Fedora Hummingbird: A Practical Guide to Distroless, Rolling OS Deployment


Overview

Fedora Hummingbird is a container-native, rolling-release Fedora distribution built to minimize attack surface and time-to-patch. It extends the principles of Project Hummingbird (distroless images, hermetic builds, and continuous CVE triage) from individual application containers to the host OS itself. Whether you run containers in virtual machines or on bare metal, or deploy microservices that need a minimal attack surface, Fedora Hummingbird gives you a continuously patched, immutable foundation.

Source: fedoramagazine.org

Why does this matter? With a traditional distribution you inherit every package's vulnerabilities and own the patch cycle. Hummingbird images are published with zero known CVEs (the live catalog shows the current count per image), and the pipeline keeps them there by rebuilding as soon as upstream fixes land. "Zero known CVEs" is a statement about the vulnerability databases at scan time, not a guarantee that the code is bug-free, so the layers you add and your runtime configuration still need review. With over 49 distroless images covering languages such as Python, Go, Node.js, Rust, Ruby, Java and .NET, and services such as PostgreSQL and nginx, Fedora Hummingbird moves most base-image patching work upstream of your podman pull.

This guide walks through everything you need: from prerequisites to step-by-step deployment, common pitfalls, and a clear summary of the benefits. By the end, you'll understand how to leverage Fedora Hummingbird for both container workloads and as a full host OS.

Prerequisites

Before diving in, ensure your environment meets these requirements:

  • A Linux host (Fedora 40+ recommended) or any system with Podman/Docker installed. Windows/macOS users can use WSL2 or a VM.
  • Podman or Docker – for pulling and running container images.
  • Git – to clone configuration files if you plan to customize builds.
  • Internet connectivity – images are hosted on the Hummingbird container registry.
  • Optional: virt-manager or qemu for testing the full OS image as a VM.

If you're new to container concepts, review the basics of images, registries, and volume mounts before proceeding.

Step-by-Step Instructions

1. Pulling and Running a Hummingbird Container Image

The simplest way to experience Fedora Hummingbird is by running a distroless application image. Start with a popular language runtime, such as Python:

podman pull ghcr.io/hummingbird-project/python:latest

Verify the image's CVE status by checking the live catalog or by scanning locally with Grype. Refresh the local vulnerability database first, since a stale database can hide recent findings:

grype db update
grype ghcr.io/hummingbird-project/python:latest

The scan should report 0 known vulnerabilities, which is the project's promise. Note that "0" means no matches against the scanner's current database; a scanner using a different feed, or an older database, can disagree, and a clean base does nothing for flaws in the code you add on top. To run a simple Python script inside the container, mount your code:

cat > hello.py << 'EOF'
print("Hello from Fedora Hummingbird!")
EOF
podman run --rm -v "$(pwd):/app:Z" ghcr.io/hummingbird-project/python:latest python /app/hello.py

The image has no shell or package manager, only the Python interpreter and the libraries it needs, which is also why podman exec -it ... sh fails against it. The :Z suffix on the volume tells Podman to relabel the directory for SELinux, which is what makes the bind mount readable inside the container on a Fedora host.

2. Booting the Full Host OS

Fedora Hummingbird isn't just for containers; it can serve as a complete operating system. The host base image is published as a bootable container image, so you install it with bootc (bootable containers). bootc install runs from inside the image itself: start the container with Podman, give it access to the host's block devices and container storage, and pass the target disk as the argument. The target disk is wiped, so double-check the device name before running this:

podman pull ghcr.io/hummingbird-project/fedora-hummingbird:latest
podman run --rm --privileged --pid=host \
  -v /var/lib/containers:/var/lib/containers \
  -v /dev:/dev \
  --security-opt label=type:unconfined_t \
  ghcr.io/hummingbird-project/fedora-hummingbird:latest \
  bootc install to-disk /dev/sda

For testing in a VM you need a disk image. The steps above do not produce one; bootc-image-builder (quay.io/centos-bootc/bootc-image-builder) can turn a bootc container image into a qcow2. Given a hummingbird.qcow2, boot it with qemu (KVM acceleration makes the VM usable):

qemu-system-x86_64 -m 2G -accel kvm -cpu host -drive file=hummingbird.qcow2,format=qcow2

Once booted, /usr is read-only and managed by bootc, while /etc and /var stay writable for configuration and state. Host updates arrive as a new container image rather than as packages: bootc upgrade fetches and stages the new image, and the next reboot (or bootc upgrade --apply) switches to it. bootc status shows the booted and staged images, and bootc rollback returns to the previous deployment if the new image misbehaves.

3. Checking the Live CVE Catalog

All Hummingbird images have a public CVE catalog that is updated continuously. Visit https://hummingbird-project.github.io/catalog to see per-image vulnerability counts. You can filter by variant (FIPS, multi-arch, etc.) and subscribe to alerts via RSS. The catalog tells you the state of an image before you deploy it; it does not block a deployment by itself, so treat it as an input to the scan gate in your own pipeline rather than a substitute for one.


4. Customizing a Distroless Image

To add your application to a Hummingbird base, write a Containerfile (Podman also accepts the name Dockerfile) that copies your compiled binary into the image. There is no package manager in the base, so everything the program needs at runtime must already be in the base or in what you copy. For example, a Go binary built statically (CGO_ENABLED=0 go build -o myapp .) so it depends on nothing in the image but the kernel:

FROM ghcr.io/hummingbird-project/go:latest
COPY ./myapp /app
ENTRYPOINT ["/app"]

Build and scan, failing the build on anything at or above the severity you care about:

podman build -t myapp .
grype myapp --fail-on high

The base image's packages are already covered by the Hummingbird pipeline; your layer adds only your binary and its dependencies. Those dependencies are still your responsibility: a Go binary embeds its module list, which grype reads, so a vulnerable module shows up in this scan even though the base is clean.
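
When the pass/fail decision needs more than a severity threshold (an allowlist for accepted findings, or "only fail on what has a fix", which is what grype's own --fail-on and --only-fixed flags do one at a time), it is easier to run grype with -o json and apply the policy in a small script. The following is an added example for this guide, not Fedora Hummingbird or grype code. It assumes grype's JSON layout (matches[].vulnerability.id, .severity and .fix.state, plus matches[].artifact.name and .version); the embedded report is constructed, and its CVE identifiers are placeholders rather than real advisories.

```python
"""Policy gate for a grype JSON report (grype IMAGE -o json > report.json).

Added example for this guide; not Fedora Hummingbird or grype code. Field
names follow grype's JSON output. The sample report is constructed and its
identifiers are placeholders, not real advisories.
"""
import json
import sys

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: what a scan of a custom layer on a clean base might show.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "example-lib", "version": "1.2.3", "type": "go-module"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "example-util", "version": "0.9.0", "type": "go-module"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "example-core", "version": "2.0.0", "type": "go-module"}},
    ]
})


def evaluate(report_text, fail_on="high", only_fixed=True, ignore=()):
    """Return (failed, blocking, advisory) for a grype JSON report.

    blocking: findings at or above `fail_on` that must stop the build.
    advisory: everything else (below threshold, unfixed when only_fixed is
    set, or explicitly ignored). Unknown severities rank below negligible
    but are still listed so they are never silently dropped.
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking, advisory = [], []
    for match in json.loads(report_text).get("matches", []):
        vuln = match["vulnerability"]
        art = match.get("artifact", {})
        fix = vuln.get("fix") or {}
        finding = {
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "package": f"{art.get('name', '?')}@{art.get('version', '?')}",
            "fixed_in": fix.get("versions") or [],
        }
        rank = SEVERITY_RANK.get(finding["severity"].lower(), -1)
        has_fix = fix.get("state") == "fixed"
        if finding["id"] in ignore or rank < threshold or (only_fixed and not has_fix):
            advisory.append(finding)
        else:
            blocking.append(finding)
    return bool(blocking), blocking, advisory


def main(argv):
    # Usage: python gate.py report.json [fail_on]; with no file the sample runs.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    fail_on = argv[2] if len(argv) > 2 else "high"
    failed, blocking, advisory = evaluate(text, fail_on=fail_on)
    for f in blocking:
        print(f"BLOCK {f['id']} {f['severity']} {f['package']} fix: {f['fixed_in']}")
    for f in advisory:
        print(f"WARN  {f['id']} {f['severity']} {f['package']}")
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the defaults the constructed report fails the build on the fixed High finding only; the unfixed Critical is reported but not blocking, because there is nothing to upgrade to yet. Pass only_fixed=False (or a lower fail_on) when you would rather stop the release and decide by hand. Keep the ignore list in version control with a reason and an expiry next to each entry, otherwise it quietly becomes a permanent exception.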

5. Enrolling in Rolling Updates

Fedora Hummingbird tracks Rawhide, so updates arrive quickly. For containers, re-pulling a tag only refreshes the local image; running containers keep the old one until they are recreated. Either re-pull on a schedule (cron or a GitHub Actions workflow) and redeploy, or, for containers managed by systemd units, label them io.containers.autoupdate=registry and let podman auto-update pull the new image and restart them:

podman pull ghcr.io/hummingbird-project/python:latest

For the host OS, bootc upgrade checks the registry for a newer image and stages it; bootc ships a bootc-fetch-apply-updates.timer unit that does this on a schedule, and a reboot (or bootc upgrade --apply) activates the staged image. The pipeline's incremental updater (chunkah) ensures only changed layers are downloaded, saving bandwidth.

Common Mistakes

  • Expecting a package manager or shell – Hummingbird images are intentionally stripped of bash, dnf, apt and the like, so podman exec into them fails and there is nothing to install tools with. Debug from a separate container that joins the target's namespaces (for example podman run --pid=container:NAME with a full-featured image), or inspect the filesystem from the host with podman cp or podman mount.
  • Treating the host OS like traditional Fedora – /usr is immutable; dnf install has nowhere to write. Changes happen by rebuilding the host image (a Containerfile layered on the base) and upgrading to it with bootc.
  • Ignoring architecture variants – The registry tags include amd64 and arm64 suffixes. Pull the one for your hardware, e.g. python:arm64. Where an image is published as a multi-arch manifest list instead, Podman selects the host architecture automatically, and podman pull --arch arm64 overrides that choice.
  • Skipping CVE verification – A clean base says nothing about the layers you add. Always scan the final image, and scan it again on a schedule, because new advisories can match an image that was clean when you built it.
  • Using latest in production without pinning – For reproducibility, pin to a digest (image@sha256:...) or at least a dated version tag (e.g. python:2026-05-01). podman image inspect --format '{{.Digest}}' IMAGE prints the digest of a pulled image. A pinned reference also guarantees that the image you scanned is the image you deploy, which a floating tag cannot.
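
Pinning and the scheduled re-pull from step 5 are two halves of one loop: record the digest behind each tag, build from that digest, and later ask the registry whether the tag has moved. The helpers below are an added example for this guide, not Fedora Hummingbird project code. They rewrite FROM lines in a Containerfile to digest-pinned references and report which tags changed between the recorded snapshot and a fresh inspect. Digest strings are expected in the form printed by podman image inspect --format '{{.Digest}}' REF or skopeo inspect --format '{{.Digest}}' docker://REF; the Containerfile and digest values in the block are constructed sample data.

```python
"""Digest pinning and update detection for container image references.

Added example for this guide; not Fedora Hummingbird project code. Digests
are expected as printed by `podman image inspect --format '{{.Digest}}'`.
The Containerfile and digest values below are constructed sample data.
"""
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# FROM [--platform=... flags] <ref> [AS <stage>]
FROM_RE = re.compile(
    r"^(?P<kw>FROM)(?P<flags>(?:\s+--\S+)*)\s+(?P<ref>\S+)(?P<rest>(?:\s+AS\s+\S+)?)\s*$",
    re.IGNORECASE,
)

# Constructed sample: a two-stage build whose stages start from the same tag.
SAMPLE_CONTAINERFILE = """FROM ghcr.io/hummingbird-project/go:latest AS build
COPY . /src
FROM ghcr.io/hummingbird-project/go:latest
COPY --from=build /src/myapp /app
ENTRYPOINT ["/app"]
"""
# Constructed placeholder digest, not the digest of any real image.
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DIGESTS = {"ghcr.io/hummingbird-project/go:latest": SAMPLE_DIGEST}


def parse_ref(ref):
    """Split 'registry/repo[:tag][@digest]' into (name, tag, digest).

    The tag separator is the last ':' after the last '/', so a registry port
    such as localhost:5000/app is not mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def is_pinned(ref):
    """True when the reference carries a well-formed sha256 digest."""
    _, _, digest = parse_ref(ref)
    return digest is not None and DIGEST_RE.match(digest) is not None


def pin_containerfile(text, digests):
    """Return `text` with every FROM line pinned to a digest.

    `digests` maps 'name:tag' to 'sha256:...'. Stage references (FROM build),
    scratch, and already-pinned lines are left alone. A FROM whose tag has no
    recorded digest raises KeyError so a pipeline never silently ships an
    unpinned base.
    """
    stages = set()
    out = []
    for line in text.splitlines():
        m = FROM_RE.match(line.strip())
        if not m:
            out.append(line)
            continue
        ref, rest = m.group("ref"), m.group("rest")
        if ref in stages or ref == "scratch" or is_pinned(ref):
            out.append(line)
        else:
            name, tag, _ = parse_ref(ref)
            key = f"{name}:{tag or 'latest'}"
            if key not in digests:
                raise KeyError(f"no digest recorded for {key}")
            if not DIGEST_RE.match(digests[key]):
                raise ValueError(f"malformed digest for {key}: {digests[key]}")
            out.append(f"{m.group('kw')}{m.group('flags')} {key}@{digests[key]}{rest}")
        if rest:
            stages.add(rest.split()[-1])  # remember 'AS <stage>' for later FROMs
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def changed_refs(pinned, current):
    """Tags whose digest differs between the recorded snapshot and a fresh inspect.

    For a scheduled job: an empty list means nothing to rebuild or restart;
    otherwise rebuild from the new digest, rescan, and roll it out.
    """
    return sorted(tag for tag, digest in current.items() if pinned.get(tag) != digest)
```

The snapshot that pin_containerfile consumes is the same dict changed_refs compares against, so committing it alongside the Containerfile gives you a reviewable record of exactly which base image each build used; a digest change then shows up as a diff in the repository rather than as a surprise in a scan.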

Summary

Fedora Hummingbird delivers a distroless, rolling, and continuously hardened OS experience, from application containers to the host. By combining immutable images with automatic rebuilds when upstream fixes land, it takes most base-image CVE management off your plate; what remains is scanning your own layers and keeping deployments on current, pinned digests. This guide covered prerequisites, pulling and running containers, booting the complete OS, checking the live CVE catalog, customizing images, and setting up rolling updates. Avoid the common pitfalls by remembering that distroless means no shell, and always verify final builds. Start by pulling a Python image and scanning it yourself.
