search

microsoft / vscode-remote-release

Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.
https://aka.ms/vscode-remote
Other
3.61k stars 275 forks source link

DevContainers VSCode plugin broken with v0.292.0 #8449

Closed sdrzazga-nsd closed 1 year ago

sdrzazga-nsd commented 1 year ago

Performing in VSCode Dev Containers: Clone Repository in Container Volume using a repository with defined container features works using v0.288.1 but fails in v0.292.0.

Version: 1.78.0
Commit: 252e5463d60e63238250799aef7375787f68b4ee
Date: 2023-05-03T20:11:00.813Z
Electron: 22.4.8
Chromium: 108.0.5359.215
Node.js: 16.17.1
V8: 10.8.168.25-electron.0
OS: Darwin x64 22.4.0
Sandboxed: No
[5369 ms] Start: Run: tar --no-same-owner -x -f -
[5430 ms] * Processing feature: ghcr.io/devcontainers/features/git:1
[5589 ms] Start: Run: docker-credential-dev-containers-5b13cb46-2b39-4091-89b7-bddfbcc9f1f2 get
[5671 ms] Looking up Docker credential helper for 'ghcr.io'.
[6140 ms] [httpOci] Could not fetch bearer token for 'ghcr.io': Error: HTTP 403: Forbidden
[6141 ms] [httpOci] ERR: Failed to fetch Bearer token from registry.
[6141 ms] Request 'https://ghcr.io/v2/devcontainers/features/git/manifests/1' failed
[6141 ms] Could not resolve Feature manifest for 'ghcr.io/devcontainers/features/git:1'.  If necessary, provide registry credentials with 'docker login <registry>'.
[6141 ms] Github feature.
[6142 ms] Could not resolve Feature 'ghcr.io/devcontainers/features/git:1'.  Ensure the Feature is published and accessible from your current environment.
[6145 ms] Error: Failed to process feature ghcr.io/devcontainers/features/git:1
[6145 ms]     at Wie (/root/.vscode-remote-containers/dist/dev-containers-cli-0.292.0/dist/spec-node/devContainersSpecCLI.js:1874:3166)
[6145 ms]     at processTicksAndRejections (node:internal/process/task_queues:96:5)
[6145 ms]     at async Xm (/root/.vscode-remote-containers/dist/dev-containers-cli-0.292.0/dist/spec-node/devContainersSpecCLI.js:1874:2263)
[6145 ms]     at async gh (/root/.vscode-remote-containers/dist/dev-containers-cli-0.292.0/dist/spec-node/devContainersSpecCLI.js:1877:1700)
[6145 ms]     at async tg (/root/.vscode-remote-containers/dist/dev-containers-cli-0.292.0/dist/spec-node/devContainersSpecCLI.js:1877:179)
[6146 ms]     at async wD (/root/.vscode-remote-containers/dist/dev-containers-cli-0.292.0/dist/spec-node/devContainersSpecCLI.js:1946:3927)
[6146 ms]     at async rO (/root/.vscode-remote-containers/dist/dev-containers-cli-0.292.0/dist/spec-node/devContainersSpecCLI.js:1946:2808)
[6146 ms]     at async Xse (/root/.vscode-remote-containers/dist/dev-containers-cli-0.292.0/dist/spec-node/devContainersSpecCLI.js:1961:2626)
[6146 ms]     at async vh (/root/.vscode-remote-containers/dist/dev-containers-cli-0.292.0/dist/spec-node/devContainersSpecCLI.js:1961:3741)
[6146 ms]     at async gae (/root/.vscode-remote-containers/dist/dev-containers-cli-0.292.0/dist/spec-node/devContainersSpecCLI.js:2092:10213)
[6165 ms] Exit code 1

Steps to Reproduce:

  1. In VSCode running ms-vscode-remote.remote-containers with v0.292.0 perform Dev Containers: Clone Repository in Container Volume
  2. The target repository should have a container config with a feature enabled. e.g. 
    {
"image": "mcr.microsoft.com/devcontainers/base:ubuntu-22.04",
"features": {
"ghcr.io/devcontainers/features/git:1": {
  "version": "latest"
}
},
"customizations": {
"settings": {
  "terminal.integrated.defaultProfile.linux": "zsh",
  "terminal.integrated.profiles.linux": {
    "zsh": {
      "path": "/bin/zsh"
    }
  }
}
},
"hostRequirements": {
"cpus": 2
}
}

Does this issue occur when you try this locally?: Yes Does this issue occur when you try this locally and all extensions are disabled?: n/a

It works in Codespaces.

mathew-winters-ctct commented 1 year ago

I have the same issue, installing the previous version works.

chrmarti commented 1 year ago

Might your token for ghcr.io have expired? I'm not sure we detect that case, but the access is public, so could you try running docker logout ghcr.io and then retry?

sdrzazga-nsd commented 1 year ago

Hello @chrmarti .

Thank you for your response.

I can confirm that by performing docker logout ghcr.io it resolved the issue. What's strange is the fact that it was working with the previous version just fine and except for dev containers I usually don't use ghcr.io at all. Hence I would not have assumed this to be the issue. Anyways, thank you!

chrmarti commented 1 year ago

@joshspicer Can we handle the case where the token isn't valid or expired by retrying without a token?

joshspicer commented 1 year ago

Makes sense 👍

joshspicer commented 1 year ago

This should do the trick! https://github.com/devcontainers/cli/pull/515

Tyriar commented 1 year ago

@joshspicer can we move this to Backlog or June or is it critical for May?

joshspicer commented 1 year ago

This shipped in the latest dev container CLI release.

rzhao271 commented 1 year ago

I'll need some verification steps for this one. I tried copy-pasting the above file from https://github.com/microsoft/vscode-remote-release/issues/8449#issue-1697605138 into .devcontainer/devcontainer.json and pushing it to a private repository, but then when cloning the repository, the extension reports

[10219 ms] Start: Run in container: cat /workspaces/devcontainers-test/.devcontainer/devcontainer.json 2>/dev/null
[10224 ms] Start: Run in container: cat /workspaces/devcontainers-test/.devcontainer.json 2>/dev/null
[10231 ms] Repository rzhao271/devcontainers-test has no dev container files.

and it asks me to add a configuration file. Edit: I selected a config and it override .devcontainer/devcontainer.json, so it just ignores my config?

I'm also not sure how to test the expired token scenario.

joshspicer commented 1 year ago

You can test this by creating a GitHub PAT from https://github.com/settings/tokens and then logging into docker in your local environment with docker login ghcr.io -u $GITHUB_USER -p $PAT. Before building the dev container, revoke the PAT via the GitHub UI. You'll now have an invalid/"expired" PAT in your local docker config.

joshspicer commented 1 year ago

Any repo with a publicly accessible Feature will work (the example uses the git Feature).

The issue that this change fixes is that an expired token is preferred over accessing the registry anonymously. This CLI patch now falls back to trying the request anonymously (no auth) if the initial auth returns a certain set of exit codes.

From what I can see this patch should be in 0.294.0-pre-release of the dev containers extension.

rzhao271 commented 1 year ago

LGTM. I overrode the dev container config file in my test repository with one generated by the quickpick UX. I deleted the old containers and dev volumes on Docker Desktop. I created a PAT and made it expire after logging in again for ghcr.io. After that, I was finally able to clone the test repository in a container volume and see the line

[22472 ms] [httpOci] 403: Credentials for 'ghcr.io' may be expired. Attempting request anonymously.

:tada: