fix: use process env for StartContainer hooks when without explicit hook env

Signed-off-by: bells17 <bells171@gmail.com>

Author: bells17

crates/libcontainer/src/container/container_delete.rs

@@ -98,11 +98,17 @@ impl Container {
                     })?;
 
                     if let Some(hooks) = config.hooks.as_ref() {
-                        hooks::run_hooks(hooks.poststop().as_ref(), Some(&self.state), None, None)
-                            .map_err(|err| {
-                                tracing::error!(err = ?err, "failed to run post stop hooks");
-                                err
-                            })?;
+                        hooks::run_hooks(
+                            hooks.poststop().as_ref(),
+                            Some(&self.state),
+                            None,
+                            None,
+                            None,
+                        )
+                        .map_err(|err| {
+                            tracing::error!(err = ?err, "failed to run post stop hooks");
+                            err
+                        })?;
                     }
                 }
                 Err(err) => {

crates/libcontainer/src/container/container_start.rs

@@ -59,6 +59,7 @@ impl Container {
                 Some(&self.state),
                 Some(&self.root),
                 None,
+                None,
             )
             .map_err(|err| {
                 tracing::error!("failed to run post start hooks: {}", err);

crates/libcontainer/src/hooks.rs

@@ -39,6 +39,7 @@ pub fn run_hooks(
     // TODO: Remove the following parameters. To comply with the OCI State, hooks should only depend on structures defined in oci-spec-rs. Cleaning these up ensures proper functional isolation.
     cwd: Option<&Path>,
     pid: Option<Pid>,
+    default_env: Option<&HashMap<String, String>>,
 ) -> Result<()> {
     let base_state = state.ok_or(HookError::MissingContainerState)?;
 
@@ -77,6 +78,8 @@ pub fn run_hooks(
 
             let envs: HashMap<String, String> = if let Some(env) = hook.env() {
                 utils::parse_env(env)
+            } else if let Some(default) = default_env {
+                default.clone()
             } else {
                 HashMap::new()
             };
@@ -195,7 +198,7 @@ mod test {
     fn test_run_hook() -> Result<()> {
         {
             let default_container: Container = Default::default();
-            run_hooks(None, Some(&default_container.state), None, None)
+            run_hooks(None, Some(&default_container.state), None, None, None)
                 .context("Failed simple test")?;
         }
 
@@ -205,8 +208,14 @@ mod test {
 
             let hook = HookBuilder::default().path("true").build()?;
             let hooks = Some(vec![hook]);
-            run_hooks(hooks.as_ref(), Some(&default_container.state), None, None)
-                .context("Failed true")?;
+            run_hooks(
+                hooks.as_ref(),
+                Some(&default_container.state),
+                None,
+                None,
+                None,
+            )
+            .context("Failed true")?;
         }
 
         {
@@ -226,8 +235,14 @@ mod test {
                 .env(vec![String::from("key=value")])
                 .build()?;
             let hooks = Some(vec![hook]);
-            run_hooks(hooks.as_ref(), Some(&default_container.state), None, None)
-                .context("Failed printenv test")?;
+            run_hooks(
+                hooks.as_ref(),
+                Some(&default_container.state),
+                None,
+                None,
+                None,
+            )
+            .context("Failed printenv test")?;
         }
 
         {
@@ -250,6 +265,7 @@ mod test {
                 Some(&default_container.state),
                 Some(tmp.path()),
                 None,
+                None,
             )
             .context("Failed pwd test")?;
         }
@@ -272,6 +288,7 @@ mod test {
                 Some(&default_container.state),
                 None,
                 Some(expected_pid),
+                None,
             )
             .context("Failed pid test")?;
         }
@@ -296,7 +313,13 @@ mod test {
             .timeout(1)
             .build()?;
         let hooks = Some(vec![hook]);
-        match run_hooks(hooks.as_ref(), Some(&default_container.state), None, None) {
+        match run_hooks(
+            hooks.as_ref(),
+            Some(&default_container.state),
+            None,
+            None,
+            None,
+        ) {
             Ok(_) => {
                 bail!(
                     "The test expects the hook to error out with timeout. Should not execute cleanly"
@@ -313,4 +336,82 @@ mod test {
 
         Ok(())
     }
+
+    #[test]
+    #[serial]
+    fn test_run_hook_default_env() -> Result<()> {
+        // Test: hook without explicit env uses default_env
+        {
+            let default_container: Container = Default::default();
+            let hook = HookBuilder::default()
+                .path("bash")
+                .args(vec![
+                    String::from("bash"),
+                    String::from("-c"),
+                    String::from("printenv TEST_ENV > /dev/null"),
+                ])
+                .build()?;
+            let hooks = Some(vec![hook]);
+            let mut default_env = HashMap::new();
+            default_env.insert("TEST_ENV".to_string(), "default_value".to_string());
+            run_hooks(
+                hooks.as_ref(),
+                Some(&default_container.state),
+                None,
+                None,
+                Some(&default_env),
+            )
+            .context("Failed: hook without explicit env should use default_env")?;
+        }
+
+        // Test: hook with explicit env takes priority over default_env
+        {
+            let default_container: Container = Default::default();
+            let hook = HookBuilder::default()
+                .path("bash")
+                .args(vec![
+                    String::from("bash"),
+                    String::from("-c"),
+                    String::from("test \"$TEST_ENV\" = 'explicit_value'"),
+                ])
+                .env(vec![String::from("TEST_ENV=explicit_value")])
+                .build()?;
+            let hooks = Some(vec![hook]);
+            let mut default_env = HashMap::new();
+            default_env.insert("TEST_ENV".to_string(), "default_value".to_string());
+            run_hooks(
+                hooks.as_ref(),
+                Some(&default_container.state),
+                None,
+                None,
+                Some(&default_env),
+            )
+            .context("Failed: hook with explicit env should ignore default_env")?;
+        }
+
+        // Test: hook without explicit env and no default_env gets empty environment
+        {
+            let default_container: Container = Default::default();
+            let hook = HookBuilder::default()
+                .path("bash")
+                .args(vec![
+                    String::from("bash"),
+                    String::from("-c"),
+                    // Verify that the environment is empty (no TEST_ENV, etc.)
+                    String::from("test -z \"$TEST_ENV\""),
+                ])
+                .build()?;
+            let hooks = Some(vec![hook]);
+            run_hooks(
+                hooks.as_ref(),
+                Some(&default_container.state),
+                None,
+                None,
+                None,
+            )
+            .context("Failed: hook without env and without default_env should have empty env")?;
+        }
+
+        Ok(())
+    }
 }

crates/libcontainer/src/process/container_main_process.rs

@@ -161,6 +161,7 @@ pub fn container_main_process(container_args: &ContainerArgs) -> Result<(Pid, bo
                     Some(&container_for_hooks.state),
                     None,
                     Some(init_pid),
+                    None,
                 )
                 .map_err(|err| {
                     tracing::error!("failed to run prestart hooks: {}", err);
@@ -172,6 +173,7 @@ pub fn container_main_process(container_args: &ContainerArgs) -> Result<(Pid, bo
                     Some(&container_for_hooks.state),
                     None,
                     Some(init_pid),
+                    None,
                 )
                 .map_err(|err| {
                     tracing::error!("failed to run create runtime hooks: {}", err);

crates/libcontainer/src/process/init/process.rs

@@ -108,6 +108,7 @@ pub fn container_init_process(
                 ctx.container.map(|c| &c.state),
                 None,
                 None,
+                None,
             )
             .map_err(|err| {
                 tracing::error!(?err, "failed to run create container hooks");
@@ -407,6 +408,12 @@ pub fn container_init_process(
     // add HOME into envs if not exists
     set_home_env_if_not_exists(&mut ctx.envs, ctx.process.user().uid().into());
 
+    // Save a copy of the process environment for StartContainer hooks before
+    // setup_envs consumes ctx.envs. This matches runc's behavior where
+    // StartContainer hooks without explicit env use the container init
+    // process's environment.
+    let start_container_env = ctx.envs.clone();
+
     args.executor.validate(ctx.spec)?;
     args.executor.setup_envs(ctx.envs)?;
 
@@ -447,6 +454,7 @@ pub fn container_init_process(
                 ctx.container.map(|c| &c.state),
                 None,
                 None,
+                Some(&start_container_env),
             )
             .map_err(|err| {
                 tracing::error!(?err, "failed to run start container hooks");