Meaning of env_whitelist and passing vars from os.environ. #279

Closed
GrahamDumpleton opened this issue Mar 14, 2018 · 4 comments
@GrahamDumpleton
Contributor

When using kernel_gateway on RHEL/CentOS with SCL (www.softwarecollections.org) versions of Python, there is a dependency on LD_LIBRARY_PATH being passed through to processes created which use Python. If this isn't done, you end up with errors such as:

[KernelGatewayApp] KernelRestarter: restarting kernel (3/5), new random ports
[KernelGatewayApp] Starting kernel: ['/opt/app-root/bin/python3', '-m', 'ipykernel_launcher', '-f', '/opt/app-root/src/.local/share/jupyter/runtime/kernel-5f5bb348-3c3a-4ec5-aea2-fafba2c0cf3a.json']
/opt/app-root/bin/python3: error while loading shared libraries: libpython3.5m.so.rh-python35-1.0: cannot open shared object file: No such file or directory

There does exist the configuration setting:

--JupyterWebsocketPersonality.env_whitelist=<List>
    Default: []
    Environment variables allowed to be set when a client requests a new kernel

but it doesn't have the desired effect of allowing you to white list additional environment variables from os.environ so they get passed. Instead, the white list is applied to the model['env'] in code, which I am presuming is some description of the kernel being run.

            env.update({key: value for key, value in model['env'].items()
                   if key.startswith('KERNEL_') or key in self.env_whitelist})

What is model['env'] in this situation? It comes through as empty.

Should the code perhaps be:

            env.update({key: value for key, value in os.environ.items()
                   if key.startswith('KERNEL_') or key in self.env_whitelist})

Or is there some other way of being able to white list environment variables that will be passed through to the kernel application process?

@GrahamDumpleton
Contributor Author

So this model['env'] is environment variables passed across from the remote client triggering the creation of the kernel instance. It seems we therefore need to look for a separate configuration setting which allows process environment variables from the process starting the kernel sub process to be passed through. Right now only PATH is passed through.

            # Start with the PATH from the current env. Do not provide the entire environment
            # which might contain server secrets that should not be passed to kernels.
            env = {'PATH': os.getenv('PATH', '')}

So add after this:

            env.update({key: value for key, value in os.environ.items()
                   if key.startswith('KERNEL_') or key in NEW_WHITELIST_ENV_SETTING})

where NEW_WHITELIST_ENV_SETTING is replaced with a reference to the new configuration setting.

@GrahamDumpleton
Contributor Author

So propose adding new configuration:

--KernelGatewayApp.env_whitelist=<List>
    Default: []
    Environment variables to be inherited by a new kernel

Thus have:

            # Start with the PATH from the current env. Do not provide the entire environment
            # which might contain server secrets that should not be passed to kernels.
            env = {'PATH': os.getenv('PATH', '')}
            # Inherit whitelist environment variables from current process environment
            env.update({key: value for key, value in os.environ.items()
                   if key in self.settings['kf_env_whitelist']})
            # Whitelist KERNEL_* args and those allowed by configuration from client
            env.update({key: value for key, value in model['env'].items()
                   if key.startswith('KERNEL_') or key in self.env_whitelist})
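
The two-stage filtering proposed above, as an added example that is not part of the original comments or the project's code. The function `build_kernel_env`, its parameter names and all sample values are assumptions constructed for illustration; it also shows that a name placed on both lists lets the client's value replace the inherited one.

```python
import os


def build_kernel_env(process_env, client_env, process_allowlist, client_allowlist):
    """Assemble the environment for a new kernel subprocess (hypothetical helper).

    process_env: environment of the gateway process (os.environ in practice).
    client_env:  the 'env' mapping sent by the remote client in its request.
    """
    # Start with PATH only, so server secrets are not inherited by default.
    env = {'PATH': process_env.get('PATH', '')}
    # Variables the operator chose to inherit from the gateway process.
    env.update({key: value for key, value in process_env.items()
                if key in process_allowlist})
    # Client-supplied variables: KERNEL_* plus names the operator allowed.
    # Applied last, so a name on both lists takes the client's value.
    env.update({key: value for key, value in client_env.items()
                if key.startswith('KERNEL_') or key in client_allowlist})
    return env


# Constructed sample data, not taken from the issue.
SERVER_ENV = {
    'PATH': '/opt/app-root/bin:/usr/bin',
    'LD_LIBRARY_PATH': '/opt/rh/rh-python35/root/usr/lib64',
    'KG_AUTH_TOKEN': 'constructed-secret',
}
CLIENT_ENV = {
    'KERNEL_USERNAME': 'alice',
    'PATH': '/tmp/client/bin',
    'LD_LIBRARY_PATH': '/tmp/untrusted',
}

if __name__ == '__main__':
    # Inherit LD_LIBRARY_PATH from the server; accept only KERNEL_* from the client.
    for name, value in sorted(build_kernel_env(
            SERVER_ENV, CLIENT_ENV, ['LD_LIBRARY_PATH'], []).items()):
        print(name, '=', value)
    # Real use would pass os.environ as process_env.
    print('gateway PATH:', os.environ.get('PATH', ''))
```
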

@rolweber
Contributor

I see that in the PR, you already changed the name of the configuration value to env_process_whitelist. That addresses my concern about having two parameters with the same name in different App namespaces.

@kevin-bates
Member

This was fixed by #280 - closing.
