Fedora Silverblue is becoming more and more popular inside and outside the Fedora world. So based on feedback from the community, here are answers to some interesting questions about the project. If you do have any other Silverblue related questions, please leave them in the comments section and we will try to answer them in a future article.
What is Silverblue?
Silverblue is a codename for the new generation of the desktop operating system, previously known as Atomic Workstation. The operating system is delivered in images that are created by utilizing the rpm-ostree project. The main benefits of the system are speed, security, atomic updates and immutability.
What does “Silverblue” actually mean?
“Team Silverblue” or “Silverblue” in short doesn’t have any hidden meaning. It was chosen after roughly two months when the project, previously known as Atomic Workstation, was rebranded. There were over 150 words or word combinations reviewed in the process. In the end Silverblue was chosen because it had an available domain as well as the social network accounts. One could think of it as a new take on Fedora’s blue branding, and could be used in phrases like “Go, Team Silverblue!” or “Want to join the team and improve Silverblue?”.
What is ostree?
OSTree or libostree is a project that combines a “git-like” model for committing and downloading bootable filesystem trees, together with a layer to deploy them and manage the bootloader configuration. OSTree is used by rpm-ostree, a hybrid package/image based system that Silverblue uses. It atomically replicates a base OS and allows the user to “layer” the traditional RPM on top of the base OS if needed.
Why use Silverblue?
Because it allows you to concentrate on your work and not on the operating system you’re running. It’s more robust as the updates of the system are atomic. The only thing you need to do is to restart into the new image. Also, if there’s anything wrong with the currently booted image, you can easily reboot/rollback to the previous working one, if available. If it isn’t, you can download and boot any other image that was generated in the past, using the ostree command.
Another advantage is the possibility of an easy switch between branches (or, in an old context, Fedora releases). You can easily try the Rawhide or updates-testing branch and then return back to the one that contains the current stable release. Also, you should consider Silverblue if you want to try something new and unusual.
What are the benefits of an immutable OS?
Having the root filesystem mounted read-only by default increases resilience against accidental damage as well as some types of malicious attack. The primary tool to upgrade or change the root filesystem is rpm-ostree.
Another benefit is robustness. It’s nearly impossible for a regular user to get the OS into a state where it doesn’t boot or doesn’t work properly after accidentally or unintentionally removing some system library. Try to think about these kinds of experiences from your past, and imagine how Silverblue could help you there.
How does one manage applications and packages in Silverblue?
For graphical user interface applications, Flatpak is recommended, if the application is available as a flatpak. Users can choose between Flatpaks from Fedora, which are built from Fedora packages in Fedora-owned infrastructure, and Flatpaks from Flathub, which currently has a wider offering. Users can install them easily through GNOME Software, which already supports Fedora Silverblue.
One of the first things users find out is that there is no dnf preinstalled in the OS. The main reason is that it wouldn’t work on Silverblue, and part of its functionality was replaced by the rpm-ostree command. Users can overlay traditional packages by using the rpm-ostree install PACKAGE command. But it should only be used when there is no other way. This is because when new system images are pulled from the repository, the system image must be rebuilt every time it is altered to accommodate the layered packages, or packages that were removed from the base OS or replaced with a different version.
Fedora Silverblue comes with the default set of GUI applications that are part of the base OS. The team is working on porting them to Flatpaks so they can be distributed that way. As a benefit, the base OS will become smaller and easier to maintain and test, and users can modify their default installation more easily. If you want to look at how it’s done or help, take a look at the official documentation.
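Because layered, removed or replaced packages make a host differ from the tested base image, it is useful to see that difference per deployment. The following is an added example, not code from the article or from the rpm-ostree project: it parses the output of rpm-ostree status --json, and the key names it reads (deployments, booted, origin, version, packages, base-removals, base-local-replacements) are assumptions about that output, while the embedded sample data is constructed.

```python
#!/usr/bin/env python3
"""Report how far each rpm-ostree deployment has drifted from its base image."""
import json
import shutil
import subprocess

# Constructed sample in the shape of `rpm-ostree status --json` output.
# Versions and package lists are made up; key names are assumptions.
SAMPLE_STATUS = json.loads("""
{
  "deployments": [
    {"booted": true,
     "origin": "fedora:fedora/30/x86_64/silverblue",
     "version": "30.0-constructed-b",
     "packages": ["tcpdump", "firewall-config"],
     "base-removals": [],
     "base-local-replacements": []},
    {"booted": false,
     "origin": "fedora:fedora/30/x86_64/silverblue",
     "version": "30.0-constructed-a",
     "packages": [],
     "base-removals": [],
     "base-local-replacements": []}
  ]
}
""")

# Deployment keys that record a local change to the base image.
DRIFT_KEYS = {
    "packages": "layered",
    "base-removals": "removed from base",
    "base-local-replacements": "replaced in base",
}


def audit_deployment(dep):
    """Summarise one deployment: which local changes it carries, if any."""
    drift = {}
    for key, label in DRIFT_KEYS.items():
        items = dep.get(key) or []
        if items:
            drift[label] = len(items)
    return {
        "booted": bool(dep.get("booted")),
        "version": dep.get("version", "unknown"),
        "origin": dep.get("origin", "unknown"),
        "layered_packages": sorted(dep.get("packages") or []),
        "drift": drift,
        "pristine": not drift,
    }


def audit(status):
    """Audit every deployment listed in a parsed status document."""
    return [audit_deployment(d) for d in status.get("deployments", [])]


def load_status():
    """Use the live host if rpm-ostree is installed, else the constructed sample."""
    if shutil.which("rpm-ostree"):
        proc = subprocess.run(["rpm-ostree", "status", "--json"],
                              check=True, capture_output=True, text=True)
        return json.loads(proc.stdout)
    return SAMPLE_STATUS


def format_report(results):
    """Render one line per deployment; '*' marks the booted one."""
    lines = []
    for r in results:
        marker = "*" if r["booted"] else " "
        state = "pristine base image" if r["pristine"] else ", ".join(
            f"{n} {label}" for label, n in r["drift"].items())
        lines.append(f"{marker} {r['version']} ({r['origin']}): {state}")
        for pkg in r["layered_packages"]:
            lines.append(f"    layered: {pkg}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(load_status())))
```

A deployment reported as pristine runs exactly the image that was built and tested upstream; any other line lists what has to be re-applied on top of every new image.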
What is Toolbox?
Toolbox is a project to make containers easily consumable for regular users. It does that by using podman’s rootless containers. Toolbox lets you easily and quickly create a container with a regular Fedora installation that you can play with or develop on, separated from your OS.
Is there any Silverblue roadmap?
Formally there isn’t any, as we’re focusing on problems we discover during our testing and from community feedback. We’re currently using Fedora’s Taiga to do our planning.
What’s the release life cycle of the Silverblue?
It’s the same as regular Fedora Workstation. A new release comes every 6 months and is supported for 13 months. The team plans to release updates for the OS bi-weekly (or longer) instead of daily as they currently do. That way the updates can be more thoroughly tested by QA and community volunteers before they are sent to the rest of the users.
What is the future of the immutable OS?
From our point of view the future of the desktop involves the immutable OS. It’s safest for the user, and Android, ChromeOS, and the last macOS Catalina all use this method under the hood. For the Linux desktop there are still problems with some third party software that expects to write to the OS. HP printer drivers are a good example.
Another issue is how parts of the system are distributed and installed. Fonts are a good example. Currently in Fedora they’re distributed in RPM packages. If you want to use them, you have to overlay them and then restart to the newly created image that contains them.
What is the future of standard Workstation?
There is a possibility that the Silverblue will replace the regular Workstation. But there’s still a long way to go for Silverblue to provide the same functionality and user experience as the Workstation. In the meantime both desktop offerings will be delivered at the same time.
How does Atomic Workstation or Fedora CoreOS relate to any of this?
Atomic Workstation was the name of the project before it was renamed to Fedora Silverblue.
Fedora CoreOS is a different, but similar project. It shares some fundamental technologies with Silverblue, such as rpm-ostree, toolbox and others. Nevertheless, CoreOS is a more minimal, container-focused and automatically updating OS.
I’d argue for fonts, a better option would be to just install them to /usr/local/share/fonts or ~/.local/share/fonts, both work on Silverblue and a font manager would be able to do this, even when Flatpaked.
You’re not messing with system packages, and if anything goes wrong you can just wipe /usr/local and not have a broken system.
“a better option would be to just install them to /usr/local/share/fonts”
On Silverblue, this would be /var/usr/local/share/fonts, since the /usr directory is a part of the immutable atomic OS and /var plus /etc are the only two writable areas of the file system.
There’s a symlink at /usr/local still though.
I modify the keyboard layout to add additional key characters. With SB, will I still be able to do that?
I add the yen and euro symbols to my French Canada Layout.
That depends on how you edit your keyboard layouts.
E.g., if you edit files in /usr/share/X11/xkb, you can put your modified ones in /usr/local/share/X11/xkb; it should override. This would also have the benefit of not breaking after updates.
Are there any disadvantages to using package layering on Silverblue vs just containers and flatpaks?
this sounds like great stuff for the Raspberry Pi 4…. also good environment for testing the technology
Good article 😃. Would be nice to add a link to the project main page and the Silverblue docs.
Silverblue is probably great for the typical user, but as a developer/power-user/sysadmin (and just someone who likes to play around a bit with the lower-level workings of the OS), I worry that large chunks of the filesystem being “immutable” is just going to cause me frustration when I try to do the non-standard things that I like to do. I hope Silverblue never replaces Workstation as is suggested in the article.
Also, I’d like to point out that some of the main features of Silverblue can be replicated quite easily by a more powerful filesystem. In particular I am currently using ZFS for my “root” filesystem and it allows me to “rollback” any changes that I make to my filesystem by interrupting the boot processes just before the root filesystem is mounted and running (for example) “zfs rollback firstname.lastname@example.org_64″. ZFS’s rollback feature gives me the same recovery ability that Silverblue does, but without locking me out of vast portions of my filesystem.
What are the non-standard things you’re interested in doing? Can you move to a model where you’re doing them in containers?
Of course, Silverblue will never be perfect for everyone. We can’t make it perfect for anyone in specific if we try to target everyone in general. Even if it becomes our main desktop edition, we’ll have non-ostree spins and releases for as long as people are interested in making them.
It isn’t that I have a specific few non-standard things that I am doing. It is really more that I like to do/try non-standard things. Maybe I’m a bit of an oddball in that regard, but it is one of the things that has always appealed to me about Fedora — its “bleeding edge” nature and my ability to play with the latest and greatest new packages and package features.
I can give you a brief list of some of the non-standard things that I am currently doing just as an example, but supporting these specific things isn’t really the point for me. The point is that I can do this sort of thing and the day that Fedora no longer allows me to do it might be the day that I find another distribution.
Just a few examples of non-standard things from my current setup:
I just upgraded from rotational disks to SSDs and switched to using ZFS for my root filesystem.
I wanted to try out ZFS’s “edonr” checksum algorithm. From the man page:
“Edon-R is a very high-performance hash algorithm that was part of the NIST SHA-3 competition. It provides extremely high hash performance (over 350% faster than SHA-256), but was not selected because of its unsuitability as a general purpose secure hash algorithm. This implementation utilizes the new salted checksumming functionality in ZFS, which means that the checksum is preseeded with a secret 256-bit random key (stored on the pool) before being fed the data block to be checksummed. Thus the produced checksums are unique to a given pool.”
But Grub’s custom zfs driver doesn’t support the newest ZFS features. Also, I wanted to be able to move my hard drives to a newer machine without redoing the partitioning scheme someday, but my current system is BIOS and the new system might be UEFI.
So I did another non-standard thing and set up a non-standard $BOOT partition that is formatted with vfat and has the syslinux bootloader installed with a custom patch (here) that allows it to read the systemd-boot style drop-in files that are automatically placed under the $BOOT/$MACHINE-ID directory if you pre-create it and uninstall all the grub packages (including grubby).
Rather than mirroring the $BOOT partition with mdraid, I decided to create a custom /etc/rc.d/rc.local script with the following clause:
# Mirror the primary boot partition only when both copies are mounted
if mountpoint -q /boot.1 && mountpoint -q /boot.2; then
    rsync -r --delete /boot.1/* /boot.2
fi
Now my $BOOT partition is “backed up” to the secondary drive, but only after successfully booting from the primary. /boot is a symlink to /boot.1 and /boot.1 and /boot.2 are listed individually in /etc/fstab like so:
root / zfs defaults 0 0
/dev/disk/by-partuuid/31af9b2d-c158-4d89-8ed6-fc8379432cf3 /boot.1 vfat defaults,nofail 0 0
/dev/disk/by-partuuid/c363eec2-3acc-46dc-a58c-7e4f8c65fb18 /boot.2 vfat defaults,nofail 0 0
/dev/md/swap swap swap defaults,nofail 0 0
When I upgrade to UEFI I’ll probably make the rsync conditional on the current boot-up being from the primary drive (as can be determined from the efivariables).
I’ve recently started using i3 desktop manager in combination with LXDM. I made some visual customizations to LXDM by tweaking /etc/lxdm/lxdm.conf and adding a background image in /var/lib/lxdm.
I created a custom /etc/kernel/postinst.d/99-snapshot script so that a ZFS restore point will get automatically created every time a new kernel is installed:
# $1 is the kernel version passed to the postinst hook
if [[ -n "$1" ]]; then
    zfs snapshot "root@$1" &> /dev/null
fi
I’ll probably create a corresponding one under /etc/kernel/prerm.d to clean up old snapshots, but I haven’t gotten that far yet.
There are other things as well of varying degrees of complexity, and I suspect a lot of them could be made to work with Silverblue if one wants to put the time and effort into fighting with it, but if I can find another distribution that allows me to play with such things more easily, I am liable to switch to it. To date, however, Fedora has always been great about being the sort of OS that I can experiment with (other than perhaps selinux, but that is easy enough to switch off when necessary). It is exactly that sort of tinkering ability that I like about Fedora (and open source in general) and Silverblue seems like a bit of a move in the wrong direction to me. Though I can see its market appeal to the more general customer.
I think one thing that should be done is messaging where Silverblue isn’t useful or is going to work against power users.
For example anyone doing OS development, like fedora devs, kernel devs, library devs etc are totally going to fail using silverblue. I’d really appreciate if there was some better messaging around the severe limitations using silverblue would have on a typical fedora packaging workflow or any of the lowlevel OS devs.
I agree with this completely. Flatpak and Docker have their own limitations and shortcomings. The article itself says that the value proposition of Silverblue is:
Using Docker for some things, Flatpak for others, and for the rest having to reboot any time you need to modify the underlying OS, seems like a lot more thinking about the OS than just
Why do you say that? I created ostree and rpm-ostree and I use Silverblue as a development platform for them, as well as OpenShift 4. I’ve submitted patches to quite a lot of userspace, and continue to do so.
I talked about this and other things here https://fedorapeople.org/~walters/2018.01-devconf-desktopcontainers/#/
The big challenge is to switch to containerizing your development environment, but once you do, you get a lot of benefits as well.
For example, I use
from my toolbox container, not my host.
I have run into issues trying to access devices. I like the idea of rootless and sandboxing but with IoT I have run into some conceptual headaches that are poorly documented if at all.
I have 6 disks on my home system with several (6) distributions therein.
from the fstab
UUID=7a3c702b-f021-49d1-944a-885480cca5c0 /scratch ext4 defaults,relatime 1 2
/scratch is to the mount point.
On other disks ..
/scratch1 /scratch2 /junk and /backup are soft links (ln -s ) to other partitions of the same name somewhere on one or more of the 6 disks.
When I created the above, I also chmod’d them to
chmod 1000 for /scratch1 /scratch2 /junk and /backup
the fstab has, for example, … defaults,noauto,user for the above links
1) all the /scratch1… /junk are available from any distro. and are intentionally not automounted.
2) when I run a backup rsync synching /scratch to /scratchx my script first does a mount, it runs, rsync and demounts file partition.
When not mounted, the mount points show 1000 for permissions. When one of these is mounted, the partition will show up as 755 permissions for the duration of the rsync.
The chmod 1000 protects my data on that drive.
With silverblue, if I continue, I will have to find a way to accept /scratch
When you rebase, it may fail on not being possible to just rebase, because the package could cause package inconsistency, etc. So you should use toolboxes and flatpaks.
I am running Silverblue on a laptop since the start (like, more than 1 year), and I still go back to my RHEL 7 laptop anytime I do anything more than “browse the web”, because “running things in containers” is fine for some workload, but I bump into limitation every time.
For example, if you want to do anything fancy with network (like, using nmap, tcpdump), it gets more complicated, as I need 2 pet containers depending on whether I need root or not (since root in the container is likely not really root outside). I can’t just switch from one to the others with sudo, unlike all docs written in the last 30 years.
My latest example (like from this weekend) is flashing an ARM board with dfu-util. Despite seeing the board with lsusb, it didn’t work when using the toolbox container. I know why (because root in the matrix does not mean root outside the matrix), but that’s the kind of thing that will surprise people.
That’s not new, during Flock, I told the story of me trying to do some CTF on Silverblue (http://www.hackgnar.com/2018/06/learning-bluetooth-hackery-with-ble-ctf.html) and why this failed because of the sandboxing (since doing anything with bt requires to relax permission from containers, which took me a while to figure, and I am fairly technical).
There is also no good workflow for running any kind of services in containers for now. If I want to do any work against a postgres database (such as “doing web dev”), I either have to do the container myself (so keep it updated, rebuild it locally, run it outside of the system, etc), or layer it. Running it in the toolbox container does not work (and I just tried). And I consider layering to be bad, as hinted in the article.
Adriano Corte Real
Unfortunately in my experience A LOT of flatpaks are outdated by several months.
So then what?
But I don’t want immutable OS base files… I like control. I mean, who doesn’t. So no thanks.
I’m keen to try out Silverblue, but I’m not a fan of GNOME – are there plans to release spins for different desktop environments?
It looks like the community is working on KDE and XFCE variants – https://discussion.fedoraproject.org/t/kinoite-a-kde-and-now-xfce-version-of-fedora-silverblue/147
What are the performance impacts of flatpaks? Aren’t they self-contained largely? Also, does being mostly self-contained mean that their integration with the rest of the system is less than perfect. To what extent can flatpaks share resources? I imagine that some flatpaks might duplicate resources, and thus, require additional memory resources, correct?
I’ve been using Fedora for a few months now, and have installed almost every release except the LXQt spin. Didn’t get to it yet.
Silverblue is a great idea and I’ve enjoyed testing it out. Although there were a few minor issues for me ( eg: I’m still at the I have no idea what I’m doing stage ), I’m sure it will only get better.
There is a slightly different kind of workflow / learning curve from a normal Fedora release, and I found the documentation very helpful to get started from scratch.
The first obstacle I had was figuring out what to do without dnf installed.
Once I learned that Silverblue provides rpm and rpm-ostree to manage packages at the system level, and dnf is available inside the toolbox / container it was easier to get started.
Outside the toolbox you can use rpm to query packages etc, and rpm-ostree for installs :
rpm -qa | sort -fu > rpm-list-installed.txt
rpm -qa | grep httpd
** Please add a silverblue tag for this article
Some other Silverblue posts also have no silverblue tag, which may make them harder to find in future:
Thanks and keep up the great work.
Why can’t I use Fedora Media Writer for Silverblue? Does it mean the Silverblue is quite different and a class apart from the available images/flavors?
You can, but currently it’s a little bit hidden – open the Fedora Workstation product in Media Writer, then click on the “Other variants..” link that will open a popup, where you can choose the Silverblue.
I would like to know if Fedora silver can be used as replacement to :
– Environment Modules —-> https://en.wikipedia.org/wiki/Environment_Modules_(software)
– SCL —-> https://www.softwarecollections.org/en/
I understand how Silverblue can be an advantage for some people and I wish the devs the best of luck with it.
I like to have control over my system and it seems to me that, because of the way SB works, it will not stay out of my way.
As a software developer, I like the os tree. The immutable system, not so much.
If the traditional workspace is replaced by SB, I’ll probably leave Fedora. I really hope it doesn’t happen, or at least that they’re maintained in parallel.
Well, they already said that a traditional Fedora distro will be a community thing. The key phrase here is “Total control” and there is where all popular OSes are forced to go – no exceptions.
You will leave not only Fedora for serious work (probably you’ll keep it for browsing, media and social media consumption), but also Linux. Prepare ahead…
Yazan Al Monshed
Nice Blog, I need more details about Silverblue!
Please replace this paragraph; it’s not accurate. See https://lwn.net/Articles/793674/
Paul W. Frields
@Colin: Done, thanks.
I just switched to fedora Silverblue from the fedora traditional desktop. For I can’t wait, so I installed silverblue across my laptops. I love it!. Thank you guys for working hard behind the scenes.
I put my fonts into /var/usrlocal/share/fonts/myfonts. Remember to create directory for fonts and myfonts as example. Also, note that usrlocal is not the same as usr/local in fedora Silverblue. I installed all apps from terminal without using flathub. I got my printer Brother mfc-j4610dw working.
Fedora Silverblue is more lenient to memory usage and lets you do everything you do in the current standard fedora (in a little different way) without having to shoot yourself in the foot.
The only annoyance I encountered was that the system needs a reboot, to take a snapshot, after apps are installed. Also, Gnome software management wasn’t displaying all apps and was slow when used to install apps. Apart from that no issue.
Fedora Silverblue will be a great OS!
thx for the article, every info about Silverblue is wanted.
In my opinion is SB the best thing I have met, since I’m on Linux 15 years, It’s the OS of the future, that is worth working on.
I’m running SB now on my ThinkPad laptop, it’s really amazing stable, clean, simple to use, toolbox container…
I look forward to further development
The old model allows me to control and personalise my system as I see fit. Silverblue adds complexity that I don’t need nor want. If it replaces the Workstation, I’m moving to Qubes OS.
I understand the advantages it might have for some users, but to me, seems like a solution in search of a problem.
Nonetheless, I appreciate the tech behind it. Seems promising.
I tried SilverBlue out, but couldn’t get the firewall to install. Why isn’t that included in the initial installation files? Just wondering, why it’s not included in the initial installer package? After installing, then I couldn’t get to update my system, so ditched it and returned back to regular Fedora 30 installation. Even though it is supposed to be immutable I felt very exposed by not being able to install Gnome’s GUI app Firewall, and not being able to update my system. Shouldn’t every OS have a firewall ready at hand? I even tried enabling firewalld and it threw up a message notifying me it couldn’t install (sorry forgot the actual message), so I gave up on using SilverBlue : (
“I tried SilverBlue out, but couldn’t get the firewall to install.”
The firewall manager (firewalld) is installed on my Silverblue system, and I thought it was part of the Silverblue core image. Gnome Firewall would eventually get flatpakked I guess, but I’m not informed on that topic. In order to use firewalld, you would need to be root, and on Silverblue that normally means sudo, since your user is usually set up with administration rights.
Interesting and frankly I’m not sure I will ever go SilverBlue. The main reason is easy access to software, the Fedora Workstation distro has a huge repository and outside of that many Linux applications easily build to run under Workstation. I’m not too sure about SilverBlue.
Frankly like with Flatpaks, SilverBlue’s team has failed miserably at getting across any real benefit of the technology. It isn’t just benefits either, it perplexes me that an article like this doesn’t attempt to list out the current state of user software in SilverBlue. If not a list in the article at least a link to a list of user apps that are supported currently under SilverBlue or intend to be. After all the whole point of a distro is to avoid going the DIY route for apps.
Firewall is installed out of the box both in regular and Silverblue Fedora Workstation. To install the GUI firewall, simply open a terminal and insert this command line: (sudo rpm-ostree install firewall-config) for Silverblue and reboot. For regular Fedora Workstation change rpm-ostree to dnf and you are done – happy.
I’m a fedora/centos user since 2005. I have tried many other distros but am not happy with any of them. Fedora is a clean, stable and secure OS that meets my IT needs. Guess what, it’s free!
This is all new to me (Ubuntu / Debian based experience only) but I did try out EndlessOS and saw the disk was recognised as ostree so it’s presumably based on Silverblue or its predecessor.
It worked well on my ancient Core2Duo laptop despite Gnome.
My main gripe was that it was very resistant to dual booting with my regular distro. Is that unavoidable with Silverblue or just a ‘feature’ of EndlessOS (who said dual booting was only possible with Windows)?
For what it’s worth my impression of the base concept and implementation was in all other respects very favourable. Very interesting development.
Trying to understand how this thing really works, here are a few questions:
I’ve tweaked my /etc/ssh/sshd_config by simply editing it with emacs. Would that be any different with SB?
I have made an SELinux module to allow logrotate to rotate a few more files than default, and created the corresponding file in /etc/logrotate.d. Would that be any different with SB?
I’m using gpsbabel (via a wrapper script) to talk to a GPS device through /dev/ttyUSB* files. Would that be any different with SB?
I’m running a slightly tweaked version of sendmail created by adding a few patches to the default SRPM, rebuilding and installing. This would be different with SB I understand, but exactly how would I do this?
Does Silverblue back up and restore configurations? In my experience, configurations are a more important target to restore than packages in some cases.