implement preserving env from host into vm in shell command

Signed-off-by: olalekan odukoya <odukoyaonline@gmail.com>

Author: olamilekan000

cmd/limactl/shell.go

@@ -19,6 +19,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/lima-vm/lima/v2/pkg/envutil"
 	"github.com/lima-vm/lima/v2/pkg/instance"
 	"github.com/lima-vm/lima/v2/pkg/ioutilx"
 	"github.com/lima-vm/lima/v2/pkg/limayaml"
@@ -54,6 +55,7 @@ func newShellCommand() *cobra.Command {
 	shellCmd.Flags().String("shell", "", "Shell interpreter, e.g. /bin/bash")
 	shellCmd.Flags().String("workdir", "", "Working directory")
 	shellCmd.Flags().Bool("reconnect", false, "Reconnect to the SSH session")
+	shellCmd.Flags().Bool("preserve-env", false, "Propagate environment variables to the shell")
 	return shellCmd
 }
 
@@ -178,7 +180,25 @@ func shellAction(cmd *cobra.Command, args []string) error {
 	} else {
 		shell = shellescape.Quote(shell)
 	}
-	script := fmt.Sprintf("%s ; exec %s --login", changeDirCmd, shell)
+	// Handle environment variable propagation
+	var envPrefix string
+	withEnv, err := cmd.Flags().GetBool("preserve-env")
+	if err != nil {
+		return err
+	}
+	if withEnv {
+		config := envutil.GetFilterConfig()
+		filteredEnv := envutil.FilterEnvironment(config)
+		if len(filteredEnv) > 0 {
+			envVars := make([]string, len(filteredEnv))
+			for i, envVar := range filteredEnv {
+				envVars[i] = shellescape.Quote(envVar)
+			}
+			envPrefix = "env " + strings.Join(envVars, " ") + " "
+		}
+	}
+
+	script := fmt.Sprintf("%s ; exec %s%s --login", changeDirCmd, envPrefix, shell)
 	if len(args) > 1 {
 		quotedArgs := make([]string, len(args[1:]))
 		parsingEnv := true

cmd/nerdctl.lima

@@ -1,3 +1,3 @@
 #!/bin/sh
 set -eu
-exec lima nerdctl "$@"
+exec limactl shell --preserve-env default nerdctl "$@"

pkg/envutil/envutil.go

@@ -0,0 +1,138 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package envutil
+
+import (
+	"os"
+	"strings"
+)
+
+// BuiltinBlocklist contains environment variables that should not be propagated by default.
+var BuiltinBlocklist = []string{
+	"TMPDIR",
+	"PATH",
+	"HOME",
+	"USER",
+	"LOGNAME",
+	"SHELL",
+	"PWD",
+	"OLDPWD",
+	"TERM",
+	"TERMINFO",
+	"SSH_*",
+	"DISPLAY",
+	"XAUTHORITY",
+	"XDG_*",
+	"_*", // Variables starting with underscore are typically internal
+}
+
+type FilterConfig struct {
+	BlockList           []string
+	AllowList           []string
+	UseBuiltinBlocklist bool
+}
+
+func GetFilterConfig() *FilterConfig {
+	config := &FilterConfig{
+		UseBuiltinBlocklist: true,
+	}
+
+	if blockEnv := os.Getenv("LIMA_SHELLENV_BLOCK"); blockEnv != "" {
+		if strings.HasPrefix(blockEnv, "+") {
+			additionalBlocks := parseEnvList(blockEnv[1:])
+			config.BlockList = make([]string, len(BuiltinBlocklist)+len(additionalBlocks))
+			copy(config.BlockList, BuiltinBlocklist)
+			copy(config.BlockList[len(BuiltinBlocklist):], additionalBlocks)
+		} else {
+			config.BlockList = parseEnvList(blockEnv)
+			config.UseBuiltinBlocklist = false
+		}
+	} else {
+		config.BlockList = BuiltinBlocklist
+	}
+
+	if allowEnv := os.Getenv("LIMA_SHELLENV_ALLOW"); allowEnv != "" {
+		config.AllowList = parseEnvList(allowEnv)
+	}
+
+	return config
+}
+
+func parseEnvList(envList string) []string {
+	if envList == "" {
+		return nil
+	}
+
+	parts := strings.Split(envList, ",")
+	result := make([]string, 0, len(parts))
+	for _, part := range parts {
+		if trimmed := strings.TrimSpace(part); trimmed != "" {
+			result = append(result, trimmed)
+		}
+	}
+
+	if len(result) == 0 {
+		return nil
+	}
+
+	return result
+}
+
+func matchesPattern(name, pattern string) bool {
+	if pattern == name {
+		return true
+	}
+
+	if strings.HasSuffix(pattern, "*") {
+		prefix := pattern[:len(pattern)-1]
+		return strings.HasPrefix(name, prefix)
+	}
+
+	return false
+}
+
+func isBlocked(name string, patterns []string) bool {
+	for _, pattern := range patterns {
+		if matchesPattern(name, pattern) {
+			return true
+		}
+	}
+	return false
+}
+
+func FilterEnvironment(config *FilterConfig) []string {
+	env := os.Environ()
+	var filtered []string
+
+	for _, envVar := range env {
+		parts := strings.SplitN(envVar, "=", 2)
+		if len(parts) != 2 {
+			continue
+		}
+
+		name := parts[0]
+
+		if len(config.AllowList) > 0 {
+			if !isBlocked(name, config.AllowList) {
+				continue
+			}
+			filtered = append(filtered, envVar)
+			continue
+		}
+
+		if isBlocked(name, config.BlockList) {
+			continue
+		}
+
+		filtered = append(filtered, envVar)
+	}
+
+	return filtered
+}
+
+func GetBuiltinBlocklist() []string {
+	result := make([]string, len(BuiltinBlocklist))
+	copy(result, BuiltinBlocklist)
+	return result
+}

pkg/envutil/envutil_test.go

@@ -0,0 +1,204 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package envutil
+
+import (
+	"os"
+	"reflect"
+	"testing"
+)
+
+func TestMatchesPattern(t *testing.T) {
+	tests := []struct {
+		name     string
+		pattern  string
+		expected bool
+	}{
+		{"PATH", "PATH", true},
+		{"PATH", "HOME", false},
+		{"SSH_AUTH_SOCK", "SSH_*", true},
+		{"SSH_AGENT_PID", "SSH_*", true},
+		{"HOME", "SSH_*", false},
+		{"XDG_CONFIG_HOME", "XDG_*", true},
+		{"_LIMA_TEST", "_*", true},
+		{"LIMA_HOME", "_*", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name+"_matches_"+tt.pattern, func(t *testing.T) {
+			result := matchesPattern(tt.name, tt.pattern)
+			if result != tt.expected {
+				t.Errorf("matchesPattern(%q, %q) = %v, want %v", tt.name, tt.pattern, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestIsBlocked(t *testing.T) {
+	patterns := []string{"PATH", "SSH_*", "XDG_*"}
+
+	tests := []struct {
+		name     string
+		expected bool
+	}{
+		{"PATH", true},
+		{"HOME", false},
+		{"SSH_AUTH_SOCK", true},
+		{"XDG_CONFIG_HOME", true},
+		{"USER", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := isBlocked(tt.name, patterns)
+			if result != tt.expected {
+				t.Errorf("isBlocked(%q, %v) = %v, want %v", tt.name, patterns, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestParseEnvList(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected []string
+	}{
+		{"", nil},
+		{"PATH", []string{"PATH"}},
+		{"PATH,HOME", []string{"PATH", "HOME"}},
+		{"PATH, HOME , USER", []string{"PATH", "HOME", "USER"}},
+		{" , , ", nil},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.input, func(t *testing.T) {
+			result := parseEnvList(tt.input)
+			if !reflect.DeepEqual(result, tt.expected) {
+				t.Errorf("parseEnvList(%q) = %v, want %v", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestGetFilterConfig(t *testing.T) {
+	originalBlock := os.Getenv("LIMA_SHELLENV_BLOCK")
+	originalAllow := os.Getenv("LIMA_SHELLENV_ALLOW")
+	defer func() {
+		if originalBlock != "" {
+			t.Setenv("LIMA_SHELLENV_BLOCK", originalBlock)
+		}
+		if originalAllow != "" {
+			t.Setenv("LIMA_SHELLENV_ALLOW", originalAllow)
+		}
+	}()
+
+	t.Run("default config", func(t *testing.T) {
+		os.Unsetenv("LIMA_SHELLENV_BLOCK")
+		os.Unsetenv("LIMA_SHELLENV_ALLOW")
+
+		config := GetFilterConfig()
+		if !config.UseBuiltinBlocklist {
+			t.Error("Expected UseBuiltinBlocklist to be true")
+		}
+		if !reflect.DeepEqual(config.BlockList, BuiltinBlocklist) {
+			t.Error("Expected BlockList to equal BuiltinBlocklist")
+		}
+		if len(config.AllowList) != 0 {
+			t.Error("Expected AllowList to be empty")
+		}
+	})
+
+	t.Run("custom blocklist", func(t *testing.T) {
+		t.Setenv("LIMA_SHELLENV_BLOCK", "PATH,HOME")
+		os.Unsetenv("LIMA_SHELLENV_ALLOW")
+
+		config := GetFilterConfig()
+		if config.UseBuiltinBlocklist {
+			t.Error("Expected UseBuiltinBlocklist to be false")
+		}
+		expected := []string{"PATH", "HOME"}
+		if !reflect.DeepEqual(config.BlockList, expected) {
+			t.Errorf("Expected BlockList to be %v, got %v", expected, config.BlockList)
+		}
+	})
+
+	t.Run("additive blocklist", func(t *testing.T) {
+		t.Setenv("LIMA_SHELLENV_BLOCK", "+CUSTOM_VAR")
+		os.Unsetenv("LIMA_SHELLENV_ALLOW")
+
+		config := GetFilterConfig()
+		if !config.UseBuiltinBlocklist {
+			t.Error("Expected UseBuiltinBlocklist to be true")
+		}
+		expected := make([]string, len(BuiltinBlocklist)+1)
+		copy(expected, BuiltinBlocklist)
+		expected[len(BuiltinBlocklist)] = "CUSTOM_VAR"
+		if !reflect.DeepEqual(config.BlockList, expected) {
+			t.Errorf("Expected BlockList to include builtin + custom, got %v", config.BlockList)
+		}
+	})
+
+	t.Run("allowlist", func(t *testing.T) {
+		os.Unsetenv("LIMA_SHELLENV_BLOCK")
+		t.Setenv("LIMA_SHELLENV_ALLOW", "FOO,BAR")
+
+		config := GetFilterConfig()
+		expected := []string{"FOO", "BAR"}
+		if !reflect.DeepEqual(config.AllowList, expected) {
+			t.Errorf("Expected AllowList to be %v, got %v", expected, config.AllowList)
+		}
+	})
+}
+
+func TestFilterEnvironment(t *testing.T) {
+	testEnv := []string{
+		"PATH=/usr/bin",
+		"HOME=/home/user",
+		"USER=testuser",
+		"FOO=bar",
+		"SSH_AUTH_SOCK=/tmp/ssh",
+		"XDG_CONFIG_HOME=/config",
+	}
+
+	originalEnviron := os.Environ
+	defer func() {
+		_ = originalEnviron
+	}()
+
+	t.Run("default blocklist", func(_ *testing.T) {
+		config := &FilterConfig{
+			BlockList:           BuiltinBlocklist,
+			UseBuiltinBlocklist: true,
+		}
+
+		_ = config
+		_ = testEnv
+	})
+}
+
+func TestGetBuiltinBlocklist(t *testing.T) {
+	blocklist := GetBuiltinBlocklist()
+
+	if &blocklist[0] == &BuiltinBlocklist[0] {
+		t.Error("GetBuiltinBlocklist should return a copy, not the original slice")
+	}
+
+	if !reflect.DeepEqual(blocklist, BuiltinBlocklist) {
+		t.Error("GetBuiltinBlocklist should return the same content as BuiltinBlocklist")
+	}
+
+	expectedItems := []string{"PATH", "HOME", "SSH_*"}
+	for _, item := range expectedItems {
+		found := false
+		for _, blocked := range blocklist {
+			if blocked == item {
+				found = true
+				break
+			}
+		}
+		if !found {
+			t.Errorf("Expected builtin blocklist to contain %q", item)
+		}
+	}
+}