Immutability: The Future of Linux
A look at two similar and one unique implementation of application containerisation and immutability in the Linux ecosystem.
One of the first big problems that many new Linux users encounter is breaking their system while adding or removing applications, without understanding the impact on other installed dependencies. A popular example of this is tech YouTuber Linus Sebastian breaking his system while trying to install Steam.
However, with increasing Linux adoption for personal desktops and workstations, there has been an advent of new Linux distributions which isolate the base system from user-installed applications to eliminate breakage and create repeatable (if not reproducible) systems. In this post, I try to understand and explain three popular Linux distributions which champion immutability and reproducibility using two different approaches.
Application Containerisation
Docker and Kubernetes, the industry-standard tools for creating and managing containerised applications, have made the concept mainstream in the application development space. Red Hat and SUSE brought these principles to operating systems with Project Atomic and openSUSE Kubic respectively; both have since been retired and replaced by Fedora CoreOS and openSUSE MicroOS. These systems have also been adapted for desktops and workstations.
Fedora Silverblue
Silverblue was first presented as an official spin of Fedora Workstation in October 2018 with the release of Fedora 29. While the two distributions are identical in appearance, the distinction between Silverblue and Workstation can be explained in three parts: the base system, GUI applications and command-line applications.
The base system uses rpm-ostree, a packaging system created by combining libostree with Fedora's package manager DNF. The system update mechanism is atomic, i.e. a new image is generated and applied as a whole. This allows users to choose from multiple images to boot into, and also to roll back easily to the last working state in case of any failure during an update. By default the base system is identical across installs in terms of the packages present, but Silverblue also provides the flexibility of layering packages over the base system.
For installing GUI applications, Silverblue recommends Flatpak, a universal package manager which creates a sandbox comprising the installed applications and their dependencies, separate from the base system. These applications can be installed from the Fedora Flatpak registry or from an abridged version of Flathub, the officially advertised app store.
For command-line applications, Silverblue comes with toolbox pre-installed, which is based on Podman, a drop-in replacement for Docker. Users can use OCI images as a minimal base in which to install command-line applications, and even GUI applications (although Flatpak is recommended for those). Fedora provides official images, and the community has created unofficial images for other popular distributions such as Arch Linux and Ubuntu.
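The sandbox that Flatpak puts around an application is only as tight as the permissions declared in that application's metadata, so a practitioner will want to see what an installed app is actually allowed to reach. The helper below is an added example, not code from the original post or from the Flatpak project: it reads the ini-style `[Context]` section that `flatpak info --show-permissions <app-id>` prints (the format is assumed from Flatpak's metadata keyfile; `org.example.App` is a placeholder id) and lists the entries that reach outside the sandbox. The sample metadata is constructed, not taken from any real application.

```shell
# Added example: list Flatpak sandbox permissions that reach outside the sandbox.
# Input is the [Context] keyfile text printed by
#   flatpak info --show-permissions <app-id>
# (format assumed from Flatpak's application metadata); read on stdin.
flatpak_broad_permissions() {
    awk -F= '
        /^\[/ { section = $0; next }                    # [Context], [Session Bus Policy], ...
        section != "[Context]" || NF < 2 { next }       # only Context keys matter here
        {
            key = $1
            n = split($2, vals, ";")                    # values are ;-separated, trailing ; allowed
            for (i = 1; i <= n; i++) {
                v = vals[i]
                if (v == "") continue
                base = v; sub(/:(ro|rw|create)$/, "", base)   # strip access-mode suffix for matching
                # Host, home or absolute paths: the app sees the real filesystem (read-only or not).
                if (key == "filesystems" && (base == "host" || base == "host-os" || base == "host-etc" || base == "home" || base ~ /^\//))
                    print key "=" v
                # X11 offers no isolation between clients; raw bus access bypasses the portals.
                if (key == "sockets" && (v == "x11" || v == "session-bus" || v == "system-bus"))
                    print key "=" v
                # All device nodes, or development features such as ptrace.
                if (key == "devices" && v == "all") print key "=" v
                if (key == "features" && v == "devel") print key "=" v
            }
        }'
}

# CONSTRUCTED sample metadata, standing in for `flatpak info --show-permissions org.example.App`.
FLATPAK_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;
filesystems=home;xdg-download:ro;/mnt/media;

[Session Bus Policy]
org.freedesktop.Notifications=talk'

# Demo on the constructed sample; on a live host pipe the real command output instead.
printf '%s\n' "$FLATPAK_PERMS" | flatpak_broad_permissions
```

Entries such as `wayland`, `pulseaudio` or `xdg-download:ro` pass through silently; what remains is the list to question when reviewing an app, and `flatpak override` can narrow it per application without touching the base system.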
openSUSE MicroOS
The architecture (for lack of a better word) of Silverblue and MicroOS is quite similar, but the implementation is somewhat different in all three parts.
The base system of MicroOS uses openSUSE's default package manager zypper under the hood, but delivers atomic updates and rollback by creating snapshots of the BTRFS subvolumes with snapper. Another difference is the absence of layering, which keeps the base images 100% identical across deployments.
Users have complete, unfettered access to Flathub for installing Flatpaks on MicroOS, unlike Silverblue, which provides the Fedora Flatpak registry and a curated version of Flathub, thus limiting application availability on the latter.
And finally, for command-line containerisation tools, users also have the alternative of distrobox, which works with both Podman and Docker and provides images for more distributions, and so seems less limited than toolbox.
openSUSE MicroOS is still considered alpha software, but it seems to edge out Silverblue with its use of standard tools like BTRFS and snapper, unfettered Flathub access and the out-of-the-box availability of distrobox.
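Both Silverblue's rpm-ostree deployments (described above) and MicroOS's snapper snapshots work the same way at the top level: an update prepares a fresh root and the machine switches to it on the next boot, so what is staged and what is running can differ. The helpers below are an added example, not code from the original post, Fedora or openSUSE: they read the status text of each tool and report whether an update is pending, and for Silverblue also list the packages layered over the base image on the booted deployment, which is exactly the drift from a pristine image. The status listings are constructed to resemble `rpm-ostree status` and `snapper list` output (the snapper column markers are assumed from its manual); on a live host pipe the real command output into the functions instead.

```shell
# Added example: detect a staged-but-not-booted update on rpm-ostree and snapper
# systems. All listings below are CONSTRUCTED; on a live host use
#   rpm-ostree status | rpm_ostree_pending      (Silverblue)
#   snapper list      | snapper_pending         (MicroOS)

# --- Fedora Silverblue: rpm-ostree deployments ---------------------------------
# "●" marks the booted deployment; a deployment staged for the next boot is listed
# first without it. Indented "Key: value" lines belong to the header above them.
RPM_OSTREE_STATUS='State: idle
Deployments:
  fedora:fedora/38/x86_64/silverblue
                  Version: 38.20230601.0 (2023-06-01T00:00:00Z)
               BaseCommit: 1111111111111111111111111111111111111111111111111111111111111111
             GPGSignature: Valid signature by CONSTRUCTED-KEY
          LayeredPackages: gnome-tweaks vim

● fedora:fedora/38/x86_64/silverblue
                  Version: 38.20230525.0 (2023-05-25T00:00:00Z)
               BaseCommit: 2222222222222222222222222222222222222222222222222222222222222222
             GPGSignature: Valid signature by CONSTRUCTED-KEY
          LayeredPackages: gnome-tweaks vim'

# Prints "pending" when some deployment is listed before the booted one, else "current".
rpm_ostree_pending() {
    awk '
        /^State:/ || /^Deployments:/ || /^ *$/ { next }   # preamble and blank lines
        / [A-Za-z]+: / { next }                           # indented "Key: value" detail lines
        { n++; if (index($0, "●") == 1) booted = n }      # a deployment header line
        END { if (booted > 1) print "pending"; else print "current" }'
}

# Prints the packages layered over the base image of the booted deployment.
rpm_ostree_layered() {
    awk '
        /^State:/ || /^Deployments:/ || /^ *$/ { next }
        / [A-Za-z]+: / {
            if (inbooted && $1 == "LayeredPackages:") { sub(/^ *LayeredPackages: */, ""); print }
            next
        }
        { inbooted = (index($0, "●") == 1) }              # header: remember whether it is the booted one'
}

# --- openSUSE MicroOS: snapper snapshots ---------------------------------------
# In the "#" column snapper marks the running snapshot with "*", the default for the
# next boot with "+", and "-" when one snapshot is both (markers assumed from the
# snapper manual). After a transactional update the new snapshot is default (+)
# while the old one is still running (*) until the machine reboots.
SNAPPER_LIST='   # | Type   | Pre # | Date                     | User | Used Space | Cleanup | Description           | Userdata
-----+--------+-------+--------------------------+------+------------+---------+-----------------------+--------------
  0  | single |       |                          | root |            |         | current               |
  1* | single |       | Mon Jun  5 09:00:00 2023 | root |  16.00 KiB |         | first root filesystem |
  2+ | single |       | Tue Jun  6 09:00:00 2023 | root |   1.20 MiB | number  | Snapshot Update of #1 | important=yes'

# Prints "pending" when the running and default snapshots differ, else "current".
snapper_pending() {
    awk -F'|' '
        NR <= 2 { next }                                  # column header and rule
        {
            tag = $1; gsub(/ /, "", tag)                  # e.g. "2+"
            num = tag; sub(/[*+-]$/, "", num)             # snapshot number
            mark = substr(tag, length(num) + 1)           # "", "*", "+" or "-"
            if (mark == "*" || mark == "-") running = num
            if (mark == "+" || mark == "-") next_boot = num
        }
        END { if (running != next_boot) print "pending"; else print "current" }'
}

# Demo on the constructed listings.
printf 'silverblue: %s, layered: %s\n' \
    "$(printf '%s\n' "$RPM_OSTREE_STATUS" | rpm_ostree_pending)" \
    "$(printf '%s\n' "$RPM_OSTREE_STATUS" | rpm_ostree_layered)"
printf 'microos: %s\n' "$(printf '%s\n' "$SNAPPER_LIST" | snapper_pending)"
```

A non-empty layered list on Silverblue is the one place where two machines on the same image can legitimately differ, so it is the first thing to compare when a "identical" fleet behaves differently; MicroOS's lack of layering removes that variable entirely, as the paragraph above notes.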
Nix and NixOS
While working on his Ph.D. at Utrecht University in the Netherlands (read his thesis), Eelco Dolstra created the Nix language for the cross-platform Nix package manager, which provides a way to create reproducible builds of packages and, by extension, of entire systems, as evidenced by NixOS.
NixOS provides the same features as the distributions above, but manages them in a very different manner. It provides an immutable root file system by replacing the global system directories with the /nix/store directory, which holds the binaries and configuration of every system component in its own directory. This enables features like installing multiple versions of a package, atomic upgrades and rollbacks, and rebuilding the system from changes made to the configuration.nix file, which can be used to deploy reproducible builds across multiple machines.
Apart from NixOS, the Nix language and package manager have also inspired a number of projects which take tools like Docker and Kubernetes to another level. The package repository nixpkgs contains over 40,000 packages built for Linux and macOS. However, NixOS is meant for more advanced users and comes with a steep learning curve that involves understanding this domain-specific expression language.
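What makes NixOS upgrades atomic and rollbacks cheap is that every built system lives in /nix/store and the active one is selected purely through symlinks, so a defender can check which generation a host is really running by comparing those links. The helper below is an added example, not code from the original post or the NixOS project: it compares the system profile (the default for the next boot), /run/current-system (activated most recently) and /run/booted-system (what the kernel booted from) and names the state. The link paths are parameters so the demo can run on a constructed tree; the store hashes in it are made up.

```shell
# Added example: which NixOS generation is this host running?
# On a real host the links are:
#   /nix/var/nix/profiles/system -> system-<N>-link -> /nix/store/<hash>-nixos-system-...
#   /run/current-system          -> the generation activated most recently
#   /run/booted-system           -> the generation the running kernel came from
# nixos-rebuild moves them differently (switch: profile and current; boot: profile
# only; test: current only), so comparing the three tells you whether the machine
# runs what configuration.nix currently describes.
nixos_generation_state() {
    profile=$(readlink -f "$1")   # default generation for the next boot
    current=$(readlink -f "$2")   # generation activated last
    booted=$(readlink -f "$3")    # generation that was actually booted
    if [ "$profile" = "$current" ] && [ "$current" = "$booted" ]; then
        echo consistent
    elif [ "$current" = "$booted" ]; then
        echo reboot-pending        # `nixos-rebuild boot` or a rollback staged, not yet booted
    elif [ "$profile" = "$current" ]; then
        echo activated-not-booted  # switched live; kernel/initrd still from the older generation
    else
        echo test-activation       # `nixos-rebuild test`: live change that will not survive a reboot
    fi
}

# CONSTRUCTED tree with two generations: generation 2 is the default for the next
# boot while generation 1 is still running, i.e. the state after `nixos-rebuild boot`.
make_demo_tree() {
    root=$(mktemp -d)
    gen1="$root/nix/store/aaaaaaaa-nixos-system-demo-23.11"   # hash prefixes are made up
    gen2="$root/nix/store/bbbbbbbb-nixos-system-demo-23.11"
    mkdir -p "$gen1" "$gen2" "$root/nix/var/nix/profiles" "$root/run"
    ln -s "$gen1" "$root/nix/var/nix/profiles/system-1-link"
    ln -s "$gen2" "$root/nix/var/nix/profiles/system-2-link"
    ln -s system-2-link "$root/nix/var/nix/profiles/system"   # profile points at generation 2
    ln -s "$gen1" "$root/run/current-system"                   # generation 1 is live
    ln -s "$gen1" "$root/run/booted-system"                    # and was booted
    echo "$root"
}

demo=$(make_demo_tree)
nixos_generation_state "$demo/nix/var/nix/profiles/system" \
                       "$demo/run/current-system" "$demo/run/booted-system"
# → reboot-pending
rm -rf "$demo"
```

The same comparison is the post-rollback check: after repointing the profile at an older generation, the host reports reboot-pending until it actually boots into it, and consistent only once all three links agree.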
Final Thoughts
Linux and Unix-based operating systems built on the immutability principle are making the experience more user-friendly both for non-technical users who want a system that just works and for advanced users who want granular control over the system without the risk of data or other losses. I personally have been using Fedora Silverblue for the last three months and it has been an Adwaita experience. I am getting to learn more thanks to people like Jorge Castro, who writes almost exclusively about these systems on his website.