Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option --unsetenv to remove default environment variables #12100

Merged
merged 1 commit into from
Nov 16, 2021

Conversation

rhatdan
Copy link
Member

@rhatdan rhatdan commented Oct 26, 2021

Podman adds a few environment variables by default, and
currently there is no way to get rid of them from your container.
This option will allow you to specify which defaults you don't
want.

--unsetenv-all will remove all default environment variables.

Default environment variables can come from podman builtin,
containers.conf or from the container image.

Fixes: #11836

Signed-off-by: Daniel J Walsh [email protected]

What this PR does / why we need it:

How to verify it

Which issue(s) this PR fixes:

Special notes for your reviewer:

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 26, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 26, 2021
@rhatdan
Copy link
Member Author

rhatdan commented Oct 26, 2021

Fixes: #11836

@@ -1037,6 +1037,12 @@ Remote connections use local containers.conf for defaults
Set the umask inside the container. Defaults to `0022`.
Remote connections use local containers.conf for defaults

#### **--unsetenv**=*env*

Unset default environment variables. These can be configured via buildin,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Unset default environment variables for the container. Default environment variables include variables provided natively by Podman, environment variables configured by the image, and environment variables from containers.conf"

@@ -194,6 +194,9 @@ type ContainerBasicConfig struct {
// The execution domain system allows Linux to provide limited support
// for binaries compiled under other UNIX-like operating systems.
Personality *spec.LinuxPersonality `json:"personality,omitempty"`
// Unsetenv is a unset default environment variables from the image or from buildin
// Optional.
Unsetenv []string `json:"unsetenv,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rename to UnsetEnv

@@ -332,6 +331,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt

BlockAccessToKernelFilesystems(s.Privileged, s.PidNS.IsHost(), s.Mask, s.Unmask, &g)

g.ClearProcessEnv()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems dangerous, you're clearing all the default environment variables?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the defaults set in runtime-tools, Which sets TERM and PATH. We set both of those and currently override what runtime-tools sets.

@@ -88,9 +89,6 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
if err != nil {
return nil, errors.Wrap(err, "error parsing fields in containers.conf")
}
if defaultEnvs["container"] == "" {
defaultEnvs["container"] = "podman"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is this getting set now? You've removed every instance of container=podman I can find.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is set in pkg/env/DefaultEnvVariables()

@rhatdan
Copy link
Member Author

rhatdan commented Oct 26, 2021

Fixes: #11566

Copy link
Member

@edsantiago edsantiago left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor quibbles

@test "podman run defaultenv" {
run_podman run --rm $IMAGE printenv
is "$output" ".*TERM=xterm" "output matches TERM"
is "$output" ".*container=podman" "output matches TERM"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks suspiciously like copy-paste inaccuracy (line 745 too).


run_podman run --unsetenv=TERM --rm $IMAGE printenv
is "$output" ".*container=podman" "output matches TERM"
run grep TERM <(echo "$output")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: <<<"$output" (three anglebrackets) instead of <(...)


run_podman run --unsetenv=all --rm $IMAGE /bin/printenv
run grep TERM <(echo "$output")
is "$output" "" "unwanted TERM environment variable"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(very minor nit): Suggestion here and below: "unwanted ... environment variable despite --unsetenv=all"

@TomSweeneyRedHat
Copy link
Member

I don't know if it's possible, as it looks like you're clearing all, but it would be nice to get a confirmation from the user for each variable unset unless they also pass in the --force option. It would also be nice to have a list command to see the set environment variables.

I don't think either is required for this PR, just thought I'd throw the suggestions out there for rumination.

@eriksjolund
Copy link
Contributor

eriksjolund commented Oct 26, 2021

I think it is better two have two command-line options,
instead of using the special value "all" because "all"
is also a valid environment variable name.

Using two command-line options, for instance

  • --unsetenv
  • --unsetenv-all

will make it more straight-forward to describe the command-line options
to somebody and also to document them. Using a valid value from the value space to
have a special meaning might lead to other software having to handle this special case.

A very hypothetical scenario:

If you are writing some other software interacting with
Podman, you might need to write

pseudo code:
if user_input_env_name == "all" then print error "Podman does not support unsetting the environment variable 'all' "


I see that the special value style has been used before:

--group-add=group|keep-groups

--network=mode

Special-value style used in documentation

Example 1: --network

See
https://docs.podman.io/en/latest/markdown/podman-run.1.html#network-mode-net

When listing the valid mode values: bridge, none, container:id, network, ns:path, ...
it's not obvious that network need to be replaced by the network name. When I read the line

network: Connect to a user-defined network, multiple networks should be comma-separated.

I often have to read the line twice before realizing that I need to substitute network with the network name.

Example 2: --env

Documentation of --env is a bit complicated due to the special value-style
https://docs.podman.io/en/latest/markdown/podman-run.1.html#env-e-env

@rhatdan rhatdan force-pushed the env branch 3 times, most recently from 8efbe5b to 59e6f0e Compare October 27, 2021 18:15
@rhatdan rhatdan force-pushed the env branch 4 times, most recently from 0eee79a to 2ec1531 Compare November 12, 2021 18:30
@umohnani8
Copy link
Member

LGTM
@mheon @TomSweeneyRedHat PTAL

@@ -30,6 +30,8 @@ type InspectContainerConfig struct {
StdinOnce bool `json:"StdinOnce"`
// Container environment variables
Env []string `json:"Env"`
// Unset container environment variables
UnsetEnv []string `json:"UnsetEnv"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you make this OmitEmpty?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also - where's this getting set? I don't see any changes to container_inspect.go in libpod

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed it, since we only want to see the actual Env in the container. Unsetenv and UnsetenvAll have already done their thing.

Podman adds a few environment variables by default, and
currently there is no way to get rid of them from your container.
This option will allow  you to specify which defaults you don't
want.

--unsetenv-all will remove all default environment variables.

Default environment variables can come from podman builtin,
containers.conf or from the container image.

Fixes: containers#11836

Signed-off-by: Daniel J Walsh <[email protected]>
Copy link
Member

@edsantiago edsantiago left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Just a few minor nits.

@@ -174,10 +174,14 @@ function check_listen_env() {
if is_remote; then
is "$output" "$stdenv" "LISTEN Environment did not pass: $context"
else
is "$output" "$stdenv
out=$(for o in $output; do echo $o; done| sort)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If for any reason you need to resubmit, could I suggest this instead?

    out=$(sort <<<"$output")

Reason: if there's ever an environment variable whose value includes a space (unlikely), the for loop will print each space-separated token on a new line.

Comment on lines +182 to +183
echo "<$out>"
echo "<$std>"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You probably don't need these, since the is will display them on failure.

@TomSweeneyRedHat
Copy link
Member

LGTM
assuming happy tests. @mheon?

@edsantiago
Copy link
Member

Flake is #12273, restarting.

@edsantiago
Copy link
Member

Yet another new flake, filed #12306 and restarted.

@mheon
Copy link
Member

mheon commented Nov 15, 2021

/lgtm
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 15, 2021
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 15, 2021
@edsantiago
Copy link
Member

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 16, 2021
@openshift-merge-robot openshift-merge-robot merged commit f031bd2 into containers:main Nov 16, 2021
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

container=podman environment variable
7 participants