is it possible to use hooks to modify content on container disk before the build steps are executed?

[AnthonyPoschen]

I am trying to provide a CI/CD capability for other developers in an organisation which is air gapped and want to remove "headaches" in configuration for developers.

For example i would like to ensure every container that is being built from a dockerfile that the developers do not need to include configuration details to get package managers working when building inside the CI/CD network, this will be things along the lines of modifying files ideally with a script to "sed" changes into files and setting environment variables. The buildah configuration file can help me achieve these things however i know for many developers who aren't across something like buildah, allowing someone to design an includable template that runs defines and runs a hook script before the container starts the build steps allows someone to pre layout a file configuration before.

TL;DR
I am wanting to modify the disk and environment of a container being built before the build steps start with hooks but am unable to achieve it when i attempt it as i see no edits with all stage's attempted. If this is not possible, i am wondering what value hooks have and where they should be used.

[AnthonyPoschen]

i am able to get it running from a linux VM with buildah installed.

However when using the buildah image quay.io/buildah/stable:latest it does not work.
dockerfile:

FROM node:latest
RUN ls /tmp

hook file

{
  "version": "1.0.0",
  "hook": {
    "path": "/usr/bin/touch",
    "args": ["touch", "/tmp/hook-file"]
  },
  "when": {
    "always": true
  },
  "stages": ["startContainer"]
}

run command

buildah build --hooks-dir="$(pwd)/hooks" --no-cache -f ./dockerfile -t testing .

Debug logs show it gets added as a hook in the container but never executed. Is something configured to skip hooks from the container?

[rhatdan]

Not that I know of. Are you using crun or runc?

[rhatdan]

@giuseppe PTAL

[giuseppe]

when we use buildah inside a container, we are likely using the "chroot" execution model that doesn't honor hooks. You should use "oci" that uses a real OCI runtime to run the command, but you might need to relax the security constraints for your environment

[AnthonyPoschen]

I will give that a go thank you.

[AnthonyPoschen]

it was set to the chroot execution model, going to "oci" did allow it work as expected inside the container thanks you, however i need to figure out what security constraints need to be relaxed, i verified it worked by ensuring the container ran with privileged.

Without privileged the example dockerfile gets this when running with oci

STEP 2/3: RUN npm config get registry
error running container: from /usr/bin/crun creating container for [/bin/sh -c npm config get registry]: opening file `/sys/fs/cgroup/cgroup.subtree_control` for writing: Read-only file system