Investigate attaching to container when connected with Remote-SSH

[chrmarti]

Following up on an earlier discussion. /cc @bamurtaugh

[chrmarti]

Got it working with the following limitations:

• It works from the Remote-Explorer and Attach to Running Container command, but not from the remotely installed Docker extension's viewlet. Tracked with Pass objects with commands.executeCommand when remote vscode#111238.
• It works when a folder is open in the Remote-SSH window, but not in an empty Remote-SSH window. Tracked with Way to discover remote authority in empty window vscode#111371.
• It only works when the SSH connection requires no user input (using public key auth). Tracked with Support SSH connection with password entry #4154.
• A local Docker client is still required.

An easy to configure performance improvement is #3938.

[PavelSosin-320]

@chrmarti Docker engine is only a secured server. The correct DOCKER_HOST doesn't promise connectivity. Port 2375 and no-tls are not the default.
In any place in VS Code dev-container documentation I have found which SSH version and the user should be used when working with remote Docker engine via SSH. It can't be any user. On one hand, this user must belong to the Docker User Group to fulfill Docker security requirements. On another hand, it can't be the root user because Linux prohibits remote root access due to safety common sense.
Also using SSH version is not obvious because Docker engine v 19.03 doesn't serve REST API with SSL on port ssh://host:2376, but only TLS 1.1 as it is mentioned in dockerd documentation (Is Windows OpenSSH compatible? The same version Docker CLI 19.03 is OK ! ) It can be changed to TLS 1.3 any day if Docker Linux package providers will need network security compliance from Cloud / Enterprise infrastructure providers. Ubuntu LTS 18.04, 20.04, and CentOS 7,8 have passed this point.

[JacksonKearl]

Hey how can we verify this?

[chrmarti]

You need an SSH server with Docker installed. If you don't have one you can (works on Mac / Linux, I need to check on Windows):

• If you don't have an ~/.ssh/id_rsa yet:
  • ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
• Checkout microsoft/vscode-remote-containers
• cd dind, docker-compose up -d --build sshd-ubuntu
• Check you can ssh in without password:
  • ssh-add ~/.ssh/id_rsa
  • ssh root@localhost -p 2222

Once you have an SSH server with Docker installed:

• Use Remote-SSH to connect to it (e.g., root@localhost:2222).
• In the Remote-SSH session, start a new container: docker run -d debian sleep infinity
• From the Remote-Explorer viewlet, verify you can attach to that new container.

[lszomoru]

Thanks @chrmarti. I am looking at this one now.

[lszomoru]

@chrmarti, I am not seeing the newly started container in the Remote Explorer viewlet:

[chrmarti]

@lszomoru I forgot: You need to open a folder on the SSH server. (tracked with microsoft/vscode#111371)

[lszomoru]

@chrmarti, now I see the container but when I try to attach I get in this loop as the container does not seem to be running:

[chrmarti]

@lszomoru My bad, you need to start it with a process that keeps running: docker run -d debian sleep infinity