This post is part of my “Immutable Linux” post series I have planned.
This one here is the first of (probably) three posts in total. It should provide you an introduction into this topic, debunk some myths, give you an overview into different concepts, and maybe a slight hint into Linux’ future.
If you’re after a super complicated expert-level post, you’re wrong here, sorry.
I want to keep it simple and, because of that, I’m gonna “lie” a few times in this writeup to keep everything understandable for everyone, including Linux newcomers.
The post will be a bit longer to read.
I know, that not everyone has the time for that, so here’s a
TL;DR:
- Immutable distros are the future and totally underrated!
- Don’t call them immutable - you can still change and customize them to your liking.
- They have A LOT of pros compared to traditional systems - less bugs, better security, they’re almost indestructible, and more!
- Maybe check out Fedora uBlue. It’s the most sophisticated image distro out there right now. But its’ contenders aren’t sleeping too and will be interesting too in the future.
- They are still pretty new, which might be a problem right now regarding compatibility and spread of use.
1. Introduction
I. What is an immutable distro?
The term “immutable” is very unfitting in my opinion. Why? Because those kind of distros are, in fact, changeable. They just require a different approach than traditional ones (e.g. Arch, Linux Mint, etc.). But more onto that later. I prefer the term “image based” or “atomic”, not only because that’s more fitting, but also because it doesn’t imply inherent restrictions.
II. How do they differ from traditional distros?
Image-based distros (IBD from now on) are a pretty new concept, that heavily relies on many new technologies from the recent past, especially containerization and new partition systems.
Their main differences, compared to traditional mutable distros (TMD from now on), are:
- Restricted file system: most parts of the OS are locked down and not changeable as easily, at least from a side level. Of course, you still have sudo rights and “own” your device.
- For the end user, there’s now an easy distinction between “your” stuff (photos, configs, some applications, etc.) and “the rest of the system”, which, in short, only exists to make your computer running. Use your Android phone as example. You don’t notice many restrictions there too and it hides the complex stuff successfully for normal users. Rooting has become a thing of the past for most users and everything works as it should.
- Atomic changes: your system gets either changed completely, or not at all when upgrading. If the power gets lost while updating, you won’t end up with a half-upgraded OS in the end. It will just boot into the same state as before. With every transaction, it basically “copies” the source image and applies it to yours, so it will be the same.
- They are based on a clearly defined, centralized setup.
Imagine it like how McDonald’s works. There are thousands of restaurants in one country, but they all have the same recipes in common. This results in every burger tasting the same around the country, no matter where you are. Every process is heavily regulated, documented and supervised. It’s a very rigid system. In contrast, TMDs are very wobbly. They change all the time. Many programs write somewhere, whereever they want, into the root file system, updates add and remove stuff, and so on, and so on. Imagine every cook at McDonalds now decides to freestyle his burgers. In the beginning, they may taste the same as before. But then, he adds more and more mustard, forgets the salad, and after some time, the burger isn’t recognisable anymore, and no one knows why. This is called package drift, and I’ll tell you why that’s bad in the next paragraph.
III. Advantages
Package drift
Package drift is a developers’ nightmare.
Did you ever notice, how, after some time, may it be weeks, months, or years, your Linux install or programs become ever so slightly less reliable? Freezes here, memory leaks there, crashed programs, and so on. It’s because of the point explained above.
Even, if you use a TMD just like you would an IBD (everything via Flatpak, no root usage, etc.), you still change the underlying system all the time due to updates and executed apps. You have one starting point, and after some time, it won’t be the identical to the install from someone else, even if you used the PC exactly the same.
Realistically, this usually isn’t a huge problem to be fair. Package managers are great and you will barely notice it, at least in the beginning. But after some time, the state diverges too much and you’ll run into problems. The most notable one:
“It works on my PC. Issue closed.”.
I’ve used KDE again and again from time to time for example. Usually, on the normal Fedora KDE variant, installed via a clean reinstall. The first weeks were fine - and then came the Krashes. Every time. I used it now for quite some time on Fedora Atomic, and I encounter almost no bugs at all! Same with other software. Barely any bugs or crashes.
Security
The first reason why IBDs are more secure is the point from above. If there are the same loop holes on every install, the devs can reproduce it and fix it immediatelly.
Software not being able to modify the whole file system is also a huge plus.
Because you usually work with restricted containers, you can define permissions for each program, at least with Flatpaks.
Ease of use
They often feel like a great hotel room. You know, it is being cleaned by the staff and you don’t have to make the beds or care for other stuff. Updates are usually (if you want) being taken care of automatically without the user having to press a button or restart. If you shut down your PC anyway, like you always should after a few days at least, you boot into the updated image.
The “your stuff” and “the rest” explaination from above also applies here. Especially newcomers don’t need to learn what every part of the Linux OS does, because they won’t even touch it anyway.
Many images also come pre-made with baked in drivers, e.g. for Nvidia GPUs, Asus hardware or Microsoft Surface devices. No fiddling required! Because the drivers are already part of the image, they are usually more reliable than if you would install them on another distro. If there’s something broken, it will be broken for everyone, and the devs can fix it instantly. In the meantime, you can just roll back and have an always working system.
Reliability
You’ll always have a working OS. They are known to be almost indestructible, both from user errors, and bad updates.
If you still manage to fuck it up, you can just boot into the image from yesterday, and it will be exactly in the same state as back then.
This doesn’t work like Snapper (from OpenSuse Tumbleweed) for example, where you have to restore a certain config, and even then, it might still not work. It’s more like a second/ third parallel installed OS next to your current one, which only share the user data between them, and in which you can just boot into in seconds, just like when dual booting. I had to make use of that a few times, and it always worked reliably. Restoring backups, e.g. on Tumbleweed, on the other hand, often didn’t work for me and I had to reinstall my system.
The Atomic-Update point from above also applies here, if you have an unsteady power supply, pets, or whatever.
They feel cleaner
All your data are in one place, and not scattered around the system.
You will work in containers a lot, which will also make organisation easier. Look at my Distrobox-post for more information.
It’s basically like using drawers instead of cluttering your whole apartment with stuff.
Distrohopping made easy
Due to how the file system is build, you can easily swap out “the OS”-part with something else, while keeping your user data.
If I’m on Fedora Silverblue (Gnome) for example, I can just rebase to Kinoite (KDE) in less than 10 minutes. It is like a clean reinstall without any weird dependencies or leftovers. I just did that today again because I just can’t decide…
You can also choose between many other DEs and TWMs too if you want.
IV. Limitations and cons
Container workflow
While you usually can install packages the traditional way (e.g. via rpm-ostree layering on Fedora Atomic) on most distros, it is usually not recommended and should only be reserved for TLP or your printer driver for example. If you decided to do that, you have to reboot each time you install something, which obviously sucks!
Because of that, you work with containers. The most common one is Flatpak. They cover 99,9% of your needs for every graphical app and are easily installable via software center.
Other common ones are Distrobox/ Toolbx and Nix, especially for CLI tools.
They all sometimes don’t work everytime as intended. For example, I still have to fix a Flatpak permission from time to time, and other commenters said they still have some problems getting specific programs working in Distrobox. But, to be honest, I never encountered software that didn’t work on my OS yet, with the exception of a VPN client, which should be fixed by now.
Too new
The concept and spread of IBDs is not yet fully matured. They work wonderfully, don’t get me wrong. But, there are still some minor rough edges and potential to uncover.
That’s not being me just a fanboy and saying it’s “just some minor problem here and there”, while it is infuriating in reality, no. It’s literally only super minor stuff that is fixed easily.
For example, I encounter some programs that could work absolutely fine, but just spit out errors because of a missing link, e.g. it wants to access /bin/, but the OS only has /var/bin as example.
It’s great to see devs now knowing about this issue and trying to fix them.
The biggest problem is the lack of documentation and spread. There are just sometimes minor issues you have to fix yourself, because it doesn’t apply to other distros and you can’t find a solution online.
And this is the main reason I don’t recommend every super new user to check out IBDs yet, because of the lack of support. Not, because they don’t work fine. They do. Better than normal ones imo. It’s just because if they google something, they want to apply the guide for Ubuntu to their own system, and that won’t work. They can’t think of a workaround due to the lack of experience. This is why. Wait 1-2 years, and it should work completely fine.
For people I can help physically, I would do it without any doubt.
2. Misconceptions debunked
You can’t change anything and they aren’t customizable
They are just as customizable as traditional distros. You just have to do that differently. Instead of trying to change them from a bottom-up-approach, you have to change the image itself and then apply the changes. This sounds more complicated than it is. On Nix, you just change a few lines in your config and then reload, and on uBlue it’s even easier!
They aren’t user friendly
In my opinion, they are even more user friendly than classic ones. They only appear so, because they are different from what we learned over the last years.
I would even go as far as saying that VanillaOS or Silverblue have the potential to “replace” Mint, especially if all they wanna do is consume media and play some games. See a few lines above why I think it isn’t the time for that yet.
They’re a dumbed-down OS
They’re as complicated and capable as you wish. It’s still Linux, don’t forget that.
ChromeOS or Android can be considered dumbed down, yes. Fedora Silverblue is the same OS as Workstation on the surface, you wouldn’t notice a difference first at all. And NixOS is one of the most capable and complicated distros out there. They’re very diverse and have different philosophies and tech under the hood!
They will take away my distro of choice!
No one will. There will always be at least one other person who likes Arch just as much as you do. It’s still Linux and FOSS. It will replace some use cases where it makes sense, and it will go under in others where it doesn’t. Only time will tell.
And even if they replace your distro of choice, it would be a slow and welcome transition, similar to Wayland over the last years.
3. Small overview over different distros and concepts
Fedora Atomic
With that I mean the “immutable” Fedora variants, like Silverblue, Kinoite, and so on. They only differ by their DE.
In my opinion, Fedora Atomic is the most refined one currently. It uses a version-archiving package manager (often gets called “git-like”), that documents and stores changes like the branches of a tree. Hence its’ name OSTree.
You can “layer” packages with rpm-ostree, which allows you to use software from the normal Fedora repository, while keeping the base system unchanged.
The coolest thing about it is a project called universal-blue.org. With uBlue, you can create images yourself and basically create your own distro, with the main plus that you don’t have to maintain it for security or other updates, because it does that itself.
If you’re missing Hyprland for example in the list of available images, you can just create your own setup with it and publish it there for others to use.
uBlue provides OOTB-usable vanilla images with drivers, codecs and some QOL-changes baked in, because the official Fedora image isn’t allowed to ship them by default.
The main pro-point is that, as example, the Nvidia-driver is already baked in and won’t break. And if it does, it will on thousands of other installs, and the devs can fix it extremely quickly.
There are many community spins and variants, for example one with the Deepin DE, a hardened variant for better security, and much more!
Bazzite, also a community image, is the best alternative to SteamOS and Nobara. It has the same pros as Nobara, without the problems of security or instability due to only one developer. Best gaming distro out there!
NixOS
“The new Arch”. It’s considered to be one of the most complicated, but also extremely powerful distro and should only be used by experts according to some, or it will lead to frustration.
It also has a great packaging system called “Nix”, which can be used on any other distro, and even MacOS!
It’s known to be the king of reproducability, since the whole config is written in just one single text file.
OpenSuse Atomic
Once called MicroOS Desktop in general, it’s now split between Aeon (Gnome), MicroOS (headless base) and Kalpa (KDE). It works a bit differently than Fedora Atomic, but currently, it’s in its’ infant shoes and isn’t as commonly used yet.
VanillaOS
It’s supposed to be a next-gen Linux Mint. Same principle of stability, reliability, user friendliness and simplicity, but with a different way of achieving that.
It’s made by the same team that also develops Bottles (for WINE) and currently undergoes heavy development. It will be based on Debian instead of Ubuntu soon and only offers the Gnome desktop right now. It, and OpenSuse Atomic, use the concept of A/B-Root, which is also used by Android.
I will keep an eye on it and maybe, in some time, recommend it to noobs instead of Mint. We’ll see!
Others
There are a lot of other ones out there too, like EndlessOS, BlendOS, SteamOS, and more. If you missed them, tell me in the comments!
I just wanted to name the most popular or promising ones.
Future
There’s the saying of “The future of Linux is immutable”. I think that’s right.
There are so many great things image based systems do better than our current traditional ones. It’s fascinating what new possibilities will arise soon. The clean rebasing to custom images for example is only the start!
I think they are great for both newcomers, due to simplicity and reliabiltiy, aswell as experts.
I can only see those minor rough edges being polished in the next 1-2 years. Flatpak and Wayland for example used to be in the same spot just 2 years ago, and now, they’re a staple of the Linux desktop.
Everyone should at least take a look into them in my opinion!
You have got to be the biggest promoter of immutable distros on lemmy.
Good job though. While there are some pain points with immutable distros, i feel they are great for the casual users who will just browse the web, play some games and maybe do some document reading and editing.
You have got to be the biggest promoter of immutable distros on lemmy.
I unironically think I might be that. One of the main reasons I wrote this post is to just send it as “read further” option when I recommend uBlue in every second thread.
If I wouldn’t post other stuff, one might think I am a bot or something 😅
i feel they are great for the casual users who will just browse the web, play some games and maybe do some document reading and editing.
Yes, as one partial group. If you don’t use your PC to its full potential, you won’t run into problems. 90% is web based anyway.
Right now, they are super interesting especially for early adopters and experienced users. For the middle ground user, e.g. if you researched for Linux yourself but don’t have much experience otherwise, you might run into some problems that require other people to help you or a bit of research on forums.
But I don’t think that will happen anyway and I still would recommend it to most people.I overshare my Nix setup at the slightest hint it could be relevant and I also feel like I’ve shilled Bazzite at least once basically every week or so ever since I created this account, but I guess I’ll settle for second place 😛
Joking aside, thanks for sharing, that was a great read. Good for newcomers and skepticals alike IMO, I’ll keep it handy!
Nice writeup!
Only thing is:
If you decided to do that, you have to reboot each time you install something, which obviously sucks!
You don’t have to reboot if you use the
--apply-live
switch, but of course, you’d still need to reboot for something like a kernel update. And of course, I wouldn’t recommend layering packages either, unless there’s no other alternative.Thanks!
Yeah, of course you’re right. As I said in the beginning, I had to lie a bit for simplification.
But, rebooting is the recommended way to keep everything running buttery smooth. I personally also recommend just sticking to the usage guidelines, since you don’t have to layer any stuff on regular basis. Just rebooting and losing one minute once a while is worth it for me. I work in containers anyway, see my Distrobox-post.
The
--apply-live
-tag also only applies to rpm-ostree, not to A/B-root afaik, and I wanted to keep it a bit more general.
“Atomic” is a catchy descriptor! Atomic distros for the Atomic Age! It could be an umbrella term since NixOS and Guix are atomic, but instead of images and partitions they use symlinks, and patch binaries to use full paths for libraries and programs that they reference. So there are image-based distros, and I guess expression-derived distros which are both atomic.
I haven’t tried image-based distros. This post fills in some gaps for me. Thanks for the write-up!
Thanks! 🙂
Fedora Atomic also uses symlinks. Basically everything is stored in /var/, including your /home/.
I really recommend giving it a try if you want. My top recommendation is uBlue, either Gnome or KDE. There are also many other images around if you want, depending what you like.
Well ok, they both use symlinks but in different ways. I think what I was trying to say is that in NixOS it’s symlinks all the way down.
IIUC on Fedora Atomic you have an ostree image, and some directories in the image are actually symlinks to the mutable filesystem on
/var
. Files that are not symlinks to/var
(and that are not inside those symlinked directories), are hard links to files in the ostree object store. (Basically like checked-out files in a git repository?)On NixOS this is what happens if examine what’s in my path:
$ which curl /run/current-system/sw/bin/curl $ ls -l /run | grep current-system /run/current-system -> /nix/store/p92xzjwwykjj1ak0q6lcq7pr9psjzf6w-nixos-system-yu-23.11.20231231.32f6357 $ ls -l /run/current-system/sw/bin/curl /run/current-system/sw/bin/curl -> /nix/store/r304lglsa9i2jy5hpbdz48z3j3x2n4a6-curl-8.4.0-bin/bin/curl
If I select a previous configuration when I boot I would get a different symlink target for
/run/current-system
. And what makes updates atomic is the last step is to switch the/run/current-system
symlink which switches over all installed packages at once.I can temporarily load up the version of
curl
from NixOS Unstable in a shell and see a different result,$ nix shell nixpkgs-unstable#curl # this works because I added nixpkgs-unstable to my flake registry $ which curl /nix/store/0mjq6w6cx1k9907vxm0k5pk7pm1ifib3-curl-8.4.0-bin/bin/curl # note the hash is different
I could have a different version
curl
installed in my user profile than the one installed system-wide. In that case I’d see this:$ which curl /home/jesse/.nix-profile/bin/curl $ ls -la /home/jesse | grep .nix-profile .nix-profile -> /nix/var/nix/profiles/per-user/jesse/profile $ ls -l /nix/var/nix/profiles/per-user/jesse profile -> profile-133-link profile-130-link -> /nix/store/ylysfs90018zc9k0p0dg7x6wvzqcq68j-user-environment profile-131-link -> /nix/store/9hjiznbaii7a8aa36i8zah4c0xcd8w6d-user-environment profile-132-link -> /nix/store/h4kkw1m5q6zdhr6mlwr26n638vdbbm2c-user-environment profile-133-link -> /nix/store/jgxhrhqiagvhd6g42d17h4jhfpgxsk3n-user-environment
Basically symlinks upon symlinks everywhere you look. (And environment variables.)
So I guess at the end everything is symlinks on NixOS, and everything is hard links plus a set of
mount
paths on Fedora Atomic.
Thanks! I’m planning to use Bazzite when I get my next laptop and this is very informational. I never knew about Universal Blue but now I think it’s a fantastic resource!
Use your Android phone as example. You don’t notice many restrictions there too and it hides the complex stuff successfully for normal users. Rooting has become a thing of the past for most users and everything works as it should.
This does not inspire confidence. The restrictions imposed on Android’s storage, and the hoops you have jump through to get around them, make using my device more frustrating.
You’re describing a more restricted file system than even Windows has.
It was only to show that you don’t need root access to get a working device.
As I said, I had to lie a bit so that everyone gets my point.If you know how Android’s storage system works in every detail, you’re not the demographic I had in my mind.
The post is mainly to get a rough understanding, not to nitpick on every detail.
I wanted to like it and I tried it over and over but I could not for the life of me get opensuse aeon or kalpa to work on my desktop when tumbleweed works perfectly. As soon as I installed the Nvidia drivers it went belly up and I couldn’t find help online.
I’m still new to Linux so I’ll accept that I need more experience but I can’t help but feel like a degree in computer science is a recommended prereq for this stuff since there just doesn’t seem to be solid documentation to get you through it.
That experience made me take microos off my server and put in proxmox instead.
When I installed Tumbleweed not so long ago, I also had problems. The installer is notorious for giving you an unusable system sometimes, even when using the defaults.
Don’t worry mate!
Sometimes, things are not as user friendly as they should be, it’s not your fault. I started without any knowledge or IT background only 3 years ago too and you will get the hang of it soon.
And don’t fixate too much on what “you’re supposed to use”. Only because image-based OSs are hip now, doesn’t mean Mint or whatever else is useless.When I installed Tumbleweed not so long ago, I also had problems. The installer is notorious for giving you an unusable system sometimes, even when using the defaults.
I have been running Tumbleweed “stock” on my desktop for about 10 months now and truth to be told I never had a problem with it, including updates. Rock stable with a nice snapshot feature as a safety net.
That’s why I’ll wait to install Kalpa on the desktop. Just no reason for it.
I have of course run into bugs but those came from KDE. Can’t really blame Tumbleweed for those.
In fact, Tumbleweed is the reason I went all in with Linux and ditched dual booting Windows, as I had been bit pretty hard early on my linux journey with other distros and made me think twice using Linux as a daily-reliable-driver.
I absolutely believe you. I also had a good experience with it, besides from the few paoercuts of running a bleeding edge distro.
I just have many power-cuts and sometimes, my PC went off when updating or was in a state of not being able to power on.
Also, updating this huge amount of data every week is just not the best choice for my bandwidth.Yeah, maybe Slowroll is better for for that kind of bandwidth limitation. It is still pretty fast paced in the update department.
Looking forward to Ubuntu Core Desktop.
Canonical: “Hey, I’ve heard you all hate Snaps.”
Community: “Yeah, they suck! Use Flatpaks and other technologies instead, like everyone else.”
Canonical: “Alright. Here’s a whole distro with Snaps at its’ base. You’re welcome!”
Community: “…”Can’t build an OS out of flatpaks. ducks
Great post! Very informative! I have tried to install Kinoite but it’s tricky to do with partitions. I currently have all my data/files on a big partition and install the system in a different one, and I can’t seem to install Kinoite without “formatting” the disk. Will do in the future for sure!
Yeah, that’s what I’ve heard too. Right now, dual booting seems to be hard too on the same drive. I think it’s because if the unusual disk layout.
Thank you for taking the time to write all this, I’ve been interested in immutable desktops for a while, and this was probably the best overview of them that I’ve seen to date!
deleted by creator
Same for me!
I didn’t want to include my own experiences, but I’m also a “noob”.
I never worked in IT and only try new things, like Linux, Android custom ROMS, selfhosting, and more, because I just enjoy it.
But in the end, I just want a modern and reliable system that doesn’t get into my way.I will include that information in my next post tho, where I wanna show that this technology is usable by everyone, even a dumbass like myself.
I even had the same problem with the MullbadVPN-app, where I just gave up in the end and used the Wireguard protocol implementation from Gnome.
deleted by creator
Immutable distros sound great for desktop users, distro hoppers, and system admins maintaining a fleet of desktop Linux machines in the wild. They sound more than a little annoying for homelab server users that mostly interact with their machine via the terminal and are more likely to want to run unpopular software on unpopular hardware in a niche distro.
Actually that is exactly what I’m looking to do for my upcoming home server - configure and define everything via NixOS so that I can almost instantly reprovision it should I have to (restore from backup on hardware issues, recover from borked software upgrades, etc).
Setting up solid backups is important to me, so I plan to bake the full setup into the configuration. That allows me to test everything in a VM first and then apply it all with a simple GIT fetch and rebuild once I commit to hardware.
It’s aspirational so far, but the more I read the more sense it makes to me. My own desktop won’t be far behind if all of that works…
I’m barely rebuilding my server once a decade, so that’s all pretty irrelevant. I do use docker a bunch for programs I’d never interact with in the terminal, but that’s not really my issue with immutable; it’s flatpaks and the CLI, bash wrappers or aliases and all that noise. Too much trouble till they sort that out better.
Not at all in my opinion!
I also have a home server and execute more niche software.Doing both is absolutely no problem, due to containers. I will add you my recent post about Distrobox below, so you don’t have to search for it.
Once you notice, that I can run every software I want, including stuff from the AUR, you pretty much never feel any limitations.
Using your default package manager is so old school 😁
Edit: here’s the link to my post
https://feddit.de/post/8018330
Even in the other way around, I’m thinking about using CoreOS or MicroOS (both image-based headless distros) for said server, in case I need to rebuild it.
There too you only use Docker or Podman, which is a reason why even that should be no problem at all.
That just would give me the guarantee that it works all the time.Cool so you didn’t really get what I was saying.
deleted by creator
Check out cleanroom: https://github.com/cleanroom-team/cleanroom
It’s what I use for a stable and immutable system
I really like your posts; thank you.
Can you help me understand how atomic distros work when you need to, for example, install a small script which is unsupported in the packaging, but takes liberties by creating folders or assuming some kind of file structure?
I have never used a image based distro in my life, but there is one thing I understand but don’t really understand at the same time.
Can I or can I not install stuff from the terminal? Like exa, zsh and so on…
Like what everyone says is “Use Flatpak” but that doesn’t cover terminal use at all, so I’m left confused.
Yeah, of course you can!
- You either have the ability to install it on your host directly (e.g. layering it via rpm-ostree to use the Fedora repos). This is usually not recommended, for Fedora Atomic for example, this hugely increases the update times and should only be used for drivers or if something doesn’t work otherwise.
- Or you use Distrobox/ Toolbx for that. Here’s a link on a post I made recently: https://feddit.de/post/8018330
thank you, I think I’ll install a atomic distro as my first distro now. I like the fact that it’s hard to break but still gives the full Linux experience
Is Solus an image based distro?
No