Add poststop_fail hook test

[fspv]

Description

This implements a test similar to https://github.com/opencontainers/runtime-tools/blob/master/validation/poststop_fail/poststop_fail.go as a part of the #361

NOTE: I believe that the current behaviour is incorrect. See "Additional Context" section for more details. I have left TODOs in the code to highlight the problem.

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Performance improvement
• Test updates
• CI/CD related changes
• Other (please describe):

Testing

• Added new unit tests
• Added new integration tests
• Ran existing test suite
• Tested manually (please provide steps)

Related Issues

#361

Additional Context

When a poststop hook exits with a non-zero status, youki stops executing subsequent hooks and propagates the error, causing the delete operation to fail. This contradicts the OCI runtime spec.

The spec (https://github.com/opencontainers/runtime-spec/blob/main/runtime.md#lifecycle) states:

The poststop hooks MUST be invoked by the runtime. If any poststop hook fails, the runtime MUST log a warning, but the remaining hooks and lifecycle continue as if the hook had succeeded.

Where https://github.com/opencontainers/runtime-spec/blob/main/runtime.md#warnings is defined as:

logging a warning does not change the flow of the operation; it MUST continue as if the warning had not been logged.

Note that poststop is the only hook type with this "warn and continue" requirement. All other hooks (prestart, createRuntime, createContainer, startContainer, poststart) require generating an error on failure.

Current behavior:

Given three poststop hooks where the second one exits with status 1:

• Hook 1 runs successfully
• Hook 2 runs, fails with exit code 1
• Hook 3 never runs
• delete returns an error

Expected behavior:

• All three hooks run regardless of individual failures
• Failures are logged as warnings
• delete succeeds

Bug: https://github.com/youki-dev/youki/blob/d541c752/crates/libcontainer/src/hooks.rs#L149-L156 uses ? at the end of the match block inside the loop, which returns immediately on the first hook failure:

The caller in https://github.com/youki-dev/youki/blob/d541c752/crates/libcontainer/src/container/container_delete.rs#L100-L106 then propagates the error, failing the delete.

This bug (or rather divergence from the spec) exists in runc as well. So maybe the spec instead should be aligned to the actual behaviour?

[fspv]

This problem has been reported to runc a long time ago, but it seems like runc devs decided to keep things as they are opencontainers/runc#1765

[utam0k]

This problem has been reported to runc a long time ago, but it seems like runc devs decided to keep things as they are opencontainers/runc#1765

Should we probably change the OCI spec itself?

[fspv]

I've opened an issue in the spec repo: opencontainers/runtime-spec#1309

[utam0k]

I've opened an issue in the spec repo: opencontainers/runtime-spec#1309

Thanks. Please refer this link in your TODO comment.

[fspv]

added link to the TODO comment