
Cannot clone dev environment from behind company firewall

Open rmorasse415 opened this issue 4 years ago • 3 comments

Description

When accessing a server from behind a corporate firewall using HTTPS, often self-signed certificates are used. Docker Desktop does not appear to be using the Windows certificate stores and doesn't seem to have a way to add a trusted certificate.

When trying to clone you get this error:

Preparing to clone inside a volume
Installing credential helpers... done
Cloning into '/code'...
fatal: unable to access 'https://<git-url>.git': SSL certificate problem: self signed certificate in certificate chain

Steps to reproduce the issue:

  1. Try to clone from a git repository over HTTPS when behind a firewall using a self-signed certificate such as a corporate firewall.

Describe the results you received: SSL certificate problem: self signed certificate in certificate chain

Describe the results you expected: Project clones correctly

Output of docker version:

Client:
 Cloud integration: 1.0.17
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.16.4
 Git commit:        f0df350
 Built:             Wed Jun  2 12:00:56 2021
 OS/Arch:           windows/amd64
 Context:           desktop-linux
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:54:58 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.6
  GitCommit:        d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version:          1.0.0-rc95
  GitCommit:        b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker context show: You can also run docker context inspect context-name to give us more details but don't forget to remove sensitive content.

desktop-linux

Output of docker info:

Client:
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  compose: Docker Compose (Docker Inc., 2.0.0-beta.4)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 10
  Running: 3
  Paused: 0
  Stopped: 7
 Images: 35
 Server Version: 20.10.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc version: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.128-microsoft-standard
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 24.91GiB
 Name: docker-desktop
 ID: ZKC6:CTO7:OUMC:UKQH:VSSO:KQGB:NK2J:EMSS:36JX:34G2:ND66:QISM
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 59
  Goroutines: 61
  System Time: 2021-06-30T20:25:12.8911353Z
  EventsListeners: 4
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

rmorasse415 · Jun 30 '21 20:06

Same issue. Is there a way to provide CA certs to the Dev Environment docker images?

I encountered the same issue with VSCode's implementation of remote containers also, however there is a (hacky) option to modify the Dockerfile that VSCode uses to bootstrap and clone the repo into a Volume, which then will build whatever image you specify from the .devcontainer in the repo itself. The problem with that approach is that the bootstrap Dockerfile lives in the extension directory and whenever a new version of the Remote-Containers extension is released the manual changes are reverted. I currently modify the bootstrap to:

FROM alpine:3.13.2

# certs/ must exist in the build context (a README placeholder is enough) or COPY fails.
COPY certs /certs/

# Append the corporate CAs before apk so git/HTTPS access doesn't fail, and again
# after, because installing packages regenerates ca-certificates.crt. The -f guard skips
# the literal "/certs/*.pem" that sh leaves when nothing matches, so an empty dir is fine.
RUN for filename in /certs/*.pem; do \
        [ -f "$filename" ] || continue; \
        cat "$filename" >> /etc/ssl/certs/ca-certificates.crt; \
    done && \
    apk add --no-cache \
        nodejs \
        git \
        openssh-client \
        docker-cli \
        docker-compose && \
    for filename in /certs/*.pem; do \
        [ -f "$filename" ] || continue; \
        cat "$filename" >> /etc/ssl/certs/ca-certificates.crt; \
    done

but the COPY fails if the certs don't exist in the build context; I solved it by putting a README into the dir so it has something to copy even if certs aren't added. You also have to run the for loop before and after apk so git doesn't fail on SSL, as installing with apk resets the certs (argh!).

There are two opportunities to solve here on Docker's side.

  1. Provide a mechanism for making CA certs available to Dev Environment bootstrap images. This can be achieved using my current solve, but might be better achieved by having an option in the Settings UI to select CA certs/path, attach a volume containing the certs to the alpine image, and then running update-ca-certificates. Clean.

  2. Provide a way to specify an existing Container as the Dev Environment image, or to build one from within the repo itself. This is almost a duplication of what VSCode is already doing with .devcontainers, but straight from the horse's mouth. Select a pre-built image with Git and Node/R/Python or whatever installed and dev away. Even better, store the dev container in the repo, so all you need to do is specify the repo URL and build time later you are in the same environment.

w0otness · Jul 21 '21 01:07
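A hardened version of the workaround above, as an added example (not code from the issue, from Docker or from VSCode): it survives an empty certs directory (an unmatched glob in sh stays a literal string, which makes the bare `cat` fail the build), skips files that are not PEM certificates such as a README placeholder, stays idempotent when run again after apk regenerates the bundle, and also stages the certificates where update-ca-certificates expects them so later regenerations keep the CA. The paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example: install corporate CA certificates for git inside an Alpine
# based bootstrap image. Not code from the issue; paths are assumptions.
#
# Two stores are fed on purpose:
#  * the flat bundle that git/curl read immediately, filled BEFORE apk so
#    HTTPS access works, and again AFTER apk, because the package install
#    regenerates that file (the behaviour described in the thread);
#  * /usr/local/share/ca-certificates, which update-ca-certificates (package
#    ca-certificates) merges permanently, so later regenerations keep the CA.

is_pem_cert() {
    # Only files carrying PEM certificate markers are trust anchors; a README
    # placeholder dropped in to keep COPY happy is skipped.
    grep -q 'BEGIN CERTIFICATE-----' "$1" && grep -q 'END CERTIFICATE-----' "$1"
}

install_corp_cas() {
    cert_dir=$1
    bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
    store=${3:-/usr/local/share/ca-certificates}
    n=0
    # Missing directory: nothing to do, but the build must not fail.
    [ -d "$cert_dir" ] || { echo 0; return 0; }
    mkdir -p "$store"
    for f in "$cert_dir"/*.pem; do
        [ -f "$f" ] || continue          # unmatched glob stays literal in sh
        is_pem_cert "$f" || { echo "skipping $f: not a PEM certificate" >&2; continue; }
        # Idempotence: the first base64 line of a certificate is unique enough
        # to tell whether this exact file was already appended to the bundle.
        if ! grep -qxF -- "$(sed -n '2p' "$f")" "$bundle" 2>/dev/null; then
            cat "$f" >> "$bundle"
        fi
        # update-ca-certificates only picks up *.crt files from the store.
        cp "$f" "$store/$(basename "${f%.pem}").crt"
        n=$((n + 1))
    done
    echo "$n"   # number of certificates installed
}

refresh_system_store() {
    # Run after `apk add ca-certificates`: merges the staged *.crt files into
    # the regenerated bundle. A no-op (exit 0) where the tool is absent.
    if command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    fi
}

# Typical use in the bootstrap Dockerfile (one RUN chained with &&):
#   install_corp_cas /certs && apk add --no-cache ca-certificates git && \
#   refresh_system_store
```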

I have the same problem. @w0otness, could you provide the path (even if the last digits could change, since a new folder is created every time we update)?

If the creation of the env. could take the existing git configuration, or give us a way to specify one, we could specify the certs or even set https verify to false, which would resolve this problem (just like the creation of the dev environment takes the ssh keys added in the agent).

EDIT: Ok, I found a workaround with an ssh url. The first time I try to create the Dev Environment I have in the log:

Preparing to clone inside a volume
Installing credential helpers... done
Cloning into '/code'...
[email protected]'s password: 

If I leave this one up and create another dev environment with the same ssh url I get:

Preparing to clone inside a volume
Installing credential helpers... done
Cloning into '/code'...
remote: Enumerating objects: 24090, done.
remote: Counting objects: 100% (100/100), done.
remote: Compressing objects: 100% (59/59), done.
remote: Total 24090 (delta 52), reused 85 (delta 41), pack-reused 23990 759.00 KiB/s
Receiving objects: 100% (24090/24090), 6.84 MiB | 1.58 MiB/s, done.
Resolving deltas: 100% (16168/16168), done.
Docker socket permission set to allow in container docker

I tried these steps again and it didn't work again... then it starts working again. Can't figure out why sometimes it works and other times it doesn't.

patrick-mota · Aug 10 '21 10:08

Hi..

Same problem here. I'm using WSL2 and Docker Desktop. If I try to create my dev environment from an existing repo, I get stuck.

Using an SSH url, Docker tells me I should use the ssh agent. I set up this agent stuff in my WSL2 Linux system. But this did not work.

If I try to use an HTTPS url, I get stuck, because the CA certificate is unknown.

mgrossmann · Mar 14 '22 10:03