Silently ignore container update failure when the container is already gone

.gitignore

@@ -10,3 +10,4 @@
 /manifests/generated/*
 /wasp
 /manifest-generator
+/OCI-hook/testData/rendered-hook.sh

Makefile

@@ -15,6 +15,7 @@
 .PHONY: manifests \
 		cluster-up cluster-down cluster-sync \
 		test test-functional test-unit test-lint \
+		lint-hook-script \
 		publish \
 		wasp \
 		fmt \
@@ -85,6 +86,9 @@ clean:
 	rm -f ./wasp
 	rm -f ./bin/ginkgo
 
+lint-hook-script:
+	./hack/build/shellcheck-hook.sh
+
 fmt:
 	go fmt .
 

OCI-hook/hookscript.template

@@ -4,11 +4,30 @@ echo "WASP SWAP hook"
 
 set -x
 
+PROC_DIR="${PROC_DIR:-/proc}"
+
 CG_PATH=$(jq -er '.linux.cgroupsPath' < config.json)
-POD_NAMESPACE=$(jq -er '.annotations["io.kubernetes.pod.namespace"]' < config.json)
+if [[ ! "$CG_PATH" =~ .*"burst".* ]]; then
+  exit 0
+fi
 
-if [[ "$CG_PATH" =~ .*"burst".* ]];
-then
-  CONTAINERID=$(jq -er '.linux.cgroupsPath | split(":")[2]' < config.json)
-  {{ .RuntimeCmd }}
+PID=$(jq -er '.pid' < status)
+CONTAINERID=$(jq -er '.linux.cgroupsPath | split(":")[2]' < config.json)
+rc=$({{ .RuntimeCmd }})
+if [ "$rc" -eq 0 ]; then
+  exit 0
+fi
+
+proc_state=$(cut -d' ' -f3 "${PROC_DIR}/$PID/stat" 2>/dev/null)
+if [ -z "$proc_state" ]; then
+  # Process fully gone (already reaped) or stat unreadable
+  # Container finished — expected
+  exit 0
+fi
+if [ "$proc_state" = "Z" ]; then
+  # Container exited normally (zombie, awaiting reap)
+  # Cgroup gone because container finished — expected
+  exit 0
 fi
+# Process is alive but update failed — genuine error
+exit "$rc"

OCI-hook/testData/README.md

@@ -0,0 +1,76 @@
+# OCI Hook Script Test Data
+
+End-to-end test fixtures for the rendered OCI hook script. The test runner
+renders the final hook script using the `oci-hook-render` tool and exercises
+it against each scenario with fake procfs entries and fake crun binaries.
+
+## Directory Structure
+
+```
+testData/
+├── run-tests.sh                              # Test runner
+├── rendered-hook.sh                          # Generated by run-tests.sh (gitignored)
+├── bin/
+│   ├── crun-success/crun                     # Fake crun that exits 0
+│   └── crun-fail/crun                        # Fake crun that exits 1
+└── scenarios/
+    ├── 01-non-burstable/                     # cgroupsPath without "burst" → exit 0
+    │   ├── config.json
+    │   ├── status
+    │   ├── expected_exit_code
+    │   └── use_crun
+    ├── 02-burstable-crun-success/            # crun succeeds → exit 0
+    │   ├── config.json
+    │   ├── status
+    │   ├── expected_exit_code
+    │   └── use_crun
+    ├── 03-burstable-crun-fail-process-gone/  # crun fails, /proc/PID gone → exit 0
+    │   ├── config.json
+    │   ├── status
+    │   ├── proc/                             # Empty (no PID directory)
+    │   ├── expected_exit_code
+    │   └── use_crun
+    ├── 04-burstable-crun-fail-zombie/        # crun fails, process is zombie → exit 0
+    │   ├── config.json
+    │   ├── status
+    │   ├── proc/12345/stat                   # State field = "Z"
+    │   ├── expected_exit_code
+    │   └── use_crun
+    └── 05-burstable-crun-fail-alive/         # crun fails, process is alive → exit 1
+        ├── config.json
+        ├── status
+        ├── proc/12345/stat                   # State field = "S"
+        ├── expected_exit_code
+        └── use_crun
+```
+
+## Scenario Files
+
+Each scenario directory contains:
+
+| File                 | Description                                                    |
+|----------------------|----------------------------------------------------------------|
+| `config.json`        | Fake OCI bundle config with `linux.cgroupsPath`                |
+| `status`             | Fake container status with `pid`                               |
+| `proc/`              | Fake procfs tree (optional, with `PID/stat` if process exists) |
+| `expected_exit_code` | The expected exit code of the hook script                      |
+| `use_crun`           | Which fake crun to use: `success` or `fail`                    |
+
+## Flows Covered
+
+1. **Non-burstable** — cgroupsPath does not contain "burst", hook exits immediately
+2. **Burstable, crun succeeds** — swap update works, hook exits 0
+3. **Burstable, crun fails, process gone** — PID directory missing from procfs, treated as expected container exit
+4. **Burstable, crun fails, zombie** — Process is a zombie (state "Z"), treated as expected container exit
+5. **Burstable, crun fails, alive** — Process is alive (state "S"), treated as genuine error
+
+## Usage
+
+```bash
+./OCI-hook/testData/run-tests.sh
+```
+
+The test runner:
+1. Renders the hook script from `OCI-hook/hookscript.template` using the `oci-hook-render` tool
+2. For each scenario, runs the rendered script with `PROC_DIR` pointing to the scenario's fake procfs and `PATH` prepended with the appropriate fake crun
+3. Compares the actual exit code against the expected exit code

OCI-hook/testData/bin/crun-fail/crun

@@ -0,0 +1,3 @@
+#!/usr/bin/bash
+echo "1"
+exit 1

OCI-hook/testData/bin/crun-success/crun

@@ -0,0 +1,3 @@
+#!/usr/bin/bash
+echo "0"
+exit 0

OCI-hook/testData/run-tests.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+
+#Copyright 2023 The WASP Authors.
+#
+#Licensed under the Apache License, Version 2.0 (the "License");
+#you may not use this file except in compliance with the License.
+#You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#Unless required by applicable law or agreed to in writing, software
+#distributed under the License is distributed on an "AS IS" BASIS,
+#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#See the License for the specific language governing permissions and
+#limitations under the License.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd -P)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd -P)"
+TESTDATA_DIR="${SCRIPT_DIR}"
+SCENARIOS_DIR="${TESTDATA_DIR}/scenarios"
+CRIO_TESTDATA="${REPO_ROOT}/tools/cmd/oci-hook-render/testdata/crun/crio.conf.d"
+TEMPLATE="${REPO_ROOT}/OCI-hook/hookscript.template"
+RENDERED_SCRIPT="${TESTDATA_DIR}/rendered-hook.sh"
+
+echo "=== Rendering OCI hook script ==="
+go run "${REPO_ROOT}/tools/cmd/oci-hook-render/" \
+    -crio-config-dir "${CRIO_TESTDATA}" \
+    -template "${TEMPLATE}" \
+    -o "${RENDERED_SCRIPT}" 2>/dev/null
+chmod +x "${RENDERED_SCRIPT}"
+echo "Rendered to ${RENDERED_SCRIPT}"
+echo
+
+failures=0
+total=0
+
+for scenario_dir in "${SCENARIOS_DIR}"/*/; do
+    scenario=$(basename "${scenario_dir}")
+    total=$((total + 1))
+
+    expected_exit_code=$(tr -d '[:space:]' < "${scenario_dir}/expected_exit_code")
+    use_crun=$(tr -d '[:space:]' < "${scenario_dir}/use_crun")
+    crun_bin_dir="${TESTDATA_DIR}/bin/crun-${use_crun}"
+
+    proc_dir="${scenario_dir}/proc"
+    if [ ! -d "${proc_dir}" ]; then
+        proc_dir=$(mktemp -d)
+        trap_cleanup="rm -rf ${proc_dir}"
+    else
+        trap_cleanup=""
+    fi
+
+    echo "--- ${scenario}"
+    echo "    crun: ${use_crun}, expected exit: ${expected_exit_code}, PROC_DIR: ${proc_dir}"
+
+    set +e
+    (
+        cd "${scenario_dir}"
+        PATH="${crun_bin_dir}:${PATH}" PROC_DIR="${proc_dir}" "${RENDERED_SCRIPT}"
+    ) > /dev/null 2>&1
+    actual_exit_code=$?
+    set -e
+
+    [ -n "${trap_cleanup}" ] && eval "${trap_cleanup}"
+
+    if [ "${actual_exit_code}" -eq "${expected_exit_code}" ]; then
+        echo "    PASS (exit code: ${actual_exit_code})"
+    else
+        echo "    FAIL (expected: ${expected_exit_code}, got: ${actual_exit_code})"
+        failures=$((failures + 1))
+    fi
+    echo
+done
+
+echo "=== Results: $((total - failures))/${total} passed ==="
+
+if [ "${failures}" -gt 0 ]; then
+    echo "FAILED: ${failures} scenario(s) failed"
+    exit 1
+fi
+
+echo "All scenarios passed"

OCI-hook/testData/scenarios/01-non-burstable/config.json

@@ -0,0 +1,5 @@
+{
+  "linux": {
+    "cgroupsPath": "kubepods:besteffort:container123"
+  }
+}

OCI-hook/testData/scenarios/01-non-burstable/expected_exit_code

@@ -0,0 +1 @@
+0

OCI-hook/testData/scenarios/01-non-burstable/status

@@ -0,0 +1,3 @@
+{
+  "pid": 12345
+}

OCI-hook/testData/scenarios/01-non-burstable/use_crun

@@ -0,0 +1 @@
+success

OCI-hook/testData/scenarios/02-burstable-crun-success/config.json

@@ -0,0 +1,5 @@
+{
+  "linux": {
+    "cgroupsPath": "kubepods:burstable:container456"
+  }
+}

OCI-hook/testData/scenarios/02-burstable-crun-success/expected_exit_code

@@ -0,0 +1 @@
+0

OCI-hook/testData/scenarios/02-burstable-crun-success/status

@@ -0,0 +1,3 @@
+{
+  "pid": 12345
+}

OCI-hook/testData/scenarios/02-burstable-crun-success/use_crun

@@ -0,0 +1 @@
+success

OCI-hook/testData/scenarios/03-burstable-crun-fail-process-gone/config.json

@@ -0,0 +1,5 @@
+{
+  "linux": {
+    "cgroupsPath": "kubepods:burstable:container789"
+  }
+}

OCI-hook/testData/scenarios/03-burstable-crun-fail-process-gone/expected_exit_code

@@ -0,0 +1 @@
+0

OCI-hook/testData/scenarios/03-burstable-crun-fail-process-gone/status

@@ -0,0 +1,3 @@
+{
+  "pid": 99999
+}

OCI-hook/testData/scenarios/03-burstable-crun-fail-process-gone/use_crun

@@ -0,0 +1 @@
+fail

OCI-hook/testData/scenarios/04-burstable-crun-fail-zombie/config.json

@@ -0,0 +1,5 @@
+{
+  "linux": {
+    "cgroupsPath": "kubepods:burstable:container321"
+  }
+}

OCI-hook/testData/scenarios/04-burstable-crun-fail-zombie/expected_exit_code

@@ -0,0 +1 @@
+0

OCI-hook/testData/scenarios/04-burstable-crun-fail-zombie/proc/12345/stat

@@ -0,0 +1 @@
+12345 (test) Z 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

OCI-hook/testData/scenarios/04-burstable-crun-fail-zombie/status

@@ -0,0 +1,3 @@
+{
+  "pid": 12345
+}

OCI-hook/testData/scenarios/04-burstable-crun-fail-zombie/use_crun

@@ -0,0 +1 @@
+fail

OCI-hook/testData/scenarios/05-burstable-crun-fail-alive/config.json

@@ -0,0 +1,5 @@
+{
+  "linux": {
+    "cgroupsPath": "kubepods:burstable:container654"
+  }
+}

OCI-hook/testData/scenarios/05-burstable-crun-fail-alive/expected_exit_code

@@ -0,0 +1 @@
+1

OCI-hook/testData/scenarios/05-burstable-crun-fail-alive/proc/12345/stat

@@ -0,0 +1 @@
+12345 (test) S 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

OCI-hook/testData/scenarios/05-burstable-crun-fail-alive/status

@@ -0,0 +1,3 @@
+{
+  "pid": 12345
+}

OCI-hook/testData/scenarios/05-burstable-crun-fail-alive/use_crun

@@ -0,0 +1 @@
+fail

hack/build/run-unit-tests.sh

@@ -32,3 +32,7 @@ ginkgo_dirs=$(go list -f '{{.Dir}}' ${pkgs} 2>/dev/null)
 test_command="env OPERATOR_DIR=${WASP_DIR} ${GINKGO} -v -coverprofile=.coverprofile ${ginkgo_dirs} ${test_args:+-args $test_args}"
 echo "${test_command}"
 ${test_command}
+
+echo ""
+echo "=== Running OCI hook script tests ==="
+"${WASP_DIR}/OCI-hook/testData/run-tests.sh"

hack/build/shellcheck-hook.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+#Copyright 2023 The WASP Authors.
+#
+#Licensed under the Apache License, Version 2.0 (the "License");
+#you may not use this file except in compliance with the License.
+#You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#Unless required by applicable law or agreed to in writing, software
+#distributed under the License is distributed on an "AS IS" BASIS,
+#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#See the License for the specific language governing permissions and
+#limitations under the License.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd -P)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd -P)"
+
+TESTDATA_DIR="${REPO_ROOT}/tools/cmd/oci-hook-render/testdata"
+TEMPLATE="${REPO_ROOT}/OCI-hook/hookscript.template"
+OUT_DIR=$(mktemp -d)
+trap 'rm -rf "${OUT_DIR}"' EXIT
+
+if ! command -v shellcheck &>/dev/null; then
+    echo "Error: shellcheck is not installed"
+    echo "Install it with: dnf install ShellCheck / apt install shellcheck / brew install shellcheck"
+    exit 1
+fi
+
+failures=0
+
+for config_dir in "${TESTDATA_DIR}"/*/crio.conf.d; do
+    fixture=$(basename "$(dirname "${config_dir}")")
+    output="${OUT_DIR}/hook-${fixture}.sh"
+
+    echo "--- Rendering hook script for fixture: ${fixture}"
+    go run "${REPO_ROOT}/tools/cmd/oci-hook-render/" \
+        -crio-config-dir "${config_dir}" \
+        -template "${TEMPLATE}" \
+        -o "${output}" 2>/dev/null
+
+    echo "--- Running shellcheck on: ${fixture}"
+    if shellcheck -x "${output}"; then
+        echo "    PASS: ${fixture}"
+    else
+        echo "    FAIL: ${fixture}"
+        failures=$((failures + 1))
+    fi
+    echo
+done
+
+if [ "${failures}" -gt 0 ]; then
+    echo "shellcheck failed for ${failures} fixture(s)"
+    exit 1
+fi
+
+echo "All hook scripts passed shellcheck"

pkg/wasp/oci-hook-render/render.go

@@ -33,9 +33,9 @@ func (r *Renderer) Render() error {
 
 	switch r.runtimeCmd {
 	case RuncBinary:
-		data.RuntimeCmd = fmt.Sprintf("%s update $CONTAINERID --memory-swap -1\n", RuncBinary)
+		data.RuntimeCmd = fmt.Sprintf("%s update \"$CONTAINERID\" --memory-swap -1\n", RuncBinary)
 	case CrunBinary:
-		data.RuntimeCmd = fmt.Sprintf("%s update --memory-swap=-1 $CONTAINERID\n", CrunBinary)
+		data.RuntimeCmd = fmt.Sprintf("%s update --memory-swap=-1 \"$CONTAINERID\"\n", CrunBinary)
 	default:
 		return fmt.Errorf("unsupported OCI runtime %s", r.runtimeCmd)
 	}