Package managementIntermediate22 min read

What Does flatpak Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Flatpak is a tool that lets you install and run apps on Linux without worrying about which version of Linux you have or what other software is already installed. It wraps each app with its own needed files, so it works smoothly on almost any Linux system. This is similar to how a portable app on Windows doesn’t need to be installed. Flatpak also keeps apps separate from each other for better security.

Common Commands & Configuration

flatpak install flathub org.gimp.GIMP

Installs the GIMP image editor from the Flathub remote. This is the most common way to install a Flatpak application.

flatpak run org.gimp.GIMP

Launches the GIMP application inside its sandboxed environment.

flatpak list

Lists all installed Flatpak applications and runtimes. Use `--app` to show only applications, `--runtime` to show only runtimes.

flatpak update

Updates all installed Flatpak applications and runtimes to the latest available versions from their remotes.

flatpak uninstall org.gimp.GIMP

Removes the GIMP application, but keeps its runtime and user data. Add `--delete-data` to remove user configuration as well.

flatpak override --user org.gimp.GIMP --filesystem=host:ro

Grants the GIMP application read-only access to the entire host filesystem. The `--user` flag applies the override only to the current user.

flatpak info -m org.gimp.GIMP

Shows the metadata, including permissions (filesystem, sockets, devices) for the specified application.

flatpak search firefox

Searches available Flatpak remotes for applications matching 'firefox' and displays their full IDs and descriptions.

flatpak uninstall --unused

Removes any runtimes that are no longer required by any installed application. This helps free up disk space.

Must Know for Exams

Flatpak appears in various Linux certification exams, most notably the CompTIA Linux+ (XK0-005), Red Hat Certified System Administrator (RHCSA), and the Linux Professional Institute (LPI) Linux Essentials and LPIC-1 exams. In CompTIA Linux+, the exam objectives include “Given a scenario, manage software configurations” and specifically mention package management tools including Flatpak. You might be asked to identify the correct command to install a Flatpak application from a remote repository, or to recognize the difference between Flatpak and Snap. The exam may present a scenario where a user cannot install an application due to dependency issues, and the correct solution involves using Flatpak.

For the RHCSA exam, Red Hat has introduced Flatpak as a supported package management method. While the RHCSA traditionally focuses on RPM and DNF, newer objectives include understanding alternative package formats. You could be asked to install a Flatpak from a given URL or to list installed Flatpak applications. The exam might test your ability to troubleshoot an application that fails to launch because of insufficient sandbox permissions.

In LPI exams (especially LPIC-1 101-500), the section on package management now includes Flatpak and Snap as supplementary tools. Questions may ask for the command to update a Flatpak runtime or to remove a Flatpak application. Trap questions often involve confusing Flatpak commands with similar RPM or DNF commands. For example, a student might mistakenly use `dnf install` instead of `flatpak install`. Another common exam trap is assuming Flatpak applications run with full system access, which they do not by default.

Finally, in general IT certifications like CompTIA A+ or Network+, Flatpak may appear in a light supporting role as an example of a containerized application technology. You won’t be expected to know detailed commands, but you should understand the concept of sandboxed app deployment. In cloud or DevOps certifications (like AWS SysOps or Azure Administrator), Flatpak is less relevant unless the exam explicitly covers Linux desktop environments. So for most candidates, focusing on the command syntax (`flatpak install`, `flatpak run`, `flatpak list`, `flatpak update`) and the sandboxing concept is sufficient.

Simple Meaning

Think of your computer like an apartment building. Each tenant (or application) wants to put up decorations, but if everyone nails shelves into the same wall, the wall gets weak and might break. Traditional software installation is like letting each tenant hammer nails wherever they want, into the same walls, causing conflicts and mess. Flatpak is like giving each tenant their own separate, self-contained room with its own walls, floor, and ceiling. When a tenant wants to move in, they bring all their own furniture, decorations, and even their own paint. They don’t touch the building’s main structure or other tenants’ rooms. If a tenant leaves, they take everything with them, leaving no trace.

In more practical terms, when you install a program the old way on Linux, it usually puts files in shared folders like /usr/bin or /usr/lib. If two programs need different versions of the same helper library (say, a library that helps draw buttons on the screen), they can fight over which version is in the shared folder. This is often called “dependency hell.” Flatpak solves this by putting each app and its specific libraries inside its own private folder. The app only sees its own files, and a shared runtime system provides basic, common tools without causing conflict. This means an app built for Ubuntu can run perfectly on Fedora, Debian, or any other Linux distribution, because the app carries its own environment. Also, because apps are sandboxed (isolated), a bug or virus in one app cannot easily access your personal files or other apps. This makes your system more stable and secure. Flatpak uses a technology called “bubbles” (from the tool “bubblewrap”) to create these isolated spaces. So Flatpak is not just a package manager; it’s a whole platform for distributing and running Linux applications in a safe, portable way.

Full Technical Definition

Flatpak is a next-generation application sandboxing and distribution framework for Linux desktop systems. It operates by decoupling applications from the host operating system’s underlying libraries and configuration. At its core, Flatpak uses a combination of Linux kernel features such as namespaces, cgroups (control groups), and seccomp (secure computing mode) to create isolated environments for each application. The fundamental architecture consists of three layers: the runtime, the application, and the Flatpak daemon (flatpak-session-helper).

The runtime is a base set of libraries (like GLib, GTK, or Qt) that an application expects to be present. Flatpak provides shared runtimes such as org.freedesktop.Platform or org.gnome.Platform. Multiple applications can share the same runtime, saving disk space. The application itself is packaged as a Flatpak bundle containing the app’s binaries, data, and additional libraries that are not in the runtime. These are distributed via remote repositories (remotes) such as Flathub. The Flatpak command-line tool or GUI software center handles downloads, dependency resolution, and installation.

During installation, Flatpak unpacks the application into a dedicated directory under /var/lib/flatpak/app/ or ~/.local/share/flatpak/app/. The application is then launched via the Flatpak portal system, which uses the D-Bus message bus and the xdg-desktop-portal interface to request resources (like file access, network, or notifications) from the host system. By default, an application has very limited access: it cannot see files outside its sandbox, cannot communicate with other processes normally, and cannot access hardware directly. Permissions are declared in a manifest file and can be granted or revoked by the user using commands like flatpak override.

The isolation is enforced by bubblewrap, a low-level tool that uses user namespaces to remap user IDs, mount namespaces to create a private filesystem, network namespaces to block or restrict network access, and seccomp filters to limit system calls. This means that even if an application is malicious, it cannot easily compromise the host system. Flatpak also supports partial updates, offline installation, and atomic upgrades (the entire application is replaced in one step, avoiding half-installed states).

From an IT certification perspective, understanding Flatpak is important because many modern enterprise Linux distributions (like RHEL, Fedora, Ubuntu) are adopting Flatpak as a way to distribute software without breaking system stability. It is often compared to Snap (a similar technology by Canonical). The difference lies in the sandboxing approach and the runtime model: Flatpak uses a per-application sandbox, while Snap uses a system-wide confinement model. Both are important for container-like desktop virtualization. In exams, you may be asked to identify the purpose of Flatpak, its sandboxing mechanisms, or how to manage Flatpak applications via the command line.

Real-Life Example

Imagine you live in a dormitory with a shared kitchen. One resident, Alex, wants to cook a complex meal that requires a specific brand of blender, a special spice, and a unique type of pan. If Alex uses the shared kitchen normally, they would need to check if that blender is available, if someone else already used the spice, and whether the pan is free. If someone else, Jamie, is also cooking at the same time and wants the same pan, there is a conflict. They might have to wait, or worse, Jamie might have already started and left the pan dirty. This is similar to traditional Linux package management where an app needs specific library versions that might conflict with other apps.

Now imagine the dormitory installs a set of “personal cooking pods” for each resident. Each pod is a small, private, fully equipped kitchen that contains all the tools and ingredients that resident selects. Alex gets a pod with that exact blender, that exact spice, and that exact pan. Jamie gets a pod with their own preferred equipment. They can both cook at the same time, without interfering. When Alex is done, they can clean up and close the pod, leaving no mess in the shared space. They can even take the whole pod and move to a different dormitory that supports the same pod system.

In this analogy, the dormitory building is your Linux operating system. The shared kitchen represents the system’s common library folders like /usr/lib. The personal cooking pods are Flatpak’s sandboxes. The blender, spice, and pan are the specific libraries or dependencies an application needs. The ability to move the pod to another dormitory is Flatpak’s cross-distribution portability. By using this model, every application gets a consistent environment, conflict is eliminated, and system cleanliness is maintained.

Why This Term Matters

For IT professionals managing Linux desktops or servers with graphical applications, Flatpak solves significant operational challenges. In a corporate environment, you often need to run custom or third‑party software that was built for a different Linux distribution or requires libraries that would conflict with the company’s standard image. Flatpak allows you to deploy that application without risking system stability. This reduces support calls caused by broken dependencies and makes system updates safer because upgrading a shared library won’t break Flatpak apps that bundle their own version.

Security is another major concern. Traditional applications installed via the system package manager run with the full permissions of the user. If a user installs a suspicious application, it could access personal documents, passwords, or network services. Flatpak’s sandboxing limits what an app can do by default. For example, a PDF viewer installed via Flatpak might not be able to access your SSH keys unless you explicitly grant file access. This is especially important in environments where users are not fully trusted or where you need to run legacy applications that have known vulnerabilities.

Flatpak simplifies software distribution for developers. Instead of packaging an application for every Linux distribution (deb for Debian/Ubuntu, RPM for Fedora/RHEL, etc.), they can create one Flatpak and publish it on Flathub or a private repository. For IT teams, this means faster deployment of updates and less testing across different distros. Flatpak also supports offline installation and air‑gapped environments, which is critical for secure enterprises. Overall, understanding Flatpak helps you manage modern Linux workflows, reduce maintenance overhead, and improve system security-all topics that can appear in certification exams for Linux administrators or general IT support roles.

How It Appears in Exam Questions

Exam questions about Flatpak typically fall into three categories: command syntax, troubleshooting, and conceptual understanding.

In command syntax questions, you may be given a scenario like “Which command installs the application org.gimp.GIMP from the Flathub remote?” with multiple‑choice options such as `flatpak install flathub org.gimp.GIMP`, `dnf install org.gimp.GIMP`, `apt install gimp`, or `snap install gimp`. The correct choice is `flatpak install flathub org.gimp.GIMP`. Another variant asks to list all installed Flatpak applications: `flatpak list`. Or to update all Flatpak runtimes: `flatpak update`. These questions test your familiarity with the basic command structure-notice that it uses the full application ID (reverse domain format) and the remote name.

Troubleshooting scenarios often involve an application that fails to start. For example, “A user installed a Flatpak application but it cannot access files in the /home/user/Documents directory. What is the most likely cause?” The answer is that the application does not have the necessary filesystem permission. You may be asked to grant permission using `flatpak override --filesystem=home:ro org.example.app`. Another common problem is that the Flatpak runtime is missing or outdated. The question might give an error message like “error: runtime org.gnome.Platform//43 not found” and ask what action to take-the correct answer is to install the runtime via `flatpak install flathub org.gnome.Platform//43`.

Conceptual questions might ask “What is a defining feature of Flatpak compared to traditional package managers?” with options focusing on sandboxing, cross‑distribution compatibility, or atomic updates. Another type asks to identify a disadvantage of Flatpak-for example, increased disk space usage due to bundled libraries. You could also be asked to differentiate Flatpak from Snap: Flatpak uses a per‑application sandbox while Snap uses a system‑wide confinement model; Flatpak uses bubblewrap while Snap uses AppArmor or SELinux. These distinctions are important for exam traps.

Finally, you might face a scenario where a system administrator wants to deploy an application to multiple Linux desktops without affecting the base OS. The question asks for the best method, and the answer is Flatpak (or Snap). In such cases, the exam expects you to weigh the benefits of isolation and portability against traditional package management.

Study CompTIA Linux+

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a junior IT support specialist for a small company that uses Ubuntu Linux on all employee workstations. The marketing department needs to run a design tool called “DesignPro” that is only distributed as a Flatpak from a third‑party repository called “design‑repo.” The software requires a recent version of the GTK library that is not available in the company’s Ubuntu 20.04 LTS repositories. You are tasked with installing this application on the marketing manager’s laptop without breaking any existing software.

First, you open a terminal and check if Flatpak is installed by running `flatpak --version`. It is not installed, so you install Flatpak using `sudo apt install flatpak`. Next, you add the remote repository using `flatpak remote-add --if-not-exists design-repo https://design-repo.example.com/flatpak.flatpakrepo`. Then you install the application with `flatpak install design-repo com.designpro.app`. During the installation, Flatpak automatically downloads the required runtime (org.gnome.Platform). The installation completes without any conflicts.

Now you test the application. You launch it by running `flatpak run com.designpro.app`. The application starts successfully. You notice that it cannot access the user’s Downloads folder. You check the application’s permissions by running `flatpak info -m com.designpro.app`. You see that file access is set to “none.” To grant access to Downloads, you run `flatpak override --user com.designpro.app --filesystem=~/Downloads`. The application then functions as expected.

Later, you want to update all Flatpak applications. You run `flatpak update` and it updates the runtime and the application to newer versions. Six months later, the marketing team decides to use a different design tool, and you remove the old one with `flatpak uninstall com.designpro.app`. You also clean up leftover runtimes with `flatpak uninstall --unused`. Throughout this scenario, you never had to worry about system‑level library conflicts, proving the value of Flatpak in a mixed‑software environment.

Common Mistakes

Using `sudo` in front of every Flatpak command, even when the command is for the user’s own applications.

Flatpak has a user‑level installation mode (under ~/.local/share/flatpak) and a system‑wide mode (under /var/lib/flatpak). Many commands, like `flatpak install --user`, do not need root privileges. Unnecessary use of `sudo` can lead to permission errors if the user does not have sudo rights, or it can install applications system‑wide when the user intended personal installation.

Check whether you need system‑wide or user‑wide installation. For single‑user scenarios, omit `sudo` and use `--user` flag if needed. Use `sudo flatpak` only when you explicitly want to install for all users.

Assuming Flatpak applications have full filesystem access by default.

Flatpak applications are sandboxed and have very limited access. By default, they can only see their own private directory and cannot access the user’s home folder, removable media, or network. This catches many new users who try to open a file using a Flatpak editor and get permission denied.

Use `flatpak override` to grant specific filesystem permissions, or use the application’s menu to request access. Check permissions with `flatpak info -m <app-id>`.

Confusing Flatpak application IDs with package names from traditional package managers.

Traditional package managers (like apt or dnf) use simple names like “gimp” or “firefox.” Flatpak uses reverse‑domain notation like “org.gimp.GIMP” or “org.mozilla.firefox.” A user might type `flatpak install gimp` expecting it to work, but they must use the full ID and specify the remote (e.g., `flatpak install flathub org.gimp.GIMP`).

Always search for the application first with `flatpak search <keyword>` to get the full ID. Then use that ID in the install command, along with the remote name.

Thinking that removing a Flatpak application also removes all its unused runtimes automatically.

Flatpak runtimes (like org.gnome.Platform) can be shared across multiple applications. When you uninstall an application, its runtime remains on disk because it might be needed by other apps. This can lead to accumulated disk usage over time.

Periodically run `flatpak uninstall --unused` to safely remove runtimes that are no longer needed by any installed application.

Exam Trap — Don't Get Fooled

{"trap":"A question asks: “Which command removes a Flatpak application and all of its associated data including user settings and runtimes?” The answer choices include `flatpak remove`, `flatpak uninstall`, and `flatpak delete`. Many learners pick `flatpak uninstall` because it is the standard removal command.

However, the trick is that `flatpak uninstall` only removes the application, not its user data (which remains in ~/.var/app/). To remove user data as well, you must add the `--delete-data` flag."

,"why_learners_choose_it":"Learners assume that the uninstall command cleans everything, like typical package managers. They may not read the question carefully and do not consider the difference between removing the application binary and removing configuration files.","how_to_avoid_it":"Read the question precisely.

If it mentions “all associated data including user settings,” remember that Flatpak uses a separate directory for user data. The correct command is `flatpak uninstall --delete-data <app-id>`. Practice this concept by reviewing the Flatpak man page or documentation before the exam."

Commonly Confused With

flatpakvsSnap (package manager)

Flatpak and Snap are both sandboxed package managers for Linux, but they use different sandboxing technologies. Flatpak uses bubblewrap (userspace namespaces) while Snap uses AppArmor or SELinux, along with cgroups. Flatpak applications are typically updated via the Flathub repository, whereas Snap uses the Snap Store. Snap is more tightly integrated with Ubuntu and supports both desktop and server applications, while Flatpak focuses on desktop graphical apps. In terms of packaging, Flatpak uses a runtime model where multiple apps share a common base, while Snap uses a compressed filesystem image (squashfs) for each app with a separate snap core.

If you need to install GIMP on Ubuntu, you could use `flatpak install flathub org.gimp.GIMP` or `snap install gimp`. Both work, but the Flatpak version might have more up‑to‑date libraries from Flathub, while the Snap version might be more tightly controlled by Canonical.

flatpakvsAppImage

AppImage is another portable Linux application format, but it is not sandboxed. An AppImage is a single executable file that you can download, make executable (`chmod +x`), and run directly. It does not install itself into the system; it runs from the same directory. In contrast, Flatpak requires installation into a managed repository and enforces sandboxing. AppImage is simpler but less secure and does not support automatic updates as as Flatpak.

Downloading LibreOffice as an AppImage means you just download one file and run it. With Flatpak, you run `flatpak install flathub org.libreoffice.LibreOffice` and then updates are handled by `flatpak update`.

flatpakvsDocker (containers)

Docker is a containerization platform primarily used for server-side applications and microservices, running full OS‑level virtualized environments. Flatpak is for desktop GUI applications on Linux. Docker containers are managed with a daemon, use layered images from a registry, and are meant to be ephemeral. Flatpak applications are persistent, sandboxed, and interact with the user’s session via portals. While both use Linux namespaces, Docker is for deploying services, whereas Flatpak is for running user applications securely.

You would use Docker to run a web server or database. You would use Flatpak to run a video editor or a music player on your desktop.

Step-by-Step Breakdown

1

Adding a remote repository

Flatpak needs to know where to find its applications. A remote is a repository URL that hosts Flatpak applications and runtimes. The most common remote is Flathub. You add it with `flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo`. This step is analogous to adding a software source in apt (like a PPA) or a repository in YUM/DNF.

2

Searching for an application

You search for a Flatpak application using `flatpak search <keyword>`. For example, `flatpak search gimp` returns a list of available applications with their full IDs (like org.gimp.GIMP) and descriptions. This is important because the install command requires the exact ID, not just a common name.

3

Installing the application

You install with `flatpak install <remote-name> <app-id>`, e.g., `flatpak install flathub org.gimp.GIMP`. Flatpak automatically resolves and downloads any required runtime (e.g., org.gnome.Platform) if not already present. The installation is atomic: either the entire application is installed or nothing is left in an incomplete state.

4

Running the application

You launch the application with `flatpak run <app-id>`. The system uses bubblewrap to create a sandbox, then runs the application inside it. The application sees only its own files and the permissions granted by its manifest or user overrides.

5

Managing permissions

By default, applications have minimal permissions. You can view them with `flatpak info -m <app-id>`. To grant additional access, use `flatpak override --user <app-id> --filesystem=host` (or specific directories). This modifies the sandbox policy and can be done without reinstalling the app.

6

Updating applications and runtimes

Running `flatpak update` updates all installed applications and runtimes to their latest versions available from their remotes. You can also update a specific app with `flatpak update <app-id>`. Updates are also atomic, and old versions are kept until you run `flatpak uninstall --unused`.

7

Uninstalling applications and cleaning up

Remove an application with `flatpak uninstall <app-id>`. This removes the application but keeps its runtime and user data. To remove user data, use `--delete-data`. To remove unused runtimes, use `flatpak uninstall --unused`. This keeps disk usage tidy and avoids bloating the system.

Practical Mini-Lesson

Flatpak is not just a package manager; it is a complete application runtime and sandboxing platform for Linux desktops. From a practical IT standpoint, you need to understand its architecture to deploy, troubleshoot, and secure applications.

First, the core concept is the runtime-a set of base libraries that applications expect. Flatpak provides several curated runtimes, such as `org.freedesktop.Platform` and `org.gnome.Platform`. When you install a Flatpak, the required runtime is either already present on the system or is automatically downloaded. This runtime is versioned (e.g., //43), and applications depend on a specific major version. If you run `flatpak list --runtime`, you can see all installed runtimes. It is important to keep runtimes updated because they often contain security patches.

Second, the sandbox is enforced by bubblewrap. As an administrator, you may need to diagnose why an application cannot open a file or access the network. You should know the common override flags: `--filesystem` (to grant access to directories like `host`, `home`, `xdg-documents`, or specific paths), `--socket` (to allow the X11 or Wayland display server, or network sockets), and `--device` (to grant access to devices like `dri` for GPU acceleration). For example, `flatpak override --user --socket=network org.mozilla.firefox` allows Firefox to access the internet if it was denied by default (though in practice Firefox usually has that).

Third, Flatpak stores user-specific data in `~/.var/app/<app-id>`. This includes configuration files, cache, and persistent data. If you need to completely reset an application (e.g., troubleshooting a crash), you can delete this directory. Note that uninstalling with `flatpak uninstall` does not remove this directory unless you add `--delete-data`.

Fourth, Flatpak supports offline deployment. You can download a Flatpak bundle (.flatpak file) from a repository and install it with `flatpak install --bundle myapp.flatpak`. This is useful for air-gapped environments. As an IT professional, you might create a local mirror of Flathub for your enterprise. This involves using `flatpak build-update-repo` and `flatpak create-usb` commands.

a common pitfall is running out of disk space due to old runtimes. Run `flatpak uninstall --unused` monthly. Also, note that Flatpak applications are heavier than native packages because they bundle libraries. In an environment with hundreds of users, you might want to share the system-wide installation directory via NFS, but be careful with user-specific data.

In practice, professionals configuring Linux desktops at scale often combine Flatpak with a traditional package manager for core system tools. For example, they use apt for the kernel and base utilities, and Flatpak for user-facing applications like browsers, media players, and office suites. This provides both stability and flexibility.

Troubleshooting Clues

Symptom: Application launches but cannot see any files or folders

Symptom: Application fails to start with error 'error: runtime org.gnome.Platform//43 not found'

Symptom: Application starts but has no sound or cannot use microphone

Memory Tip

Think of Flatpak as a “flat pack” furniture box: each app comes with its own tools and instructions, so it works anywhere without borrowing from the house.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

XK0-005XK0-006(current version)

Related Glossary Terms

Quick Knowledge Check

1.What is the correct command to install the application 'org.videolan.VLC' from the Flathub remote?

2.Which of the following best describes the default filesystem access of a Flatpak application?

3.After uninstalling a Flatpak application with `flatpak uninstall`, what should you do to remove unused runtimes?