
Ideas: More stable base, Longterm Kernel, Atomic Structure

Very interesting project! Though, as a Fedora Kinoite user myself, I wonder about the choice a bit.

While Fedora packages and the KDE desktop are great, there are obvious issues here:

Pro

  • up-to-date packages, allowing own maintenance?
  • KDE Plasma as a powerful but traditional desktop
  • established distro as base

Con

  • Fedora is only somewhat independent from Red Hat, a US-based company
  • Fedora is way too "bleeding edge". As a helper in their forums, we come upon kernel issues all the time.
  • The recent kernel is really not ideal. The current LTS kernel would make way more sense and be sufficient for most use cases
  • The dnf package manager is not easy. I have had, and needed to read about, a ton of nontrivial issues that are messy and hard to solve.

Alternative deployment model

image-based (atomic, immutable)

Fedora has begun their "Atomic Desktops", which solve a huge issue with the instability of dnf and the need for frequent updates. The system works really well; updates are more solid than Windows updates, but still faster.

This is done via rpm-ostree but will be replaced with bootc soon. A lack of features can be expected, for example local package changes. So admins would need a local forge, pull down an image, add some things on top, and the clients only sync with that image. Updates would be really fast that way.

NixOS (deterministic)

Alternatively, I have found NixOS, which is more complex and might have specific issues. But it:

  • is deterministic (a few config files, no entropy mess)
  • allows atomic background updates (sudo nixos-rebuild boot)
  • automatically saves prior system versions for rollback
  • abstracts a lot of things into its own language, making many things easier and more centralized
  • by default uses a 6-month stable release, and has packages for the official linux-longterm kernels (unlike Fedora!)

As a beginner, I was able to relatively quickly set up a working system, with the 6.12 LTS kernel, a stable base, a few unstable packages, full disk encryption, systemd-boot and a Wayland-only KDE Plasma desktop!

It was extremely easy, and while there is a learning curve, it is also worth noting that this does not require a server to build images at all. It is all done with a few config files.
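What such a "few config files" setup looks like, as a constructed example added here (not the poster's own configuration): stable channel as the base with a couple of packages pulled from unstable, the 6.12 longterm kernel, LUKS full disk encryption, systemd-boot with generations kept for rollback, Wayland-only Plasma 6, and background updates that only take effect on the next boot. The LUKS UUID, the `helix` package choice and the update times are placeholders.

```nix
# /etc/nixos/configuration.nix (constructed example)
{ config, lib, pkgs, ... }:

let
  # The system follows the stable channel; this import gives access to
  # unstable for the few packages that should be newer than the base.
  unstable = import (fetchTarball "channel:nixos-unstable") { };
in
{
  imports = [ ./hardware-configuration.nix ];

  # systemd-boot on UEFI. Old generations stay selectable in the boot
  # menu, which is what makes rollback after a bad update possible.
  boot.loader.systemd-boot.enable = true;
  boot.loader.systemd-boot.configurationLimit = 10;
  boot.loader.efi.canTouchEfiVariables = true;

  # Official 6.12 longterm kernel instead of the channel default.
  boot.kernelPackages = pkgs.linuxPackages_6_12;

  # Full disk encryption: the LUKS container is unlocked in the initrd.
  # The UUID is a placeholder; the real one comes from `blkid`.
  boot.initrd.luks.devices."cryptroot".device =
    "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";

  # Wayland-only KDE Plasma 6: SDDM itself runs on Wayland and no X server
  # is configured at all.
  services.desktopManager.plasma6.enable = true;
  services.displayManager.sddm.enable = true;
  services.displayManager.sddm.wayland.enable = true;
  services.xserver.enable = false;

  # Atomic background updates: build the new generation and make it the
  # default for the next boot (what `sudo nixos-rebuild boot` does), so the
  # running system is never modified underneath the user.
  system.autoUpgrade = {
    enable = true;
    operation = "boot";
    dates = "03:00";
    randomizedDelaySec = "45min";
  };

  # Flatpak for desktop apps; git from stable, the editor from unstable.
  services.flatpak.enable = true;
  environment.systemPackages = [ pkgs.git unstable.helix ];

  # Keep old store paths from piling up; generations within 30 days remain.
  nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 30d"; };

  system.stateVersion = "25.05";
}
```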

Comparison

A great EU distro, openSUSE, unfortunately has no good "immutable" or "atomic" model. They implement snapshots well, but there is no way to reset a system, or control the state in a deterministic way.

Rock-stable distros like Debian or Enterprise Linux (RHEL, Alma, etc.) may work, but can still introduce maintenance burdens.

Alternative Base Distro

I see Arch and Alpine are discussed. Alpine could have big security benefits, but might have problems running binary packages.

When using rolling distros, packages would need to be delayed and vendored, which is a bit against the goal of not building a distro.

So these would make sense as a base:

  • openSUSE Slowroll
  • NixOS
  • Debian
  • CentOS Stream
  • AlmaLinux, Rocky Linux, Oracle Linux
  • Ubuntu LTS

The easiest is to choose a distro that already bundles a stable packaging system with it. So traditional package-based systems are unsuited.

Here, CentOS Stream (apart from NixOS) is best, as there are HeliumOS (now Aurora-LTS) and Bluefin-LTS, both in the "Universal Blue" project.

They take CentOS Stream as a container image, and add the needed packages on top. All that can be done using podman, anywhere. Basing off CentOS Stream is pretty new, so the images are technically in "alpha". But I have tested them, and they work really well.

Using the official longterm kernel guarantees faster (and less Red Hat-dependent) security backports.

Goal: Replace Windows

If you really want to replace Windows (10), you need something that has:

  • very long support (i.e. years, not months)
  • a rock solid, automated updating system. No dnf system-upgrade mess
  • little potential to break
  • ability to update a machine that was not turned on in a while

Software

For software, using Flatpak and binaries (like the Firefox tarball) makes sense. Flatpak overrides can be managed with something like Ansible.

Security

Also regarding security, locking down these systems would be a good idea. You can have a look at what I proposed to HeliumOS, and also have a look at the Secureblue project. Secureblue bases off Fedora Atomic Desktops too.

Deployment

Image-based systems make a lot of sense, as the uBlue project shows. You can build an EU-wide base image; the national images are built 2 hours after that runner and add in their custom things. Then the regional runners run 4 hours after the EU-wide runner, and can add their custom things again.

You can have a clear hierarchy, and be able to reuse the setups of each country how you like. The images can be built in private, on premise, but could also be built on open forges like a Forgejo instance.

Customization and presets don't take a lot of expertise or tooling like Ansible, as you can see in the heavy customization that uBlue or secureblue do.
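The same EU-wide, national, regional hierarchy expressed in the NixOS model rather than as container image layers, as a constructed example added here (not from the post, uBlue or secureblue): three module files shown in one block, each importing the layer above it and stating only its differences. Country, region, locale, proxy host and package picks are placeholders.

```nix
# eu-base.nix: the EU-wide baseline (constructed example). lib.mkDefault marks
# values that a lower layer may simply overwrite; a plain value set again in a
# lower layer makes the build fail with a "conflicting definition values" error,
# unless that layer uses lib.mkForce, so the baseline's hard requirements are
# visible in the diff of whoever overrides them.
{ lib, pkgs, ... }:
{
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
  boot.loader.systemd-boot.enable = true;
  services.desktopManager.plasma6.enable = true;
  services.flatpak.enable = true;
  system.autoUpgrade = { enable = true; operation = "boot"; };
  networking.firewall.enable = true;            # hard requirement, no mkDefault
  i18n.defaultLocale = lib.mkDefault "en_IE.UTF-8";
  environment.systemPackages = [ pkgs.git ];
}

# de.nix: the national layer. Imports the baseline; only the deltas are here.
{ pkgs, ... }:
{
  imports = [ ./eu-base.nix ];
  i18n.defaultLocale = "de_DE.UTF-8";                 # replaces the mkDefault value
  time.timeZone = "Europe/Berlin";
  environment.systemPackages = [ pkgs.libreoffice ];  # lists merge: git + libreoffice
}

# bayern.nix: the regional layer, built the same way on top of the national one.
# A machine's configuration.nix then just imports this file.
{ ... }:
{
  imports = [ ./de.nix ];
  networking.proxy.default = "http://proxy.example.invalid:3128";  # placeholder host
  services.printing.enable = true;
}
```

Because every layer is evaluated into one system closure on the client, there are no staggered build runners to coordinate; changing the baseline is picked up by every country and region at their next rebuild.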

Here you can find the CI/CD files for building Fedora Atomic Desktops, on GitLab.

Edited by boredsquirrel