Test: Connect to Dev Container over tunnel / SSH on Windows

[chrmarti]

Refs: #9095

• macOS @lramos15
• linux @bpasero
• windows @roblourens

Complexity: 4

Create Issue

---

Note: The 'Open Folder' picker for remote currently has a bug where you can get a Windows workspace folder without drive letter. The workaround is to manually enter the drive letter before pressing Enter to accept. (microsoft/vscode#195938)

Note 2: Make sure the CLI you use to start the tunnel (code-insiders tunnel) is at the latest version to include all bug fixes.

• Make sure you are using Dev Containers 0.319.0-pre-release or later.
• Use, e.g., a Dev Box as the remote Windows machine. https://devbox.microsoft.com
• Make sure you are using the latest Remote-SSH pre-release and Remote-Tunnels pre-release for testing.
• Connect to the remote Windows machine using a tunnel and using SSH. Test the following:
  • Reopen folder in container:
    • Open empty folder in tunnel.
    • Run Dev Containers: Reopen Folder in Container.
    • Pick a dev container config template.
    • Verify that the window reopens on that folder.
  • Open an Integrated Terminal in the dev container and git clone ... a private repository.
    • Verify that the Git credentials are forwarded from your local host.
    • If you are using ssh to clone: The ssh-agent is also forwarded into the dev container, check with ssh-add -l in the container that your key is available.
  • Command Dev Containers: Attach to Running Container.

Additional Instructions

Tunnel

• On the target Window machine:
  • Make sure you have Docker installed (e.g., Docker Desktop).
  • Install the latest Insiders (or latest Insiders CLI).
  • Run code-insiders tunnel, accept EULA, sign-in and create tunnel.
  • Keep this process running.
• On the local machine (OS as assigned above):
  • Install the latest Dev Containers and Remote-Tunnels pre-release extensions.
  • Open the Remote-Explorer and switch to Remote (Tunnels/SSH) at the top.
  • Your tunnel should be shown (make sure you are signed-in with the same account as above).
  • Connect to this tunnel. (The window will reload.)
  • Once connected, e.g., open an empty folder and runDev Containers: Reopen Folder in Container.

SSH

The main hurdle is to get ssh username@windowsmachine working in a terminal. Afterwards Remote-SSH can be used to connect to it. The main problem is reaching the SSH port depending on network rules.

Prep on Windows:

• Make sure in Windows-Key > Optional Features that OpenSSH Server is installed.
• Start the OpenSSH Server in Windows-Key > Services.

Variants to connect:

• Variant 1: Windows machine is in local network or a local VM. This should just work. (Please comment on any difficulties.)
• Variant 2: Windows machine is a devbox.
  • I got it working by using a Linux VM as SSH proxy (ProxyJump option in ~/.ssh/config).
  • I had to add a local non-domain admin user on the devbox to successfully login.
  • From Windows I used ssh -R 2222:localhost:22 linux-azure-vm to set up a tunnel.
  • In my local ~/.ssh/config I used the following to configure the proxy:

Host devbox
    # HostName as seen from the jump host
    HostName localhost
    Port 2222
    User windowsuser
    ProxyJump jumpboxuser@jumpboxip:22

[bpasero]

The lowlight here is that there were really no setup instructions and I had to go through installing Docker for Windows, OpenSSH, etc. to setup everything. TPIs need setup instructions, anything else just leaves people very frustrated...

The highlight is that I am able to open a dev container from Linux (running in Parallels VM) in Windows connected through a tunnel 🤯

I ran out of time testing SSH though.

[chrmarti]

@bpasero Sorry for the trouble and thanks for the feedback. I have added additional instructions based on that.

@roblourens I found the SSH setup especially difficult to get working, maybe you have a recipe to share for that?

[lramos15]

This does seem a bit much for a complexity 4. Even a lot to ask of a complexity 5. I'm testing macOS and I need a Windows dev box, and a Linux VM with an SSH proxy to test all the features. A lot of these things I don't have and must set up for the first time just to get into a workable state for this TPI

[chrmarti]

@lramos15 If you have an x64 Mac, you can use a Window VM on Parallels to run the SSH server. (This currently doesn't work with ARM Macs because these do not yet support nested virtualization.)

[roblourens]

@bpasero did you get this working in a dev box? I can't get the ssh server working and I wonder if they are just blocking ssh aggressively there like they do in our azure subscription.

I generally just follow https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell but windows ssh is hard to troubleshoot.

[lramos15]

Tested with dev containers, could not get SSH to work with the dev box configuration. Not sure what the best approach is / how the jumpbox works

[chrmarti]

A simpler approach is to use an Azure VM. That has its own hurdles, so I underestimated the complexity of this test item.

My notes from setting up a Windows Azure VM with Docker for the future:

Create Windows Azure VM with Docker

• Create VM in Azure Portal. https://portal.azure.com
• E.g., using personal Visual Studio Ultimate with MSDN subscription to avoid port restrictions.
• Security Type: Standard (avoid secure boot, that makes nested virtualization fail)
• Image: Windows 11 Pro.
• Size: E.g., Standard D4s v3. Must support nested virtualization, see https://docs.microsoft.com/en-us/azure/virtual-machines/acu.
• Allow ports SSH and RDP.
• After creation consider setting up Auto-Shutdown, e.g., at midnight to avoid burning money.
• After creation download RDP file under the VM's Connect tab in the Azure Portal and connect.
• wsl --install
  • If this complains nested virtualization is not available, run as admin: Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
• Install Docker, e.g.: https://docs.docker.com/desktop/install/windows-install/
• Make sure in Windows-Key > Optional Features that OpenSSH Server is installed.
• Start the OpenSSH Server in Windows-Key > Services.
• Or in PowerShell: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
• Test from localhost: ssh <username>@<ip-address>
• Add alias to ~/.ssh/config:

Host <alias>
    HostName <ip-address>
    User <username>

• Test from localhost: ssh <alias>
• Use Remote-SSH: Connect to Host... with <alias>.

[roblourens]

Where do logs for the dev containers extension go? I set the log level to "trace" but I don't see an output channel

[bpasero]

@roblourens for this TPI I had to use a second machine, which is a full Windows machine where I was able to install Open SSH server, Docker for Windows.

[chrmarti]

The logs go to a terminal: Dev Containers: Show Container Log.

[chrmarti]

Coming to think about it: For testing with Windows as the local machine, a single Windows machine might be sufficient. Just connect to localhost as the SSH server. @roblourens Is that how you are testing?

[roblourens]

Yeah, I will test it that way, I just wanted to do a "real" remote setup at first and try dev boxes

[roblourens]

Blocked on #9128

[roblourens]

Between #9134 and #9135, nothing is really working for me. That's all I can do right now.

Also found that when I install Docker on a win11 parallels vm, it crashes. Using a win10 vm.

[chrmarti]

@roblourens Did you get ssh on the devbox working? When I try ssh redmond\\chrmarti@localhost it hangs and then terminates the network connection. I could only get it to work with an additional local user, so ssh foobar@localhost works.

[roblourens]

No, I tested it with a local VM. Thanks for the tip

[chrmarti]

Figured out how to use WSL to run the client and connect to the Windows host with SSH. So a DevBox can be used to test Windows and Linux clients connecting to a Windows SSH server. For macOS as the client, a Windows Azure VM appears to be the simplest setup (see #9123 (comment)).

DevBox Setup

• Set up a DevBox and connect with Remote Desktop: https://devbox.microsoft.com
• Install WSL for Docker: wsl --install
• Install Docker, e.g.: https://docs.docker.com/desktop/install/windows-install/
• Make sure in Windows-Key > Optional Features that OpenSSH Server is installed.
• Start the OpenSSH Server in Windows-Key > Services.
• Or in PowerShell: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
• Add an additional user with admin rights (to access Docker). (SSH hangs logging in with the domain user.)
• Test: ssh <username>@localhost
• Add alias to ~/.ssh/config:

Host localhost
    User <username>

• Quit Docker Desktop and restart as admin (right click, Run as admin) to access the local user's folders.

Access from WSL

• If using an updated SSHd: Allow access to the SSH Server Preview (port 22) for the public profile in the Windows Firewall.
• Pick WSL IP address from ipconfig on Windows.
• Test in Windows: ssh <username>@<ip-address>.
• Test in WSL: ssh <username>@<ip-address>.
• Add alias to ~/.ssh/config in WSL:

Host windows
    HostName <ip-address>
    User <username>

• Install VS Code in WSL (https://code.visualstudio.com/docs/setup/linux).
• Start VS Code from WSL (recent WSL versions have X11 and Wayland displays configured).
• Install Remote-SSH and connect to windows SSH server.