When switching to a setup with a separate task-runners container, I noticed that in the default n8n-task-runners.json, the environment variables NODE_FUNCTION_ALLOW_BUILTIN and NODE_FUNCTION_ALLOW_EXTERNAL (and equivalents for Python) are not passed from the launcher to the runner because they are explicitly defined in env-overrides and they are not mentioned in allowed-env.
As a result, the simple configuration of the environment variables for the task-runners Docker container is useless without changing the n8n-task-runners.json file.
Why were these defaults chosen with env-overrides, which explicitly do not allow configuration via the environment variables of the task-runners Docker container?
Or is there an urgent reason (possibly security-related) not to pass these variables from the task-runners Docker container and instead define them explicitly in the json file?
I would have understood if defaults had been defined in case the env variables were not defined for the task-runners Docker container.
Information on your n8n setup
n8n version: 2.10.1
Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
Hi @dipu, welcome to the n8n community!
You need to configure the permissions directly in the n8n-task-runners.json file according to the isolation model defined by the launcher. Sensitive execution permissions should not rely on container-level environment variables. Configuring queue mode | n8n Docs
Yeah this is a known pain point, the env-overrides in the default config literally overwrite whatever you set at the container level so those env vars just get ignored. It’s a security-by-default design choice but pretty much everyone agrees it’s unintuitive for Docker setups. The workaround is to mount your own custom n8n-task-runners.json into the runner container at /etc/n8n-task-runners.json with the modules you need listed in there. There’s actually a feature request open for exactly this if you want to upvote it: Allow N8N_RUNNERS_STDLIB_ALLOW and alike to override n8n-task-runners.json config
Yeah this is intentional, the env-overrides in the JSON always win so setting those env vars on the container does nothing. You need to mount your own n8n-task-runners.json at /etc/n8n-task-runners.json with the modules you want allowed. Kind of annoying but it’s a security decision, there’s a feature request open to let env vars override it though.