+
The command reference is generated from the flatpak repo; see https://github.com/flatpak/flatpak/tree/main/doc
Flatpak comes with a rich commandline interface. @@ -183,13 +183,98 @@ Information about an application or runtime
Besides standard environment variables such as XDG_DATA_DIRS and
- XDG_DATA_HOME, flatpak is consulting some of its own.
-
FLATPAK_FANCY_OUTPUT
+ XDG_DATA_HOME, flatpak consults some of its own.
+
FLATPAK_BINARY
+ Path to the flatpak executable that will be written
+ into exported .desktop files
+ and scripts when an app is installed.
+ The default is /usr/bin/flatpak,
+ unless overridden at build time by
+ --bindir.
+
FLATPAK_BWRAP
+ Path to the
+ bwrap(1)
+ executable that will be used to create the sandbox.
+ Depending on how Flatpak was configured at build-time,
+ the default is either to search the
+ PATH,
+ or use a vendored copy which is normally installed as
+ /usr/libexec/flatpak-bwrap.
+
FLATPAK_CONFIG_DIR
+ The location of flatpak site configuration. If this is not set,
+ /etc/flatpak is used (unless overridden at build
+ time by --sysconfdir).
+
FLATPAK_DATA_DIR
+ The location of Flatpak's OS-level defaults and
+ integration hooks.
+ If this is not set,
+ /usr/share/flatpak is used,
+ unless overridden at build time by
+ --datadir.
+
FLATPAK_DBUSPROXY
+ Path to the
+ xdg-dbus-proxy(1)
+ executable that will be used to filter D-Bus
+ traffic between the sandbox and the host system.
+ Depending on how Flatpak was configured at build-time,
+ the default is either to search the
+ PATH,
+ or use a vendored copy which is normally installed as
+ /usr/libexec/flatpak-dbus-proxy.
+
FLATPAK_DOWNLOAD_TMPDIR
+ Path to a directory that will be used temporarily
+ when downloading OCI layers,
+ and potentially for other downloads in future.
+ The standard TMPDIR is not used
+ for this,
+ because Flatpak apps are frequently too large to
+ fit on a tmpfs.
+
FLATPAK_FANCY_OUTPUT
May be set to 0 to avoid fancy
formatting when outputting to a terminal.
This feature is also disabled automatically when
standard output is not a terminal,
or when G_MESSAGES_DEBUG is set.
+
FLATPAK_FORCE_TEXT_AUTH
+ May be set to 1 to force use of
+ a simple built-in
+ polkit(8)
+ agent when authentication is required to modify
+ the system-wide installation.
+ By default,
+ the desktop environment's polkit agent is used,
+ if one is available,
+ usually resulting in a graphical prompt.
+
FLATPAK_GL_DRIVERS
+ A colon-separated list of graphics driver extensions
+ to try to use for OpenGL, Vulkan and similar APIs,
+ most-preferred first.
+ The default is to select a graphics driver
+ automatically.
+ Values in this list match the last dot-separated
+ component of the names of extensions with the
+ active-gl-driver condition.
+ Typical values are
+ default,
+ mesa-git or
+ nvidia-550-120
+ (replacing the version number by the major and minor
+ version of the nvidia kernel module).
+
FLATPAK_RUN_DIR
+ The location of flatpak runtime global files. If this is not set,
+ /run/flatpak is used.
+
FLATPAK_SYSTEM_CACHE_DIR
+ The location where temporary child repositories will be created during pulls
+ into the system-wide installation. If this is not set, a directory in
+ /var/tmp/ is used. This is useful because it is more
+ likely to be on the same filesystem as the system repository (thus increasing
+ the chances for e.g. reflink copying), and we can avoid filling the user's
+ home directory with temporary data.
+
FLATPAK_SYSTEM_DIR
+ The location of the default system-wide installation. If this is not set,
+ /var/lib/flatpak is used (unless overridden at build
+ time by --localstatedir or
+ -Dsystem_install_dir).
FLATPAK_TTY_PROGRESS
May be set to 1 to enable reporting
machine-readable progress to the terminal.
@@ -200,24 +285,6 @@
FLATPAK_USER_DIR
The location of the per-user installation. If this is not set,
$XDG_DATA_HOME/flatpak is used.
-
FLATPAK_SYSTEM_DIR
- The location of the default system-wide installation. If this is not set,
- /var/lib/flatpak is used (unless overridden at build
- time by --localstatedir or --with-system-install-dir).
-
FLATPAK_SYSTEM_CACHE_DIR
- The location where temporary child repositories will be created during pulls
- into the system-wide installation. If this is not set, a directory in
- /var/tmp/ is used. This is useful because it is more
- likely to be on the same filesystem as the system repository (thus increasing
- the chances for e.g. reflink copying), and we can avoid filling the user's
- home directory with temporary data.
-
FLATPAK_CONFIG_DIR
- The location of flatpak site configuration. If this is not set,
- /etc/flatpak is used (unless overridden at build
- time by --sysconfdir).
-
FLATPAK_RUN_DIR
- The location of flatpak runtime global files. If this is not set,
- /run/flatpak is used.
flatpak-permission-show — Show permissions
flatpak permission-show [OPTION...] APP_ID
Lists dynamic permissions for the given app which are stored in the Flatpak permission store. -
- When called without arguments, lists all - the entries in all permission store tables. When called - with one argument, lists all the entries in the named - table. When called with two arguments, lists the entry - in the named table for the given object ID.
The permission store is used by portals.
Each portal generally has its own table in the permission
@@ -2828,7 +2889,7 @@
as well as the --env option. Apart from that, Flatpak always
unsets or overrides the following variables, since their session values
are likely to interfere with the functioning of the sandbox:
-
| PATH |
| LD_LIBRARY_PATH |
| LD_PRELOAD |
| LD_AUDIT |
| XDG_CONFIG_DIRS |
| XDG_DATA_DIRS |
| SHELL |
| TEMP |
| TEMPDIR |
| TMP |
| TMPDIR |
| XDG_RUNTIME_DIR |
| container |
| TZDIR |
| PYTHONPATH |
| PERLLIB |
| PERL5LIB |
| XCURSOR_PATH |
| GST_PLUGIN_PATH_1_0 |
| GST_REGISTRY |
| GST_REGISTRY_1_0 |
| GST_PLUGIN_PATH |
| GST_PLUGIN_SYSTEM_PATH |
| GST_PLUGIN_SCANNER |
| GST_PLUGIN_SCANNER_1_0 |
| GST_PLUGIN_SYSTEM_PATH_1_0 |
| GST_PRESET_PATH |
| GST_PTP_HELPER |
| GST_PTP_HELPER_1_0 |
| GST_INSTALL_PLUGINS_HELPER |
| KRB5CCNAME |
| XKB_CONFIG_ROOT |
| GIO_EXTRA_MODULES |
| GDK_BACKEND |
| VK_ADD_DRIVER_FILES |
| VK_ADD_LAYER_PATH |
| VK_DRIVER_FILES |
| VK_ICD_FILENAMES |
| VK_LAYER_PATH |
| __EGL_EXTERNAL_PLATFORM_CONFIG_DIRS |
| __EGL_EXTERNAL_PLATFORM_CONFIG_FILENAMES |
| __EGL_VENDOR_LIBRARY_DIRS |
| __EGL_VENDOR_LIBRARY_FILENAMES |
+
| PATH |
| LD_LIBRARY_PATH |
| LD_PRELOAD |
| LD_AUDIT |
| XDG_CONFIG_DIRS |
| XDG_DATA_DIRS |
| SHELL |
| TEMP |
| TEMPDIR |
| TMP |
| TMPDIR |
| XDG_RUNTIME_DIR |
| container |
| TZDIR |
| PYTHONPATH |
| PYTHONPYCACHEPREFIX |
| PERLLIB |
| PERL5LIB |
| XCURSOR_PATH |
| GST_PLUGIN_PATH_1_0 |
| GST_REGISTRY |
| GST_REGISTRY_1_0 |
| GST_PLUGIN_PATH |
| GST_PLUGIN_SYSTEM_PATH |
| GST_PLUGIN_SCANNER |
| GST_PLUGIN_SCANNER_1_0 |
| GST_PLUGIN_SYSTEM_PATH_1_0 |
| GST_PRESET_PATH |
| GST_PTP_HELPER |
| GST_PTP_HELPER_1_0 |
| GST_INSTALL_PLUGINS_HELPER |
| KRB5CCNAME |
| XKB_CONFIG_ROOT |
| GIO_EXTRA_MODULES |
| GDK_BACKEND |
| VK_ADD_DRIVER_FILES |
| VK_ADD_LAYER_PATH |
| VK_DRIVER_FILES |
| VK_ICD_FILENAMES |
| VK_LAYER_PATH |
| __EGL_EXTERNAL_PLATFORM_CONFIG_DIRS |
| __EGL_EXTERNAL_PLATFORM_CONFIG_FILENAMES |
| __EGL_VENDOR_LIBRARY_DIRS |
| __EGL_VENDOR_LIBRARY_FILENAMES |
Also several environment variables with the prefix "GST_" that are used by gstreamer are unset (since Flatpak 1.12.5).
@@ -4005,47 +4066,49 @@
The default policy for the session bus only allows the
application to own its own application ID, its
- subnames and its own application id as a subname of
- "org.mpris.MediaPlayer2". For instance if the app is called
- "org.my.App", it can only own "org.my.App", "org.my.App.*"
- and "org.mpris.MediaPlayer2.org.my.App".
+ subnames and its own application ID as a subname of
+ org.mpris.MediaPlayer2. For instance if the app is called
+ org.my.App, it can only own org.my.App,
+ org.my.App.*
+ and org.mpris.MediaPlayer2.org.my.App.
It is only allowed to talk to names matching those patterns, plus
- the bus itself (org.freedesktop.DBus)
- and the portal APIs (bus names of the form org.freedesktop.portal.*).
+ the bus itself (org.freedesktop.DBus)
+ and the portal APIs (bus names of the form org.freedesktop.portal.*).
Additionally the app is always allowed to reply to messages sent to it, and emit broadcast signals (but these will not reach other sandboxed apps unless they are allowed to talk to your app.
- If the [Session Bus Policy] group is present, it provides
+ If the [Session Bus Policy] group is present, it provides
policy for session bus access.
Each key in this group has the form of a D-Bus bus name or
prefix thereof, for example org.gnome.SessionManager
- or org.freedesktop.portal.*
+ or org.freedesktop.portal.*.
- The possible values for entry are, in increasing order or - access: + The possible values for an entry are the following, in increasing order of + access. Each value implies all the access from any lower values:
none- The bus name or names in question is invisible to the application. + The bus name is invisible to the application. Available since 0.2.
see- The bus name or names can be enumerated by the application. + The bus name can be enumerated by the application. Available since 0.2.
talk- The application can send messages/ and receive replies and signals from the bus name or names. + The application can send messages to, and receive replies and signals from, the bus name. Available since 0.2.
own- The application can own the bus name or names (as well as all the above). + The application can own the bus name. Available since 0.2.
If the sockets key is not allowing full access
to the D-Bus system bus, then flatpak does not make the system
- bus available unless the [System Bus Policy] group is present
+ bus available unless the [System Bus Policy] group is present
and provides a policy for filtered access. Available since 0.2.
- Entries in this group have the same form as for the [Session Bus Policy] group.
+ Entries in this group have the same form as for the
+ [Session Bus Policy] group.
However, the app has no permissions by default.
The [Environment] group specifies environment variables to set @@ -4283,6 +4346,11 @@ is a Flatpak extension that indicates that the remote is not an ostree repository, but is rather an URL to an index of OCI images that are stored within a container image registry. +
+ For OCI remotes, client and CA certificates are read from
+ /etc/containers/certs.d and
+ ~/.config/containers/certs.d as documented in
+ containers-certs.d(5).
gpg-verify (boolean)Whether to use GPG verification for content from this remote.
gpg-verify-summary (boolean)Whether to use GPG verification for the summary of this remote.
This is ignored if collection-id is set, as refs are verified in commit metadata in that case. Enabling gpg-verify-summary would break peer to peer distribution of refs.
collection-id (string)The globally unique identifier for the upstream collection repository, to allow mirrors to be grouped.
All flatpak-specific keys have a xa. prefix:
xa.disable (boolean)Whether the remote is disabled. Defaults to false.
xa.prio (integer)The priority for the remote. This is used when listing remotes, and when