[carry 1738] Clear hook environ variables on empty Env #4323
Conversation
The runtime spec has [1]:
* env (array of strings, OPTIONAL) with the same semantics as IEEE
Std 1003.1-2008's environ.
And running execle or similar with NULL env results in an empty
environent:
$ cat test.c
#include <unistd.h>
int main()
{
return execle("/usr/bin/env", "env", NULL, NULL);
}
$ cc -o test test.c
$ ./test
...no output...
Go's Cmd.Env, on the other hand, has [2]:
If Env is nil, the new process uses the current process's
environment.
This commit works around that by setting Env to an empty slice in
those cases to avoid leaking the runtime environment into the hooks.
[1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
[2]: https://golang.org/pkg/os/exec/#Cmd
Signed-off-by: W. Trevor King <wking@tremily.us>
(cherry picked from commit c11bd33)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
lifubang
force-pushed
the
feat-carry-1738-hook-clear-env
branch
2 times, most recently
from
d3908aa
to
6cedbc9
Compare
| "env": ["mm=tt"] | ||
| }] | ||
| }' | ||
| mm=nn runc run "test_hook-$hook" |
There was a problem hiding this comment.
Not sure what this like is doing here. A debug leftover?
There was a problem hiding this comment.
Or maybe you wanted to check that this var is not visible? But it should be a different var name/value.
If you want a different name, what about runc_env or similar?
There was a problem hiding this comment.
In my brain, the Prestart, Poststart, CreateContainer and CreateRuntime hooks are running in the host, not in the container? So they use host's env when running the hook.
There was a problem hiding this comment.
Only StartContainer hook is running in the container.
| update_config '.hooks = { | ||
| "'$hook'": [{ | ||
| "path": "/bin/sh", | ||
| "args": ["/bin/sh", "-c", "[ \"$mm\"==\"tt\" ] && echo yes, we got tt from the env mm && exit 1 || exit 0"], |
There was a problem hiding this comment.
You can just have
"args": ["/bin/env"],
which prints all environment, and then check below that $output contains ^mm=tt$.
There was a problem hiding this comment.
My bad, I mean "path", not "args".
There was a problem hiding this comment.
In the beginning, I wanted to test it like the way you provided, but we should know that if the hook running success, there is no output. We should raise an error to get the output.
https://github.com/opencontainers/runc/blob/main/libcontainer/configs/config.go#L487-L493
| "path": "/bin/sh", | ||
| "args": ["/bin/sh", "-c", "[[ \"$mm\" == \"nn\" ]] && echo \"$mm\" && exit 1 || exit 0"] |
There was a problem hiding this comment.
Same here, you can use
"path": "/bin/env"
and check that there is no output.
tests/integration/hooks.bats
Outdated
| done | ||
| } | ||
|
|
||
| @test "runc run [hook without env]" { |
There was a problem hiding this comment.
I would add what we check here ("hook without env does not inherit host env"). Maybe add a bug reference as well.
There was a problem hiding this comment.
I guess this test fails today (without the PR), but it will be great to confirm it
There was a problem hiding this comment.
I guess this test fails today (without the PR), but it will be great to confirm it
Yes, you are right, I have tested before I submit this PR.
| "env": ["mm=tt"] | ||
| }] | ||
| }' | ||
| mm=nn runc run "test_hook-$hook" |
There was a problem hiding this comment.
Or maybe you wanted to check that this var is not visible? But it should be a different var name/value.
If you want a different name, what about runc_env or similar?
|
|
||
| @test "runc run [hook with env]" { | ||
| update_config '.process.args = ["/bin/true"]' | ||
| update_config '.process.env = ["mm=nn"]' |
There was a problem hiding this comment.
What if we use a more readable name?
| update_config '.process.env = ["mm=nn"]' | |
| update_config '.process.env = ["container_var=yes"]' |
There was a problem hiding this comment.
Because we do a test in one loop for hook in prestart createRuntime createContainer startContainer poststart; do, but as mentioned in #4323 (comment), the var may be in host, or may be in container, but we should use one var name, so we should not use a specific var name.
tests/integration/hooks.bats
Outdated
| done | ||
| } | ||
|
|
||
| @test "runc run [hook without env]" { |
There was a problem hiding this comment.
I guess this test fails today (without the PR), but it will be great to confirm it
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
lifubang
force-pushed
the
feat-carry-1738-hook-clear-env
branch
from
6cedbc9
to
827bbdb
Compare
|
Even though this is a bug, but it has existed for many years, so if we merge this, it may cause a break change for docker and other tools which use runc for the container runtime. We should check a config.json file generated by containerd to see if there is a env config for hooks. |
1 similar comment
This comment was marked as duplicate.
This comment was marked as duplicate.
|
What I see is crun works the same way, ie the current environment is passed on to the hook. Which is obviously wrong, but the fix may bring in some compatibility issues. Not sure how to assess if it's going to be the case... |
I had some time to look some
cat config.json | jq .hooks
{
"prestart": [
{
"path": "/proc/1158/exe",
"args": [
"libnetwork-setkey",
"-exec-root=/var/run/docker",
"2123cdedbd057cd58fba1c9869d410fcd1e6588f705e0eda6deb345d9a9670c0",
"406aba1a8aaa"
]
}
]
}I also test the binary compiled from this PR with docker, it works fine for a normal use.
It seems that there is no compatibility issues for a normal use, but I don't know whether there are issues for some other unknown complex scenarios. |
Carry #1738
The runtime spec has:
And running
execleor similar withNULLenvresults in an empty environent:Go's
Cmd.Env, on the other hand, has:This commit works around that by setting
a single dummy environment variable[]string{}in those cases to avoid leaking the runtime environment into the hooks.