Self signed SSL Certificate support for DevContainers #6092
Hi @bamurtaugh, this feature is especially important for GitHub Enterprise customers with their own instances. Best,
Thanks @egnerfl! We'll be sure to provide an update if/when this is added to an iteration plan.
I hope it's soon!
Hi, this still seems to be a challenge, roughly a year later. Has this been added to an iteration plan?
I'd love to have an update!!!
This would be great, since the corporate MITM attack completely prevents the use of dev containers right now.
@bdsoha - so it sure seems like it would be worth somebody looking into this :(
Thank you all for your continued patience and interest in this issue, we really appreciate it. I've made a note for us to discuss this further during our next month's planning cycle, and you'll be able to see it on an iteration plan if we have a chance to prioritize it (this month's plan as an example).
@bamurtaugh - I'm at a 10k person company and frankly only a handful of people have implemented dev containers due to the annoyance of our self-signed certs...
@jeeftor I find myself in a very similar situation, at a company with 6k employees.
Same, 5k-10k employee company and this issue prevents good adoption of dev containers. @bamurtaugh, thank you for considering.
One additional point: I can make things work if I do a Dockerfile explicitly (I can copy our certificate into the container, etc.). I can then manually add "features" in the Dockerfile (i.e. "code explicitly"). But I cannot make things like the "features" section of devcontainer.json work, because that stuff is evaluated in a context where I have not fixed the cert issue. @bamurtaugh, so the whole features section does not work.
@dkwgit I published a feature that is supposed to transparently handle the CA installation into the container during startup.
Great feature idea @bdsoha. Hope we get to the point where that is doable!!
I've been hitting this issue as well. We use a data loss prevention tool that directs all HTTPS traffic through a set of servers that issue self-signed certs. I've written up instructions for our company on how to address the issue with lots of different tools, but the dev container of VS Code is problematic. The way we normally address node programs is to set the environment variable NODE_EXTRA_CA_CERTS to point to the location of the root self-signed cert. In fact, if I install the devcontainer CLI I can run it and have it generate configs for containers. It's like however VS Code is running node, it's ignoring that environment variable. Hope this information helps in troubleshooting. Oh, and I ran a bunch of different versions; looks like it started around .262.3. Version .255.4 behaves as I would expect.
@bamurtaugh Been thinking about this issue a lot. I'm new to dev containers, so there is a lot I don't yet understand and my thoughts may be "off" as a result. But what is impressing itself on me is: this is not so much about certificate support (that's the symptom here) as it is about a missing lifecycle hook in the devcontainer spec. There is no hook such as initializeCommand that targets the bootstrapping of the devcontainer system (as far as I can tell). If there were such a hook, users could do things like inject their certificates into node at that stage. They could also do other needed things. I realize that the faster (and helpful!) thing to do is provide a way to deal with the certificate issue (I'd welcome that). But long term, what would really make sense is to have a hook that allows customization at the right moment, imo.
@dkwgit Yeah, we ran into that after we build containers and try to install software. We've been copying the root cert into projects and using the Docker build process to copy the cert into the container when it's being built. But the current problem I have is what seems to be a regression in behavior between versions of the extension. I was pretty happy once I discovered I can run the CLI to generate the config, but it's not nearly as nice as using the VS Code UI.
How you add a certificate seems to vary by distro (reading https://technotes.shemyak.com/posts/docker-behind-ssl-proxy/). Features are added after any user-provided Dockerfile runs, so that Dockerfile should be able to add custom certificates. A feature should be able to add custom certificates too, but since there is no way for the feature to say it wants to run first among any other features, only features that happen to install afterwards benefit from it. If you have a CI environment without the proxy restriction: you could pre-build the Docker image in CI (
Unfortunately this isn't the case for more than a year. The features are downloaded outside of this Dockerfile after a change in the extension. It worked before. As far as certificates go, maybe just support importing the local trusted certificates into the bootstrap container. This way you don't need to support multiple Linux distributions.
There are multiple points where custom certificates are needed:
@chrmarti In my version of the dev container extension, v0.295.0, it does something to resolve features (and fails because of the certificate issue) before it even gets to my Dockerfile. I successfully add the cert in the Dockerfile, so that things inside the container work, but enabling the features section of my devcontainer.json with any feature immediately causes a failure before the Dockerfile is built. I can post logs if that would help.
Just released Dev Containers 0.339.0-pre-release which will check the env variable Let me know if that works for you. If it doesn't immediately work, please check that you have indeed set
@chrmarti I just saw that there are already libs in VS Code which handle the collection of certs from the local cert stores. Any reason you don't use that for dev containers as well? There's the @vscode/proxy-agent library, which uses the @vscode/windows-ca-certs lib on Windows to get the certs.
@OneCyrus I will look into using that. (It is not surfaced in the extension API.)
Dev Containers 0.340.0-pre-release now loads the same certificates as VS Code and passes these along to the Dev Containers CLI locally and in the bootstrap container when using
@chrmarti wow, awesome! That's a big step forward. First tests are really promising. I'll test it some more and try to revert all our workarounds to see if something is still missing. One thing that would be cool is if we could also consume this cert bundle in our own containers. Maybe a devcontainer option to mount this bundle? Or is there already a hidden way to get to this bundle?
Great, thanks!
You could probably pick it up from
Can confirm, this worked great in my corporate environment as well!
Today I also tested with devcontainer features and that worked as well 👍. The only issue I hit was with the node feature, which also invokes npm, which failed with a not-trusted self-signed certificate error. As far as I can tell npm doesn't use the node settings (would have been too easy ;)). There are a couple of ways to handle this though. Great that we have this now; it will simplify so many things here.
Any chance someone can share a link on how we elect to use "Dev Containers 0.340.0-pre-release"? My search-fu is failing me. Thanks.
Find the extension to install as you normally would, right-click on it in the list and select "use pre-release".
I see npm can be configured to use the system's CA file (assuming you have your CAs already added there): @NebraskaCoder I missed that in the bootstrap container; I will change that line to `RUN npm config set cafile /etc/ssl/certs/ca-certificates.crt && cd && npm i node-pty`. Thanks!
Dev Containers 0.342.0-pre-release is available with the latest fixes.
So, after updating to 0.342.0-pre-release, it still had the same error. I looked into my company's developer "getting started" guide and we block access to the public npm registry. I added
The following still seems to fail when in a corporate MITM certificate scenario. Could this be related to this issue? .devcontainer:

```json
{
  "name": "Dev Java",
  "image": "mcr.microsoft.com/devcontainers/java:1-21-bullseye",
  "features": {
    "ghcr.io/devcontainers/features/java:1": {
      "installMaven": "true"
    }
  }
}
```
@NebraskaCoder The NPM extension would be a good place for such a setting; unfortunately that request didn't get any traction when it was filed previously: microsoft/vscode#7430. We could use @lucaspottersky Have you configured your proxy for Docker? (https://docs.docker.com/network/proxy/)
Yup. Our company has us define a
@chrmarti Thanks for this fix. It works great. Can I request the same fix for InspectVolume as well? I tried the following to test it manually and it's working.
@NebraskaCoder @tusv Adding that, thanks.
The two mentioned changes are available in Dev Containers 0.356.0-pre-release.
For some reason, this is still not working for me. When I try to build my dev container using the "Rebuild and Reopen in Container" option, it seems to read my
I have my company's private CA certs loaded on the remote host OS, which is bringing up the dev container. It seems like VS Code creates a container from
@dal13002 Not sure where
@chrmarti Thank you so much! It seems like I was using a custom builder. I changed the builder back to default and everything works without a problem.
Hello, things are getting better for data loss prevention services that use self-signed certs. I am hitting one additional issue though when installing the terraform feature. I'm trying to do this using only the devcontainer.json file. I am using a WSL environment on Windows 10. Below is an example devcontainer.json file I'm using.
The issue is that the terraform feature is running curl commands which fail on certificate verification. I'm trying to see if there is a way to get the self-signed cert mounted and installed in the container so that curl can see it. It appears that the, Thanks,
@shaneholder You need to add the certificates before the features are built. You can do that by using a Dockerfile like, e.g., #6092 (comment). There is also documentation on using the devcontainer.json with a Dockerfile: https://containers.dev/guide/dockerfile . HTH!
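As an added example (not code from this thread, from the Dev Containers project, or from any commenter), the approach the last two replies converge on: a helper script that a Dockerfile referenced from devcontainer.json (`"build": { "dockerfile": "Dockerfile" }`) runs with `RUN` before any `features` are installed, so the CA is already in the system store when feature scripts call curl, and so that npm, which the earlier reply notes does not read Node's settings, gets its own `cafile` via `npm_config_cafile`. The script name, the `corp-root-ca.pem` path, the `COPY`/`RUN`/`ENV` lines in the header comment and the `/etc/profile.d/corp-ca.sh` target are all assumptions for this example.

```shell
#!/bin/sh
# install-corp-ca.sh (added example; a hypothetical helper, not part of the Dev Containers project)
#
# Intended use, from a Dockerfile that devcontainer.json points at via
# "build": { "dockerfile": "Dockerfile" }, which runs before any "features":
#   COPY corp-root-ca.pem /tmp/corp-root-ca.pem
#   COPY install-corp-ca.sh /tmp/install-corp-ca.sh
#   RUN sh /tmp/install-corp-ca.sh /tmp/corp-root-ca.pem
#   ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
# The COPY/RUN/ENV lines and file names above are assumptions for this example.
set -eu

# Count PEM certificate blocks in a file. Zero blocks usually means the CA was
# exported as DER (the default .cer format on Windows), which the system
# trust-store tooling silently skips.
count_pem_certs() {
  n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# A DER-encoded certificate starts with an ASN.1 SEQUENCE tag (0x30) followed by
# a long-form length byte (0x82 for the 256..65535-byte certificates seen in practice).
looks_like_der() {
  [ "$(head -c 2 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "3082" ]
}

# Environment lines for tools that do not consult the system trust store.
# npm honours npm_config_* variables, so npm_config_cafile covers every user in
# the container, unlike a per-user "npm config set cafile" run as root at build time.
render_env() {
  bundle="$1"
  printf 'export NODE_EXTRA_CA_CERTS=%s\n' "$bundle"
  printf 'export npm_config_cafile=%s\n' "$bundle"
  printf 'export SSL_CERT_FILE=%s\n' "$bundle"
  printf 'export REQUESTS_CA_BUNDLE=%s\n' "$bundle"
  printf 'export CURL_CA_BUNDLE=%s\n' "$bundle"
}

install_ca() {
  src="$1"
  if looks_like_der "$src"; then
    echo "$src looks DER-encoded; convert with: openssl x509 -inform der -in $src -out corp-root-ca.pem" >&2
    return 1
  fi
  if [ "$(count_pem_certs "$src")" -eq 0 ]; then
    echo "no PEM certificate found in $src" >&2
    return 1
  fi
  if command -v update-ca-certificates >/dev/null 2>&1; then
    # Debian, Ubuntu, Alpine: .crt files here are merged into the system bundle
    install -m 0644 "$src" /usr/local/share/ca-certificates/corp-root-ca.crt
    update-ca-certificates
    bundle=/etc/ssl/certs/ca-certificates.crt
  elif command -v update-ca-trust >/dev/null 2>&1; then
    # RHEL, Fedora, Amazon Linux
    install -m 0644 "$src" /etc/pki/ca-trust/source/anchors/corp-root-ca.pem
    update-ca-trust
    bundle=/etc/pki/tls/certs/ca-bundle.crt
  else
    echo "no known CA store tooling on this image" >&2
    return 1
  fi
  # Login shells (VS Code terminals on most images) source profile.d; non-login
  # processes need the same values via ENV in the Dockerfile or containerEnv.
  render_env "$bundle" > /etc/profile.d/corp-ca.sh
}

# Only act when invoked with a certificate path; sourcing the file just defines
# the functions.
if [ -n "${1:-}" ]; then
  install_ca "$1"
fi
```

Because the Dockerfile layer runs before the features are resolved into the image, a feature such as terraform that downloads with curl finds the CA in the system bundle; the `render_env` output only matters for tools that keep their own trust configuration, which is why the node feature's npm call needed separate handling in the thread above.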
@chrmarti thanks for that. It's what I ended up doing yesterday. Turns out you can do it with a very minimal Dockerfile and compose.yml file and continue to use the features in devcontainer.json. That last part was an unexpected bonus!
I'm working behind a corporate network that uses SSL inspection and I have thus far been unable to use Dev Containers due to SSL issues at work. I'd love the ability to have a trusted cert be inserted into the dev containers somehow.
Thanks