devcontainers / cli

A reference implementation for the specification that can create and configure a dev container from a devcontainer.json.
https://containers.dev
MIT License

Unable to open devcontainer in VSCode on local machine behind Cloudflare Zero Trust proxy #847

Open husterk opened 10 months ago

husterk commented 10 months ago

My local network is behind a Cloudflare Zero Trust proxy. Typically, I would need to install the Cloudflare CA certificate on any container running on my local M1 MacBook Pro that needs external internet access.

However, I am unsure how to do this for devcontainers that install "features" such as the devcontainer in this template repository. I have attempted to define my own Dockerfile that installs the necessary cert but the feature installation still fails. When I attempt to start the devcontainer, I receive the following error.

[2024-01-07T23:37:20.400Z] Resolving Feature dependencies for 'ghcr.io/devcontainers/features/docker-in-docker:2'...
[2024-01-07T23:37:20.400Z] * Processing feature: ghcr.io/devcontainers/features/docker-in-docker:2
[2024-01-07T23:37:20.474Z] Error: unable to get local issuer certificate
[2024-01-07T23:37:20.474Z]     at TLSSocket.onConnectSecure (node:_tls_wrap:1543:34)
[2024-01-07T23:37:20.475Z]     at TLSSocket.emit (node:events:513:28)
[2024-01-07T23:37:20.475Z]     at TLSSocket._finishInit (node:_tls_wrap:962:8)
[2024-01-07T23:37:20.475Z]     at ssl.onhandshakedone (node:_tls_wrap:746:12)

Would you happen to have a recommendation for resolving this issue? I can't seem to get past this on my own.

husterk commented 10 months ago

Update: While this is technically still an issue, I was able to implement a workaround.

Workaround: In Cloudflare Zero Trust, I had to define a Gateway -> Firewall policies -> HTTP policy to "Do Not Inspect" each of the URLs that were being impacted by this issue. This includes Docker container registries, NPM registries, VSCode extension registries, etc.

While a bit tedious to determine and implement, this workaround does bypass the reported issue. However, it would still be nice to find a way to not have to manually identify each URL that needs to effectively be allow-listed.

eljog commented 10 months ago

@joshspicer / @chrmarti do you have any suggestions on getting features to work behind a network proxy?

joshspicer commented 5 months ago

This may not be exactly what you're looking for, but you may be able to leverage some tips from the discussion here and utilize the NODE_EXTRA_CA_CERTS environment variable to feed your Cloudflare CA certificate into the CLI.
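One way to apply the NODE_EXTRA_CA_CERTS suggestion, as an added wrapper script that is not part of the devcontainers CLI or of this thread. The stack trace in the report comes from the CLI's own Node process on the host, which is why a CA copied only into the Dockerfile does not reach the feature fetch; the script name, the CLOUDFLARE_CA_PEM variable and the default bundle path are assumptions.

```shell
#!/usr/bin/env bash
# Hypothetical wrapper: validate the proxy CA bundle, then hand it to the
# CLI's Node process via NODE_EXTRA_CA_CERTS before running `devcontainer up`.
# Node only accepts PEM here and, per its docs, merely warns (once) when the
# file is missing or malformed, so the original TLS error would otherwise
# survive unchanged. Failing fast makes the misconfiguration visible.

# Return 0 if FILE is a readable PEM bundle, else explain on stderr and return 1.
check_ca_bundle() {
  file=$1
  [ -n "$file" ] || { echo "no CA bundle path given" >&2; return 1; }
  [ -r "$file" ] || { echo "CA bundle not readable: $file" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$file" \
    || { echo "not a PEM bundle (convert DER/.cer first): $file" >&2; return 1; }
  return 0
}

# Number of certificates in the bundle, to sanity-check a multi-cert chain.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Start the dev container with the CA exported only for this invocation.
run_devcontainer_up() {
  bundle=$1
  workspace=${2:-.}
  check_ca_bundle "$bundle" || return 1
  echo "using $(count_certs "$bundle") CA certificate(s) from $bundle" >&2
  NODE_EXTRA_CA_CERTS="$bundle" devcontainer up --workspace-folder "$workspace"
}

# Run only when executed directly under the assumed script name, so the
# functions can be sourced without starting a container.
if [ "${0##*/}" = "devcontainer-up-behind-proxy.sh" ]; then
  # Assumed default location of the exported Cloudflare root CA in PEM form.
  run_devcontainer_up "${CLOUDFLARE_CA_PEM:-$HOME/.cloudflare/Cloudflare_CA.pem}" "$@"
fi
```

Feature downloads go through the host-side CLI, so this covers the error shown above; packages fetched during the image build still need the CA installed inside the Dockerfile as the reporter already does.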