Container Tools Tips and Tricks
This article covers troubleshooting tips and tricks for the Visual Studio Code Container Tools extension. See the Overview and quickstart articles for Node.js, Python, or ASP.NET for details on setting up and working with containers.
Running as a non-root user
For security reasons, we recommend selecting the default ports when executing the Containers: Add Docker Files to Workspace... command, or otherwise opting for a port greater than 1023 whenever possible. This will allow VS Code to configure the Dockerfile with non-root access and prevent a malicious user from elevating permissions in the container. In some cases, there is no port selection, so the Container Tools extension configures non-root access by default. In all cases, you must ensure each resource (such as ports and files) modified or used by your application can be accessed by a non-root user in your container.
If you select a port less than 1024 when adding Dockerfiles to the workspace, the Container Tools extension cannot create a Dockerfile that runs the container as a non-root user. This is because ports in this range are called well-known or system ports, and a process must run with root privileges in order to bind a network socket to one of them.
The Containers: Add Docker Files to Workspace... command sets up non-root privileges if you choose a non-system port. If your current Dockerfile and tasks.json are not set up for non-root usage, try running the command Containers: Add Docker Files to Workspace..., and select a port greater than 1023. This command overwrites your current Dockerfile and tasks.json. For some project types, such as Python: General, you might still need to modify your Dockerfile and tasks.json. Within the Dockerfile, you must expose a non-system port, create a working directory for your app code, and then add a non-root user with access to the app directory. Ensure that your exposed port is updated wherever it is referenced. In the example below, the Gunicorn port had to be updated to match the exposed port:
    # 1024 or higher
    EXPOSE 1024

    # ... other directives such as installing requirements.txt file

    # Creates /app in container if it does not already exist
    # Ports code into /app
    WORKDIR /app
    ADD . /app

    # Creates a non-root user and adds permission to access the /app folder
    RUN adduser -u 5678 --disabled-password --gecos "" appuser && chown -R appuser /app
    USER appuser

    CMD ["gunicorn", "--bind", "0.0.0.0:1024", "pythonPath.to.wsgi"]
Next, ensure the docker run task in tasks.json also expects the same port. You can usually search for any occurrences of the old port number in tasks.json and replace it with the new port number. The following example shows the required changes in the case of a Python Django app:
    {
      "type": "docker-run",
      "label": "docker-run: debug",
      "dependsOn": ["docker-build"],
      "python": {
        "args": [
          "runserver",
          "0.0.0.0:1024", //<- Change the number after the colon
          "--nothreading",
          "--noreload"
        ],
        "file": "manage.py"
      }
    }
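
The checks described in this section, as an added example that is not part of the original article or the extension's own code: a Python script that flags a system port in EXPOSE, a final stage without a non-root USER, and bind ports in the Dockerfile CMD or tasks.json that do not match EXPOSE. The function names, the FROM line, and the sample inputs are assumptions constructed for illustration.

```python
import re

SYSTEM_PORT_MAX = 1023   # ports up to 1023 are system ports; binding them needs root
BIND = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}:(\d{1,5})\b")   # e.g. 0.0.0.0:1024

def bind_ports(text):
    """Ports written in host:port form (Gunicorn --bind, Django runserver)."""
    return {int(p) for p in BIND.findall(text)}

def check_non_root(dockerfile, tasks_json=""):
    """Return findings for the final build stage; an empty list means consistent."""
    exposed, user, cmd_ports = set(), None, set()
    for line in re.sub(r"\\\r?\n", " ", dockerfile).splitlines():  # join continuations
        instr, _, rest = line.strip().partition(" ")
        instr = instr.upper()
        if instr == "FROM":       # new stage; assumption: it starts as root
            exposed, user, cmd_ports = set(), None, set()
        elif instr == "EXPOSE":   # accepts "1024" and "1024/tcp"; skips variables
            exposed |= {int(t.split("/")[0]) for t in rest.split()
                        if t.split("/")[0].isdigit()}
        elif instr == "USER":     # "name" or "uid:gid"; the last USER wins
            user = rest.strip().split(":")[0]
        elif instr in ("CMD", "ENTRYPOINT"):
            cmd_ports |= bind_ports(rest)
    findings = [f"EXPOSE {p}: system port, binding it requires root"
                for p in sorted(exposed) if p <= SYSTEM_PORT_MAX]
    if user in (None, "", "root", "0"):
        findings.append("final stage has no non-root USER")
    for where, ports in (("Dockerfile CMD", cmd_ports),
                         ("tasks.json", bind_ports(tasks_json))):
        findings += [f"{where} binds {p}, which is not in EXPOSE {sorted(exposed)}"
                     for p in sorted(ports - exposed)]
    return findings

# Constructed samples: GOOD follows the Dockerfile shown above (FROM line assumed),
# BAD is a made-up variant with a system port and no USER directive.
GOOD = '''FROM python:3-slim
EXPOSE 1024
WORKDIR /app
ADD . /app
RUN adduser -u 5678 --disabled-password --gecos "" appuser && chown -R appuser /app
USER appuser
CMD ["gunicorn", "--bind", "0.0.0.0:1024", "pythonPath.to.wsgi"]
'''
BAD = GOOD.replace("EXPOSE 1024", "EXPOSE 80").replace("USER appuser\n", "")
TASKS = '{"python": {"args": ["runserver", "0.0.0.0:1024", "--noreload"]}}'

if __name__ == "__main__":
    for name, df in (("good", GOOD), ("bad", BAD)):
        print(name, check_non_root(df, TASKS))
```

The tasks.json text is scanned with a regular expression rather than parsed, because the file may contain comments that a strict JSON parser rejects.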
Error "connect EACCES /var/run/docker.sock" on Linux
Since VS Code runs as a non-root user, you will need to follow the steps in "Manage Docker as a non-root user" from Post-installation steps for Linux to access Docker from the extension.
Containers and images have disappeared from Container Explorer
This is most likely caused by a conflict with another extension called Docker Explorer (not authored by Microsoft). To resolve this issue, use the workaround described in vscode-docker issue #1609.
The extension does not find Docker on a remote machine
Error message "Failed to connect. Is Docker installed and running?"
- Make sure Docker engine is installed on the remote machine and that Docker CLI works (run docker ps from the terminal and ensure it does not return any errors).
- If you are using a remote development environment (remote machine via SSH, WSL subsystem, GitHub Codespace), make sure the Container Tools extension is installed remotely as well as locally.
Invalid URL errors
If you need to connect to a remote Docker daemon, we recommend using Docker contexts instead of a containers.environment attribute in the settings. Check out this guide to learn how to create and use a context to communicate with a remote Docker daemon.
If you still need to override the Docker context you are currently using, make sure your DOCKER_HOST environment variable or containers.environment.DOCKER_HOST attribute includes a protocol in the URL (for example, ssh://myuser@mymachine or tcp://1.2.3.4).
Note: Keep in mind that your containers.environment.DOCKER_HOST attribute will override your Docker context, and the DOCKER_HOST environment variable will override both the containers.environment.DOCKER_HOST attribute and your Docker context.
Tip: In PowerShell, you can change your Docker environment variable with:
    $ENV:DOCKER_HOST = 'ssh://username@1.2.3.4'
Questions and feedback
We love your feedback! If you have any ideas or suggestions, report an issue.