4

Would installing Visual Studio Code in a Docker container offer better isolation than a snap or Flatpak?

Eliah Kagan
  • 117,780
  • 3
    Why do you need isolation? Please describe your usage scenario. If you don't trust Microsoft, use vscodium instead of vscode. Docker is not made for this. – pLumo Jul 09 '20 at 06:08
  • 1
    I don't know if it's really a matter of trust, but if people choose Linux mainly because they don't trust Windows 10's creators (NO privacy, etc.) then why should I give them this gateway through this app? Can you prove otherwise? – messuhesta Jul 11 '20 at 04:54
  • 1
    I tried to install it via snap but I have this message. Something stinks here.

    "This revision of snap "codium" was published using classic confinement and thus may perform arbitrary system changes outside of the security sandbox that snaps are usually confined to, which may put your system at risk. "

    – messuhesta Jul 15 '20 at 16:54

2 Answers

2

Code_OSS AppImage

Unlike other applications, AppImages do not need to be installed before they can be used; however, they need to be marked as executable before they can be run. This is a Linux security feature.

Visual Studio Code OSS Edition:

Download the Code_OSS AppImage and make it executable using your file manager or by entering the following command in a terminal:

chmod +x ./*.AppImage

Then double-click the AppImage in the file manager to open it.

Sandboxing Code_OSS:

If you want to restrict what Code_OSS can do on your system, you can run the AppImage in a sandbox like Firejail. This is entirely optional and currently needs to be configured by the user.


karel
  • 114,770
2

As pLumo has already stated, Docker isn't made for this. If you're concerned about running Visual Studio Code in a sandbox, snaps and AppImages would be a better option.

But if you're still interested in running Visual Studio Code inside a Docker container, you can follow the steps below:

Preparing the docker container

Create a new Dockerfile inside an empty folder, for example, "myimage" and add

FROM ubuntu:20.04
RUN apt update
RUN apt install -y gpg sudo
RUN echo "deb [arch=amd64] http://packages.microsoft.com/repos/vscode stable main" >> /etc/apt/sources.list.d/vscode.list
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EB3E94ADBE1229CF
RUN apt update
RUN apt install --no-install-recommends -y code
RUN apt install --no-install-recommends -y libx11-xcb1
RUN apt install --no-install-recommends -y libxtst6
RUN apt install --no-install-recommends -y libasound2
CMD /usr/share/code/code --no-sandbox --unity-launch

Build the container:

sudo docker build -t myimage .

Running Visual Studio Code:

Run the container using:

sudo docker run --rm -ti --net=host -e DISPLAY=:0  myimage 

If you get

(code:1): Gtk-WARNING **: cannot open display: :0

Run

xhost +SI:localuser:root

Retry running the container.

Creating Desktop Entry a.k.a. shortcut

Since docker needs sudo privileges to run, you can use pkexec inside the desktop entry. To create a shortcut, run

nano ~/.local/share/applications/vscode-docker.desktop

and add these contents

[Desktop Entry]
Version=1.0
Name=VSCode Docker
Icon=code
Exec=bash -c 'pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY /usr/bin/docker run --rm -t --net=host -e DISPLAY=:0 myimage'
Type=Application
Terminal=false

Note: Since the desktop entry uses pkexec, docker needs to be run non-interactively, i.e., without the -i option.

Kulfy
  • 17,696
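
Added example (not part of either answer): a small shell check that lists the isolation-relevant options in a `docker run` argument list, applied to the run command from the answer above. `audit_docker_run` is a hypothetical helper name and the finding texts are this example's own wording.

```shell
#!/bin/sh
# Added example: list `docker run` options that weaken container isolation.
# audit_docker_run is a hypothetical helper name, not a Docker command.
# It scans every argument and does not know where the image name ends.
audit_docker_run() (
    pending="" has_user=0
    for arg in "$@"; do
        if [ -n "$pending" ]; then
            # Normalise "--opt value" to "--opt=value" so one pattern fits both.
            arg="$pending=$arg"; pending=""
        else
            case "$arg" in
                --net|--network|-e|--env|-v|--volume|-u|--user)
                    pending="$arg"; continue ;;
            esac
        fi
        case "$arg" in
            --net=host|--network=host)
                echo "host-network: container shares the host's network namespace" ;;
            --privileged)
                echo "privileged: all capabilities and host devices are exposed" ;;
            -e=DISPLAY*|--env=DISPLAY*)
                echo "x11-display: X11 clients on one display can observe each other's windows and input" ;;
            -v=*.X11-unix*|--volume=*.X11-unix*)
                echo "x11-socket: the host X11 socket is mounted into the container" ;;
            -v=*docker.sock*|--volume=*docker.sock*)
                echo "docker-socket: control of the Docker daemon equals root on the host" ;;
            -u=0|-u=0:*|-u=root|-u=root:*|--user=0|--user=0:*|--user=root|--user=root:*)
                ;;  # explicit root: treated the same as no --user at all
            -u=*|--user=*)
                has_user=1 ;;
        esac
    done
    [ "$has_user" -eq 1 ] ||
        echo "root-user: no non-root --user given (root unless the image sets USER)"
)

# The run command from the answer above ("myimage" is the page's image name).
audit_docker_run --rm -ti --net=host -e DISPLAY=:0 myimage
```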