Immutable distribution - Fedora Silverblue - Technological watch

Learn what an immutable distribution is in less than 5 minutes!
Monday, May 6, 2024

Introduction

In the realm of Linux distributions, a paradigm is gaining traction: immutable distributions. These distributions share one defining characteristic: the operating system itself (on Fedora Silverblue, everything under /usr) is mounted read-only and only changes as a whole, through atomic updates. This seemingly simple property brings a host of benefits: the installed system is in a known, reproducible state, it cannot drift through ad-hoc modifications, and a bad update can be rolled back to the previous image. The result is a system that is more secure, reliable and stable.

The philosophy driving this approach is a shift from installing applications directly onto the root filesystem to installing them in containers: sandboxed Flatpaks for desktop applications and Podman-based Toolbox containers for command-line tools. This encapsulation adds a layer of isolation between the applications and the base system, so the underlying system is never modified by the software running on it.

Updating an immutable distribution also works differently from a traditional package-by-package upgrade. Instead of modifying the running system in place, the update is prepared as a new, complete system image (on Silverblue, an OSTree deployment) that already contains the updated packages. The running system is left untouched; the update takes effect when you reboot into the new image, and the previous image is kept so that you can boot back into it if something goes wrong.

There are numerous immutable distributions available. Here are a few examples (in no particular order):

  • carbonOS: An upcoming independent Linux distribution that focuses on providing a seamless user experience with robust technology at its core.
  • Fedora Silverblue: A variant of Fedora Workstation that emphasizes immutability.
  • Flatcar Container Linux: A Linux distribution built by the community and tailored for container workloads.
  • NixOS: An innovative distribution with declarative and reproducible system configurations.
  • Vanilla OS: An immutable distribution that offers users a stock (or vanilla) GNOME experience.

Introduction to Fedora Silverblue

Fedora Silverblue is the immutable variant of Fedora Workstation (the standard, non-immutable Fedora desktop).

Managing Fedora Silverblue

In this section, we will explore how to install software, set up a development environment, and update the distribution.

Flatpak

Source: https://docs.fedoraproject.org/en-US/flatpak/

Flatpak is an application packaging and distribution system for Linux desktops. Applications ship with their dependencies on top of a shared runtime, so they install and run the same way regardless of the distribution underneath, and you never have to worry about dependency conflicts.

One of Flatpak's key features is sandboxing: each application runs isolated from the others and from the host, using kernel namespaces and seccomp filters (via bubblewrap), which enhances the security of your system. Keep in mind that the sandbox is only as strong as the permissions the application asks for: an app granted filesystem=host or the X11 socket can reach far beyond its sandbox, so it is worth inspecting the permissions of what you install (flatpak info --show-permissions <app-id>) and tightening them where possible.

It is perfect if you want to install ordinary desktop applications such as GIMP or LibreOffice.

flatpak search gimp     # find the application ID (org.gimp.GIMP) and the remote that offers it
flatpak install gimp    # install it; flatpak asks which match and remote to use

Note: the Fedora remote only carries a subset of applications; to get access to many more, enable the Flathub remote (https://flathub.org) as an additional Flatpak repository.
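Since the sandbox is only as strong as the permissions an application requests, a practical check is to read those permissions and flag the grants that effectively break out of the sandbox. The script below is an added example and is not part of the Fedora documentation or of Flatpak itself: it reads the permission metadata that flatpak info --show-permissions prints (a [Context] section plus optional bus-policy sections) and reports the broad grants. The sample metadata is constructed for the demonstration, not captured from a real application.

```shell
# Added example: flag broad sandbox grants in Flatpak permission metadata.
# Input is the text printed by `flatpak info --show-permissions <app-id>`:
# a [Context] section plus optional [Session Bus Policy] / [System Bus Policy].

# Constructed sample, not captured from a real application.
SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
'

# audit_flatpak_perms: read metadata on stdin, print one line per risky grant.
# Exit status 1 if anything risky was found, 0 if the profile looks tight.
audit_flatpak_perms() {
    awk '
        BEGIN { FS = "="; risky = 0 }
        /^\[/ { section = $0; next }
        section == "[Context]" && $1 == "filesystems" {
            n = split($2, fs, ";")
            for (i = 1; i <= n; i++)
                if (fs[i] == "host" || fs[i] == "host-os" || fs[i] == "host-etc" || fs[i] == "home") {
                    print "filesystems=" fs[i] ": broad access to the host filesystem"; risky = 1
                }
        }
        section == "[Context]" && $1 == "sockets" {
            if ($2 ~ /(^|;)x11(;|$)/) { print "sockets=x11: X11 offers no isolation between clients (keylogging, window snooping)"; risky = 1 }
            if ($2 ~ /(^|;)(session-bus|system-bus)(;|$)/) { print "sockets=" $2 ": unfiltered D-Bus access"; risky = 1 }
        }
        section == "[Context]" && $1 == "devices" && $2 ~ /(^|;)all(;|$)/ {
            print "devices=all: every /dev node is visible"; risky = 1
        }
        section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && $2 != "none" {
            print "talks to org.freedesktop.Flatpak: can spawn commands outside the sandbox (flatpak-spawn --host)"; risky = 1
        }
        END { exit risky }
    '
}

# check_installed_app: run the same audit against an installed Flatpak by ID.
check_installed_app() {
    flatpak info --show-permissions "$1" | audit_flatpak_perms
}

# Usage on the constructed sample:
if printf '%s' "$SAMPLE_PERMS" | audit_flatpak_perms; then
    echo "no broad permissions found"
else
    echo "review the grants above; tighten with: flatpak override --user --nofilesystem=host <app-id>"
fi
```

On a real system, run check_installed_app org.gimp.GIMP (or any installed ID); the flags it raises are the ones that matter when deciding whether a Flatpak's sandbox is meaningful for that application.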

Toolbox

Source: https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/

Toolbox is a utility provided by Fedora for creating containerized command-line environments on top of your Fedora base system. It is built on OCI container images and Podman: each toolbox is a rootless Podman container that shares your home directory, user account and session with the host, so working inside it feels like a normal shell.

Toolbox addresses a key constraint of Fedora Silverblue: dnf is not available on the host (the package set is managed by rpm-ostree) and /usr is read-only. Inside a toolbox, users can build a complete development environment with compilers, debuggers, editors, SDKs and so on (GUI or CLI tools), using dnf exactly as on a regular Fedora system. Keep in mind that a toolbox is a convenience container, not a security boundary: it runs as your user with your home directory mounted, so anything installed inside it can read and modify your files like any other program you run.

toolbox list                      # list existing toolboxes and their images
toolbox create <name>             # create a toolbox from the default Fedora image
toolbox enter <name>              # open a shell inside it
# Once in the toolbox, we can use dnf to install our software
# Example:
dnf check-update
sudo dnf install code nodejs php  # etc... (code needs the VS Code repository added first)
code .                            # open VS Code from inside the toolbox
exit                              # leave the toolbox
toolbox rm <name>                 # delete the container (it must be stopped first)

rpm-ostree

Source: https://coreos.github.io/rpm-ostree/

If you need to change Fedora Silverblue itself (the base system, the kernel, or a package that really must live on the host), rpm-ostree is the tool to use.

Please note that changes made with rpm-ostree do not take effect until you reboot: they are written to a new, staged deployment while the running system stays untouched.

You can install software with rpm-ostree (the package is layered on top of the base image), but it is usually preferable to use Flatpak or Toolbox: the base system stays identical to what Fedora ships, there is nothing extra to carry across upgrades, and no reboot is needed.

rpm-ostree status                 # show the booted and previous deployments, their signature and layered packages
sudo rpm-ostree install htop      # layering a package with rpm-ostree should be a last resort
sudo systemctl reboot             # each rpm-ostree operation needs a reboot to take effect
sudo rpm-ostree rollback          # make the previous deployment the default for the next boot
sudo systemctl reboot
sudo rpm-ostree remove htop       # remove a layered package
sudo systemctl reboot
sudo rpm-ostree upgrade           # fetch the latest commit of the current branch
sudo systemctl reboot
ostree refs                       # list the refs present in the local OSTree repository
# Upgrade Fedora Silverblue to a new release
# https://docs.fedoraproject.org/en-US/fedora-silverblue/updates-upgrades-rollbacks/#upgrading
sudo rpm-ostree upgrade           # be up to date on the current release first
ostree remote refs fedora | grep silverblue | grep "$(uname -m)"   # list the Silverblue branches available for this architecture
sudo rpm-ostree rebase fedora:fedora/40/x86_64/silverblue          # <- switch to the newest Fedora release

Every operation you perform with rpm-ostree results in a new deployment (an OSTree commit checked out next to the current one). If an update or a layered package causes problems, you can simply boot into the previous, known-good deployment from the boot menu or with rpm-ostree rollback. By default only the current and the previous deployment are kept; a deployment you want to keep around longer can be protected from garbage collection with ostree admin pin. The Fedora commits are GPG-signed and rpm-ostree verifies the signature before deploying them; the GPGSignature line in rpm-ostree status shows which key signed each deployment.

This makes updating and upgrading your system safe and very easy!

Please note that rpm-ostree operations do not affect software installed with Flatpak or Toolbox: Flatpaks live under /var/lib/flatpak (or ~/.local/share/flatpak for per-user installs) and toolbox containers under ~/.local/share/containers, both outside the OSTree-managed /usr, so they survive upgrades and rollbacks unchanged.
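Because every deployment records which remote it came from, whether its base commit is validly signed, and which packages were layered on top, rpm-ostree status is the place to check that the image you are running is still the one Fedora signed. The script below is an added example, not code from the Fedora documentation or from rpm-ostree: it reads the text that rpm-ostree status prints and summarises each deployment on one line, flagging any deployment whose signature is missing or invalid. The status samples are constructed to follow that layout; the refs, commits and key fingerprint in them are placeholders.

```shell
# Added example: summarise `rpm-ostree status` output, one line per deployment,
# and fail if any deployment lacks a valid GPG signature from its remote.

# Constructed sample following the layout rpm-ostree status prints
# (commit hashes and key fingerprint are placeholders).
SAMPLE_STATUS='State: idle
Deployments:
● fedora:fedora/40/x86_64/silverblue
                  Version: 40.20240506.0 (2024-05-06T00:39:05Z)
               BaseCommit: 1111111111111111111111111111111111111111111111111111111111111111
             GPGSignature: Valid signature by AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
          LayeredPackages: htop

  fedora:fedora/40/x86_64/silverblue
                  Version: 40.20240505.0 (2024-05-05T00:41:12Z)
               BaseCommit: 2222222222222222222222222222222222222222222222222222222222222222
             GPGSignature: Valid signature by AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
'

# Same layout, but the booted deployment was rebased onto an unsigned ref
# (for example a local or third-party remote without gpg-verify). Constructed.
SAMPLE_UNSIGNED='State: idle
Deployments:
● mylocal:custom/40/x86_64/silverblue
                  Version: 40.20240506.0 (2024-05-06T00:39:05Z)
               BaseCommit: 3333333333333333333333333333333333333333333333333333333333333333
             GPGSignature: (unsigned)
'

# summarize_deployments: read `rpm-ostree status` text on stdin and print
#   <booted|previous> <ref> version=<v> layered=<pkgs|-> signature=<ok|UNVERIFIED>
# Exit status 1 if any deployment is not validly signed.
summarize_deployments() {
    awk '
        function flush() {
            if (ref == "") return
            sigstate = (sig ~ /^Valid signature/) ? "ok" : "UNVERIFIED"
            if (sigstate != "ok") bad = 1
            printf "%s %s version=%s layered=%s signature=%s\n", (booted ? "booted" : "previous"), ref, ver, (layered == "" ? "-" : layered), sigstate
            ref = ""; ver = ""; sig = ""; layered = ""; booted = 0
        }
        # A deployment header is "● <ref>" (booted) or "  <ref>" (not booted);
        # the indented "Key: value" lines that follow belong to it.
        ($1 == "●" && NF == 2) || ($0 ~ /^  [^ ]/ && NF == 1) {
            flush()
            booted = ($1 == "●")
            ref = $NF
            next
        }
        $1 == "Version:"         { ver = $2; next }
        $1 == "GPGSignature:"    { sig = $0; sub(/^[ \t]*GPGSignature:[ \t]*/, "", sig); next }
        $1 == "LayeredPackages:" { layered = $0; sub(/^[ \t]*LayeredPackages:[ \t]*/, "", layered); next }
        END { flush(); exit bad }
    '
}

# check_live_status: the same summary for the system you are running.
check_live_status() { rpm-ostree status | summarize_deployments; }

# Usage on the constructed sample:
if printf '%s' "$SAMPLE_STATUS" | summarize_deployments; then
    echo "every deployment carries a valid signature from its remote"
else
    echo "WARNING: a deployment is not validly signed; check its origin before trusting it"
fi
```

A non-empty layered= column tells you how far the host has drifted from the stock image (and what you will have to carry through the next rebase); a signature=UNVERIFIED line means the base commit was not verified against the remote's key and deserves a look at where that deployment came from.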

Understanding Silverblue

To understand Fedora Silverblue's file system layout, let's look at the root directory /:

ls -l /
# Displays this:
# total 48
# lrwxrwxrwx. 5 root root 7 Feb 7 00:19 bin -> usr/bin
# drwxr-xr-x. 7 root root 4096 May 5 10:35 boot
# drwxr-xr-x. 21 root root 4300 May 6 18:00 dev
# drwxr-xr-x. 1 root root 4106 May 5 13:40 etc
# lrwxrwxrwx. 5 root root 8 Feb 7 00:19 home -> var/home
# lrwxrwxrwx. 5 root root 7 Feb 7 00:19 lib -> usr/lib
# lrwxrwxrwx. 5 root root 9 Feb 7 00:19 lib64 -> usr/lib64
# lrwxrwxrwx. 5 root root 9 Feb 7 00:19 media -> run/media
# lrwxrwxrwx. 5 root root 7 Feb 7 00:19 mnt -> var/mnt
# lrwxrwxrwx. 5 root root 7 Feb 7 00:19 opt -> var/opt
# lrwxrwxrwx. 5 root root 14 Feb 7 00:19 ostree -> sysroot/ostree
# dr-xr-xr-x. 394 root root 0 May 6 18:00 proc
# lrwxrwxrwx. 5 root root 12 Feb 7 00:19 root -> var/roothome
# drwxr-xr-x. 49 root root 1280 May 6 18:10 run
# lrwxrwxrwx. 5 root root 8 Feb 7 00:19 sbin -> usr/sbin
# lrwxrwxrwx. 5 root root 7 Feb 7 00:19 srv -> var/srv
# dr-xr-xr-x. 13 root root 0 May 6 18:00 sys
# drwxr-xr-x. 1 root root 74 Feb 7 00:19 sysroot
# drwxrwxrwt. 23 root root 500 May 6 18:19 tmp
# drwxr-xr-x. 1 root root 174 Jan 1 1970 usr
# drwxr-xr-x. 1 root root 228 May 5 13:40 var

We can see that /home, /mnt, /opt, /root and /srv are symbolic links into /var (/var/home, /var/mnt, /var/opt, /var/roothome, /var/srv), and that /bin, /lib, /lib64 and /sbin are symbolic links into /usr. Everything that is part of the OS image lives under /usr; everything mutable lives under /var (or /etc).

Now, let's look at all the volumes mounted on our system:

mount

This command lists every mount. Here's what you might see:

...
/dev/<disk> on / type ext4 (rw,relatime,seclabel)
/dev/<disk> on /usr type ext4 (ro,relatime,seclabel)
...
/dev/<disk> on /var type ext4 (rw,relatime,seclabel)
...

In the output, /usr, which houses the binaries (/usr/bin) and libraries (/usr/lib), is mounted read-only. This is the fundamental attribute of Fedora Silverblue's immutable design: the OS image cannot be altered in place, only replaced by a new deployment. Conversely, /var is mounted read-write: it holds the system logs (/var/log), the Flatpak installation, the containers and, behind the /home symlink, the user data. /etc is writable too; OSTree keeps the default version of every file in the deployment and merges your local changes into the next deployment on upgrade (ostree admin config-diff shows what you changed).

That's why the system can't be modified casually:

sudo touch /bin/hello
# touch: cannot touch '/bin/hello': Read-only file system
# Even with "sudo", we can't modify system directories! 😮

Keep the threat model straight, though: the read-only mount protects against accidental change and drift, not against a privileged attacker. Root can make /usr writable for the current boot with rpm-ostree usroverlay (or ostree admin unlock), and any such change is discarded at reboot. That is good for recovery, but it also means a compromise of root can still alter the running system. What immutability gives you is a known-good image to boot back into and an easy way to tell what was changed.
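Because a writable /usr is exactly what appears after rpm-ostree usroverlay or ostree admin unlock (both replace the read-only mount with a writable overlay until the next reboot), the mount state is a cheap integrity signal worth checking. The script below is an added example and not part of the page or of Fedora: it reads mount output in the format shown above and decides whether /usr is in its expected read-only state. Both mount listings are constructed samples (device names and overlay options are placeholders).

```shell
# Added example: decide from mount(8) output whether /usr is read-only as
# expected or has been unlocked into a writable overlay.

# Constructed samples in the format `mount` prints.
SAMPLE_STOCK='/dev/sda3 on / type ext4 (rw,relatime,seclabel)
/dev/sda3 on /usr type ext4 (ro,relatime,seclabel)
/dev/sda3 on /var type ext4 (rw,relatime,seclabel)'

# After `rpm-ostree usroverlay` / `ostree admin unlock` (overlay paths are placeholders).
SAMPLE_UNLOCKED='/dev/sda3 on / type ext4 (rw,relatime,seclabel)
overlay on /usr type overlay (rw,relatime,seclabel,lowerdir=/usr,upperdir=/var/tmp/usr-ovl/upper,workdir=/var/tmp/usr-ovl/work)
/dev/sda3 on /var type ext4 (rw,relatime,seclabel)'

# usr_mount_state: read mount output on stdin and print one word:
#   immutable  /usr is a read-only, non-overlay mount (expected)
#   unlocked   /usr is writable or backed by an overlay
#   missing    no separate /usr mount was found
# Exit status 0 only for the expected "immutable" state.
usr_mount_state() {
    awk '
        $2 == "on" && $3 == "/usr" && $4 == "type" {
            found = 1
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            ro = 0
            for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
            state = ($5 == "overlay" || !ro) ? "unlocked" : "immutable"
        }
        END {
            if (!found) state = "missing"
            print state
            exit (state == "immutable" ? 0 : 1)
        }'
}

# check_live_usr: the same check against the running system.
check_live_usr() { mount | usr_mount_state; }

# Usage on the constructed samples:
if printf '%s\n' "$SAMPLE_STOCK" | usr_mount_state; then
    echo "/usr is read-only as expected"
fi
if ! printf '%s\n' "$SAMPLE_UNLOCKED" | usr_mount_state; then
    echo "/usr is writable: a usroverlay/unlock is active or the mount was changed"
fi
```

The state resets at reboot, so a check like this only catches an unlock while it is in effect; pair it with rpm-ostree status to confirm the deployment you rebooted into is the signed one you expect.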

We can check information about our filesystems:

df
# /dev/<disk> -- mounted on -- /sysroot

On Fedora Silverblue, /sysroot is the physical root filesystem of the disk. It contains the OSTree repository (/sysroot/ostree, also reachable as /ostree) and every deployment; the / you see when booted is one of those deployments, mounted on top of it.

My opinion and conclusion

Immutable distributions represent a substantial shift in how we manage and maintain systems. By adopting immutability, we get a base system identical to what the distribution shipped, atomic and reversible updates, and applications kept apart from the OS, which together significantly enhance the security, reliability and stability of our systems.

Here are some of my personal observations from using Fedora Silverblue for over a year:

In conclusion, Fedora Silverblue, with its immutable distribution, offers a robust, reliable, and versatile platform that caters to a wide range of users, from developers to everyday users. 😊
