How to Set Up and Explore Fedora Hummingbird: A Secure, Rolling-Release Linux OS
Introduction
Fedora Hummingbird is a groundbreaking Linux distribution from Red Hat that takes a security-first approach to the operating system. Unlike traditional distros, Hummingbird is delivered as an OCI image — the same format used for containers — and is built on the Project Hummingbird pipeline. It targets developers and cloud-native workloads that need a minimal, hardened system with near-zero CVEs. This guide walks you through understanding, downloading, and running Fedora Hummingbird in a virtual machine.

What You Need
- A computer with an x86_64 (64-bit Intel/AMD) or aarch64 (ARM64) processor
- Virtualization software such as QEMU/KVM, VirtualBox, or VMware (the official instructions focus on QEMU)
- At least 4 GB of RAM (8 GB recommended) and 20 GB of free disk space for the VM
- Basic familiarity with the Linux command line and virtual machine management
- An internet connection to download the OCI image and updates
- No Red Hat subscription is required — the image is free and open-source
Step-by-Step Guide
Step 1: Understand the Key Differences from Fedora Atomic
Before downloading, it's crucial to know what makes Hummingbird unique. Fedora's existing Atomic Desktops (Silverblue, Kinoite) are rpm-ostree-based, released on a six-month cycle, and come with a desktop environment. Hummingbird, in contrast:
- Is a rolling release that tracks Fedora Rawhide directly
- Is shipped as an OCI image: the entire OS is a container image
- Has no desktop environment; it is a command-line-only system
- Uses a Konflux-based build pipeline that pulls over 95% of packages from Rawhide and the rest from upstream
- Tracks CVEs independently for each package, with a vulnerability feed maintained by Red Hat Product Security
- Runs the Always Ready Kernel (ARK) from the CKI project
- Applies updates atomically with rollback support; the root filesystem is read-only, and writable state is confined to /var and /etc
This combination minimizes attack surface and ensures rapid patching — ideal for servers and container hosts.
Step 2: Download the Fedora Hummingbird Image
Visit the official Fedora Hummingbird download page (linked from the Fedora Project site). You'll find images for both x86_64 and aarch64. The file is an OCI image, typically distributed as a tarball or a compressed archive. No subscription or registration is needed.
Note: This is an experimental image. Do not use it in production environments.
After downloading, verify the checksum (provided on the download page) to ensure integrity. For example:
sha256sum fedora-hummingbird-latest-x86_64.tar.xz
Step 3: Set Up a Virtual Machine
The easiest way to run Fedora Hummingbird is in a virtual machine. Follow these steps using QEMU (other hypervisors work similarly):
- Install QEMU and related tools:
  sudo dnf install qemu-kvm libvirt virt-install
  (on Fedora) or the equivalent for your host OS.
- Create a disk image for the VM:
  qemu-img create -f qcow2 hummingbird-disk.qcow2 20G
- Start the VM with the downloaded OCI image as the boot source. The exact command depends on the image format, but typically you'll use virt-install with the --disk and --cdrom parameters pointing to the downloaded file. Consult the project's step-by-step instructions on the download page for precise details.
- Boot the VM and connect via SSH or console. The default login credentials (if any) are documented on the download page; often you'll set them during the first boot.
Step 4: Verify the Environment and Update
Once logged in, confirm that the system is immutable:
- Check that / is mounted read-only:
  mount | grep 'on / '
  should show ro among the mount options.
- List the writable directories:
  ls -ld /var /etc
  (they should be writable).
- Check the kernel version:
  uname -r
  Expect an ARK kernel.
Update the system atomically:
rpm-ostree update
This triggers the Konflux pipeline to pull the latest image. Since Hummingbird is a rolling release, updates arrive frequently. Each update is atomic: if it fails, the system automatically rolls back to the previous state.
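As an added example (not from the Fedora Hummingbird documentation), the POSIX shell script below turns the Step 4 checks into pass/fail results. The mount-output parsing reads from stdin so it can be validated against a constructed sample first; run the script with --live inside the VM to audit the real system. The kernel check is only a printout, since this page does not show what an ARK version string looks like.

```shell
#!/bin/sh
# Added example, not part of the Fedora Hummingbird documentation: a small
# post-boot audit that turns the Step 4 checks into pass/fail results.
# The parsing functions read mount(8) output from stdin so they can be tried
# against a constructed sample before being run on the live VM.

# mount_opts_for MOUNTPOINT: print the comma-separated options of that mount
# point, e.g. "ro,relatime,seclabel", or nothing if it is not mounted.
mount_opts_for() {
    awk -v mp="$1" '$2 == "on" && $3 == mp {
        opts = $6; sub(/^\(/, "", opts); sub(/\)$/, "", opts); print opts; exit
    }'
}

# has_opt OPTS OPT: succeed when the comma-separated OPTS contain OPT exactly
# (so "ro" does not match "errors=remount-ro").
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# check_root_ro: succeed when / is mounted read-only in the mount output on stdin.
check_root_ro() {
    opts=$(mount_opts_for /)
    [ -n "$opts" ] && has_opt "$opts" ro
}

# writable_dirs DIR...: print the directories the current user can write to.
# access(2) reports a read-only mount as not writable, so / only shows up
# in the output if it has been remounted rw.
writable_dirs() {
    for d in "$@"; do
        [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Constructed sample of what `mount` shows on a correctly configured system.
SAMPLE_MOUNT='/dev/vda3 on / type xfs (ro,relatime,seclabel)
/dev/vda3 on /var type xfs (rw,relatime,seclabel)
/dev/vda3 on /etc type xfs (rw,relatime,seclabel)'

# audit_live: run the checks against the running system (invoke with --live).
audit_live() {
    if mount | check_root_ro; then echo "PASS: / is read-only"; else echo "FAIL: / is writable"; fi
    echo "writable: $(writable_dirs / /usr /var /etc | tr '\n' ' ')"
    echo "kernel: $(uname -r)"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```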
Step 5: Monitor Vulnerability Status
Leverage the per-package CVE feed. Red Hat Product Security maintains a feed for each package in Hummingbird. You can query it via a tool or API (details on the project's GitLab). For a generic list, use:
dnf updateinfo list cves
However, the dedicated feed provides a clearer picture of what actually affects your specific setup, filtering out irrelevant vulnerabilities.
Step 6: Contribute and Explore
The source code for Fedora Hummingbird lives on GitLab and is open for contributions. If you find bugs or want to help harden packages, check the repository. The project also welcomes feedback on the pipeline and documentation.
Tips for Success
- Start in a VM — Because it's experimental, always run Hummingbird in a virtual machine first. This protects your host system from potential instability.
- Understand atomic updates — Unlike traditional distros, you cannot directly modify files in /. Use rpm-ostree commands or overlay configurations in /etc.
- Monitor the vulnerability feed — The per-package CVE tracking is a powerful feature. Set up automated alerts to stay on top of patches.
- Explore container workflows — Since Hummingbird ships as an OCI image, you can use it as a base for your own container images. This aligns with its cloud-native focus.
- Contribute enhancements — If you find a missing package or a bug, submit a merge request on GitLab. The project is still young and community help is valuable.
- Watch for production readiness — Keep an eye on Fedora announcements for when Hummingbird graduates from experimental status. Until then, avoid deploying it on critical systems.