Open ai opened 2 months ago
"dev.containers.forwardWSLServices": false is only for WSL. If you have an ssh-agent running locally, that will still be forwarded. You could clear the SSH_AUTH_SOCK env variable when starting VS Code (mainly applies if your local machine is Linux).
Are you trying to isolate the container? The extension also forwards the X11 display, the Wayland display, the gpg-agent (if GPG is available in the container) and the Docker credential helper (if Docker is available in the container).
Yes. I try to use Dev Container to prevent being hacked from node_module. So I need an option to remove GPG, X11/Wayland, Docker sync.
Seems like we have a UI issue. It was unclear to me what WSL is in the context of the Dev Container plugin (I am using Linux). Maybe we can rename the options to explain that they do not protect a Linux/Mac machine.
Also, can we add options to disable forwarding ssh-agent (I may need SSH_AUTH_SOCK on the local machine for other tools), gpg-agent, X11/Wayland? Is it possible to disable them (for experienced users of course, disabling by default will reduce DX)?
My understanding is that Docker containers are not a security boundary. So even with all these features disabled, you won't have a "secure" setup. There might be ways to harden the container I'm not familiar with.
SSH inside container can connect to GitHub even if I disable forwardWSLServices and gitCredentialHelperConfigLocation. There are no keys in ~/.ssh (inside container) and no helper in git config -l
My settings:
VSCode Version: 1.89.1
Local OS Version: Fedora 40
Remote OS Version: ubuntu:24.04
Remote Extension/Connection Type: Containers
Logs:
Steps to Reproduce:
forwardWSLServices, and gitCredentialHelperConfigLocation
ssh -T git@github.com
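
An audit script for the channels named in this thread (ssh-agent, X11, Wayland, gpg-agent, Docker and git credential helpers), added here as an example and not part of the issue or the Dev Containers extension. It assumes a POSIX shell inside the container; the labels and output format are constructed for illustration, and it checks only the standard SSH_AUTH_SOCK, DISPLAY and WAYLAND_DISPLAY variables, gpgconf, ~/.docker/config.json and git config.

```shell
#!/bin/sh
# Added example, not part of the Dev Containers extension. Run inside the
# container to report which host channels named in the thread are visible.

# report LABEL STATE DETAIL -> one grep-friendly line per channel.
report() { printf '%-8s %-18s %s\n' "$2" "$1" "$3"; }

# A socket path counts as exposed only if it points at a live unix socket.
check_socket() {  # $1 = label, $2 = socket path (may be empty)
  if [ -z "$2" ]; then report "$1" ok "not set"
  elif [ -S "$2" ]; then report "$1" EXPOSED "socket $2"
  else report "$1" stale "$2 is not a socket"
  fi
}

# Plain values (display names, helper names) are exposed whenever non-empty.
check_var() {  # $1 = label, $2 = value
  if [ -n "$2" ]; then report "$1" EXPOSED "$2"; else report "$1" ok "not set"; fi
}

audit_forwarding() {
  check_socket ssh-agent "${SSH_AUTH_SOCK:-}"
  check_var x11 "${DISPLAY:-}"
  check_var wayland "${WAYLAND_DISPLAY:-}"
  # gpgconf prints the agent socket path GnuPG would use in this container.
  if command -v gpgconf >/dev/null 2>&1; then
    check_socket gpg-agent "$(gpgconf --list-dirs agent-socket 2>/dev/null)"
  else
    report gpg-agent ok "gpg not installed"
  fi
  # Docker CLI credential helpers are configured in ~/.docker/config.json.
  cfg="${HOME}/.docker/config.json"
  if [ -f "$cfg" ] && grep -Eq '"(credsStore|credHelpers)"' "$cfg"; then
    report docker-creds EXPOSED "helper configured in $cfg"
  else
    report docker-creds ok "no helper configured"
  fi
  # Same information `git config -l` shows as credential.helper entries.
  helper=""
  command -v git >/dev/null 2>&1 &&
    helper=$(git config --get-all credential.helper 2>/dev/null | tr '\n' ' ')
  check_var git-creds "$helper"
}

audit_forwarding
```

A line marked EXPOSED for ssh-agent explains why `ssh -T git@github.com` can succeed with no keys in ~/.ssh: the key material stays on the host, but the socket lets processes in the container request signatures from it.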