Building the Next Generation Container OS

Use immutable infrastructure to deploy and scale your containerized applications. Project Atomic builds OSes, tools, and containers for cloud native platforms.

Buildah, a different way to build containers, is now available for testing.

Learn more!

Atomic Host

Atomic Host provides "immutable infrastructure" for deploying to hundreds or thousands of servers in your private or public cloud. Available in Fedora Atomic Host, CentOS Atomic Host, and Red Hat Atomic Host editions depending on your platform and support needs.

To balance the need between long-term stability and new features, we are providing different releases of Atomic Host for you to choose from.

Get Started

Container Registries

You can get your containerized applications from the CentOS Container Pipeline and the Fedora Layered Image Build Service

Trusted container content from the projects you already trust.

Learn more about Fedora Layered Images

Learn more about CentOS Container Pipeline

Community News

Fedora Atomic 26 July 25 Release

A new Fedora Atomic Host update is available via an OSTree commit:

Commit: 0715ce81064c30d34ed52ef811a3ad5e5d6a34da980bf35b19312489b32d9b83
Version: 26.91

This is the second release for Fedora 26 Atomic Host. This contains a newer version of Kubernetes with fixes for the bug that was in the original release of the Fedora Atomic 26 tree.

Users of built-in Kubernetes on Fedora Atomic Host can now rebase onto the version 26 ref. We will be releasing a few blogs shortly about upgrading your existing hosts.

Read More »

Unprivileged containers with bwrap-oci and bubblewrap

The introduction of user namespaces in the Linux kernel has opened the doors to running containers as default user logins via e.g. ssh or desktop. On Fedora, bwrap-oci lets you make use of this feature, as I will demonstrate.

The concept behind user namespaces is quite simple: UIDs and GIDs in a user namespace are converted to a different set in the parent namespace, so that an application thinks it’s executed as root while instead a non-privileged user is running it. User namespaces are not limited to altering an application’s UID/GID mappings, a user can keep capabilities in the new namespace and together with other namespaces perform privileged operations there that are unprivileged in the parent namespace. For example, an application with a new network namespace can create firewall rules that only affect its namespace. This offers extra security since the container is limited to the user that is running it, so even if something goes wrong the process has no more privileges than the user who runs it (unless things go very wrong!).

Read More »

» View older news

Ready to try Atomic?

Get Started