Flatkvm is a tool to easily run flatpak apps isolated inside a VM, using QEMU/KVM.
WARNING: This is beta quality software and hasn't been externally audited, use it with care. If you need trusted isolation, take a look at Qubes OS.
The flatkvm binary on the Host executes a QEMU instance accelerated by KVM, using an snapshot of a specialized template as root filesystem, and a per-app virtual disk image which is automatically created on demand. The VM starts an Xorg session running i3wm and flatkvm-agent, a small program which communicates with the binary on the Host using a virtio-vsock device.
Once the session in the VM is ready, flatkvm instructs the agent to mount the flatpak directories, shared read-only from the Host using virtio-9p, and to execute the flatpak application indicated in by the user in the command line.
Afterward, flatkvm and agent keep the communication open to notify about clipboard events, D-Bus notifications, and to signal the eventual termination of the flatpak application. Once the app has exited, flatkvm sends an ACPI shutdown signal to the VM using the QMP interface.
-
If enabled, all clipboard contents of the Host are shared with the VM: Automatic clipboard sharing implies that all contents of the Host are sent to the VM, and viceversa, which is a significant breach in the isolation. Ideally, clipboard sharing should be on-demand, probably provided by some D-Bus service, and integrated in the UI.
-
Spotify starts up but the VM is immediately shut down: Spotify (and probably some other apps too) fork+exec's after running, which confuses the flatkvm-agent into thinking the app has already exited. The workaround is passing the -n flag to flatkvm run to disable automatic shut down.
-
The first run of Steam takes a long time: This is the result of combination of virtio-9p's poor performance and Steam insisting of inspecting each library present in the package. After Steam has updated itself, its runtime (and the games) will reside in the dedicated virtual disk, so this will no longer be an issue.
The easiest way to give flatkvm a try is by using this Copr repository:
$ sudo dnf copr enable slp/flatkvm
$ sudo dnf install flatkvm
The install some app using flatpak:
flatpak install --user --from https://firefox-flatpak.mojefedora.cz/org.mozilla.FirefoxNightly.flatpakref
And execute it with flatkvm:
flatkvm run org.mozilla.FirefoxNightly
Despite its young age, flatkvm is already quite complex with four different components (flatkvm, flatkvm-agent, flatkvm-linux and flatkvm-template-debian) interacting between them. Being honest, porting, packaging and testing it for every distro requires an amount of time I don't currently have, so I'm focusing on Fedora.
Or course, if you want to volunteer to port and maintain flatkvm for another distro, you'll be more than welcome! ;-)