Immutable Linux Distros for Homelabs: Fedora CoreOS vs Flatcar vs Talos vs Bottlerocket
Traditional Linux distributions -- Ubuntu Server, Debian, Rocky Linux -- are general-purpose operating systems. You install them, SSH in, install packages, edit config files, and gradually accumulate state that becomes impossible to reproduce. This works fine until you need to rebuild a machine and realize you've been running on accumulated tribal knowledge for two years.
Photo by Shubham Dhage on Unsplash
Immutable Linux distributions take a different approach. The root filesystem is read-only. You don't SSH in and tweak things. You define the desired state in a configuration file, and the OS converges to that state. Updates are atomic -- the entire OS image gets replaced as a unit, with automatic rollback if the new version fails to boot.
For homelabs running containers or Kubernetes, these distros eliminate an entire category of problems: configuration drift, broken updates, and the "what did I install on this machine?" question.
Quick Comparison
| Feature | Fedora CoreOS | Flatcar Linux | Talos Linux | Bottlerocket |
|---|---|---|---|---|
| Primary use | General containers | General containers | Kubernetes only | Kubernetes (AWS focus) |
| SSH access | Yes (optional) | Yes (optional) | No | Limited (admin container) |
| Init system | systemd | systemd | Custom (machined) | systemd (limited) |
| Config format | Ignition (JSON/Butane) | Ignition (JSON/Butane) | Machine config (YAML) | TOML via API |
| Update mechanism | rpm-ostree + Zincati | Nebraska + update-engine | Rolling (talosctl) | API-driven, A/B partition |
| Container runtime | podman + Docker (optional) | Docker or containerd | containerd (CRI only) | containerd |
| Kubernetes support | Manual or via tools | Manual or via tools | Built-in (talosctl) | EKS-optimized, self-hosted possible |
| Bare metal support | Excellent | Excellent | Excellent | Limited (cloud-focused) |
| Learning curve | Medium | Medium | High | Medium |
| Community | Large (Red Hat backed) | Medium (Microsoft/CNCF) | Growing | Medium (AWS backed) |
Fedora CoreOS
Fedora CoreOS (FCOS) is the most versatile option. It's a minimal, auto-updating Fedora-based OS designed to run containers, but it doesn't force you into Kubernetes. You can run plain Docker or Podman containers via systemd units, which makes it suitable for homelabs that haven't adopted Kubernetes yet.
Configuration with Butane
FCOS uses Ignition for first-boot provisioning. You write human-readable Butane YAML, compile it to Ignition JSON, and the machine configures itself on first boot:
# config.bu -- Butane format
variant: fcos
version: "1.5.0"
passwd:
users:
- name: core
ssh_authorized_keys:
- ssh-ed25519 AAAA... your-key
storage:
files:
- path: /etc/hostname
contents:
inline: homelab-node1
systemd:
units:
- name: caddy.service
enabled: true
contents: |
[Unit]
Description=Caddy reverse proxy
After=network-online.target
[Service]
ExecStart=/usr/bin/podman run --rm --name caddy -p 80:80 -p 443:443 -v caddy_data:/data docker.io/library/caddy:latest
ExecStop=/usr/bin/podman stop caddy
Restart=always
[Install]
WantedBy=multi-user.target
Compile and install:
butane --strict config.bu > config.ign
# Use config.ign during installation or pass via PXE/cloud-init
Updates
FCOS uses rpm-ostree for atomic updates and Zincati for automatic update scheduling. Updates download a new OS image, stage it, and reboot into it. If the new image fails, the system rolls back to the previous one automatically.
# Check current deployment
rpm-ostree status
# Manually trigger an update
sudo rpm-ostree upgrade
Best for: Homelabs running Docker/Podman containers without Kubernetes. The SSH access and familiar systemd model make it the gentlest on-ramp to immutable infrastructure.
Flatcar Container Linux
Flatcar is the community continuation of CoreOS Container Linux (before Red Hat acquired CoreOS and merged it into Fedora CoreOS). If you've used the original CoreOS, Flatcar feels identical. It uses the same Ignition provisioning, the same update engine, and the same general philosophy.
Key Differences from Fedora CoreOS
Flatcar tracks a more conservative update cadence than FCOS. It offers three release channels -- Stable, Beta, and Alpha -- and homelabbers should stick with Stable. The update engine uses Nebraska (an open-source update server) rather than Zincati, which gives you more control over when and how updates roll out, especially if you're running multiple nodes.
# Check current version and channel
cat /etc/os-release
update_engine_client -status
# Force an update check
update_engine_client -check_for_update
Why Choose Flatcar Over FCOS
The main reason is stability posture. Fedora CoreOS tracks Fedora's aggressive release schedule, which means new kernel versions, new systemd versions, and new package versions arrive quickly. Flatcar is more conservative -- it optimizes for not breaking your running containers. For a homelab where uptime matters more than having the latest kernel, Flatcar is the safer choice.
Flatcar also has better integration with configuration management tools like Terraform and Ansible, thanks to its longer history in production environments.
Best for: Production-minded homelabs that want stability over bleeding-edge features. If you're running services that can't tolerate unexpected reboots or behavior changes, Flatcar's conservative release model is a better fit than FCOS.
Like what you're reading? Subscribe to HomeLab Starter — free weekly guides in your inbox.
Talos Linux
Talos is the most opinionated option on this list. It's a Kubernetes-only operating system. There is no SSH. There is no shell. There is no package manager. The entire OS exists to run Kubernetes, and you manage it exclusively through talosctl and the Kubernetes API.
This sounds extreme, but the security and operational benefits are real. No SSH means no attack surface for shell-based exploits. No package manager means no configuration drift. No shell means nobody (including you) can log in and "fix" something manually, which means your automation must be correct.
Bootstrap a Cluster
# Generate machine configs
talosctl gen config homelab-cluster https://10.0.0.10:6443
# Apply config to a machine
talosctl apply-config --nodes 10.0.0.10 --file controlplane.yaml
# Bootstrap the cluster
talosctl bootstrap --nodes 10.0.0.10
# Get kubeconfig
talosctl kubeconfig --nodes 10.0.0.10
Machine Configuration
Everything about the machine -- network, disks, kernel parameters, cluster settings -- is defined in a YAML machine config:
machine:
type: controlplane
network:
hostname: talos-cp1
interfaces:
- interface: eth0
dhcp: true
install:
disk: /dev/sda
image: ghcr.io/siderolabs/installer:v1.7.0
cluster:
controlPlane:
endpoint: https://10.0.0.10:6443
network:
cni:
name: flannel
Updates
Talos updates are applied via talosctl upgrade, which replaces the entire OS image atomically. The upgrade process is zero-downtime for the cluster if you have multiple control plane and worker nodes.
# Upgrade a node
talosctl upgrade --nodes 10.0.0.10 --image ghcr.io/siderolabs/installer:v1.7.1
# Check upgrade status
talosctl version --nodes 10.0.0.10
Best for: Homelabs that are fully committed to Kubernetes. If everything you run is a Kubernetes workload and you want the smallest possible attack surface, Talos is the purest expression of the immutable OS concept.
Bottlerocket
Bottlerocket is Amazon's container-optimized OS. It was built for EKS (Elastic Kubernetes Service), and that's where it shines. For homelabs, it's the least natural fit on this list, but it's worth understanding.
The Cloud-First Design
Bottlerocket has no SSH by default. Configuration is done through a TOML-based API. Updates use an A/B partition scheme, where the inactive partition gets the new image and the system swaps to it on reboot.
# Bottlerocket settings (applied via API or user data)
[settings.kubernetes]
cluster-name = "homelab"
api-server = "https://10.0.0.10:6443"
[settings.host-containers.admin]
enabled = true
source = "public.ecr.aws/bottlerocket/bottlerocket-admin:latest"
The "admin container" is Bottlerocket's escape hatch -- a privileged container that gives you shell access to the host when you need to debug. This is more practical than Talos's zero-shell approach, but it's a security tradeoff.
Bare Metal Reality
Bottlerocket can run on bare metal, but it requires more effort than the other options. The official builds target AWS, VMware, and specific cloud providers. Community efforts to run Bottlerocket on bare metal exist, but documentation is sparse and the experience is rough compared to Fedora CoreOS or Talos.
Best for: Homelabs that mirror AWS production environments. If you run EKS at work and want your homelab to match, Bottlerocket makes sense. Otherwise, the other three options are more practical for bare metal.
Which One Should You Choose?
You run Docker/Podman containers without Kubernetes: Fedora CoreOS. It's the only option here that doesn't assume Kubernetes. You get immutability, atomic updates, and the ability to define container workloads as systemd units.
You want Kubernetes but also want SSH access: Fedora CoreOS or Flatcar. Both support Kubernetes (via kubeadm, k3s, or other bootstrappers) while keeping SSH available for debugging. Flatcar if you value stability; FCOS if you want the latest features.
You want a pure Kubernetes OS with maximum security: Talos Linux. The no-SSH, no-shell model is intimidating at first but forces good operational habits. If your homelab is a learning environment for production Kubernetes practices, Talos teaches you to do everything through APIs and automation.
You're mirroring an AWS environment: Bottlerocket. Not recommended for general homelab use, but unbeatable if AWS compatibility is your goal.
For most homelabbers just starting with immutable infrastructure, Fedora CoreOS is the right first step. It's the most flexible, has the largest community, and lets you adopt immutability gradually without committing to Kubernetes. Once you're comfortable with the immutable model, moving to Talos for a dedicated Kubernetes cluster is a natural progression.