Developers talk a lot about “immutability.” Outside the technical world, it usually means something negative: unmoving, inflexible, and entrenched. However, in the technical field, these features become an advantage and mean that a system is reliable and reproducible.
Like many concepts and trends in technology, it’s nothing new. NixOS (more on it later) has existed for over twenty years, and ChromeOS is probably the most widely used immutable operating system (OS). However, the widespread adoption of containers with Docker just over 10 years ago brought the concept to broader attention.
Typically, you define a container in a text file, and a container runtime turns that definition into running services. This means it’s relatively easy to shut down, recreate, and reboot the container based on that definition. No matter how many times you recreate and reboot it, you can rely on it being the same — immutable.
Development teams now use containers widely, managed and orchestrated by tools such as Kubernetes. Containers take the concept of immutability some of the way.
There is still an operating system and many other levels of software surrounding them. Everything needs to be immutable to have a fully trustable, reliable, and reproducible operating system.
This possibly sounds extreme to those of us who use Windows, macOS, or most distributions of Linux regularly. But from edge devices and servers to the desktop machines you and I use daily, immutable operating systems are now entering a practical reality.
Why is this happening now? As Canonical’s product manager of Ubuntu Core, Gabriel Aguiar Noury, tells me, it’s because of the growth of cybersecurity regulations from governments around the World. “These regulations generally tell device makers and developers that things will change. We need to be more compliant,” Noury says. “We need to be sure that every element in our products has a security plan, which includes security maintenance.”
The EU introduced cybersecurity regulation in 2019, and Noury adds that the act’s deadline for compliance is bringing a lot of interest. “The EU cybersecurity regulation is getting traction, and in 2027, we will start having to comply with it. So right now, we’re in this period where we must make the devices we launch compliant with that. And, the idea of immutability plays into that.”
Nix and NixOS
Nix is the oldest still active immutable operating system. People often use “Nix” and “NixOS” interchangeably, but they are different. Nix is a package manager used to build and install small dependencies, such as OpenSSL, to larger ones, such as Firefox or a programming language toolchain.
As Valentin Gagarin, part of the Nix maintainer team, says: “Nix is many things to many people. But at the core, Nix is astonishingly simple.”
Almost every package you install doesn’t live in isolation and uses its own complex tree of dependencies. To handle this and remain immutable, when you build and install a package with Nix, it retains a cryptographic hash of everything used to install that dependency at the time of installation.
If you install the dependency again later, Nix creates a new hash, meaning you can switch back to the functioning version if there are issues. “Nix wires up the relationships between files in a file system that become part of one application binary and records them in an immutable way,” Gagarin says. “Whenever you want to transfer these files somewhere else, pulling on one end gives you the entire thing rather than falling apart.”
NixOS takes this further. You can define the entire operating system from packages in the Nix package manager and the configuration of those packages. The configuration depends on the packages you install but could include boot devices, login messages, user accounts, and more. Also, Nix executes each process that creates these files in an isolated sandbox, further enhancing security.
To anyone who has ever used mobile device management (MDM) or something similar to roll out consistent system images across a fleet of machines, this may not sound that revolutionary, but NixOS doesn’t require sending large image files of multiple gigabytes across networks, it’s just a text file built at rollout.
Again, like the package manager, you can roll back if there’s an issue. NixOS allows you to switch between different operating system configurations in the only time it takes to build that system. The same applies if an installation process is interrupted. On reboot, it restores the system to the last good state, and you can try again.
Nix has developed these ideas for a long time despite their modern-sounding application. It has existed for more than 20 years and is older than Docker and Git.
As Gagarin adds, it wasn’t even first. “Nix was also not the first attempt to change Linux packaging. Nix had precursors, which essentially did the same thing but were more complicated and less accessible to the general Linux audience. And I think what made Nix different is its conceptual simplicity. And it’s still around as opposed to many others.”
Community and business
The Nix community is open-source and donation-funded, with around 800 active monthly contributors. But the modern trend for immutability and how well Nix fits into it hasn’t passed businesses by, even though Gagarin admits he isn’t completely sure of the origins of the rise in interest.
Three of the most interesting commercial products based on NixOS are Determinate Systems, Flox, and DevBox. All are in the early stages, but they and tools like them recognise that maybe the “simpler” world of developing using container runtimes such as Docker wasn’t as simple as promised and offer an alternative.
Ubuntu Core
When many think of Linux, they think of Ubuntu from Canonical. It’s hard to get realistic numbers, as most sources report desktop usage, whereas, in reality, its data centres and servers are where Linux reigns supreme.
Canonical’s immutable offering, Ubuntu Core, is aimed not at desktop users but at edge devices. These are the small computing devices now found everywhere, from cars to robots to smart cities and industry. Often running only a handful of services on small embedded boards, edge devices are typically managed remotely, at scale, and running crucial functions where security and reliability are paramount. A perfect use case for an immutable operating system.
Noury explains the use cases. “Think about the core operating system and the core elements of your device. They shouldn’t change during normal operations, and you shouldn’t need to maintain them.”
Instead, Ubuntu Core lets you focus on the unique functional components for your use case and trust that they won’t change without your input. “When you are deploying a digital kiosk, smart home device, or robot running in a manufacturing line, you want to focus on tackling your problems and be sure that the components you rely on won’t change until you change them,” Noury adds.
Canonical’s Snap format and Snap Store are similar to the Nix package manager. Installing a dependency from the Snap Store contains all the dependencies at the time of installation, with additional protections that protect the host operating system from the “snapped” application.
To any macOS user, this may sound a lot like installing from the App Store, but as Linux users are more used to building software as they install, it’s a more novel approach and one that divides the Linux community.
Ubuntu Core works differently from NixOS. Instead of configuring with a text file, you use a series of models to define the core components of an operating system, such as the architecture, the base of the operating system, the snaps and snap versions to install, and the levels of security to use.
With that done, you can roll out, build, and install an image across machines. If you use Canonical’s Multipass tool, you can also create, test and build images locally in a virtual machine before rolling them out and browse pre-built images to base yours on.
While Ubuntu Desktop remains non-immutable, it also has the Snap store for a degree of immutability, and this post from a Canonical engineer details how it could work.
Fedora Silverblue and Vanilla OS
From one of the other big names in Linux distributions, Fedora‘s immutable offering, Silverblue, combines elements of NixOS and Ubuntu Core. For larger graphical applications, Silverblue uses Flatpak, which works similarly to the Snap Store (and App Store), distributing applications as one self-contained bundle.
Developer tools use Toolbx, which in turn uses containers to allow developers to have a per-project series of functioning dependencies with no effect on the base operating system. However, there’s no configuration file tying everything together as with NixOS and Ubuntu Core.
Vanilla OS is similar. The entire operating system isn’t immutable, but key parts of it are. It has its own approach to a package manager in the form of Apx, which installs packages into a container, isolating everything from the host operating system and, again, making it easy to switch between versions.
In addition to individual installations, you can also define developer environments based on other Linux distributions with Apx, which positions Vanilla OS as a kind of Linux hub. It also handles system updates differently, creating temporary partitions (again, based on container images) for the update that it only switches to after a successful reboot (recent versions of macOS do something similar).
Finally, if you want to be extra cautious and immutable, you can make the entire file system read-only, meaning everything has to run in containers.
Both Fedora Silverblue and Vanilla OS don’t go to the immutable extremes that NixOS does, but they do make the most important and vulnerable parts immutable.
Who to trust
Trust is a central aspect throughout this discussion. The selling point of immutable operating systems is that they are trustworthy and secure. But why should you trust them?
As Noury says, “immutability doesn’t necessarily mean security.” At base, the preventatives are that they allow you to test and roll back if there are problems, and that typically, services run in isolated sandboxes (be that containers or something else), meaning that any rogue service can have minimal impact on anything else.
For commercial offerings such as Ubuntu Core or commercially supported NixOS, the maintainers usually watch Common Vulnerabilities and Exposures (CVE) databases to ensure releases are vulnerability-free. Still, these sources are far from perfect and don’t highlight bugs, so developers still need to do their own testing — which, thankfully, immutable operating systems make easier.
An immutable future
As I’ve covered throughout this article, even if you don’t want to go all out with a fully immutable operating system like NixOS and all of the caveats that come with it, the increased need for security in modern consumer devices means that many of the operating systems you use are already partially immutable anyway, especially when it comes to installing updates.
One of my recent articles covered Homebrew, the package manager for macOS (and also now Linux), and that adds a degree of immutability to installing applications, depending on how you use it.
While the communities around the immutable operating systems mentioned in this article have worked hard to build systems as accessible and usable as possible, a fully immutable operating system is still more complex than a “conventional” one. You need to understand that one application doesn’t necessarily equal one installation and how to switch between them. Because of the multiple installations, they can also take up more disk space, which is easy to forget.
I’m not sure that fully immutable operating systems are the future of operating systems just yet, but some of their concepts and principles definitely are. They constitute a classic example of how, sometimes, it can take 20 years or more for a technical concept to find its time.
Get the TNW newsletter
Get the most important tech news in your inbox each week.