
Added option to enable SSL, provide certificate/key and set server port. #23


Closed

Conversation


@Grimeton Grimeton commented Mar 9, 2020

linuxserver.io

We welcome all PRs, though this doesn't guarantee it will be accepted.

Description:

Added option to enable SSL via environment variable "SSL_ENABLED". If it is set to anything other than "false", SSL will be enabled and the code-server will auto generate the certificate and the key (it's a feature of code-server).

Certificate and key file can also be provided via the environment variables "HTTPS_CERT" and "HTTPS_KEY". They should contain a full path to the corresponding file inside the container. If both files exist, they will be handed to the code-server to use them. There are no special checks done on the content of the files. If they exist, they're used. Garbage in, garbage out.

Another option is to set the server's port via the environment variable "SERVER_PORT". Again: No checks are done. The port cannot be < 1024 because the server is not running as root and I didn't want to change that.

I added a bit of a description to the readme-vars.yml file, but was unsure where to put the information about the fact that code-server can auto generate the certificates on its own. I also added the volume for the certificates to the readme-vars.yml file as well as an updated log. The certificate/key could probably be put into the config volume, but wasn't sure. If that's a possibility, let me know and we can change the description.

Last but not least, I changed the Dockerfile to contain the environment variable "DEBIAN_ENVIRONMENT" with the value "noninteractive" to avoid the error messages during the setup of the container.

Benefits of this PR and context:

Advanced features, more use cases...

How Has This Been Tested?

Set up a docker-compose.yaml file and then tested by providing every variable and checking the action/reaction of the container after recreating it. Not really much to test on a few lines of shell script. It's working. If one of the files, cert/key, is missing, the certificate will be auto generated, and if the port is < 1024 the server will put errors into the log file.

Source / References:

Nothing to put here.

@aptalca
Member

aptalca commented Mar 10, 2020

Thanks for the PR. Been pondering this ever since.

We originally didn't enable https functionality because we much prefer putting this behind a reverse proxy (like this one, which comes with a preset proxy conf for code-server).

Then I realized this would be a perfect candidate for a docker mod: https://blog.linuxserver.io/2019/09/14/customizing-our-containers/

We already have a few mods published for code-server: https://mods.linuxserver.io/?mod=code-server although we haven't yet started promoting them (fleshing out the readme updates).
Here's more info on how to create a mod: https://github.com/linuxserver/docker-mods/
I'd be happy to help you with that. Let me know.

PS. The lack of noninteractive was an oversight. We'll go ahead and add it.
PPS. The port adjustment is not necessary, as changing the port can be done through mapping a different port in docker create/compose.

@Grimeton
Author

Grimeton commented Mar 10, 2020

> Thanks for the PR. Been pondering this ever since.
>
> We originally didn't enable https functionality because we much prefer putting this behind a reverse proxy (like this one, which comes with a preset proxy conf for code-server).

Yeah, the reverse proxy thing is a deceiving kind of security. When running a web server you have two basic attack vectors: the network protocol, basically attacking the port itself, and I think that's really hardened, or the application, in this case via the HTTP requests/traffic.

So running a reverse proxy that offers SSL is basically a good thing, but the application behind it isn't protected in any way, because there is no filter in the proxy that would filter out anything that could be malicious. So the attack surface hasn't changed, but yeah, I get where you're coming from ...

The mod thing seems interesting, but I guess it's easier just to use your image as the base image and then run a docker build with a Dockerfile that replaces the one file that needs replacing. I'm going to look into it, but as far as I understand the docker philosophy when building something you could just generate a Dockerfile on the fly with multiple RUN commands that would then provide multiple layers/different images. So in theory you could just create a layer on top of the base image for every function and make it work. Basically similar to what Microsoft offers with the WIM format for Windows deployments.

The code-server seems to be a bit problematic anyway, as I'm not able to reproduce a working build from their repository and the officially published builds are all contained in their own "nbin"-format that has been created by them and doesn't allow extraction.

About the port: I run the container with its own IP address on a subnet that can be accessed directly from the local network, so there's neither a host IP nor iptables involved. I actually disabled iptables management in Docker so I doubt the "-p" option would have any effect. Let me know if I'm wrong there.

Cu

@aptalca
Member

aptalca commented Mar 10, 2020

Our letsencrypt image has fail2ban built-in that works for http auth. Reverse proxy over docker network and don't map a port for code server. That's the best you can do.

@Grimeton
Author

Yeah I'm running https://github.com/jeroennijhof/pam_script together with http://ipset.netfilter.org/iptables-extensions.man.html#lbBW . It's a more event driven approach :)

@dsbaha

dsbaha commented Jun 26, 2020

I just ended up quickly writing my own TLS reverse proxy that gets a Let's Encrypt certificate and layered a few files on top of this image to get TLS.

Service run file pretty much looks like this:

#!/usr/bin/with-contenv bash
exec /usr/bin/quicktlsproxy -destination http://127.0.0.1:8443 -certdir /config/certs ${TLS_DOMAIN_NAME}

Dockerfile pretty much looks like this:

FROM linuxserver/code-server:latest
COPY files /
EXPOSE 80 443

I guess I should mention I did this for two reasons:

  1. TLS enabled service without the browser complaining and trusting random/temporary certs/CAs.
  2. Listen and proxy requests on IPv6. My internet exposed Docker network is reachable on IPv6 only (not IPv4).

quicktlsproxy

@github-actions

github-actions bot commented Sep 2, 2020

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@wchan-ranelagh

I found this PR when looking to do the same thing (configure code-server to run with --cert and --cert-key parameters).

There was a mention that this can be done with a docker mod. Can someone tell me how in a docker mod you can override the command in the run script? As this PR shows, there are additional parameters that need to be passed to the command but in a docker mod I see that you mostly just tarball up a bunch of files to customize the additional files available. And maybe a script to install additional dependencies or start an additional service. I didn't see any mod that overrides the command in the run script, so I'm not sure how one will do this?

Is there any pointer to how one would do something similar to this PR in a docker mod? Or perhaps we can get a variation of this PR just merged to provide this option to this docker?

Thanks!

@aptalca
Member

aptalca commented Jul 21, 2021

Through a mod, you can add a custom service file that overwrites the default one in there. Or you can add a custom script (init file) that seds the service file to add parameters.

@wchan-ranelagh

Oh, I see! I was looking for some other mechanism to override it, but now I understand.

For those stumbling across this, the following works:

Put in a file under config/custom-cont-init.d like add_params.sh (you can name it whatever you want)

#!/usr/bin/with-contenv bash

echo "**** adding --cert and --cert-key parameters to code-server startup ****"

sed -i 's/\/bin\/code-server \\/\/bin\/code-server \\\n            --cert ${SSL_CERT_PATH} \\\n            --cert-key ${SSL_KEY_PATH} \\/g' /etc/services.d/code-server/run

The above will then expect the environment variables SSL_CERT_PATH and SSL_KEY_PATH to point to wherever your cert and key files are. It doesn't do anything fancy with checking if the variable is present or anything, so it's not super generic, but it works for me and I hope it helps someone else.

Thanks!
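As an added example (not code from the PR, this thread, or the linuxserver image), here is a hardened variant of the init script above. It refuses to touch the run file unless both cert and key are readable, warns when the private key is readable by group/other, escapes the paths before handing them to sed, and skips the edit when the flags are already present, which matters because custom-cont-init.d scripts run on every container start and the patched run file persists. Assumed: the run file path and the "/bin/code-server \" anchor line are as in the thread; the function name add_tls_params and its return codes are mine.

```shell
#!/bin/bash
# Inside the container the shebang would be: #!/usr/bin/with-contenv bash
# Added example; not the PR's or the linuxserver image's own code.
# Assumes the run file contains a line ending in "/bin/code-server \"
# (as /etc/services.d/code-server/run did when this thread was written).

RUN_FILE="${RUN_FILE:-/etc/services.d/code-server/run}"

# add_tls_params RUN_FILE CERT KEY
#   returns 0: flags added (or already present, nothing to do)
#   returns 1: cert/key unset or unreadable; run file left untouched
#   returns 2: anchor line not found in run file (image layout changed)
add_tls_params() {
    run_file="$1"; cert="$2"; key="$3"
    if [ -z "$cert" ] || [ -z "$key" ] || [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "**** SSL_CERT_PATH/SSL_KEY_PATH unset or unreadable, starting without TLS ****" >&2
        return 1
    fi
    # A private key readable by group/other is a misconfiguration worth flagging.
    if ls -ld "$key" | cut -c5-10 | grep -q r; then
        echo "**** warning: $key is readable by group/other ****" >&2
    fi
    # Idempotency: custom-cont-init.d runs on every container start and the
    # patched run file persists, so do not add the flags a second time.
    if grep -q -- '--cert-key ' "$run_file"; then
        return 0
    fi
    grep -q '/bin/code-server \\$' "$run_file" || return 2
    # Escape &, | and \ so the paths are safe inside the sed replacement.
    cert_esc=$(printf '%s' "$cert" | sed 's/[&|\\]/\\&/g')
    key_esc=$(printf '%s' "$key" | sed 's/[&|\\]/\\&/g')
    sed -i "s|/bin/code-server \\\\\$|/bin/code-server \\\\\n    --cert ${cert_esc} \\\\\n    --cert-key ${key_esc} \\\\|" "$run_file"
}

# Only act when the run file exists, i.e. when running inside the container.
if [ -f "$RUN_FILE" ]; then
    echo "**** adding --cert and --cert-key parameters to code-server startup ****"
    add_tls_params "$RUN_FILE" "$SSL_CERT_PATH" "$SSL_KEY_PATH" \
        || echo "**** code-server run file not patched (status $?) ****" >&2
fi
```

Unlike the one-liner, the paths are expanded at init time rather than when the service starts, so the run file records the literal paths; inspect it after the first start to confirm what was inserted.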

@dapper42

> Oh, I see! I was looking for some other mechanism to override it, but now I understand.
>
> For those stumbling across this, the following works:
>
> Put in a file under config/custom-cont-init.d like add_params.sh (you can name it whatever you want)
>
> #!/usr/bin/with-contenv bash
>
> echo "**** adding --cert and --cert-key parameters to code-server startup ****"
>
> sed -i 's/\/bin\/code-server \\/\/bin\/code-server \\\n            --cert ${SSL_CERT_PATH} \\\n            --cert-key ${SSL_KEY_PATH} \\/g' /etc/services.d/code-server/run
>
> The above will then expect the environment variables SSL_CERT_PATH and SSL_KEY_PATH to point to wherever your cert and key files are. It doesn't do anything fancy with checking if the variable is present or anything, so it's not super generic, but it works for me and I hope it helps someone else.
>
> Thanks!

Do you have any idea what I have done wrong if I am getting this? New to mods, but I'm not even seeing the S option here.

**** adding --cert and --cert-key parameters to code-server startup ****

sed: -e expression #1, char 68: unknown option to `s'

@wchan-ranelagh

wchan-ranelagh commented Sep 23, 2021

> > Oh, I see! I was looking for some other mechanism to override it, but now I understand.
> > For those stumbling across this, the following works:
> > Put in a file under config/custom-cont-init.d like add_params.sh (you can name it whatever you want)
> >
> > #!/usr/bin/with-contenv bash
> >
> > echo "**** adding --cert and --cert-key parameters to code-server startup ****"
> >
> > sed -i 's/\/bin\/code-server \\/\/bin\/code-server \\\n            --cert ${SSL_CERT_PATH} \\\n            --cert-key ${SSL_KEY_PATH} \\/g' /etc/services.d/code-server/run
> >
> > The above will then expect the environment variables SSL_CERT_PATH and SSL_KEY_PATH to point to wherever your cert and key files are. It doesn't do anything fancy with checking if the variable is present or anything, so it's not super generic, but it works for me and I hope it helps someone else.
> > Thanks!
>
> Do you have any idea what I have done wrong if I am getting this? New to mods, but I'm not even seeing the S option here.
>
> **** adding --cert and --cert-key parameters to code-server startup ****
>
> sed: -e expression #1, char 68: unknown option to `s'

Hi,

Looks like something during your cut and paste changed the normal single quote to one of those "smart" quotes so it doesn't like it.

Just make sure the quote in front of the s is a normal quote (just delete that quote character you have and re-type it into the terminal or something). And there is also a quote near the end of that line that should be a normal quote as well.

@szethh

szethh commented Feb 15, 2022

> Oh, I see! I was looking for some other mechanism to override it, but now I understand.
>
> For those stumbling across this, the following works:
>
> Put in a file under config/custom-cont-init.d like add_params.sh (you can name it whatever you want)
>
> #!/usr/bin/with-contenv bash
>
> echo "**** adding --cert and --cert-key parameters to code-server startup ****"
>
> sed -i 's/\/bin\/code-server \\/\/bin\/code-server \\\n            --cert ${SSL_CERT_PATH} \\\n            --cert-key ${SSL_KEY_PATH} \\/g' /etc/services.d/code-server/run
>
> The above will then expect the environment variables SSL_CERT_PATH and SSL_KEY_PATH to point to wherever your cert and key files are. It doesn't do anything fancy with checking if the variable is present or anything, so it's not super generic, but it works for me and I hope it helps someone else.
>
> Thanks!

There was a bug that prevented this from working properly (see coder/code-server#4693), but this has been fixed as of now, with PR (coder/code-server#4840).
Will this fix be merged into Linuxserver's image? SSL capabilities are quite important for some VSCode features.

@aptalca
Member

aptalca commented Feb 15, 2022

Per my message above, this PR will not be merged. Recommendation is a docker mod.

@aptalca aptalca closed this Mar 7, 2022