Add support for ssh #646

Closed
steve28 opened this issue Nov 23, 2018 · 22 comments · Fixed by #1386

@steve28

steve28 commented Nov 23, 2018

As of Docker 18.09, you can now connect to remote daemons via SSH. For example:

docker -H ssh://server.example.com ps

Also setting DOCKER_HOST works as well:

$ export DOCKER_HOST=ssh://server.example.com
$ docker ps

More info here at the end of the Examples->Daemon socket option section.

At present, you cannot enter the protocol portion of the DOCKER_HOST setting in vscode-docker. Also, setting the environment variable DOCKER_HOST outside of vscode does not work either.

This is a request to add support for ssh in DOCKER_HOST.

@PrashanthCorp
Contributor

PrashanthCorp commented Dec 5, 2018

Would you like this to be a host-daemon setting in the extension, so that we add -H ssh://..... to each docker command that's run? (I'm assuming you could want this on multiple commands, not just docker ps).

@steve28
Author

steve28 commented Dec 6, 2018

Yes, I think that's what I would want as I do currently have my DOCKER_HOST environment variable set to:

DOCKER_HOST=ssh://server.example.com

and I get the desired behavior at the command line, but the vscode-docker extension doesn't seem to be honoring it.

@diablodale

diablodale commented Jan 4, 2019

Agreed, SSH support brings secure authentication in a commonly installed/maintained manner. The old-school custom CA/cert method is quite complex.

Currently, from WSL I can use docker -H ssh://user@servername info with great success.
From the docker extension I receive a vscode error popup of:

Unable to connect to Docker. Please make sure you have
installed Docker and that it is running. Details: connect
ECONNREFUSED 127.0.0.1:80

On the output tab, in the (mysterious two duplicate) Docker pulldown choice is...nothing. There is no output or diagnostic information.

SOP for docker commands is to first honor the DOCKER_HOST env variable. Then if a -H command is provided, to use that host as an override. I would prefer that this vscode extension also first honor the DOCKER_HOST env variable, and if the user/workplace setting of docker.host is configured to then honor that host override.

Some minor refactoring will be needed to allow ssh connection strings at
https://github.com/Microsoft/vscode-docker/blob/6204e4c685efe3f044536535aa2f1237d44b6c07/commands/utils/docker-endpoint.ts#L34
For example, SSH connection paths can have @ within them, can not have a colon, etc. SSH is often configured with the ~/.ssh/config file and therefore ports can be non-standard and also not provided in the connection string. All the following are legal and should be supported:

ssh://servername
ssh://servername:portnum
ssh://user@servername
ssh://user@servername:portnum

@Rob-Wal

Rob-Wal commented Feb 12, 2019

I see that this is on the road map, but wanted to point out that on Microsoft Windows 10 pro 1809 [Version 10.0.17763.253], VSC 1.31.0 and vscode-docker 0.5.2 when the env variable is set for ssh the extension does not work at all.

For example DOCKER_HOST=ssh://user@server allows me to connect from the VSC terminal or cmd console but the docker extension does not load properly. The items under DOCKER: EXPLORER are missing and no IntelliSense. There is an error that command 'vscode-docker.explorer.refresh' not found.

Dev Tools Console:

notificationsAlerts.ts:38 Error: command 'vscode-docker.explorer.refresh' not found
    at Proxy.t._tryExecuteCommand (commandService.ts:59)
    at commandService.ts:52
t.onDidNotificationChange @ notificationsAlerts.ts:38
(anonymous) @ notificationsAlerts.ts:26
e.fire @ event.ts:567
t.notify @ notifications.ts:113
t.error @ notificationService.ts:48
(anonymous) @ compositePart.ts:268
e.fire @ event.ts:567
(anonymous) @ actions.ts:204
Promise.then (async)
t.run @ actions.ts:201
t.onClick @ menuItemActionItem.ts:266
(anonymous) @ actionbar.ts:139
runCallback @ timers.js:696
tryOnImmediate @ timers.js:667
processImmediate @ timers.js:649

@x13machine

The underlying docker module dockerode doesn't seem to support ssh connections.

@steve28
Author

steve28 commented Jul 17, 2019

I see this was added in 0.7.0, but it is not working for me. If I use:

ssh://server.host.com

I get:
image

So then I use (which I shouldn't have to):

ssh://server.host.com:22

and get:
image
Which is clearly not correct

I should add that on my system, it works fine from the command line if I do:

docker -H ssh://server.host.com ps

@ejizba
Contributor

ejizba commented Jul 17, 2019

@steve28 I did some work related to this in 0.7.0, but this issue has not been fixed yet. As @x13machine mentioned, we need one of our underlying dependencies to implement ssh support - tracked in apocas/docker-modem#99 and apocas/docker-modem#102

@Rob-Wal

Rob-Wal commented Jul 18, 2019

I personally have moved my workflow to remote-ssh once it became available in the regular channel and set the docker plugin to work remotely. I love the workflow now. The setup requires using SSH keys so logon is not a hassle. I also had to set the docker extension to remote by adding the below to settings.json:
# put a comma after the last setting, then add the below.

"remote.extensionKind": {
    "ms-azuretools.vscode-docker": "workspace"
}

It used to be "peterjausovec.vscode-docker": "workspace", but the publisher name got updated in June.

@steve28
Author

steve28 commented Jul 25, 2019

@RobTiki - thanks for the pointer! works great! will the docker extension "break" at each update since the above was manually added?

@ejizba
Contributor

ejizba commented Jul 25, 2019

@steve28 it should update just fine, even with that setting

@Rob-Wal

Rob-Wal commented Jul 25, 2019

@steve28 I have updated vscode and the extension several times with no issues.

@BigMorty BigMorty modified the milestones: 0.9.0, Future Sep 18, 2019
@ptr727

ptr727 commented Oct 3, 2019

Ah, no wonder I could not get SSH to work :(

Would be fantastic to get SSH working, I only have access to Docker on Ubuntu Server hosts over SSH with keys.

Please do try to share, or improve (key management), the implementation with the ms-vscode-remote.remote-ssh extension, such that I can use key based authentication, and not have to enter passwords.

Btw, it looks like the dependencies mentioned by @EricJizbaMSFT in docker-modem have been implemented.

@bwateratmsft
Collaborator

SSH support was recently added in docker-modem, and we have updated our reference to it. I think more changes are needed on this side, but I'll check it out and see.

@bwateratmsft
Collaborator

bwateratmsft commented Oct 16, 2019

Ok, so good news, this is actually possible now! You need the Remote Development extension pack.

  1. Run command Remote-SSH: Add new SSH host... and follow the prompts to set up a connection to the target host.
  2. Run command Remote-SSH: Connect to host... and connect to the host.
  3. A new VSCode window opens, remoted to the target machine. If using password auth, the password will be prompted here. I'd recommend setting up key auth because constantly typing in a password is annoying. In Extensions tab, install the Docker extension (on the remote host) (a reload may be required after this step):
    image
  4. Enjoy!

NOTE: If you are using the Extension to build Docker images, etc. (and thus you have source code for something)--the above approach probably means you have to have your source enlistment on the remote host, rather than your local machine. If you are just using the extension for the Explorer features then you can disregard this.

It is also probably possible in the next release of this extension to do it via DOCKER_HOST (or the corresponding setting), as long as auth is configured properly. Unfortunately docker-modem removes the user from the host and doesn't allow agent config: apocas/docker-modem#107

@mcauto
Copy link

mcauto commented Oct 17, 2019

Ok, so good news, this is actually possible now! You need the Remote Development extension pack.

  1. Run command Remote-SSH: Add new SSH host... and follow the prompts to set up a connection to the target host.
  2. Run command Remote-SSH: Connect to host... and connect to the host.
  3. A new VSCode window opens, remoted to the target machine. If using password auth, the password will be prompted here. I'd recommend setting up key auth because constantly typing in a password is annoying. In Extensions tab, install the Docker extension (on the remote host) (a reload may be required after this step):
    image
  4. Enjoy!

It is also probably possible in the next release of this extension to do it via DOCKER_HOST (or the corresponding setting), as long as auth is configured properly. Unfortunately docker-modem removes the user from the host: apocas/docker-modem#107

Nice! It works for me.

Is Remote-WSL not supported?

@bwateratmsft
Collaborator

@mcauto WSL will work automatically in the next release (see #1199). Unfortunately it cannot be configured to work in 0.8.1, as the version of Dockerode in use has a now-fixed issue where it disallows npipe:// values in DOCKER_HOST: apocas/docker-modem#106

@bwateratmsft
Collaborator

bwateratmsft commented Oct 17, 2019

Support that is not via the Remote - SSH extension is blocked on apocas/docker-modem#107. This is needed if, for example, you want your enlistment to be on your local machine, with Docker on remote. In contrast, to use with Remote - SSH would require the enlistment to be on the remote machine.

EDIT: no longer blocked

@bwateratmsft bwateratmsft modified the milestones: Future, 0.9.0 Oct 17, 2019
@bwateratmsft bwateratmsft self-assigned this Oct 17, 2019
@bwateratmsft
Collaborator

bwateratmsft commented Oct 22, 2019

DISCLAIMER: There are two "flavors" of using the Docker extension with a remote daemon over SSH:
Remote - SSH setup:
The best and easiest is to use the Remote - SSH extension. See this comment for how to do that. If you aren't sure which flavor to use, you should use this one. It is available now.

DOCKER_HOST setup:
The other way is to configure your Docker client to talk to the remote daemon over SSH. This will be available with version 0.9.0 of the Docker extension; at the time of writing that is not yet released. Setup for this is not particularly fun. You should only use this approach if you need to keep your source code off of the Docker host / SSH target.

I have a working prototype in the bmw/ssh branch, it requires downloading the latest modem.js for docker-modem and replacing it in node_modules (until 2.0.4 is published), after you do npm install.

  1. Use ssh-keygen or similar to get and configure a public/private key pair for SSH authentication: https://www.ssh.com/ssh/keygen/. Password auth is not supported by Docker and not possible with a DOCKER_HOST-based configuration. If you've already set up a key pair you can use that.
  2. Configure ssh-agent on the local system with the private key file produced above.
    1. Windows (OpenSSH): the latest version(s) of Windows 10 include OpenSSH by default. There is a Windows service, ssh-agent that is disabled by default, and needs to be re-enabled and set to automatic start. From an admin command prompt, run sc config ssh-agent start=auto and net start ssh-agent. Then, do ssh-add <keyfile>.
    2. Windows (Pageant): You can use Pageant instead of OpenSSH, in which case you need to set the environment variable SSH_AUTH_SOCK=pageant. Making that a user or system environment variable will be easiest.
    3. Linux (I did Ubuntu, your mileage may vary): ssh-agent is present by default. Do ssh-add <keyfile>.
    4. Mac: ssh-agent is present by default, but ssh-add does not persist across logins. Do ssh-add <keyfile>. I suggest configuring VSCode to run this command on terminal startup with terminal.integrated.shellArgs.osx, or otherwise configuring a startup script, or otherwise just manually running that command each time you log in. Good luck!
  3. Verify that your identity is available to the agent with ssh-add -l. It should list one or more identities that look something like 2048 SHA256:abcdefghijk somethingsomething (RSA). If it does not list any identity, you will not be able to connect. Also, it needs to have the right identity, of course. The Docker CLI working does not mean that the Explorer window will work--the Explorer window uses dockerode (which in turn uses ssh2), whereas the Docker CLI uses simply the ssh command, and benefits from a lot more automagic.
  4. Configure VSCode with your DOCKER_HOST to ssh://username@host. If you don't include username, it will use your current local user name, which may be wrong.
    1. You can simply use the DOCKER_HOST environment variable, or
    2. There's a setting docker.host in VSCode which has the same effect, but allows for user or workspace settings instead of machine settings.
  5. I'd recommend changing the refresh rate to something a bit longer with the docker.explorerRefreshInterval setting. The connection over SSH is kinda slow, and you don't want it trying to refresh again before the previous refresh even finished. I used 3000 ms instead of 1000 ms.
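
An added example (not part of the thread, and not vscode-docker, dockerode or docker-modem code): a preflight check for the DOCKER_HOST setup above. It applies the setting-over-environment precedence and the four ssh:// forms requested earlier in the thread, rejects a password embedded in the endpoint, and warns when the user name or the agent socket is missing. The function name resolveDockerHost, its return shape and the sample values are assumptions made for illustration.

```javascript
// Added example: not code from vscode-docker, dockerode or docker-modem.
// Resolves the effective Docker endpoint and checks the ssh:// preconditions
// discussed in this thread. Uses only the global URL class, no imports.

function resolveDockerHost(settings, env) {
  // Precedence requested in the thread: the docker.host setting, when present,
  // overrides the DOCKER_HOST environment variable.
  const raw = String(settings["docker.host"] || env.DOCKER_HOST || "").trim();
  if (!raw) return { kind: "default", warnings: [] };

  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`Unparseable Docker host: ${raw}`);
  }
  if (url.protocol !== "ssh:") {
    return { kind: "other", protocol: url.protocol, warnings: [] };
  }
  if (!url.hostname) throw new Error("ssh:// endpoint has no host name");
  // Key-based auth only: a password in the connection string is rejected.
  if (url.password) throw new Error("Password in ssh:// endpoint; use ssh-agent keys");

  const warnings = [];
  let user = url.username;
  if (!user) {
    // Without user@, the current local user name is used, which may be wrong.
    user = env.USER || env.USERNAME || "";
    warnings.push(`no user in endpoint; falling back to local user "${user}"`);
  }
  if (!env.SSH_AUTH_SOCK) {
    warnings.push("SSH_AUTH_SOCK is not set; confirm `ssh-add -l` lists an identity");
  }
  // No default port is filled in: the thread notes ports may come from ~/.ssh/config.
  const port = url.port ? Number(url.port) : undefined;
  return { kind: "ssh", user, host: url.hostname, port, warnings };
}

// Constructed sample inputs covering the four connection-string forms.
const sampleEnv = { SSH_AUTH_SOCK: "/tmp/agent.sock", USER: "alice" };
const samples = ["ssh://servername", "ssh://servername:2222",
                 "ssh://user@servername", "ssh://user@servername:2222"];
for (const s of samples) {
  const result = resolveDockerHost({}, { ...sampleEnv, DOCKER_HOST: s });
  console.log(s, "->", JSON.stringify(result));
}
```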

@ptr727

ptr727 commented Nov 16, 2019

I still can't get remote docker over SSH working, but remote workspaces over SSH works fine.
Error reported is docker_host env should be something like tcp://localhost:1234.

My docker.host user config is:

My SSH config is:

Host Docker-on-Ubuntu
  User pieter
  HostName docker.home.insanegenius.net
  IdentityFile C:\Users\piete\.ssh\id_rsa

I'm running:

Version: 1.41.0-insider (user setup)
Commit: bf7d03bf88732af0b46e473c663c49e18e839f9c
Date: 2019-11-15T05:40:12.201Z
Electron: 6.1.4
Chrome: 76.0.3809.146
Node.js: 12.4.0
V8: 7.6.303.31-electron.0
OS: Windows_NT x64 10.0.18362

Any more help on how to debug?

Can the remote docker be enhanced to use the same configuration as the remote workspaces, where the connection details are configured in the ssh targets config file, that I know works?

@bwateratmsft
Collaborator

@ptr727 the error you're seeing is an issue with docker-modem. We have an updated version of it that will release with 0.9.0. That said, if you can use Remote - SSH instead, we recommend that over using DOCKER_HOST.

@ptr727

ptr727 commented Nov 16, 2019

I am a bit confused with the version nomenclature, i.e. version 0.9.0 vs. 1.41?
What version should I wait to be bumped to 0.9.0?

At my desk VM development over SSH is not an issue, problem is that the docker hosts in our cloud are just for docker, they are not for source, thus the need for remote docker but local code.

This could get more interesting in code server style development, where e.g. VSCode is over HTTP on a docker container with source access, but docker server (the one where we want to test deploy code) is over SSH in a different environment where source code is not allowed, but network connectivity to other services is available.

But, I agree that the complexity may not be warranted, especially when considering the rights required to manipulate docker server, vs. the threat model of such access in a production environment.

@karolz-ms
Contributor

@ptr727 the version 0.9.0 @bwateratmsft mentioned is the version of the VS Code Docker extension. We are very close to releasing it.

@vscodebot vscodebot bot locked and limited conversation to collaborators Dec 20, 2019