fix: use process env for StartContainer hooks when without explicit hook env

bells17 · bells17 · commit f15f234b9e9b · 2026-03-23T16:53:01.000+09:00
Signed-off-by: bells17 &lt;bells171@gmail.com&gt;
diff --git a/crates/libcontainer/src/container/container_delete.rs b/crates/libcontainer/src/container/container_delete.rs
@@ -98,7 +98,7 @@ impl Container {
                     })?;
 
                     if let Some(hooks) = config.hooks.as_ref() {
-                        hooks::run_hooks(hooks.poststop().as_ref(), Some(&self.state), None, None)
+                        hooks::run_hooks(hooks.poststop().as_ref(), Some(&self.state), None, None, None)
                             .map_err(|err| {
                                 tracing::error!(err = ?err, "failed to run post stop hooks");
                                 err
diff --git a/crates/libcontainer/src/container/container_start.rs b/crates/libcontainer/src/container/container_start.rs
@@ -59,6 +59,7 @@ impl Container {
                 Some(&self.state),
                 Some(&self.root),
                 None,
+                None,
             )
             .map_err(|err| {
                 tracing::error!("failed to run post start hooks: {}", err);
diff --git a/crates/libcontainer/src/hooks.rs b/crates/libcontainer/src/hooks.rs
@@ -39,6 +39,7 @@ pub fn run_hooks(
     // TODO: Remove the following parameters. To comply with the OCI State, hooks should only depend on structures defined in oci-spec-rs. Cleaning these up ensures proper functional isolation.
     cwd: Option<&Path>,
     pid: Option<Pid>,
+    default_env: Option<&HashMap<String, String>>,
 ) -> Result<()> {
     let base_state = state.ok_or(HookError::MissingContainerState)?;
 
@@ -77,6 +78,8 @@ pub fn run_hooks(
 
             let envs: HashMap<String, String> = if let Some(env) = hook.env() {
                 utils::parse_env(env)
+            } else if let Some(default) = default_env {
+                default.clone()
             } else {
                 HashMap::new()
             };
@@ -195,7 +198,7 @@ mod test {
     fn test_run_hook() -> Result<()> {
         {
             let default_container: Container = Default::default();
-            run_hooks(None, Some(&default_container.state), None, None)
+            run_hooks(None, Some(&default_container.state), None, None, None)
                 .context("Failed simple test")?;
         }
 
@@ -205,7 +208,7 @@ mod test {
 
             let hook = HookBuilder::default().path("true").build()?;
             let hooks = Some(vec![hook]);
-            run_hooks(hooks.as_ref(), Some(&default_container.state), None, None)
+            run_hooks(hooks.as_ref(), Some(&default_container.state), None, None, None)
                 .context("Failed true")?;
         }
 
@@ -226,7 +229,7 @@ mod test {
                 .env(vec![String::from("key=value")])
                 .build()?;
             let hooks = Some(vec![hook]);
-            run_hooks(hooks.as_ref(), Some(&default_container.state), None, None)
+            run_hooks(hooks.as_ref(), Some(&default_container.state), None, None, None)
                 .context("Failed printenv test")?;
         }
 
@@ -250,6 +253,7 @@ mod test {
                 Some(&default_container.state),
                 Some(tmp.path()),
                 None,
+                None,
             )
             .context("Failed pwd test")?;
         }
@@ -272,6 +276,7 @@ mod test {
                 Some(&default_container.state),
                 None,
                 Some(expected_pid),
+                None,
             )
             .context("Failed pid test")?;
         }
@@ -296,7 +301,7 @@ mod test {
             .timeout(1)
             .build()?;
         let hooks = Some(vec![hook]);
-        match run_hooks(hooks.as_ref(), Some(&default_container.state), None, None) {
+        match run_hooks(hooks.as_ref(), Some(&default_container.state), None, None, None) {
             Ok(_) => {
                 bail!(
                     "The test expects the hook to error out with timeout. Should not execute cleanly"
@@ -313,4 +318,82 @@ mod test {
 
         Ok(())
     }
+
+    #[test]
+    #[serial]
+    fn test_run_hook_default_env() -> Result<()> {
+        // Test: hook without explicit env uses default_env
+        {
+            let default_container: Container = Default::default();
+            let hook = HookBuilder::default()
+                .path("bash")
+                .args(vec![
+                    String::from("bash"),
+                    String::from("-c"),
+                    String::from("printenv TEST_ENV > /dev/null"),
+                ])
+                .build()?;
+            let hooks = Some(vec![hook]);
+            let mut default_env = HashMap::new();
+            default_env.insert("TEST_ENV".to_string(), "default_value".to_string());
+            run_hooks(
+                hooks.as_ref(),
+                Some(&default_container.state),
+                None,
+                None,
+                Some(&default_env),
+            )
+            .context("Failed: hook without explicit env should use default_env")?;
+        }
+
+        // Test: hook with explicit env takes priority over default_env
+        {
+            let default_container: Container = Default::default();
+            let hook = HookBuilder::default()
+                .path("bash")
+                .args(vec![
+                    String::from("bash"),
+                    String::from("-c"),
+                    String::from("test \"$TEST_ENV\" = 'explicit_value'"),
+                ])
+                .env(vec![String::from("TEST_ENV=explicit_value")])
+                .build()?;
+            let hooks = Some(vec![hook]);
+            let mut default_env = HashMap::new();
+            default_env.insert("TEST_ENV".to_string(), "default_value".to_string());
+            run_hooks(
+                hooks.as_ref(),
+                Some(&default_container.state),
+                None,
+                None,
+                Some(&default_env),
+            )
+            .context("Failed: hook with explicit env should ignore default_env")?;
+        }
+
+        // Test: hook without explicit env and no default_env gets empty environment
+        {
+            let default_container: Container = Default::default();
+            let hook = HookBuilder::default()
+                .path("bash")
+                .args(vec![
+                    String::from("bash"),
+                    String::from("-c"),
+                    // Verify that the environment is empty (no TEST_ENV, etc.)
+                    String::from("test -z \"$TEST_ENV\""),
+                ])
+                .build()?;
+            let hooks = Some(vec![hook]);
+            run_hooks(
+                hooks.as_ref(),
+                Some(&default_container.state),
+                None,
+                None,
+                None,
+            )
+            .context("Failed: hook without env and without default_env should have empty env")?;
+        }
+
+        Ok(())
+    }
 }
diff --git a/crates/libcontainer/src/process/container_main_process.rs b/crates/libcontainer/src/process/container_main_process.rs
@@ -161,6 +161,7 @@ pub fn container_main_process(container_args: &ContainerArgs) -> Result<(Pid, bo
                     Some(&container_for_hooks.state),
                     None,
                     Some(init_pid),
+                    None,
                 )
                 .map_err(|err| {
                     tracing::error!("failed to run prestart hooks: {}", err);
@@ -172,6 +173,7 @@ pub fn container_main_process(container_args: &ContainerArgs) -> Result<(Pid, bo
                     Some(&container_for_hooks.state),
                     None,
                     Some(init_pid),
+                    None,
                 )
                 .map_err(|err| {
                     tracing::error!("failed to run create runtime hooks: {}", err);
diff --git a/crates/libcontainer/src/process/init/process.rs b/crates/libcontainer/src/process/init/process.rs
@@ -108,6 +108,7 @@ pub fn container_init_process(
                 ctx.container.map(|c| &c.state),
                 None,
                 None,
+                None,
             )
             .map_err(|err| {
                 tracing::error!(?err, "failed to run create container hooks");
@@ -407,6 +408,11 @@ pub fn container_init_process(
     // add HOME into envs if not exists
     set_home_env_if_not_exists(&mut ctx.envs, ctx.process.user().uid().into());
 
+    // Save a copy of the process environment for StartContainer hooks before
+    // setup_envs consumes ctx.envs. In runc, StartContainer hooks without
+    // explicit env inherit the container init process's environment.
+    let start_container_env = ctx.envs.clone();
+
     args.executor.validate(ctx.spec)?;
     args.executor.setup_envs(ctx.envs)?;
 
@@ -438,15 +444,16 @@ pub fn container_init_process(
         err
     })?;
 
-    // start_container hook needs to be called after the namespace setup, but
-    // before pivot_root is called. This runs in the container namespaces.
+    // start_container hook needs to be called in the container namespaces,
+    // after the container start signal is received.
     if matches!(args.container_type, ContainerType::InitContainer) {
         if let Some(hooks) = ctx.hooks {
             hooks::run_hooks(
                 hooks.start_container().as_ref(),
                 ctx.container.map(|c| &c.state),
                 None,
                 None,
+                Some(&start_container_env),
             )
             .map_err(|err| {
                 tracing::error!(?err, "failed to run start container hooks");

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ impl Container {`
`59`	`59`	`Some(&self.state),`
`60`	`60`	`Some(&self.root),`
`61`	`61`	`None,`
	`62`	`+ None,`
`62`	`63`	`)`
`63`	`64`	`.map_err(\|err\| {`
`64`	`65`	`tracing::error!("failed to run post start hooks: {}", err);`