I recently took up Bazzite from mint and I love it! After using it for a few days I found out it was an immutable distro, after looking into what that is I thought it was a great idea. I love the idea of getting a fresh image for every update, I think for businesses/ less tech savvy people it adds another layer of protection from self harm because you can’t mess with the root without extra steps.
For anyone who isn’t familiar with immutable distros I attached a picture of mutable vs immutable, I don’t want to describe it because I am still learning.
My question is: what does the community think of it?
Do the downsides outweigh the benefits or vice versa?
Could this help Linux reach more mainstream audiences?
Any other input would be appreciated!
I don’t mind flatpaks, but overall I don’t enjoy how software installs on immutable distros if it’s not flatpacked. It’s quite a kludge.
is nixos considered immutable or mutable? kind of has characteristics of both.
nixos and guix are immutable and two of the only immutable distros I like
The store is immutable but the system itself definitely isn’t.
deleted by creator
Packages in nix are in the store directory, each package in a dir named after the package hash. So you can have 15 versions of firefox installed, for instance, and the different versions go in different folders with different hashnames.
When it’s time to set up a user env, their specific version of firefox is (conceptually) symlinked into the users profile. When that user executes firefox it gets one out of the 15 versions. Another user may get a different one.
Anyway, the package store is off limits to users, and a real bad idea to modify for root too.
deleted by creator
That’s not what sandboxed means and Nix isn’t sandboxed.
Sandboxed means it runs in a separate container, often with limited permissions; raising security at the cost of performance.
deleted by creator
I’d argue it’s closer to a mutable distro than an immutable one.
Nixos tends to lean on the term reproducible instead of immutable, because you can have settings (e.g files in /etc & ~/.config) changed outside of nix’s purview, it just won’t be reproducible and may be overwritten by nix.
You can build an ‘immutable’ environment on nix, but rather than storing changes as transactions like rpm-ostree, it’ll modify path in /nix/store and symlink it. Sure, you can store the internal representation of those changes in a git repo, but that is not the same thing as the changes themselves; if the nixpkgs implementation of a config option changes, the translation on your machine does too.
Nixos tends to lean on the term reproducible instead of immutable, because you can have settings (e.g files in /etc & ~/.config) changed outside of nix’s purview, it just won’t be reproducible and may be overwritten by nix.
Interesting. If possible, could you more explicitly draw comparisons on how this isn’t quite the same over on say Fedora Atomic? Like, sure changes of
/etcare (at least by default) being kept track of. But you indeed can change it.libostreedoesn’t even care what you do in your home folder. Thus, changes to e.g.~/.config(and everything else in/var[1]) are kept nowhere else by default.
- Which happens to be more crowded than on other distros as folders like
/optare actually found here as well.
~/.config is probably a poor comparison on my part; it’s management is actually done by home-manager rather than Nixos proper, and I can’t think of another OS that fills this same role.
Nixos generates (for example) /etc/systemd/network to a path in /nix/store and symlinks it to it’s appropriate locations. After the files are generated the appropriate /nix/store paths are (re-mounted? Over-mounted? I’m not sure the implementation) made read-only (by default), but anything that isn’t generated is absolutely both mutable and untracked, and that “not tracking everything in /etc” is more what I’m going on about.
If you use Nixos as intended (when you find that a package is lacking a config option you want, create your own nix option internally) the distro is effectively immutable, but if you use Nixos for anything moderately complex that changes frequently e.g. a desktop os, you eventually run into the choice: become competent enough to basically be a nixpkgs contributor, or abandon absolute immutability.
I think the first option is worth it, and did go down that route, but it is unreasonable to expect the average Linux consumer to do so, and so something like fedora atomic is going to remain more “immutable” for them than nixos.
This need to git gud is thankfully lessening with every commit to nixpkgs, and most people can already get to most places without writing their own set of nix options or learning how to parse //random markup language// into nix, but you’ll eventually run into the barrier.
- Which happens to be more crowded than on other distros as folders like
I used an immutable fedora on my surface pro 4, I wanted to shoot myself in the face every time I had to install anything. I’m good on that for the rest of my natural life.
Was what you wanted not available in a flatpack/ app image?
Wasn’t about that at all. Any DNF action took a lightyear… man just typing out those long commands (very hard to remember coming from apt) nevermind the much crazier wait time. Using toolbox for dev environments to compile things was a total nightmare. I’m sure there’s a scenario where it’s ideal, that was certainly not my situation.
Gotcha I was just wondering what the limitations are, I’m still messing with and I’ve not hit one yet but I was curious where they pop up. So for devs immutable distros don’t play well, that definitely makes sense!
From what I gather, if you like tinkering and compiling and installing random weird apps then immutable can be a serious pain in the ass like I discovered.
Did you ever try using Distrobox? That’s the recommended way if installing random apps.
I’m not sure that would’ve influenced my situation with a dual core i5-6300U and 4gb ram, it’s a pretty sluggish thing from the get go. But good to know about distrobox maybe that can help me in the future. Now rocking Debian and it’s great.
Debian sounds like a great fit for you. But it’s good to know that Universal Blue has a lot of tools available for installing and tinkering that many just don’t know about. They are extremely powerful OSs.
It’s definitely great for the mainstream. Think of Linus Sebastian who has somehow broken every OS except for SteamOS.
It’s not great for me who uses Arch Linux btw with the expectation that if the system doesn’t break on its own, then I will break it myself.
And anybody who thinks that Linus doesn’t look for those ways to break Linux is deluding themselves. He’s a fucking asshole.
He can be an asshole, but I believe finding bugs is part of his job.
Would you rather have him find them and complain to a community who might know what they could be, or someone else who will just complain and buy a MacBook instead?
Honestly, I would say it isn’t great for anyone who has to do something low level even once. Now that there are open source nvidia kernel drivers that has solved a pretty big issue for most people who would be interested in immutable distros, but there are still many other drivers and issues that your regular user may face.
One example off the top of my head is that flatpaks specifically can’t ship systemd services if I recall correctly. A lot of wayland apps for thigns like input have to use daemons because of wayland’s security model. Lact for AMD and now Nvidia GPU control, ydotool, or even gui versions of such tools for remapping input.
Snaps require custom kernel modules that aren’t used outside of ubuntu, so I hesitate to trust them regardless of any of the other issues people have with them.
This basically leaves appimages which aren’t available for everything and don’t always seem to work at least not as reliably as flatpak. I even tried to package the rstudio forensic software as an appimage myself, so I could have an easy way to use that proprietary piece of software, but I just couldn’t get it to work. I couldn’t get it to work with distrobox either using the official methods they provide to install it on linux. I did get it working in a chroot for some reason, but it had graphical issues. In the end, I made a PKGBUILD for arch and got it working that way.
The point of all this is that a lot of times people say immutable is great for average, non tech savvy people, but I believe that literally everybody ends up needing to do low level stuff at least once or twice every so often. Which simply isn’t a great experience since you end up having to do layering which throws these theoretical average users right back into the normal complexity of a mutable system, but with even more uncertainty in my opinion.
Now then with all of these caveats. I do still agree that immutable distros are great for the aforementioned group of people and I know this statement contradicts a lot of what I have described above. The reason why I think they are great for the less tech savvy people however isn’t because of any actual technical merit of the systems design though. Immutable distros are great for people like Linus Sebastion because it limits what they can do. You simply have to accept what is there the same way that you have to on proprietary systems like Mac and Windows. Those systems force you to do things a certain way unlike Linux and that is what people like Linus need because they have no business mucking around with the system to begin with.
Lastly, all of this only works because devices like the Steam Deck are being run on specific hardware thus guaranteeing there compatibility. This is what we ultimately need. There would be much less need for low level operations to get drivers or change settings to make wifi or audio work right on a billion different devices if these people were buying linux compatible hardware in the first place.
You can install packages in immutable distros. It’s just not as easy and recommended as a last resort.
With Universal Blue (Bazzite, Bluefin, Aurora) you can install packages with “layering”. It’s basically modifying the image by adding packages on top of what is shipped by the distro, and those packages get added each time the image is updated.
The better, more involved solution is to create your own image from the base image. That gives you a lot more control. You can even remove packages from the base image.
Weird, I don’t have any issues developing custom systemd services or similar on my Kinoite installation. Packages that need to run on the host system can be layered, everything else is running in distrobox.
These are valid concerns but to me they sound more like lack of tooling rather than inherent disadvantages of immutable distros. Linux distros have not historically been designed from the ground up for immutability and it makes sense that there are issues that aren’t handled optimally. Surely we can come up with clean and simple solutions to basic problems like setting up daemons and drivers if we work on it!
Secure != stable Immutable distros aren’t always more secure but rather more stable and hard to break Also btw nixos can apply updates without rebooting
I wouldn’t call NixOS immutable.
It can be made to be by pinning various things which are not by default.
What things?
At the surface, you can pin the commit you pull packages from, but if you want to go deeper, you can essentially define your own channel and dependent binaries, allowing you to store every aspect of how a generation is built.
Yes, or use flakes which gives you a lockfile pinning everything. But this is related to reproducibility, not immutability.
If you control everything in the build it is, and every generation is immutable.
Isn’t immutability related to the root filesystem being read-only? I can write on my root filesystem, even if it’s mostly links to the store I can replace those links.
NixOS is immutable and atomic, but it isn’t image-based.
Immutable simply refers to how the running system configuration can’t be changed by simply putting a file somewhere (e.g. copy a binary to
/bin, which is a bad idea).For example, Fedora Atomic and derivatives are image based, although they are more flexible than the A/B types like SteamOS.
OpenSUSE MicroOS uses btrfs snapshots to apply updates atomically, and is more flexible than most image based immutable distros.
Edit: But I don’t think those terms have a single definition, so how would you differentiate these terms?
I’m on NixOS right now and just dropped a Chewy in my
/bin, only had tosudo touch /bin/chewy.That doesn’t make it not immutable. /bin is not a critical directory in NixOS, only the contents of /nix are, which are immutable. /bin isn’t even part of your path by default.
Well that was an approximation to keep it simple and disprove the given example. There are other directories in the root filesystem that are in the path by default, or used in some other critical way (like
/etc). Even if they are links to directories in the nix store you can replace the link.I understand, but it didn’t really disprove anything. Immutable distro’s protect core components from being modified. /bin is hardly relevant on NixOS, so of course it wouldn’t be made immutable.
/etcis also generally not considered a core component, and every immutable distro I’ve used left it writable. By default, every binary installed through NixOS is put in/run/current-system/sw/bin, which is immutable. Many other important files are also linked to/run/current-system, which is why the whole directory is immutable. It essentially takes the place of what the root directories would be on an FHS distro.I don’t know any other path used in critical ways that is not immutable. The primary paths that immutablility is relevant for in FHS distros are /usr, /lib, /lib64, and /bin. None of these paths are really used on NixOS, besides some files symlinked there for edge cases, like /bin/sh.
If you were to remove all the symlinks you are able to, the system would still work for the most part. You would lose custom configurations in /etc, but that is true for most immutable distros. Most apps have a default configuration to fallback to.
The misunderstanding comes from the fact that immutable is a poor description for any OS, which is why many now use atomic instead. Even in immutable distros, many files can still be modified, and things can still be broken if you try hard enough. Still, NixOS definitely falls under the general description of and immutable distro, as the core of the OS is immutable.
deleted by creator
Good point. I’ll have to stop using immutable and stay with atomic (and declarative).
Interestingly
/binand/usr/binare not in PATH by default, so/bin/chewycan only be executed by its path directly and won’t affect the systems reliability.
In your opinion, when can we refer to a distro as being immutable? How do you regard the likes of Fedora Atomic, openSUSE Aeon or Vanilla OS? Are any of these immutable in your opinion?
To be honest I don’t know these very well. I only use NixOS. My understanding is that in an immutable distribution the root filesystem is read-only. Granted in NixOS the nix store is immutable and most things in the root filesystem are just links to the nix store, but the root filesystem itself is not read-only.
Is there debian based immutable distro?
Yes, it’s called VanillaOS! https://vanillaos.org/
Thank you)
Isn’t it based on Ubuntu?
I think it was prior to version 2, but these days it’s based on Sid - https://vanillaos.org/nerd-info
Good. I just quickly glanced at the site and there were multiple mentions of Ubuntu… Glad they switched to Debian, this way I might try it on second PC.
I’m not really sure how the upsides of immutable distros work. I’ve been using linux for a long time and I’m not an expert but I’ve learned bits of things here and there.
I recently bought a steamdeck and it’s running an immutable distro. I don’t really know how to use software that’s installed via flatpak because it’s weird.
I have a game installed that runs badly (unplayable for me) through proton. I can launch it through q4wine if I switch the steamdeck into “desktop mode” and it runs much better.
If it wasn’t an immutable distro I could pretty easily make a shell script that launches the game through wine. Then I could add that shell script as a non steam game and it would (I think) run well, and I’d be able to launch it from the non desktop side of steam OS that is a lot more streamlined.
There is something comforting to me about immutable distros though.
I feel like I don’t remember half the shit I have installed on my computers. If I wanted to start cutting things out I don’t know where I’d start. But with flatpaks I get the sense I could probably just wipe anything I don’t use out of the flatpak directory and I probably wouldn’t break anything.
I’m fairly certain you could still run that shell script on steamOS? I don’t understand why an immutable distro would keep you from doing that. It’s essentially what Lutris and Heroic Games launcher do.
I have investigated the idea and came to the conclusion that immutable distros are essentially a research project. They attempt to advance the state-of-art a slight bit but the cost is currently too great.
Perhaps somebody will some day create something that’s worth switching to. But I don’t think that has happened yet, or is happening with any of the current distros. Silverblue might become that with enough polish, but I feel that to get that amount of polish, they would have to make Silverblue the 1st class citizen, i.e. the default install of Fedora.
I wonder if you can download Apparmor and Apparmor-d on mutable distros, But I faced issues of bwrap and I couldn’t find a SELinux equivalent for Apparmor-d i tried allowing Bwrap but it didnt work so i uninstalled Apparmor.
I have a really hard time getting Aurora working the way all my other Linux devices so that are running some form of Ubuntu (Mate or Bodhi). With that said, it’s been very stable and i like not being interrupted with packages to install while working on things…
Mixed bag review. I give it 3.5 out of 5 stars.
So, you’re saying that immutable is terrible for system uptime.
You have to reboot machines to run secure kernel code. High uptime means running outdated, vulnerable system code.
Uptime is for services, not individual servers.
I don’t mind flatpaks in a pinch, but having to use them for literally every app on my computer is an unreasonable amount of bloat.
But the more apps the more the dedup is saving space
Not when every app decides to use a different point version of the same damn platform.
"Hello Mr. Application. I see you’d like to use the Freedesktop-SDK 23.08.27
“Oh…well hello other application. What’s this? You want to use Freedesktop-SDK 24.08.10? Well…I guess so…”
Edited to add: Yes, I know that flatpaks will upgrade to use updated platforms. But it doesn’t automatically remove the old one, forcing you to have to run flatpak remove --unused every week just to keep your drive clean. That’s hardly user friendly for the average person.
The average person has a 1tb+ drive and doesn’t care about a few hundred megabytes of bloat in a partition they will never look at. If someone is switching from Windows, every app having its dependencies self contained is mostly normal anyway (aside from the occasional system provided dll). The only people likely to care about removing old flatpak platforms are the kind of people who don’t mind running the command to remove them.
The average person definitely doesn’t have a 1tb drive.
61% of steam users have 1tb or more total hard drive space.
https://store.steampowered.com/hwsurvey/Steam-Hardware-Software-Survey-Welcome-to-Steam
I don’t think Steam users really represent the average person…
The average person doesn’t own a computer anymore, but I think steam users are pretty representative of people who want to use the OS that markets itself as “The next generation of Linux gaming”
Steam users are not the “average user”… they are the “average gamer”.
That’s a very fair point. But it’s still annoying.
The average person has a phone, with 128gb of storage.
The typical laptop I deal with have 512gb ssd drives.
The typical desktop in a corporate environment is 256gb or 512gb.
1tb drives are very much not “average”.
I had a systemd unit that ran it weekly after the update one ran. I feel like the default behavior though should be automatic purge old unused runtimes though too. I don’t see why that wouldn’t the case to me.
I’ve even gone so far as wanting to force run time changes underneath the packs because of Caves and such, but thats my niche and puts security over function.
Definitely not a free lunch sys admin wise, but it is still a marked improvement over native apps 98% of the time for me.
The barrier for me is that I use a lot of apps which require native messaging for inter-program communication (keepass browser, citation managers talking to Libreoffice, etc.), and the portal hasn’t been implemented yet. Its been stuck in PR comment hell for years. Looks like its getting close, but flatpak-only is a hard no go for me until then.
Even after that, I would worry about doing some Dev work on atomic distros, and I worry about running into other hard barriers in the future.
I love building my own uBlue image. Tinkering is done in toolbox containers, definite changes are baked into the image. Completely custom (to me) and when you get it right it will just work anywhere. If I would brick my PC/storage I can just boot up another and restore my (back-upped) home dir with very little effort.
Immutable distros are great for applications where you want uniformity for users and protections against users who are a little too curious for their own good.
SteamOS is a perfect use case. You don’t want users easily running scripts on their Steam Decks to install god knows what and potentially wreck their systems, then come to Valve looking for a fix.
Immutable distros solve that issue. Patches and updates for the OS roll out onto effectively identical systems, and if something does break, the update will fail instead of the system. So users will still have a fully functional Steam Deck.
If you’re not very technical, or you aren’t a power user and packaged apps like Flatpaks are available for all your software, then go for it. I prefer to tinker under the hood with my computers, but I also understand and except the risk that creates.
Immutable distros are a valuable part of a larger, vibrant Linux ecosystem IMO.
Immutable are the ultimate tinkerer’s distros. It’s just a different way of tinkering. True tinkering in immutable means creating your own image from the base image and that allows you to add or remove packages, change configs, services, etc.
Example: you create your own image. You decide you want to try something, but you’re being cautious. So you create a new image based on your first with your changes. You try it out and you don’t like it or it doesn’t work for some reason, you can just revert back to you other image.
Another thing worth mentioning, with these distros, you can switch between images at will. I’m new to Linux as my daily driver desktop OS, and I’ve rebased three times. It’s really cool to be able to do that.
Don’t know why this would be downvoted. Atomic distro’s are a tinkerers paradise, as all of it can be done fearlessly. I can make stupid changes to configurations that I don’t understand on NixOS, then when things break, simply revert the git commit and rebuild. (Or reboot to the last build if I broke it bad enough).
Who knows. People are passionate about Linux. And downvoting takes no effort. And people downvote stuff randomly.
if something makes linux more secure, safer or easier to use then it’ll be hated because people in the linux community are allergic to all those things. Secure boot? they hate it, wayland? they hate it, immutability? they hate it, flatpaks/sandboxed app? they hate it, gnome? they hate it. Even rust is hated by many.
So Bazzite basically is an immutable 3rd-party SteamOS. It was originally designed for handhelds (though has desktop images now) and includes the Steam Deck’s
gamemodepackage. That means it has the same interface, but working on a Legion Go or an Ally X. If anyone here has* any of those three you should seriously check it out!The other thing as well is that more often than not, the update will succeed and you won’t figure out until the next boot that something is wrong. However, Bazzite has a rollback tool so you can just change back to the previous image, reboot again and get to gaming.
That’s the best reason for immutable for gaming IMO. I don’t want to be fucking around with the OS when I’m in the mood to game. Being able to quickly rollback and jump into things in ~10 minutes or less is how it should be.
I need to run immutable distros more, and I need to figure out how to roll my own images.
Desktop side, I need certain things in the base image rather than adding more layers or using a container. Things like rsync, nvim, git, curl, lynx, etc.
Would immutable distros help reach more desktop audiences? Perhaps. It’s more about applications though. The biggest help has been electron apps and the migration to web apps. The Steam Deck is successful because it has applications people want.
Server side, they look really promising for bare metal servers. Provided, there is an easy way to compile custom images. Being able to easily rollback to a known good image is very enticing, as you point out.
