[carry 1738] Clear hook environ variables on empty Env

[lifubang]

Carry #1738

---

The runtime spec has:

• env (array of strings, OPTIONAL) with the same semantics as IEEE Std 1003.1-2008's environ.

And running execle or similar with NULL env results in an empty environent:

$ cat test.c
#include <unistd.h>

int main()
{
  return execle("/usr/bin/env", "env", NULL, NULL);
}
$ cc -o test test.c
$ ./test
…no output…

Go's Cmd.Env, on the other hand, has:

If Env is nil, the new process uses the current process's environment.

This commit works around that by setting a single dummy environment variable []string{} in those cases to avoid leaking the runtime environment into the hooks.

[kolyshkin]

Not sure what this like is doing here. A debug leftover?

[rata]

Or maybe you wanted to check that this var is not visible? But it should be a different var name/value.

If you want a different name, what about runc_env or similar?

[lifubang]

In my brain, the Prestart, Poststart, CreateContainer and CreateRuntime hooks are running in the host, not in the container? So they use host's env when running the hook.

[lifubang]

Only StartContainer hook is running in the container.

[kolyshkin]

You can just have

"args": ["/bin/env"],

which prints all environment, and then check below that $output contains ^mm=tt$.

[kolyshkin]

My bad, I mean "path", not "args".

[lifubang]

In the beginning, I wanted to test it like the way you provided, but we should know that if the hook running success, there is no output. We should raise an error to get the output.
https://github.com/opencontainers/runc/blob/main/libcontainer/configs/config.go#L487-L493

[kolyshkin]

Same here, you can use

"path": "/bin/env"

and check that there is no output.

[lifubang]

#4323 (comment)

[kolyshkin]

I would add what we check here ("hook without env does not inherit host env"). Maybe add a bug reference as well.

[rata]

I guess this test fails today (without the PR), but it will be great to confirm it

[lifubang]

I guess this test fails today (without the PR), but it will be great to confirm it

Yes, you are right, I have tested before I submit this PR.

[rata]

Thanks for carrying the fix!

[rata]

Or maybe you wanted to check that this var is not visible? But it should be a different var name/value.

If you want a different name, what about runc_env or similar?

[rata]

What if we use a more readable name?

Suggested change

	update_config '.process.env = ["mm=nn"]'
	update_config '.process.env = ["container_var=yes"]'

[lifubang]

Because we do a test in one loop for hook in prestart createRuntime createContainer startContainer poststart; do, but as mentioned in #4323 (comment), the var may be in host, or may be in container, but we should use one var name, so we should not use a specific var name.

[kolyshkin]

What about self-descriptive names such as TEST_VAR for variable name, and host_value and TEST_VAR=container_value (for values), or some such, to increase the test code readability.

[rata]

I guess this test fails today (without the PR), but it will be great to confirm it

[lifubang]

Even though this is a bug, but it has existed for many years, so if we merge this, it may cause a break change for docker and other tools which use runc for the container runtime. We should check a config.json file generated by containerd to see if there is a env config for hooks.

[kolyshkin]

What I see is crun works the same way, ie the current environment is passed on to the hook. Which is obviously wrong, but the fix may bring in some compatibility issues. Not sure how to assess if it's going to be the case...

[lifubang]

We should check a config.json file generated by containerd to see if there is a env config for hooks.

I had some time to look some config.json files in my company's cluster:

1. In k8s cluster: no hooks;
2. In docker swarm cluster: only one prestart hook, and using a absolute path:

cat config.json | jq .hooks
{
  "prestart": [
    {
      "path": "/proc/1158/exe",
      "args": [
        "libnetwork-setkey",
        "-exec-root=/var/run/docker",
        "2123cdedbd057cd58fba1c9869d410fcd1e6588f705e0eda6deb345d9a9670c0",
        "406aba1a8aaa"
      ]
    }
  ]
}

I also test the binary compiled from this PR with docker, it works fine for a normal use.

but the fix may bring in some compatibility issues.

It seems that there is no compatibility issues for a normal use, but I don't know whether there are issues for some other unknown complex scenarios.

[kolyshkin]

Left a few comments, mostly about the test.

We also need a changelog entry as this might bring compatibility issues.

@opencontainers/runc-maintainers PTAL

[kolyshkin]

Maybe add a comment like

Suggested change

	cmd.Env = []string{}
	// If Env is not specified, do not inherit the current environment.
	cmd.Env = []string{}

[kolyshkin]

So, this test case checks that hooks.$name.env is set as expected ($TEST_VAR == "val", but the test code also sets the same TEST_ENV=val for

1. process.env
2. host env

It's not clear why 1 and 2 are needed, and why they use the same name and value.

To me, if you want to check that host env and/or process env is not leaking into hook's env, you should use different names, and check they are not present.

Or, just don't set either host or process env, and merely check that hook env is exactly the same as specified.

[kolyshkin]

Why not test poststop?

[kolyshkin]

Unlike the previous @test, this one actually makes sense (but maybe add a comment that here we set TEST_VAR=val for runc run and for the process spec, and check that neither one leaks to hook's env.

[kolyshkin]

Why not test poststop?