microsoft / vscode-tools-for-ai

Azure Machine Learning for Visual Studio Code, previously called Visual Studio Code Tools for AI, is an extension to easily build, train, and deploy machine learning models to the cloud or the edge with Azure Machine Learning service.
Other
325 stars 95 forks source link

Is there a way to host the remote web socket server privately? #2469

Open zachgalvin opened 2 weeks ago

zachgalvin commented 2 weeks ago

In order to get the ML VSCode extension to work in a locked down network, you have to allow the following endpoint:

https://github.com/microsoft/vscode-tools-for-ai/tree/master/azureml_remote_websocket_server/*

According to this documentation:

https://learn.microsoft.com/en-us/azure/machine-learning/how-to-access-azureml-behind-firewall?view=azureml-api-2&tabs=ipaddress%2Cpublic#scenario-visual-studio-code

But in order to limit to just that path, you have to have some proxy or firewall that decrypts traffic so that it can check the path. Is there a way to host the web socket server instead so that you don’t have to do any of that?

Siglud commented 2 weeks ago

So, the problem is the extension need to download this server binary from https://github.com/microsoft/vscode-tools-for-ai/tree/master/azureml_remote_websocket_server/. This is a URL from GitHub with TLS, you cannot decode the HTTP request the limit the server access only when remote host equals github.com and the path match the /microsoft/vscode-tools-for-ai/tree/master/azureml_remote_websocket_server/. Right?

I think the only way is SSL decrypt. Or maybe we move those binary files to the other site belongs to Microsoft can help you easier this work?

zachgalvin commented 2 weeks ago

Thanks for the response @Siglud! Yes, that is the problem I’m hitting, and I think those are the two potential solutions, but I’m curious about if we can host the binary files internally because I think that would be easier for me.

I know I could just download all the files at that path and then host them, but how would I tell VSCode to look at my self hosted location rather than trying to go to GitHub? And are there any other caveats with that approach?

zachgalvin commented 1 week ago

@Siglud and @JerryYangKai any thoughts on if that is an option?

Siglud commented 1 week ago

@zachgalvin Sorry, there is no way to customize this setting for now.

@yaoleo34 Could be a feature request.

yaoleo34 commented 1 week ago

@zachgalvin Is https://github.com/microsoft/vscode-remote-release/issues/9454 similar to the issue that you described here?

zachgalvin commented 1 week ago

I’m not sure @yaoleo34. Is libstdcpp_path where the path for this is stored? I’m not familiar with the code, but it doesn’t initially appear related.

@Siglud just to confirm, even if there was a custom Microsoft domain for this instead of GitHub, it still wouldn’t work right? Or are you just saying I can’t self host it?

Also, two more questions on this:

  1. Do you know how often we need to pull files from there? If we only need it when we initially install or update, I could temporarily allow GitHub on the firewall during those periods.
  2. If I do have to go down the route of decrypting SSL, do you know if VSCode does any SSL pinning or has plans to? That would prevent the decrypting traffic from working, so just wanted to double check.
Siglud commented 1 week ago

@zachgalvin Sorry, I've checked the install script again. I think like @yaoleo34 said, the web socket server also can be pre-installed if you put your binary files in the right place.

First, you need to get last version of the socket server from https://github.com/microsoft/vscode-tools-for-ai/tree/master/azureml_remote_websocket_server

Currently, the last version is v0.2 (this will be referred to as <version>)

Copy the binary file to specific directories.

mkdir -p ~/.azureml_remote_websocket_server/bin/<version>
cd ~/.azureml_remote_websocket_server/bin/<version>

# Download and extract
# wget https://github.com/microsoft/vscode-tools-for-ai/raw/refs/heads/master/azureml_remote_websocket_server/v0.2/azureml_websocket_server.tgz
tar -xzf azureml_websocket_server.tgz  # This creates a folder called "package"
mv package/* ./ && rm -r package

After running this script, start/restart the Remote SSH from Host to Destination and it will skip download and start the socket server directly.