ocihook: Add a networking namespace annotation key

With VM based runtimes (e.g. Kata), the spec.State.Pid value does not
necessarily runs in the container/pod networking namespace, but can also
be in the host one.

With those runtime, using the passed Pid to resolve the networking
namespace for OCI plugins to be used result in setting the container
network entirely in the host namespace. We add a
"nerdct/network-namespace" for runtimes to explictly tell nerdctl which
netns path to use instead of deriving it from the runtime PID.

Signed-off-by: Samuel Ortiz <s.ortiz@apple.com>

Author: Samuel Ortiz

pkg/ocihook/ocihook.go

@@ -44,6 +44,16 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+const (
+	// NetworkNamespace is the network namespace path to be passed to the CNI plugins.
+	// When this annotation is set from the runtime spec.State payload, it takes
+	// precedence over the PID based resolution (/proc/<pid>/ns/net) where pid is
+	// spec.State.Pid.
+	// This is mostly used for VM based runtime, where the spec.State PID does not
+	// necessarily lives in the created container networking namespace.
+	NetworkNamespace = labels.Prefix + "network-namespace"
+)
+
 func Run(stdin io.Reader, stderr io.Writer, event, dataStore, cniPath, cniNetconfPath string) error {
 	if stdin == nil || event == "" || dataStore == "" || cniPath == "" || cniNetconfPath == "" {
 		return errors.New("got insufficient args")