Introduction
Container-optimized operating systems represent a new paradigm in Linux deployment - minimal systems designed specifically to run containers with minimal overhead, automatic updates, and immutable infrastructure principles. While RancherOS (now discontinued) pioneered this approach, its successors and similar distributions continue to shape modern container infrastructure.
In 2026, understanding these lightweight OS options helps infrastructure engineers make informed decisions about container-focused deployments. This guide covers the concepts, implementation patterns, and alternatives for minimal container operating systems.
Understanding Container Operating Systems
What is a Container OS?
Container operating systems is specifically designed to run containers with these characteristics:
- Minimal Footprint: Tiny base system, often under 100MB
- Container Runtime: Docker, containerd, or runc built-in
- Immutable Design: Read-only root filesystem
- Atomic Updates: Rollback capability
- Fast Boot: Optimized for quick startup
- Automatic Updates: Seamless security patches
Why Use Container OS?
Traditional Linux distributions include components unnecessary for container workloads:
- Desktop environments
- Multiple init systems
- Package managers
- Development tools
- Libraries for diverse applications
Container OS strips away unnecessary components, providing only what’s needed for container orchestration.
RancherOS
Historical Context
RancherOS was a lightweight Linux distribution designed specifically to run containers. Key innovations:
- System Containers: Docker as the primary init system
- User Containers: Docker containers for applications
- Minimal Size: ~20MB base image
- Simplicity: Two types of Docker containers only
RancherOS Architecture
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ User Docker Containers โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ System Docker (init) โ
โ - console, network, logging โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Linux Kernel โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Installing RancherOS (Historical)
# Download ISO
# https://github.com/rancher/os/releases
# Install to disk
sudo ros install -i rancher/os:v1.5.0 -d /dev/sda
# Cloud-config
vim cloud-config.yml
#cloud-config
hostname: rancher-server
rancher:
console: default
docker:
storage_driver: overlay2
ssh_keys:
- ssh-rsa AAAAB3... user@host
Configuring RancherOS
# Access console
ssh -i ~/.ssh/id_rsa rancher@server
# View containers
sudo system-docker ps
sudo docker ps
# Manage services
sudo system-docker run -d --name console rancher/console:latest
Migration Path
Since RancherOS reached end-of-life in 2020, consider these alternatives:
- Rancher RKE2 - Kubernetes distribution
- K3s - Lightweight Kubernetes
- openSUSE MicroOS - Rolling container OS
- Fedora CoreOS - Red Hat’s container OS
- Flatcar Container Linux - Community-driven
MicroOS
openSUSE MicroOS
openSUSE MicroOS provides a modern container-optimized experience:
# Download MicroOS
# https://get.opensuse.org/microos/
# Install (similar to regular openSUSE)
sudo zypper install -t pattern microos_base
# Transactional updates
sudo transactional-update
MicroOS Features
# Check update status
transactional-update status
# View pending updates
transactional-update pkg list
# Apply updates
sudo transactional-update up
# Rollback
sudo transactional-update rollback
Automatic Updates
# Enable automatic updates
sudo systemctl enable --now transactional-update.timer
# Configure in /etc/transactional-update.conf
# /etc/transactional-update.conf
AUTOUPDATE=1
REBOOT=auto
Flatcar Container Linux
Introduction
Flatcar Container Linux (covered in detail in another article) offers:
- Immutable root filesystem
- Automatic updates via update_engine
- Kubernetes-optimized
- Community-driven
See our Flatcar Container Linux article for detailed coverage.
Fedora CoreOS
Overview
Fedora CoreOS is Red Hat’s container OS:
# Download
# https://coreos.github.io/
# Install
sudo coreos-installer install /dev/sda \
--ignition-file config.ign
# Butane config (FCCT)
variant: fcos
version: 1.4.0
passwd:
users:
- name: core
ssh_authorized_keys:
- ssh-rsa AAAA...
Alternative: K3s on Minimal OS
Running K3s on openSUSE MicroOS
# Install MicroOS
# Add K3s repository
sudo zypper ar -f https://download.opensuse.org/repositories/Kubic:/Channel:/Stable/openSUSE_Leap_15.4/ Kubic
# Install K3s
sudo zypper install k3s
# Enable and start
sudo systemctl enable --now k3s
# Access cluster
sudo k3s kubectl get nodes
Container-Optimized Deployment Patterns
Single-Container Deployment
Deploy directly to a container OS:
# On any container OS
docker run -d \
--name nginx \
-p 80:80 \
-v /data:/usr/share/nginx/html:ro \
nginx:alpine
Kubernetes Deployment
# Install K3s
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--disable=traefik" sh -
# Deploy application
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort
Systemd for Containers
# Instead of Docker, use systemd
# /etc/systemd/system/myapp.service
[Unit]
Description=My Application
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/podman run --name myapp \
--network host \
-v /data:/data:ro \
docker.io/library/nginx:alpine
ExecStop=/usr/bin/podman stop myapp
[Install]
WantedBy=multi-user.target
Immutable Infrastructure
Benefits
Immutable infrastructure provides:
- Consistency: Same image everywhere
- Predictability: Known state
- Security: Reduced attack surface
- Rollback: Easy recovery
- Testing: Parity dev/prod
Implementation
# Use read-only root
# /etc/fstab
LABEL=ROOT / ext4 ro,noatime 0 1
tmpfs /var tmpfs defaults 0 0
# Data on separate volume
LABEL=DATA /var/lib ext4 defaults,noatime 0 2
/etc overlay
# Use overlay for /etc
# /etc/overlay.conf
OVERLAY_COMPOSITE=99
OVERLAY_UPPER=/etc.upper
OVERLAY_LOWER=/etc.lower
Configuration Management
Cloud-Init
Most container OS supports cloud-init:
#cloud-config
users:
- name: admin
ssh_authorized_keys:
- ssh-rsa AAAA...
sudo: ALL=(ALL) NOPASSWD:ALL
write_files:
- path: /etc/systemd/system/app.service
content: |
[Unit]
Description=My App
[Service]
Type=simple
ExecStart=/usr/bin/docker run --name app myapp
[Install]
WantedBy=multi-user.target
runcmd:
- systemctl daemon-reload
- systemctl enable --now app.service
Butane/FCCT
variant: fcos
version: 1.4.0
storage:
files:
- path: /etc/hostname
contents:
inline: |
node1
- path: /etc/sysctl.d/99-kubernetes.conf
contents:
inline: |
net.bridge.bridge-nf-call-iptables=1
net.ipv4.ip_forward=1
Network Configuration
Static Networking
# /etc/systemd/network/10-eth0.network
[Match]
Name=eth0
[Network]
Address=192.168.1.100/24
Gateway=192.168.1.1
DNS=8.8.8.8
VLAN Configuration
# /etc/systemd/network/20-vlan.network
[Match]
Name=eth0.100
[Network]
Address=10.0.100.10/24
Storage Configuration
Separate Data Volume
# Partition data disk
sudo fdisk /dev/sdb
# Format
sudo mkfs.ext4 /dev/sdb1
# Mount
# /etc/fstab
/dev/sdb1 /var/lib/containers ext4 defaults,noatime 0 2
BTRFS Subvolumes
# Create subvolumes
sudo btrfs subvolume create /var/lib/containers
sudo btrfs subvolume create /var/lib/kubelet
# Snapshot for backups
sudo btrfs subvolume snapshot -r /var/lib/containers /var/lib/containers-backup
Monitoring
Container Metrics
# cAdvisor
docker run \
--cadvisor=true \
--cadvisor-port=8080 \
--memory=/sys/fs/cgroup/memory \
--docker=/var/run/docker.sock \
gcr.io/cadvisor/cadvisor:latest
# Prometheus node exporter
docker run -d \
--net="host" \
--pid="host" \
quay.io/prometheus/node-exporter:latest \
--path.rootfs=/host
Security
Read-Only Root
# Enable read-only root
# GRUB cmdline
root=LABEL=ROOT ro
# Or in /etc/fstab
LABEL=ROOT / ext4 ro 0 1
Mandatory Access Control
# Enable SELinux (Fedora CoreOS)
# Already enforced by default
# Enable AppArmor (openSUSE)
sudo aa-status
sudo systemctl enable --now apparmor
Best Practices
Deployment
- Use automated provisioning
- Version control for configs
- Test updates in staging
- Plan rollback procedures
Updates
- Test updates before production
- Use canary deployments
- Monitor after updates
- Keep backups
Security
- Enable automatic security updates
- Use read-only root filesystem
- Implement network isolation
- Monitor for anomalies
Conclusion
While RancherOS is no longer maintained, the concepts it pioneered live on in modern container-optimized distributions. Solutions like openSUSE MicroOS, Fedora CoreOS, and Flatcar Container Linux provide mature alternatives with active development.
The shift toward immutable infrastructure and minimal container hosts continues to gain momentum, offering improved security, simplified management, and faster deployment cycles for modern cloud-native applications.
Resources
- openSUSE MicroOS Documentation
- Fedora CoreOS Documentation
- Flatcar Container Linux
- K3s Documentation
- Rancher Labs Archives
Comments