test: add e2e tests for startContainer hook env inheritance

Add two integration tests to verify startContainer hook environment
variable behavior:
- start_container_env_inherit: verifies hooks inherit process.env when
  no explicit env is set
- start_container_env_explicit: verifies hooks use only their explicit
  env and do not inherit process.env

Author: bells17

tests/contest/contest/src/main.rs

@@ -17,7 +17,7 @@ use crate::tests::example::get_example_test;
 use crate::tests::exec::get_exec_test;
 use crate::tests::exec_cpu_affinity::get_exec_cpu_affinity_test;
 use crate::tests::fd_control::get_fd_control_test;
-use crate::tests::hooks::get_hooks_tests;
+use crate::tests::hooks::{get_hooks_tests, get_start_container_env_tests};
 use crate::tests::hostname::get_hostname_test;
 use crate::tests::intel_rdt::get_intel_rdt_test;
 use crate::tests::io_priority::get_io_priority_test;
@@ -124,6 +124,7 @@ fn main() -> Result<()> {
     let pidfile = get_pidfile_test();
     let ns_itype = get_ns_itype_tests();
     let hooks = get_hooks_tests();
+    let start_container_env = get_start_container_env_tests();
     let poststart = get_poststart_tests();
     let poststop = get_poststop_tests();
     let poststart_fail = get_poststart_fail_tests();
@@ -177,6 +178,7 @@ fn main() -> Result<()> {
     tm.add_test_group(Box::new(pidfile));
     tm.add_test_group(Box::new(ns_itype));
     tm.add_test_group(Box::new(hooks));
+    tm.add_test_group(Box::new(start_container_env));
     tm.add_test_group(Box::new(poststart));
     tm.add_test_group(Box::new(poststart_fail));
     tm.add_test_group(Box::new(poststop));

tests/contest/contest/src/tests/hooks/mod.rs

@@ -1,2 +1,4 @@
 mod invoke;
+mod start_container_env;
 pub use invoke::get_hooks_tests;
+pub use start_container_env::get_start_container_env_tests;

tests/contest/contest/src/tests/hooks/start_container_env.rs

@@ -0,0 +1,140 @@
+use std::time::Duration;
+
+use anyhow::anyhow;
+use oci_spec::runtime::{HookBuilder, HooksBuilder, ProcessBuilder, SpecBuilder};
+use test_framework::{Test, TestGroup, TestResult};
+
+use crate::utils::{
+    CreateOptions, LifecycleStatus, WaitTarget, create_container, delete_container, generate_uuid,
+    kill_container, prepare_bundle, set_config, start_container, wait_for_state,
+};
+
+const STATE_WAIT_TIMEOUT_SECS: u64 = 5;
+const STATE_POLL_INTERVAL_MILLIS: u64 = 100;
+
+fn wait_for_target(id: &str, bundle_path: &std::path::Path, target: WaitTarget) {
+    wait_for_state(
+        id,
+        bundle_path,
+        target,
+        Duration::from_secs(STATE_WAIT_TIMEOUT_SECS),
+        Duration::from_millis(STATE_POLL_INTERVAL_MILLIS),
+    )
+    .unwrap();
+}
+
+fn run_hook_env_test(
+    shell_condition: &str,
+    process_env: Vec<String>,
+    hook_env: Option<Vec<String>>,
+) -> TestResult {
+    let id = generate_uuid();
+    let id_str = id.to_string();
+    let bundle = prepare_bundle().unwrap();
+
+    let shell_cmd = format!("if {shell_condition}; then exit 0; else exit 1; fi");
+    let hook_args = vec!["sh".to_string(), "-c".to_string(), shell_cmd];
+    let hook = if let Some(env) = hook_env {
+        HookBuilder::default()
+            .path("/bin/sh")
+            .args(hook_args)
+            .env(env)
+    } else {
+        HookBuilder::default().path("/bin/sh").args(hook_args)
+    };
+
+    let mut process = ProcessBuilder::default()
+        .args(vec!["true".to_string()])
+        .build()
+        .unwrap();
+    let mut env = process.env().clone().unwrap();
+    for e in process_env {
+        env.push(e);
+    }
+    process.set_env(Some(env));
+
+    let spec = SpecBuilder::default()
+        .process(process)
+        .hooks(
+            HooksBuilder::default()
+                .start_container(vec![
+                    hook.build().expect("could not build startContainer hook"),
+                ])
+                .build()
+                .expect("could not build hooks"),
+        )
+        .build()
+        .unwrap();
+    set_config(&bundle, &spec).unwrap();
+
+    create_container(&id_str, &bundle, &CreateOptions::default())
+        .unwrap()
+        .wait()
+        .unwrap();
+    wait_for_target(
+        &id_str,
+        bundle.path(),
+        WaitTarget::Status(LifecycleStatus::Created),
+    );
+    let start_result =
+        start_container(&id_str, &bundle).and_then(|mut child| child.wait().map_err(Into::into));
+    let test_passed = match &start_result {
+        Ok(status) => status.success(),
+        Err(_) => false,
+    };
+
+    let _ = kill_container(&id_str, &bundle).and_then(|mut c| c.wait().map_err(Into::into));
+    let _ = delete_container(&id_str, &bundle).and_then(|mut c| c.wait().map_err(Into::into));
+    let _ = wait_for_state(
+        &id_str,
+        bundle.path(),
+        WaitTarget::Deleted,
+        Duration::from_secs(STATE_WAIT_TIMEOUT_SECS),
+        Duration::from_millis(STATE_POLL_INTERVAL_MILLIS),
+    );
+
+    if test_passed {
+        TestResult::Passed
+    } else {
+        TestResult::Failed(anyhow!(
+            "startContainer hook env check failed — hook exited non-zero \
+             (start result: {:?})",
+            start_result
+        ))
+    }
+}
+
+fn get_test_inherit_env() -> Test {
+    Test::new(
+        "start_container_env_inherit",
+        Box::new(|| {
+            run_hook_env_test(
+                r#"test "$ONE" = "two" && test "$FOO" = "bar""#,
+                vec!["ONE=two".to_string(), "FOO=bar".to_string()],
+                None,
+            )
+        }),
+    )
+}
+
+fn get_test_explicit_env() -> Test {
+    Test::new(
+        "start_container_env_explicit",
+        Box::new(|| {
+            run_hook_env_test(
+                r#"test "$HOOK_VAR" = "hook_value" && test -z "$PROC_VAR""#,
+                vec!["PROC_VAR=should_not_appear".to_string()],
+                Some(vec!["HOOK_VAR=hook_value".to_string()]),
+            )
+        }),
+    )
+}
+
+pub fn get_start_container_env_tests() -> TestGroup {
+    let mut tg = TestGroup::new("start_container_env");
+    tg.add(vec![
+        Box::new(get_test_inherit_env()),
+        Box::new(get_test_explicit_env()),
+    ]);
+    tg
+}