Using VS Code Devcontainers (docker-from-docker) with Non Root User Failing Docker Daemon Credentials Check #376

Open
@ghost

Description

  • VSCode Version:
    Version: 1.74.2
    Commit: e8a3071ea4344d9d48ef8a4df2c097372b0c5161
    Date: 2022-12-20T10:32:21.587Z
    Electron: 19.1.8
    Chromium: 102.0.5005.167
    Node.js: 16.14.2
    V8: 10.2.154.15-electron.0
    OS: Darwin arm64 21.6.0
    Sandboxed: No

  • Local OS Version:
    Mac OS X Version 12.6

  • Local chip architecture: <x86, arm64, Apple Silicon>
    Apple M1

  • Reproduces in: <Codespaces | Remote - Containers | Both>
    Remote Containers

  • Name of Dev Container Definition with Issue:

old location:
https://github.com/microsoft/vscode-dev-containers/tree/main/containers/docker-from-docker

new location:
https://github.com/devcontainers/features/tree/main/src/docker-from-docker

The entry from our devcontainer.json:

    "docker-from-docker": {
      "version": "latest",
      "moby": true
    },

I also tried updating the above to the "new format":

    "features": {
        "ghcr.io/devcontainers/features/docker-from-docker:1": {}
    }

to no effect.

I posted a question here:
devcontainers/community#20

to find out where this issue/bug should be created - but this seems like the best place for it.

Steps to Reproduce:

Hi there, we've been successfully using devcontainers (non root user spinning up docker containers) for over a year now.

A new version of Docker was pushed out in late December, with a new version of the credential helper, and it appears to have broken our usage of Visual Studio Code devcontainers. Our usage of devcontainers is with a non-root user using the "docker from docker" workflow.

This technique has been working for over a year now using the documentation here:
https://code.visualstudio.com/remote/advancedcontainers/add-nonroot-user

We added our non root user to the group docker.

When the issue first started happening we got the following error:

    failed to solve with frontend dockerfile.v0: failed to create LLB definition: rpc error: code = Unknown desc = error getting credentials - err: exit status 255, out: `

So we blew away all data (containers, images + volumes) using the docker purge data.

Then when we re-ran docker-compose, we started getting Python errors like this:

    Pulling <docker image name> (<docker image name>:)...
    Traceback (most recent call last):
      File "/usr/local/pipx/venvs/docker-compose/lib/python3.9/site-packages/docker/credentials/store.py", line 76, in _execute
        output = subprocess.check_output(
      File "/usr/lib/python3.9/subprocess.py", line 424, in check_output
        return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
      File "/usr/lib/python3.9/subprocess.py", line 528, in run
        raise CalledProcessError(retcode, process.args,
    subprocess.CalledProcessError: Command '['/usr/local/bin/docker-credential-dev-containers-f90694ffd4ef7d23592ec24c6172cf511d70ae8b', 'get']' returned non-zero exit status 255.

Along with a few other Python errors, which appear to be similarly just trying to run some command-line executables.

After a lot of reading online - it seems the issue is that the

    /home/<non root user>/.docker/config.json

is getting populated with invalid credentials in the following format:

    {
        "credsStore": "dev-containers-<hash number>"
    }

After removing this entry from the config.json - everything "just works" - the non root user is once again able to talk to the docker daemon, create images + subsequently containers.

I'm not sure if this issue needs to be "cross posted" to a docker issue repository since this may be in the realm of an integration issue.
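
A diagnostic for the failure described in this issue, added here as an example (it is not code from the issue, the Dev Containers project or Docker): it reads a Docker client `config.json`, collects every credential helper named in `credsStore` or `credHelpers`, and checks that the matching `docker-credential-<name>` binary resolves on the search path and answers a probe. The function names and the use of the helper protocol's `list` subcommand as the probe are assumptions of this example.

```python
import json
import shutil
import subprocess
from pathlib import Path


def helper_names(config: dict) -> set:
    """Credential helper names referenced by a Docker client config."""
    names = set(config.get("credHelpers", {}).values())
    if config.get("credsStore"):
        names.add(config["credsStore"])
    return names


def probe_helper(name: str, search_path=None, timeout: float = 10.0) -> str:
    """Return 'ok', 'missing', 'timeout', 'exec-error' or 'exit:<code>'."""
    binary = shutil.which(f"docker-credential-{name}", path=search_path)
    if binary is None:
        return "missing"  # config names a helper that is not installed
    try:
        # Assumption: 'list' serves as a read-only probe of the helper.
        proc = subprocess.run([binary, "list"], capture_output=True,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    except OSError:
        return "exec-error"
    return "ok" if proc.returncode == 0 else f"exit:{proc.returncode}"


def audit_docker_config(config_path, search_path=None) -> dict:
    """Map each helper referenced by config_path to its probe result."""
    path = Path(config_path)
    if not path.is_file():
        return {}
    config = json.loads(path.read_text())
    return {n: probe_helper(n, search_path) for n in sorted(helper_names(config))}


if __name__ == "__main__":
    results = audit_docker_config(Path.home() / ".docker" / "config.json")
    for name, status in results.items():
        print(f"docker-credential-{name}: {status}")
    if any(status != "ok" for status in results.values()):
        raise SystemExit(1)
```

Run as the same non-root user whose `~/.docker/config.json` is in question, since both the file and the search path are per-user.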


Labels: cli-bug (Needs an upstream @devcontainers/cli bug fix.)
