Building the Next Generation Container OS

Use immutable infrastructure to deploy and scale your containerized applications. Project Atomic provides the best platform for your Linux Docker Kubernetes (LDK) application stack.

Project Atomic introduces Atomic Registry — a free and open source enterprise container registry. Manage your containers without third party hubs.

Learn more!


Atomic Host

Based on proven technology from either Red Hat Enterprise Linux or the CentOS and Fedora projects, Atomic Host is a lightweight, immutable platform designed with the sole purpose of running containerized applications.

To balance the need for long-term stability against the demand for new features, we provide different releases of Atomic Host for you to choose from.

Get Started

Atomic App and Nulecule

With Atomic App, use existing containers as building blocks for your new application product or project. Using existing containers to provide core infrastructure components lets you focus more on building the things that matter and spend less time packaging and setting up the common plumbing required.

Define your Atomic Apps with the Nulecule specification to compose and distribute complex applications.

Learn more about Atomic App

Learn more about Nulecule

Atomic Registry

An enterprise Docker container registry solution that runs on-premise or in the cloud.

Atomic Registry uses 100% open source technology to provide enterprise features such as role-based access control (RBAC), diverse authentication options, a rich web console, flexible storage integration and more.

Get started with Atomic Registry

Community News

Automate Building Atomic Host

Project Atomic hosts are built from standard RPM packages that have been composed into filesystem trees using rpm-ostree. This guide provides an example of automating building and testing new Atomic Host ostrees.

One of the primary benefits of Atomic Host and OSTree has been the ability to configure once and deploy many times using custom OSTree images. But the process for doing so wasn't streamlined or well-documented. I'm helping change that. I'm going to describe how to build Atomic Host in automated...

Read More »

Fedora's First Ever Container Layered Image Release

On behalf of the Fedora Atomic WG and Fedora Release Engineering, I am pleased to announce the first ever Fedora Layered Image Release. From now on we will be doing regularly scheduled releases of Fedora Layered Image content that will match the Fedora Atomic Two Week Release schedule.

Each Container Image is released with the following streams which aim to provide lifecycle management choices to our users:

Name
Name-Version
Name-Version-Release

Each of the Name and Name-Version tags will be updated in place with their respective updates for as long as the maintainer supports them, and the Name-Version-Release tag will always be a frozen-in-time reference to that particular release of the Container Image.

Read More »

New CentOS Atomic Host with Updated Docker, Kubernetes and Etcd

An updated version of CentOS Atomic Host (tree version 7.20170209), is now available, including significant updates to docker (version 1.12.5), kubernetes (version 1.4) and etcd (version 3.0.15).

CentOS Atomic Host is a lean operating system designed to run Docker containers, built from standard CentOS 7 RPMs, and tracking the component versions included in Red Hat Enterprise Linux Atomic Host.

CentOS Atomic Host is available as a VirtualBox or libvirt-formatted Vagrant box, or as an installable...

Read More »

Tightening Up SELinux Policy for Containers

I wrote a blog post a couple of weeks ago explaining how SELinux can block breakout of processes in containers when exploiting a vulnerability in the /usr/bin/docker-runc or /usr/bin/runc executable. At the time, I explained that the policy for container_t was blocked from writing to most parts of the OS other than the container content labeled container_file_t. Despite blocking writes, though, it still allowed reads of some files.

A few people were alarmed when they realized that SELinux would block the breakout on writes but that there is a chance for information leakage into the container. The usual example was the ability to read /etc/passwd from the host. But this isn't unlimited access to the host. If the same container processes tried to read /etc/shadow on the host, or content in users' home directories, or database data in /var, they would be blocked.

Read More »

» View older news

Ready to try Atomic?

Get Started