libct: we should set envs after we are in the jail of the container

Because we have to set a default HOME env for the current container user, so we should set it after we are in the jail of the container, or else we'll use host's `/etc/passwd` to get a wrong HOME value. Please see: #4688. Signed-off-by: lifubang <lifubang@acmcoder.com> (cherry picked from commit bf38646497) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-31 11:06:21 +08:00 · 2025-03-25 02:48:44 +00:00
parent 73973fb03a
commit a56f2bc836
1 changed files with 8 additions and 6 deletions
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -233,12 +233,6 @@ func startInitialization() (retErr error) {
 }

 func containerInit(t initType, config *initConfig, pipe *syncSocket, consoleSocket, pidfdSocket, fifoFile, logPipe *os.File) error {
-	env, err := prepareEnv(config.Env, config.UID)
-	if err != nil {
-		return err
-	}
-	config.Env = env
-
 	// Clean the RLIMIT_NOFILE cache in go runtime.
 	// Issue: https://github.com/opencontainers/runc/issues/4195
 	maybeClearRlimitNofileCache(config.Rlimits)
@@ -325,6 +319,14 @@ func finalizeNamespace(config *initConfig) error {
 		}
 	}

+	// We should set envs after we are in the jail of the container.
+	// Please see https://github.com/opencontainers/runc/issues/4688
+	env, err := prepareEnv(config.Env, config.UID)
+	if err != nil {
+		return err
+	}
+	config.Env = env
+
 	w, err := capabilities.New(config.Capabilities)
 	if err != nil {
 		return err