code clean up

RomanNikitenko · RomanNikitenko · commit 324291ef5929 · 2026-02-24T21:03:49.000+02:00
Signed-off-by: Roman Nikitenko &lt;rnikiten@redhat.com&gt;
diff --git a/build/dockerfiles/linux-libc-ubi9.Dockerfile b/build/dockerfiles/linux-libc-ubi9.Dockerfile
@@ -80,12 +80,13 @@ RUN NODE_ARCH=$(echo "console.log(process.arch)" | node) \
     && VSCODE_MANGLE_WORKERS=2 NODE_OPTIONS="--max-old-space-size=8192" ./node_modules/.bin/gulp vscode-reh-web-linux-${NODE_ARCH}-min \
     && cp -r ../vscode-reh-web-linux-${NODE_ARCH} /checode \
     # cache shared libs from this image to provide them to a user's container
-    && mkdir -p /checode/ld_libs \
-    && find /usr/lib64 -name 'libbrotli*' 2>/dev/null | xargs -I {} cp -t /checode/ld_libs {} \
-    && find /usr/lib64 -name 'libnode.so*' -exec cp -P -t /checode/ld_libs/ {} + \
-    && find /usr/lib64 -name 'libz.so*' -exec cp -P -t /checode/ld_libs/ {} + \
-    && find /usr/lib64 -name 'libssl.so*' -exec cp -P -t /checode/ld_libs/ {} + \
-    && find /usr/lib64 -name 'libcrypto.so*' -exec cp -P -t /checode/ld_libs/ {} +
+    && mkdir -p /checode/ld_libs/core /checode/ld_libs/openssl \
+    && find /lib /lib64 /usr/lib64 -name 'ld-linux-*.so*' -exec cp -L -t /checode/ld_libs/core/ {} + \
+    && find /usr/lib64 -name 'libbrotli*' -exec cp -P -t /checode/ld_libs/core/ {} + \
+    && find /usr/lib64 -name 'libnode.so*' -exec cp -P -t /checode/ld_libs/core/ {} + \
+    && find /usr/lib64 -name 'libz.so*' -exec cp -P -t /checode/ld_libs/core/ {} + \
+    && find /usr/lib64 -name 'libssl.so*' -exec cp -P -t /checode/ld_libs/openssl/ {} + \
+    && find /usr/lib64 -name 'libcrypto.so*' -exec cp -P -t /checode/ld_libs/openssl/ {} +
 
 RUN chmod a+x /checode/out/server-main.js \
     && chgrp -R 0 /checode && chmod -R g+rwX /checode
diff --git a/build/scripts/entrypoint-volume.sh b/build/scripts/entrypoint-volume.sh
@@ -50,7 +50,7 @@ get_openssl_version() {
     openssl_version=$(openssl version -v | cut -d' ' -f2 | cut -d'.' -f1)
   elif command -v rpm >/dev/null 2>&1; then
     echo "[INFO] rpm command is available"
-    openssl_version=$(rpm -qa | grep openssl-libs | cut -d'-' -f3 | cut -d'.' -f1)
+    openssl_version=$(rpm -q --qf '%{VERSION}\n' openssl-libs 2>/dev/null | cut -d'.' -f1)
   else
     echo "[INFO] openssl and rpm commands are not available, trying to detect OpenSSL version..."
     get_libssl_version
@@ -73,47 +73,55 @@ ls -la /checode/
 export MACHINE_EXEC_PORT=3333
 nohup /checode/bin/machine-exec --url "127.0.0.1:${MACHINE_EXEC_PORT}" &
 
-# Start the checode component based on musl or libc
-
-# detect if we're using alpine/musl
-libc=$(ldd /bin/ls | grep 'musl' | head -1 | cut -d ' ' -f1)
-if [ -n "$libc" ]; then
-  echo "[INFO] Using linux-musl assembly..."
-  export LD_LIBRARY_PATH="/checode/checode-linux-musl/ld_libs:${LD_LIBRARY_PATH:-}"
-  echo "[INFO] LD_LIBRARY_PATH is: $LD_LIBRARY_PATH"
-  cd /checode/checode-linux-musl || exit
-else
+runtime_ld_library_path=""
 
+# detect if we're using alpine/musl (avoid grep dependency for micro images)
+ldd_output=$(ldd /bin/ls 2>/dev/null || true)
+case "$ldd_output" in
+  *musl*)
+    echo "[INFO] Using linux-musl assembly..."
+    runtime_ld_library_path="/checode/checode-linux-musl/ld_libs"
+    cd /checode/checode-linux-musl || exit
+    ;;
+  *)
+  
   get_openssl_version
   echo "[INFO] OpenSSL major version is: $openssl_version."
 
   case "${openssl_version}" in
   *"1"*)
-    export LD_LIBRARY_PATH="/checode/checode-linux-libc/ubi8/ld_libs:${LD_LIBRARY_PATH:-}"
-    echo "[INFO] LD_LIBRARY_PATH is: $LD_LIBRARY_PATH"
     echo "[INFO] Using linux-libc ubi8-based assembly..."
+    runtime_ld_library_path="/checode/checode-linux-libc/ubi8/ld_libs"
     cd /checode/checode-linux-libc/ubi8 || exit
     ;;
   *"3"*)
-    export LD_LIBRARY_PATH="/checode/checode-linux-libc/ubi9/ld_libs:${LD_LIBRARY_PATH:-}"
-    echo "[INFO] LD_LIBRARY_PATH is: $LD_LIBRARY_PATH"
     echo "[INFO] Using linux-libc ubi9-based assembly..."
+    runtime_ld_library_path="/checode/checode-linux-libc/ubi9/ld_libs/core"
+    if [ -d "/checode/checode-linux-libc/ubi9/ld_libs/openssl" ]; then
+      runtime_ld_library_path="/checode/checode-linux-libc/ubi9/ld_libs/openssl:${runtime_ld_library_path}"
+    fi
     cd /checode/checode-linux-libc/ubi9 || exit
     ;;
   *)
     echo "[WARNING] Unsupported OpenSSL major version, linux-libc ubi9-based assembly will be used by default..."
-    export LD_LIBRARY_PATH="/checode/checode-linux-libc/ubi9/ld_libs:${LD_LIBRARY_PATH:-}"
-    echo "[INFO] LD_LIBRARY_PATH is: $LD_LIBRARY_PATH"
+    runtime_ld_library_path="/checode/checode-linux-libc/ubi9/ld_libs/core"
+    if [ -d "/checode/checode-linux-libc/ubi9/ld_libs/openssl" ]; then
+      runtime_ld_library_path="/checode/checode-linux-libc/ubi9/ld_libs/openssl:${runtime_ld_library_path}"
+    fi
     cd /checode/checode-linux-libc/ubi9 || exit
     ;;
   esac
+  ;;
+esac
+
+if [ -n "$runtime_ld_library_path" ]; then
+  export LD_LIBRARY_PATH="${runtime_ld_library_path}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+  echo "[INFO] LD_LIBRARY_PATH is: $LD_LIBRARY_PATH"
 fi
 
 # Set the default path to the serverDataFolderName
 # into a persistent volume
 export VSCODE_AGENT_FOLDER=/checode/remote
-# Prevent bundled runtime LD_LIBRARY_PATH from leaking into integrated terminal shell env.
-export CHECODE_STRIP_LD_LIBRARY_PATH_FOR_SHELL_ENV=1
 
 if [ -z "$VSCODE_NODEJS_RUNTIME_DIR" ]; then
   export VSCODE_NODEJS_RUNTIME_DIR="$(pwd)"
diff --git a/build/scripts/helper/check-runtime-libs.sh b/build/scripts/helper/check-runtime-libs.sh
@@ -30,8 +30,9 @@ TMP_HAVE="$(mktemp)"
 TMP_MISS="$(mktemp)"
 trap 'rm -f "$TMP_NEEDS" "$TMP_HAVE" "$TMP_MISS"' EXIT
 
-# Collect what we have in ld_libs (basename only).
-find "${LIBS_DIR}" -maxdepth 1 -type f -name '*.so*' -exec basename {} \; | sort -u > "${TMP_HAVE}"
+# Collect what we have in ld_libs (basename only), including nested dirs
+# like ld_libs/core and ld_libs/openssl.
+find "${LIBS_DIR}" -type f -name '*.so*' -exec basename {} \; | sort -u > "${TMP_HAVE}"
 
 scan_needed() {
   f="$1"
diff --git a/code/src/vs/platform/che/utils.ts b/code/src/vs/platform/che/utils.ts
@@ -0,0 +1,63 @@
+/**********************************************************************
+ * Copyright (c) 2026 Red Hat, Inc.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ ***********************************************************************/
+/* eslint-disable header/header */
+
+/*
+ * This file was generated using AI assistance (Cursor AI)
+ * and reviewed by the maintainers.
+ */
+
+export type LdSanitizeMode = 'all' | 'openssl' | 'none';
+
+const allLdLibPrefixes = new Set<string>([
+	'/checode/checode-linux-musl/ld_libs',
+	'/checode/checode-linux-libc/ubi8/ld_libs',
+	'/checode/checode-linux-libc/ubi9/ld_libs/core',
+	'/checode/checode-linux-libc/ubi9/ld_libs/openssl'
+]);
+
+const openSSLOnlyPrefixes = new Set<string>([
+	'/checode/checode-linux-libc/ubi9/ld_libs/openssl'
+]);
+
+export function getLdSanitizeMode(): LdSanitizeMode {
+	const mode = process.env['LD_SANITIZE_MODE'];
+	if (mode === 'all' || mode === 'openssl' || mode === 'none') {
+		return mode;
+	}
+	return 'all';
+}
+
+export function shouldStripLdLibraryPath(): boolean {
+	return getLdSanitizeMode() !== 'none';
+}
+
+export function stripLdLibraryPath(value: string | undefined, mode = getLdSanitizeMode()): string | undefined {
+	if (!value) {
+		return undefined;
+	}
+
+	const blockedPrefixes = mode === 'openssl' ? openSSLOnlyPrefixes : allLdLibPrefixes;
+	const filtered = value
+		.split(':')
+		.map(entry => entry.trim())
+		.filter(entry => entry.length > 0 && !blockedPrefixes.has(entry));
+
+	return filtered.length > 0 ? filtered.join(':') : undefined;
+}
+
+export function sanitizeLdLibraryPathInEnvironment(environment: NodeJS.ProcessEnv, mode = getLdSanitizeMode()): void {
+	const sanitizedLdLibraryPath = stripLdLibraryPath(environment['LD_LIBRARY_PATH'], mode);
+	if (sanitizedLdLibraryPath) {
+		environment['LD_LIBRARY_PATH'] = sanitizedLdLibraryPath;
+	} else {
+		delete environment['LD_LIBRARY_PATH'];
+	}
+}
diff --git a/code/src/vs/platform/shell/node/shellEnv.ts b/code/src/vs/platform/shell/node/shellEnv.ts
@@ -18,26 +18,9 @@ import { ILogService } from '../../log/common/log.js';
 import { Promises } from '../../../base/common/async.js';
 import { IConfigurationService } from '../../configuration/common/configuration.js';
 import { clamp } from '../../../base/common/numbers.js';
+import { sanitizeLdLibraryPathInEnvironment, shouldStripLdLibraryPath } from '../../che/utils.js';
 
 let unixShellEnvPromise: Promise<typeof process.env> | undefined = undefined;
-const cheCodeLdLibPrefixes = new Set<string>([
-	'/checode/checode-linux-libc/ubi8/ld_libs',
-	'/checode/checode-linux-libc/ubi9/ld_libs',
-	'/checode/checode-linux-musl/ld_libs'
-]);
-
-function stripCheCodeLdLibraryPath(value: string | undefined): string | undefined {
-	if (!value) {
-		return undefined;
-	}
-
-	const filtered = value
-		.split(':')
-		.map(entry => entry.trim())
-		.filter(entry => entry.length > 0 && !cheCodeLdLibPrefixes.has(entry));
-
-	return filtered.length > 0 ? filtered.join(':') : undefined;
-}
 
 /**
  * Resolves the shell environment by spawning a shell. This call will cache
@@ -123,7 +106,6 @@ async function doResolveUnixShellEnv(logService: ILogService, token: Cancellatio
 
 	const noAttach = process.env['ELECTRON_NO_ATTACH_CONSOLE'];
 	logService.trace('getUnixShellEnvironment#noAttach', noAttach);
-	const stripLdLibraryPath = process.env['CHECODE_STRIP_LD_LIBRARY_PATH_FOR_SHELL_ENV'] === '1';
 
 	const mark = generateUuid().replace(/-/g, '').substr(0, 12);
 	const regex = new RegExp(mark + '({.*})' + mark);
@@ -226,18 +208,9 @@ async function doResolveUnixShellEnv(logService: ILogService, token: Cancellatio
 				}
 
 				delete env['VSCODE_RESOLVING_ENVIRONMENT'];
-				logService.info('++++++ getUnixShellEnvironment', env['LD_LIBRARY_PATH'], 'stripEnabled=', stripLdLibraryPath);
-				if (stripLdLibraryPath) {
-					const sanitizedLdLibraryPath = stripCheCodeLdLibraryPath(env['LD_LIBRARY_PATH']);
-					if (sanitizedLdLibraryPath) {
-						env['LD_LIBRARY_PATH'] = sanitizedLdLibraryPath;
-						logService.info('++++++ SANITIZE');
-					} else {
-						logService.info('++++++ DELETE');
-						delete env['LD_LIBRARY_PATH'];
-					}
+				if (shouldStripLdLibraryPath()) {
+					sanitizeLdLibraryPathInEnvironment(env);
 				}
-				logService.info('++++++ AFTER', env['LD_LIBRARY_PATH']);
 
 				// https://github.com/microsoft/vscode/issues/22593#issuecomment-336050758
 				delete env['XDG_RUNTIME_DIR'];
diff --git a/code/src/vs/server/node/che/utils.ts b/code/src/vs/server/node/che/utils.ts
@@ -1,5 +1,5 @@
 /**********************************************************************
- * Copyright (c) 2024 Red Hat, Inc.
+ * Copyright (c) 2024-2026 Red Hat, Inc.
  *
  * This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0
@@ -9,6 +9,7 @@
  ***********************************************************************/
 /* eslint-disable header/header */
 
+import { IProcessEnvironment } from '../../../base/common/platform.js';
 import { delimiter } from '../../../base/common/path.js';
 
 /**
@@ -36,3 +37,53 @@ export function getResolvedPathEnvVar(currentPath: string, processEnvPath?: stri
     }
     return currentPath;
 }
+
+/*
+ * The following logic was generated using AI assistance (Cursor AI)
+ * and reviewed by the maintainers.
+ */
+
+export type LdSanitizeMode = 'all' | 'openssl' | 'none';
+
+const allLdLibPrefixes = new Set<string>([
+    '/checode/checode-linux-musl/ld_libs',
+    '/checode/checode-linux-libc/ubi8/ld_libs',
+    '/checode/checode-linux-libc/ubi9/ld_libs/core',
+    '/checode/checode-linux-libc/ubi9/ld_libs/openssl'
+]);
+
+const openSSLOnlyPrefixes = new Set<string>([
+    '/checode/checode-linux-libc/ubi9/ld_libs/openssl'
+]);
+
+export function getLdSanitizeMode(): LdSanitizeMode {
+    const mode = process.env['LD_SANITIZE_MODE'];
+    if (mode === 'all' || mode === 'openssl' || mode === 'none') {
+        return mode;
+    }
+    return 'all';
+}
+
+export function shouldStripLdLibraryPath(): boolean {
+    return getLdSanitizeMode() !== 'none';
+}
+
+export function stripLdLibraryPath(environment: IProcessEnvironment, mode = getLdSanitizeMode()): void {
+    const current = environment['LD_LIBRARY_PATH'];
+    if (!current) {
+        return;
+    }
+
+    const blockedPrefixes = mode === 'openssl' ? openSSLOnlyPrefixes : allLdLibPrefixes;
+    const filtered = current
+        .split(':')
+        .map(entry => entry.trim())
+        .filter(entry => !!entry && !blockedPrefixes.has(entry))
+        .join(':');
+
+    if (filtered) {
+        environment['LD_LIBRARY_PATH'] = filtered;
+    } else {
+        delete environment['LD_LIBRARY_PATH'];
+    }
+}
diff --git a/code/src/vs/server/node/remoteTerminalChannel.ts b/code/src/vs/server/node/remoteTerminalChannel.ts
