libcontainer: Set 'status' in hook stdin

[wking]

Finish off the work started in #1201 to bring hook stdin into compliance with runtime-spec.

Also:

• Drop HookState, since there's no need for a local alias for specs.State.
• Add len guards to avoid computing the state when .Hooks is non-nil but the particular phase we're looking at is empty. I had to drop these to satisfy @cyphar here.
• Also set c.initProcess in newInitProcess to support OCIState calls from within initProcess.start(). I think the cyclic references between linuxContainer and initProcess are unfortunate, but didn't want to address that here.
• I've also left the timing of the Prestart hooks alone, although the spec calls for them to happen before start (not as part of creation, 'prestart/poststart' hooks are done in the 'create' operation #1710). Once the timing gets fixed we can drop the initProcessStartTime hacks which initProcess.start currently needs.

I'm not sure why we trigger the prestart hooks in response to both procReady and procHooks. But we've had two prestart rounds in initProcess.start since #568. I've left that alone too.

[cyphar]

I'm not sure why we trigger the prestart hooks in response to both procReady and procHooks. But we've had two prestart rounds in initProcess.start since #568.

That is almost definitely a bug, since the change you refer to was meant to move the hooks to be run earlier rather than duplicate running them. I'm a little confused why nobody has opened a bug about this (maybe pre-start just isn't used as often as post-start). /cc @mrunalp

Once the timing gets fixed we can drop the initProcessStartTime hacks which initProcess.start currently needs.

I'm not sure this is correct, but will take a proper look when I get a chance.

[dongsupark]

This PR looks good to me.
However, even with this PR, the runtime-tools validation/hooks_stdin.t test still fails with an empty status, as mentioned in opencontainers/runtime-tools#608.
Is this PR not sufficient to fix the issue?

[wking]

However, even with this PR, the runtime-tools validation/hooks_stdin.t test still fails with an empty status, as mentioned in opencontainers/runtime-tools#608.

Can you post the error you see after this patch? In the list in my topic post here I point out some issues I'm not addressing; maybe you're hitting #1710?

[dongsupark]

Basically the same as one from opencontainers/runtime-tools#608 (comment).

TAP version 13
not ok 1 - the state of the container MUST be passed to "prestart" hook over stdin
  ---
  {
    "error": "1 error occurred:\n\n* wrong status \"\" in the stdin of prestart hook, expected \"created\"",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-platform-hooks"
  }
  ...
not ok 2 - the state of the container MUST be passed to "poststart" hook over stdin
  ---
  {
    "error": "1 error occurred:\n\n* wrong status \"\" in the stdin of poststart hook, expected \"running\"",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-platform-hooks"
  }
  ...
not ok 3 - the state of the container MUST be passed to "poststop" hook over stdin
  ---
  {
    "error": "1 error occurred:\n\n* status in the stdin of poststop hook should not be empty",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-platform-hooks"
  }
  ...
1..3

[wking]

* wrong status \"\" in the stdin of prestart hook, expected \"created\"

Huh. I'll have to dig deeper later today. Right now I don't see how this is possible.

[dongsupark]

@wking Sorry, ignore my comment above. There was a test setup issue.

Now with a correct test setup, I'm getting the following errors:

TAP version 13
not ok 1 - the state of the container MUST be passed to "prestart" hook over stdin
  ---
  {
    "error": "1 error occurred:\n\n* wrong status \"creating\" in the stdin of prestart hook, expected \"created\"",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-platform-hooks"
  }
  ...
not ok 2 - the state of the container MUST be passed to "poststart" hook over stdin
  ---
  {
    "error": "1 error occurred:\n\n* wrong status \"created\" in the stdin of poststart hook, expected \"running\"",
    "reference": "https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-platform-hooks"
  }
  ...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x4f5a02]

goroutine 1 [running]:
github.com/opencontainers/runtime-tools/vendor/github.com/hashicorp/go-multierror.(*Error).Error(0x0, 0x7dfc20, 0xc420224480)
	/home/dpark/go/src/github.com/opencontainers/runtime-tools/vendor/github.com/hashicorp/go-multierror/multierror.go:15 +0x22
main.main()
	/home/dpark/go/src/github.com/opencontainers/runtime-tools/validation/hooks_stdin.go:154 +0x11ba

The first two failures happen because of #1710, right?
The last panic is rather a runtime-tools issue. I'll create a PR to fix it in runtime-tools.

[wking]

The first two failures happen because of #1710, right?

Yeah.

[cyphar]

So it looks like this has been merged into #1811. I'm going to close this and I'll get #1811 merged (hopefully for 1.0).

[cyphar]

The len additions is really not necessary, and I think it should be removed from all the patches.

If you want, I can just combine this and #1811 in a new PR that I will rebase and fix so we can get 1.0 sooner.

[wking]

The len additions is really not necessary...

From my commit message and topic post:

Add len guards to avoid computing the state when .Hooks is non-nil but the particular phase we're looking at is empty.

Are you saying that state computation is so cheap that it's not worth a len(c.config.Hooks.Poststart) > 0 guard?

[cyphar]

Yeah, I don't think the state computation is expensive enough that it makes sense to have likely-to-be-incorrectly-copy-pasted checks.

[wking]

... likely-to-be-incorrectly-copy-pasted checks.

Wouldn't we expect unit testing to catch this? If it's not covered now, I think it should be. The runtime-tools compliance suite should already cover it.

[wking]

And building the status hits the filesystem for at least this, and probably more.

[wking]

So they seem like a slam dunk to me, but if you're still unconvinced when I wake back up, I'll drop the guards ;).

[cyphar]

/proc reading is quite cheap, and it should be noted that it will only be hit if config.Hooks != nil which IIRC would require having at least one hook defined... I mean, whatever. My main gripe with it is that it looks a bit ugly and I guarantee someone will screw it up in a copy-paste.

[wking]

/proc reading is quite cheap...

Compared to, say hitting a disk. Certainly not compared to a len call.

My main gripe with it is that it looks a bit ugly and I guarantee someone will screw it up in a copy-paste.

And get that screw-up through CI and review? I'm sceptical ;). But whatever, I'm not a maintainer. Rebased onto master (because I'm touching it anyway) and dropped the len guards with 6ff5804 -> e238686.

[cyphar]

This is one of two final PRs for 1.0. Thanks!

/cc @opencontainers/runc-maintainers

[cyphar]

/cc @mrunalp

You said you wanted to test this.

[cyphar]

LGTM LGTM LGTM LGTM.

(Yoohoo! PullApprove! Time to wake up!)

[crosbymichael]

LGTM

[cyphar]

I'll wait until @mrunalp checks this before merging.

[cyphar]

/cc @RenaudWasTaken @flx42

Does this break you folks as well? This one is pretty critical for OCI compliance.

[RenaudWasTaken]

Does this break you folks as well? This one is pretty critical for OCI compliance.

Thanks for asking!
My understanding of this PR is that you are adding the status field in the struct / json a hook can read from stdin.
In this case, this is a non breaking change in the "hook API" and it won't affect us, as we only rely on getting the Bundle to read the spec.

[cyphar]

@RenaudWasTaken Yeah, that's right.

Merging since the change is won't break existing users.