Is it possible to install and use Flatpak as a non-root user?

Dan Nicholson nicholson at endlessm.com
Sun Feb 2 15:54:14 UTC 2020


On Sat, Feb 1, 2020 at 7:29 PM Parke <parke.nexus at gmail.com> wrote:
>
> Thank you for the information about the (undocumented?) --user flag.

It's documented in flatpak-install(1) and flatpak-remote-add(1) and
pretty much all flatpak CLI commands that need to know if they operate
on the user installation or the system installation.

> As a non-root user on an Ubuntu 19.10 host, I downloaded and extracted
> an Alpine Linux "mini root filesystem".  Alpine says this filesystem
> is "for use in containers and minimal chroots."
>
> I used a utility I wrote (https://github.com/parke/lxroot) to
> unshare() and chroot() into the directory that contained the extracted
> Alpine Linux filesystem.  (At this point, I am running an Alpine Linux
> userland inside a transient Linux user namespace that was dynamically
> created by lxroot, all on top of the Ubuntu 19.10 kernel.)
...
> Summary:  I have not yet found a way to install and run Flatpak
> packages as a non-root user.

This is not accurate. Flatpak works fine as an unprivileged user. In
fact, basically everything about flatpak runs unprivileged. There's
really only one piece that runs unprivileged - the system installation
and some helpers that allow you to access it from an unprivileged
user. You can install and run flatpaks just fine from a user
installation.

What you're doing, though, is not equivalent to simply "non-root user"
since you're calling unshare(). You're trying to run in a sandbox, and
flatpak also uses a sandbox via bubblewrap. If I had to guess, your
outer sandboxing is interfering with the sandboxing that bubblewrap
sets up. Another thing I've run into in the past when trying to use
flatpak in an alternate root via chroot is that bubblewrap uses
pivot_root(), and that doesn't work correctly when you're in a root
entered into with chroot() -
https://github.com/containers/bubblewrap/issues/135. And that was just
for installing flatpaks, not for running them.

The expected configuration is that flatpak is a host tool. Just like
you wouldn't install docker inside a container and then run containers
out of that. I'm sure it can be made to work, but I don't think it's a
well supported configuration.
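
A pre-flight check for the chroot case described above, as an added example that is not part of the original message and is not Flatpak or bubblewrap code. It assumes the pivot_root() failure arises when the process root is not itself a mount point, and relies on the heuristic that /proc/self/mountinfo then has no entry mounted at "/"; the function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Heuristic check only.

# Constructed sample: mountinfo as seen from a normal host root.
sample_host_mountinfo() {
    cat <<'EOF'
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
24 22 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:2 - sysfs sysfs rw
EOF
}

# Constructed sample: mountinfo as seen after chroot() into a plain directory.
# Only mounts below the new root are listed, so nothing is mounted at "/".
sample_chroot_mountinfo() {
    cat <<'EOF'
310 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
311 22 0:6 / /dev rw,nosuid,relatime - devtmpfs devtmpfs rw
EOF
}

# Reads mountinfo text on stdin. Field 5 is the mount point relative to the
# process root. Succeeds (0) if some mount sits exactly at "/".
root_is_mount_point() {
    awk '$5 == "/" { found = 1 } END { exit(found ? 0 : 1) }'
}

# Prints a one-line verdict for the mountinfo text on stdin; always returns 0.
pivot_root_verdict() {
    if root_is_mount_point; then
        echo "ok: root is a mount point"
    else
        echo "warn: root is not a mount point (chroot?); pivot_root() may fail"
    fi
}

# Check the live process when /proc is available, otherwise show the samples.
if [ -r /proc/self/mountinfo ]; then
    pivot_root_verdict < /proc/self/mountinfo
else
    sample_host_mountinfo | pivot_root_verdict
    sample_chroot_mountinfo | pivot_root_verdict
fi
```

Run it from inside the environment where flatpak will be invoked; a warning means the root was probably entered with chroot() rather than set up as a mount.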

