Drop LD_LIBRARY_PATH env var for SSH shellout #2778
Conversation
Signed-off-by: aiordache <anca.iordache@docker.com>
|
|
||
| # drop LD_LIBRARY_PATH and SSL_CERT_FILE | ||
| env.pop('LD_LIBRARY_PATH', None) | ||
| env.pop('SSL_CERT_FILE', None) |
There was a problem hiding this comment.
curious; would this mean that if I have set SSL_CERT_FILE as a user, that it would be ignored?
There was a problem hiding this comment.
@thaJeztah yes, it would. It appears that PyInstaller sets it so this is just reversing what it does. We only use this for the environment that we shell out to the SSH client with and from what I can see, the SSH client doesn't care about this env var
There was a problem hiding this comment.
@chris-crone you posted this link on slack; https://pyinstaller.readthedocs.io/en/stable/runtime-information.html#ld-library-path-libpath-considerations, which mentions;
If it exists, PyInstaller saves the original value to
*_ORIG, then modifies the search path so that the bundled libraries are found first by the bundled code.
Does that only apply to LD_LIBRARY_PATH, or also to SSL_CERT_FILE ? (if the latter, we could restore the value by setting SSL_CERT_FILE back to SSL_CERT_FILE_ORIG, correct?)
from what I can see, the SSH client doesn't care about this env var
That's w.r.t LD_LIBRARY_PATH or SSL_CERT_FILE ? (or both?)
There was a problem hiding this comment.
From what I can tell it's not actually setting _ORIG for LD_LIBRARY_PATH or SSL_CERT_FILE. Test rig:
docker run --rm -it ubuntu:20.04- Download docker-compose 1.28.4
- Add an ssh script that just writes the environment [1]
- export
DOCKER_HOST=ssh://localhostand add ssh script toPATH - Create dummy
docker-compose.yml - Run
./docker-compose ps - Cat
env[2]
[1] ssh script:
#!/usr/bin/env bash
env > env[2] env:
OLDPWD=/
PATH=/test:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DOCKER_HOST=ssh://localhost
SSL_CERT_FILE=/tmp/_MEI9R1bkR/certifi/cacert.pem
LD_LIBRARY_PATH=/tmp/_MEI9R1bkR
SHLVL=2
TERM=xterm
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
HOME=/root
_=/usr/bin/env
PWD=/test
HOSTNAME=48b9fcc42f5cOriginal env:
_=/usr/bin/env
OLDPWD=/
PATH=/test:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DOCKER_HOST=ssh://localhost
SHLVL=1
TERM=xterm
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
HOME=/root
PWD=/test
HOSTNAME=48b9fcc42f5cThere was a problem hiding this comment.
Do you still have your environment set up? Could you do a quick test and before ./docker-compose ps do
export SSL_CERT_FILE=/some/path
Then check if it perhaps sets _ORIG conditionally (so only if it was set before?)
There was a problem hiding this comment.
(and same for LD_LIBRARY_PATH, so export LD_LIBRARY_PATH=/some/other/path before running)
There was a problem hiding this comment.
Ah yes, that would've been a better test.
I don't have it setup unfortunately :( Since this is us providing SSH using the user's SSH client, I think it's not unreasonable to unset these variables though and rely on the system's settings.
Issue docker/compose#7686 reports an openssl mismatch error when shelling out to the ssh client in docker-compose. The root cause seems to be pyinstaller setting the LD_LIBRARY_PATH which is inherited on the shell out to ssh.