Image based Linux OSes have become increasingly popular. From GnomeOS to Bazzite there are a lot of ways to build and maintain your images. This workshop will walk you through how to improve a standard transactional deployment to be hardened, sealed, and verifiable including hardware-rooted attesation by utilizing Unified Kernel Images (UKI), bootc, and composefs.
We will walk through the entire lifecycle of an OCI-native operating system:
- Defining the image: Customizing a container image tailored for your needs.
- Leveraging Composefs: Understanding how bootc ingests OCI containers and materializes them into a secure, verifiable, read-only filesystem.
- Sealing the OS: Bundling your configuration into a Unified Kernel Image (UKI) to establish strict lifecycle and update guarantees rooted in hardware security.
- Booting and Verification: Deploying your newly minted image and validating its tamper-resistance and deployment integrity.
By the end of this lab, you will walk away with a fully functional, self-generated sealed image template and the practical confidence to implement container-like immutability across your infrastructure.
Prerequisites for Attendees:
- Familiarity with Podman and basic Linux command-line navigation.
- A Linux machine capable of running a virtual machine (KVM/QEMU, qemu-img, virtiofsd, openssh-clients)
Sean is a Software Engineer with 15 years of experience who has a passion for Virtualization in all its forms. When Sean is not working he is a host on the Hybrid Cloud Show, working on his homelab, or scuba diving. Ask him about why you absolutely need a homelab!