poststop hook is not run if poststart hook fails

[eriksjolund]

Description

A poststop hook is not run if a poststart hook fails.
crun and runc do not have the same behaviour.

I first opened an issue in the crun project:

• runc vs crun: different behavior when poststart hook fails and poststop hook creates a file containers/crun#2047

Steps to reproduce the issue

On a Fedora 43 system do the following steps:

1. Create hooks dir

   mkdir $HOME/hooks.d
   

2. Create policy file $HOME/hooks.d/foobar1.json containing

   {
     "version": "1.0.0",
     "hook": {
       "path": "/bin/false"
     },
     "when": {
       "annotations": {
       "^myannotation$": "yes"
       }
     },
     "stages": ["poststart"]
   }
   

3. Create policy file $HOME/hooks.d/foobar2.json containing

   {
     "version": "1.0.0",
     "hook": {
       "path": "/bin/touch",
       "args": ["/bin/touch", "/tmp/poststop-created"]
     },
     "when": {
       "annotations": {
       "^myannotation$": "yes"
       }
     },
     "stages": ["poststop"]
   }
   

4. Create file $HOME/test.bash containing

   #!/bin/bash
   set -o nounset
   runtime=$1
   podman \
     --runtime $runtime \
     --hooks-dir ~/hooks.d \
     run \
     --rm \
     --annotation myannotation=yes \
     docker.io/library/alpine \
     sh -c "sleep 1 && echo hello && sleep 1"
   

5. Test with crun (that was built from the git main branch a few days ago: git commit d268d5375bea4ba692cd8e96040a770da78868e5)

   $ ls -l /tmp/poststop-created
   ls: cannot access '/tmp/poststop-created': No such file or directory
   $ bash test.bash /tmp/crun/crun
   2026-03-14T08:25:31.178231Z: error executing hook `/bin/false` (exit code: 1)
   Error: `/tmp/crun/crun start a3035173b6311e002171be689725f2e63f23f31d4c329cf9e4b4cb38d76dc224` failed: exit status 1
   $ ls -l /tmp/poststop-created
   -rw-r--r--. 1 test test 0 Mar 14 09:25 /tmp/poststop-created
   $
   

   result: The file /tmp/poststop-created was created
6. Test with runc (version 1.5.0-rc.1). The executable was installed to /tmp/runc.amd64

   $ ls -l /tmp/poststop-created
   ls: cannot access '/tmp/poststop-created': No such file or directory
   $ bash test.bash /tmp/runc.amd64
   Error: OCI runtime error: /tmp/runc.amd64: time="2026-03-17T17:38:38+01:00" level=error msg="runc create failed: error running poststart hook #0: exit status 1, stdout: , stderr: "
   $ ls -l /tmp/poststop-created
   ls: cannot access '/tmp/poststop-created': No such file or directory
   $
   

   result: The file /tmp/poststop-created was not created

Describe the results you received and expected

In step 6, I would have expected the file /tmp/poststop-created to be created.

What version of runc are you using?

runc version 1.5.0-rc.1
commit: v1.5.0-rc.1-0-g5d2588d3
spec: 1.3.0
go: go1.25.8
libseccomp: 2.6.0

Host OS information

NAME="Fedora Linux"
VERSION="43 (Forty Three)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=43
VERSION_CODENAME=""
PRETTY_NAME="Fedora Linux 43 (Forty Three)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:43"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f43/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=43
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=43
SUPPORT_END=2026-12-02

Host kernel information

Linux asus 6.19.8-200.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Mar 13 22:06:06 UTC 2026 x86_64 GNU/Linux

[lifubang]

In fact, if I use runc directly, I can't reproduce this issue:

root@acmcoder:/opt/ubuntu# ls -l /tmp/poststop-created
ls: cannot access '/tmp/poststop-created': No such file or directory
root@acmcoder:/opt/ubuntu# ./runc -v
runc version 1.5.0-rc.1
commit: v1.5.0-rc.1-0-g5d2588d3
spec: 1.3.0
go: go1.26.1
libseccomp: 2.5.5
root@acmcoder:/opt/ubuntu# ./runc run test
ERRO[0000] runc run failed: error running poststart hook #0: exit status 1, stdout: , stderr:  
root@acmcoder:/opt/ubuntu# ls -l /tmp/poststop-created
-rw-r--r-- 1 root root 0 Mar 18 06:46 /tmp/poststop-created

[kolyshkin]

Can't reproduce this either with runc run, but easily with runc create followed by runc start, which is what podman does. Here's the repro in bats:

[kir@kir-tp1 runc]$ cat tests/integration/hooks-cs.bats
#!/usr/bin/env bats

load helpers

function setup() {
	setup_busybox
}

function teardown() {
	teardown_bundle
}

# https://github.com/opencontainers/runc/issues/5182
@test "runc create/start [poststop hook runs when poststart hook fails]" {
	update_config '	  .process.args = ["/bin/true"]
			| .hooks |= {
				"poststart": [{"path": "/bin/sh", "args": ["sh", "-c", "touch post-start; false"]}],
				"poststop":  [{"path": "/bin/sh", "args": ["sh", "-c", "touch post-stop"]}]
			  }'
	runc create --console-socket "$CONSOLE_SOCKET" ct1
	ls -l post-start post-stop || true
#	[ "$status" -eq 0 ]

	runc start ct1
#	[ "$status" -ne 0 ]
#	[[ "$output" == *" error running poststart hook "* ]]
	# Check that poststop hook ran.
	ls -l post-start post-stop || true

	runc delete -f ct1
	ls -l post-start post-stop || true

	false
}

You can play with this using something like

$ sudo -E RUNC=/usr/bin/crun bats tests/integration/hooks-cs.bats
$ sudo -E RUNC=/usr/bin/runc bats tests/integration/hooks-cs.bats

And here's the difference:

• runc create exits with 1, because it runs the poststart hooks and it fails, and the container is not created. So, podman do not run runc start ever;
• crun create exits with 0, as it does not run poststart hooks yet. So, podman runs crun start which runs the poststart hook, which fails (btw crun doesn't report it). So, podman runs crun delete and it runs the post-stop script.

Oh well, there's a lot of differences here. Meaning, I guess, that hooks are not properly documented in the runtime-spec, nor they are properly validated by runtime-tools. I don't even know how it all works (either hooks are not videly used, or their authors are accustomed to differences between implementations, or those differences are not that important in practice, or most people just stick to one implementation).

[kolyshkin]

Tackling this in #5186; @eriksjolund PTAL

[kolyshkin]

This is actually just another manifestation of the issue reported earlier as #4347.