ParticleOS, from Fedora to Feast: Stirring Traditional Distros into Immutable Delights

<p>How to successfully brew a Linux immutable image, with bells and whistles</p> <ul> <li>take a <a href="https://github.com/systemd/particleos">ParticleOS recipe</a> 📜</li> <li>generously pour in packages from a traditional distribution like <a href="https://www.fedoraproject.org/">Fedora</a> 🫗</li> <li>add a pinch of <a href="https://microsoft.github.io/ipe/">security policies for code integrity</a>, build time and boot time customizations to taste 🧂</li> <li>amalgamate them together with <a href="https://systemd.io/">systemd</a> 👩🏻‍🍳</li> <li>stir vigorously with <a href="https://github.com/systemd/mkosi">mkosi</a> 🥣</li> <li>bake until crispy in the <a href="https://openbuildservice.org/">Open Build Service</a> ♨️</li> <li>allow time to cool in your <a href="https://download.opensuse.org/repositories/system:/systemd/">CDN</a> 🥧</li> </ul> <p>Creating a (truly!) immutable distribution with a strong security posture and a chain of trust that starts in the hardware and ends in userspace is no longer a job that requires an entire team and starting from first principles. With the power of tooling and infrastructure provided by the <a href="https://systemd.io">systemd project</a>, anyone can customize, build and deploy at scale and securely starting from your preferred traditional package-based distribution.</p> <p>This talk will go over all the tooling and infrastructure available to achieve this, from systemd to mkosi, from UEFI Secure Boot and dm-verity to the Integrity Policy Enforcement LSM, from OBS to systemd-sysupdate, from systemd-repart to systemd-firstboot, and show a working example and how to reproduce and customize it.</p>