Honour Docker image environment metadata

Invert the order in which environment variables are accumulated in Docker
layers so that the upper layers take precedence over lower layers.

A $PATH in the environment now overrides wshd's default.

Represent environments using process.Env instead of []string. This change
brings some additional error checking to the format of the environment
variables. Duplicate environment variables are removed as soon as they occur
rather than being passed down and removed later causing confusion.

[finishes #86540096]

Signed-off-by: Chris Brown <[email protected]>

Author: glyn

Diff for: fences/fake_fences/fake_fences.go

@@ -2,12 +2,12 @@ package fake_fences
 
 import (
 	"encoding/json"
-	"fmt"
 	"net"
 
 	"github.com/cloudfoundry-incubator/garden"
 	"github.com/cloudfoundry-incubator/garden-linux/fences"
 	"github.com/cloudfoundry-incubator/garden-linux/old/sysconfig"
+	"github.com/cloudfoundry-incubator/garden-linux/process"
 )
 
 type FakeFences struct {
@@ -83,8 +83,8 @@ func (f *FakeAllocation) Dismantle() error {
 func (f *FakeAllocation) Info(i *garden.ContainerInfo) {
 }
 
-func (f *FakeAllocation) ConfigureProcess(env *[]string) error {
-	*env = append(*env, fmt.Sprintf("fake_fences_env=%s", f.Subnet))
+func (f *FakeAllocation) ConfigureProcess(env process.Env) error {
+	env["fake_fences_env"] = f.Subnet
 	return nil
 }
 

Diff for: fences/netfence/fence.go

@@ -5,12 +5,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"strconv"
 	"strings"
 
 	"github.com/cloudfoundry-incubator/garden"
 	"github.com/cloudfoundry-incubator/garden-linux/fences"
 	"github.com/cloudfoundry-incubator/garden-linux/fences/netfence/network/subnets"
 	"github.com/cloudfoundry-incubator/garden-linux/old/sysconfig"
+	"github.com/cloudfoundry-incubator/garden-linux/process"
 	"github.com/pivotal-golang/lager"
 )
 
@@ -41,7 +43,7 @@ type FlatFence struct {
 // address is statically allocated. In all cases, if an IP cannot be allocated which
 // meets the requirements, an error is returned.
 //
-// The given allocation is stored in the returned fence.
+// The given fence builder is stored in the returned fence.
 func (f *fenceBuilder) Build(spec string, sysconfig *sysconfig.Config, containerID string) (fences.Fence, error) {
 	var ipSelector subnets.IPSelector = subnets.DynamicIPSelector
 	var subnetSelector subnets.SubnetSelector = subnets.DynamicSubnetSelector
@@ -171,17 +173,17 @@ func (a *Fence) MarshalJSON() ([]byte, error) {
 	return json.Marshal(ff)
 }
 
-func (a *Fence) ConfigureProcess(env *[]string) error {
+func (a *Fence) ConfigureProcess(env process.Env) error {
 	suff, _ := a.IPNet.Mask.Size()
 
-	*env = append(*env, fmt.Sprintf("network_host_ip=%s", subnets.GatewayIP(a.IPNet)),
-		fmt.Sprintf("network_container_ip=%s", a.containerIP),
-		fmt.Sprintf("network_cidr_suffix=%d", suff),
-		fmt.Sprintf("container_iface_mtu=%d", a.fenceBldr.mtu),
-		fmt.Sprintf("subnet_shareable=%v", a.subnetShareable),
-		fmt.Sprintf("network_cidr=%s", a.IPNet.String()),
-		fmt.Sprintf("external_ip=%s", a.fenceBldr.externalIP.String()),
-		fmt.Sprintf("network_ip_hex=%s", hexIP(a.IPNet.IP))) // suitable for short bridge interface names
+	env["network_host_ip"] = subnets.GatewayIP(a.IPNet).String()
+	env["network_container_ip"] = a.containerIP.String()
+	env["network_cidr_suffix"] = strconv.Itoa(suff)
+	env["container_iface_mtu"] = strconv.FormatUint(uint64(a.fenceBldr.mtu), 10)
+	env["subnet_shareable"] = strconv.FormatBool(a.subnetShareable)
+	env["network_cidr"] = a.IPNet.String()
+	env["external_ip"] = a.fenceBldr.externalIP.String()
+	env["network_ip_hex"] = hexIP(a.IPNet.IP) // suitable for short bridge interface names
 
 	return nil
 }

Diff for: fences/netfence/fence_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/cloudfoundry-incubator/garden"
 	"github.com/cloudfoundry-incubator/garden-linux/fences/netfence/network/subnets"
 	"github.com/cloudfoundry-incubator/garden-linux/old/sysconfig"
+	"github.com/cloudfoundry-incubator/garden-linux/process"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	"github.com/pivotal-golang/lager"
@@ -320,7 +321,7 @@ var _ = Describe("Fence", func() {
 		Describe("ConfigureProcess", func() {
 			Context("With a /29", func() {
 				var (
-					env []string
+					env process.Env
 				)
 
 				BeforeEach(func() {
@@ -329,33 +330,33 @@ var _ = Describe("Fence", func() {
 
 					fence.mtu = 123
 
-					env = []string{"foo", "bar"}
+					env = process.Env{"foo": "bar"}
 					allocation := &Fence{ipn, net.ParseIP("4.5.6.1"), "", "host", false, "bridge", fence, lagertest.NewTestLogger("allocation")}
-					allocation.ConfigureProcess(&env)
+					allocation.ConfigureProcess(env)
 				})
 
 				It("configures with the correct network_cidr", func() {
-					Ω(env).Should(ContainElement("network_cidr=4.5.6.0/29"))
+					Ω(env.Array()).Should(ContainElement("network_cidr=4.5.6.0/29"))
 				})
 
 				It("configures with the correct gateway ip", func() {
-					Ω(env).Should(ContainElement("network_host_ip=4.5.6.6"))
+					Ω(env.Array()).Should(ContainElement("network_host_ip=4.5.6.6"))
 				})
 
 				It("configures with the correct container ip", func() {
-					Ω(env).Should(ContainElement("network_container_ip=4.5.6.1"))
+					Ω(env.Array()).Should(ContainElement("network_container_ip=4.5.6.1"))
 				})
 
 				It("configures with the correct cidr suffix", func() {
-					Ω(env).Should(ContainElement("network_cidr_suffix=29"))
+					Ω(env.Array()).Should(ContainElement("network_cidr_suffix=29"))
 				})
 
 				It("configures with the correct MTU size", func() {
-					Ω(env).Should(ContainElement("container_iface_mtu=123"))
+					Ω(env.Array()).Should(ContainElement("container_iface_mtu=123"))
 				})
 
 				It("configures with the correct external IP", func() {
-					Ω(env).Should(ContainElement("external_ip=1.2.3.4"))
+					Ω(env.Array()).Should(ContainElement("external_ip=1.2.3.4"))
 				})
 			})
 		})

Diff for: fences/registry.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/cloudfoundry-incubator/garden"
 	"github.com/cloudfoundry-incubator/garden-linux/old/sysconfig"
+	"github.com/cloudfoundry-incubator/garden-linux/process"
 )
 
 var ErrNoFencesRegistered = errors.New("no fences have been registered")
@@ -32,7 +33,7 @@ type Builder interface {
 
 type Fence interface {
 	json.Marshaler
-	ConfigureProcess(*[]string) error
+	ConfigureProcess(process.Env) error
 	Dismantle() error
 	Info(*garden.ContainerInfo)
 	String() string

Diff for: fences/registry_test.go

@@ -8,6 +8,7 @@ import (
 	"github.com/cloudfoundry-incubator/garden"
 	. "github.com/cloudfoundry-incubator/garden-linux/fences"
 	"github.com/cloudfoundry-incubator/garden-linux/old/sysconfig"
+	"github.com/cloudfoundry-incubator/garden-linux/process"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -300,7 +301,7 @@ func (a *FakeAllocation) MarshalJSON() ([]byte, error) {
 	return nil, nil
 }
 
-func (a *FakeAllocation) ConfigureProcess(env *[]string) error {
+func (a *FakeAllocation) ConfigureProcess(env process.Env) error {
 	return nil
 }
 

Diff for: integration/lifecycle/lifecycle_test.go

@@ -134,18 +134,21 @@ var _ = Describe("Creating a container", func() {
 			})
 		})
 
-		FContext("when the docker image specifies $HOME and $PATH", func() {
+		Context("when the docker image specifies $PATH", func() {
 			BeforeEach(func() {
-				// dockerfile contains `ENV /usr/local/bin:/usr/bin:/bin:/from-ENV`,
+				// Dockerfile contains:
+				//   ENV PATH /usr/local/bin:/usr/bin:/bin:/from-dockerfile
+				//   ENV TEST test-from-dockerfile
+				//   ENV TEST second-test-from-dockerfile:$TEST
 				// see diego-dockerfiles/with-volume
 				rootfs = "docker:///cloudfoundry/with-volume"
 			})
 
-			It("$HOME is taken from the docker image", func() {
+			It("$PATH is taken from the docker image", func() {
 				stdout := gbytes.NewBuffer()
 				process, err := container.Run(garden.ProcessSpec{
 					Path: "/bin/sh",
-					Args: []string{"-c", "echo $HOME"},
+					Args: []string{"-c", "echo $PATH"},
 				}, garden.ProcessIO{
 					Stdout: io.MultiWriter(GinkgoWriter, stdout),
 					Stderr: GinkgoWriter,
@@ -154,14 +157,14 @@ var _ = Describe("Creating a container", func() {
 				Ω(err).ShouldNot(HaveOccurred())
 
 				process.Wait()
-				Ω(stdout).Should(gbytes.Say("/home-from-ENV"))
+				Ω(stdout).Should(gbytes.Say("/usr/local/bin:/usr/bin:/bin:/from-dockerfile"))
 			})
 
-			PIt("$PATH is taken from the docker image", func() {
+			It("$TEST is taken from the docker image", func() {
 				stdout := gbytes.NewBuffer()
 				process, err := container.Run(garden.ProcessSpec{
 					Path: "/bin/sh",
-					Args: []string{"-c", "echo $PATH"},
+					Args: []string{"-c", "echo $TEST"},
 				}, garden.ProcessIO{
 					Stdout: io.MultiWriter(GinkgoWriter, stdout),
 					Stderr: GinkgoWriter,
@@ -170,7 +173,7 @@ var _ = Describe("Creating a container", func() {
 				Ω(err).ShouldNot(HaveOccurred())
 
 				process.Wait()
-				Ω(stdout).Should(gbytes.Say("/usr/local/bin:/usr/bin:/bin:/from-ENV"))
+				Ω(stdout).Should(gbytes.Say("second-test-from-dockerfile:test-from-dockerfile"))
 			})
 		})
 	})

Diff for: old/integration/wshd/main_test.go

@@ -452,7 +452,6 @@ setup_fs
 			ls := exec.Command(wsh,
 				"--socket", socketPath,
 				"--user", "vcap",
-				"--env", "PATH=nada",
 				"ls",
 			)
 
@@ -464,7 +463,6 @@ setup_fs
 			onlyInSbin := exec.Command(wsh,
 				"--socket", socketPath,
 				"--user", "vcap",
-				"--env", "PATH=nada",
 				"ifconfig",
 			)
 
@@ -537,7 +535,6 @@ setup_fs
 			onlyInSbin := exec.Command(wsh,
 				"--socket", socketPath,
 				"--user", "root",
-				"--env", "PATH=nada",
 				"ifconfig",
 			)
 

Diff for: old/linux_backend/container_pool/container_pool.go

@@ -250,23 +250,22 @@ func (p *LinuxContainerPool) Create(spec garden.ContainerSpec) (c linux_backend.
 		return nil, err
 	}
 
-	rootFSEnvVars, err := p.acquireSystemResources(id, containerPath, spec.RootFSPath, resources, spec.BindMounts, pLog)
+	rootFSEnv, err := p.acquireSystemResources(id, containerPath, spec.RootFSPath, resources, spec.BindMounts, pLog)
 	if err != nil {
 		return nil, err
 	}
 
 	pLog.Info("created")
 
-	ctrEnv, err := process.NewEnv(rootFSEnvVars)
-	if err != nil {
-		return nil, err
-	}
-
 	specEnv, err := process.NewEnv(spec.Env)
 	if err != nil {
 		return nil, err
 	}
 
+	pLog.Debug("calculate-environment", lager.Data{
+		"rootfs-env": rootFSEnv,
+		"create-env": specEnv,
+	})
 	return linux_backend.NewLinuxContainer(
 		pLog,
 		id,
@@ -281,7 +280,7 @@ func (p *LinuxContainerPool) Create(spec garden.ContainerSpec) (c linux_backend.
 		p.quotaManager,
 		bandwidth_manager.New(containerPath, id, p.runner),
 		process_tracker.New(containerPath, p.runner),
-		ctrEnv.Merge(specEnv),
+		rootFSEnv.Merge(specEnv),
 		p.filterProvider.ProvideFilter(id),
 	), nil
 }
@@ -531,7 +530,7 @@ func (p *LinuxContainerPool) releasePoolResources(resources *linux_backend.Resou
 	}
 }
 
-func (p *LinuxContainerPool) acquireSystemResources(id, containerPath, rootFSPath string, resources *linux_backend.Resources, bindMounts []garden.BindMount, pLog lager.Logger) ([]string, error) {
+func (p *LinuxContainerPool) acquireSystemResources(id, containerPath, rootFSPath string, resources *linux_backend.Resources, bindMounts []garden.BindMount, pLog lager.Logger) (process.Env, error) {
 	rootfsURL, err := url.Parse(rootFSPath)
 	if err != nil {
 		pLog.Error("parse-rootfs-path-failed", err, lager.Data{
@@ -556,14 +555,15 @@ func (p *LinuxContainerPool) acquireSystemResources(id, containerPath, rootFSPat
 
 	createCmd := path.Join(p.binPath, "create.sh")
 	create := exec.Command(createCmd, containerPath)
-	create.Env = []string{
-		"id=" + id,
-		"rootfs_path=" + rootfsPath,
-		fmt.Sprintf("user_uid=%d", resources.UserUID),
-		fmt.Sprintf("root_uid=%d", resources.RootUID),
-		"PATH=" + os.Getenv("PATH"),
-	}
-	resources.Network.ConfigureProcess(&create.Env)
+	env := process.Env{
+		"id":          id,
+		"rootfs_path": rootfsPath,
+		"user_uid":    strconv.FormatUint(uint64(resources.UserUID), 10),
+		"root_uid":    strconv.FormatUint(uint64(resources.RootUID), 10),
+		"PATH":        os.Getenv("PATH"),
+	}
+	resources.Network.ConfigureProcess(env)
+	create.Env = env.Array()
 
 	pRunner := logging.Runner{
 		CommandRunner: p.runner,