Make devcontainer work in WSL and proxy environments

[olivembo]

Summary

This PR adds robust support for running the devcontainer in environments with or without a corporate proxy, including WSL2 scenarios. The setup is now fully automated and self-healing, ensuring Docker and BuildKit always use the correct proxy settings.

Key changes

• Automated proxy detection and configuration

  • Adds .devcontainer/setup-proxy.sh which configures Docker daemon, BuildKit, and Docker client for proxy or non-proxy environments.
  • Automatically detects and applies current proxy environment variables.
  • Cleans up and recreates BuildKit builder with correct proxy settings if the proxy changes.

• Post-create automation

  • Runs the setup script automatically via postCreateCommand in devcontainer.json.

• Build-time and runtime proxy support

  • Passes proxy variables as build args and runtime envs.
  • Ensures Dockerfile and all devcontainer features can access the internet through the proxy.

• WSL2 and host networking compatibility

  • Adds host.docker.internal and other runArgs for seamless networking in WSL2.

• Documentation and testing

  • Adds .devcontainer/test-proxy.sh for easy verification.
  • Adds README-PROXY.md with usage and troubleshooting instructions.

How it works

On container creation, the setup script:
Detects proxy settings.
Configures Docker daemon and BuildKit accordingly.
Verifies Docker and registry access.
Works out-of-the-box for both proxy and non-proxy environments.
Handles proxy changes and container rebuilds gracefully.

Why

Ensures reliable devcontainer builds in corporate, WSL, and direct-internet environments.
Reduces manual setup and troubleshooting for developers.
Makes onboarding and CI/CD more robust.

[AlexanderLanin]

@opajonk can you please document/explain how the split between devcontainer and features is designed?

[opajonk]

Moved to #28

[AlexanderLanin]

Will this kill any (unrelated) running dockers on the system?

[opajonk]

I think this comment is outdated.

[lurtz]

Adds README-PROXY.md with usage and troubleshooting instructions.

I guess this forgotten to be added.

We should talk about this pull request via Slack.

[lurtz]

I am a bit confused where this script is intended to be run. Per the location it should be run inside the S-CORE devcontainer. But the content assumes that docker is present, which is not installed in the S-CORE devcontainer but on the host instead.

If you intend to run it on the host, you have to use initializeCommand: https://containers.dev/implementors/json_reference/#lifecycle-scripts. However in this case you have to deal with lots of different environments.

Host environments I am aware of so far:

• Ubuntu 20.04, 22.04, 24.04
  • do not expect to have root permissions on these
• MacOS
• WSL2

[lurtz]

is this script reconfiguring my host Docker daemon from inside the S-CORE devcontainer?

[lurtz]

what is in .cache/uv? It does not exist on my host

[lurtz]

would this close the door to wayland users?

[lurtz]

I have to check how well this works with podman. At the time being I would like to be able to run the container on both docker and podman. The reason is that for being able to run bazels linux-sandbox the container needs to be run with --privileged which gives the container with docker basically root access to my notebook. With podman this can be minimized to my user.

I have so far seen containers as an easy to setup development environment and as a security / safety measure for the host system of my computer. Having to use --privileged is already a big boon to that and seeing the host docker being reconfigured from within the container seems to further tear down this wall.

[lurtz]

will this read the content of the current variable and assign it to DISPLAY inside the container?

[lurtz]

docker is not installed inside the container. How can you access it?

[lurtz]

I have setup a daemon.json so that docker works in the corporate environment of my company. Would this be overriden, if I were using one of the proxy variables?

[lurtz]

now I get very confused. I assume this requires the existence of a Dockerfile. Is this script used to build the S-CORE devcontainer with the other devcontainer of this repository?

[opajonk]

Adds README-PROXY.md with usage and troubleshooting instructions.

I guess this forgotten to be added.

We should talk about this pull request via Slack.

I agree we should have a chat. There seems to be a legitimate use-case (as I also heard during the architecture workshop last week). However, re-configuring the docker host (!) significantly - and probably unexpectedly to most other users - is a problem. Maybe we can find a less "intrusive" and still helpful solution?

[lurtz]

Works on my machine.

Now proxy related environment variables are defined in the container with empty content. I hope no software trips over that.

Have you considered using

    "runArgs": [
        "--env-file", "proxy_settings.env",
    ],

In the devcontainer.json? In proxy_settings.env you define the environment variables to be made available inside the container. Maybe even .env as filename is sufficient and no extra arguments needed (was not working for me with an already built container)

[olivembo]

Works on my machine.

Now proxy related environment variables are defined in the container with empty content. I hope no software trips over that.

Have you considered using

    "runArgs": [
        "--env-file", "proxy_settings.env",
    ],

In the devcontainer.json? In proxy_settings.env you define the environment variables to be made available inside the container. Maybe even .env as filename is sufficient and no extra arguments needed (was not working for me with an already built container)

In general, I like the .env file approach, but in that case it would mean that users behind proxies would have to create the .env file manually before they can start. The current approach does not need any user interaction, neither from user behind a proxy nor from users with direct internet connection.

Regarding the empty environment variables in case of direct internet access:
I agree it is maybe confusing, but didn't had side effects so far when I tested on my machine with direct internet access.

However, I could add a line like

"postStartCommand": "for var in HTTP_PROXY HTTPS_PROXY http_proxy https_proxy NO_PROXY no_proxy; do [ -z \"${!var}\" ] && unset $var || true; done",

to the devcontainer.json. Does that make sense from your side?

[lurtz]

I would appreciate if these are deleted if empty. Then we are sure not to get unintended side effects. I also only checked if some tools work. Would be a waste of time to discover that there is a tool which malfunctions when these variables are set but empty.

[olivembo]

I would appreciate if these are deleted if empty. Then we are sure not to get unintended side effects. I also only checked if some tools work. Would be a waste of time to discover that there is a tool which malfunctions when these variables are set but empty.

Is addressed with c81e8ed

[lurtz]

I get an error, when starting the container:

Running the postStartCommand from devcontainer.json...

[3301 ms] Start: Run in container: /bin/sh -c for var in HTTP_PROXY HTTPS_PROXY http_proxy https_proxy NO_PROXY no_proxy; do [ -z "${!var}" ] && unset $var || true; done
/bin/sh: 1: Bad substitution
[3349 ms] postStartCommand from devcontainer.json failed with exit code 2. Skipping any further user-provided commands.

I suspect the problem is that /bin/sh is used instead of bash.

[lurtz]

this still does not work. Execution is now successful, but variables are still present in a new shell:

vscode ➜ /workspaces/inc_mw_com (example_trait_impl) $ cat .devcontainer/devcontainer.json 
{
    "name": "eclipse-s-core",
    // "image": "ghcr.io/eclipse-score/devcontainer:rustup-completion-amd64"
    "image": "ghcr.io/eclipse-score/devcontainer:proxy-settings-amd64"
    // "image": "ghcr.io/eclipse-score/devcontainer:fix-setting-bazel-version-amd64"
}
vscode ➜ /workspaces/inc_mw_com (example_trait_impl) $ env | grep -i proxy
no_proxy=
https_proxy=
NO_PROXY=
HTTPS_PROXY=
HTTP_PROXY=
http_proxy=

[olivembo]

You are right. The postStartCommand runs in its own shell und unsets the environment variables only there.

The only solution I would have at the moment, would be to append unset commands to .bashrc in the postStartCommand. The .bashrc is then sourced by every new bash shell and every time unsets the environment variables. But it's not a nice solution imho. Would appreciate better proposals.

[lurtz]

I guess we can use /etc/profile.d/ for this. Here is an example where I removed using it: https://github.com/eclipse-score/devcontainer/pull/51/files#diff-e418ce180663a5c3fc806f1c352a9d737097e60cecaa9cd1724c8236a955a335R64

[olivembo]

Addressed with #102e649a40d7af70dba77453bbb984b659e5ff74

[lurtz]

@opajonk Do we really have to specify the tool version, if it just installed via apt-get? E.g. Python tooling is not installed with a specific version either: https://github.com/etas-contrib/score_devcontainer/blob/8aae83706ce51796b85894cdd2c6c0bc29901e84/src/s-core-devcontainer/.devcontainer/s-core-local/install.sh#L41

We already have a Ubuntu release set, which defines the versions of these tools. And thus defining the versions for each tool feels redundant.

[lurtz]

Specifying the Java version here is IMHO ok, because there are different versions as apt packages available for the same Ubuntu release.

[lurtz]

#52 (comment) is still relevant

[opajonk]

However, there is even more here: there are pre-defined build args in Docker (I did not know before reviewing this PR). Guess what, they are exactly those we are looking for here! Can you test if that works? Maybe the ARG declarations are not needed at all.

[lurtz]

I lean towards having them explicitly. Otherwise someone will also stumble across it and wonder how did this ever work?

[opajonk]

nice job!