Today, container registration for the learning phase relies on the NRI StartContainer hook. While NRI fires before the container's processes begin, it operates at the containerd/CRI-O level, and the low-level runtime (runc/crun) may still start the container entrypoint before the agent has finished updating the eBPF cgroup tracker map.
OCI runtime hooks such as CreateRuntime execute synchronously within the low-level runtime's container lifecycle, after the cgroup is created but before the container's init process starts. By injecting an OCI CreateRuntime hook via NRI's container adjustment capability, we can guarantee that the agent's eBPF maps are populated before any process runs, closing the race window and ensuring the learning phase captures every executable.
The hook binary would be a small executable deployed alongside the agent (e.g. mounted from the DaemonSet into the host). When invoked by runc/crun, it would notify the agent (e.g. via a Unix socket) to register the container's cgroup, then block until the agent confirms readiness.
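As an added illustration (not code from the project this issue belongs to), the following Go program sketches the hook binary side of the exchange described above: it reads the OCI state document that runc/crun pipe into a hook's stdin, resolves the container's cgroup v2 path from `/proc/<pid>/cgroup`, sends a registration over a Unix socket and blocks until the agent acknowledges. The socket path `/run/agent/hook.sock`, the host path `/opt/agent/bin/oci-hook`, and the JSON request/reply format are assumptions for the example; the project would define its own. `createRuntimeHook` shows the shape of the runtime-spec `hooks.createRuntime` entry that the NRI CreateContainer adjustment would inject.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"strings"
	"time"
)

// Assumed locations for this example; the real agent would define its own.
const (
	agentSocket = "/run/agent/hook.sock"  // hypothetical Unix socket the agent listens on
	hookPath    = "/opt/agent/bin/oci-hook" // hypothetical host path of this binary
)

// ociState is the subset of the OCI runtime-spec state document that runc/crun
// write to a hook's stdin. In a createRuntime hook the container's init process
// already exists (Pid is set) but has not exec'd the entrypoint yet.
type ociState struct {
	ID     string `json:"id"`
	Status string `json:"status"`
	Pid    int    `json:"pid"`
	Bundle string `json:"bundle"`
}

func parseState(r io.Reader) (ociState, error) {
	var st ociState
	if err := json.NewDecoder(r).Decode(&st); err != nil {
		return st, fmt.Errorf("decode OCI state: %w", err)
	}
	if st.ID == "" || st.Pid <= 0 {
		return st, errors.New("OCI state lacks id or pid")
	}
	return st, nil
}

// cgroupPathFromProc extracts the unified (cgroup v2) path from the contents of
// /proc/<pid>/cgroup, whose relevant line has the form "0::/<path>".
func cgroupPathFromProc(content string) (string, error) {
	for _, line := range strings.Split(content, "\n") {
		if strings.HasPrefix(line, "0::") {
			return strings.TrimPrefix(line, "0::"), nil
		}
	}
	return "", errors.New("no cgroup v2 entry in /proc/<pid>/cgroup")
}

// registerRequest and registerReply are an assumed wire format between the hook
// and the agent; the project's real protocol may differ.
type registerRequest struct {
	ContainerID string `json:"containerId"`
	Pid         int    `json:"pid"`
	CgroupPath  string `json:"cgroupPath"`
}

type registerReply struct {
	Ready bool   `json:"ready"`
	Error string `json:"error,omitempty"`
}

// registerAndWait sends the registration and blocks until the agent confirms the
// cgroup is in its eBPF tracker map. Any error must make the hook exit non-zero so
// the runtime aborts creation rather than starting an untracked container.
func registerAndWait(conn net.Conn, req registerRequest, timeout time.Duration) error {
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	if err := json.NewEncoder(conn).Encode(req); err != nil {
		return fmt.Errorf("send registration: %w", err)
	}
	var reply registerReply
	if err := json.NewDecoder(conn).Decode(&reply); err != nil {
		return fmt.Errorf("wait for agent ack: %w", err)
	}
	if !reply.Ready {
		return fmt.Errorf("agent rejected registration: %s", reply.Error)
	}
	return nil
}

// ociHook mirrors the runtime-spec hook entry that the NRI CreateContainer
// adjustment appends to hooks.createRuntime in the container's config.
type ociHook struct {
	Path    string   `json:"path"`
	Args    []string `json:"args,omitempty"`
	Timeout *int     `json:"timeout,omitempty"` // seconds; runc/crun kill the hook after this
}

func createRuntimeHook(timeoutSec int) ociHook {
	return ociHook{Path: hookPath, Args: []string{"oci-hook", "--socket", agentSocket}, Timeout: &timeoutSec}
}

func main() {
	st, err := parseState(os.Stdin)
	if err != nil {
		fail(err)
	}
	// createRuntime hooks run in the runtime (host) mount namespace, so /proc/<pid>/cgroup is readable here.
	raw, err := os.ReadFile(fmt.Sprintf("/proc/%d/cgroup", st.Pid))
	if err != nil {
		fail(err)
	}
	cg, err := cgroupPathFromProc(string(raw))
	if err != nil {
		fail(err)
	}
	conn, err := net.DialTimeout("unix", agentSocket, 2*time.Second)
	if err != nil {
		fail(err)
	}
	defer conn.Close()
	if err := registerAndWait(conn, registerRequest{ContainerID: st.ID, Pid: st.Pid, CgroupPath: cg}, 5*time.Second); err != nil {
		fail(err)
	}
}

func fail(err error) {
	fmt.Fprintln(os.Stderr, "oci-hook:", err)
	os.Exit(1)
}
```

Two design points worth settling before implementing this for real: the hook fails closed (a non-zero exit makes runc/crun abort creation), which is what guarantees no untracked process ever runs, but it also means an unavailable agent blocks pod starts on that node; and the spec-level `timeout` caps how long the runtime waits for the hook, so it should be set a little above the hook's own socket deadline so the hook can report a meaningful error rather than being killed silently.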
Acceptance criteria
The CreateContainer hook injects the OCI CreateRuntime hook into the container's runtime spec via NRI container adjustment, pointing at the hook binary on the host filesystem.