libpod: pass entire environment to conmon #20148
Conversation
openshift-ci
bot
added
release-note-none
do-not-merge/work-in-progress
openshift-ci
bot
added
approved
vrothberg
force-pushed
the
conmon-env
branch
from
76922b2 to
cb6bebf
Compare
libpod/oci_conmon_common.go
Outdated
| env = append(env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir)) | ||
| env = append(env, fmt.Sprintf("_CONTAINERS_USERNS_CONFIGURED=%s", os.Getenv("_CONTAINERS_USERNS_CONFIGURED"))) | ||
| env = append(env, fmt.Sprintf("_CONTAINERS_ROOTLESS_UID=%s", os.Getenv("_CONTAINERS_ROOTLESS_UID"))) | ||
| home := homedir.Get() | ||
| if home != "" { | ||
| if home := homedir.Get(); home != "" { | ||
| env = append(env, fmt.Sprintf("HOME=%s", home)) |
There was a problem hiding this comment.
libpod always sets XDG_RUNTIME_DIR so I don't think we need that at all and can leave the env just nil so that the golang API just passes down the env as is
vrothberg
force-pushed
the
conmon-env
branch
2 times, most recently
from
c02cd14 to
c2934cc
Compare
|
Cockpit tests failed for commit c02cd14eee9ab81672e967960eeacd3263fa3546. @martinpitt, @jelly, @mvollmer please check. |
|
Cockpit tests failed for commit c2934cc0373625304dbebb49e69aa6bbcaffe66d. @martinpitt, @jelly, @mvollmer please check. |
|
@vrothberg : That breakage of |
libpod/oci_conmon_common.go
Outdated
| if strings.HasPrefix(v, "NOTIFY_SOCKET=") { | ||
| // The NOTIFY_SOCKET cannot leak into the environment. | ||
| continue |
There was a problem hiding this comment.
-
I think you can remove the startCommand() function workaround with this change
-
Looking at the test failure I think we also need to unset XDG_RUNTIME_DIR when run as root, the problem is that when you login with ssh for example we also get
XDG_RUNTIME_DIR=/run/user/0as root so this makes crun store its files under a different location thus failing to find it.
Thanks for checking, Martin! I will take a look |
Pass the _entire_ environment to conmon instead of selectively enabling only specific variables. The main reasoning is to make sure that conmon and the podman-cleanup callback process operate in the exact same environment than the initial podman process. Some configuration files may be passed via environment variables. Podman not passing those down to conmon has led to subtle and hard to debug issues in the past, so passing all down will avoid such kinds of issues in the future. Signed-off-by: Valentin Rothberg <[email protected]>
vrothberg
force-pushed
the
conmon-env
branch
from
c2934cc to
7ade972
Compare
|
Code changes LGTM |
| conmonEnv, err := r.configureConmonEnv() | ||
| if err != nil { | ||
| return 0, fmt.Errorf("configuring conmon env: %w", err) | ||
| } |
There was a problem hiding this comment.
LGTM. I've been trying my best to find a way to break this, like setting IFS or other nasties, and can't find any problems.
One suggestion for cleanup: if you scroll down a few lines, to 1200, cmd.Env = r.conmonEnv, that seems to be a NOP. r.conmonEnv is set above to .Engine.ConmonEnvVars, which in turn is defined in
Lines 191 to 192 in 94f47d6
There was a problem hiding this comment.
Great catch! Ough ... I really don't like how we threw containers.conf over the wall and years after still find (on a weekly basis) that many options are not tested at all :( Rushed things turn into ghosts 👻
There was a problem hiding this comment.
@edsantiago, I made a note to fix this in another PR. I think it's time to sit down and check which containers.conf options/fields are actually used and then decide case-by-case what to do with them.
There was a problem hiding this comment.
@baude something for 5.0.
|
Changes LGTM |
|
@Luap99 PTAL |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Luap99, vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
github-actions
bot
added
the
locked - please file new issue/PR
Pass the entire environment to conmon instead of selectively enabling only specific variables. The main reasoning is to make sure that conmon and the podman-cleanup callback process operate in the exact same environment than the initial podman process. Some configuration files may be passed via environment variables. Podman not passing those down to conmon has led to subtle and hard to debug issues in the past, so passing all down will avoid such kinds of issues in the future.
Does this PR introduce a user-facing change?