Getting Started with Fedora Hummingbird: A Step-by-Step Guide to the Super Hardened Rolling Release
Introduction
If you follow Linux security news, you've likely noticed a surge in vulnerabilities — and a corresponding push for more resilient operating systems. Fedora Hummingbird is Red Hat's latest answer to this challenge, delivering a rolling-release distribution that ships as a complete OCI image. Built on the security-first pipeline of Project Hummingbird, it offers a minimal, hardened, distroless environment with near-zero CVEs. This guide will walk you through downloading, deploying, and exploring Fedora Hummingbird in a virtual machine, so you can experience its atomic updates, read-only root filesystem, and per-package vulnerability tracking firsthand.
What You Need
- A computer with an x86_64 or aarch64 processor
- At least 4 GB of RAM (8 GB recommended for the VM)
- Virtualization software (e.g., VirtualBox, QEMU/KVM, or VMware) — the official download page provides step-by-step instructions for spinning up a VM
- Basic familiarity with the Linux command line
- An internet connection to download the OCI image and updates
- Optional: A GitLab account if you plan to contribute to the source code
Step-by-Step Guide
Step 1: Understand Fedora Hummingbird's Unique Architecture
Before diving into installation, take a moment to grasp what makes this distro special. Fedora Hummingbird is not your typical desktop Linux. It's a rolling release that tracks Fedora Rawhide directly, drawing over 95% of its packages from Rawhide and pulling the rest from upstream. Every package has its own CVE tracking feed maintained by Red Hat's Product Security team, giving you a clear picture of which vulnerabilities actually affect your system. The kernel is the Always Ready Kernel (ARK) from the CKI project, which follows mainline Linux. Updates are atomic with rollback support, the root filesystem is read-only, and writable state is confined to /var and /etc. Unlike Fedora's Atomic Desktops (Silverblue, Kinoite), Hummingbird ships no desktop environment — it's aimed at developers and cloud-native workloads.
Step 2: Verify Your Hardware and Virtualization Setup
Fedora Hummingbird currently supports x86_64 and aarch64 architectures. To run it, you'll need a hypervisor that can boot from an OCI image. The recommended approach is to use a virtual machine. Ensure your system supports hardware virtualization (VT-x/AMD-V) and that it's enabled in your BIOS/UEFI. Install your preferred virtualization software — VirtualBox is a good free option, while QEMU/KVM offers better performance on Linux hosts.
Step 3: Download the Fedora Hummingbird OCI Image
Visit the official Fedora Hummingbird download page. Important: This image is currently experimental and not suitable for production use. No subscription or registration is required. You'll find images for both x86_64 and aarch64 platforms. Download the appropriate image file for your architecture. The file will be a compressed OCI image (e.g., .oci.gz). Keep track of where you save it.
Step 4: Set Up a Virtual Machine
Follow your VM software's instructions to create a new virtual machine. Here's a general outline:
- Create a new VM: Give it a name like 'Fedora-Hummingbird'.
- Assign resources: Allocate at least 2 CPU cores and 4 GB of RAM (8 GB recommended).
- Attach the OCI image: Most hypervisors don't directly support OCI images as bootable disks. You may need to convert the image to a format your hypervisor understands (e.g., VMDK for VirtualBox, QCOW2 for QEMU). Use tools like
qemu-imgoroci-to-vmscripts. The download page provides detailed instructions for this step. - Configure networking: Use NAT or bridged networking, depending on your needs.
- Boot the VM: Start the virtual machine. You should see the Fedora Hummingbird boot process.
Step 5: Log In and Explore the System
After boot, log in with the default credentials (check the download page for specifics, as they may vary). You'll be greeted by a minimal command-line environment — no graphical desktop. Explore the read-only filesystem: try creating a file in / — it will fail. Writable directories are /var and /etc. Verify the kernel version: uname -r should show an ARK kernel.
Step 6: Test Atomic Updates and Rollbacks
One of Hummingbird's key features is atomic updates. The build pipeline continuously rebuilds and pushes updated images when vulnerabilities are patched upstream. To update your running system, use the update command (likely rpm-ostree or a custom tool — refer to the documentation). Perform an update, then reboot. If something goes wrong, you can roll back to the previous deployment using the rollback command. This ensures your system stays secure without manual intervention.
Step 7: Check Vulnerability Status
Run the vulnerability feed for a specific package to see its CVE status. For example, you could query the status of the kernel package. This per-package tracking is more granular than generic CVE lists, helping you focus on real threats.
Step 8: (Optional) Contribute to the Project
Fedora Hummingbird's source code is hosted on GitLab and open for contributions. If you find a bug or have an improvement, you can fork the repository, make changes, and submit a merge request. See the project's contributing guidelines for details.
Conclusion and Tips
- Consider your use case: Fedora Hummingbird is designed for developers and cloud-native workloads, not daily desktop use. If you need a GUI, consider Fedora Atomic Desktops instead.
- Stay informed: Since this is experimental, expect frequent breaking changes. Join the Fedora development mailing list or community chat to stay updated.
- Back up important data: Even though updates are atomic and rollbacks are supported, always keep backups of your configuration in
/etcand data in/var. - Monitor the CVE feed: Take advantage of the per-package vulnerability feed to proactively patch only what matters to your setup.
- Explore automation: Because Hummingbird ships as an OCI image, you can easily incorporate it into containerized workflows or CI/CD pipelines.