Fedora Hummingbird brings the container security model to a Linux host OS

Container image security pipelines have spent the past several years pushing toward minimal footprints, hermetic builds, and continuous CVE remediation. The Fedora Project is now applying that same approach to the host operating system. At Red Hat Summit 2026, Fedora announced Fedora Hummingbird, a container-based rolling Linux distribution delivered as an OCI image.


“The Linux market has split: IT operations teams need the decades-long stability of Red Hat Enterprise Linux, while builders, both human and agentic, demand upstream velocity and image-based workflows,” said Gunnar Hellekson, VP and GM, Red Hat Enterprise Linux, Red Hat. “Fedora Hummingbird Linux will define the platform for the agents that build the future of enterprise software.”

A distroless model extended to the host

Project Hummingbird, the effort underlying the new distribution, targets zero open CVEs across every container image it ships. Over the past eight months, the team has assembled a catalog of 49 distroless container images, 157 variants once FIPS and multi-architecture builds are counted. The lineup covers Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, and nginx, among others. Distroless here means no package manager and no shell: an image contains only the application and the runtime dependencies it strictly requires, which shrinks both the attack surface and the set of packages a scanner has to track.

Fedora Hummingbird extends the same model down to the operating system. The OS ships as an OCI image, built through the same Konflux-based pipeline used for the rest of the Hummingbird catalog. It supports x86_64 and aarch64 architectures and runs in container, virtual machine, and bare-metal deployments.

Pipeline and kernel

The build pipeline produces isolated, reproducible builds from pinned package lists. Incremental updates rely on chunkah, a tool developed by the Hummingbird team that limits downloads to the changed portions of an image. Vulnerability scanning runs continuously: Syft generates the SBOM and Grype matches it against vulnerability data. When an upstream fix lands, the pipeline rebuilds, tests, and publishes the patched image.

Most packages in every Hummingbird image come directly from Fedora Rawhide. The remainder are pulled from upstream when Rawhide lacks the needed version, and changes are contributed back to Fedora. Each package carries its own identity, lifecycle, and CVE feed maintained by Red Hat’s Product Security team. Machine-readable vulnerability data ships with every package and states which CVEs affect a given workload. That data matters because version-matching scanners keep flagging a package until its version string changes, so a backported fix shows up as an open finding unless the package’s own feed says otherwise.
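The two paragraphs above describe a scan-then-gate loop: a scanner produces findings, per-package vulnerability data says which of them actually apply, and only an image with nothing left open gets published. The following is an added example of such a gate, not the Hummingbird pipeline’s own code. It assumes the scanner output is Grype-style JSON (a `matches` list with `vulnerability.id`, `vulnerability.severity` and `artifact.purl`) and that the per-package data is OpenVEX-shaped statements (`vulnerability.name`, `products[].@id`, `status`); the report, the statements, the package names and the `CVE-0000-*` identifiers are all constructed placeholders.

```python
"""Zero-CVE publication gate (added example; not Hummingbird's own tooling).

Assumptions, not taken from the page:
  * scanner report is Grype-style JSON with a "matches" list
  * per-package vulnerability data is OpenVEX-shaped statements
  * packages are identified by rpm purls that match exactly between both documents
"""
import json

# Constructed Grype-style report for a fictional image. IDs are placeholders.
GRYPE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
         "artifact": {"name": "libfoo", "version": "1.2.3-1",
                      "purl": "pkg:rpm/fedora/libfoo@1.2.3-1"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
         "artifact": {"name": "libbar", "version": "2.0.0-1",
                      "purl": "pkg:rpm/fedora/libbar@2.0.0-1"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"},
         "artifact": {"name": "libbar", "version": "2.0.0-1",
                      "purl": "pkg:rpm/fedora/libbar@2.0.0-1"}},
    ]
})

# Constructed OpenVEX-shaped statements shipped "with the package".
# "fixed" models a backported fix the version string does not reveal;
# "not_affected" models vulnerable code that is not reachable in this build.
VEX_STATEMENTS = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:rpm/fedora/libfoo@1.2.3-1"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:rpm/fedora/libbar@2.0.0-1"}],
         "status": "fixed"},
        # A statement that does NOT close a finding must be ignored by the gate.
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:rpm/fedora/libbar@2.0.0-1"}],
         "status": "under_investigation"},
    ]
})

CLOSING_STATUSES = {"not_affected", "fixed"}


def load_vex_closures(vex_json):
    """Map purl -> {cve_id: status} for statements that close a finding."""
    closed = {}
    for stmt in json.loads(vex_json)["statements"]:
        if stmt.get("status") not in CLOSING_STATUSES:
            continue
        cve = stmt["vulnerability"]["name"]
        for product in stmt["products"]:
            closed.setdefault(product["@id"], {})[cve] = stmt["status"]
    return closed


def residual_findings(grype_json, vex_json):
    """Scanner matches not closed by an exact-purl VEX statement."""
    closed = load_vex_closures(vex_json)
    residual = []
    for match in json.loads(grype_json)["matches"]:
        cve = match["vulnerability"]["id"]
        artifact = match["artifact"]
        if cve in closed.get(artifact["purl"], {}):
            continue
        residual.append((cve, artifact["name"], match["vulnerability"]["severity"]))
    return residual


def gate(grype_json, vex_json,
         fail_on=("Critical", "High", "Medium", "Low", "Negligible", "Unknown")):
    """Zero-CVE policy: any residual finding in fail_on blocks publication.

    Returns (publish_ok, blocking_findings). The default fail_on set is the
    strict zero-CVE policy; a looser severity floor is a conscious downgrade.
    """
    residual = residual_findings(grype_json, vex_json)
    blocking = [f for f in residual if f[2] in fail_on]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    ok, blocking = gate(GRYPE_REPORT, VEX_STATEMENTS)
    print("publish" if ok else f"blocked by {blocking}")
```

Two details carry the security weight: a VEX statement only closes a finding when its product identifier matches the scanned artifact exactly (a statement for a different build of the same package must not apply), and only `not_affected` and `fixed` close anything, so `affected` or `under_investigation` entries leave the finding open and the image unpublished.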

The distribution uses the ARK (Always Ready Kernel) from the CKI project, which tracks the mainline Linux kernel directly and is already in use within Fedora.

Atomic updates and read-only root

The bootable container approach gives Fedora Hummingbird atomic updates with built-in rollback: a new image is staged alongside the running one and becomes active at the next boot, and a bad update can be rolled back to the previous image. The root filesystem is read-only, with writable state confined to /var and /etc. Partial update states are ruled out by design, and the OS content cannot drift because it is replaced as a unit; local edits under /etc persist across updates and still need to be tracked.
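The invariant just described, read-only root with persistent writable state only under /var and /etc, is something worth verifying on a running host rather than assuming. The check below is an added example and not part of Fedora Hummingbird; it parses lines in /proc/mounts format (device, mountpoint, fstype, options, dump, pass) and reports any violation. The sample mount table is constructed, and the list of pseudo-filesystems it ignores is an assumption of the example.

```python
"""Verify the read-only-root / writable-state invariant (added example).

Parses /proc/mounts-formatted text. On a live host pass open("/proc/mounts").read().
"""

# Constructed sample: root is ro, /var and /etc are rw, and a stray rw mount on
# /opt violates the invariant. Devices and options are illustrative.
SAMPLE_MOUNTS = """\
/dev/vda3 / ext4 ro,relatime 0 0
/dev/vda3 /var ext4 rw,relatime 0 0
/dev/vda3 /etc ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
/dev/vda3 /opt ext4 rw,relatime 0 0
"""

SAMPLE_MOUNTS_OK = "\n".join(
    line for line in SAMPLE_MOUNTS.splitlines() if " /opt " not in line
) + "\n"

# Kernel-backed or volatile filesystems that hold no persistent state; assumption
# of this example, extend it for your own hosts.
PSEUDO_FS = {
    "proc", "sysfs", "tmpfs", "devtmpfs", "devpts", "cgroup2", "securityfs",
    "bpf", "mqueue", "debugfs", "tracefs", "configfs", "pstore", "efivarfs",
    "selinuxfs", "autofs", "binfmt_misc", "hugetlbfs", "fusectl", "ramfs",
}


def _unescape(field):
    """/proc/mounts encodes space, tab, newline and backslash as \\040 etc."""
    return field.encode("utf-8").decode("unicode_escape")


def parse_mounts(text):
    """Return mount entries in order; later entries for the same path win."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mnt, fstype, opts = parts[:4]
        entries.append({
            "dev": _unescape(dev),
            "mnt": _unescape(mnt),
            "fs": fstype,
            "opts": set(opts.split(",")),
        })
    return entries


def _under(path, prefix):
    prefix = prefix.rstrip("/") or "/"
    return path == prefix or path.startswith(prefix + "/")


def check_invariant(text, writable_roots=("/var", "/etc")):
    """Return a list of (mountpoint, problem); an empty list means it holds."""
    problems = []
    mounts = parse_mounts(text)
    roots = [m for m in mounts if m["mnt"] == "/"]
    if not roots:
        return [("/", "no root mount found")]
    if "ro" not in roots[-1]["opts"]:
        problems.append(("/", "root filesystem is mounted writable"))
    for m in mounts:
        if m["mnt"] == "/" or m["fs"] in PSEUDO_FS:
            continue
        if "rw" in m["opts"] and not any(_under(m["mnt"], w) for w in writable_roots):
            problems.append((m["mnt"], "persistent writable mount outside writable roots"))
    return problems


if __name__ == "__main__":
    for mnt, why in check_invariant(SAMPLE_MOUNTS):
        print(f"{mnt}: {why}")
```

The check deliberately uses the last entry for `/` so a later `remount,rw` is caught, and it treats anything that is not a recognised pseudo-filesystem as persistent, which errs toward false positives; a new writable mount showing up outside /var and /etc is exactly the kind of drift the image model is meant to prevent and is worth an alert even when it turns out to be benign.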

The project is available for free at GitLab.
