Configuring Sarus for OCI hooks

To extend the core functionality provided by a container runtime, the OCI Runtime Specification allows components to be hooked into the container’s lifecycle, where they perform custom actions. These OCI hooks are especially well suited to HPC use cases, where the dedicated hardware and highly tuned software of high-performance systems contrast with the platform-agnostic nature of software containers. In practice, OCI hooks give the container runtime a way to expose system-specific features and specialized resources inside container instances.

To enable the use of hooks in Sarus, the hooksDir directory specified in sarus.json must be populated with OCI hook JSON configuration files. Sarus currently supports the OCI hook schema version 1.0.0.

Sarus parses the JSON files in hooksDir (subdirectories excluded) and, if all the when conditions specified in a JSON file are true, inserts the corresponding OCI hook into the OCI bundle’s configuration file that Sarus generates.

The hooks themselves are invoked by the OCI-compliant runtime specified with the runcPath parameter in sarus.json.

The hooks are inserted into the OCI bundle’s configuration file and executed by the OCI-compliant runtime in the order obtained by lexicographically sorting the JSON file names.

All the hooks configured in the hooksDir directory must satisfy the security requirements for critical files and directories.
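The following Python script is an added illustration, not part of Sarus or its documentation. It lists the hook files in a hooksDir in the order they would run and flags files that are not schema version 1.0.0 or that break an assumed reading of the security requirements (owned by root, not writable by group or others). The function names, sample file names and hook path are hypothetical.

```python
import json, os, stat, tempfile
SUPPORTED_VERSION = "1.0.0"  # hook schema version the page says Sarus supports

def audit_hooks_dir(hooks_dir, owner_uid=0):
    """Return [(file_name, [problems])] in the order the hooks would run."""
    report = []
    for name in sorted(os.listdir(hooks_dir)):  # lexicographic order = run order
        path = os.path.join(hooks_dir, name)
        if not name.endswith(".json") or not os.path.isfile(path):
            continue  # only top-level JSON files are parsed, never subdirectories
        problems = []
        st = os.stat(path)
        if st.st_uid != owner_uid:  # assumed rule, not spelled out on the page
            problems.append("not owned by uid %d" % owner_uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # assumed rule as well
            problems.append("writable by group or others")
        try:
            with open(path) as f:
                cfg = json.load(f)
            if not isinstance(cfg, dict):
                raise ValueError("top level is not an object")
        except ValueError as exc:
            report.append((name, problems + ["invalid hook JSON: %s" % exc]))
            continue
        if cfg.get("version") != SUPPORTED_VERSION:
            problems.append("version %r is not %s" % (cfg.get("version"), SUPPORTED_VERSION))
        hook = cfg.get("hook")
        if not isinstance(hook, dict) or not os.path.isabs(str(hook.get("path", ""))):
            problems.append("hook.path must be an absolute path")
        problems += ["missing %r" % k for k in ("when", "stages") if k not in cfg]
        report.append((name, problems))
    return report

def demo():
    """Audit a constructed directory; file names and hook path are made up."""
    good = {"version": SUPPORTED_VERSION, "hook": {"path": "/opt/hooks/example_hook"},
            "when": {"always": True}, "stages": ["prestart"]}
    d = tempfile.mkdtemp()
    for name, cfg, mode in (("9-first.json", good, 0o644),
                            ("10-second.json", dict(good, version="0.1.0"), 0o644),
                            ("20-loose.json", good, 0o666)):
        with open(os.path.join(d, name), "w") as f:
            json.dump(cfg, f)
        os.chmod(os.path.join(d, name), mode)
    os.mkdir(os.path.join(d, "sub.json"))  # subdirectory: never parsed
    return audit_hooks_dir(d, owner_uid=os.getuid())  # current uid so the demo runs unprivileged

if __name__ == "__main__":
    for name, problems in demo(): print(name, problems)
```

In the constructed directory, 10-second.json sorts before 9-first.json, so numeric prefixes need zero-padding (09-, 10-) if they are meant to express execution order.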

Hooks use cases

In the following pages, we will provide guidance on how to enable hooks for specific use cases: