From 229eb19bd6d8b823ae7254b983eb41486ed6cf48 Mon Sep 17 00:00:00 2001
From: Phil Estes
Date: Wed, 18 Sep 2019 23:49:12 -0400
Subject: [PATCH] Add back default UNIX env to container config

Due to changes to the defaults in containerd, the CRI path to creating a container OCI config needs to add back in the default UNIX $PATH (and any other defaults) as that is the expected behavior from other runtimes.

Signed-off-by: Phil Estes
---
 pkg/server/container_create_unix.go | 1 +
 pkg/server/container_create_unix_test.go | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/pkg/server/container_create_unix.go b/pkg/server/container_create_unix.go
index 718806c04..d7993bf63 100644
--- a/pkg/server/container_create_unix.go
+++ b/pkg/server/container_create_unix.go
@@ -112,6 +112,7 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 customopts.WithoutDefaultSecuritySettings,
 customopts.WithRelativeRoot(relativeRootfsPath),
 customopts.WithProcessArgs(config, imageConfig),
+ oci.WithDefaultPathEnv,
 // this will be set based on the security context below
 oci.WithNewPrivileges,
 }
diff --git a/pkg/server/container_create_unix_test.go b/pkg/server/container_create_unix_test.go
index 15073a680..f72bc48dd 100644
--- a/pkg/server/container_create_unix_test.go
+++ b/pkg/server/container_create_unix_test.go
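Review bot: The added `oci.WithDefaultPathEnv` entry in containerSpec's option list (pkg/server/container_create_unix.go) has no comment saying that its position matters. Presumably the image and container env are applied by options appended later in the function, and the default has to come before them so that an explicitly supplied PATH replaces it rather than the other way round; the new test expects exactly that precedence. I would add `// default PATH goes first so image/container env applied later can override it` above the entry. containerSpec starts and ends outside the hunk, so the later env handling should be confirmed against the full function.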
@@ -269,6 +269,27 @@ func TestContainerSpecTty(t *testing.T) {
 }
 }
 
+func TestContainerSpecDefaultPath(t *testing.T) {
+ testID := "test-id"
+ testSandboxID := "sandbox-id"
+ testPid := uint32(1234)
+ expectedDefault := "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
+ ociRuntime := config.Runtime{}
+ c := newTestCRIService()
+ for _, pathenv := range []string{"", "PATH=/usr/local/bin/games"} {
+ expected := expectedDefault
+ if pathenv != "" {
+ imageConfig.Env = append(imageConfig.Env, pathenv)
+ expected = pathenv
+ }
+ spec, err := c.containerSpec(testID, testSandboxID, testPid, "", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
+ require.NoError(t, err)
+ specCheck(t, testID, testSandboxID, testPid, spec)
+ assert.Contains(t, spec.Process.Env, expected)
+ }
+}
+
 func TestContainerSpecReadonlyRootfs(t *testing.T) {
 testID := "test-id"
 testSandboxID := "sandbox-id"
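Review bot: `assert.Contains(t, spec.Process.Env, expected)` in TestContainerSpecDefaultPath still passes when the default PATH and the image-supplied PATH are both present in `spec.Process.Env`, so the override case is not actually pinned. Duplicate PATH entries matter because consumers differ on whether the first or the last one wins, which makes binary resolution inside the container ambiguous. I would collect every `PATH=` entry from the spec and assert that the list is exactly the expected one, as sketched below. This needs `strings` in the test file's imports if it is not already there.

```go
		// … unchanged: test setup and the pathenv loop up to specCheck …
		assert.Contains(t, spec.Process.Env, expected)
		// Exactly one PATH entry must remain, whichever source supplied it.
		var paths []string
		for _, e := range spec.Process.Env {
			if strings.HasPrefix(e, "PATH=") {
				paths = append(paths, e)
			}
		}
		assert.Equal(t, []string{expected}, paths)
```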