Comment by codedokode
4 hours ago
Note that VS Code is built on Electron, and it is a pain to sandbox because Electron has (or had?) a SUID sandbox helper, and you cannot easily run SUID binaries inside a sandbox. Sandboxing on Linux is an extremely difficult task.
It feels so bad to see "You need to give Chrome SUID root for the sandbox to work." Setting a web browser SUID root was an old joke about clueless users. It was the worst security screwup someone could imagine.
Don't build your IDE on Electron then.
Podman seems to handle rootless namespaces just fine, with the minor caveat of some perf overhead, but it's not the end of the world.
And volumes. Volumes are not fun with Podman. Ironically, my team tried GitHub Codespaces and never looked back. Super cheap, and it uses DevContainers.
What's the difference between Podman and Docker for volumes, other than needing to add Z to get volumes to mount with SELinux?