Coder.com•5mo ago

Blocking extensions for shared environment

We're currently running code-server in an HPC environment and would like to prevent users from installing specific extensions. Is there a way to do that? If so, how?

Solution:

It looks like having files.watcherExclude may be the thing that blocks extensions.allowed from working. Removed that and everything looks to be working now!

Jump to solution

35 Replies

Codercord•5mo ago

<#1380227082147074131>

Category

Help needed

Product

code-server

Platform

Linux

Logs

Please post any relevant logs/error messages.

zhongtiao1OP•5mo ago

Also run into this error when trying to block extensions in 4.100.3: [2025-06-05T17:52:03.853Z] error error reading settings.json: Unknown option --extensions.allowed=[object Object]

zhongtiao1OP•5mo ago

Which should work according to the vscode docs: https://code.visualstudio.com/docs/setup/enterprise#_configure-allowed-extensions

Enterprise support

Learn about Visual Studio Code's enterprise support features, such as group policies or restricting allowed extensions.

Phorcys•5mo ago

how are you setting it?

zhongtiao1OP•5mo ago

Adding the values to settings.json directly, then booting with that as the config

Phorcys•5mo ago

can you send the settings?

zhongtiao1OP•4mo ago

{
    "extensions.allowed": {
            "twxs.cmake": false
    }
}

{
    "extensions.allowed": {
            "twxs.cmake": false
    }
}

@Phorcys apologies for the ping, but any updates on this?

Phorcys•4mo ago

hey, no worries! i haven't been able to take a look yet but i should be able to give you a reply this week, apologies on the delay

zhongtiao1OP•4mo ago

Great! Thanks for the response!

Phorcys•4mo ago

@zhongtiao1 sorry for the delay -- are you able to test this in regular VSCode and does it work? i'll hopefully have some time tomorrow to debug on my end, this week hasn't been great :-(

zhongtiao1OP•4mo ago

It works for me in at least windows and macos. Don't have a linux desktop to test at the moment. And no worries! Thank you for looking into it! I know it's not a breaking issue or anything 🙂 @Phorcys Just wanted to follow up and see if there's any update/ticket open beyond this 🙂

Phorcys•4mo ago

hey! really sorry! taking a look now :) can you send the full path of the settings.json file you are editing?

zhongtiao1OP•4mo ago

$HOME/.local/share/code-server/Machine/settings.json

Phorcys•4mo ago

@zhongtiao1 i found the cause of your issue

Phorcys•4mo ago

so you'll want to add it to $HOME/.local/share/code-server/User/settings.json instead though to avoid overwriting the user settings i'd suggest using jq to merge your "default" file with the user's file

zhongtiao1OP•4mo ago

It already is The full contents of the settings.json file is this:

{
    "extensions.ignoreRecommentations": true,
    "remote.autoForwardPortsSource": "output",
    "remote.autoForwardPorts": false,
    "files.watcherExclude":{
        "**": true,
    }
    "extensions.allowed":{
        "twxs.cmake": false,
    }
}

{
    "extensions.ignoreRecommentations": true,
    "remote.autoForwardPortsSource": "output",
    "remote.autoForwardPorts": false,
    "files.watcherExclude":{
        "**": true,
    }
    "extensions.allowed":{
        "twxs.cmake": false,
    }
}

Phorcys•4mo ago

sorry, that was the wrong path use User instead of Machine the Machine config file doesn't support that config entry

zhongtiao1OP•4mo ago

Awesome! That seems to be working! Thanks! Is there a setting/way to restrict users from editing that settings.json and preventing them from setting a different one? Because there's still an "edit in settings.json" button that pops up when you view the allow list

Phorcys•4mo ago

not really, well you could restrict permissions on the file but the issue is they won't be able to edit any settings so either you have a sub-par thing that you run on boot every time, or a hacky workaround would be to watch the settings file and add that extensions.allowed key every time the file changes

zhongtiao1OP•4mo ago

Is it possible to have multiple settings.json files then? One could allow user edits and one could not

Phorcys•4mo ago

let me look into it actually i don't think so but i have another idea i thought you could edit the default settings file but you can't it doesn't seem that VSCode allows this sadly

zhongtiao1OP•4mo ago

Shoot :/ Alright, we'll probably need to go with the changing perms solution, as unfortunate as that is Thanks for looking into this! I really appreciate it 🙂

Phorcys•4mo ago

no worries! and sorry again for the delay 😅 i was at school for the last 2 weeks and i'm preparing for finals, so i've been running short on time lately!

zhongtiao1OP•4mo ago

One more question actually, I've put together a (rather large) list of publishers/extensions that are approved, but it won't let me actually install any of the extensions. It just says that the extensions "aren't available for Linux 64 bit". settings.json:

{
    "extensions.ignoreRecommentations": false,
    "remote.autoForwardPortsSource": "output",
    "remote.autoForwardPorts": false,
    "files.watcherExclude":{
        "**": true,
    }
    "extensions.allowed":{
        
        // Publishers
        "huggingface":true,
        "julialang":true,
        "mutable-ai":true,
        "kodezi":true,
        "codeium":true,
        "trunk":true,
        "github":true,
        "builder":true,
        "broadcommfd":true,
        "rust-lang":true,
        "IBM":true,
        "dart-code":true,
        "google":true,
        "redhat":true,
        "oracle":true,
        "databricks":true,
        "dbtlabsinc":true,
        "snowflake":true,
        "malloy":true,
        "couchbase":true,
        "supermaven":true,
        "jetbrains":true,
        "golang":true,

        // Microsoft extensions
        "ms-vscode":true,
        "ms-mssql":true,
        "ms-python":true,
        "ms-toolsai":true,
        "ms-azuretools":true,
        "ms-pyright":true,
        "ms-dotnettools":true,
        "MS-CEINTL":true,
        "ms-vsts":true,


        // Specific extensions
        "twxs.cmake":true,
        "eamodio.gitlens":true,
        "esbenp.prettier-vscode":true,
        "saoudrizwan.claude-dev": "stable",

        // themes
        "huacat.office-theme":true,
        "ellacrity.recoil":true,
        "imagineee.moon-purple":true,
        "pyxel.flare-theme":true,
        "anishde12020.orbi":true
        
    }
    
}

{
    "extensions.ignoreRecommentations": false,
    "remote.autoForwardPortsSource": "output",
    "remote.autoForwardPorts": false,
    "files.watcherExclude":{
        "**": true,
    }
    "extensions.allowed":{
        
        // Publishers
        "huggingface":true,
        "julialang":true,
        "mutable-ai":true,
        "kodezi":true,
        "codeium":true,
        "trunk":true,
        "github":true,
        "builder":true,
        "broadcommfd":true,
        "rust-lang":true,
        "IBM":true,
        "dart-code":true,
        "google":true,
        "redhat":true,
        "oracle":true,
        "databricks":true,
        "dbtlabsinc":true,
        "snowflake":true,
        "malloy":true,
        "couchbase":true,
        "supermaven":true,
        "jetbrains":true,
        "golang":true,

        // Microsoft extensions
        "ms-vscode":true,
        "ms-mssql":true,
        "ms-python":true,
        "ms-toolsai":true,
        "ms-azuretools":true,
        "ms-pyright":true,
        "ms-dotnettools":true,
        "MS-CEINTL":true,
        "ms-vsts":true,


        // Specific extensions
        "twxs.cmake":true,
        "eamodio.gitlens":true,
        "esbenp.prettier-vscode":true,
        "saoudrizwan.claude-dev": "stable",

        // themes
        "huacat.office-theme":true,
        "ellacrity.recoil":true,
        "imagineee.moon-purple":true,
        "pyxel.flare-theme":true,
        "anishde12020.orbi":true
        
    }
    
}

If you try to manually install a vsix from an approved publisher it claims that it's not in the allow list

Phorcys•3mo ago

that is interesting, i'll try to have a look this week but i'm currently in NYC for an internal event so I'll likely take some time to reply so probably not until next week hey, updating you on this, the last weeks have been very busy for me, and this week will be too so there is a lot of backlog that has built up so I apologize for the delay! If no one else from the team has had the time to figure this out I should be able to catch up with all open issues by next week EOW, I will try to leave an answer, even if it is an "i don't know" just so you know we're looking at this! thanks for your understanding :-) sorry for pushing this back further again, i understand how it is :( it will get better though! I have been traveling a lot and this week is my finals week 🤞

zhongtiao1OP•3mo ago

No problem, thank you for the update! Good luck on finals 🙂

Phorcys•3mo ago

hey! this was really slow but i finally got to take a look

Phorcys•3mo ago

so the restrictions do work and i'm also able to install the ext

Phorcys•3mo ago

can you screenshot when that happens? and there should be a way to open more detailed logs too, or maybe just check code-server logs

Solution

zhongtiao1•3mo ago

It looks like having files.watcherExclude may be the thing that blocks extensions.allowed from working. Removed that and everything looks to be working now!

matifali•3mo ago

@Phorcys is it something we should document may be as a guide?

Phorcys•3mo ago

yes I think so we already have rudimentary docs but I will update them

matifali•3mo ago

Thank you

Gaming

Programming

Blocking extensions for shared environment

Did you find this page helpful?