The hooks used by run_oci follow the Open Container Initiative spec for POSIX-platform Hooks, with a Chrome OS-specific extension that allows a hook to be installed after all the mounts have been processed, but prior to calling chroot(2).
All the hooks are run by calling fork(2) + execve(2) from the run_oci process (which is the parent of the container process), and within the intermediate mount namespace.
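The fork(2) + execve(2) pattern described above, as an added example that is not run_oci's own code. The helper name run_hook, the absolute-path check and the empty environment are assumptions; the container state is written to the hook's stdin as the OCI hooks spec requires.

```c
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not run_oci code): runs one hook, returns its exit
 * status, or -1 if it could not be started or died from a signal. */
int run_hook(const char *path, char *const argv[], const char *state_json)
{
    int fds[2];
    if (path[0] != '/' || pipe(fds) < 0)    /* absolute hook paths only */
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                          /* child: becomes the hook */
        char *const envp[] = { NULL };       /* assumption: empty environment */
        close(fds[1]);
        if (fds[0] != STDIN_FILENO && dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        if (fds[0] != STDIN_FILENO)
            close(fds[0]);
        execve(path, argv, envp);
        _exit(127);                          /* execve failed */
    }
    /* Parent: feed the container state to the hook's stdin. */
    close(fds[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN);  /* hook may exit unread */
    size_t len = strlen(state_json), off = 0;
    while (off < len) {
        ssize_t n = write(fds[1], state_json + off, len - off);
        if (n < 0 && errno != EINTR)
            break;                           /* EPIPE: hook closed stdin early */
        if (n > 0)
            off += (size_t)n;
    }
    close(fds[1]);                           /* EOF for the hook */
    signal(SIGPIPE, old);
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    /* Caller should treat any non-zero result as a failed hook. */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```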
In order to avoid paying the price of creating several processes and switching back and forth between namespaces (which added several milliseconds to the boot time when done naïvely), we have consolidated all of the hook execution to two hooks: pre-create and pre-chroot.
The pre-create hook invokes arc-setup with the --mode=setup flag and creates host-side files and directories that will be bind-mounted to the container via config.json.
The pre-chroot hook invokes arc-setup with the --mode=pre-chroot flag and performs several operations:
- binfmt_misc to perform ARM binary translation on Intel devices.
- run_oci, since these are not handled by either the build system, or the first invocation of arc-setup that occurs before run_oci is invoked.
- /dev/.coldboot_done, which is used by Android as a signal that it has reached a certain point during the boot sequence. This is normally done by Android's init during its first stage, but we do not use it and boot Android directly into init's second stage.