Flatpak a technical walk-through. Alexander Larsson, Red Hat

Size: px

Start display at page:

Download "Flatpak a technical walk-through. Alexander Larsson, Red Hat"

Bruce Jackson
5 years ago
Views:

1 Flatpak a technical walk-through Alexander Larsson, Red Hat

2 What is Flatpak?

3 apps for the Linux Desktop

4 Distribute your app

5 Run it anywhere

6 Build in anywhere

7 Run it sandboxed

8 How is this different from containers?

9 Non-privileged user Must not require root permissions Must not grant root permissions No root-only features

10 Desktop integration Icon shows up in desktop Automatic setup of X11/Wayland/Pulseaudio DBus integration OpenGL / DRI support Uses freedesktop specs Interactive permissions system

11 OSTree Bubblewrap Building blocks

12 OSTree its like git for operating systems

13 Repo layout app bin hello.sh README $ cat app/readme This is some example content

14 Repo layout app bin hello.sh README $ cat app/readme This is some example content $ ostree --repo=repo init $ ostree --repo=repo commit \ --subject="foobar" \ --branch=master app 8528ed0cee $ ostree --repo=repo show master commit 8528ed0cee Date: :18: Foobar

15 Repo layout app bin hello.sh README repo/ config objects 94/b60b8c7a.dirtree f2/13a94e40.dirtree 30/d1d158ec.file 80/04dd449f.file 85/28ed0cee.commit d9/f4b64256.dirmeta refs/heads/master $ cat app/readme This is some example content $ cat repo/refs/heads/master 8528ed0cee $ cat repo/objects/80/04dd449f.file This is some example content

16 Repo layout app bin hello.sh README repo/ config objects 94/b60b8c7a.dirtree f2/13a94e40.dirtree 30/d1d158ec.file 80/04dd449f.file 85/28ed0cee.commit d9/f4b64256.dirmeta refs/heads/master $ cat app/readme This is some example content $ cat repo/refs/heads/master 8528ed0cee $ cat repo/objects/80/04dd449f.file This is some example content $ echo -n "..." >> app/readme $ ostree --repo=repo commit \ --subject= Changed stuff --branch=master app 2e9472ca3f

17 Repo layout app bin hello.sh README repo/ config objects 94/b60b8c7a.dirtree c6/171320dd.dirtree f2/13a94e40.dirtree 30/d1d158ec.file 80/04dd449f.file 67/a1a77c36.file 85/28ed0cee.commit 2e/9472ca3f.commit d9/f4b64256.dirmeta refs/heads/master $ cat app/readme This is some example content $ cat repo/refs/heads/master 2e9472ca3f $ cat repo/objects/80/04dd449f.file This is some example content $ cat repo/objects/67/a1a77c36.file This is some example content...

18 Checkout repo/ config objects 94/b60b8c7a.dirtree c6/171320dd.dirtree f2/13a94e40.dirtree 30/d1d158ec.file 80/04dd449f.file 67/a1a77c36.file 85/28ed0cee.commit 2e/9472ca3f.commit d9/f4b64256.dirmeta refs/heads/master

19 Checkout repo/ config objects 94/b60b8c7a.dirtree c6/171320dd.dirtree f2/13a94e40.dirtree 30/d1d158ec.file 80/04dd449f.file 67/a1a77c36.file 85/28ed0cee.commit 2e/9472ca3f.commit d9/f4b64256.dirmeta refs/heads/master $ ostree --repo=repo checkout \ master new

20 Checkout repo/ config objects 94/b60b8c7a.dirtree c6/171320dd.dirtree f2/13a94e40.dirtree 30/d1d158ec.file 80/04dd449f.file 67/a1a77c36.file 85/28ed0cee.commit 2e/9472ca3f.commit d9/f4b64256.dirmeta refs/heads/master new bin hello.sh README $ ls -lr new new: drwxr-xr-x. 2 alex alex 60 bin -rw-r--r--. 2 alex alex 19 README new/bin: -rw-r--r--. 2 alex alex 38 hello.sh $ cat app/readme This is some example content...

21 Checkout repo/ config objects 94/b60b8c7a.dirtree c6/171320dd.dirtree f2/13a94e40.dirtree 30/d1d158ec.file 80/04dd449f.file 67/a1a77c36.file 85/28ed0cee.commit 2e/9472ca3f.commit d9/f4b64256.dirmeta refs/heads/master new bin hello.sh README $ ls -lr new new: drwxr-xr-x. 2 alex alex 60 bin -rw-r--r--. 2 alex alex 19 README new/bin: -rw-r--r--. 2 alex alex 38 hello.sh $ cat new/readme This is some example content... $ stat new/readme grep Inode Device: 2fh/47d Inode: Links: 2 $ stat repo/objects/67/a1a77c36.file \ grep Inode Device: 2fh/47d Inode: Links: 2

22 Repo mode archive-z2 config objects 35/b2a1ffa5.dirtree 67/a1a77c36.filez 80/04dd449f.filez c6/171320dd.dirtree d9/f4b64256.dirmeta db/92a318a1.commit db/92a318a1.commitmeta refs/heads/master summary.sig summary Host on HTTP server GPG sign commits Static deltas Hosting a repo

23 OSTree advantages Automatic deduplication Disk RAM Efficient updates Atomic updates No privileges needed No kernel requirements

24 bubblewrap unprivileged chroot on steroids

25 The virtual filesystem A a1 a1 B FS Root Mount point A / / a2 b1 a2 a3 b1 b2 c c1 C B / /a1 C / /a1/b1 C /c1 /a1/b2 a3 c1 c2 foo b3 foo b2 c3 c2 c3 foo b3

26 chroot A a1 B FS Root Mount point b1 a2 a3 b1 b2 c c1 C A / / B / /a1 C / /a1/b1 C /c1 /a1/b2 c1 c2 foo b3 c2 c3 foo Process root /a1 b2 foo c3 b3

27 namespaces A a1 B FS Root Mount point b1 a2 a3 b1 b2 c c1 C A / / B / /a1 C / /a1/b1 C /c1 /a1/b2 c1 c2 foo b3 c2 c3 foo Process root /a1 Process mount table b2 foo c3 b3

28 What is wrong with chroot? Must be root Why?

29 Unprivileged user namespaces prctl(pr_set_no_new_privs) User mappings

30 bubblewrap Simple tool to use user namespaces Starts with / as empty tmpfs Add bindmounts and dirs/files/symlinks $ bwrap --dir /tmp --ro-bind /usr /usr --symlink usr/lib64 /lib64 /usr/bin/ls / lib64 tmp usr

31 Other features Namspaces: net, ipc, pid, uts, cgroup Filesystems: tmpfs, proc, dev Pid 1 handler seccomp

32 Setuid version For distros that disable user namespaces

33 Flatpak feet view Each installation has an OSTree repo Apps and runtimes are branches app/org.gnome.gedit/x86_64/stable runtime/org.gnome.platform/x86_64/3.28 Checked out (deployed) next to repo Run with bubblewrap bwrap --ro-bind $app /app --ro-bind $runtime /usr...

34 Deployed app $ cd /var/lib/flatpak $ ls -l app/org.gnome.gedit/x86_64/stable drwxr-xr-x. 4 alex wheel ce9102a... lrwxrwxrwx. 1 alex wheel 64 active -> 849ce9102a.. $ ls -l app/org.gnome.gedit/x86_64/stable/active/ -rw-r--r--. 2 alex alex 966 metadata drwxr-xr-x. 6 alex alex 89 files drwxr-xr-x. 4 alex alex 30 export -rw-r--r--. 1 alex alex 134 deploy $ ls -la app/org.gnome.gedit/x86_64/stable/active/files/ drwxr-xr-x. 2 alex alex 56 bin drwxr-xr-x. 7 alex alex 4096 lib drwxr-xr-x. 17 alex alex 238 share -rw-r--r--. 1 alex alex 0.ref

35 flatpak install flathub org.gnome.gedit ostree pull flathub $REF COMMIT=$(ostree rev-parse flathub:$ref) ostree checkout --branch $REF $REF/$COMMIT create $REF/$COMMIT/{deploy, files/.ref} syncfs() ln -sf $COMMIT $REF/active process $REF/$COMMIT/export into exports/

36 flatpak update org.gnome.gedit Same, but after: mv $REF/$OLDCOMMIT.removed for D in.removed/*; do if flock --exclusive --nonblock $D/.ref; then rm -rf $D; fi done

37 Flatpak sandbox Namespaces: user, fs, pid, Optional namespaces: net, ipc Seccomp Disable weird network types no ptrace, perf, personality, multiarch, keyring, weird syscalls No recursive namespaces Per-app /tmp Runs in transient systemd --user scope Filtering DBus proxy Writable per-app storage in ~/.var/app/$appid

38 Questions Links: Reaching us #flatpak on freenode

Flatpak. Apps on the Linux desktop. Alexander Larsson Red Hat

Flatpak. Apps on the Linux desktop. Alexander Larsson Red Hat Flatpak Apps on the Linux desktop Alexander Larsson Red Hat Flatpak Major Goals Cross-distro deployment and distribution Sandboxing applications Shorter distance between developers and users Using Flatpak