implement preserving env from host into vm in shell command #3830
Conversation
olamilekan000
force-pushed
the
implement-preserving-env-to-shell
branch
2 times, most recently
from
810b261 to
d9e9da9
Compare
| "XAUTHORITY", | ||
| "XDG_*", | ||
| "_*", // Variables starting with underscore are typically internal | ||
| } |
There was a problem hiding this comment.
I would sort the builtin list alphabetically, so it is easier to see which variables are filtered.
And I think we should add more variables, but it is of course subject to discussion. Some suggestions:
LD_*
DYLD_*
SHLVL
UID
EUID
GROUP
GID
HOSTNAME
Edit: I had LINES and COLUMNS in the list originally, but changed my mind and removed them.
Not sure about excluding shell-specific variables:
BASH*
ZSH*
FPATH
ZDOTDIR
98e8fb3 to
523b2bf
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR implements environment variable propagation from the host machine to the guest VM in shell commands, addressing the ability to preserve selected environment variables when executing commands within Lima VMs.
- Adds environment filtering utilities with configurable blocklist/allowlist support
- Introduces
--preserve-envflag to shell commands for controlled environment propagation - Updates nerdctl.lima wrapper script to use the new preserve-env functionality
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pkg/envutil/envutil.go | New utility package for filtering environment variables with builtin blocklist and pattern matching |
| pkg/envutil/envutil_test.go | Comprehensive test coverage for environment filtering functionality |
| pkg/limainfo/limainfo.go | Adds shell environment blocklist to Lima info structure |
| cmd/limactl/shell.go | Implements --preserve-env flag and environment variable injection in shell commands |
| cmd/nerdctl.lima | Updates wrapper script to use --preserve-env flag |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
olamilekan000
force-pushed
the
implement-preserving-env-to-shell
branch
from
523b2bf to
53e21f5
Compare
olamilekan000
force-pushed
the
implement-preserving-env-to-shell
branch
from
53e21f5 to
dd731fa
Compare
olamilekan000
force-pushed
the
implement-preserving-env-to-shell
branch
from
dd731fa to
35c0bb5
Compare
|
@lima-vm/maintainers I think this PR is almost ready to be merged. Please add some feedback about the default block list! Do you agree with all the entries, or should some not be blocked (like the shell-specific ones)? Or are there setting that are missing? We can still update the list after the PR is merged, but I think once 2.0.0 is released, any further changes would be breaking backwards compatibility. |
olamilekan000
force-pushed
the
implement-preserving-env-to-shell
branch
from
35c0bb5 to
71e227b
Compare
There was a problem hiding this comment.
Thanks, LGTM
One thing I stumbled over when reviewing the latest test update was that I expected allowList to come before blockList in the arguments:
filterEnvironmentWithLists(env, blockList, allowList []string)
Both because the allow list takes precedence, and because it comes alphabetically first.
But maybe that is just a personal preference. Feel free to either change or ignore, I'm also fine with merging as-is.
I will leave the PR open for another day or so to give other maintainers a chance to comment on the DefaultBlockList.
Signed-off-by: olalekan odukoya <[email protected]>
olamilekan000
force-pushed
the
implement-preserving-env-to-shell
branch
from
71e227b to
35d82ea
Compare
| // GetDefaultBlockList returns a copy of the default block list. | ||
| func GetDefaultBlockList() []string { | ||
| return slices.Clone(defaultBlockList) | ||
| } |
There was a problem hiding this comment.
Could we move this function to the top, right after the var defaultBlockList?
Usually, unexported functions go below exported ones.
There was a problem hiding this comment.
I agree that it makes sense to have this function close to the definition because it is a small exported function directly tied to the variable.
In general we don't follow a rules that unexported functions go to the bottom. Most of the code seems to follow the pattern of defining helper functions before the exported function that uses them.
| "ZDOTDIR", | ||
| "ZSH*", | ||
| "_*", // Variables starting with underscore are typically internal | ||
| } |
There was a problem hiding this comment.
Was this list taken from somewhere else?
Where is the upstream of this list?
There was a problem hiding this comment.
There is no upstream afaik, we just made it up. Which is why I asked for feedback on it. Did check it against my own setup on macOS, and the blocks make sense to me. I'm unsure if we are blocking too much with the BASH* and ZSH* blocks.
| @@ -1,3 +1,3 @@ | |||
| #!/bin/sh | |||
| set -eu | |||
| exec lima nerdctl "$@" | |||
| exec limactl shell --preserve-env default nerdctl "$@" | |||
There was a problem hiding this comment.
Needs a comment to explain the reason
There was a problem hiding this comment.
What about docker.lima, etc. ?
There was a problem hiding this comment.
It was an oversight. I only mentioned nerdctl.lima because it always runs in the VM, but didn't think about docker.lima because I always have a local client.
So yes, docker.lima needs it too. I don't know about the others, but maybe we should add it to all of them.
In some ways you could argue that --preserve-env should be the default unless the instance is --plain, but I don't think we want to make this change because it is not backwards compatible (and having it work differently based on instance type is confusing).
There was a problem hiding this comment.
--preserve-env should be the default
Scary to leak the credentials by default
| @@ -54,6 +55,7 @@ func newShellCommand() *cobra.Command { | |||
| shellCmd.Flags().String("shell", "", "Shell interpreter, e.g. /bin/bash") | |||
| shellCmd.Flags().String("workdir", "", "Working directory") | |||
| shellCmd.Flags().Bool("reconnect", false, "Reconnect to the SSH session") | |||
| shellCmd.Flags().Bool("preserve-env", false, "Propagate environment variables to the shell") | |||
There was a problem hiding this comment.
Needs an integration test and the document to clarify the block list
| } | ||
|
|
||
| func getBlockList() []string { | ||
| blockEnv := os.Getenv("LIMA_SHELLENV_BLOCK") |
There was a problem hiding this comment.
Please update https://lima-vm.io/docs/config/environment-variables/
|
Late to the party, but please check the comments |
implements issue