Preconfigure Container Registry in Codespaces

I’m trying to preconfigure a private container registry in a CodeSpace so workshop participants can use it. According to the docs it’s all pretty straight forward, but it looks like I’m missing something, because it won’t work, and the docs aren’t clear on what I need to expect on the receiving end.

What I’ve done so far:

  • I have a custom CodeSpace container image that inherits from univesal-linux:1.6.4
  • I have configured the 3 documented variables:
    • GH_CONTAINER_REGISTRY_SERVER=ghcr.io
    • GH_CONTAINER_REGISTRY_SERVER=jessehouwing
    • GH_CONTAINER_REGISTRY_SERVER=PAT with Packages (Read) permission

enter image description here

  • I have rebuilt the codespace
  • I tried a different prefix than GH_ to no avail.

If I read the docs correctly, this should make sure docker can pull from ghcr using my credentials, but all I get is an error:

codespace ➜ /workspaces/attendee-jessehouwing (main) $ docker pull ghcr.io/xxxxx-customers/xxxxx-cli
Using default tag: latest
Error response from daemon: Head "https://ghcr.io/v2/xxxxx-customers/xxxxx-cli/manifests/latest": unauthorized

I searched the vscode-container repository for a hint to something I may have to configure on my custom container, but I don’t really see anything wrong.

Custom container dockerfile:

FROM mcr.microsoft.com/vscode/devcontainers/universal:1-linux

USER codespace
    
RUN az extension add --name azure-devops

I tried in the standard vscode container and see the same behavior. I must be doing something wrong.