In-Depth
Hands-on with Open-Source Flatcar OS for Containers
Flatcar was one of the projects that caught my eye at KubeCon this year. What I found interesting about it is that it is a Linux distribution tailored to run containers. This means that the developers cut out all the packages and bits that didn't support running containers, resulting in a light Linux distribution with a smaller, more secure footprint. With that in mind, I am going to give you an overview of what Flatcar is and how it came to be in this article. In another article, I will install it and see how easy it is to work with.
Not only did it catch my eye, but it also caught the eye of the Cloud Native Computing Foundation (CNCF) as the CNCF Technical Oversight Committee (TOC) accepted Flatcar as a CNCF incubating project at KubeCon this year.
Chris Aniszczyk, CTO of CNCF, gave it a rather big endorsement as he said, "A secure community-owned cloud native operating system was one of the missing layers of the CNCF technology stack," and "As validated by a thorough due diligence process, Flatcar has more than proven itself in this role, and we are thrilled to adopt it as an Incubating project and will support growing its community."
Flatcar has significant adoption, including industry giants such as Adobe (with more than 20,000 nodes running Flatcar), Stackit (a managed Kubernetes service), and Wipro (using it for its managed PostgreSQL service).
Joseph Sandoval, principal product manager at Adobe and End User Advisory Board member at CNCF, had this to say about it: "Adobe leverages Flatcar as the host operating system for self-managed Kubernetes deployments across our multi-cloud environment, including Microsoft Azure. We have proven it out at very large scale, and been really impressed both with how Flatcar simplifies our operations and how the project has matured and evolved to stay at the forefront of Linux OS development with capabilities such as Cluster API and system extensions. Adoption by the CNCF is the next logical step, and we are happy to endorse and support that move as a CNCF end-user member."
The name Flatcar is fitting: in rail transportation lingo, a flatcar is the train car used to carry shipping containers. Flatcar, then, is the OS used to deliver containers in the datacenter.
History and Background
Flatcar Container Linux originated in 2018 as a lightweight, container-optimized OS that traces its roots back to CoreOS Container Linux. Like CoreOS, Flatcar was designed to be a robust and secure foundation for deploying and managing containerized applications, particularly Kubernetes.
Initially, CoreOS pioneered the concept of a minimal, immutable OS focused on containerized workloads. However, following Red Hat's acquisition of CoreOS in 2018, Kinvolk, a cloud-native technology company, forked CoreOS Container Linux to create Flatcar. This move aimed to continue the vision of a lightweight, secure, and efficient container OS.
In 2021, Microsoft acquired Kinvolk, giving the project some major cred and (hopefully) solidifying Flatcar's position and commitment to its community-driven development. Its acceptance as an incubating project marked a significant step toward its recognition as a community-driven, open-source project.
It has hit many notable milestones, including 967 GitHub Stars, 1,813 pull requests, 1,444 issues, 429 releases, 643 contributors, and an impressive list of project sponsors like Cisco, Equinix, and Wipro.
As a CNCF project, Flatcar is poised for continued growth and innovation. With the support of Microsoft and the broader cloud-native community, it should remain a leading choice for organizations seeking a secure and efficient OS and container platform.
Key Features in Flatcar
Flatcar has many features that differentiate it from general-purpose Linux distributions, such as a security-focused approach with regular security updates and zero-touch provisioning for automated deployment and management. It has a minimal footprint to reduce the attack surface and improve performance and security, an immutable infrastructure for stability and security, and a container-centric design optimized for container workloads.
Looking at these features more closely: Flatcar's OS image includes only the packages needed to run containers. This minimalist approach reduces the amount of software to manage and the potential attack surface. It has a highly secure and immutable OS file system. The OS is deployed to a cryptographically secured read-only filesystem, eliminating a whole category of attacks that rely on modifying installed OS files. Its node configuration is defined in a YAML file applied on the first boot. After that, the node configuration is generally treated as immutable, avoiding "configuration drift" and enabling management at scale. Updates are shipped as validated images and applied in an atomic operation; if an update fails, the system automatically reverts to the previous image. The project includes an update server that provides advanced fleet-wide policy controls and a graphical view of fleet status.
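The read-only /usr and the atomic, rollback-capable update model described above are properties an operator can actually verify on a node rather than take on faith. The following audit script is an added example written for this article; it is not code from the Flatcar project. It assumes a Flatcar-style layout in which /usr is a separate mount backed by a device-mapper (dm-verity) volume named /dev/mapper/usr, that update_engine_client --status prints KEY=VALUE lines including CURRENT_OP, and that /etc/os-release carries VERSION_ID. The check functions take their input as text, so the constructed sample output at the bottom lets the script run anywhere; on a real node it reads the live system instead.

```shell
#!/bin/sh
# Added example, not from the article or the Flatcar project: audit a node for the
# immutable-OS properties the article describes (read-only /usr on a verity-backed
# device, update_engine state). Functions take text input so they can be run against
# captured output as well as the live system.

# Does /proc/mounts-style text show /usr mounted with the "ro" option?
usr_is_readonly() {
  printf '%s\n' "$1" | awk '
    $2 == "/usr" { n = split($4, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1 }
    END { if (ro) exit 0; exit 1 }'
}

# Print the block device backing /usr. "/dev/mapper/usr" is the assumed name of the
# dm-verity protected volume on Flatcar; adjust if your build differs.
usr_device() {
  printf '%s\n' "$1" | awk '$2 == "/usr" { print $1; exit }'
}

# Extract CURRENT_OP from KEY=VALUE output of the assumed form `update_engine_client --status`.
update_state() {
  printf '%s\n' "$1" | sed -n 's/^CURRENT_OP=//p'
}

# Extract VERSION_ID from /etc/os-release-style text, stripping optional quotes.
os_version() {
  printf '%s\n' "$1" | sed -n 's/^VERSION_ID=//p' | tr -d '"'
}

# Print one OK/WARN/INFO line per check; return non-zero if any immutability check fails.
audit() {
  mounts=$1; status=$2; osrel=$3; rc=0
  if usr_is_readonly "$mounts"; then
    echo "OK   /usr is read-only ($(usr_device "$mounts"))"
  else
    echo "WARN /usr is writable or not a separate mount"; rc=1
  fi
  case $(usr_device "$mounts") in
    /dev/mapper/*) echo "OK   /usr is on a device-mapper (verity) volume" ;;
    *)             echo "WARN /usr is not on a device-mapper volume"; rc=1 ;;
  esac
  case $(update_state "$status") in
    UPDATE_STATUS_IDLE)
      echo "OK   update_engine idle, running $(os_version "$osrel")" ;;
    UPDATE_STATUS_UPDATED_NEED_REBOOT)
      echo "INFO new image staged; reboot to activate (previous image kept for rollback)" ;;
    *)
      echo "INFO update_engine state: $(update_state "$status")" ;;
  esac
  return $rc
}

# Constructed sample output shaped like a Flatcar node; not captured from a real host.
SAMPLE_MOUNTS='/dev/mapper/usr /usr ext4 ro,relatime,seclabel,norecovery 0 0
/dev/sda9 / ext4 rw,relatime,seclabel 0 0'
SAMPLE_STATUS='LAST_CHECKED_TIME=1700000000
PROGRESS=0.000000
CURRENT_OP=UPDATE_STATUS_IDLE
NEW_VERSION=0.0.0
NEW_SIZE=0'
SAMPLE_OSREL='NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
VERSION_ID=1234.5.6'

# On a Flatcar node use live data; elsewhere fall back to the constructed samples.
if [ -r /proc/mounts ] && [ -r /etc/os-release ] && command -v update_engine_client >/dev/null 2>&1; then
  audit "$(cat /proc/mounts)" "$(update_engine_client --status 2>/dev/null)" "$(cat /etc/os-release)"
else
  audit "$SAMPLE_MOUNTS" "$SAMPLE_STATUS" "$SAMPLE_OSREL"
fi
```

A WARN from the first two checks on a node that is supposed to be running Flatcar is worth an incident ticket: a writable or non-verity /usr means the integrity guarantee the distribution is chosen for is not in effect on that host. The third check is informational; a node reporting UPDATE_STATUS_UPDATED_NEED_REBOOT has a new image staged in the inactive partition and still boots the old one until rebooted.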
New Features in Flatcar
In the months leading up to KubeCon, the developers pushed extra hard to get new features into the project, including system extensions. Leveraging capabilities introduced in recent systemd releases, Flatcar has adopted system extensions (sysexts) as the strategic path forward for customizing and enhancing the base OS. A "bakery" of off-the-shelf system extensions makes it easy to create custom images supporting different cloud platforms, Cluster API integrations, or versions optimized for edge applications such as lightweight WebAssembly workers.
They updated Flatcar to support more environments, including ARM64-based servers, with Azure Cobalt being a recent addition, along with out-of-the-box support for Nvidia Tesla GPUs for AI workloads. More public clouds were also added, including Scaleway, Brightbox, Hetzner, OVH, and Akamai/Linode.
The upstream Cluster API project now supports Ignition-based distros, and Flatcar has Cluster API integrations with various platforms, including Azure, AWS, and VMware.
The Future Is Bright for Flatcar
The Flatcar roadmap is publicly accessible on GitHub. Its main objectives include expanding the range of system extensions to support a wider variety of use cases, advancing the Flatcar CAPI implementation, utilizing system extensions to allow independent updates for both the control plane and the OS, and enhancing security features. The planned security features include secure boot, disk encryption, and the integrity measurement architecture (IMA).
As a CNCF-hosted project, Flatcar is part of a neutral foundation aligned with its technical interests. It is also part of the larger Linux Foundation, which provides governance, marketing support, and community outreach. With its healthy developer and user bases and Microsoft's backing, Flatcar will have a great future.
In my next article, I will install Flatcar and get a feel for its functionality.
More information and installation media for Flatcar Container Linux can be found here.
About the Author
Tom Fenton has a wealth of hands-on IT experience gained over the past 30 years in a variety of technologies, with the past 20 years focusing on virtualization and storage. He previously worked as a Technical Marketing Manager for ControlUp. He also previously worked at VMware in Staff and Senior level positions. He has also worked as a Senior Validation Engineer with The Taneja Group, where he headed the Validation Service Lab and was instrumental in starting up its vSphere Virtual Volumes practice. He's on X @vDoppler.