Getting Started with Fedora Hummingbird: A Comprehensive Guide
Overview
Fedora Hummingbird is a groundbreaking container-based rolling Linux distribution announced at Red Hat Summit 2026. It brings the principles of Project Hummingbird—minimal, hardened, distroless container images—directly to the full operating system. This means you get an up-to-date, secure system that updates continuously from upstream sources, whether you run it in containers, virtual machines, or on bare metal.

Unlike traditional distributions, Fedora Hummingbird uses an image-based workflow similar to containers. The host OS itself is delivered as an immutable image, with applications running in isolated containers. This approach eliminates the need for a package manager on the host, dramatically reducing the attack surface and vulnerability management overhead.
This guide will walk you through understanding what Fedora Hummingbird is, what you need to get started, and how to deploy it. You'll learn how to pull a pre-built image, boot it, and avoid common pitfalls. By the end, you'll be ready to explore a system that aims for zero CVE reports.
Prerequisites
Before diving in, ensure you have the following:
- Hardware or virtualization platform – Fedora Hummingbird can run on bare metal, in a virtual machine (e.g., libvirt, VirtualBox, VMware), or as a container. Minimum requirements: 2 GB RAM, 20 GB disk space, 64-bit x86_64 or ARM64 processor.
- Internet connection – You'll need to pull the image from the Hummingbird containers repository.
- Basic familiarity with containers – Understanding of container concepts (images, containers, registries) helps but isn't strictly required.
- Optional: podman or docker – To pull and inspect the image before booting. podman is recommended on Fedora.
Step-by-Step Instructions
Step 1: Pull the Fedora Hummingbird Image
The foundation for Fedora Hummingbird is available today from the Hummingbird containers repository. You can pull the host OS image using podman or docker:
podman pull quay.io/hummingbird/fedora-hummingbird:latest
Alternatively, for a specific variant (e.g., FIPS or multi-arch), list tags:
podman search quay.io/hummingbird/fedora-hummingbird --list-tags
Choose a tag that matches your architecture and requirements. The image is distroless – no package manager, no shell – just the kernel and minimal runtime.
Step 2: Boot the Image
You can boot Fedora Hummingbird on bare metal or in a VM. For VM environments, convert the container image to a bootable disk image. Use the provided conversion tool (part of the Hummingbird ecosystem) or follow these steps with podman and qemu:
- Extract the image layers – Create a temporary directory and export the root filesystem:
podman export $(podman create quay.io/hummingbird/fedora-hummingbird:latest) -o hummingbird-rootfs.tar
- Create a disk image – Use qemu-img to create a qcow2 image and copy the rootfs into it:
qemu-img create -f qcow2 hummingbird.qcow2 20G
guestfish -a hummingbird.qcow2 <<EOF
run
mkfs ext4 /dev/sda
mount /dev/sda /
tar-in hummingbird-rootfs.tar /
# guestfish only expands wildcards when the command is prefixed with "glob"
glob cp /boot/vmlinuz* /boot/vmlinuz
EOF
Note: Exact kernel parameters may vary; refer to the official documentation for the latest conversion script.
- Boot the VM – Use virt-install or qemu-system-x86_64 with the created disk:
qemu-system-x86_64 -m 2048 -hda hummingbird.qcow2 -serial stdio
For bare metal, you can write the image to a USB or SSD using dd. Ensure you have a bootloader (e.g., GRUB) that can chainload the Hummingbird kernel and initramfs.
Step 3: Post-Boot Configuration
Once booted, Fedora Hummingbird presents a read-only root filesystem. All persistent data (config, logs, user data) must be stored in volumes or writable directories mounted from external storage. The system uses a rolling update mechanism based on image layers.
- No package manager – You cannot install software with dnf/yum. Instead, use containers for applications.
- Configure network – Use systemd-networkd or netplan (if included). A static IP can be set via kernel command line during boot.
- Manage users – Add users via /etc/passwd, but remember changes will be lost on image update unless stored persistently.
Step 4: Understanding Updates and Vulnerability Management
Fedora Hummingbird updates are handled at the image level. When a new image is published (triggered by upstream patches in Fedora Rawhide or directly from project leaves), you pull the latest version and reboot. The system uses chunkah (an incremental update tool) to download only changed layers, making updates efficient.

The Konflux pipeline behind Project Hummingbird continuously scans all images with Syft and Grype. It triages CVEs, applies patches, and rebuilds images automatically. You can check current CVE status live at the Hummingbird catalog. Over 95% of packages come from Fedora Rawhide; the remainder are pulled from upstream and contributed back.
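To check a pulled image yourself rather than rely on the catalog's status, you can triage a Grype report locally. The script below is an added example, not code from the Hummingbird project; it reads the JSON that `grype <image> -o json` produces, and the sample report, placeholder IDs and `fail_on` threshold are constructed assumptions.

```python
import json

# Constructed sample shaped like `grype <image> -o json` output; only the
# fields read below are present. IDs and packages are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "EXAMPLE-CVE-1", "severity": "High",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3"}},
    {"vulnerability": {"id": "EXAMPLE-CVE-2", "severity": "Low",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libother", "version": "0.9"}},
    {"vulnerability": {"id": "EXAMPLE-CVE-3", "severity": "Critical",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "libexample", "version": "1.2.3"}},
]})

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def triage(report_json, fail_on="High"):
    """Split Grype matches into (blocking, tolerated) by severity.
    Labels missing from SEVERITY_RANK (e.g. "Unknown") block as well."""
    threshold = SEVERITY_RANK[fail_on]
    blocking, tolerated = [], []
    for match in json.loads(report_json).get("matches", []):
        vuln = match.get("vulnerability", {})
        artifact = match.get("artifact", {})
        fix = vuln.get("fix") or {}
        severity = vuln.get("severity", "Unknown")
        finding = {
            "id": vuln.get("id", "UNKNOWN"),
            "severity": severity,
            "package": f"{artifact.get('name')}@{artifact.get('version')}",
            # "fixed": a patched version exists, so a rebuilt image should clear it.
            "fix_available": fix.get("state") == "fixed",
        }
        rank = SEVERITY_RANK.get(severity, 99)
        (blocking if rank >= threshold else tolerated).append(finding)
    blocking.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 99))
    return blocking, tolerated


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT)[0]:
        print(f["severity"], f["id"], f["package"], "fix:", f["fix_available"])
```

Grype's own `--fail-on <severity>` flag gives a coarser pass/fail; the split on fix state here separates findings a rebuilt image should clear from ones that need a decision.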
Step 5: Running Your First Container Workload
Since the host is minimal, you'll run applications in containers. For example, to run a Node.js app using a distroless Hummingbird image, mounting your script read-only into the container:
podman run -d --name myapp -v "$PWD/myapp.js:/app/myapp.js:ro,Z" quay.io/hummingbird/nodejs:20 /app/myapp.js
This pulls a hardened, distroless Node.js image with no CVE backlog. The host and container images share the same security philosophy.
Common Mistakes
- Expecting a package manager – The host has no shell or package manager. Do not try to 'ssh in' and install tools. Instead, use container-specific workflows.
- Assuming mutable root – The root filesystem is read-only. Any changes you make (e.g., editing config files) must be in persistent mounts or volumes.
- Ignoring rolling updates – Fedora Hummingbird tracks Rawhide, meaning updates arrive rapidly. You must reboot frequently to stay secure. Plan for this in your environment.
- Using untrusted images – The whole point is avoiding third-party container images with unknown CVEs. Stick to the Hummingbird catalog for best results.
- Skipping the conversion step – The container image is not directly bootable on bare metal without converting to a disk image. Follow the official conversion scripts.
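The "untrusted images" pitfall can be enforced rather than remembered. The check below is an added example, not part of the Hummingbird tooling: it flags image references that fall outside the `quay.io/hummingbird/` namespace used in this guide or that float on a tag instead of a digest, which matters on a rolling stream where `:latest` changes often. The function names, sample references and digest are constructed.

```python
import re

# Assumption: the trusted namespace is the one this guide pulls from.
TRUSTED_PREFIX = "quay.io/hummingbird/"
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed sample references; the digest is a placeholder, not a real image.
FAKE_DIGEST = "sha256:" + "a" * 64
SAMPLE_REFS = [
    "quay.io/hummingbird/nodejs@" + FAKE_DIGEST,
    "quay.io/hummingbird/fedora-hummingbird:latest",
    "quay.io/hummingbird-mirror/nodejs@" + FAKE_DIGEST,
    "localhost:5000/hummingbird/nodejs",
]


def check_image_ref(ref):
    """Return the policy problems for one image reference (empty list = OK)."""
    problems = []
    name, _, digest = ref.partition("@")
    # The tag is a ':' after the last '/', so a registry port is not a tag.
    path, _, last = name.rpartition("/")
    repo, _, tag = last.partition(":")
    # Compare with a trailing '/' so "hummingbird-mirror" cannot pass as a prefix.
    if not repo or not (path + "/").startswith(TRUSTED_PREFIX):
        problems.append("not from the trusted namespace")
    if not digest:
        problems.append(f"floating tag '{tag or 'latest'}', pin by digest")
    elif not DIGEST_RE.fullmatch(digest):
        problems.append("malformed digest")
    return problems


def audit(refs):
    """Map each non-compliant reference to its list of problems."""
    report = {}
    for ref in refs:
        problems = check_image_ref(ref)
        if problems:
            report[ref] = problems
    return report


if __name__ == "__main__":
    for ref, problems in audit(SAMPLE_REFS).items():
        print(ref, "->", "; ".join(problems))
```

`podman image inspect --format '{{.Digest}}' <image>` prints the digest of an image you have already pulled and vetted.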
Summary
Fedora Hummingbird brings the zero-CVE approach of Project Hummingbird to the full operating system. By using distroless, image-based updates, and a rolling release model from Fedora Rawhide, it offers a minimal and secure platform for running containerized workloads. This guide covered the prerequisites, pulling the image, booting it, and common pitfalls. Start experimenting today, and you'll experience a new paradigm in OS security and simplicity.