poststart hook with /bin/false gives different results for crun and runc #1943
Description
- Create hooks dir
mkdir $HOME/hooks.d - Create policy file
$HOME/hooks.d/foobar.jsoncontaining{ "version": "1.0.0", "hook": { "path": "/bin/false" }, "when": { "annotations": { "^myannotation$": "yes" } }, "stages": ["poststart"] } - Create file
$HOME/test.bashcontaining#!/bin/bash set -o nounset runtime=$1 count=0 for i in {1..10}; do if podman \ --runtime $runtime \ --hooks-dir ~/hooks.d \ run \ --pull never \ --rm \ --annotation myannotation=yes \ docker.io/library/alpine \ sh -c "sleep 1 && echo hello && sleep 1" then ((count++)) fi done echo successful execution rate = $count / 10 - Test with
crunresult: successful execution rate = 8 / 10$ bash test.bash crun hello Error: `/usr/bin/crun start 97d10fc0eca36d7b5533784bd2784cccab83478c97435c4cb1fa1bcc94dd6e28` failed: signal: broken pipe hello hello hello hello hello hello Error: `/usr/bin/crun start 7fca6b7f0464f77849accbd39fdc02ce5423f88fb898f1169a1d1deef7de708c` failed: signal: broken pipe hello successful execution rate = 8 / 10 - Test with
runcresult: successful execution rate = 0 / 10$ bash test.bash runc Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: Error: OCI runtime error: runc: runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: successful execution rate = 0 / 10
discussion
disclaimer: I just started to learn about OCI hooks so this all new to me.
I thought was interesting that crun and runc give different results.
| oci runtime | successful execution rate |
|---|---|
| crun | 8 / 10 |
| runc | 0 / 10 |
Should the result be non-deterministic or does crun have a bug?
about the system
crun version 1.25.1
runc version 1.4.0
podman version 5.7.1
test@localhost:~$ crun --version
crun version 1.25.1
commit: 156ae065d4a322d149c7307034f98d9637aa92a2
rundir: /run/user/1005/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
test@localhost:~$ podman --version
podman version 5.7.1
test@localhost:~$ runc --version
runc version 1.4.0
spec: 1.3.0
go: go1.25.4 X:nodwarf5
libseccomp: 2.6.0
test@localhost:~$ rpm-ostree status
State: idle
warning: Failed to query journal: couldn't find current boot in journal
Deployments:
● ostree-image-signed:docker://quay.io/fedora/fedora-coreos:rawhide
Digest: sha256:32e07fd28e5fa8a9417334ed11b227670c95321eaf8194e2451410438e424502
Version: 44.20251219.91.0 (2025-12-19T07:37:08Z)
LayeredPackages: docker-buildkit docker-buildx emacs-nox golang make
ostree-image-signed:docker://quay.io/fedora/fedora-coreos:rawhide
Digest: sha256:32e07fd28e5fa8a9417334ed11b227670c95321eaf8194e2451410438e424502
Version: 44.20251219.91.0 (2025-12-19T07:37:08Z)