Best immutable Linux distributions: what they are and when to use them

For some time now, immutability has come up more and more often, at various levels. Creating an immutable backup on a NAS or in the cloud helps, for example, to protect against ransomware or to meet specific legal (compliance) requirements. Immutable data is a set of bytes stored read-only, which cannot be modified over time by anything or anyone.

Immutable Linux distributions have a peculiar characteristic: some areas of the system cannot be modified and always remain as they are. The concept is certainly not new: many devices use it, for example, to prevent unauthorized modifications and the alteration of files crucial to the device's own operation.

A classic scheme makes the contents of the Linux root directory immutable: in this way, accidental or unwanted changes to the operating system are avoided. Users can also extend the same approach to other resources, including the /usr folder, which contains system files and programs that are not needed for the boot process or for system recovery after a disaster.

Versioning, generally supported by immutable Linux distributions, lets you manage new versions of programs and of any system component. Users can thus return, if necessary, to a previous version, for example when problems occur after an update.

How versioning works in immutable Linux distributions

Versioning (in Italian, "versionamento") is handled by immutable Linux distros through various technical mechanisms. First of all, the so-called atomicity of updates ensures that a "half update" cannot occur: the transition from one version to another happens consistently and cannot be interrupted or left in an inconsistent state. This is particularly reassuring in the case of system updates, because you are sure the machine will always be bootable. No surprises and no sudden breakages.

Atomic package management of applications brings the same advantages. Moreover, the package managers included in the various distributions in turn ensure declarative versioning and atomicity.

Some immutable Linux distros support advanced file systems such as Btrfs and ZFS. Both support the concept of the snapshot, i.e. point-in-time images of the contents of the file system. Before making significant changes to your system, creating a snapshot offers a sure lifeline: should any problems arise, the user can always return to a previous, known-working state.

Extensive use is also made of containerization: programs can be packaged in containers that carry all their dependencies, which makes for consistent deployment across different environments. Orchestration tools such as Docker Compose, Kubernetes and Podman can oversee the deployment and updating of containers easily and effectively.

The concept of layering

The OverlayFS stacking technology allows one or more file systems to be overlaid so that they appear as a single file system. It is widely adopted in immutable Linux distributions precisely because, on top of the operating system layer (which remains immutable), new information can be built and added. Stacking a writable (read-write) layer on top lets changes be made and recorded while still preserving the underlying structure.

Since it also supports the concept of snapshots and rollback, OverlayFS allows the system to be returned, if necessary and at any time, to a previous state. For this very reason, immutable Linux distributions use OverlayFS to manage operating system updates safely and reversibly.

The security of immutable Linux distributions

Those who develop immutable Linux distributions present them as significantly more secure than traditional ones. This is certainly true, because being able to count on the fact that no user, not even with specific privileges, can alter the base of the operating system is an added value.

Immutable distros reduce the attack surface by preventing unauthorized changes to the operating system, especially to the most critical system files. Nothing excludes, however, that a malicious component could still damage the part of the system that is not immutable. It is therefore always wise to proceed with caution, without being lulled into a false sense of security.

The advantages, as highlighted earlier, derive from the possibility of isolating applications, thanks to containers and other technologies; from rollback management; from centralized configuration management, which favours consistency between environments and reduces the chance of misconfigurations; and from support for versioning and snapshots.

A selection of the best immutable distributions

Traditionally, immutable Linux distributions were something essentially reserved for developers, professionals and server administrators. As highlighted earlier, these are solutions particularly suited to those who have to test software, to those who work with containers, and to those who need the guarantee of a stable and, indeed, unchangeable system base.

Over time, the concept of immutability has also been extended to desktop distributions, so as to deliver the benefits to a wider audience of users.

Fedora Silverblue

Fedora Silverblue is a variant of the well-known Linux operating system with some unique features compared to the traditional Fedora Workstation distribution. It is based on the concept of atomicity, guaranteeing maximum stability and simplifying version management.

Deployment leverages containers: this means that applications are often delivered in Flatpak containers. This isolates programs from the rest of the operating system, reducing potential dependency conflicts and significantly improving security.

The desktop environment chosen for this distro is GNOME, the same as Fedora Workstation, but with the containerization-oriented approach the desktop experience becomes much more manageable.

Silverblue closely follows Fedora's development cycle: when a new version of Fedora is released, an updated release of Silverblue can reasonably be expected soon after.

carbonOS

Among immutable Linux distributions, carbonOS is a bit of a newcomer, so much so that the project's official website still speaks of early adopters.

carbonOS uses a scheme centred on Flatpak and containerization. The system aims to deliver safe system updates and verified boot, as well as other features that not all atomic distributions offer. As for the desktop environment, the distribution uses GNOME.

The long-term dream is to create a sort of "GnomeBook" platform, that is, an operating system that requires no maintenance, like Chrome OS, but that can nevertheless be as powerful as a real desktop operating system, all without depriving users of total control over hardware and software.

NixOS

NixOS is a Linux distribution based on the Nix package manager. Its main feature is the declarative management of system configuration and software packages. Rather than making direct changes to the system configuration, NixOS defines a declarative description of the system and the desired packages, which the Nix package manager interprets to apply changes consistently.

The system configuration is defined in a single file, usually called configuration.nix, which contains a precise description of every aspect of the system, including software packages, network settings, kernel specifications and more. Each software package is isolated and does not interfere with the others, also thanks to highly reproducible management.

After editing the configuration file, the "nixos-rebuild" command applies the changes. Thanks to the management of "generations" (variants of the configuration), users can set up different configurations and switch from one to another in a simple and…
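
The atomic update, the rollback to a previous state and the switching between generations described in the versioning, layering and NixOS sections can be modelled with a read-only directory per generation and a single "current" symlink that is replaced by one rename, similar to the way NixOS profiles and OSTree deployments switch between generations. This is a constructed example for illustration, not code from any of the distributions; the `ROOT` scratch directory, the `previous` marker file and the file names are assumptions.

```shell
#!/bin/sh
# Toy model of atomic, versioned deployments with rollback, built only from
# directories and one symlink. Each generation is a read-only tree; "current"
# is a symlink replaced with a single rename(2), so anything reading through
# "current" sees the old tree or the new one, never a half-updated mix.
# Constructed example for illustration; not code from NixOS, OSTree or any distro.
set -eu

# Deployment root: a scratch directory (assumption: mktemp is available).
ROOT="${ROOT:-$(mktemp -d)}"
mkdir -p "$ROOT/generations"

# Point "current" at generation directory $1 atomically: build the new link
# under a temporary name, then rename it over the old link. mv -T (GNU
# coreutils) treats the destination as a plain name, so the old symlink is
# replaced instead of the new link being moved *into* the directory it targets.
switch_current() {
    if [ -L "$ROOT/current" ]; then
        readlink "$ROOT/current" > "$ROOT/previous"   # remember the rollback target
    fi
    ln -s "$1" "$ROOT/current.tmp"
    mv -T "$ROOT/current.tmp" "$ROOT/current"
}

# deploy_generation NAME RELEASE: build a generation tree and make it current.
deploy_generation() {
    gen="$ROOT/generations/$1"
    mkdir -p "$gen/etc"
    printf '%s\n' "$2" > "$gen/etc/release"
    chmod a-w "$gen/etc/release"     # deployed generation content is read-only
    switch_current "$gen"
}

# rollback: make the previous generation current again (fails if there is none).
rollback() {
    [ -f "$ROOT/previous" ] || { echo "rollback: no previous generation" >&2; return 1; }
    switch_current "$(cat "$ROOT/previous")"
}

# Helpers for inspecting the state seen through the "current" link.
current_release() { cat "$ROOT/current/etc/release"; }
current_generation() { basename "$(readlink "$ROOT/current")"; }
```

Running `deploy_generation gen-1 "release 1.0"`, then `deploy_generation gen-2 "release 2.0"`, then `rollback` leaves `current_release` reporting "release 1.0" again, with both generation trees still intact on disk.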
