can set up the hooks at
• Prestart
• Poststart
• Poststop
⚫ According to the OCI runtime spec, the state of the container, which includes the container's initial PID, must be passed to hooks over stdin.
⚫ More hooks are currently proposed.
• https://github.com/opencontainers/runtime-spec/pull/1008
high level runtime
• containerd is currently developing an option for setting OCI hooks
– https://github.com/containerd/cri/pull/1248
– https://github.com/containerd/cri/issues/405
2. Control OCI hooks per Pod using Kubernetes annotations
• containerd added support for passing annotations to the low-level runtime
– https://github.com/containerd/cri/pull/1084
◦ ×
high level runtime
• CRI-O and Podman already provide their own solution, "oci-hooks"
2. Control OCI hooks per Pod using Kubernetes annotations
• CRI-O is currently developing support for passing annotations to the low-level runtime
– https://github.com/cri-o/cri-o/issues/2402
◦ ×
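
The state-over-stdin contract and the per-Pod annotation control described above, as an added example (not from the original slides or from any project named here): a hook binary in Go that decodes the OCI state from stdin and returns the container's initial PID only when the Pod opted in. The annotation key `example.com/trace-syscalls`, the function name `TargetPID` and the sample state are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// State holds the fields of the OCI runtime spec container state used here.
type State struct {
	ID          string            `json:"id"`
	Status      string            `json:"status"`
	Pid         int               `json:"pid"`
	Annotations map[string]string `json:"annotations"`
}

// traceAnnotation is a hypothetical per-Pod opt-in key (assumption, not a real project key).
const traceAnnotation = "example.com/trace-syscalls"

// sampleState is constructed input showing what a runtime writes to the hook's stdin.
const sampleState = `{"ociVersion":"1.0.1","id":"demo","status":"created","pid":4242,"bundle":"/run/demo","annotations":{"example.com/trace-syscalls":"true"}}`

// TargetPID decodes the state from r; ok is false when the Pod did not opt in.
func TargetPID(r io.Reader) (pid int, ok bool, err error) {
	var s State
	// Cap the read so a misbehaving caller cannot feed the hook unbounded input.
	if err := json.NewDecoder(io.LimitReader(r, 1<<20)).Decode(&s); err != nil {
		return 0, false, fmt.Errorf("decode state: %w", err)
	}
	if s.ID == "" {
		return 0, false, fmt.Errorf("state has no container id")
	}
	if s.Annotations[traceAnnotation] != "true" {
		return 0, false, nil // not opted in: leave the container alone
	}
	// Without a positive pid there is no container process to attach a tracer to.
	if s.Pid <= 0 {
		return 0, false, fmt.Errorf("container %s: no pid (status %q)", s.ID, s.Status)
	}
	return s.Pid, true, nil
}

func main() {
	pid, ok, err := TargetPID(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1) // non-zero exit reports the hook as failed to the runtime
	}
	fmt.Println(pid, ok)
}
```

Opting in through an annotation only works when the high-level runtime forwards Pod annotations to the low-level runtime, which is the dependency the slides track for containerd and CRI-O.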
to trace system calls inside containers without any debug tools in the Pod.
• https://speakerdeck.com/kentatada/debug-application-inside-kubernetes-using-linux-kernel-tools
• https://github.com/KentaTada/oci-ftrace-syscall-analyzer
⚫ This tool uses OCI hooks to trace system calls from application startup.
systemd, we needed to set up LimitRTPRIO in the service file.
– https://superuser.com/questions/403184/configuring-systemd-to-allow-daemon-to-set-rt-priority
⚫ Kernel side issue
• With systemd, we needed to consider CONFIG_RT_GROUP_SCHED.
– https://blog.cybozu.io/entry/2018/06/22/080000
But these issues don't depend on ROS.
from Kubernetes for now.
⚫ Container tracer is useful.
• Contribute new facilities from our internal tool.
– Ex. Linux capability checker
– Ex. negative dentry snoop
– https://qiita.com/kentaost/items/5f03ea32a2b2ef80270f
• I want to discuss use cases of the container tracer among various industries.