Add option --unsetenv to remove default environment variables #12100
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Fixes: #11836 |
@@ -1037,6 +1037,12 @@ Remote connections use local containers.conf for defaults | |||
Set the umask inside the container. Defaults to `0022`. | |||
Remote connections use local containers.conf for defaults | |||
|
|||
#### **--unsetenv**=*env* | |||
|
|||
Unset default environment variables. These can be configured via buildin, |
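Review bot: The added description line ("Unset default environment variables. These can be configured via buildin,") misspells "built-in" and leaves the reader guessing which defaults are meant. Name each source of defaults explicitly and state whether variables passed with `--env` are affected by the option.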
"Unset default environment variables for the container. Default environment variables include variables provided natively by Podman, environment variables configured by the image, and environment variables from containers.conf
"
pkg/specgen/specgen.go
Outdated
@@ -194,6 +194,9 @@ type ContainerBasicConfig struct { | |||
// The execution domain system allows Linux to provide limited support | |||
// for binaries compiled under other UNIX-like operating systems. | |||
Personality *spec.LinuxPersonality `json:"personality,omitempty"` | |||
// Unsetenv is a unset default environment variables from the image or from buildin | |||
// Optional. | |||
Unsetenv []string `json:"unsetenv,omitempty"` |
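Review bot: The doc comment on the new field ("Unsetenv is a unset default environment variables from the image or from buildin") is ungrammatical and does not say what the slice holds. Suggest wording along the lines of "Unsetenv is a list of default environment variable names to remove from the container's environment", and say whether names are matched exactly.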
Please rename to UnsetEnv
@@ -332,6 +331,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt | |||
|
|||
BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), s.Mask, s.Unmask, &g) | |||
|
|||
g.ClearProcessEnv() |
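Review bot: `g.ClearProcessEnv()` right after `BlockAccessToKernelFilesystems(...)` discards whatever environment the generator holds at that point, and nothing in this hunk shows it being repopulated. Add a comment stating which defaults are being dropped and where the final environment is set, so a later reordering does not leave the container process with an empty environment.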
This seems dangerous, you're clearing all the default environment variables?
All the defaults set in runtime-tools, which sets TERM and PATH. We set both of those and currently override what runtime-tools sets.
@@ -88,9 +89,6 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat | |||
if err != nil { | |||
return nil, errors.Wrap(err, "error parsing fields in containers.conf") | |||
} | |||
if defaultEnvs["container"] == "" { | |||
defaultEnvs["container"] = "podman" |
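Review bot: The `container` default (`defaultEnvs["container"] = "podman"`) leaves CompleteSpec in this hunk, which shrinks by three lines per the `@@ -88,9 +89,6` header, with no replacement visible here. Point to the new location in the commit message or a code comment, and keep a test that asserts `container=podman` is still present in a default run.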
Where is this getting set now? You've removed every instance of `container=podman` I can find.
It is set in pkg/env/DefaultEnvVariables()
Fixes: #11566 |
minor quibbles
test/system/030-run.bats
Outdated
@test "podman run defaultenv" { | ||
run_podman run --rm $IMAGE printenv | ||
is "$output" ".*TERM=xterm" "output matches TERM" | ||
is "$output" ".*container=podman" "output matches TERM" |
Looks suspiciously like copy-paste inaccuracy (line 745 too).
test/system/030-run.bats
Outdated
|
||
run_podman run --unsetenv=TERM --rm $IMAGE printenv | ||
is "$output" ".*container=podman" "output matches TERM" | ||
run grep TERM <(echo "$output") |
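Review bot: `run grep TERM <(echo "$output")` matches any line that contains the substring TERM, whether in a variable name or in a value, so an unrelated variable can change the outcome of the check. Anchor the pattern to the variable name, for example `grep '^TERM='`, so the test only reacts to the variable that `--unsetenv=TERM` is meant to remove.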
Suggestion: `<<<"$output"` (three anglebrackets) instead of `<(...)`
test/system/030-run.bats
Outdated
|
||
run_podman run --unsetenv=all --rm $IMAGE /bin/printenv | ||
run grep TERM <(echo "$output") | ||
is "$output" "" "unwanted TERM environment variable" |
(very minor nit): Suggestion here and below: "unwanted ... environment variable despite --unsetenv=all"
I don't know if it's possible, as it looks like you're clearing all, but it would be nice to get a confirmation from the user for each variable unset unless they also pass in the I don't think either is required for this PR, just thought I'd throw the suggestions out there for rumination. |
I think it is better to have two command-line options, Using two command-line options, for instance
will make it more straight-forward to describe the command-line options
A very hypothetical scenario: If you are writing some other software interacting with
pseudo code:
I see that the special value style has been used before:
--group-add=group|keep-groups
--network=mode
Special-value style used in documentation
Example 1: --network
See
When listing the valid mode values: bridge, none, container:id, network, ns:path, ...
network: Connect to a user-defined network, multiple networks should be comma-separated.
I often have to read the line twice before realizing that I need to substitute network with the network name.
Example 2: --env
Documentation of
LGTM |
libpod/define/container_inspect.go
Outdated
@@ -30,6 +30,8 @@ type InspectContainerConfig struct { | |||
StdinOnce bool `json:"StdinOnce"` | |||
// Container environment variables | |||
Env []string `json:"Env"` | |||
// Unset container environment variables | |||
UnsetEnv []string `json:"UnsetEnv"` |
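Review bot: The comment "Unset container environment variables" on `UnsetEnv` can be read as "variables that are not set"; say that the field lists the default variable names removed when the container was created. Without `omitempty` in the `json:"UnsetEnv"` tag the key will also be emitted for every container that never used the option.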
Can you make this `OmitEmpty`?
Also - where's this getting set? I don't see any changes to `container_inspect.go` in libpod
I removed it, since we only want to see the actual Env in the container. Unsetenv and UnsetenvAll have already done their thing.
Podman adds a few environment variables by default, and currently there is no way to get rid of them from your container. This option will allow you to specify which defaults you don't want. --unsetenv-all will remove all default environment variables. Default environment variables can come from podman builtin, containers.conf or from the container image. Fixes: containers#11836 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
LGTM. Just a few minor nits.
@@ -174,10 +174,14 @@ function check_listen_env() { | |||
if is_remote; then | |||
is "$output" "$stdenv" "LISTEN Environment did not pass: $context" | |||
else | |||
is "$output" "$stdenv | |||
out=$(for o in $output; do echo $o; done| sort) |
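Review bot: The unquoted `$output` and `$o` in `for o in $output; do echo $o; done` undergo pathname expansion as well as word splitting, so a value containing `*` or `?` can be replaced by matching file names before it reaches `sort`. Sort the quoted string directly so the comparison sees the environment exactly as the container printed it.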
If for any reason you need to resubmit, could I suggest this instead?
out=$(sort <<<"$output")
Reason: if there's ever an environment variable whose value includes a space (unlikely), the `for` loop will print each space-separated token on a new line.
echo "<$out>" | ||
echo "<$std>" |
You probably don't need these, since the `is` will display them on failure.
LGTM |
Flake is #12273, restarting. |
Yet another new flake, filed #12306 and restarted. |
/lgtm |
/hold cancel |
Podman adds a few environment variables by default, and
currently there is no way to get rid of them from your container.
This option will allow you to specify which defaults you don't
want.
--unsetenv-all will remove all default environment variables.
Default environment variables can come from podman builtin,
containers.conf or from the container image.
Fixes: #11836
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
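The layering described in this PR's description, sketched as an added Go example that is not Podman's code: defaults from the three sources are merged, the requested names (or all defaults) are dropped, and explicitly set variables are applied last. The `EnvSource` type, the `BuildEnv` function, the merge order and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// EnvSource is one layer of default environment variables (hypothetical type).
type EnvSource map[string]string

// BuildEnv merges the default layers in order (later layers win), removes the
// names listed in unset (or skips every default when unsetAll is true), and
// then applies the variables the user set explicitly. The assumption here is
// that user-set variables are never removed by the unset options.
func BuildEnv(defaults []EnvSource, unset []string, unsetAll bool, user EnvSource) []string {
	env := map[string]string{}
	if !unsetAll {
		for _, layer := range defaults {
			for k, v := range layer {
				env[k] = v
			}
		}
		for _, name := range unset {
			delete(env, name) // exact-name match only
		}
	}
	for k, v := range user {
		env[k] = v
	}
	out := make([]string, 0, len(env))
	for k, v := range env {
		out = append(out, k+"="+v)
	}
	sort.Strings(out) // stable output for comparison in tests
	return out
}

func main() {
	// Constructed sample layers: built-in, containers.conf, image.
	builtin := EnvSource{"container": "podman", "TERM": "xterm", "PATH": "/usr/bin:/bin"}
	conf := EnvSource{"http_proxy": "http://proxy.example:3128"}
	image := EnvSource{"PATH": "/app/bin:/usr/bin", "BUILD_ID": "constructed-123"}
	layers := []EnvSource{builtin, conf, image}

	fmt.Println(strings.Join(BuildEnv(layers, []string{"http_proxy", "TERM"}, false, nil), "\n"))
	fmt.Println(strings.Join(BuildEnv(layers, nil, true, EnvSource{"APP_MODE": "prod"}), "\n"))
}
```

The first call keeps `BUILD_ID`, `PATH` and `container` while dropping the two named defaults; the second leaves only the explicitly set `APP_MODE`.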