Bootable Linux Containers

Container

Published

December 6, 2025

Modified

December 6, 2025

Overview

Why use an bootbale container-based operating system?¹

Manage image-based Linux systems at scale
Prevent all configuration drift on the infrastructure
Emphasis on day-2 operation, CI/CD + orchestrated update
Unify development & operations tooling around containers
Seamless upgrades with robust rollback
Ensure signed & verifiable state

Images

Bootable container images have following properties:

Includes Linux kernel, firmware, and bootloader
Includes Systemd as PID 0 init-system
Build with a Containerfile …integrates with container CI/CD
Packaged as a sing-able versioned OCI container image

A variation of pre-build bootable containers is available²˒³˒⁴˒⁵˒⁶˒⁷

Build

bootc-base-imagectl (from Fedora) builds base images from configuration files

Notable sub-commands:
- build-rootfs - Generate container rootfs
- rechunk - Create a new container with split, reproducible layers
Leverages multi-stage builds in the Containerfile (with Podman)
1. Pull a base image for the build environment
2. Install tooling (includes the bootc-base-imagectl script) and configuration, run the build
3. Copy the built rootfs into a new image
Builds a single layer image by default …use rechunk to split into chunked layers
The rootfs is build with ostree⁸ and rpm-ostree⁹

Conversion

bootc-image-builder¹⁰ converting bootc container images

Build a qcow2 image for bootable container

podman pull ghcr.io/osbuild/bootc-image-builder:latest
podman pull quay.io/almalinuxorg/almalinux-bootc:9.4

# configuration
mkdir output
cat > config.toml <<EOF
[[customizations.user]]
name = "alice"
password = "bob"
key = "ssh-rsa AAA ... user@email.com"
groups = ["wheel"]
EOF

# build VM image
podman run --rm -it --privileged --pull=newer \
    --security-opt label=type:unconfined_t \
    -v ./config.toml:/config.toml:ro \
    -v ./output:/output \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    quay.io/centos-bootc/bootc-image-builder:latest \
    --type qcow2 \
    --use-librepo=True \
     quay.io/almalinuxorg/almalinux-bootc:9.4

Deployment

sudo dnf install -y podman bootc

bootc¹¹ - Applies a container image as an update on an already running Linux system

Designed to be operating system and distribution-agnostic
A/B deployment of container images …state sharing on single file-system
Transactional, in-place OS updates using container images
- Built on the principle of an immutable operating system
- Ensuring predictable updates and rollbacks
bootc used to pull, deploy, and manage OS images
- Writes to existing file-system replacing /usr and /boot
- Persistent state in /etc and /var
- A bootloader allows to rollback to a previous deployment
Notable sub-command…
- upgrade - download, stage updated container
- rollback - staged updates discarded …back to previous state
- switch - change to different reference container
- install - to-disk or to-filesystem

Start with a stock Linux system, overwrite with a bootable container image:

podman run --rm --privileged --pid=host --security-opt  label=type:unconfined_t \
           -v /dev:/dev -v /var/lib/containers:/var/lib/containers -v .:/output \
           quay.io/almalinuxorg/almalinux-bootc:9.4 \
           bootc install to-disk --wipe /dev/vda

Anaconda ostreecontainer¹² to install from an OS container

systemctl soft-reboot - Apply image changes without reboot (careful with kernel updates!)

Footnotes

Bootable container images
https://containers.github.io/bootable/↩︎
Fedora Bootc Images
https://docs.fedoraproject.org/en-US/bootc/base-images/
https://gitlab.com/fedora/bootc/base-images:↩︎
CentOS Bootc Images
https://centos.github.io/centos-bootc
https://gitlab.com/redhat/centos-stream/containers/bootc ↩︎
RockyLinux Bootc Images
https://github.com/hugo-cuenca/rockylinux-base-experimental ↩︎
AlmaLinux Bootc Images
https://github.com/AlmaLinux/bootc-images ↩︎
Bootcrew Bootc Images
https://github.com/bootcrew ↩︎
Universal Blue
https://universal-blue.org ↩︎
OSTree Project , GitHub
https://ostreedev.github.io/ostree/↩︎
rpm-ostree from CoreOS, GitHub
https://coreos.github.io/rpm-ostree/↩︎
bootc-image-builder, GitHub
https://github.com/osbuild/bootc-image-builder ↩︎
bootc Project, Github
https://bootc-dev.github.io
https://github.com/bootc-dev/bootc
https://www.cncf.io/projects/bootc ↩︎
Anaconda Documentation
https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#ostreecontainer ↩︎

--- title: Bootable Linux Containers categories: - Container date: 2025/12/06 date-modified: 2025/12/06 --- # Overview Why use an bootbale container-based operating system?[^LP3eD] * Manage image-based Linux systems at scale * Prevent all configuration drift on the infrastructure * Emphasis on day-2 operation, CI/CD + orchestrated update * Unify development & operations tooling around containers * Seamless upgrades with robust rollback * Ensure signed & verifiable state [^LP3eD]: Bootable container images <https://containers.github.io/bootable/> # Images Bootable container images have following properties: - Includes Linux kernel, firmware, and bootloader - Includes Systemd as PID 0 init-system - Build with a `Containerfile` ...integrates with container CI/CD - Packaged as a sing-able versioned OCI container image A variation of pre-build bootable containers is available[^LP2sQ]˒[^D76gH]˒[^TY8DF]˒[^op4RF]˒[^tY5D3]˒[^LOp43] [^LP2sQ]: Fedora Bootc Images <https://docs.fedoraproject.org/en-US/bootc/base-images/> <https://gitlab.com/fedora/bootc/base-images>: [^D76gH]: CentOS Bootc Images <https://centos.github.io/centos-bootc> <https://gitlab.com/redhat/centos-stream/containers/bootc> [^TY8DF]: RockyLinux Bootc Images <https://github.com/hugo-cuenca/rockylinux-base-experimental> [^op4RF]: AlmaLinux Bootc Images <https://github.com/AlmaLinux/bootc-images> [^tY5D3]: Bootcrew Bootc Images <https://github.com/bootcrew> [^LOp43]: Universal Blue <https://universal-blue.org> ## Build [`bootc-base-imagectl`](https://gitlab.com/fedora/bootc/base-images/-/blob/main/bootc-base-imagectl) (from Fedora) builds base images from configuration files * Notable sub-commands: - `build-rootfs` - Generate container rootfs - `rechunk` - Create a new container with split, reproducible layers * Leverages multi-stage builds in the `Containerfile` (with Podman) 1. Pull a base image for the build environment 2. Install tooling (includes the `bootc-base-imagectl` script) and configuration, run the build 3. Copy the built rootfs into a new image * Builds a single layer image by default ...use `rechunk` to split into chunked layers * The rootfs is build with `ostree`[^Hg54E] and `rpm-ostree`[^oi3EW] [^Hg54E]: OSTree Project , GitHub <https://ostreedev.github.io/ostree/> [^oi3EW]: `rpm-ostree` from CoreOS, GitHub <https://coreos.github.io/rpm-ostree/> ## Conversion `bootc-image-builder`[^DF34a] converting bootc container images [^DF34a]: `bootc-image-builder`, GitHub <https://github.com/osbuild/bootc-image-builder> Build a `qcow2` image for bootable container ```bash podman pull ghcr.io/osbuild/bootc-image-builder:latest podman pull quay.io/almalinuxorg/almalinux-bootc:9.4 # configuration mkdir output cat > config.toml <<EOF [[customizations.user]] name = "alice" password = "bob" key = "ssh-rsa AAA ... user@email.com" groups = ["wheel"] EOF # build VM image podman run --rm -it --privileged --pull=newer \ --security-opt label=type:unconfined_t \ -v ./config.toml:/config.toml:ro \ -v ./output:/output \ -v /var/lib/containers/storage:/var/lib/containers/storage \ quay.io/centos-bootc/bootc-image-builder:latest \ --type qcow2 \ --use-librepo=True \ quay.io/almalinuxorg/almalinux-bootc:9.4 ``` # Deployment ```bash sudo dnf install -y podman bootc ``` `bootc`[^KL87D] - Applies a container image as an update on an already running Linux system [^KL87D]: bootc Project, Github <https://bootc-dev.github.io> <https://github.com/bootc-dev/bootc> <https://www.cncf.io/projects/bootc> * Designed to be operating system and distribution-agnostic * A/B deployment of container images ...state sharing on single file-system * Transactional, in-place OS updates using container images - Built on the principle of an immutable operating system - Ensuring predictable updates and rollbacks * `bootc` used to pull, deploy, and manage OS images - Writes to existing file-system replacing `/usr` and `/boot` - Persistent state in `/etc` and `/var` - A bootloader allows to rollback to a previous deployment * Notable sub-command... - `upgrade` - download, stage updated container - `rollback` - staged updates discarded ...back to previous state - `switch` - change to different reference container - `install` - to-disk or to-filesystem Start with a stock Linux system, overwrite with a bootable container image: ```bash podman run --rm --privileged --pid=host --security-opt label=type:unconfined_t \ -v /dev:/dev -v /var/lib/containers:/var/lib/containers -v .:/output \ quay.io/almalinuxorg/almalinux-bootc:9.4 \ bootc install to-disk --wipe /dev/vda ``` Anaconda `ostreecontainer`[^GH4d2] to install from an OS container [^GH4d2]: Anaconda Documentation <https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#ostreecontainer> `systemctl soft-reboot` - Apply image changes without reboot (careful with kernel updates!)