More changes to support VS Code (local) to Devworkspace over SSH.

- Custom image based on UDI that contains the non-root SSH daemon, basic
  web server to show webpage on startup to guide the user
- che-code-sshd.yaml file as entrypoint to configure the custom image

Signed-off-by: Roland Grunberg <[email protected]>

Author: rgrunber

.github/workflows/pr-check-build-che-code-image.yaml

@@ -13,7 +13,7 @@
 name: Pull Request Check
 
 # Trigger the workflow on pull request
-on: [pull_request]
+on: [workflow_dispatch]
 
 jobs:
   # build:
@@ -124,32 +124,17 @@ jobs:
 
       - name: Build Che-Code Docker image
         run: |
-          PR_NUMBER="${{ github.event.number }}"
-          echo "Pull request $PR_NUMBER"
-          
-          DEV_IMAGE_NAME="quay.io/che-incubator-pull-requests/che-code-dev:pr-$PR_NUMBER-dev-amd64"
+          DEV_IMAGE_NAME="quay.io/rgrunber/che-code-sshd:latest"
           echo "Dev image $DEV_IMAGE_NAME"
           echo "_DEV_IMAGE_NAME=${DEV_IMAGE_NAME}" >> $GITHUB_ENV
           
           docker buildx build \
             --platform linux/amd64 \
             --progress=plain \
             --push \
-            -f build/dockerfiles/dev.ssh.Dockerfile \
+            -f build/dockerfiles/dev.sshd.Dockerfile \
             -t ${DEV_IMAGE_NAME} .
 
       - name: Display docker images
         run: |
           docker images
-
-      - name: 'Comment PR'
-        uses: actions/github-script@v6
-        with:
-         script: |
-           const { repo: { owner, repo } } = context;
-           await github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: `Pull Request Dev image published:\n👉 [${process.env._DEV_IMAGE_NAME}](https://${process.env._DEV_IMAGE_NAME})`
-            })

build/dockerfiles/dev.ssh.Dockerfile

@@ -0,0 +1,63 @@
+# Copyright (c) 2025 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+FROM quay.io/devfile/universal-developer-image:latest
+
+USER 0
+
+RUN dnf -y install libsecret openssh-server && \
+    dnf -y clean all --enablerepo='*'
+
+# Step 1. Generate SSH Host keys
+RUN mkdir /opt/ssh
+RUN chmod 755 /opt/ssh
+RUN chown -R root:root /opt/ssh/
+
+RUN ssh-keygen -q -N "" -t dsa -f /opt/ssh/ssh_host_dsa_key && \
+    ssh-keygen -q -N "" -t rsa -b 4096 -f /opt/ssh/ssh_host_rsa_key && \
+    ssh-keygen -q -N "" -t ecdsa -f /opt/ssh/ssh_host_ecdsa_key && \
+    ssh-keygen -q -N "" -t ed25519 -f /opt/ssh/ssh_host_ed25519_key
+
+# Step 2. Configure SSH as non-root user
+RUN cp /etc/ssh/sshd_config /opt/ssh/
+
+# Step 3. Fix permissions
+RUN chmod 644 /opt/ssh/ssh_host_* /opt/ssh/sshd_config
+
+# Use non-privileged port, set user authorized keys, disable strict checks
+RUN sed -i \
+-e 's|#Port 22|Port 2022|' \
+-e 's|AuthorizedKeysFile	.ssh/authorized_keys|AuthorizedKeysFile /home/user/ssh/authorized_keys|' \
+-e 's|#StrictModes yes|StrictModes=no|' \
+-e 's|#PidFile /var/run/sshd.pid|PidFile /tmp/sshd.pid|' \
+-e 's|#LogLevel INFO|LogLevel DEBUG3|' \
+  /opt/ssh/sshd_config
+
+# Provide new path containing host keys
+RUN sed -i \
+-e 's|#HostKey /etc/ssh/ssh_host_rsa_key|HostKey /opt/ssh/ssh_host_rsa_key|' \
+-e 's|#HostKey /etc/ssh/ssh_host_ecdsa_key|HostKey /opt/ssh/ssh_host_ecdsa_key|' \
+-e 's|#HostKey /etc/ssh/ssh_host_ed25519_key|HostKey /opt/ssh/ssh_host_ed25519_key|' \
+  /opt/ssh/sshd_config
+
+# Prepare SSH Keys
+RUN mkdir -p /home/user/ssh
+RUN ssh-keygen -q -N "" -t ed25519 -f /opt/ssh/ssh_client_ed25519_key
+RUN chmod 644 /opt/ssh/ssh_client_*
+
+# Add script to start and stop the service
+COPY --chown=0:0 /build/scripts/sshd.start /
+
+RUN mkdir /opt/www
+COPY /build/scripts/server.js /opt/www/
+
+ENV USER_NAME=dev
+
+EXPOSE 2022 3400
+
+USER 10001

build/dockerfiles/dev.sshd.Dockerfile

@@ -0,0 +1,59 @@
+const http = require('http');
+const fs = require('fs');
+const hostname = '127.0.0.1';
+const port = 3400;
+
+const server = http.createServer((req, res) => {
+    // Set the response header
+    res.statusCode = 200;
+    res.setHeader('Content-Type', 'text/html'); // Specify HTML content
+
+    let keyContent = "PRIVATE KEY NOT FOUND";
+    try {
+      keyContent = fs.readFileSync('/opt/ssh/ssh_client_ed25519_key', 'utf8');
+    } catch (err) {
+     // continue
+    }
+    // Send the HTML content
+    res.end(`
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>${process.env["DEVWORKSPACE_NAME"]}</title>
+  </head>
+  <body>
+    <h1>Workspace ${process.env["DEVWORKSPACE_NAME"]} is running</h1>
+    <div class="border">
+      <ol>
+        <li>Make sure your local oc client is logged in to your OpenShift cluster</li>
+        <li><p class="center">Run <code>oc port-forward ${process.env["HOSTNAME"]} 2022:2022</code></p></li>
+        <li>
+        <p>In VS Code, connect to <code>localhost</code> on port <code>2022</code> with user <code>${process.env["USER_NAME"]}</code> and the following identity file :</p>
+        <p>
+        <pre>
+${keyContent}
+        </pre>
+        </p>
+        <p>
+        This can also be configured locally in <code>$HOME/.ssh/config</code> with the following :
+        </p>
+        <p>
+        <pre>
+Host localhost
+  HostName 127.0.0.1
+  User dev
+  Port 2022
+  IdentityFile /path/to/the/ssh_client_ed25519_key
+        </pre>
+        </p>
+        </li>
+      </ol>
+    </div>
+  </body>
+</html>
+    `);
+});
+
+server.listen(port, hostname, () => {
+    console.log(`Server running at http://${hostname}:${port}/`);
+});

build/scripts/server.js

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+rm -rf /home/user/ssh
+mkdir -p /home/user/ssh
+cp /opt/ssh/ssh_client_ed25519_key.pub /home/user/ssh/authorized_keys
+
+# start
+/usr/sbin/sshd -D -f /opt/ssh/sshd_config -E /tmp/sshd.log

build/scripts/sshd.start

@@ -0,0 +1,59 @@
+#
+# Copyright (c) 2025 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+schemaVersion: 2.3.0
+metadata:
+  name: che-code-sshd
+  displayName: Visual Studio Code (desktop) (SSH)
+  description: Visual Studio Code server for Eclipse Che over SSH - latest
+  tags:
+    - ssh
+    - CLI
+    - vscode
+  attributes:
+    arch:
+      - x86_64
+      - arm64
+      - s390x
+      - ppc64le
+    publisher: che-incubator
+    version: latest
+    provider: Provided by [Microsoft](https://www.microsoft.com/) under [License](https://code.visualstudio.com/License)
+    title: Visual Studio Code server for Eclipse Che over SSH - latest
+    repository: https://github.com/rgrunber/che-code
+    firstPublicationDate: '2025-08-01'
+
+components:
+  - name: che-code-sshd
+    container:
+      image: quay.io/rgrunber/che-code-sshd:latest
+      memoryLimit: 1024Mi
+      memoryRequest: 256Mi
+      cpuLimit: 500m
+      cpuRequest: 30m
+      command:
+        - sh
+        - -c
+        - "nohup /entrypoint.sh & nohup /sshd.start & nohup node /opt/www/server.js & tail -f /dev/null"
+      endpoints:
+        - name: che-code-sshd
+          attributes:
+            type: main
+            discoverable: false
+            urlRewriteSupported: true
+          targetPort: 3400
+          exposure: public
+          secure: true
+          protocol: https
+    attributes:
+      app.kubernetes.io/component: che-code-sshd
+      app.kubernetes.io/part-of: che-code-server.eclipse.org

build/sshd.connect

@@ -10,7 +10,6 @@
 schemaVersion: 2.2.2
 metadata:
   name: che-code
-
 components:
 
   - name: dev