config: Clarify execution environment for hooks

alban · alban · commit 60ecee74941f · 2018-03-05T16:07:41.000+01:00
The spec didn't say whether the hooks are executed in the container
environment or not (in Linux namespaces, with cgroups and rlimits
applied).

In rkt, hooks are executed in the container environment. In runc, hooks
are executed outside of the container environment.

The example with setting up the network namespace in "prestart" suggests
that the command is generic and does not have to exist in the container
rootfs. So I assume the spec was meant to say hooks are executed outside
of the container environment.

Signed-off-by: Alban Crequy &lt;alban@kinvolk.io&gt;
diff --git a/config.md b/config.md
@@ -383,7 +383,11 @@ For POSIX platforms, the configuration structure supports `hooks` for configurin
         Entries in the array have the same schema as pre-start entries.
 
 Hooks allow users to specify programs to run before or after various lifecycle events.
+Hooks are executed on the container host and not in the container.
+Therefore, the `path` refers to a path on the host and the execution environment defined in the `process` object does not apply for hooks.
+
 Hooks MUST be called in the listed order.
+
 The [state](runtime.md#state) of the container MUST be passed to hooks over stdin so that they may do work appropriate to the current state of the container.
 
 ### <a name="configHooksPrestart" />Prestart
