config: Clarify execution environment for hooks

The spec didn't say whether the hooks are executed in the container environment or not (in Linux namespaces, with cgroups and rlimits applied). In rkt, hooks are executed in the container environment. In runc, hooks are executed outside of the container environment. The example with setting up the network namespace in "prestart" suggests that the command is generic and does not have to exist in the container rootfs. So I assume the spec was meant to say hooks are executed outside of the container environment.
opencontainers · Mar 5, 2018 · 38bdc43 · 38bdc43
1 parent fa4b36a
commit 38bdc43
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/config.md b/config.md
@@ -383,7 +383,11 @@ For POSIX platforms, the configuration structure supports `hooks` for configurin
         Entries in the array have the same schema as pre-start entries.
 
 Hooks allow users to specify programs to run before or after various lifecycle events.
+Hooks are executed on the container host and not in the container.
+Therefore, the `path` refers to a path on the host and the execution environment defined in the `process` object does not apply for hooks.
+
 Hooks MUST be called in the listed order.
+
 The [state](runtime.md#state) of the container MUST be passed to hooks over stdin so that they may do work appropriate to the current state of the container.
 
 ### <a name="configHooksPrestart" />Prestart