Skip to content

Commit 35824b6

Browse files
openshift-merge-robotopenshift-merge-robot
authored
Merge pull request #20148 from vrothberg/conmon-env
libpod: pass entire environment to conmon
2 parents 31f9e67 + 7ade972 commit 35824b6

File tree

3 files changed

+25
-64
lines changed

3 files changed

+25
-64
lines changed

libpod/oci_conmon_common.go

Lines changed: 18 additions & 55 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,6 @@ import (
3535
"github.com/containers/podman/v4/pkg/specgenutil"
3636
"github.com/containers/podman/v4/pkg/util"
3737
"github.com/containers/podman/v4/utils"
38-
"github.com/containers/storage/pkg/homedir"
3938
spec "github.com/opencontainers/runtime-spec/specs-go"
4039
"github.com/sirupsen/logrus"
4140
"golang.org/x/sys/unix"
@@ -1042,11 +1041,6 @@ func (r *ConmonOCIRuntime) getLogTag(ctr *Container) (string, error) {
10421041
func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *ContainerCheckpointOptions) (int64, error) {
10431042
var stderrBuf bytes.Buffer
10441043

1045-
runtimeDir, err := util.GetRuntimeDir()
1046-
if err != nil {
1047-
return 0, err
1048-
}
1049-
10501044
parentSyncPipe, childSyncPipe, err := newPipe()
10511045
if err != nil {
10521046
return 0, fmt.Errorf("creating socket pair: %w", err)
@@ -1189,7 +1183,10 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
11891183
}
11901184

11911185
// 0, 1 and 2 are stdin, stdout and stderr
1192-
conmonEnv := r.configureConmonEnv(runtimeDir)
1186+
conmonEnv, err := r.configureConmonEnv()
1187+
if err != nil {
1188+
return 0, fmt.Errorf("configuring conmon env: %w", err)
1189+
}
11931190

11941191
var filesToClose []*os.File
11951192
if preserveFDs > 0 {
@@ -1251,7 +1248,7 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
12511248
if restoreOptions != nil {
12521249
runtimeRestoreStarted = time.Now()
12531250
}
1254-
err = startCommand(cmd, ctr)
1251+
err = cmd.Start()
12551252

12561253
// regardless of whether we errored or not, we no longer need the children pipes
12571254
childSyncPipe.Close()
@@ -1311,38 +1308,23 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
13111308
}
13121309

13131310
// configureConmonEnv gets the environment values to add to conmon's exec struct
1314-
// TODO this may want to be less hardcoded/more configurable in the future
1315-
func (r *ConmonOCIRuntime) configureConmonEnv(runtimeDir string) []string {
1316-
var env []string
1317-
for _, e := range os.Environ() {
1318-
if strings.HasPrefix(e, "LC_") {
1319-
env = append(env, e)
1320-
}
1321-
if strings.HasPrefix(e, "LANG=") {
1322-
env = append(env, e)
1311+
func (r *ConmonOCIRuntime) configureConmonEnv() ([]string, error) {
1312+
env := os.Environ()
1313+
res := make([]string, 0, len(env))
1314+
for _, v := range env {
1315+
if strings.HasPrefix(v, "NOTIFY_SOCKET=") {
1316+
// The NOTIFY_SOCKET must not leak into the environment.
1317+
continue
13231318
}
1319+
res = append(res, v)
13241320
}
1325-
if path, ok := os.LookupEnv("PATH"); ok {
1326-
env = append(env, fmt.Sprintf("PATH=%s", path))
1327-
}
1328-
if conf, ok := os.LookupEnv("CONTAINERS_CONF"); ok {
1329-
env = append(env, fmt.Sprintf("CONTAINERS_CONF=%s", conf))
1330-
}
1331-
if conf, ok := os.LookupEnv("CONTAINERS_CONF_OVERRIDE"); ok {
1332-
env = append(env, fmt.Sprintf("CONTAINERS_CONF_OVERRIDE=%s", conf))
1333-
}
1334-
if conf, ok := os.LookupEnv("CONTAINERS_HELPER_BINARY_DIR"); ok {
1335-
env = append(env, fmt.Sprintf("CONTAINERS_HELPER_BINARY_DIR=%s", conf))
1336-
}
1337-
env = append(env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
1338-
env = append(env, fmt.Sprintf("_CONTAINERS_USERNS_CONFIGURED=%s", os.Getenv("_CONTAINERS_USERNS_CONFIGURED")))
1339-
env = append(env, fmt.Sprintf("_CONTAINERS_ROOTLESS_UID=%s", os.Getenv("_CONTAINERS_ROOTLESS_UID")))
1340-
home := homedir.Get()
1341-
if home != "" {
1342-
env = append(env, fmt.Sprintf("HOME=%s", home))
1321+
runtimeDir, err := util.GetRuntimeDir()
1322+
if err != nil {
1323+
return nil, err
13431324
}
13441325

1345-
return env
1326+
res = append(res, "XDG_RUNTIME_DIR="+runtimeDir)
1327+
return res, nil
13461328
}
13471329

13481330
// sharedConmonArgs takes common arguments for exec and create/restore and formats them for the conmon CLI
@@ -1422,25 +1404,6 @@ func (r *ConmonOCIRuntime) sharedConmonArgs(ctr *Container, cuuid, bundlePath, p
14221404
return args
14231405
}
14241406

1425-
func startCommand(cmd *exec.Cmd, ctr *Container) error {
1426-
// Make sure to unset the NOTIFY_SOCKET and reset it afterwards if needed.
1427-
switch ctr.config.SdNotifyMode {
1428-
case define.SdNotifyModeContainer, define.SdNotifyModeIgnore:
1429-
if prev := os.Getenv("NOTIFY_SOCKET"); prev != "" {
1430-
if err := os.Unsetenv("NOTIFY_SOCKET"); err != nil {
1431-
logrus.Warnf("Error unsetting NOTIFY_SOCKET %v", err)
1432-
}
1433-
defer func() {
1434-
if err := os.Setenv("NOTIFY_SOCKET", prev); err != nil {
1435-
logrus.Errorf("Resetting NOTIFY_SOCKET=%s", prev)
1436-
}
1437-
}()
1438-
}
1439-
}
1440-
1441-
return cmd.Start()
1442-
}
1443-
14441407
// newPipe creates a unix socket pair for communication.
14451408
// Returns two files - first is parent, second is child.
14461409
func newPipe() (*os.File, *os.File, error) {

libpod/oci_conmon_exec_common.go

Lines changed: 5 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,6 @@ import (
1717
"github.com/containers/podman/v4/libpod/define"
1818
"github.com/containers/podman/v4/pkg/errorhandling"
1919
"github.com/containers/podman/v4/pkg/lookup"
20-
"github.com/containers/podman/v4/pkg/util"
2120
spec "github.com/opencontainers/runtime-spec/specs-go"
2221
"github.com/sirupsen/logrus"
2322
"golang.org/x/sys/unix"
@@ -374,11 +373,6 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex
374373
}
375374
}()
376375

377-
runtimeDir, err := util.GetRuntimeDir()
378-
if err != nil {
379-
return nil, nil, err
380-
}
381-
382376
finalEnv := make([]string, 0, len(options.Env))
383377
for k, v := range options.Env {
384378
finalEnv = append(finalEnv, fmt.Sprintf("%s=%s", k, v))
@@ -438,7 +432,10 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex
438432
// }
439433
// }
440434

441-
conmonEnv := r.configureConmonEnv(runtimeDir)
435+
conmonEnv, err := r.configureConmonEnv()
436+
if err != nil {
437+
return nil, nil, fmt.Errorf("configuring conmon env: %w", err)
438+
}
442439

443440
var filesToClose []*os.File
444441
if options.PreserveFDs > 0 {
@@ -461,7 +458,7 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex
461458
Setpgid: true,
462459
}
463460

464-
err = startCommand(execCmd, c)
461+
err = execCmd.Start()
465462

466463
// We don't need children pipes on the parent side
467464
errorhandling.CloseQuiet(childSyncPipe)

test/system/030-run.bats

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1288,7 +1288,7 @@ search | $IMAGE |
12881288
done < <(parse_table "$tests")
12891289
}
12901290

1291-
@test "podman --syslog passed to conmon" {
1291+
@test "podman --syslog and environment passed to conmon" {
12921292
skip_if_remote "--syslog is not supported for remote clients"
12931293
skip_if_journald_unavailable
12941294

@@ -1298,6 +1298,7 @@ search | $IMAGE |
12981298
run_podman container inspect $cid --format "{{ .State.ConmonPid }}"
12991299
conmon_pid="$output"
13001300
is "$(< /proc/$conmon_pid/cmdline)" ".*--exit-command-arg--syslog.*" "conmon's exit-command has --syslog set"
1301+
assert "$(< /proc/$conmon_pid/environ)" =~ "BATS_TEST_TMPDIR" "entire env is passed down to conmon (incl. BATS variables)"
13011302

13021303
run_podman rm -f -t0 $cid
13031304
}

0 commit comments

Comments
 (0)