validate: add Hooks validation

[Mashimiao]

Signed-off-by: Ma Shimiao mashimiao.fnst@cn.fujitsu.com

[wking]

process is a strange name for this variable. How about hooks? And hooks are in the host mount namespace, so I don't think we need rootfs.

[Mashimiao]

@wking change process to hooks is fine.
hooks are in the host mount namespace I'm not sure what it means.
Do you mean hooks is not in OCI bundle?

[wking]

On Thu, Apr 28, 2016 at 07:54:26PM -0700, Ma Shimiao wrote:

hooks are in the host mount namespace I'm not sure what it means.
Do you mean hooks is not in OCI bundle?

The may be in the bundle, but if they are, the path will be
/path/to/bundle/and/hook, not /and/hook. Specs are 1:

“Hook paths are absolute and are executed from the host's
filesystem.”

Although I'd be happier if the wording used “runtime namespace” 2 so
it was explicit about other namespaces as well (e.g. hooks are also in
the host network namepace, the host ipc namespace, …).

[wking]

This sort of validation would be easier if we could recycle the
process validator 1.

 Subject: Unify container-process and hook-process structures
 Date: Mon, 4 Jan 2016 21:56:37 -0800
 Message-ID: <20160105055637.GG6362@odin.tremily.us>

[liangchenye]

Thanks @Mashimiao,
if we want to check hook, we can just check hook.Path directly, there is no need to join the rootfs.

Hook paths are absolute and are executed from the host's filesystem.

Also, since the hook command exists in the host's filesystem, we can not check that in bundle validation.go. (But we reuse this code in runtime test.)

[wking]

On Tue, May 03, 2016 at 02:36:04AM -0700, 梁辰晔 (Liang Chenye) wrote:

Also, since the hook command exists in the host's filesystem, we can
not check that in bundle validation.go.

We can check “Does the hook command exist in the host's filesystem?”,
it's just that the check will not be portable. I think it's still
worth performing the check (e.g. see opencontainers/runtime-spec#418),
but it's probably worth putting that sort of thing behind a flag
(--host-checks?). I don't really have a preference for the flag name
or whether it's opt-in or opt-out.

[Mashimiao]

@wking @liangchenye
This validation, as @wking said we can check “Does the hook command exist in the host's filesystem?”.
config.json belongs to OCI bundle. I think we check hook command exist or not is to check whether config.json is configured correct or not, is to check OCI bundle.
@wking I'm not sure what portability problem exists. If there was no hooks configured, the hook validation would not be executed.

[liangchenye]

The hook configuration is a little tricky, it is not portable.
If it was verified on hostA, it could still fail on hostB.
If it fails on hostA, it is hard to say this is an invalid bundle.
But it is helpful to a user who tries to use it, so agree with WKing, we can add a flag to bundle validate.

[Mashimiao]

@wking @liangchenye PR updated

[wking]

I'd have gone with --hook-paths or some such, but I expect folks will get the idea regardless. It's probably worth detailing what the hook checks are and why this is optional. The only check that needs to be toggle-able is “Does the path exist (and point to an executable)?”, and there is other validation that you can do beyond that (e.g. “Are there equals signs in all the env values?”).

[Mashimiao]

ping @liangchenye

[wking]

Listing specific options here rolls back part of c1df0ce (Fixup man pages for consistency, 2016-05-07, #65). I like the shorter [OPTIONS] for generate (see #42) because it has lots of options. I don't care either way for validate, but we probably want to pick one approach and not flip back and forth without motivation ;).

[liangchenye]

Thanks @Mashimiao

LGTM

[wking]

Ah, I'd missed the responses to my earlier comments. f54700d looks good to me too.

[Mashimiao]

ping @mrunalp

[liangchenye]

Hi @Mashimiao,
I added another task to #66
'Hooks paths are absolute'.
It is different but related to this PR. We need to check if a path is absolute by default (without hooksCheck set to true). If you like to implement it (in this PR maybe), I'll add a WIP link.

[Mashimiao]

@liangchenye OK, I can implement it in this PR.
implemented, please review.

[wking]

51d1cc6 still looks good to me.

[wking]

Ah, actually 51d1cc6 does not look good to me ;). The absolute-path
check needs to happen regardless of whether folks have set the
host-specific switch 1. Maybe we want to lump all of the
host-specific checks behind a --host-specific option?

[Mashimiao]

@wking Ah, yes. I did not read @liangchenye 's words carefully. How about now?

[wking]

On Fri, May 20, 2016 at 01:30:20AM -0700, Ma Shimiao wrote:

How about now?

ce49f78 looks great :).

[mrunalp]

nit: Check specified hooks exist and are executable on the host.

[Mashimiao]

@mrunalp fixed.

[mrunalp]

Can you change it here as well? Thanks!

[Mashimiao]

@mrunalp sorry, miss it. fixed.

[mrunalp]

Needs rebase

[Mashimiao]

@mrunalp rebased.

[mrunalp]

LGTM