Improve devcontainer SSH workflow and multi-arch support #2352

Merged: curtisman merged 5 commits into main from sshcontainer, May 16, 2026
@curtisman (Member)

Summary

This PR improves the TypeAgent devcontainer workflow for SSH-based agent windows and broadens local host support.

Key changes:

  • switch the devcontainer base image to mcr.microsoft.com/devcontainers/base:ubuntu-24.04
    • enables native linux/arm64 support for Apple Silicon hosts in the standard config
    • adds common-utils to restore the expected codespace user and zsh setup
  • add SSH server support and host-side SSH bootstrap scripts
    • add .devcontainer/scripts/setup-ssh-access.sh
    • add .devcontainer/scripts/start-devcontainer.sh with optional --ssh
    • configure key-only SSH auth and host ssh typeagent-devcontainer access
  • publish SSH on loopback only with 127.0.0.1:2222:2222
    • preserves host SSH access for CLI-launched devcontainers
    • avoids exposing port 2222 on the LAN
  • add writable sibling worktree volume support for agent windows at /workspaces/<repo>.worktrees
  • propagate host Git identity into container creation via LOCAL_GIT_USER_NAME / LOCAL_GIT_USER_EMAIL
  • install libsecret-1-0 and libsecret-1-dev during post-create
  • apply review fixes and config alignment
    • add missing VNC config parity: dotnet:2, SSH appPort, port 3443, missing VS Code extensions
    • remove the TypeAgent git hook helper installation
    • improve WSL Windows SSH sync warnings
    • simplify post-create/post-start command invocation by removing redundant tr -d '\r'
    • document container user behavior and split port documentation by config

Why

VS Code agent windows currently support tunnel and SSH connections, so a reliable SSH path into the devcontainer is needed. This PR makes that workflow first-class while also addressing:

  • host SSH access for CLI-launched devcontainers
  • devcontainer usability on macOS arm64
  • agent-window worktree permissions
  • host Git identity propagation
  • documentation drift and VNC config inconsistencies

Notes

  • the standard config now supports native arm64 hosts through the Ubuntu 24.04 base image
  • the VNC config still includes desktop-lite, which may still require amd64 emulation on Apple Silicon depending on feature support
  • SSH host publishing is loopback-only by design

Validation

Validated during development with:

  • bash -n .devcontainer/scripts/start-devcontainer.sh
  • bash -n .devcontainer/scripts/post-create.sh
  • bash -n .devcontainer/scripts/setup-ssh-access.sh
  • devcontainer JSON diagnostics in VS Code
  • interactive testing of host SSH connectivity and rebuild flows

Follow-ups

Potential follow-up cleanups outside this PR:

  • update deprecated typescript.tsdk setting to js/ts.tsdk.path
  • revisit terminal.integrated.defaultProfile.linux setting to match current VS Code schema

curtisman and others added 4 commits May 15, 2026 21:29
- Replace blanket NOPASSWD:ALL sudo with a minimal allowlist
  (apt-get, chown, mkdir, service ssh) applied at the end of
  post-create after setup no longer needs full root.
- Remove appPort Docker host binding for SSH (port 2222) and move
  it to forwardPorts, which tunnels through VS Code / Codespaces
  instead of exposing on the host network.
- Add portsAttributes entry for SSH port.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The earlier hardening commit replaced appPort with forwardPorts for 2222. forwardPorts is only honored by the VS Code/Codespaces port-forwarding UI and does not publish a Docker port when the container is started via the devcontainer CLI, leaving localhost:2222 unreachable (Connection refused).

Restore appPort but bind to 127.0.0.1 only, so host-side 'ssh typeagent-devcontainer' works without exposing 2222 on the LAN.
- VNC config: add dotnet:2 feature, appPort 127.0.0.1:2222:2222, port 3443, missing extensions (csharp, azure-functions, rest-client)
- post-create: remove TypeAgent git hook helpers entirely; consolidate git identity warning into one message; replace em-dash header comment
- post-create: expand restricted sudoers allowlist (apt-get remove, dpkg -i / --configure, service sshd) for legitimate package operations
- setup-ssh-access: explicit warnings when WSL Windows SSH sync is skipped (missing cmd.exe / wslpath, unresolved %USERPROFILE%, wslpath translation failure)
- README: fix 'teh' typo, split forwarded-ports table by config, add Container User section explaining UID/GID 1001 choice
- devcontainer.json / vnc/devcontainer.json: drop redundant 'tr -d \r' wrapper in postCreateCommand/postStartCommand (.gitattributes already enforces eol=lf)
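
The loopback-only publish described in the commits above, as an added example (not code from this PR or the TypeAgent repository): a Python check that reads a devcontainer.json and reports every appPort entry that does not name a loopback host address. The sample configs are constructed, and reporting a bare port number as a finding is this example's policy, not something the PR states.

```python
import ipaddress
import json
import re

# Matches a JSON string, a // line comment, or a /* block comment */.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def load_jsonc(text):
    """Parse devcontainer.json text, dropping comments but keeping string contents."""
    def keep_strings(m):
        return m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_JSONC.sub(keep_strings, text))

def host_ip(spec):
    """Return the host IP of a Docker-style publish spec, or None if it has none."""
    spec = str(spec).split("/")[0]          # drop a trailing /tcp or /udp
    if spec.startswith("["):                # [ipv6]:hostPort:containerPort
        return spec[1:spec.index("]")]
    parts = spec.split(":")                 # ip:hostPort:containerPort has 3 parts
    return parts[0] if len(parts) == 3 and parts[0] else None

def audit_app_ports(config):
    """Return (entry, reason) for every appPort entry not pinned to loopback."""
    entries = config.get("appPort", [])
    if not isinstance(entries, list):       # appPort may be a single int or string
        entries = [entries]
    findings = []
    for entry in entries:
        ip = host_ip(entry)
        if ip is None:
            # With docker -p, a spec without a host IP binds all interfaces by default.
            findings.append((entry, "no explicit host IP"))
        elif not ipaddress.ip_address(ip).is_loopback:
            findings.append((entry, f"published on non-loopback address {ip}"))
    return findings

# Constructed samples, not the repository's files.
BEFORE = '{ "appPort": ["2222:2222", "0.0.0.0:2222:2222"] }'
AFTER = """{
  // SSH for host-side `ssh typeagent-devcontainer`
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
  "appPort": ["127.0.0.1:2222:2222"]
}"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_app_ports(load_jsonc(text)))
```

The comment stripper does not handle trailing commas, so a config that uses them needs a JSONC-aware parser instead.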
curtisman enabled auto-merge May 16, 2026 07:46
curtisman requested a deployment to development-fork May 16, 2026 07:46 (with GitHub Actions, Waiting)
curtisman added this pull request to the merge queue May 16, 2026
Merged via the queue into main with commit 8043ab3 May 16, 2026
19 of 21 checks passed