Open lifubang opened 2 weeks ago
Even though this is a bug, but it has existed for many years, so if we merge this, it may cause a break change for docker and other tools which use runc for the container runtime. We should check a config.json file generated by containerd to see if there is a env config for hooks.
Even though this is a bug, but it has existed for many years, so if we merge this, it may cause a break change for docker and other tools which use runc for the container runtime. We should check a config.json file generated by containerd to see if there is a env config for hooks.
What I see is crun works the same way, ie the current environment is passed on to the hook. Which is obviously wrong, but the fix may bring in some compatibility issues. Not sure how to assess if it's going to be the case...
We should check a config.json file generated by containerd to see if there is a env config for hooks.
I had some time to look some config.json
files in my company's cluster:
prestart
hook, and using a absolute path:
cat config.json | jq .hooks
{
"prestart": [
{
"path": "/proc/1158/exe",
"args": [
"libnetwork-setkey",
"-exec-root=/var/run/docker",
"2123cdedbd057cd58fba1c9869d410fcd1e6588f705e0eda6deb345d9a9670c0",
"406aba1a8aaa"
]
}
]
}
I also test the binary compiled from this PR with docker, it works fine for a normal use.
but the fix may bring in some compatibility issues.
It seems that there is no compatibility issues for a normal use, but I don't know whether there are issues for some other unknown complex scenarios.
Carry #1738
The runtime spec has:
And running
execle
or similar withNULL
env
results in an empty environent:Go's
Cmd.Env
, on the other hand, has:This commit works around that by setting
a single dummy environment variable[]string{}
in those cases to avoid leaking the runtime environment into the hooks.