What is an Immutable OS ?
The definition of the word immutable is “unchanging over time or unable to be changed.”
In computing, “immutable” is most commonly associated with Blockchain, specifically the decentralised ledger that uses cryptographic hashes to protect the data from alteration.
An immutable operating system is a system that, once installed, cannot be modified. All system and application updates must be installed on a separate partition and the system must be rebooted to switch to the updated version. This approach has several benefits. It allows the system to be rolled back to a previous state easily if something goes wrong. With a traditional operating system, updates are often installed in-place, which can introduce new bugs or cause compatibility issues. It makes the system more resistant to tampering and malware, and it simplifies system maintenance. Immutable operating systems are often used in environments where security is a top priority, such as in military and financial systems.
The purpose is to ensure the host operating system is protected from accidental or malicious modifications, which improves security, stability and performance by guaranteeing the integrity of the core system.
This makes security, reliability and performance proactively enforced instead of reactively maintained. It also often provide a highly effective rollback (restoration) capability.
In a more detailled view, we can say that :
Benefit of immutable operating systems is that they are more resistant to tampering and malware. If an attacker gains access to a traditional operating system, they can make changes to the system that may not be easily reversible. With an immutable operating system, the attacker would not be able to make any permanent changes, as the system is designed to resist modification.
Immutable operating systems also simplify system maintenance. In a traditional operating system, system administrators must constantly apply patches and updates to keep the system secure and up-to-date. With an immutable operating system, this is not necessary, as the system is designed to automatically roll out updates and roll back if necessary.
They are inherently more secure, because many attacks and exploits depend on writing or changing files. Also, even if an exploit is found, bad actors cannot change the operating system on disk (which in itself will thwart attacks that depend on writing to the filesystem), so a reboot will clear any memory-resident malware and recover back to a non-exploited state.
Immutable systems are also easier to manage and update: the operating system images are not patched or updated but replaced atomically (in one operation that is guaranteed to fully complete or fully fail — no partial upgrades!
Which Immutable OS distribution to select?
As of today, there are some Linux distributions aiming at creating an Immutable OS, the oldest one being CoreOS, targeting container usages. In a way, we can also consider that containers are some sort of Immutable OS by themselves, adding another layer of security. Each distribution takes its own path to the immutable solution.
The most known distributions are :
- CoreOS, which has been bought by RedHat, no more maintained as-is, but is now part of FedoraCoreOS (aka CoreOS Container Linux ) and included in Openshift. Lightweight Linux distribution designed for use in large and scalable clusters. It uses an immutable file system and runs all applications in containers, which makes it easy to roll out updates and roll back if necessary.
- FlatCar : successor/fork of CoreOS, of all of those, is the one with the less immutable characteristics (the root filesystem is writable, and nodes support SSH ! There are also, Ignition and Afterbrun which run on first boot to setup the node more or less like a puppet/ansible workflow.
- BottleRocket from AWS, makes root (/) read-only and forbids SSH access. It uses the concept of Bootstrap containers to customize the way the node runs. These are containers that are executed by systemd after the node has booted, that have access to the root filesystem and host devices
- Talos from Sidero Lab, makes root (/) read-only and forbids ssh and console access. Each driver should be signed with an ephemeral key link (change each time a new version is built/delivered). Being fully immutable, it requires some extension set up during the node installation or update. In order to effect any change on thoses systems extensions, it has to be re-installed on the node. This encourages (indeed, enforces!) the idea of
cattle-not-petsas in order to add or change to a node via system extensions, the contents of the disk will be wiped and replaced.
- SliverBlue which is a variant of Fedora (and not FedoraCoreOS), and more of a desktop distribution, but with an advantage for those used to container-based software development, because everything is already a container.
- Steam Deck: the Valve next version will be more or less like an immutable OS distribution! Making it probably the first to be so much used/deployed!
- Qubes OS: This is an open-source operating system that uses a security-oriented design to provide strong isolation between different applications and activities. It is based on the Xen hypervisor and uses a combination of virtualization and compartmentalization to achieve its security goals. Qubes OS also has a number of other security-oriented features, such as an immutable root file system.
- Subgraph OS: This is a Debian-based Linux distribution that is designed to be resistant to malware and other threats. It uses a number of security-oriented features, including an immutable file system and a firewall that blocks all incoming network traffic by default. Overall, Subgraph OS is a secure operating system that is designed to provide a safe and secure computing environment for its users. It is particularly well-suited for use in environments where security is a top priority, such as in military and financial systems.
Immutable OS usage
Many uses stem from the security brought by the immutability. There are a few known users of immutable operating systems, including:
- Google: Google uses an immutable operating system for their Kubernetes clusters, to easily create and manage containerized applications.
- Netflix: Netflix uses immutable operating systems for their cloud-based infrastructure, to easily roll out updates and make changes without affecting the underlying systems.
- Amazon Web Services (AWS): AWS offers an immutable operating system as a base image for their Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS)
Flatcar provide an minimal image where the tool need for container are already in. Configuration and so on, are done externally, so that the image can be concidered as an appliance in a way.
One of the usage is the hosting of containers. In this case, Podman seems to be leading. Podman is a daemonless container engine for developing, managing, and running OCI Containers on Linux. Critically, Podman containers can be executed in rootless mode, which reinforces the security model defined as part of an immutable operating system. As a result, podman is considered more secure than Docker as it does not require root access, making it a great choice for running headless/web applications, tools and packages.
As of today, depending on your target. You can choose FlatCar if you want to run containers, as CoreOS is more tighten to Openshift. If you are looking for a very harden OS go for Talos. And, Qube OS or Silverblue if you want this on your desktop.