David
David
PostsComments
CCoder.com
Created by David on 4/10/2025 in #help
envbuilder clone a private git repository?
- I've added my Coder SSH public key to github. - I'm using a template based on the aws-devcontainer template. - I set repo_url to [email protected]:foo/bar Envbuilder fails to authenticate: 
envbuilder v1.1.0+a3a6a83 - Build development environments from repositories in a container
#1: 📦 Cloning [email protected]:foo/bar to /workspaces/bar...
#1: 🔑 Using SSH authentication!
#1: 🔑 No SSH key found, falling back to agent!
#1: ❌ Failed to connect to SSH agent: error creating SSH agent: "SSH agent requested but SSH_AUTH_SOCK not-specified"
#1: Parsed Git URL as "ssh://[email protected]/foo/bar"
Failed to clone repository: clone "[email protected]:foo/bar": error creating SSH agent: "SSH agent requested but SSH_AUTH_SOCK not-specified"
Falling back to the default image...
envbuilder v1.1.0+a3a6a83 - Build development environments from repositories in a container
#1: 📦 Cloning [email protected]:foo/bar to /workspaces/bar...
#1: 🔑 Using SSH authentication!
#1: 🔑 No SSH key found, falling back to agent!
#1: ❌ Failed to connect to SSH agent: error creating SSH agent: "SSH agent requested but SSH_AUTH_SOCK not-specified"
#1: Parsed Git URL as "ssh://[email protected]/foo/bar"
Failed to clone repository: clone "[email protected]:foo/bar": error creating SSH agent: "SSH agent requested but SSH_AUTH_SOCK not-specified"
Falling back to the default image...
After the fall back image starts, I can git clone and the agent ssh successfully authenticates. I'm guessing envbuilder is trying to clone the repo before the agent is pulled by the ENVBUILDER_INIT_SCRIPT. I think the logs corroborate that. Is there a way to get the clone to work the first startup?
4 replies
CCoder.com
Created by David on 4/4/2025 in #help
EKS/ECR envbuilder layer cache
I'm trying to setup devcontainer layer caching. I started out with the aws-devcontainer starter template, and I have a repo in ECR which I have filled in to the "cache_repo" variable. But when I start the workspace, I see the following: 
Failed to find cached image in repository "[aws-acct-id].dkr.ecr.us-west-2.amazonaws.com/envbuilder-cache". It will be rebuilt in the next apply. Error: failed to fetch the envbuilder binary from the builder image: check remote image: check remote image: GET https://[aws-acct-id].dkr.ecr.us-west-2.amazonaws.com/v2/custom-envbuilder/manifests/latest: unexpected status code 401 Unauthorized: Not Authorized
Failed to find cached image in repository "[aws-acct-id].dkr.ecr.us-west-2.amazonaws.com/envbuilder-cache". It will be rebuilt in the next apply. Error: failed to fetch the envbuilder binary from the builder image: check remote image: check remote image: GET https://[aws-acct-id].dkr.ecr.us-west-2.amazonaws.com/v2/custom-envbuilder/manifests/latest: unexpected status code 401 Unauthorized: Not Authorized
As this is coming from terraform, this is running in the coder pod which is running with the "coder" service account. I have a pod identity association that should be giving this service account access to ECR, with full read access and write to the envbuilder-cache repo. I had a hypothesis that the pod identity association was not sufficient to access ECR, only to retrieve credentials. So I adjusted the template to add a data "aws_ecr_authorization_token" and to use that to render a docker_config_base64 for the "envbuilder_cached_image": I can see with coder state pull that it is getting an authorization token. Yet the 401 error persists. Anything I should be checking?
13 replies