{"id":13562834,"url":"https://github.com/sar/code-container","last_synced_at":"2025-04-03T19:31:35.268Z","repository":{"id":43662628,"uuid":"321562158","full_name":"sar/code-container","owner":"sar","description":"Launch your own Code Server container with preloaded SDKs for React, Python, C#, Cloud CLIs, secured by SSL Reverse Proxy.","archived":false,"fork":false,"pushed_at":"2023-01-17T18:21:35.000Z","size":78,"stargazers_count":61,"open_issues_count":1,"forks_count":15,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-02T01:48:16.957Z","etag":null,"topics":["aws","azure","code-server","codespaces","debian","docker","docker-compose","dotnet-core","homelab","linux","nginx","podman","reactjs","ssl","typescript","vs-code"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sar.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"license.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-12-15T05:24:55.000Z","updated_at":"2024-11-01T23:46:33.000Z","dependencies_parsed_at":"2023-01-24T13:45:12.493Z","dependency_job_id":null,"html_url":"https://github.com/sar/code-container","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sar%2Fcode-container","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sar%2Fcode-container/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sar%2Fcode-container/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sar%2Fcode-container/manifests","owner_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/owners/sar","download_url":"https://codeload.github.com/sar/code-container/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247065256,"owners_count":20877743,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","azure","code-server","codespaces","debian","docker","docker-compose","dotnet-core","homelab","linux","nginx","podman","reactjs","ssl","typescript","vs-code"],"created_at":"2024-08-01T13:01:12.672Z","updated_at":"2025-04-03T19:31:34.893Z","avatar_url":"https://github.com/sar.png","language":"Dockerfile","readme":"# Containerized Code Server with SSL \u0026 Dev Tooling\n\nLaunch your own [Code Server](https://github.com/cdr/code-server) container with preloaded dev tools (sdks, npm packages, CLIs etc) for an efficient and securely accessible Web IDE in your homelab!\n\n![code-server](https://raw.githubusercontent.com/cdr/code-server/main/docs/assets/screenshot.png)\n\n## Getting Started\n\nClone this repo on the server with `docker` or `podman` configured. 
It's recommended to attach mount points for storing your codebase isolated from the container runtime for redundancy and failover management.\n\nNext, set the required environment variables and data paths using the provided [.env.template](.env.template) replicated to `.env` (note: default exclude declared in .gitignore).\n\nPersistent storage for extensions and vscode settings can also be enabled by mapping `HOST_*` variables for convenience against container restarts.\n\nHere's an example of what you'll need to define in `.env`:\n```\nVIRTUAL_HOST=10.0.0.1\nVIRTUAL_PORT=8555\n\nHOST_CONFIG_PATH=./config\nHOST_LOG_PATH=./logs\n\nHOST_CODE_PATH=/mnt/codebase\nCODE_PATH=/code\n\nTZ=America/New_York\nSUDO_PASSWORD=\u003cSUDO_PASSWORD\u003e\n```\n\nAn additional [config.yaml](config.yaml) is required for `code-server`, mapped as a `path:ro` volume. The container will auto-generate a file if none is provided.\n\n```\nbind-addr: 0.0.0.0:8080\nauth: password\npassword: \u003c\u003cPASSWORD\u003e\u003e\ncert: false\n```\n\nNginx is used to reroute traffic from `[::]:80` to upstream HTTPS port `[::]:8443` with self-signed SSL certificates. Check out and run the [generate_certs.sh](scripts/generate_certs.sh) script to emit the required certificates with signing key using `openssl`.\n\nPlace both the [nginx.conf](config/nginx.conf) and certs under the paths defined in `code-server.yaml`.\n\n```nginx.conf\nlisten [::]:443 ssl default_server;\n        ssl_certificate /etc/nginx/certs/ssl.crt;\n        ssl_certificate_key /etc/nginx/certs/ssl.key;\n        ssl_protocols TLSv1.1 TLSv1.2;\n        ssl_prefer_server_ciphers on;\n        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;\n```\n\nFinally, deploy the container stack on the docker host using the command `docker-compose -f code-server.yaml up`. It may take 15-20 minutes depending on your hardware and network bandwidth for the initial build. 
The dockerfile pre-configures a number of devtools and updates the base image packages.\n\nTo comply with Docker CIS, resource limits are defined on each of the containers but can be customized to your hardware in the compose [code-server.yaml](code-server.yaml) file.\n\nAn alternative compose file [code-server.https.yaml](code-server.https.yaml) is provided with automatic configuration of NGINX proxy using [steveltn/https-portal](https://hub.docker.com/r/steveltn/https-portal).\n\n## Pre-Installed Dev Tools\n\nHere's a quick overview of what the `dockerfile` does to extend [debian:buster](https://hub.docker.com/_/debian) base image. This allows containers to be rapidly deployed and scaled up for usage on dev teams with tooling ready to go.\n\nThe output image includes SDKs for cloud native app development workloads such as React, Node, C#, AWS and Azure Cloud CLIs. \n\n```\n* Cloud CLIs\n    * AWS CLI Tools\n        * aws-shell\n        * amplify cli\n    * Azure CLI\n* NPM packages\n    * yarn (upstream)\n    * gatsby-cli\n    * gulp\n    * create-react-app\n    * @storybook/cli\n* .NET Core SDK and Runtime\n    * 5.0.0\n    * 3.1.0\n    * 2.1.0\n* Python global env\n    * python3 python3-pip python3-dev\n* Ubuntu apt packages\n    * Networking\n        * wget\n        * apt-transport-https\n        * libssl-dev libffi-dev\n    * Tools\n        * ranger\n        * tree\n        * unzip\n        * ansible\n        * vim\n        * htop\n        * iputils-ping\n    * OS/Misc\n        * systemd\n        * build-essential\n        * ffmpeg\n        * youtube-dl\n        * chromium-browser\n    * Default shell --\u003e zsh/oh-my-zsh\n        * zsh-syntax-highlighting\n        * zsh-autosuggestions\n        * zsh-completions\n        * history-search-multi-word\n```\n\nRefer to the [Dockerfile](dockerfile) for image layers.\n\n### Remote Debugging\n\nBy default the `dockerfile` and `code-server.yaml` are set to expose port ranges `5000-5010` and `8000-8010` commonly 
used for web app development. Customize this for your workload (React, Gatsby, Angular, Django, etc.) to allow remote debugging of HTTP instances running inside the container.\n\nTo allow external access on node frameworks that depend on `http-server` (instantiated with `npm` or `yarn`), you may also need to update your `package.json` and bind the runtime to the host IP instead of localhost. \n\nHere are a few common examples:\n\n```json\n{\n    \"scripts\": {\n        \"ng:start\": \"ng serve --host 0.0.0.0\",\n        \"npm:start\": \"http-server --host 0.0.0.0\",\n        \"gatsby:start\": \"gatsby develop --host 0.0.0.0\"\n    }\n}\n```\n\nAlternatively, if you'd prefer not to expose ports, check out the [vscode-browser-preview](https://github.com/auchenberg/vscode-browser-preview/) extension which enables `chromium` based inspection and debugging within the container itself.\n\n## Security Considerations\n\nAs the base image extends `debian:buster`, additional security measures are preloaded: a `hosts` file and the `fail2ban` and `clamav` packages. These are precautionary against attacks but insufficient against (un)known breaches.\n\n**APT over HTTP(s)**\n\nMITM attacks, while unlikely by default due to PGP signature verification of repos, can be further averted with the `apt-transport-https` package. Vulnerable networks can still reveal that a user is sending or receiving Debian updates; to further anonymize traffic, install the `apt-transport-tor` package and use the `tor://` prefix on repos to run apt over the `tor.service` SOCKS proxy.\n\n**Log Analytics**\n\nIt's strongly recommended to configure a remote syslog daemon for log analytics with `auditd` enabled. Here's our guide on using solutions such as [Graylog2](https://ix.quant.one/GraylogAnsible).\n\n**Ports**\n\nA wide range of TCP ports is exposed and mapped directly to the host for remote debugging of apps running inside the container. 
By default, only the `code-server` is allocated on ports `8443` and `localhost:8080`.\n\n```bash\n$ netstat -tnlp\n\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    \ntcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      299/node            \ntcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -     \n```\n\nFor dev workloads outside of a homelab or private cloud behind firewalls, using an nginx reverse proxy with HTTPS and auth redirects is vital to preventing sensitive code exposure.\n\n### Workarounds\n\n**File Watcher Limit**\n\nContainers inherit the default file watcher limit from the docker host. To set an increased value persistently, run the following commands on the server and reboot.\n\n```bash\n$ echo \"fs.inotify.max_user_watches = 524288\" | sudo tee -a /etc/sysctl.conf\n$ sudo sysctl -p\n```\n\n**Docker in Docker**\n\nTo run containers using rootless mode inside the `code-server` container itself, set `gid` as an environment variable (in `.env`) matching the docker host before building the image. This will add the default `$USER` to the `docker` group with the correct permissions to the `docker.sock`.\n\n```env\nDOCKER_HOST_GID=999\n```\n\n```bash\n$ ls -l /var/run/docker.sock\nsrw-rw----. 
1 root docker 0 Dec 22 17:52 /var/run/docker.sock\n\n$ id $USER\n...999(docker)\n\n# Manually rebuild\n$ docker build --build-arg DOCKER_HOST_GID=999 --build-arg DEFAULT_USER=abc -t \u003cimage_tag\u003e .\n\n# Use docker-compose to build and deploy automatically\n$ docker-compose -f code-server.yaml up\n```\n\nInside the container, you should no longer receive permission errors upon calling docker commands without sudo.\n\n```bash\n$ docker run hello-world\ndocker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create: dial unix /var/run/docker.sock: connect: permission denied.\nSee 'docker run --help'.\n\n# Built with GID=\u003cdocker_host_gid\u003e\n$ docker run hello-world\n```\n\n## Contributing\n\nContributions including forks and reporting issues are welcome. Be sure to include the output of `$ uname -a` of your container host or `docker-compose` configuration and a detailed description to allow for replication.\n\n## License\n\nThis project is made available under the MIT License. For more information, refer to [license.md](license.md).\n","funding_links":[],"categories":["Dockerfile"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsar%2Fcode-container","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsar%2Fcode-container","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsar%2Fcode-container/lists"}