RA489
diff --git a/‎README.md‎
Lines changed: 4 additions & 1 deletion b/‎README.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎cmd/crio/main.go‎
Lines changed: 26 additions & 8 deletions b/‎cmd/crio/main.go‎
Lines changed: 26 additions & 8 deletions
diff --git a/‎docs/crio.8.md‎
Lines changed: 11 additions & 1 deletion b/‎docs/crio.8.md‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎hooks.md‎
Lines changed: 0 additions & 71 deletions b/‎hooks.md‎
Lines changed: 0 additions & 71 deletions
diff --git a/‎lib/config.go‎
Lines changed: 2 additions & 4 deletions b/‎lib/config.go‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎lib/container_server.go‎
Lines changed: 58 additions & 46 deletions b/‎lib/container_server.go‎
Lines changed: 58 additions & 46 deletions
@@ -69,7 +69,7 @@ Note that kpod and its container management and debugging commands have moved to
 
 ## OCI Hooks Support
 
-[CRI-O configures OCI Hooks to run when launching a container](./hooks.md)
+[You can configure CRI-O][libpod-hooks] to inject [OCI Hooks][spec-hooks] when creating containers.
 
 ## CRI-O Usage Transfer
 
@@ -224,3 +224,6 @@ To run a full cluster, see [the instructions](kubernetes.md).
 1. Support for exec/attach (done)
 1. Target fully automated kubernetes testing without failures [e2e status](https://github.com/kubernetes-incubator/cri-o/issues/533)
 1. Track upstream k8s releases
+
+[libpod-hooks]: https://github.com/projectatomic/libpod/blob/v0.6.2/pkg/hooks/README.md
+[spec-hooks]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
@@ -20,6 +20,8 @@ import (
 	"github.com/kubernetes-incubator/cri-o/pkg/signals"
 	"github.com/kubernetes-incubator/cri-o/server"
 	"github.com/kubernetes-incubator/cri-o/version"
+	"github.com/projectatomic/libpod/pkg/hooks"
+	_ "github.com/projectatomic/libpod/pkg/hooks/0.1.0"
 	"github.com/sirupsen/logrus"
 	"github.com/soheilhy/cmux"
 	"github.com/urfave/cli"
@@ -172,7 +174,7 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
 	return nil
 }
 
-func catchShutdown(gserver *grpc.Server, sserver *server.Server, hserver *http.Server, signalled *bool) {
+func catchShutdown(ctx context.Context, cancel context.CancelFunc, gserver *grpc.Server, sserver *server.Server, hserver *http.Server, signalled *bool) {
 	sig := make(chan os.Signal, 10)
 	signal.Notify(sig, signals.Interrupt, signals.Term)
 	go func() {
@@ -186,11 +188,11 @@ func catchShutdown(gserver *grpc.Server, sserver *server.Server, hserver *http.S
 				continue
 			}
 			*signalled = true
-			ctx := context.Background()
 			gserver.GracefulStop()
 			hserver.Shutdown(ctx)
 			sserver.StopStreamServer()
 			sserver.StopMonitors()
+			cancel()
 			if err := sserver.Shutdown(ctx); err != nil {
 				logrus.Warnf("error shutting down main service %v", err)
 			}
@@ -347,7 +349,7 @@ func main() {
 		cli.StringFlag{
 			Name:   "hooks-dir-path",
 			Usage:  "set the OCI hooks directory path",
-			Value:  lib.DefaultHooksDirPath,
+			Value:  hooks.DefaultDir,
 			Hidden: true,
 		},
 		cli.StringSliceFlag{
@@ -456,7 +458,8 @@ func main() {
 	}
 
 	app.Action = func(c *cli.Context) error {
-		ctx := context.Background()
+		ctx, cancel := context.WithCancel(context.Background())
+
 		if c.GlobalBool("profile") {
 			profilePort := c.GlobalInt("profile-port")
 			profileEndpoint := fmt.Sprintf("localhost:%v", profilePort)
@@ -534,9 +537,17 @@ func main() {
 		go func() {
 			service.StartExitMonitor()
 		}()
-		go func() {
-			service.StartHooksMonitor()
-		}()
+		hookSync := make(chan error, 2)
+		if service.ContainerServer.Hooks == nil {
+			hookSync <- err // so we don't block during cleanup
+		} else {
+			go service.ContainerServer.Hooks.Monitor(ctx, hookSync)
+			err = <-hookSync
+			if err != nil {
+				cancel()
+				logrus.Fatal(err)
+			}
+		}
 
 		m := cmux.New(lis)
 		grpcL := m.Match(cmux.HTTP2HeaderField("content-type", "application/grpc"))
@@ -549,7 +560,7 @@ func main() {
 		}
 
 		graceful := false
-		catchShutdown(s, service, srv, &graceful)
+		catchShutdown(ctx, cancel, s, service, srv, &graceful)
 
 		go s.Serve(grpcL)
 		go srv.Serve(httpL)
@@ -575,11 +586,18 @@ func main() {
 		}
 
 		service.Shutdown(ctx)
+		cancel()
 
 		<-streamServerCloseCh
 		logrus.Debug("closed stream server")
 		<-serverMonitorsCh
 		logrus.Debug("closed monitors")
+		err = <-hookSync
+		if err == nil || err == context.Canceled {
+			logrus.Debug("closed hook monitor")
+		} else {
+			logrus.Errorf("hook monitor failed: %v", err)
+		}
 		<-serverCloseCh
 		logrus.Debug("closed main server")
 
 
@@ -148,6 +148,16 @@ it later with **--config**. Global options will modify the output.
 **crio.conf** (`/etc/crio/crio.conf`)
   `cri-o` configuration file for all of the available command-line options for the crio(8) program, but in a TOML format that can be more easily modified and versioned.
 
+**hook JSON** (`/etc/containers/oci/hooks.d/*.json`, `/usr/share/containers/oci/hooks.d/*.json`)
+
+  Each `*.json` file in `/etc/containers/oci/hooks.d` and `/usr/share/containers/oci/hooks.d` configures a hook for CRI-O containers, with `/etc/containers/oci/hooks.d` having higher precedence.  `crio(8)` monitors the hook directories for changes, so there is no need to restart the server after adjusting the hook configuration.  For more details on the syntax of the JSON files and the semantics of hook injection, see `oci-hooks(5)`.
+
+  CRI-O currently supports both the 1.0.0 and 0.1.0 hook schemas, although the 0.1.0 schema is deprecated.
+
+  For the annotation conditions, CRI-O uses the Kubernetes annotations, which are a subset of the annotations passed to the OCI runtime.  For example, io.kubernetes.cri-o.Volumes is part of the OCI runtime configuration annotations, but it is not part of the Kubernetes annotations being matched for hooks.
+
+  For the bind-mount conditions, only mounts explicitly requested by Kubernetes configuration are considered.  Bind mounts that CRI-O inserts by default (e.g. `/dev/shm`) are not considered.
+
 **policy.json** (`/etc/containers/policy.json`)
   Signature verification policy files are used to specify policy, e.g. trusted keys, applicable when deciding whether to accept an image, or individual signatures of that image, as valid.
 
@@ -158,7 +168,7 @@ it later with **--config**. Global options will modify the output.
   Storage configuration file specifies all of the available container storage options for tools using shared container storage.
 
 # SEE ALSO
-crio.conf(5),policy.json(5),registries.conf(5),storage.conf(5)
+`crio.conf(5)`, `oci-hooks(5)`, `policy.json(5)`, `registries.conf(5)`, `storage.conf(5)`
 
 # HISTORY
 Sept 2016, Originally compiled by Dan Walsh <[email protected]> and Aleksa Sarai <[email protected]>
@@ -9,6 +9,7 @@ import (
 	"github.com/containers/image/types"
 	"github.com/containers/storage"
 	"github.com/kubernetes-incubator/cri-o/oci"
+	"github.com/projectatomic/libpod/pkg/hooks"
 )
 
 // Defaults if none are specified
@@ -162,9 +163,6 @@ type RuntimeConfig struct {
 	// Note, for testing purposes mainly
 	DefaultMountsFile string `toml:"default_mounts_file"`
 
-	// Hooks List of hooks to run with container
-	Hooks map[string]HookParams
-
 	// PidsLimit is the number of processes each container is restricted to
 	// by the cgroup process number controller.
 	PidsLimit int64 `toml:"pids_limit"`
@@ -333,7 +331,7 @@ func DefaultConfig() *Config {
 			CgroupManager:       cgroupManager,
 			PidsLimit:           DefaultPidsLimit,
 			ContainerExitsDir:   containerExitsDir,
-			HooksDirPath:        DefaultHooksDirPath,
+			HooksDirPath:        hooks.DefaultDir,
 			LogSizeMax:          DefaultLogSizeMax,
 			DefaultMountsFile:   "",
 			DefaultCapabilities: DefaultCapabilities,
 
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -21,11 +22,22 @@ import (
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
+	"github.com/projectatomic/libpod/pkg/hooks"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/text/language"
 	pb "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
 	"k8s.io/kubernetes/pkg/kubelet/dockershim/network/hostport"
 )
 
+var (
+	// localeToLanguage maps from locale values to language tags.
+	localeToLanguage = map[string]string{
+		"":      "und-u-va-posix",
+		"c":     "und-u-va-posix",
+		"posix": "und-u-va-posix",
+	}
+)
+
 // ContainerServer implements the ImageServer
 type ContainerServer struct {
 	runtime              *oci.Runtime
@@ -37,8 +49,7 @@ type ContainerServer struct {
 	ctrIDIndex           *truncindex.TruncIndex
 	podNameIndex         *registrar.Registrar
 	podIDIndex           *truncindex.TruncIndex
-	hooks                map[string]HookParams
-	hooksLock            sync.Mutex
+	Hooks                *hooks.Manager
 
 	imageContext *types.SystemContext
 	stateLock    sync.Locker
@@ -51,40 +62,6 @@ func (c *ContainerServer) Runtime() *oci.Runtime {
 	return c.runtime
 }
 
-// Hooks returns the oci hooks for the ContainerServer
-func (c *ContainerServer) Hooks() map[string]HookParams {
-	hooks := map[string]HookParams{}
-	c.hooksLock.Lock()
-	defer c.hooksLock.Unlock()
-	for key, h := range c.hooks {
-		hooks[key] = h
-	}
-	return hooks
-}
-
-// RemoveHook removes an hook by name
-func (c *ContainerServer) RemoveHook(hook string) (ok bool) {
-	c.hooksLock.Lock()
-	defer c.hooksLock.Unlock()
-	_, ok = c.hooks[hook]
-	if ok {
-		delete(c.hooks, hook)
-	}
-	return ok
-}
-
-// AddHook adds an hook by hook's path
-func (c *ContainerServer) AddHook(hookPath string) (err error) {
-	c.hooksLock.Lock()
-	defer c.hooksLock.Unlock()
-	hook, err := readHook(hookPath)
-	if err != nil {
-		return err
-	}
-	c.hooks[filepath.Base(hookPath)] = hook
-	return nil
-}
-
 // Store returns the Store for the ContainerServer
 func (c *ContainerServer) Store() cstorage.Store {
 	return c.store
@@ -168,21 +145,56 @@ func New(ctx context.Context, config *Config) (*ContainerServer, error) {
 		lock = new(sync.Mutex)
 	}
 
-	hooks := make(map[string]HookParams)
+	hookDirectories := []string{}
+	missingHookDirectoryFatal := false
+
 	// If hooks directory is set in config use it
 	if config.HooksDirPath != "" {
-		if err := readHooks(config.HooksDirPath, hooks); err != nil {
-			return nil, err
-		}
+		hookDirectories = append(hookDirectories, config.HooksDirPath)
+
 		// If user overrode default hooks, this means it is in a test, so don't
 		// use OverrideHooksDirPath
-		if config.HooksDirPath == DefaultHooksDirPath {
-			if err := readHooks(OverrideHooksDirPath, hooks); err != nil {
-				return nil, err
-			}
+		if config.HooksDirPath == hooks.DefaultDir {
+			hookDirectories = append(hookDirectories, hooks.OverrideDir)
+		} else {
+			missingHookDirectoryFatal = true
+		}
+	}
+
+	var locale string
+	var ok bool
+	for _, envVar := range []string{
+		"LC_ALL",
+		"LC_COLLATE",
+		"LANG",
+	} {
+		locale, ok = os.LookupEnv(envVar)
+		if ok {
+			break
+		}
+	}
+
+	langString, ok := localeToLanguage[strings.ToLower(locale)]
+	if !ok {
+		langString = locale
+	}
+
+	lang, err := language.Parse(langString)
+	if err != nil {
+		logrus.Warnf("failed to parse language %q: %s", langString, err)
+		lang, err = language.Parse("und-u-va-posix")
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	hooks, err := hooks.New(ctx, hookDirectories, []string{}, lang)
+	if err != nil {
+		if missingHookDirectoryFatal || !os.IsNotExist(err) {
+			return nil, err
 		}
+		logrus.Warnf("failed to load hooks: {}", err)
 	}
-	logrus.Debugf("hooks %+v", hooks)
 
 	return &ContainerServer{
 		runtime:              runtime,
@@ -194,7 +206,7 @@ func New(ctx context.Context, config *Config) (*ContainerServer, error) {
 		podNameIndex:         registrar.NewRegistrar(),
 		podIDIndex:           truncindex.NewTruncIndex([]string{}),
 		imageContext:         &types.SystemContext{SignaturePolicyPath: config.SignaturePolicyPath},
-		hooks:                hooks,
+		Hooks:                hooks,
 		stateLock:            lock,
 		state: &containerServerState{
 			containers:      oci.NewMemoryStore(),