Add support for creating oci hook to nvidia-ctk

This change extends the nvidia-ctk runtime configure command with a --config-mode=oci-hook that creates an OCI hook json file. Signed-off-by: Evan Lezar <elezar@nvidia.com>
2025-06-26 18:18:24 +00:00 · 2023-08-11 15:23:13 +02:00
parent 30c0848487
commit f6a4986c15
5 changed files with 152 additions and 55 deletions
--- a/tools/container/crio/crio.go
+++ b/tools/container/crio/crio.go
@@ -17,7 +17,6 @@
 package main

 import (
-	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -25,6 +24,7 @@ import (
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/info"
 	"github.com/NVIDIA/nvidia-container-toolkit/pkg/config/engine/crio"
+	"github.com/NVIDIA/nvidia-container-toolkit/pkg/config/ocihook"
 	"github.com/NVIDIA/nvidia-container-toolkit/tools/container"
 	log "github.com/sirupsen/logrus"
 	cli "github.com/urfave/cli/v2"
@@ -206,13 +206,8 @@ func Setup(c *cli.Context, o *options) error {
 func setupHook(o *options) error {
 	log.Infof("Installing prestart hook")

-	err := os.MkdirAll(o.hooksDir, 0755)
-	if err != nil {
-		return fmt.Errorf("error creating hooks directory %v: %v", o.hooksDir, err)
-	}
-
-	hookPath := getHookPath(o.hooksDir, o.hookFilename)
-	err = createHook(o.RuntimeDir, hookPath)
+	hookPath := filepath.Join(o.hooksDir, o.hookFilename)
+	err := ocihook.CreateHook(hookPath, filepath.Join(o.RuntimeDir, config.NVIDIAContainerRuntimeHookExecutable))
 	if err != nil {
 		return fmt.Errorf("error creating hook: %v", err)
 	}
@@ -262,7 +257,7 @@ func Cleanup(c *cli.Context, o *options) error {
 func cleanupHook(o *options) error {
 	log.Infof("Removing prestart hook")

-	hookPath := getHookPath(o.hooksDir, o.hookFilename)
+	hookPath := filepath.Join(o.hooksDir, o.hookFilename)
 	err := os.Remove(hookPath)
 	if err != nil {
 		return fmt.Errorf("error removing hook '%v': %v", hookPath, err)
@@ -295,46 +290,6 @@ func cleanupConfig(o *options) error {
 	return nil
 }

-func createHook(toolkitDir string, hookPath string) error {
-	hook, err := os.Create(hookPath)
-	if err != nil {
-		return fmt.Errorf("error creating hook file '%v': %v", hookPath, err)
-	}
-	defer hook.Close()
-
-	encoder := json.NewEncoder(hook)
-	err = encoder.Encode(generateOciHook(toolkitDir))
-	if err != nil {
-		return fmt.Errorf("error writing hook file '%v': %v", hookPath, err)
-	}
-	return nil
-}
-
-func getHookPath(hooksDir string, hookFilename string) string {
-	return filepath.Join(hooksDir, hookFilename)
-}
-
-func generateOciHook(toolkitDir string) podmanHook {
-	hookPath := filepath.Join(toolkitDir, config.NVIDIAContainerRuntimeHookExecutable)
-	envPath := "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:" + toolkitDir
-	always := true
-
-	hook := podmanHook{
-		Version: "1.0.0",
-		Stages:  []string{"prestart"},
-		Hook: specHook{
-			Path: hookPath,
-			Args: []string{filepath.Base(config.NVIDIAContainerRuntimeHookExecutable), "prestart"},
-			Env:  []string{envPath},
-		},
-		When: When{
-			Always:   &always,
-			Commands: []string{".*"},
-		},
-	}
-	return hook
-}
-
 // RestartCrio restarts crio depending on the value of restartModeFlag
 func RestartCrio(o *options) error {
 	return o.Restart("crio", func(string) error { return fmt.Errorf("supporting crio via signal is unsupported") })
--- a/tools/container/crio/hooks.go
+++ b/tools/container/crio/hooks.go
@@ -1,50 +0,0 @@
-/**
-# Copyright (c) 2022, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package main
-
-// podmanHook is the hook configuration structure.
-// This is taken from `Hook` at https://github.com/containers/podman/blob/3c53200e9d61fdf95fe1da825bb2a89372551350/pkg/hooks/1.0.0/hook.go#L18
-type podmanHook struct {
-	Version string   `json:"version"`
-	Hook    specHook `json:"hook"`
-	When    When     `json:"when"`
-	Stages  []string `json:"stages"`
-}
-
-// specHook specifies a command that is run at a particular event in the lifecycle of a container
-// This is taken from `Hook` at https://github.com/opencontainers/runtime-spec/blob/9ee22abf867e374c5464c7bbe0d0db01482254ab/specs-go/config.go#L128
-type specHook struct {
-	Path    string   `json:"path"`
-	Args    []string `json:"args,omitempty"`
-	Env     []string `json:"env,omitempty"`
-	Timeout *int     `json:"timeout,omitempty"`
-}
-
-// When holds hook-injection conditions.
-// This is taken from `When` at https://github.com/containers/podman/blob/3c53200e9d61fdf95fe1da825bb2a89372551350/pkg/hooks/1.0.0/when.go#L11
-type When struct {
-	Always        *bool             `json:"always,omitempty"`
-	Annotations   map[string]string `json:"annotations,omitempty"`
-	Commands      []string          `json:"commands,omitempty"`
-	HasBindMounts *bool             `json:"hasBindMounts,omitempty"`
-
-	// Or enables any-of matching.
-	//
-	// Deprecated: this property is for is backwards-compatibility with
-	// 0.1.0 hooks.  It will be removed when we drop support for them.
-	Or bool `json:"-"`
-}