified NVIDIA Container Runtime hook path
+func CreateHook(hookFilePath string, nvidiaContainerRuntimeHookExecutablePath string) error {
+	var output io.Writer
+	if hookFilePath == "" {
+		output = os.Stdout
+	} else {
+		if hooksDir := filepath.Dir(hookFilePath); hooksDir != "" {
+			err := os.MkdirAll(hooksDir, 0755)
+			if err != nil {
+				return fmt.Errorf("error creating hooks directory %v: %v", hooksDir, err)
+			}
+		}
+
+		hookFile, err := os.Create(hookFilePath)
+		if err != nil {
+			return fmt.Errorf("error creating hook file '%v': %v", hookFilePath, err)
+		}
+		defer hookFile.Close()
+		output = hookFile
+	}
+
+	encoder := json.NewEncoder(output)
+	encoder.SetIndent("", "  ")
+	if err := encoder.Encode(generateOciHook(nvidiaContainerRuntimeHookExecutablePath)); err != nil {
+		return fmt.Errorf("error writing hook file: %v", err)
+	}
+	return nil
+}
+
+func generateOciHook(executablePath string) podmanHook {
+	pathParts := []string{"/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"}
+
+	dir := filepath.Dir(executablePath)
+	var found bool
+	for _, pathPart := range pathParts {
+		if pathPart == dir {
+			found = true
+			break
+		}
+	}
+	if !found {
+		pathParts = append(pathParts, dir)
+	}
+
+	envPath := "PATH=" + strings.Join(pathParts, ":")
+	always := true
+
+	hook := podmanHook{
+		Version: "1.0.0",
+		Stages:  []string{"prestart"},
+		Hook: specHook{
+			Path: executablePath,
+			Args: []string{filepath.Base(executablePath), "prestart"},
+			Env:  []string{envPath},
+		},
+		When: When{
+			Always:   &always,
+			Commands: []string{".*"},
+		},
+	}
+	return hook
+}