Flatcar Container Linux: Immutable OS for Containers and Kubernetes

Introduction

Flatcar Container Linux represents a paradigm shift in operating system design for containerized workloads. Originally derived from CoreOS, Flatcar provides an immutable, minimal operating system optimized specifically for running containers at scale. In 2026, with Kubernetes dominating container orchestration and edge computing growing rapidly, Flatcar has emerged as a preferred choice for organizations seeking a secure, low-maintenance operating system that integrates seamlessly with modern container platforms.

This comprehensive guide explores Flatcar Container Linux, examining its immutable architecture, container runtime integration, Kubernetes support, automatic update mechanisms, and practical deployment scenarios. Whether you’re planning a Kubernetes cluster, building an edge computing platform, or seeking a more secure operating system for containers, this article provides the knowledge needed to leverage Flatcar effectively.

Understanding Immutable Operating Systems

Traditional Linux distributions treat the operating system as mutable—packages can be installed, updated, and removed at any time. While this flexibility has served computing well, it introduces complexity, security vulnerabilities, and configuration drift in large-scale deployments. Immutable operating systems address these challenges by treating the base system as read-only, with all customizations applied through overlay mechanisms.

The Immutable Design Philosophy

┌─────────────────────────────────────────────────────────────────────┐
│                    IMMUTABLE VS TRADITIONAL OS                         │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌─────────────────────┐      ┌─────────────────────┐               │
│  │   Traditional OS   │      │  Immutable OS      │               │
│  ├─────────────────────┤      ├─────────────────────┤               │
│  │ /usr mutable        │      │ /usr read-only     │               │
│  │ apt/yum install     │      │ Package layers     │               │
│  │ Configuration drift │      │ Atomic updates     │               │
│  │ Manual patching     │      │ Auto-updates       │               │
│  │ Pets (unique)       │      │ Cattle (replace)   │               │
│  │ Stateful            │      │ Stateless          │               │
│  └─────────────────────┘      └─────────────────────┘               │
│                                                                      │
│  Benefits:                                                          │
│  - Consistent, reproducible systems                                │
│  - Faster startup and scaling                                      │
│  - Simplified rollback and recovery                                 │
│  - Reduced attack surface                                           │
│  - Declarative configuration                                       │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

Flatcar Architecture

Flatcar implements an immutable architecture through multiple mechanisms:

# View Flatcar partition layout
lsblk
# NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
# sda      8:0    0    20G  0 disk
# ├─sda1   8:1    0   512M  0 part /boot
# ├─sda2   8:2    0     2G  0 part [SWAP]
# └─sda3   8:3    0  17.5G  0 part /

# The root filesystem is mounted read-only
mount | grep -E "usr|opt"
# /dev/sda3 on /usr type ext4 (ro,relatime,seclabel)
# /dev/sda3 on /opt type ext4 (ro,relatime,seclabel)

Flatcar Features

Minimal Footprint

Flatcar is designed to be minimal, containing only what’s needed for running containers:

# Flatcar vs Ubuntu (typical installed packages)
# Ubuntu Server: ~1000+ packages
# Flatcar: ~300 packages

# Check installed packages
rpm -qa | wc -l
# Output: ~280 packages

# View core packages
rpm -qa | grep -E "kernel|systemd|containerd|docker"
# kernel-5.15.x
# systemd-251.x
# containerd-1.6.x
# docker-20.10.x (or docker-ce in newer versions)

Automatic Updates

Flatcar implements automatic, atomic updates using Omaha (the same protocol used by Chrome OS):

# Check update status
update_engine_client -status

# View pending update
update_engine_client -pending

# Check current version
cat /etc/flatcar/update.conf
# GROUP=stable

# Force check for updates
update_engine_client -check_for_update

# Rollback to previous version (if available)
flatcar-update -rollback

Dual Partition Scheme

Flatcar maintains two root partitions, enabling atomic updates and instant rollback:

# View partition layout
cgpt show /dev/sda
# The two root partitions alternate:
# Partition 1: Current OS (active)
# Partition 2: Next/Previous OS (passive)

# After update, partitions swap roles
# This ensures if update fails, rollback is instant

Container Runtime

Flatcar ships with containerd and runc as the default container runtime, providing a minimal, standards-compliant foundation for running containers.

Containerd Configuration

# Check containerd version
containerd --version
# containerd github.com/containerd/containerd v1.6.28

# View containerd config
cat /etc/containerd/config.toml

# Default config includes:
# - runc runtime
# - CNI networking
# - Systemd cgroup driver

# Containerd is configured for Kubernetes by default
# Uses systemd cgroup driver for proper resource management

Running Containers

# Using ctr (containerd CLI)
ctr images pull docker.io/library/nginx:latest
ctr run -d docker.io/library/nginx:latest nginx

# Using crictl (Kubernetes CRI compatible)
crictl pull nginx:latest
crictl run nginx.yaml

# Using nerdctl (Docker-compatible CLI)
nerdctl pull nginx
nerdctl run -d nginx

Docker Compatibility

While Flatcar primarily uses containerd, Docker compatibility is available:

# Install Docker (if needed)
# Flatcar offers a Docker package
# rpm-ostree install docker

# Or use docker-cli with containerd
# nerdctl provides docker-compatible CLI
nerdctl build -t myapp .
nerdctl run -d -p 8080:80 myapp

Kubernetes Integration

Flatcar is optimized for Kubernetes workloads, with first-class support for running Kubernetes nodes.

kubelet Integration

# Flatcar includes kubelet as a package
# Install kubelet
rpm-ostree install kubelet kubeadm kubectl

# Or use kubeadm to join cluster
kubeadm join --token <token> <master-ip>:6443

# The kubelet uses containerd as CRI runtime
# No dockershim needed in Kubernetes 1.20+

CRI-O Alternative

For pure CRI compliance:

# Install CRI-O instead of Docker/containerd
rpm-ostree install cri-o cri-tools

# Configure kubelet to use CRI-O
# /etc/kubelet/config.yaml
# runtimeRequestTimeout: 10m
# runtimeType: remote

Configuration Management

Flatcar uses Butane (formerly Ignition) for declarative configuration at first boot.

Butane Configuration

# config.bu - Flatcar configuration
variant: flatcar
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAA...
storage:
  files:
    - path: /etc/hostname
      contents:
        node1.example.com
    - path: /etc/systemd/system/docker.service.d/10-flatcar.conf
      contents: |
        [Service]
        ExecStart=
        ExecStart=/usr/bin/dockerd --host=fd:// --containerd=/var/run/containerd/containerd.sock
  links:
    - path: /etc/localtime
      target: /usr/share/zoneinfo/UTC
      hard: false

Converting to Ignition

# Install butane
butane --version

# Generate Ignition JSON
butane --pretty --strict config.bu > config.ignition.json

# Use with cloud-init or PXE boot

Using Container Linux Config Transpiler

# Alternative: use CT (Container Linux Config Transpiler)
ct --in-file config.yaml --out-file config.json

# Flatcar also supports:
# - cloud-init
# - afterburn (machine-id injection)
# - flatcar-ignition (direct ignition)

Deployment Methods

Cloud Deployment

Flatcar is available on major cloud platforms:

# AWS
# Use Flatcar AMI from AWS Marketplace
# Search for "Flatcar Container Linux" in EC2

# GCP
# gcloud compute instances create k8s-node \
#   --image-family flatcar-stable \
#   --image-project flatcar-cloud \
#   --machine-type e2-medium

# Azure
# Select Flatcar Container Linux from Azure Marketplace
# Use cloud-init or ARM template

# DigitalOcean
# Select Flatcar from marketplace when creating droplet

Bare Metal with PXE

Deploy Flatcar via PXE for bare metal:

# PXE server configuration
# /etc/dhcpd.conf
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
  option routers 192.168.1.1;
  filename "flatcar/flatcar_production_pxe.vmlinuz";
}

# Kernel command line for PXE boot
# flatcar.flatcar_autologin=yes flatcar.config.url=http://server/config.ign

Virtualization

Deploy Flatcar on virtualization platforms:

# Proxmox VE
# Upload Flatcar ISO or PXE boot
# Use cloud-init for configuration

# libvirt/Virsh
virt-install \
  --name flatcar-node \
  --ram 2048 \
  --disk path=/var/lib/libvirt/images/flatcar.qcow2,size=20 \
  --os-variant detect \
  --location http://stable.flatcar-linux.org/amd64-usr/current/flatcar_production_vmware_amd64.ova

# VMware
# Use Flatcar OVA from VMware marketplace

Package Management with rpm-ostree

Flatcar uses rpm-ostree for package management, combining RPM packages with OSTree for atomic updates.

Basic Operations

# Check available updates
rpm-ostree upgrade --check

# Apply updates
rpm-ostree upgrade

# View pending deployment
rpm-ostree status

# Reboot into new deployment
systemctl reboot

# Rollback to previous version
rpm-ostree rollback

# Install additional packages
rpm-ostree install kubeadm kubectl

# Remove packages
rpm-ostree uninstall kubeadm

Layering Packages

# View packages in current deployment
rpm-ostree db list

# Check pending layers
rpm-ostree status
# State: idle
# Deployments:
# * flatcar
#     Version: 3760.3.1
#     Base: flatcar:flatcar/stable/amd64-usr
#   flatcar
#     Version: 3602.3.5
#     Base: flatcar:flatcar/stable/amd64-usr

Networking

Flatcar includes modern networking tools optimized for containers:

# Check network configuration
networkctl

# CNI plugins are pre-installed
ls /opt/cni/bin/
# bridge  dhcp  flannel  host-local  ipvlan  loopback  macvlan
# portmap  ptp  sample  static  tuning  vlan

# NetworkManager is not used by default
# Instead: systemd-networkd

Security Features

Immutable Root Filesystem

# Verify read-only /usr
mount | grep "usr"
# /dev/sda3 on /usr type ext4 (ro,relatime,seclabel)

# Attempting to write to /usr fails
touch /usr/bin/test
# touch: cannot touch '/usr/bin/test': Read-only file system

SELinux

Flatcar includes SELinux enabled by default:

# Check SELinux status
getenforce
# Enforcing

# SELinux context for containers
ps -Z
# system_u:system_r:container_t:s0:c1,c2 1234 ? {containerd-shim}

Automatic Security Updates

# Security updates are applied automatically
# The stable channel receives patches for:
# - Kernel vulnerabilities
# - Container runtime issues
# - Systemd and core libraries

# View update history
journalctl -u update-engine -f

Flatcar Variants

Flatcar offers three channels:

# Stable - Production workloads
# - Tested for 2+ weeks
# - Monthly releases
# - Security updates backported

# Beta - Pre-stable testing
# - Next stable candidate
# - Weekly releases

# Alpha - Latest features
# - Cutting-edge kernel
# - New container runtimes
# - Weekly releases

# Switch channels
rpm-ostree rebase flatcar:flatcar/beta/amd64-usr

Use Cases

Kubernetes Worker Nodes

# Typical Flatcar Kubernetes node config:
# 1. Provision with Butane/Ignition
# 2. Install kubelet, containerd
# 3. Join cluster with kubeadm
# Benefits:
# - Minimal attack surface
# - Automatic OS updates
# - Easy node replacement
# - Consistent configuration

Edge Computing

# Flatcar advantages for edge:
# - Small footprint (minimal disk/memory)
# - Atomic updates (no partial updates)
# - Easy rollback (dual partition)
# - Minimal maintenance
# - Security hardening

Container Workloads

# Running containerized applications:
# - Use containerd/runc directly
# - Or Docker with compatibility layer
# - CNI networking included
# - Persistent storage via bind mounts or volumes

Comparison with Alternatives

Feature	Flatcar	Fedora CoreOS	RancherOS
Base	CoreOS	Fedora	RancherOS
Package Manager	rpm-ostree	rpm-ostree	System Docker
Init System	systemd	systemd	System Docker
Update Model	OSTree	OSTree	Docker-based
Kubernetes	Native	Native	RKE
Minimum RAM	~1GB	~1GB	~512MB

Conclusion

Flatcar Container Linux provides a purpose-built platform for containerized workloads in 2026. Its immutable design ensures consistent, secure, and manageable infrastructure, while automatic updates and atomic rollbacks reduce operational burden. With first-class Kubernetes support, minimal footprint, and strong security defaults, Flatcar has earned its place as a preferred operating system for organizations running containers at scale.

The key to Flatcar’s value lies in treating infrastructure as cattle rather than pets—systems can be destroyed and recreated with known state, making scaling predictable and recovery trivial. For Kubernetes deployments, edge computing environments, and any scenario requiring secure, low-maintenance container hosts, Flatcar offers compelling advantages over traditional Linux distributions.