Opinions on immutable distros
Hey! I’m currently on Fedora Workstation and I’m getting bored. Nothing in particular. I’ve heard about immutable distros and I’m thinking about Fedora Kinoite. The idea is interesting but idk if it’s worth it. CPU and GPU are AMD. Mostly used for gaming.
If you're bored, try Nix. It has all the characteristics of an immutable distro, aims for reproducibility, and is complicated enough to keep you amused for months.
Yeah I was thinking about it. Just feels like it might be too much for just day to day use. Without programming and having to reproduce the system on different machines. At least that’s what the comments say in few places lol
Yah, I get that. But lots of people use Nix as a daily desktop driver because it's immutable. It's not hard to set up the first time with some example configs, and if you want to get more complicated, it's certainly an interesting direction and great time sink.
Frankly, I'd try it in a VM first, so you can snapshot it and play, and see what you think. I don't use it myself but I've set it up a few times and it's pretty cool to play with, I might get around to putting it on one of my bare metal desktops one day.
I see many people here wondering, why they should consider an immutable system.
As someone, who thought the same a few months ago, and now chose Silverblue, here are reasons why:
My #1 reason is, that everything is worry free.
Those advantages above don't apply to "normal" OSs, even, if I keep everything in Distrobox and Flatpaks.
Immutable OSs aren't called "The future of Linux" without reason. They usually shouldn't impair anyone, and make the whole Linux ecosystem better in any aspect.
I'm sorry but none of the above sound different from a regular distro. Maybe I haven't got the gist. You can have snapshots and atomic updates on a regular distro, you don't have to reinstall to switch from Gnome to KDE, I can install all kinds of stuff cleanly anyway thanks to package managers, I don't use root often so the system files are effectively read-only as far as I'm concerned, and so on.
As far as security is concerned I don't see the big deal, I mean I get why a read-only OS would in theory be harder to break into but it can still be modified for updates so I guess it's not really "immutable" after all.
What am I missing?
Edit: before anybody points it out, I do know about the rebase layers and I think it's an interesting approach, but ultimately still gets the same results as packages. It may be helpful for distro builders but doesn't make much difference as a user.
You're correct. But, and here's the big but, the whole immutability-thing isn't something the user should be worried about at all.
On Android for example, the system is read-only too, and pretty much nobody cares too, because it was always designed this way and it doesn't inhibit functionality.
It is mainly a big pro for developers in how I see it. See, every installation creates some package drift. One dependency here, one extra program there, no problem.
But in sum, there will accumulate hundreds of "bloat"-packages over the years, which add many unknown vulnerabilities and bugs that are completely individual to your setup.
And then it will begin: a program crashes here, there's your black screen, and every dev on the issue report says " closed, can't replicate". And after an OS-reinstall, it works again.
And if you want to install KDE on Pop!OS for example, it is highly individual and there are still some packages you didn't see, and it will be very buggy.
Some buttons that are misalligned, misconfigured drivers, and so on.
I tried changing the DE on my normal Fedora one time and even though I thought I did everything correct, I had to reinstall due to screen tearing/ flickering, many misconfigurations, and so on.
On Silverblue, it's a process of 5 minutes max, and then my setup will be the same as the one from thousand other people.
I can't recommend Silverblue enough.
Thing is: on the "surface" it's not that much different than the "normal" Fedora and it's spins.
So, if you want something hugely different on the base, I'd recommend NixOS instead. Nix feels like "the new Arch" for me and is the tinkerer's dream.
It appears to be very complicated too, so it should keep you "not bored" as you said.
I personally wouldn't use NixOS though, as I am just a "casual" user and don't want to over-complicate everything.
I personally am very happy with Silverblue, especially due to one reason: the ability to rebase to many many images.
As other commenters have stated, there's a project called uBlue.
It allows you to swap out the base OS (everything except "your stuff") with one command, so you can rebase to many different community spins and different desktops cleanly.
The uBlue base OS is just Vanilla SB with some QOL stuff added, like codecs and other stuff. It is really a "just works" distro, that manages itself and functions in the background without you noticing.
The other spins give you different DEs, preconfigured drivers, opinionated approaches to different DEs, a SteamOS clone, and so on...
Absolutely great, 10/10
I might try Nix first and see how it goes, if that fails I'll try Kinoite (I prefer KDE :)) thanks for the input :)
Hi! I've been using Fedora Kinoite (and now Bazzite Desktop) for about a year.
I'd say bazzite desktop would be a good fit for you if you want to give an immutable desktop a try. It automatically sets up an arch distrobox for steam and lutris, it even has one click installers for things like oversteer in the post-install welcome screen, it auto-updates and is generally just quite a nice improvement on based Fedora Kinoite.
Immutable distros ARE used differently, you will mostly use flatpaks for basic apps (Although a lot of people do that anyway), but any traditional packages you want to install will be done in distrobox. You CAN overlay packages to the base system, but it should be seen as a last resort.
Let me know if you have any questions :)
Interesting. Standard question, why Kinoite and why Bazzite over others? Aren’t you worried bazzite is more bloated than pure Kinoite? Or is that just my mutable distro fear lol Any resources about distrobox/layering etc you recommend?
I use Kinoite over silverblue and other Fedora versions simply because of the desktop. I choose Fedora atomic over other immutable distros because I simply think it's the easiest/most convenient. VanillaOS might be pretty good, but from what I can tell it's on an Ubuntu/Debian update schedule which isn't what I want. I tried NixOS but it's complexity just wasn't appealing.
I use Bazzite over Kinoite because it has all of the tweaks I want, honestly the amount of "bloat" isn't as crazy as you'd imagine.
I don't have any resources about distrobox unfortunately, but I'm sure they're around.
What do you mean by bored¿? Because you will be similarly bored by silverblue or kinoite. They are built to be stable and somewhat boring
Idk, I might be just trying to find something to tinker with, immutable is kind of "new flashy" thing :P
Tinkering on silverblue is similar to tinkering on fedora (at least in my experience) just more restrictive in that the read only parts can't be changed(obviously) and tinkering with packages requires reboots and layering. The good thing is you can rollback to easily undo shit.
This is what I have been doing for years on my Synology box.
Just a handful of Synology apps (mostly backup and snapshot apps) and all the rest of the ecosystem running in Docker. So the main system is bloatfree.
On Linux desktop, mostly flatpaks installations.
That's absolutely not true.
Immutable systems aren't just "normal systems you can't change", no, they're more.
They're image based. So, every OS is the same, giving you better reproducibility, resulting in less bugs, better security and a "fresh" OS after every update.
Your OS accumulates stuff over every update and by just using it over time, and having an image based OS is just better.
Immutability has so much more advantages than just keeping the host clean. It has some disadvantages, yes, but for most people out there, way more advantages!
Why do all these immutable distros not support use of secure boot and/or TPM. If there was one that made it a breeze to configure this and made using my AURs easy as well I probably could give immutable a chance. But ATM it all looks like I'll have to wait until a major corp like Ubuntu made & supported an immutable version so we can get these quirks hashed out.
I believe Universal Blue supports Secure Boot, since they specifically went to make it work for even Nvidia users - I'm assuming it works similarly for the non Nvidia variants or maybe just uses Fedora's default keys? I'm not too well versed in how SB works.
Then it also comes with Distrobox so you can just spin up an Arch container and use AUR apps through there.
RedHat & Debian family desktop distros use a key that is signed by Microsoft for supporting secure boot. For compatibility reasons mostly as some hardware will brick when the MS signed keys are not found. But I prefer to sign my own keys and enroll them as I currently do with sbctl. I have no need for extra kernel modules/drivers as Nvidia users would (seems like a hacky workaround if the kernel can't ship the drivers and signing your own kernel makes the situation even more complicated).
However I have been meaning to try Distrobox, if I get around to trying out immutable I will give it a good run.
I'm not sure what you mean exactly but I use Silverblue with secureboot on and a LUKS encrypted drive using a fido2 key. To my knowledge I also could configure the use of TPM to store my key but find that setup not to my liking.
This summary should cover my main concerns with current secure boot implementations on the major distros. Ignore everything else other the linked part. I also would not want to be forced to use grub as the bootloader.
Curious. What did you not like about using TPM to store keys in your setup? I use TPM for secure state validation & automatic decryption of my LUKS drive, it's great and also acts as a tripwire for secureboot state.
I could build a custom version of Silverblue (u-Blue) to replicate what I already have setup, but none of this would be supported configuration. All this is not entirely to blame on on immutable distros (traditional distros don't give a damn about secure boot either way), just that to mess around within /etc is a no-no in such a model so to get multiple pre-configured options for secureboot configs/keys that work seamlessly would be a great experience for me.
Here's secure boot for NixOS: https://github.com/nix-community/lanzaboote/
Yeah. Came across it when it was released. It's still considered experimental.
And am sure NixOS is great but it definitely is a weird operating system.
I jumped. I replaced workstation with silverblue. It feels like installing the early version of the future of linux. From an enduser perspective you do not gain too much going from workstation to silverblue. Yet only if you were already using flatpaks a lot. Installing software into the OS becomes more difficult which is the point. It's not good for tinkering. For tinkering you should use arch. Reducing the possibilities to fuck up the system sounds great for the end user. I love that you can remove everything but from a business point of view and the responsibility I have when recommending an OS, immutability is great. Moreover it's more difficult to install snap which is good as well.
I think they have a place, but personally speaking, I feel they stifle tinkering. So they're a "no" for me.
I feel the exact opposite -- I feel like they encourage tinkering in their own way, since they offer the ability to much more easily roll back to a known good configuration.
If I didn’t enjoy tinkering, I would use one of the immutable distros, or at least the Fedora versions.
I personally don’t like that they feel like Android or Chrome OS, but I know that is also the draw to them for others.
You can still tinker!
NixOS is pretty complicated, but in my eyes the next-gen Arch.
And Silverblue is still be able to be tinkered with.
See, on immutable systems, you don't change the system itself, but the next image.
Similar to PDFs: you shouldn't change the PDF, but the original document and then export the PDF again.
PDFs aren't bad, but they aren't designed to be edited, and that's their pro.
And with Project uBlue you can create custom images how you want.
You like Hyprland? There's an image exactly with that! You see what I mean :)
Been playing with that Bazannite (sp?) Variant, it works fine, but i am still undecided if learning the ins and puts of it are worth the switch from my Pop_os install.
There was a little bit research and learning to do some tasks, but nothing surprising.
it does seem it boots much slower than my pop_os install, but I think I have it installed on an internal Hybrid HDD that i not yet replaced with a SSD, so that may be the cause.
pop_os boots amazingly fast, not sure what they do to it.
and having to reboot to get stuff updated/installed is a bit annoying, the ability to roll back is the trade off I guess.
However I can't really think of a time that I needed to roll back, perhaps I am just lucky. So the entire roll back feature is something that I don't know if I will ever actually use.
good luck.
Thanks for the input :)
I tried VanillaOS a while ago and was able to get everything working with my usual setup. I think it has the best approach, and when their v2 comes out, I’m probably gonna switch from Fedora.
What made you choose VanillaOS over Fedora spins?
I haven't tried v1 yet, but i am really looking forward to their v2 release. Really glad to see they are swapping from ubuntu-based to debian-based. Tons of really neat features in their roadmap too.
I've been on an arch kick recently, but i like the idea of immutable for my laptop which i don't use as often as my desktop, but when i do use it i need it to just work and not have to be as proactive about the rolling release schedule. Honestly it becomes a good secondary device OS since it'll likely support whatever package manager you use on your main to make installing all the same things the same way easy.
Immutables are an amazing idea. I just wish Arch (EndeavourOS) had it.
Isn't SteamOS immutable and Arch based? Surely there's also a more general purpose distribution that does that.
Yup, true
There is AstOS although I haven't tried it personally and I'm not sure how well it works.
Oh nice. I'm going to look into it more. I have invested so much damn time into my current setup and I don't want to just migrate. So many apps and games are set up the way I want them. Not a distro-hopper here and you get the picture.
Is AstOS still active? I found this AshOS which is similar but I had never tried any of it. Maybe also inactive don't really know. Thx for mentioning AstOS, I never thought this is possible on Arch distribution.
That's what distrobox is for
If you are bored, no reason to change hahaha. If you want an always running system, use Kinoite.
I tried Fedora Silverblue as well as uBlue Linux and it was pretty ok. My favorite though is NixOS. I look forward to trying out blendOS and VanillaOS.
I've been using Kinoite for a couple of years now on my Thinkpad. What would you like to know?
How much did you have to adapt to the new app installing workflow? If you know what I mean
I learned quickly that installing apps the traditional way causes pretty major instability. You're basically rebasing the entire OS via ostree to install one application. After my second nuke and pave due to updates no longer working from me rebasing I took the time to learn toolbox so if a flatpak is not available I can still use an application (containerized) without altering the OS. Toolbox by default pulls in another Fedora install as the app base. I recommend using Alpine instead, much smaller and lighter.
I guess the moral of the story is learn to install applications the correct way, or just don't use an immutable OS
If nearly all of your gui apps are available as a flatpak, it's simple to adapt. While I was using Silverblue I set my terminal up to launch directly into a distrobox, which gave me a regular container to install apps with a regular package manager (e.g. pacman in my case).
If I used Silverblue today I'd use the Nix package manager (with home manager) to install all my cli apps.
I’m not a a current user of immutable distros, but I’m in the same boat as you. Interested in immutable os’s, running fedora workstation, getting bored.
I’ve been working on independent setups to see how I’d get customization working on an immutable distro. Some combination of containers seems like how I’d go. See this explanation.
For example, I’m running a wayland system, and RemoteApp/Rails on freerdp only works with X. Xwayland is currently broken on my system (installed as fedora 39 *beta). I require this for work. I installed distrobox with debian 12 bookworm, installed the required packages and it works like a charm.
On immutable OS’sI have been watching Vanilla OS for a while. I really like what I see. I’m just not sure what the security posture of it is.
The biggest thing holding me back is Gnome 45. It’s so good. Having an independent prioritized thread for mouse/keys makes it feel so smooth.
I’ve built hyprland and begun adding all the essential pieces to make it a viable replacement for Gnome. I’m not there yet, but once I figure out ad-hoc multi-monitor support with docks, I will be.
*edit
2 points for vanillaOS. What’s the problem with their security? Also, coming from KDE, what’s that about gnome mouse thing you’re talking about? Just curious lol
I don’t have a particular problem with their security, I just don’t have a clear picture of what they’re about yet - and I don’t want to give the impression that I’ve investigated it and found everything’s in order.
Gnome’s mouse thing is about running the human input devices in a separate thread, prioritized over the rest of its spawned processes. The practical upshot is, if your system is chugging under the weight of too many programs, your input won’t be laggy
I think immutable OSes serve two purposes: For the developer who needs to operate multiple environments at the same time, and for the utter novice who could screw something up otherwise.
This audience, us, is the exactly middle ground. We like tinkering. We like setting things up.
So, I don’t think immutable OSes are for us.
Not true in my opinion.
You can still tweak the image to your liking, you just have to approach it differently.
One of the many things image based OSs offer is peace of mind.
It's just great to know my PC will work just as fine tomorrow as it did today, and I don't have to fix anything.
Yeah man I don't know. I used to think I like tinkering(used endeavour for a few months) but I am enjoying the no maintaince life with uBlue very much. Most of the time the system updates on its own and I am not even aware that the system updated. Same with flatpaks which also auto update so they are always on the latest version provided by flathub when I use them. But I also like gnome so maybe I am not the tinker lover I thought I was
Edit: Tumbleweed is not immutable, you learn something new every day, especially from your mistakes 🙃 (it's still a really nice distro)
Personally really happy with my choice of Immutable Distro: OpenSuse Tumbleweed. To me, who is half a year into using linux, its very convenient to use an immutable system as IF i were to do a wrong command or whatever its super easy to rollback the system (at least on Suse as it uses btrfs-filesystem). Another thing worth mentioning which is also why I chose to go with immutable is that it really teaches you "the good standards" of where to tinker with files and where not to, at least for a beginner like myself this is very nice.
Tumbleweed isn't immutable
Tumbleweed isn't immutable... Aeon (previously MicroOS Desktop) is.
Oh wow, won't you look at that! 😅 Well that jsut shows my lack of experience I guess. I swear I heard it somewhere and just believed it was. Or maybe I misread and read that MicroOS and Aeon was, therefore assumed Tumbleweed was... My bad!
As you already noted Tumbleweed isn't immutable, but it is generally delightful! It's the one I've always been most comfortable with in terms of Rolling Releases
Noted, thanks :)
I personally don't like them. I just keep my system clean and use distrobox and flatpak
This is why fedora had a little bar after rebooting when I updated right? What am I a Windows user?!? This is the extent of my understanding of immutable distros and I am furious with them.
I don't know what you mean with your comment?
The progress bar on Gnome-based distros like Fedora and Ubuntu was their offline install.
This increases the likelihood of a successful update without borking your system.
You can always deactivate that or update via terminal.
It has nothing to do with immutable OSs. Actually, most of them even update without you noticing, which is quite convenient imo!
I was mostly joking and I might have been mis-attributing the delay. From the time's I've had Fedora, including with KDE, if I update I have a pause during the next boot where I have to let the install finish before getting back to functional. My belief was that this was because the immutable system could not be running while updating, compared to non-immutable where a standard reboot works with a new kernel et al.
No. You don't see or feel the update with silverblue. You see the update with the normal workstation version. The immutable version fixes that.
I have corrected the one thing I know about immutable distros and am now furious with all others.
There are many good comments here and from what I've read immutable seems best suited to the Enterprise IT environment where you don't want the user fiddling with the system, and you want built in rollback and quick configuration. As well as user data protection.
But for Linux users at home I don't see any massive advantage. Especially if you're running a reliable distro like Mint or Debian, or better yet Linux Mint Debian Edition is the best of both worlds.
If you only turn the PC on to watch YouTube, read a document, scan and print, surf the web or game your system should be 100% ok. Unless you're running Manjaro or Arch.
What I don't like about the immutable approach is that it turns my PC into a dumb terminal locked by the distro Devs and updated at their will. It's ok if I have read only on my Android phone because I don't need to get into root etc. That's a good place for immutable.
But I don't want my Linux box at home to be a just an appliance that someone else essentially has control over.
That's very much an Apple approach. Don't let the user see or touch anything. They can just be content to change the wallpaper and add a widget. We'll decide when and how the OS gets updated, what apps they can and cannot run etc.
Ultimately it infringes on user freedom and the very FOSS principles that set Linux apart from the rest.
In short, fine for Enterprise IT but no good for the average Linux user.
What I don't like about the immutable approach is that it turns my PC into a dumb terminal locked by the distro Devs and updated at their will.
I think you are misunderstanding how immutable distros work. They can be just as configurable as regular distros and in the case of nixOS it is more configurable than popular distros. The point of immutability is to ensure that the system can't be broken during when it is running by a bad update or install or by user making configuration errors as these are applied during reboot. If the system is broken then a earlier snapshot is booted so you always have a working system. You can setup a regular distro with this atomicity and snapshots but it is not as easy as using immutable distros. Yes tinkering and using native packages is harder in most immutable distros but immutables never were a catch all solution. Use what suits you. I was just a little upset that you claimed that immutables are not in the spirit of FOSS. You can even make your own images(base OS) in distros like fedora silverblue and update your system with those images instead of using what the maintainers provide. It is what uBlue uses
You make a lot of good points, but I have to disagree on the "don't let the user see or touch anything". That's very much not the way immutable distros behave (and I speak mostly about Fedora Silverblue here, I don't have experience with other immutable systems): you can touch and change anything and often times you have mechanisms put in place by the distro developers to do exactly that. It's just that the way you make changes is very different from classical distros, that's all, but you can definitely customize and change whatever you want. I feel the comparison between immutable distros and Apple is really far off: Apple actively prevents users from making changes, while immutable Linux is the opposite -- while there may be some technical limitations, the devs try to empower the user as much as possible.
I'm thinking about it as well! I'm on workstation. I'm not sure about the additional benefit for me as a user. Or let's say for a newbie, should I recommend the immutable version?
I wrote a comment above.
That one may interest you and explains why :)
I mean.... you can try it in a VM or live USB :)
Eh, I don't do anything illicit on the internet neither work at NASA or any other high-security-related job... so I'm in the "Lol" side of this whole story.
Compile your commands, kids.
Immutable distros are all about making thing that were easy into complex, “locked down”, “inflexible”, bullshit to justify jobs and payed tech stacks and a soon to be released property solution.
We had Ansible, containers, ZFS and BTRFS that provided all the required immutability needed already but someone decided that is is time to transform proven development techniques in the hopes of eventually selling some orchestration and/or other proprietary repository / platform / BS like Docker / Kubernetes does.
“Oh but there are truly open-source immutable distros” … true, but this hype is much like Docker and it will invariably and inevitably lead people down a path that will then require some proprietary solution or dependency somewhere that is only required because the “new” technology itself alone doesn’t deliver as others did in the past.
As with CentOS’s fiasco or Docker it doesn’t really matter if there are truly open-source and open ecosystems of immutable distributions because in the end people/companies will pick the proprietary / closed option just because “it’s easier to use” or some other specific thing that will be good on the short term and very bad on the long term. This happened with CentOS vs Debian is currently unfolding with Docker vs LXC/RKT and will happen with Ubuntu vs Debian for all those who moved from CentOS to Ubuntu.
We had good examples of immutable distributions and architectures before as any MIPS router and/or IOT device is usually immutable and there are also reasons why people are moving away from those towards more mutable ARM architectures.
this was a whole bunch of rambling and complaining without amounting to much. what's actually got you upset about increasing the security model?