New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bug] subsystem.Popen() should be called with a clean env #16118
Comments
Do not allow the user's shell environment to leak into the build environment. Instead, create a clean environment with just white-listed environment keys.
Hi @paulharris I am not sure this is a bug, this is how Conan and recipes in ConanCenter are designed to work:
If this is not what you want, there are some ways to inhibit some of this behavior:
|
I think the old conan1 had to be run in a vcvars shell, or at least that was how I was running it. It seems to work fine from within msys shell. To be clear, I run in there so I can use the other msys tools. I don't want to use my msys as part of the build chain. So I want conan2 to create its own little bubble of a tightly controlled and repeatable environment each time it runs. I thought that was what conanbuild.bat was for... Otherwise, is everyone expected to run a CI build farm or build in docker or something? How are other people doing this? How exactly do you spin up a clean environment that doesn't involve building on a VM or container? And if this is what we should be doing as standard, shouldn't it be in the tutorials? |
This would be a good opt-in conan conf option to have, I think. |
I am a Windows user, and I didn't have to run in a vcvars shell in Conan 1 either. Most modern Conan generators in Conan 1 have been generating/calling
It is the recipes or the profiles that can alter the environment the way they want, they can even unset defined environment variables. But it is not the responsibility of Conan to provide isolation from the system, because actually a lot of users rely on the system environment, and use it together with Conan. An extremely common situation is Conan adding
No, it shouldn't be necessarily the default or standard Conan behavior. C++ devs have been working without isolated "virtualenvs" since always, and they are used to often rely, at least partially on the environment. |
I am not sure this works as a "feature" to opt-in, and it sounds to me like the typical rabbit hole, where users need more and more configurability because the implemented behavior is not good as there are too many different use cases, like: "Hey, why are you unsetting the variable "Program Files", I need it for my recipes to work, can you add a new I think having a |
Firstly, thanks for engaging in this debate. I think it is important, at least if all it does is educate me. I didn't run this through a chatgpt politeness filter, I'm just trying to lay out the arguments for and against so please just read it as the Arguments for the Opposed. I look forward to your rebuttal. The tool-require approach feels like a hack for only me, when I'm sure other people have this same problem.
For this specific example, cmake should be defined in tool_requires (as you say), Any other environ variables should be in the profile, that is the job of the profile. And when I need the environ to be different for a release build, then that is why there is more than one profile. I think the whole point of conan builds is to have repeatable builds. There was even a blog post about deterministic builds. https://blog.conan.io/2019/09/02/Deterministic-builds-with-C-C++.html IMO it would be a lot more reliable and predictable for conan to start with a blank environment, and add things IN explicitly. I don't even use libvpx directly, but now I've had to spend time hacking on that recipe understanding what is going on, when it was something in the environment unrelated to conan or the recipe. I also want repeatability. The PR of mine only has whitelisted items because I found nothing would work at all in a Popen call with a completely blank env. So I added what looked like the most basic environment elements that you would get in a blank machine. And it worked brilliantly. If something extra is needed, I can add it in the profile or recipe. I would go one step further and remove the added path to the python executable (my second commit in the PR).
Note that "giving access to ninja" is a negative, not a positive. The Ninja exe should be specified by conan, not whatever is in my PATH today. The I didn't make the same changes for Linux (yet) because I'm currently in Windows mode. |
I should mention that I don't think the PR is finished. eg running Git.clone() fails without the shell's env, but I would like to see a more controlled environment. |
In one of my recipes, I execute git and some other commands in the However, eg, I was not able to run |
The |
I've adjusted my approach and moved the environment-cleaner to the start of the conan process, otherwise EnvVars.apply() doesn't work - as @memsharded would've guessed. To make it work with EnvVars.apply would likely cause too much change in the conan code, so now I'm looking at clearing the env while calling conan. |
I'm not sure this would deal with all the issues, ie shouldn't conanbuild.bat be clearing stuff out so that cmake-executions and ninja-builds will also get a clean environment? |
Thanks very much for your feedback. I am closing #16119, based on the comments in #16119 (review). This is not considered a bug, but this is totally the intended and expected behavior of Conan. If users want to enforce a "curated" set of environment variables, this is a responsibility that is outside of Conan scope, and specific to every user, so this is not something that Conan can implement by default. |
I think the biggest problem was I understand why it can't be merged, I'll see if I can find a workaround along the lines of what you've suggested above. |
There was a recent fix for Conan 2.3, that avoids some internal uppercasing that Conan was doing in Windows for all env-vars, check #16122, or try running from the |
Describe the bug
OS: Windows
Compiler: msvc-19 2022
Conan version: 2.2.3
Conan profile:
There are many problems caused by unclean environments during the build step.
I get a variety of different behaviours depending on if I use CMD, or MSVC-CMD, or my own msys (git-sdk + pacman), or my msys was started after loading the MSVC vcvars environment.
This is especially visible when running autotools builds, which uses the msys environment during the build.
Example: ICU would not build in some of those environments: conan-io/conan-center-index#23679
Moving straight on from that, a nicer example is libvpx, which loudly trips over the
!ExitCode
environment variable (making this easier to reason about).When running conan from within my msvc+msys shell, the build ends up running in an environment that has many layers:
bash --login
bash --login
introduces more variables (in particular!ExitCode=00000001
). devenv/Scripts/activate
introduces more items into the environment.conan create
is executed ...!ExitCode
env variable is now!EXITCODE=00000001
bash --login
.!ExitCode=00000000
... interestingly, the value is different (0, not 1), and somehow it ended up in the environment instead of replacing the existing value.Crazy, but true. This is what (part of) the environment looks like at this point:
Finally, conan can execute autotools make, which executes and then fails with:
Note that this is a really nice example, but plenty of other packages will change behaviour (sometimes non-fatally) with unclean environments.
For example, libvpx WILL build with a slightly different environment, but it won't produce debug libraries as requested! So the package installs with errors, only headers and no libs.
NOTE: To debug this, I added a
breakpoint()
to libvpx's recipe, before autotools.make(), then hand-edited the conan/bat files in the cache, adding a bunch of printouts of the environment.How to reproduce it
K:\git-sdk-64\bin\bash --login
env | grep -i exit
---->!ExitCode=00000001
cd /k/conan-center/recipes/libvpx/all
The text was updated successfully, but these errors were encountered: