My immutable Fedora
April 29, 2021
For many years now, I’ve been using immutable versions of Fedora. I remember that I started to play with immutable Fedora back in 2015 when Fedora Atomic was new. I liked the idea since the first time I’ve read about it, but in the beginning, I did not spend too much time making it work on my setup because it seemed a little bit too complex. At DevConf.cz 2016, I met Patrick Uiterwijk, who was running his spin of Fedora Atomic. We had a long chat on it, and he explained to me his workflow. Soon after, I started to use an immutable version of Fedora on my personal laptop, but I was not daring to use it on my work laptop. When I left Red Hat at the end of 2017, my personal laptop became my only laptop for a little while, and the immutable Fedora became my only OS. Since then, I’ve been using only immutable Fedora on my computers. In June 2020, I took the time to clean up my build process and files, and I moved all the needed bits to a new git repo that is now openly available and can be found here.
If you are wondering what’s an immutable OS and why it’s different from a “mutable” (or “standard”) OS, the short version of it is that with an immutable OS, when the OS is running, the OS filesystem is in read-only mode. Therefore no application can change the OS or the installed applications. This aspect has many implications, one of which is that you can not upgrade or alter the installed software, but you need to “re-install” the whole OS while the OS is not running. This feature can seem more a problem than a feature, but as we will see, it’s not, and actually, it does bring a lot of advantages.
There are many aspects that I enjoy about the immutable OS I use. The biggest ones are the cleanness of the environment, the update process, and its security.
The cleanness of the environment is mainly due to the fact that I build my own images and could also be achieved with mutable OSes as well, but I think thanks to Fedora immutable tools, this is much easier with an immutable OS.
To build the whole OS, I only need a YAML file with some variables and the list of packages to be installed, and the
rpm-ostree tool will take care to build (and then install) the whole OS.
This process makes it very easy to version the source files and to track the changes over time.
In addition to the cleanness of the build process, I love the cleanness of having all the software that I use, but only the software that I use installed on my OS.
Due to how I have set up my environment (but I believe it’s also the current default for Fedoraofficial immutable OSes such as Fedora CoreOS and Fedora SilverBlue), I have two bootable partitions. When I do updates, I update the non-active partition. This workflow allows me to always have a version that I’m sure works correctly and that I can go back to if the newly updated version is somehow broken.
The security aspect was the one that initially brought me to the immutable OS world. The fact that the OS filesystem currently in use is mounted in read-only mode (and the other one is not mounted at all) means that most kind of attacks trying to implant a long-lasting malware or backdoor will not be effective. This aspect does not mean that an immutable OS is 100% secure, but the attack surface is way less than a mutable OS.
I wanted to create this blog post for quite some time because immutable OSes have huge advantages, and I think more people should consider them as their next OS. I would suggest to anyone interested in the topic to start from a pre-built OS such as Fedora CoreOS (mainly for servers) or Fedora Silverblue (for GNOME environments). You can then use the layering feature to add a few software that you might need on top of the official images.