Linux distributions are known for their robust security. But, like any powerful system, a Linux system can still be compromised. Immutable Linux distributions take a different approach and enhance your operating system’s security even further by keeping the system read-only.
If you’re also interested in trying out an immutable Linux distro, this roundup will show you the top ones you can try now. So, without further ado, let’s see what each of these distros has to offer.
1. NixOS
Starting our list, we have NixOS, an innovative distro with declarative and reproducible system configurations.
NixOS is built from scratch. That means it’s not based on any distro. It’s quite stable because it creates a ‘new generation’ every time you install or upgrade software. Not only is it hard to break something, but even if something breaks, you can fall back to a previous generation.
NixOS uses the Nix package manager. There are over eighty thousand available packages. So you’ll find the most common software.
This distro makes it easy to create tailored configurations in a file and use it on other computers to reproduce the same environment. So you can replicate your system on many devices with just one file.
You can start with NixOS by downloading the package manager or an ISO file.
2. Vanilla OS
Vanilla OS is an immutable distro offering users a stock (or vanilla) GNOME experience. Initially, it was an Ubuntu-based distro. But in a later release, they switched to a Debian Sid base. Much like NixOS, Vanilla OS takes some unique approaches.
It has a new sub-system or package manager named Apx. Apx manages one or more containers. When you install software, you install it inside these containers, limiting the risk of breaking anything.
The ABroot technology in this distro allows you to change your system safely. No change is made if something goes wrong, and you can return to the previous state.
Another interesting tool is the Vanilla System Operator. It’s a smart updater that first checks the conditions of your device usage and only updates if everything looks okay.
Check out Vanilla OS and their get-started guides if you want to try it.
3. Fedora Silverblue
Silverblue is the immutable spin for Fedora Workstation. If you’ve used Fedora before, you’ll have a similar experience with some changes.
Fedora Silverblue is reliable and stable because all containers and applications are separated from the host system. This also adds to it being suitable for containers and software development.
Silverblue uses atomic updates, which means the update will not take place if something bad happens, ensuring your computer works perfectly. It uses Flatpak for installing graphical applications.
You have Toolbx, which makes it easier for developers to develop and troubleshoot in interactive command-line environments instead of using the host.
Get Fedora Silverblue to learn more about it.
4. Endless OS
Endless OS is a Debian-based Linux distribution. One of its main selling points is that it works perfectly without an internet connection. That is, the built-in tools are offline-capable.
Endless OS has 1800+ pre-installed apps and promises a more smartphone-like user experience. It’s more geared toward people who have little technical knowledge.
It has a dedicated app center to install and update your software. It contains all the daily-driver Linux apps and software from other OSes, making it useful for people who need non-Linux software on a Linux system.
Endless OS uses GNOME and has an elegant look and feel to it. With features like parental control and a bunch of learning apps such as Kolibri, it could also be a good Linux distribution for children.
Get the current version, Endless OS 5, to see if you like it.
5. openSUSE MicroOS
MicroOS is openSUSE’s immutable version of Linux. It’s available for both servers and desktops. The desktop versions are commonly known as openSUSE Aeon (the GNOME version) and openSUSE Kalpa (the Plasma desktop version).
It follows all the immutability philosophies. Nothing is altered during runtime. There is no need for configuring single instances in runtime.
MicroOS uses transactional updates, which let you use your hard disk space efficiently by using BTRFS with snapshots. You can roll back to an old BTRFS snapshot in case of trouble.
All applications are installed in containers separated from the core filesystem, so malware can’t easily affect your system.
MicroOS updates are secure. If there’s a dependency conflict, the update is stopped. In case of a failed update, the filesystem snapshots get deleted.
Download and install openSUSE MicroOS to get a grip.
6. Talos Linux
Talos Linux is an immutable, secure, minimal distro for Kubernetes from Sidero Labs.
Being hardened and minimal, it’s a secure option for containers and small systems. The API is secured using mutual TLS (mTLS) authentication.
It leaves the primary disk to Kubernetes by running in memory from a SquashFS. There is no shell, SSH, or console. An API takes care of system management.
Talos is prompt in serving the latest versions of Kubernetes and Linux, allowing you to boost your agility. You can start by creating a Talos cluster inside Docker in a few minutes.
If you’re a developer, consider trying Talos out.
7. Bottlerocket
The Bottlerocket Linux distribution comes from Amazon Web Services. It’s built to run containers and only has the software you need.
Bottlerocket offers better uptime for your container applications. Single-step updates, rolling back when needed, can reduce the number of errors you face.
Supporting only container-centric applications makes it less prone to attacks and makes a case for better resource management.
You can automate Bottlerocket updates using Amazon EKS, a container orchestration service. This can reduce operational costs and maintenance overhead.
You receive 3 years of support covered by the AWS support plans.
You can get Bottlerocket as an Amazon Machine Image (AMI) in Amazon Elastic Compute Cloud (EC2).
Go to their GitHub repo to learn how to use this operating system.
8. blendOS
blendOS tries to unify all popular Linux distributions into one box. It has access to apps from various Linux distros such as Ubuntu, Debian, Fedora, Kali Linux, Arch Linux, and others. It also has native support for Android apps and web apps.
blendOS supports 7 desktop environments, including GNOME, KDE, XFCE, and Cinnamon. You can easily switch between them using the terminal.
Being immutable and atomic, it handles updates in the background without interrupting your usage. No need to reinstall the OS after breaking something.
blendOS offers a YAML file named ‘cadre’ that you can use to store your desktop configurations and containers. You can use the file to take your configurations to other machines and set up everything according to your config.
Both gamers and developers will have a good time with this distro because of its versatile app collection for both kinds.
Check out more about blendOS and try it out.
9. Guix
Guix is a GNU operating system distribution that uses the Linux-libre kernel. It heavily promotes freedom for the users. It offers transactional upgrades and easy rollbacks when necessary. Its declarative system configuration allows you to reproduce build environments.
Guix uses a central tool called ‘guix package’ to maintain packages. You can install, update, and remove packages with normal privileges.
Developers get more control over their build environments. Using the ‘guix shell’ command, you can rapidly set up your development environment without manually installing dependencies.
You can replicate Guix instances on multiple machines, thanks to it being version-controlled. That means you can technically travel in time. Some common fields where Guix is mostly used are software development, high-performance computing, bioinformatics, research studies, etc.
Get more familiar with Guix by installing it on your device.
10. Flatcar Container Linux
Lastly, we have Flatcar Container Linux, a community-driven Linux distribution. It’s built to take care of container workloads. It’s secure, minimal, and up-to-date.
Flatcar Container Linux only comes with the bare minimum tools and software you need to handle container workloads. That means there’s a lesser chance of attacks on your system.
It also minimizes accidental or intentional breaking due to ‘/usr’ being a read-only partition and the OS lacking a package manager.
This distro uses the USR-A and USR-B scheme for updates. There are two partitions: an active one in use and a standby one. During an update, you keep using the active partition while the update is written to the inactive one. After a reboot, the system boots into the partition where the update took place.
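A defender-side check for the read-only ‘/usr’ described above, as an added example that is not from Flatcar or the original article: it parses the /proc/mounts format and compares whole mount options, so `errors=remount-ro` on a writable root is not mistaken for `ro`. The function names, device names and mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a mount point is read-only, using the
# /proc/mounts line format: device mountpoint fstype options dump pass.

# Constructed sample data in /proc/mounts format (not captured from a real host).
sample_mounts() {
cat <<'EOF'
/dev/sda9 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sda6 /usr/local ext4 rw,nodev,relatime 0 0
EOF
}

# mount_state MOUNTPOINT [FILE]
# Prints "ro", "rw" or "absent". FILE defaults to /proc/mounts; "-" reads stdin.
mount_state() {
    mp=$1
    src=${2:-/proc/mounts}
    awk -v mp="$mp" '
        # Exact match on the mount point, so /usr/local never counts as /usr.
        $2 == mp {
            # A later line for the same mount point is stacked on top of the
            # earlier one, so the last match decides the visible state.
            state = "rw"
            n = split($4, opts, ",")
            # Compare whole options: "errors=remount-ro" is not "ro".
            for (i = 1; i <= n; i++)
                if (opts[i] == "ro") state = "ro"
        }
        END { print (state == "" ? "absent" : state) }
    ' "$src"
}

# require_ro MOUNTPOINT [FILE]: exit status 0 only when the mount is read-only.
require_ro() {
    [ "$(mount_state "$1" "${2:-/proc/mounts}")" = "ro" ]
}

# Demo on the constructed sample; on a real host call: mount_state /usr
sample_mounts | mount_state /usr -
```
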
Feel free to check out the current releases to install Flatcar Container Linux if needed.
Which Immutable Linux Distro Should You Use?
This boils down to what you will use the immutable distro for (if you need one).
Each of the Linux distributions we’ve mentioned serves a special purpose. NixOS, for example, is an advanced distribution not suited for beginners. Some of the OSes are best for containerization work. A lot of these options are suitable as daily drivers for your desktop, while others are for servers.
Based on your needs, you can evaluate the distros we mentioned and get started in the world of immutable distros.
This guide introduces some of the most popular immutable Linux distributions you can try now and mentions the unique features each offers. If we missed any noteworthy distro, let us know in the comments.