Dev container workflow & security concerns with tunnel.

Hello 👋🏻 . I am trying to migrate my workflow to fully remote development using a home server. Currently, I develop everything in dev containers on a local host, and Coder seems to be especially fit to replace this as it supports dev containers in conjunction with the VSCode Web UI. I have two questions to this end:

1. Dev containers seem to work fine with the provided template, but is there a way to access a UI (terminal or graphical) similar to VSCode's "Add dev container configuration files"? (See attached image.)
2. Am I paranoid for disabling the tunnel and putting everything behind a VPN? My projects aren't high value targets or anything, but something about allowing a tunnel into my home server feels irresponsible to me.

Thanks!
11 Replies
Codercord
Codercord3w ago
Category: Help needed
Product: Coder OSS (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Phorcys
Phorcys3w ago
hello, regarding your first question, what goal are you trying to achieve? this menu in VSCode is here to bootstrap a new devcontainer spec for your repo, so you should also be able to use this within VSCode web

---

for the tunnel vs VPN, in this case they're pretty much the same thing. Coder uses Tailscale, which uses Wireguard for the VPN tunnel; security between something like OpenVPN and Wireguard should be pretty much the same. keep in mind that this tunnel is locked down behind authentication, just as your VPN would be. this is basically the same thing as using a VPN but more integrated in the product
Caspertje
Caspertje3w ago
Thanks for the replies!

1. Correct me if I'm wrong, but this menu shouldn't be available in VSCode Web, since it does not support the dev container extension (which is the reason I personally want to use Coder). Additionally, even if it did, the Coder dev container template requires a repository to be bootstrapped before instantiation, so you would need an additional workspace just to set up the dev container files. The current workflow I am imagining would be to set up a repository with VSCode desktop or the dev container CLI before opening it in Coder to create my actual workspace. Not a deal breaker by any means, but it's just a few extra steps to get started.
2. I see, makes sense. From what I understand, the moment you open the Coder URL, you are "in contact" with my local instance through the tunnel, right? Maybe I am just overly paranoid, but this seems less secure than CloudFlare Tunnel's model of requiring authentication through CloudFlare Access before a single request is even passed on to the actual server. Again, not really a dealbreaker since I can use CloudFlare Tunnel instead, but I am severely out of my depth here 😅 .
Phorcys
Phorcys3w ago
1. VSCode web does support devcontainers, just differently. basically, Coder's support for devcontainers means that you have 1 Coder workspace per devcontainer spec (usually per project/repo), whereas the VSCode support is usually 1 devcontainer spec per project/repo within the same "workspace" (usually your computer). so you can technically open devcontainers in VSCode Web like you would in regular VSCode outside of Coder, your workspace just needs to be able to run Docker

2. depends on what you mean by your "local instance". if you mean the Coder server, then yes. Cloudflare Access gates requests to your web server; Coder's tunnel gates requests to your Coder workspaces. so both of these have the same principle and amount of security, they just don't gate the same thing, and you could use Coder's tunnel through Cloudflare Access (if you access Coder through the web, otherwise the Coder tunnel uses DERP when applicable for better performance, but still authenticated)

let me know if you have any other questions
Caspertje
Caspertje2w ago
Thanks for these answers! I spent the last few days setting up a home server based around Coder and CloudFlare Tunnel/Access. Do you think there would be any interest in a short write-up on how to set this up, or is it too niche considering Coder's own tunnel?
Phorcys
Phorcys2w ago
we have other people interested in using CF Access alongside Coder, so go ahead! it's definitely appreciated :)
Caspertje
Caspertje2w ago
Haha, nice to know I'm not doing anything too weird. There are some caveats in particular if you want to run the official VSCode Web due to its dependence on wildcard subdomains, but I'll turn my current setup into a basic Terraform config to get everything up and running. One thing I still haven't gotten around to solving is getting the WebSocket to work with Access without a blanket IP bypass — CloudFlare ignores its special authentication headers for WebSocket traffic, and Warp is quite a mess to set up programmatically.

--

That aside, I have an unrelated question if you don't mind: The docs recommend mounting your host's Docker socket if you are going to be developing within "local" Docker containers. This works perfectly fine of course, but it clutters my top level containers with workspaces, and something feels off about giving a container direct access to the host like that. What is the best way to put all workspace containers into a container of their own, and would this be a bad idea? Maybe just Docker in Docker will do the trick? (This doesn't actually matter for the purposes of my home server, but I'm trying to learn best practices as I go.)
Phorcys
Phorcys2w ago
hey @Caspertje, I'm not sure I'm understanding your question. is this about running your workspaces in Docker or running Docker in your workspaces?
Caspertje
Caspertje2w ago
I mean running my workspaces in Docker.
Phorcys
Phorcys2w ago
okay so you can't really avoid polluting the Docker host, since it's not really pollution in the first place. well, Coder needs access to your Docker socket if you're deploying stuff in Docker. if you don't like that you can do either one of these:

- Set up an external Docker host (I would advise a dedicated VM and not a container, because doing Docker-in-Docker-in-Docker isn't great)
- Use a docker socket proxy to only give Coder access to what it needs (though this isn't really documented iirc)

but honestly if you really want isolation I'd recommend going with Kubernetes and having Coder workspaces be in a specific namespace
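The socket-proxy option from the reply above, written out as an added Compose example (not from the Coder project or anyone in this thread). It assumes the HAProxy-based tecnativa/docker-socket-proxy image, whose per-endpoint allow flags are shown here, and that Coder's Docker template picks up the server's DOCKER_HOST environment variable through the Terraform Docker provider; the hostname coder.example.com is a placeholder.

```yaml
# Added example: Coder server talking to the Docker API only through a
# filtered proxy, so the raw socket is never mounted into the Coder container.
services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy
    volumes:
      # The real socket is mounted only here; the proxy is the single holder.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Endpoints a Docker-based workspace template needs (assumed set).
      CONTAINERS: 1      # list/inspect/create/remove workspace containers
      IMAGES: 1          # pull the workspace image
      VOLUMES: 1         # per-workspace home volumes
      NETWORKS: 1        # attach workspaces to a network
      POST: 1            # create/start/stop are POST requests
      ALLOW_START: 1
      ALLOW_STOP: 1
      ALLOW_RESTARTS: 1
      # Endpoints the server has no reason to reach (proxy default is deny;
      # listed explicitly so the policy is visible in review).
      EXEC: 0            # no exec into arbitrary host containers
      BUILD: 0
      COMMIT: 0
      SWARM: 0
      SYSTEM: 0          # no df/events/info leakage about the host
    networks:
      - docker-api

  coder:
    image: ghcr.io/coder/coder:latest
    environment:
      # Terraform's Docker provider honours DOCKER_HOST, so the template
      # needs no change; port 2375 is the proxy's listener.
      DOCKER_HOST: tcp://docker-socket-proxy:2375
      CODER_ACCESS_URL: https://coder.example.com   # placeholder
    depends_on:
      - docker-socket-proxy
    networks:
      - docker-api

networks:
  docker-api:
    internal: true       # proxy is reachable only from this Compose network
```

Caveat for the threat model: the proxy filters by API path, not by request body, so a caller that is allowed to create containers can still request privileged ones or host bind mounts; it narrows what the Coder server can touch (no exec, build or system endpoints) rather than making the socket safe to hand out. Because Coder's agent is launched by the container's own start command, EXEC=0 does not stop workspaces from coming up.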
Caspertje
Caspertje2w ago
Noted, thanks! I will look into Kubernetes 🙂.