Distrobox best practice for app installs (vs Flathub)

Hey there,

just installed Bazzite today, my first dive into the atomic world, and am now thinking about the best practice using distrobox for installing apps.

1.) I want to install certain applications that do not run 100% well via flatpak or are more or less security/privacy-sensitive. For example, I feel like it would be a good practice to install/update my web browser via the official repo and keep it in its own box to isolite it from other applications like say Webex, Zoom or some instant messengers.
On the other hand, adding more and more boxes is probably bad for performance, update time and battery life (notebook), right?

2.) For the first box I went with Fedora latest. Do you think that might introduce conflicts when the next release rolls out? Is it recommended to handle that manually and change the version right after the Bazzite image itself has upgraded successfully?

I hope you will excuse the naive questions and do thank you for the help. :slight_smile:

Kind regards

  1. Distrobox is fairly open in terms of security, because it allows read-write access to your home directory and all network interfaces. If you want to optimize your setup for security/privacy, then flatpak gives you most efficiency for the least effort (assuming that the program works well with flatpak). But if you want to take things up a few levels, then you should look into creating your own containers. There are several tools you can use, but I think quadlets sound like a good fit for your use-case. The downside of this approach is that you have to be very explicit about which files, directories and networking ports you want to share with the host. Finding out the necessary permissions requires a bit of trial and error.

  2. See Cattle not Pets. You want to write your own Dockerfiles/Containerfiles or at least use the package manager inside your container to generate a list of installed packages, so that you can bootstrap a fresh container without much effort.

Always happy to share knowledge when I have some to spare.

1 Like

Thanks for taking the time!

Problem is, for example, that my browser is unable to communicate with my password manager when running inside a flatpak container. There also appear to be some visual bugs here and there which is why I thought about installing most of the software through native dnf inside of a shared distrobox.

On the other hand there are some closed source applications like instant messengers or video calling apps which are not even officially verified on Flathub. Some of them are not even available as flatpak, like Webex, and have to be installed as rpm packages. Isolating them is probably a good idea in terms of privacy and security. But then it would also break features like screen sharing, which I need for working with my colleagues. :melting_face:

I think it will be difficult to reconcile all of this, especially without too much of technical complexity. Hope you have some ideas, though. :thinking:

By the way: Any idea why my distrobox containers do not ask for a root password when using dnf or other root-privileged commands? I created the container without the root flag. Same for a second test-container I just created, running on Debian.

Have a look at FlatSeal (com.github.tchx84.Flatseal) which allows you to tweak the permissions of flatpaks.

The tricky part is figuring out which permissions to enable. The flatpaks typically have reasonable defaults but some additional permissions like those that are needed to e.g. talk to a password manager might not be granted by default.

That’s the default behaviour:

$ sudo grep '^[^#].*NOPASSWD' /etc/sudoers /etc/sudoers.d/*
/etc/sudoers.d/sudoers:"stego" ALL = (root) NOPASSWD:ALL
/etc/sudoers.d/toolbox:%wheel ALL=(ALL) NOPASSWD: ALL

See How to Run sudo Without Password