@theia/dev-container 1.71.0-next.72 → 1.71.0

package/src/electron-node/devcontainer-contributions/main-container-creation-contributions.ts

@@ -17,10 +17,13 @@ import * as Docker from 'dockerode';
 import { inject, injectable, interfaces } from '@theia/core/shared/inversify';
 import { ContainerCreationContribution } from '../docker-container-service';
 import { DevContainerConfiguration, DockerfileContainer, ImageContainer, NonComposeContainerBase } from '../devcontainer-file';
-import { Path } from '@theia/core';
+import { ILogger, Path } from '@theia/core';
 import { ContainerOutputProvider } from '../../electron-common/container-output-provider';
 import * as fs from '@theia/core/shared/fs-extra';
-import { RemotePortForwardingProvider } from '@theia/remote/lib/electron-common/remote-port-forwarding-provider';
+import * as os from 'os';
+import * as path from 'path';
+import * as cp from 'child_process';
+import { ForwardedPort, RemotePortForwardingProvider } from '@theia/remote/lib/electron-common/remote-port-forwarding-provider';
 import { RemoteDockerContainerConnection } from '../remote-container-connection-provider';
 import { WorkspaceCreationContribution } from './workspace-creation-contribution';
 import { parseWorkspaceMount } from '../dockerode-utils';
@@ -34,6 +37,8 @@ export function registerContainerCreationContributions(bind: interfaces.Bind): v
     bind(ContainerCreationContribution).to(PostCreateCommandContribution).inSingletonScope();
     bind(ContainerCreationContribution).to(ContainerEnvContribution).inSingletonScope();
     bind(ContainerCreationContribution).to(WorkspaceCreationContribution).inSingletonScope();
+    bind(ContainerCreationContribution).to(HostConfigSharingContribution).inSingletonScope();
+    bind(ContainerCreationContribution).to(DefaultShellContribution).inSingletonScope();
 }
 
 @injectable()
@@ -93,7 +98,7 @@ export class DockerFileContribution implements ContainerCreationContribution {
                 }, progress => outputprovider.onRemoteOutput(OutputHelper.parseProgress(progress))));
                 createOptions.Image = imageId;
             } catch (error) {
-                outputprovider.onRemoteOutput(`could not build dockerfile "${dockerfile}" reason: ${error.message}`);
+                outputprovider.onRemoteOutput(`Could not build dockerfile "${dockerfile}": ${error.message}`);
                 throw error;
             }
         }
@@ -122,11 +127,40 @@ export class ForwardPortsContribution implements ContainerCreationContribution {
                 port = forward;
             }
 
-            this.portForwardingProvider.forwardPort(connection.localPort, { port, address });
+            const forwardedPort: ForwardedPort = { port, address };
+            const attributes = this.getPortAttributes(containerConfig, port);
+            if (attributes) {
+                forwardedPort.label = attributes.label;
+                forwardedPort.protocol = attributes.protocol;
+                forwardedPort.onAutoForward = attributes.onAutoForward;
+            }
+            this.portForwardingProvider.forwardPort(connection.localPort, forwardedPort);
         }
 
     }
 
+    protected getPortAttributes(containerConfig: DevContainerConfiguration,
+        port: number): { label?: string; protocol?: 'http' | 'https'; onAutoForward?: ForwardedPort['onAutoForward'] } | undefined {
+        if (!containerConfig.portsAttributes) {
+            return undefined;
+        }
+        const portStr = String(port);
+        for (const [pattern, attributes] of Object.entries(containerConfig.portsAttributes)) {
+            if (pattern === portStr) {
+                return attributes;
+            }
+            const rangeMatch = pattern.match(/^(\d+)-(\d+)$/);
+            if (rangeMatch) {
+                const start = parseInt(rangeMatch[1]);
+                const end = parseInt(rangeMatch[2]);
+                if (port >= start && port <= end) {
+                    return attributes;
+                }
+            }
+        }
+        return undefined;
+    }
+
 }
 
 @injectable()
@@ -141,6 +175,7 @@ export class MountsContribution implements ContainerCreationContribution {
                 parseWorkspaceMount(mount) :
                 { Source: mount.source, Target: mount.target, Type: mount.type ?? 'bind' }) ?? []);
     }
+
 }
 
 @injectable()
@@ -170,7 +205,7 @@ export class PostCreateCommandContribution implements ContainerCreationContribut
                     const stream = await exec.start({ Tty: true });
                     stream.on('data', chunk => outputprovider.onRemoteOutput(chunk.toString()));
                 } catch (error) {
-                    outputprovider.onRemoteOutput('could not execute postCreateCommand ' + JSON.stringify(command) + ' reason:' + error.message);
+                    outputprovider.onRemoteOutput(`Could not execute postCreateCommand ${JSON.stringify(command)}: ${error.message}`);
                 }
             }
         }
@@ -191,6 +226,289 @@ export class ContainerEnvContribution implements ContainerCreationContribution {
     }
 }
 
+@injectable()
+export class HostConfigSharingContribution implements ContainerCreationContribution {
+
+    protected static readonly ISOLATED_SSH_DIR = path.join(os.homedir(), '.theia', 'dev-container', 'ssh');
+
+    @inject(ILogger)
+    protected readonly logger: ILogger;
+
+    async handleContainerCreation(createOptions: Docker.ContainerCreateOptions, containerConfig: DevContainerConfiguration): Promise<void> {
+        const mounts = createOptions.HostConfig?.Mounts ?? [];
+        const hasExistingMount = (targetSuffix: string): boolean =>
+            mounts.some(m => m.Target?.endsWith(targetSuffix));
+
+        // SSH: bind-mount an isolated SSH directory instead of the real ~/.ssh
+        const sshSigningInfo = await this.detectSshSigningKey();
+        if (!hasExistingMount('/.ssh')) {
+            const isolatedSshDir = await this.ensureIsolatedSshDir(sshSigningInfo);
+            if (isolatedSshDir) {
+                mounts.push({
+                    Source: isolatedSshDir,
+                    Target: this.getContainerHomePath(containerConfig, '.ssh'),
+                    Type: 'bind',
+                    ReadOnly: true
+                });
+            }
+        }
+
+        // Git config: bind-mount to a temp path; will be copied in post-create
+        const gitconfigPath = path.join(os.homedir(), '.gitconfig');
+        if (await fs.pathExists(gitconfigPath) && !hasExistingMount('/.gitconfig')) {
+            mounts.push({
+                Source: gitconfigPath,
+                Target: '/tmp/host_gitconfig',
+                Type: 'bind',
+                ReadOnly: true
+            });
+        }
+    }
+
+    async handlePostCreate(containerConfig: DevContainerConfiguration, container: Docker.Container, _api: Docker, outputprovider: ContainerOutputProvider): Promise<void> {
+        const user = (containerConfig.remoteUser ?? containerConfig.containerUser ?? 'root') as string;
+        const containerHome = this.getContainerHomePath(containerConfig, '');
+        const containerSshDir = `${containerHome}.ssh`;
+
+        try {
+            // Fix SSH permissions (bind-mount may not preserve them)
+            await this.execInContainer(container, 'root',
+                `if [ -d "${containerSshDir}" ]; then ` +
+                `chmod 700 "${containerSshDir}" 2>/dev/null; ` +
+                `find "${containerSshDir}" -name "id_*" ! -name "*.pub" -exec chmod 600 {} \\; 2>/dev/null; ` +
+                `find "${containerSshDir}" -name "*.pub" -exec chmod 644 {} \\; 2>/dev/null; ` +
+                `chmod 644 "${containerSshDir}/known_hosts" "${containerSshDir}/config" 2>/dev/null; ` +
+                // Also fix signing key permissions if present
+                `find "${containerSshDir}" -name "git_signing_key*" ! -name "*.pub" -exec chmod 600 {} \\; 2>/dev/null; ` +
+                'true; fi'
+            );
+
+            // Copy host gitconfig into container user's home so the container user owns it
+            const sshSigningInfo = await this.detectSshSigningKey();
+            let gitConfigCmd =
+                'if [ -f /tmp/host_gitconfig ]; then ' +
+                `cp /tmp/host_gitconfig "${containerHome}.gitconfig" && ` +
+                `chown ${user}:$(id -gn ${user}) "${containerHome}.gitconfig" 2>/dev/null; ` +
+                'fi';
+
+            if (sshSigningInfo?.format === 'ssh' && sshSigningInfo.keyFile) {
+                // SSH signing: rewrite the signing key path to point to the container's SSH dir
+                const containerKeyPath = `${containerSshDir}/git_signing_key`;
+                gitConfigCmd += ` && git config --global user.signingkey "${containerKeyPath}"`;
+            } else {
+                // GPG signing or no format: disable (GPG keys aren't available in containers)
+                gitConfigCmd += ' && git config --global commit.gpgsign false 2>/dev/null' +
+                    ' && git config --global tag.gpgsign false 2>/dev/null';
+            }
+            gitConfigCmd += '; true';
+
+            await this.execInContainer(container, user, gitConfigCmd);
+
+            // Install an SSH agent startup script in /etc/profile.d/ so that
+            // login shells (bash -l, started by THEIA_SHELL_ARGS=-l) reuse a
+            // single agent. The agent socket lives in /tmp so it works even
+            // when ~/.ssh is mounted read-only.
+            // The agent starts empty — keys are added automatically on first use
+            // via AddKeysToAgent=yes in the SSH config. This avoids passphrase
+            // prompts during non-interactive shell initialization.
+            const agentScript = [
+                '#!/bin/sh',
+                'SSH_AGENT_SOCK="/tmp/theia-ssh-agent.sock"',
+                'if [ ! -S "$SSH_AGENT_SOCK" ]; then',
+                '    eval $(ssh-agent -a "$SSH_AGENT_SOCK") > /dev/null 2>&1',
+                'fi',
+                'export SSH_AUTH_SOCK="$SSH_AGENT_SOCK"',
+            ].join('\n');
+
+            await this.execInContainer(container, 'root',
+                `mkdir -p /etc/profile.d && printf '%s\\n' '${agentScript.replace(/'/g, "'\\''")}' > /etc/profile.d/ssh-agent.sh && chmod 644 /etc/profile.d/ssh-agent.sh`
+            );
+        } catch (error) {
+            outputprovider?.onRemoteOutput(`Host config sharing: ${error.message}`);
+        }
+    }
+
+    protected async detectSshSigningKey(): Promise<{ format: string; keyFile?: string } | undefined> {
+        try {
+            const format = await this.gitConfigGet('gpg.format');
+            if (format !== 'ssh') {
+                return format ? { format } : undefined;
+            }
+            const signingKey = await this.gitConfigGet('user.signingkey');
+            return { format: 'ssh', keyFile: signingKey || undefined };
+        } catch (error) {
+            // Git config not available or command failed
+            return undefined;
+        }
+    }
+
+    protected gitConfigGet(key: string): Promise<string> {
+        return new Promise<string>((resolve, reject) => {
+            cp.exec(`git config --global --get ${key}`, (err, stdout) => {
+                if (err) {
+                    resolve('');
+                } else {
+                    resolve(stdout.trim());
+                }
+            });
+        });
+    }
+
+    protected async ensureIsolatedSshDir(sshSigningInfo?: { format: string; keyFile?: string }): Promise<string | undefined> {
+        const isolatedDir = HostConfigSharingContribution.ISOLATED_SSH_DIR;
+        try {
+            await fs.mkdirs(isolatedDir);
+
+            // Copy known_hosts from real ~/.ssh so host verification works
+            const realKnownHosts = path.join(os.homedir(), '.ssh', 'known_hosts');
+            const isolatedKnownHosts = path.join(isolatedDir, 'known_hosts');
+            if (await fs.pathExists(realKnownHosts) && !await fs.pathExists(isolatedKnownHosts)) {
+                await fs.copy(realKnownHosts, isolatedKnownHosts);
+            }
+
+            // Copy SSH config and all keys it references via IdentityFile
+            const realConfig = path.join(os.homedir(), '.ssh', 'config');
+            const isolatedConfig = path.join(isolatedDir, 'config');
+            if (await fs.pathExists(realConfig)) {
+                // Always refresh the config — rewrite IdentityFile paths so they
+                // resolve inside the container (where ~/.ssh is a different user's home)
+                const rawConfig = await fs.readFile(realConfig, 'utf-8');
+                // Parse IdentityFile entries from the ORIGINAL config and copy referenced keys
+                const identityFiles = rawConfig.match(/^\s*IdentityFile\s+(.+)$/gm);
+                // Rewrite absolute and ~/ paths to just the filename under ~/.ssh/
+                let rewrittenConfig = rawConfig.replace(
+                    /^(\s*IdentityFile\s+)(.+)$/gm,
+                    (_match, prefix, filePath) => `${prefix}~/.ssh/${path.basename(filePath.trim())}`
+                );
+                // Prepend AddKeysToAgent so that after the user enters a passphrase
+                // once, the key is automatically cached in the running ssh-agent
+                if (!/^\s*AddKeysToAgent\s/m.test(rewrittenConfig)) {
+                    rewrittenConfig = 'Host *\n    AddKeysToAgent yes\n\n' + rewrittenConfig;
+                }
+                await fs.writeFile(isolatedConfig, rewrittenConfig);
+                if (identityFiles) {
+                    for (const line of identityFiles) {
+                        const keyRef = line.replace(/^\s*IdentityFile\s+/, '').trim()
+                            .replace(/^~\//, os.homedir() + '/');
+                        const keyName = path.basename(keyRef);
+                        const isolatedKey = path.join(isolatedDir, keyName);
+                        if (await fs.pathExists(keyRef) && !await fs.pathExists(isolatedKey)) {
+                            await fs.copy(keyRef, isolatedKey);
+                            if (await fs.pathExists(keyRef + '.pub')) {
+                                await fs.copy(keyRef + '.pub', isolatedKey + '.pub');
+                            }
+                        }
+                    }
+                }
+            }
+
+            // Generate a dedicated ed25519 keypair if none exists
+            const keyPath = path.join(isolatedDir, 'id_ed25519');
+            if (!await fs.pathExists(keyPath)) {
+                await new Promise<void>((resolve, reject) => {
+                    cp.exec(`ssh-keygen -t ed25519 -f "${keyPath}" -N "" -C "theia-dev-container"`, err => {
+                        if (err) {
+                            reject(err);
+                        } else {
+                            resolve();
+                        }
+                    });
+                });
+                const pubKey = await fs.readFile(keyPath + '.pub', 'utf-8');
+                this.logger.info('Dev Container SSH: generated new keypair. Register this public key with your Git provider:\n' + pubKey.trim());
+            }
+
+            // Copy the SSH signing key if git is configured for SSH signing
+            if (sshSigningInfo?.format === 'ssh' && sshSigningInfo.keyFile) {
+                const signingKeyPath = sshSigningInfo.keyFile.replace(/^~\//, os.homedir() + '/');
+                const isolatedSigningKey = path.join(isolatedDir, 'git_signing_key');
+                if (await fs.pathExists(signingKeyPath) && !await fs.pathExists(isolatedSigningKey)) {
+                    await fs.copy(signingKeyPath, isolatedSigningKey);
+                    // Also copy the .pub if it exists
+                    if (await fs.pathExists(signingKeyPath + '.pub')) {
+                        await fs.copy(signingKeyPath + '.pub', isolatedSigningKey + '.pub');
+                    }
+                }
+            }
+
+            return isolatedDir;
+        } catch (error) {
+            this.logger.error('Failed to set up isolated SSH directory:', error);
+            return undefined;
+        }
+    }
+
+    protected async execInContainer(container: Docker.Container, user: string, cmd: string): Promise<void> {
+        const exec = await container.exec({
+            Cmd: ['sh', '-c', cmd],
+            User: user,
+            AttachStdout: true,
+            AttachStderr: true
+        });
+        await exec.start({});
+    }
+
+    protected getContainerHomePath(containerConfig: DevContainerConfiguration, relativePath: string): string {
+        const user = containerConfig.remoteUser ?? containerConfig.containerUser;
+        if (user && user !== 'root') {
+            return `/home/${user}/${relativePath}`;
+        }
+        return `/root/${relativePath}`;
+    }
+}
+
+@injectable()
+export class DefaultShellContribution implements ContainerCreationContribution {
+    async handleContainerCreation(createOptions: Docker.ContainerCreateOptions, containerConfig: DevContainerConfiguration, api: Docker): Promise<void> {
+        // Set shell and terminal env vars at container creation time so they are
+        // inherited by ALL processes (including docker exec calls).
+        // The remote Theia server is launched via `sh -c` (non-login shell), so
+        // env vars must be baked into the container environment.
+        if (!createOptions.Env) {
+            createOptions.Env = [];
+        }
+        const setIfMissing = (key: string, value: string): void => {
+            if (!createOptions.Env!.some(e => e.startsWith(key + '='))) {
+                createOptions.Env!.push(`${key}=${value}`);
+            }
+        };
+        // Prefer bash; fall back to /bin/sh for minimal images (e.g. Alpine) that don't ship bash.
+        const shell = createOptions.Image && (await this.isBashAvailable(api, createOptions.Image)) === false
+            ? '/bin/sh'
+            : '/bin/bash';
+        setIfMissing('THEIA_SHELL', shell);
+        // Start as login shell so /etc/profile.d/ and ~/.bashrc are sourced,
+        // giving the user a proper prompt and SSH agent env vars.
+        setIfMissing('THEIA_SHELL_ARGS', '-l');
+        setIfMissing('SHELL', shell);
+        setIfMissing('TERM', 'xterm-256color');
+        setIfMissing('COLORTERM', 'truecolor');
+    }
+
+    protected async isBashAvailable(api: Docker, image: string): Promise<boolean | undefined> {
+        let probe: Docker.Container | undefined;
+        try {
+            probe = await api.createContainer({
+                Image: image,
+                Cmd: ['sh', '-c', 'command -v bash']
+            });
+            await probe.start();
+            const { StatusCode } = await probe.wait();
+            return StatusCode === 0;
+        } catch {
+            return undefined;
+        } finally {
+            if (probe) {
+                try {
+                    await probe.remove();
+                } catch {
+                    // ignore — container may already be gone
+                }
+            }
+        }
+    }
+}
+
 export namespace OutputHelper {
     export interface Progress {
         id?: string;

package/src/electron-node/devcontainer-contributions/variable-resolver-contribution.ts

@@ -31,7 +31,6 @@ export function registerVariableResolverContributions(bind: interfaces.Bind): vo
 @injectable()
 export class LocalEnvVariableResolver implements VariableResolverContribution {
     canResolve(type: string): boolean {
-        console.log(`Resolving localEnv variable: ${type}`);
         return type === 'localEnv';
     }
 

package/src/electron-node/devcontainer-file.ts

@@ -255,7 +255,7 @@ export interface DevContainerCommon {
      * Remote environment variables to set for processes spawned in the container including lifecycle scripts and any remote editor/IDE server process.
      */
     remoteEnv?: {
-        [k: string]: string | null
+        [k: string]: string | undefined
     }
     /**
      * The username to use for spawning processes in the container including lifecycle scripts and any remote editor/IDE server process.
@@ -413,3 +413,15 @@ export interface MountConfig {
     target: string,
     type: 'volume' | 'bind',
 }
+
+export namespace DevContainerConfiguration {
+    /**
+     * Creates an empty DevContainerConfiguration with minimal valid properties.
+     * Used when attaching to existing containers where no devcontainer.json is available.
+     */
+    export function empty(): DevContainerConfiguration {
+        return {
+            image: 'unknown'
+        } as DevContainerConfiguration;
+    }
+}

package/src/electron-node/remote-container-connection-provider.spec.ts

@@ -0,0 +1,152 @@
+// *****************************************************************************
+// Copyright (C) 2026 EclipseSource and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// http://www.eclipse.org/legal/epl-2.0.
+//
+// This Source Code may also be made available under the following Secondary
+// Licenses when the conditions for such availability set forth in the Eclipse
+// Public License v. 2.0 are satisfied: GNU General Public License, version 2
+// with the GNU Classpath Exception which is available at
+// https://www.gnu.org/software/classpath/license.html.
+//
+// SPDX-License-Identifier: EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0
+// *****************************************************************************
+
+import { expect } from 'chai';
+import { RemoteDockerContainerConnection } from './remote-container-connection-provider';
+import { DevContainerConfiguration } from './devcontainer-file';
+import { ILogger } from '@theia/core';
+import * as Docker from 'dockerode';
+
+class TestableDockerContainerConnection extends RemoteDockerContainerConnection {
+    public testGetRemoteEnv(): string[] | undefined {
+        return this.getRemoteEnv();
+    }
+}
+
+function createConnection(config: DevContainerConfiguration): TestableDockerContainerConnection {
+    const mockDocker = {
+        getEvents: () => Promise.resolve({ on: () => { } })
+    } as unknown as Docker;
+    const mockContainer = {} as unknown as Docker.Container;
+    const mockLogger = {} as ILogger;
+    return new TestableDockerContainerConnection({
+        id: 'test-id',
+        name: 'test',
+        type: 'Dev Container',
+        docker: mockDocker,
+        container: mockContainer,
+        config,
+        logger: mockLogger
+    });
+}
+
+describe('RemoteDockerContainerConnection', () => {
+
+    describe('getRemoteEnv', () => {
+
+        it('should return undefined when remoteEnv is not set', () => {
+            const connection = createConnection({
+                image: 'test'
+            } as DevContainerConfiguration);
+
+            expect(connection.testGetRemoteEnv()).to.be.undefined;
+        });
+
+        it('should return undefined when remoteEnv is empty', () => {
+            const connection = createConnection({
+                image: 'test',
+                remoteEnv: {}
+            } as DevContainerConfiguration);
+
+            expect(connection.testGetRemoteEnv()).to.be.undefined;
+        });
+
+        it('should convert remoteEnv entries to KEY=value format', () => {
+            const connection = createConnection({
+                image: 'test',
+                remoteEnv: {
+                    'MY_VAR': 'my_value',
+                    'ANOTHER_VAR': 'another_value'
+                }
+            } as DevContainerConfiguration);
+
+            const env = connection.testGetRemoteEnv();
+            expect(env).to.have.lengthOf(2);
+            expect(env).to.include('MY_VAR=my_value');
+            expect(env).to.include('ANOTHER_VAR=another_value');
+        });
+
+        it('should filter out entries with undefined values', () => {
+            const connection = createConnection({
+                image: 'test',
+                remoteEnv: {
+                    'KEEP_VAR': 'value',
+                    'REMOVE_VAR': undefined
+                }
+            } as DevContainerConfiguration);
+
+            const env = connection.testGetRemoteEnv();
+            expect(env).to.have.lengthOf(1);
+            expect(env).to.include('KEEP_VAR=value');
+        });
+
+        it('should return undefined when all entries have undefined values', () => {
+            const connection = createConnection({
+                image: 'test',
+                remoteEnv: {
+                    'VAR1': undefined,
+                    'VAR2': undefined
+                }
+            } as DevContainerConfiguration);
+
+            const env = connection.testGetRemoteEnv();
+            expect(env).to.have.lengthOf(0);
+        });
+
+        it('should handle values containing equals signs', () => {
+            const connection = createConnection({
+                image: 'test',
+                remoteEnv: {
+                    'CONNECTION_STRING': 'host=localhost;port=5432'
+                }
+            } as DevContainerConfiguration);
+
+            const env = connection.testGetRemoteEnv();
+            expect(env).to.have.lengthOf(1);
+            expect(env).to.include('CONNECTION_STRING=host=localhost;port=5432');
+        });
+
+        it('should handle empty string values', () => {
+            const connection = createConnection({
+                image: 'test',
+                remoteEnv: {
+                    'EMPTY_VAR': ''
+                }
+            } as DevContainerConfiguration);
+
+            const env = connection.testGetRemoteEnv();
+            expect(env).to.have.lengthOf(1);
+            expect(env).to.include('EMPTY_VAR=');
+        });
+
+        it('should handle values with special characters', () => {
+            const connection = createConnection({
+                image: 'test',
+                remoteEnv: {
+                    'PATH_EXTRA': '/usr/local/bin:/custom/path',
+                    'QUOTED': 'hello "world"',
+                    'SPACED': 'hello world'
+                }
+            } as DevContainerConfiguration);
+
+            const env = connection.testGetRemoteEnv();
+            expect(env).to.have.lengthOf(3);
+            expect(env).to.include('PATH_EXTRA=/usr/local/bin:/custom/path');
+            expect(env).to.include('QUOTED=hello "world"');
+            expect(env).to.include('SPACED=hello world');
+        });
+    });
+});