cli: add guest hook path option

Fixes: kata-containers#720

Co-authored-by: Edward Guzman <eguzman@nvidia.com>
Co-authored-by: Felix Abecassis <fabecassis@nvidia.com>
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

Makefile

@@ -149,6 +149,7 @@ DEFENABLEDEBUG := false
 DEFDISABLENESTINGCHECKS := false
 DEFMSIZE9P := 8192
 DEFHOTPLUGVFIOONROOTBUS := false
+DEFGUESTHOOKPATH :=
 
 SED = sed
 
@@ -225,6 +226,7 @@ USER_VARS += DEFDISABLENESTINGCHECKS
 USER_VARS += DEFMSIZE9P
 USER_VARS += DEFHOTPLUGVFIOONROOTBUS
 USER_VARS += DEFENTROPYSOURCE
+USER_VARS += DEFGUESTHOOKPATH
 
 
 V              = @
@@ -328,6 +330,7 @@ const defaultDisableNestingChecks bool = $(DEFDISABLENESTINGCHECKS)
 const defaultMsize9p uint32 = $(DEFMSIZE9P)
 const defaultHotplugVFIOOnRootBus bool = $(DEFHOTPLUGVFIOONROOTBUS)
 const defaultEntropySource = "$(DEFENTROPYSOURCE)"
+const defaultGuestHookPath string = "$(DEFGUESTHOOKPATH)"
 
 // Default config file used by stateless systems.
 var defaultRuntimeConfiguration = "$(CONFIG_PATH)"
@@ -419,6 +422,7 @@ $(GENERATED_FILES): %: %.in Makefile VERSION
 		-e "s|@DEFMSIZE9P@|$(DEFMSIZE9P)|g" \
 		-e "s|@DEFHOTPLUGONROOTBUS@|$(DEFHOTPLUGVFIOONROOTBUS)|g" \
 		-e "s|@DEFENTROPYSOURCE@|$(DEFENTROPYSOURCE)|g" \
+		-e "s|@DEFGUESTHOOKPATH@|$(DEFGUESTHOOKPATH)|g" \
 		$< > $@
 
 generate-config: $(CONFIG)

cli/config.go

@@ -98,6 +98,7 @@ type hypervisor struct {
 	UseVSock              bool   `toml:"use_vsock"`
 	HotplugVFIOOnRootBus  bool   `toml:"hotplug_vfio_on_root_bus"`
 	DisableVhostNet       bool   `toml:"disable_vhost_net"`
+	GuestHookPath         string `toml:"guest_hook_path"`
 }
 
 type proxy struct {
@@ -302,6 +303,13 @@ func (h hypervisor) useVSock() bool {
 	return h.UseVSock
 }
 
+func (h hypervisor) guestHookPath() string {
+	if h.GuestHookPath == "" {
+		return defaultGuestHookPath
+	}
+	return h.GuestHookPath
+}
+
 func (p proxy) path() string {
 	if p.Path == "" {
 		return defaultProxyPath
@@ -426,6 +434,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		UseVSock:              useVSock,
 		HotplugVFIOOnRootBus:  h.HotplugVFIOOnRootBus,
 		DisableVhostNet:       h.DisableVhostNet,
+		GuestHookPath:         h.guestHookPath(),
 	}, nil
 }
 
@@ -547,6 +556,7 @@ func loadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 		EnableIOThreads:       defaultEnableIOThreads,
 		Msize9p:               defaultMsize9p,
 		HotplugVFIOOnRootBus:  defaultHotplugVFIOOnRootBus,
+		GuestHookPath:         defaultGuestHookPath,
 	}
 
 	err = config.InterNetworkModel.SetModel(defaultInterNetworkingModel)

cli/config/configuration.toml.in

@@ -167,6 +167,13 @@ enable_iothreads = @DEFENABLEIOTHREADS@
 # all practical purposes.
 #entropy_source= "@DEFENTROPYSOURCE@"
 
+# If set to an absolute path within the guest rootfs, the agent will search
+# this directory for OCI hooks and add them to the guest container's lifecycle.
+# https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
+# Hooks must be stored in a subdirectory of guest_hook_path named after the
+# hook type, e.g. prestart hooks must be in "guest_hook_path/prestart/"
+#guest_hook_path = "@DEFGUESTHOOKPATH@"
+
 [factory]
 # VM templating support. Once enabled, new VMs are created from template
 # using vm cloning. They will share the same initial kernel, initramfs and

cli/config_test.go

@@ -61,6 +61,7 @@ func makeRuntimeConfigFileData(hypervisor, hypervisorPath, kernelPath, imagePath
 	hotplug_vfio_on_root_bus =  ` + strconv.FormatBool(hotplugVFIOOnRootBus) + `
 	msize_9p = ` + strconv.FormatUint(uint64(defaultMsize9p), 10) + `
 	enable_debug = ` + strconv.FormatBool(hypervisorDebug) + `
+	guest_hook_path = "` + defaultGuestHookPath + `"
 
 	[proxy.kata]
 	enable_debug = ` + strconv.FormatBool(proxyDebug) + `
@@ -161,6 +162,7 @@ func createAllRuntimeConfigFiles(dir, hypervisor string) (config testRuntimeConf
 		Msize9p:               defaultMsize9p,
 		MemSlots:              defaultMemSlots,
 		EntropySource:         defaultEntropySource,
+		GuestHookPath:         defaultGuestHookPath,
 	}
 
 	agentConfig := vc.KataAgentConfig{}
@@ -596,6 +598,7 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 		Mlock:                 !defaultEnableSwap,
 		BlockDeviceDriver:     defaultBlockDeviceDriver,
 		Msize9p:               defaultMsize9p,
+		GuestHookPath:         defaultGuestHookPath,
 	}
 
 	expectedAgentConfig := vc.KataAgentConfig{}
@@ -1078,6 +1081,21 @@ func TestHypervisorDefaultsImage(t *testing.T) {
 	assert.Equal(p, "")
 }
 
+func TestHypervisorDefaultsGuestHookPath(t *testing.T) {
+	assert := assert.New(t)
+
+	h := hypervisor{}
+	guestHookPath := h.guestHookPath()
+	assert.Equal(guestHookPath, defaultGuestHookPath, "default guest hook path wrong")
+
+	testGuestHookPath := "/test/guest/hook/path"
+	h = hypervisor{
+		GuestHookPath: testGuestHookPath,
+	}
+	guestHookPath = h.guestHookPath()
+	assert.Equal(guestHookPath, testGuestHookPath, "custom guest hook path wrong")
+}
+
 func TestProxyDefaults(t *testing.T) {
 	p := proxy{}
 

virtcontainers/hypervisor.go

@@ -250,6 +250,9 @@ type HypervisorConfig struct {
 
 	// DisableVhostNet is used to indicate if host supports vhost_net
 	DisableVhostNet bool
+
+	// GuestHookPath is the path within the VM that will be used for 'drop-in' hooks
+	GuestHookPath string
 }
 
 func (conf *HypervisorConfig) checkTemplateConfig() error {

virtcontainers/kata_agent.go

@@ -631,10 +631,11 @@ func (k *kataAgent) startSandbox(sandbox *Sandbox) error {
 	}
 
 	req := &grpc.CreateSandboxRequest{
-		Hostname:     hostname,
-		Storages:     storages,
-		SandboxPidns: sandbox.sharePidNs,
-		SandboxId:    sandbox.id,
+		Hostname:      hostname,
+		Storages:      storages,
+		SandboxPidns:  sandbox.sharePidNs,
+		SandboxId:     sandbox.id,
+		GuestHookPath: sandbox.config.HypervisorConfig.GuestHookPath,
 	}
 
 	_, err = k.sendReq(req)