Dropping Windows, Bazzite is Great, But How About School/Work Use? A Comprehensive Guide to Separating Gaming and Productivity on Bazzite

As revWhiteShadow, owner of the kts personal blog site, we, like many, have reached a point where Windows’ persistent presence on our machines feels less like a welcome guest and more like an uninvited squatter. The allure of Linux, particularly the Fedora-based Bazzite, has proven irresistible, especially with its seamless support for Nvidia RTX 30 series graphics and its out-of-the-box gaming capabilities. We’ve dabbled with other distros like Ubuntu and Mint, but the Bazzite/Fedora KDE Plasma combination just feels right. The gaming performance is undeniably superb, but the desire to transition entirely to Linux, encompassing school, work, and personal use, presents a new challenge: effectively separating the gaming and productivity aspects of our digital lives. The goal is to create isolated environments, preventing access to Steam and other gaming platforms from the personal side and vice versa. So how do we accomplish this?

Addressing the Separation Challenge: Beyond Multiple User Accounts

The immediate and most obvious solution is, of course, multiple user accounts. However, simple user accounts alone are insufficient for the level of isolation required to truly keep work and play separate. They offer limited protection against accidental access and don’t effectively isolate applications or data.

Limitations of Simple User Accounts

While user accounts provide basic separation, they fall short in several critical areas:

  • Application Visibility: Applications installed by one user are often visible to others, even if not directly accessible. This creates clutter and potential distractions.
  • Data Leakage: Sharing files between users can be cumbersome and poses a risk of accidentally exposing sensitive data from the work environment to the gaming environment (or vice versa).
  • Configuration Conflicts: System-wide settings can impact both user accounts, potentially causing conflicts or unintended side effects.
  • Lack of True Isolation: Ultimately, user accounts share the same underlying system, making them vulnerable to exploits that could compromise both environments.

Therefore, we need to explore more robust isolation techniques.

Containerization: A Powerful Solution for Application and Environment Isolation

Containerization offers a far more sophisticated approach to isolating applications and environments. Technologies like Docker and Podman allow you to package applications and their dependencies into self-contained units, preventing them from interfering with each other or the host system.

Leveraging Podman on Bazzite for Isolation

Since Bazzite is Fedora-based, Podman is a natural choice for containerization. Podman is a daemonless container engine that’s fully compatible with Docker images and offers several advantages over Docker, including enhanced security and rootless operation.

Creating a Work Container

  1. Define a Base Image: Start by selecting a base image that provides the foundation for your work environment. Popular choices include fedora:latest, ubuntu:latest, or even specialized images like debian:stable-slim.

    podman pull fedora:latest
    
  2. Create a Dockerfile: A Dockerfile is a text file that contains instructions for building a container image. Create a file named Dockerfile in a dedicated directory.

    FROM fedora:latest
    
    # Install necessary packages for work/school
    RUN dnf update -y && \
        dnf install -y libreoffice vim git firefox chromium
    
    # Create a dedicated user for work
    RUN useradd -m workuser
    USER workuser
    
    # Set the working directory
    WORKDIR /home/workuser
    
  3. Build the Image: Use the podman build command to build the container image.

    podman build -t work-environment .
    
  4. Run the Container: Use the podman run command to start a container based on the image. It is important to map a folder on your hard disk into the container; that way your work is saved on the host and is not lost when the container is stopped or removed.

    podman run -it -v /path/to/your/work/directory:/home/workuser/work:Z --name work-container work-environment
    
    • -it: Allocates a pseudo-TTY and keeps STDIN open, allowing you to interact with the container.
    • -v /path/to/your/work/directory:/home/workuser/work:Z: Mounts a directory from your host system into the container, allowing you to share files between the host and the container. Change /path/to/your/work/directory to an existing folder on your machine. The :Z suffix relabels the directory for SELinux, which Fedora-based systems run in enforcing mode; without it the container is denied access to the mounted files.
    • --name work-container: Assigns a name to the container for easy management.
  5. Accessing the Container: The container will now provide a terminal prompt. Any application inside the container will be isolated from the rest of the system. To open a GUI application from within the container, you need access to a display server such as X11 or Wayland.

Setting up X11 Forwarding for Graphical Applications in Podman

To run graphical applications within the Podman container, you’ll need to configure X11 forwarding. This allows the container to display its graphical output on your host system.

  1. Install X11 Packages in the Container: Ensure that the necessary X11 packages are installed within the container image. Add the following lines to your Dockerfile (before the USER instruction):

    RUN dnf install -y xorg-x11-server-Xorg xorg-x11-xauth
    
  2. Configure X11 Forwarding: When running the container, add the following options to the podman run command:

    podman run -it \
        -e DISPLAY=$DISPLAY \
        -v /tmp/.X11-unix:/tmp/.X11-unix \
        --security-opt label=disable \
        -v /path/to/your/work/directory:/home/workuser/work \
        --name work-container work-environment
    
    • -e DISPLAY=$DISPLAY: Sets the DISPLAY environment variable within the container to match the host system’s display.
    • -v /tmp/.X11-unix:/tmp/.X11-unix: Mounts the X11 socket from the host system into the container.
    • --security-opt label=disable: Disables SELinux labeling for the container, which is often necessary for X11 forwarding to work correctly.
  3. Run xauth: The container starts without an .Xauthority file, so listing entries inside it returns nothing and adding them to themselves is a no-op. Instead, copy the host’s cookie across. On the host, print the cookie for your display:

    xauth list "$DISPLAY"
    
    Then, inside the container, add that cookie under the container’s own hostname (replace <cookie> with the hex value printed on the host; the X server checks only the cookie value, not the hostname):

    xauth add "$DISPLAY" MIT-MAGIC-COOKIE-1 <cookie>
    
    

Now you should be able to run graphical applications like Firefox or LibreOffice within the container, and their windows will appear on your host system’s display.
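The following script ties together the run command from “Creating a Work Container” and the X11 forwarding steps above. It is an added example, not code from the original post or from the Bazzite project, and it goes one step further than the manual xauth step: it exports only the cookie for the current display into a dedicated file, rewrites the cookie’s address family to the wildcard value so it matches regardless of the container’s hostname, and mounts that file read-only instead of sharing the whole host .Xauthority or opening the display with xhost. It assumes podman and xauth are installed on the host, that $DISPLAY is set, that the image work-environment was built from the post’s Dockerfile, and that WORK_DIR (a placeholder defaulting to $HOME/work) points at the host folder you want mounted.

```shell
#!/bin/sh
# Added example (not from the original post): start the work container with a
# hostname-independent X11 cookie instead of running xauth by hand inside it.
# Assumptions: host has podman and xauth, $DISPLAY is set, the image
# "work-environment" exists, and WORK_DIR is the host folder to mount.
set -eu

WORK_DIR="${WORK_DIR:-$HOME/work}"                          # placeholder host folder
XAUTH_FILE="${XDG_RUNTIME_DIR:-/tmp}/work-container.xauth"  # runtime dir is mode 0700

# `xauth nlist` prints one record per cookie; its first field is the address
# family (0100 = FamilyLocal, which is bound to the host's hostname). Rewriting
# it to ffff (FamilyWild) lets the entry match inside the container, whose
# hostname differs from the host's.
wildcard_cookie() {
    sed -e 's/^..../ffff/'
}

# Write a cookie file holding only the entry for $DISPLAY, nothing else from
# the host's .Xauthority.
make_cookie_file() {
    xauth nlist "$DISPLAY" | wildcard_cookie | xauth -f "$XAUTH_FILE" nmerge -
    # workuser inside the container maps to a sub-UID of the host user, so the
    # file must be readable by "other"; the 0700 runtime dir keeps other host
    # users away from it.
    chmod 0644 "$XAUTH_FILE"
}

run_work_container() {
    if [ ! -d "$WORK_DIR" ]; then
        echo "work directory $WORK_DIR does not exist" >&2
        return 1
    fi
    make_cookie_file
    podman run -it \
        -e DISPLAY="$DISPLAY" \
        -e XAUTHORITY=/tmp/.Xauthority \
        -v /tmp/.X11-unix:/tmp/.X11-unix \
        -v "$XAUTH_FILE":/tmp/.Xauthority:ro \
        --security-opt label=disable \
        -v "$WORK_DIR":/home/workuser/work \
        --name work-container work-environment
}

# Only launch when invoked as `sh work-container.sh run`, so the helper
# functions can also be sourced or checked on their own.
if [ "${1:-}" = "run" ]; then
    run_work_container
fi
```

Save it as work-container.sh and start the environment with `sh work-container.sh run`. Because the container reads the cookie from /tmp/.Xauthority, the manual xauth add step is no longer needed, and the cookie file lives under $XDG_RUNTIME_DIR, so it disappears at logout.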

Creating a Gaming Container (Optional)

You can apply the same principles to create a gaming container, isolating Steam and other gaming platforms from your personal environment. This can be useful for testing games in a controlled environment or preventing game updates from interfering with your system. However, running games within a container may introduce performance overhead, so consider whether it’s truly necessary. Bazzite comes preconfigured with tools like Steam, Lutris, and Heroic Games Launcher, so it’s more practical to isolate the personal environment.

Benefits of Containerization

  • Strong Isolation: Containers provide a high degree of isolation, preventing applications from interfering with each other or the host system.
  • Reproducibility: Containers ensure that your applications run consistently across different environments.
  • Portability: Containers can be easily moved between different machines or cloud platforms.
  • Security: Containers can enhance security by limiting the attack surface of individual applications.
  • Cleanliness: Installing and removing applications within a container leaves your host system clean and uncluttered.

Virtualization: A More Resource-Intensive but Comprehensive Isolation Approach

Virtualization takes isolation to the next level by creating completely separate virtual machines (VMs). Each VM has its own operating system, kernel, and resources, providing a higher degree of isolation than containerization.

Utilizing KVM/QEMU on Bazzite

KVM (Kernel-based Virtual Machine) is a virtualization technology built into the Linux kernel. QEMU is a software emulator that can be used in conjunction with KVM to create and manage VMs.

Installing KVM/QEMU

Bazzite, being Fedora-based, makes installing KVM/QEMU relatively straightforward:

sudo dnf install @virtualization
sudo systemctl enable --now libvirtd

Creating a Virtual Machine

You can use tools like virt-manager (Virtual Machine Manager) to create and manage VMs graphically.

  1. Install Virt-Manager:

    sudo dnf install virt-manager
    
  2. Launch Virt-Manager: Open the Virtual Machine Manager application.

  3. Create a New VM: Click the “Create a new virtual machine” button.

  4. Follow the Wizard: The wizard will guide you through the process of selecting an installation source (e.g., an ISO image), allocating resources (CPU, memory, disk space), and configuring network settings.

  5. Install an Operating System: Once the VM is created, start it and install your desired operating system (e.g., Fedora, Ubuntu, Windows).

Dedicated VMs for Work and Personal Use

With virtualization, you can create two separate VMs: one for work/school and one for personal use. This provides complete isolation between the two environments.

Advantages of Virtualization

  • Complete Isolation: VMs offer the highest degree of isolation, ensuring that activities in one environment cannot affect the other.
  • Operating System Flexibility: You can run different operating systems in each VM, allowing you to tailor the environment to your specific needs.
  • Enhanced Security: VMs provide a strong security boundary, preventing malware or vulnerabilities in one environment from spreading to the other.
  • Resource Allocation: You can allocate dedicated resources to each VM, ensuring that critical applications have sufficient resources to run smoothly.

Disadvantages of Virtualization

  • Resource Intensive: VMs require significant resources (CPU, memory, disk space), especially when running multiple VMs simultaneously.
  • Overhead: Virtualization introduces some performance overhead compared to running applications directly on the host system.
  • Complexity: Setting up and managing VMs can be more complex than using containers or simple user accounts.

Combining Approaches: Layered Security

For maximum security and isolation, you can combine containerization and virtualization. For example, you could run your work applications within containers inside a dedicated work VM. This adds an extra layer of protection against potential security breaches.

Practical Considerations for Bazzite

  • Desktop Environment: Bazzite comes with KDE Plasma. Ensure the chosen desktop environment (or another one installed in a container) is configured properly.
  • File Sharing: Carefully consider how you’ll share files between the host system and the isolated environments. Use secure protocols like SFTP or dedicated file-sharing services.
  • Backup Strategy: Implement a robust backup strategy to protect your data in both the host system and the isolated environments.
  • Performance Monitoring: Monitor the performance of your system and the isolated environments to identify and resolve any bottlenecks.

Conclusion: Tailoring Isolation to Your Specific Needs

Choosing the right approach to separating gaming and productivity on Bazzite depends on your specific needs and priorities. Simple user accounts are insufficient for true isolation. Containerization offers a lightweight and flexible solution for isolating applications and environments, while virtualization provides the highest degree of isolation but requires more resources. By carefully considering the advantages and disadvantages of each approach, you can create a secure and efficient workflow that allows you to enjoy the benefits of Bazzite for both gaming and productivity. In the end, it is up to the user to define their workflow. Our personal preference goes to the containerization with Podman.